The W3C Credentials Community Group

Verifiable Claims and Digital Verification

Go Back

Credentials CG Telecon

Minutes for 2014-09-30

Tim Holborn is scribing.
Manu Sporny: On the agenda today, making sure people know about the Web Payments use case vote, are registered for TPAC, and going through the use-cases. Any other additions/changes to Agenda?
No changes.

Topic: Web Payments Use Cases Vote

Manu Sporny: Web-payments use-group have finalised a draft that will be presented to the W3C Interest group at TPAC
Manu Sporny: Basically the use-cases are more-or-less revised. these cases came from paris. alot of identity use-cases moved into this group.
Manu Sporny: This