Credentials Community Group Telecon

Minutes for 2015-11-10

  1. Credentials Task Force in WPIG Update
  2. Tasks for Credentials CG
  3. Linked Data Fast Track WG Update
Manu Sporny
Dave Longley
Dave Longley, Manu Sporny, Henry Story, Laura Fowler, Rebecca Simmons, Brian Sletten, Gregg Kellogg, Nate Otto, Eric Korb, John Tibbetts, Chris Webber
Audio Log
Dave Longley is scribing.
Manu Sporny: Last week we talked about what happened at W3C TPAC. The good news is that the Web Payments IG wants to do something around Credentials; we're trying to figure out where to do the work and where to write the charter and tie up loose ends.
Manu Sporny: There's an action item on me to propose a way forward for Credentials at W3C. We made a proposal; it had mixed feedback. We'll discuss that. We'll also be assigning tasks to folks. We'll give an update on our discussion with the SoLiD team as well. We chatted a bit with TimBL on the HTTP signatures stuff as well.
Henry Story: Ah cool, interested about hearing the discussion on SoLiD
Manu Sporny: Anything else we need to cover today?

Topic: Credentials Task Force in WPIG Update

Manu Sporny: We have made some modifications to the proposal as a result of the call yesterday. I'll review what was proposed and then talk next steps.
Manu Sporny: The goal is to determine whether or not a W3C Working Group should be created. The outcome of this task force will either be a charter for the W3C member to vote on to start the work or it's going to be a finding that we should not do the work at W3C. Clearly, the people in this group would like to see it started at W3C. There are some other people who feel the world isn't ready to see this work start.
Manu Sporny: A lot of the proposal is based on the survey we did. 58 orgs filled it out; how they view a proper credential ecosystem. We had them rate capabilities. We kept it data driven and so it was difficult for people who are against the work to argue against.
Manu Sporny: There were a number of concerns that were raised. The concerns were added to the wiki.
Manu Sporny: Some of those concerns are questions we need to answer. Some of them we are in no position to answer. "What is the jurisdictional scope of a credential and how are they regulated?" Way too early to answer but it was raised as a question to answer at some point.
Manu Sporny: In general, the IG said "Yes, we should do something about this and this proposal isn't offbase." Only +1's to say we should proceed with the work. The pushback was where the work would happen.
Manu Sporny: The proposal was that this group (this CG) would just shift gears and work on the questions.
Manu Sporny: There was almost immediate objection to that. Because there are people (some of whom we know, and some of whom we don't know) that feel that we don't have a neutral forum here. Meaning, we've worked on technology like the Open Badges stuff, technical implementations have been discussed and because of that, this group isn't neutral.
Henry Story: Argh.
Manu Sporny: A request was made for another group to be made that can't talk about the technology; and only talk about capabilities.
Manu Sporny: Speaking as an individual, this is fantastically frustrating because we strive to be very neutral in this group and have a good track record of doing so. This group started out with use cases and no particular technology focus. We had two input specs. We didn't have a strong technical view, etc. we did discussions, found data, worked from there. There are people are saying (again, people we don't know who they are) that we aren't neutral and that they weren't involved. These people didn't join the work a year or so ago but now they are saying that their views weren't taken into account. We have identified a number of people that we *do* know and we've been talking with them and asking them to discuss things with us and that's great and is not an issue. The problem is the people who are only talking through W3C staff and we can't talk to them directly ... and the only solution seems to be creating a new group that is filled with the same people in this group, plus a few more, and that can't talk about technology solutions.
Manu Sporny: Please provide your input ... do you support a new Community Group focused only on capabilities and writing, no tech, etc. We need to hear opinions from this group.
Henry Story: If I look at the Linked Data Protocol group, which was headed by IBM. They had implementations, they had a lot of people, they had narrowed down the technology and the specifics and a proposal put forward. This seems suspicious to me; I don't know the process all that mutch, but it seems a bit weird.
Henry Story: I'd like to speak with Arnaud and see what he said. I think you just need 20 members or some percentage to get people on board. The danger is if you get too many people on board then it's too general and becomes hard to succeed. That's me from an outsider's perspective.
Henry Story: You have more understanding, Manu, of the politics.
Manu Sporny: I think you're right in that it's strange. I think there's a fair degree of misunderstanding. There is a mismatch between what we're trying to do and what people think we're doing here. Let me try and draw where the various points of confusion are. I think there's a misunderstanding on what we're working on. Like we're working on authentication protocols like FIDO. We're absolutely not doing that here. The tech we're using here could be used with authentication but that's not what we're primarily pushing here.
Manu Sporny: So there's confusion and objection over that.
Manu Sporny: There's also confusion over where this group started. This group started with "we need to have verifiable claims/attributes" and we called them credentials and we were open to anyone to come and discuss at length.
Manu Sporny: I think one problem is that there is some work going on at IETF that is similar; that group had already started and was already charted and once chartered they really push their world view. For example JOSE. There's nothing wrong with that there's a good technical implementation that fits their use cases. But their use cases aren't our use cases. And some people looked at this work and thought "nothing needs to be done." Now a year later, we have another group at W3C are backing doing work with Credentials. Now that other group is objecting because there would be two technical specs that conflict with one another. There are some things in common but I think the OpenID Connect, OAuth, IETF folks think there is more overlap than there is. For example, with the digital signature stuff, the JOSE folks are looking at that and saying "The Open Credentials folks are coming up with a new signature format" but they don't understand Linked Data; they aren't looking at the technology and they are just saying "We should just try to use their stuff before doing something new" without understanding that we already tried that. The mistake we made was not better documenting that effort.
Manu Sporny: There are a couple of places where there is confusion: authentication vs. authorization, etc. and there are objections that our group is trying to do something that has been done before. There are people that don't understand the technology and some say we need to slow the process so people can understand that.
Henry Story: Yep makes sense
Manu Sporny: I think those are the politics being played but I don't think any of it is mean spirited, I just think it's people who aren't familiar with the work we're trying to do and jumping to conclusions. And then those people talk to W3C staff and say "You are on the brink of doing work that's being done elsewhere" And W3C doesn't want to do that and says we need to document what's different.
Rebecca Simmons: What you said makes sense, but as an outsider it's hard to say what needs to be done.
Henry Story: It would be itneresting to have a document to show how what you are doing goes beyond jose, for example.
Manu Sporny: If we can answer all of the criticisms and make everyone happy then we can create a charter and go forward with the work.
Henry Story: I have some ideas, of how it goes beyond, but it is interesting to know it.
Brian Sletten: If we create a new CG, what's to stop them from throwing up obstacles to that CG?
Manu Sporny: One primary question for this group: Do we want to push back and say "This CG you are proposing is the same thing we've already done. We'd rather have the people who are objecting make themselves known and join us and have the discussion in public." the other choice is "We'll create a new CG that doesn't talk technology at all and just talks capabilities and that group is going to go out and focus these people who are having issues and document their objections."
Manu Sporny: Or there might be another option? Thoughts from the group?
Gregg Kellogg: It seems clear that this is just a mechanism to push through their own agenda to overwhelm a new group. Even though technology discussions are off the table there I can see how it would be phrased to push one tech over another. It seems like a big scheme to me. I do think that the work we've done over the last year is exactly what a new group would do. I'd like to know what would be in front of a new CG that would be different that might then lead to a different outcome; otherwise it's a lot of wasted effort of a lot of people's time for no good reason other than to satisfy a powerful minority that seems frustrated.
Henry Story: That makes sense to try to find out what these people want.
Manu Sporny: To go back to Henry's point, you only need 20-25 member companies to say this work should start; but that is only after getting W3C Management approval. They have to agree there is consensus around what to work on. Right now ... I thought it was there, positive feedback from CEO and some staff contacts, but the person in charge of making the decision is unconvinced. We want to reach out to that person to find out what would convince them. I believe it's down to one person that is holding the process up.
Manu Sporny: I think the general point that the W3C staff members in the IG were making was that, "yes, we realize that this is somewhat annoying, but you need to create a neutral playing field. If a group of people are saying there isn't a neutral field, you need to create one so they'll come in." One proposal is to create a new CG with the same calls and time as this one (just replace it) but tightly focus that group around the creation of a charter and answering the questions around what needs to be done.
Manu Sporny: So there are maybe 8 people, at most, that we need to interview. We can say it has to be on the record and public on what needs to be done. Once we get all those interviews out of the way, we will clear those interviews with the W3C staff who are saying people are objecting; we'll get a list from them and interview those people, clearly document those concerns, etc. and then hope that the argument that those people feel they aren't being heard is addressed.
Manu Sporny: The other approach is that we have way more than 20 orgs that want to start this work.
Manu Sporny: We could, instead, and say "If you want something else done, you have to propose something. Everyone can't just stop because someone feels there's some nebulous better solution out there... if you feel it's out there, propose it so the group can talk about it."
Dave Longley: It would be an option to invite them to this group. I know they don't think this group is a natural fit. We're going to bring together the same group of people w/ other people. Could we invite them specifically? [scribe assist by Manu Sporny]
Dave Longley: Make it a more formal invitation to those that have concerns - we want them to talk about concerns - we want this to be a neutral group. [scribe assist by Manu Sporny]
Manu Sporny: I proposed that and they said "It doesn't matter, they don't think you have a neutral group so they won't participate."
Manu Sporny: So we could say "ok, fine, people seem to think this isn't a neutral group, so let's just create a new group." But we'd have all the same people like you said, with a new group name. We'd just be going through new mailing list and set up and all that.
Manu Sporny: I believe that the W3C staff wants to hear from the rest of this group. If they don't hear from the rest of the people in this CG, and no one else speaks up, their counter argument is going to be that it's just Digital Bazaar's opinion, not the groups.
Manu Sporny: Gregg and Henry spoke up but we need more people to voice their opinions on where they want this group to go.
Manu Sporny: If we say people can just join this group the counter argument will be that they won't join because it's not a neutral group. If we have people in this group clearly saying we should either "Create a new group" or "No, same people would join."
Nate Otto: Without all the context, I think creating a new group would be more work for uncertain gains.
Brian Sletten: If we create a new group and they don't come ... procedurally what is our response? At some point they are just doing a denial of service attack.
Eric Korb: Why is the onus on us to do this work? How do we substantiate their claims?
Manu Sporny: Procedurally, we'd have to write a new charter, get approval of the charter, create the group via W3C CG process, create new mailing list, new IRC channel, etc. About a week. Once we do all that it would be all of us on the call again, but hopefully 4-5 more people.
Brian Sletten: If they still don't show up, what then?
Manu Sporny: It helps if we can say there are some folks in the group that believe this won't help.
Brian Sletten: At some point you need to be out in the open, you can't just hide behind anonymity and try to stop work that other people are working on.
John Tibbetts: We've done a lot of homework over the last few years and months, including the survey. It's time to start talking about the technology issues. Talking about the technology helps you think about the problem; it's time to be doing that. I think we need to push back on that.
John Tibbetts: We need to get on with it.
Eric Korb: So, lets object to their work!
Manu Sporny: Eric asks "How do we substantiate their claims?" This is asymmetric. We do a lot of work to answer a concern and then there's an objection that says "No you didn't cover this other thing." This is coming from someone who cares about privacy/security, which is good, but they don't have a company that depends on the tech, they aren't going to deploy it, etc -- lower priority. One of the problems with that is that we went out and documented a bunch of the stuff we've been saying here in this group and doing an enormous amount of work which has moved things forward a bit, but not far enough. The onus is on us because we want to do something; all anyone else has to do is just object. One reason the onus has continued to be on us is because we've been very receptive to questions and concerns of people outside this group. It is getting to the point where we're wondering when we've done enough work.
Manu Sporny: Eric, we can't object to their work because some of them aren't doing any, and others of them aren't working on the problems we're working on. They are just objecting to our work because they think we're working on the same stuff, but we're not.
Nate Otto: I have found this group to have some members who have clear ideas about a technical direction to proceed in, but that those people are very open to making sure that we are building the right technology and formulating our use cases properly. We hope this effort moves forward. (Nate Otto, Director, Badge Alliance)
Eric Korb: Manu, thx
Manu Sporny: The only work out there to "object" to would be things like OpenID Connect/OAuth/SAML/etc, but we don't even necessarily object to those technologies, some of them may work for their use cases, etc -- this again has to do with the misunderstandings. SAML and OpenID Connect doesn't work for our use cases, and that's the issue. There is work we're doing like the expression of a digital credential, there is no work out there that is as extensive as we've done. There are things like "here's how you can express an email address or a name" but there's no work about cryptographically verifiable claims like education credentials, doctor's licenses, where people work, etc. That is being proposed/created by this group.
Chris Webber: So I'll speak up mainly so that I am on the record. For me, this work is very important because in order to really see federation succeed, I think we need to have clear authorization systems and methods of verifying that communication has come from one place to another. We've already seen this in the ActivityPump spec, where we are basically forced to keep record of conversation forever in order so that clients can verify its source.
Chris Webber: This is bad if you are concerned with privacy.
Henry Story: Though you need to be careful about authorization.
Eric Korb: +1 Nate
Chris Webber: Right
Chris Webber: Authentication and credentials are one of the notoriously hardest parts to get working right in federated systems. I have a lot of confidence in the members of this group to think things through well.
Manu Sporny: So I'm going to play devil's advocate here; W3C staff would channel these other people and say "Yes, but, you need a clear set of use cases and you need buy in around that set of use cases and you need to talk about capabilities before you talking about specs or anything of that nature."
Manu Sporny: I can take the minutes from today and push back. The group can say "We'd like to just do the interviews in the group and talk about it with them."
Manu Sporny: It seems like there is consensus around the group that "creating a new CG wouldn't address the issues". People feel that they aren't being heard so let's bring them in and listen to them and write down those concerns... and maybe from that we can figure out if people think they are being heard or if we need a new group."
Eric Korb: +1 Chris
Manu Sporny: I think we have high attendance in these calls because we've really tried to be open and transparent.
Dave Longley: I second the notion to figure out if the group is neutral - why don't people come to the group and receive their concerns - why don't we just try that instead of assuming this group is not neutral. They should come and try out the group - that hasn't even happened yet. The people that have these concerns haven't even come to the group to try it out. Let's give it a shot. If a new group needs to be created, so be it. [scribe assist by Manu Sporny]
Dave Longley: I would expect that we'd give them a warm welcome and address their concerns. [scribe assist by Manu Sporny]
Eric Korb: +1 Dlongley
Henry Story: +1 I agree. I am new to the group, and it feels very friendly here.
Manu Sporny: So I think consensus is that we should invite people who have concerns and we can spend 30 mins to 1 hour with them and clearly document their concerns and how they'd like to proceed. Once we've done that, we could talk to them and ask if they feel that they are being listened to.
Chris Webber: Yes, I've experienced a lot of patience and thoughtful consideration with my questions here :)
Manu Sporny: Then we can see where we are at that point. So let's not start a new group and instead invite people here and see what they have to say and we'll document and circle back around and see if they feel heard. If they are, there's no need to create a new group.
John Tibbetts: I support the work in this group because it takes a higher-level semantic viewpoint for web security; that is, a concept of credential, rather than just focussing on the lower-level flows and protocols...This is what we need for the more semantically rich credentials to support something like an electronic transcript. John Tibbetts, IMS Global Chief Product Architect.
Dave Longley: +1 To that proposal
Henry Story: And I think the other is to speak about the size of the members support
Brian Sletten: I think the other part of the response would be to just find out what the exact objections are that are keeping us from moving forward. If they don't act in good faith, what is our recourse?
Henry Story: ( I don't actually know how big the support is being new to this group )
Manu Sporny: Yes, to get that before we proceed. We want it to be clear to us that we aren't wasting our time and so it's clear to the others what is happening if they don't participate in the discussion.
Manu Sporny: Eric, if they dont' show, we need to clearly negotiate what happens in that case. I'm going to strongly assert that the work should not stop if they don't show. We've got a number of people around the table that want the work to proceed; we don't want it held hostage by people who won't discuss.
Eric Korb: As CEO of Accreditrust, I echo Nate Otto's comments, "I have found this group to have some members who have clear ideas about a technical direction to proceed in, but that those people are very open to making sure that we are building the right technology and formulating our use cases properly."
Manu Sporny: There's already enough member support to approve a charter and the hope is that it's growing.
Manu Sporny: We have 44 organizations saying "Yes, we want this problem solved", 17 of them are W3C members, 7 of them are non-members that would join, and 16 of them are sitting on the fence.
Eric Korb: I also support the opinions of JohnTib, "I support the work in this group because it takes a higher-level semantic viewpoint for web security; that is, a concept of credential, rather than just focussing on the lower-level flows and protocols...This is what we need for the more semantically rich credentials to support something like an electronic transcript."
Manu Sporny: I'm going to take what has been said in the call today back to W3C staff. Say that the group would like to start by interviewing all these folks that have not been necessarily supportive/critical of the work, etc and get all their thoughts down. And that specifically that we feel that creating a new group is unnecessary; that this is an open forum. People and their orgs can come in and we can document their concerns.

Topic: Tasks for Credentials CG

Manu Sporny: The more people we have on these tasks and the faster we can get the list done the faster we can get to a charter for a WG. A lot of this is documentation work. We need to explain our thinking around each one of these items. Will anyone volunteer for what's on that list?
Brian Sletten: What's the time frame?
Nate Otto: I can put some time in... looking
Manu Sporny: ASAP. If we can get it all done in 4 months, we can potentially get a group started then. If it's 8 months, it's that long.
Henry Story: My guess is that January would be the fastest any work can be done.
Manu Sporny: If you say, for example, say you sign up for "Create a comparison between Identity Credentials and OpenID Connect" then you'd write a paper/blog post on that.
Brian Sletten: I'll commit to a couple of them.
Nate Otto: I can do one or two of the comparison blog posts at least.
Manu Sporny: Just tell me offline what you're signing up for and I'll put your name beside it.
Henry Story: I am still too new to this work, but I'll be interested to review
Eric Korb: I updated doc
Nate Otto: I can do both SAML and OpenID Connect.

Topic: Linked Data Fast Track WG Update

Manu Sporny: We demo'd the credentials work to Sir Tim Berners Lee's team at MIT. I know Henry is involved with that team as well. There is consensus to coordinate on RDF Dataset Normalization and Linked Data Signatures. I had a fairly in depth conversation with Tim about that. Right now there is a fast track proposal for the RDF Dataset Normalization work. We will work on a charter and still need 20 votes, but believe we can do it. There's no one pushing back, it's just a matter of writing the charter, get feedback, and then put in front of W3C staff and then membership for a vote.
Manu Sporny: Any other concerns/comments on the direction we're taking over the next week or so?
Henry Story: Is that Linked Data Fast Track _Platform_ or just Linked Data Fast Track?
Manu Sporny: Henry, it's really "Specification Fast Track" - one of the first specs might be the RDF Dataset Normalization spec.
Henry Story: What is the Fast track thing? Is it to do with LDP or with Linked Data?
Henry Story: Ah cool
Manu Sporny: It's to do w/ general W3C process. A number of the member companies at W3C TPAC this year were trying to figure out a way to get a spec to REC faster than the 4+ year process it takes.
Manu Sporny: JSON-LD made it through in 2 years.
Manu Sporny: I think they're trying to speed it up to 1 year now.
Henry Story: Btw. does your normalisation algorithm allow me to normalise rdf to disk, so as to minimize differences when someone edits a file?
Manu Sporny: The idea is that you start at CR (if you have a fully baked spec, at least two implementations, and a test suite)
Henry Story: Nice
Henry Story: And here they want to do PATCH too?
Manu Sporny: The normalization algorithm that dlongley created does enable you to normalize RDF to disk
Manu Sporny: PATCH may be in a different fast track group
Manu Sporny: We're trying to focus on something that has an almost guaranteed chance of success.
Henry Story: Yes. makes sense.
Manu Sporny: There are some that are saying that LD Patch isn't ready
Manu Sporny: I don't think anyone is saying RDF Dataset Normalization isn't ready.
Manu Sporny: We're just trying to reduce the number of variables that might create failure.
Henry Story: ( I can imagine that it can be complex as new mathematical algorithms come out )
Manu Sporny: There are improvements that could be made (for example, memory consumption w/ large bnode graphs), but we have to cut version 1.0 at some point.
Manu Sporny: And the solutions that the algorithm creates aren't wrong, we just need to seek if we have consensus since a standardized solution doesn't exist right now.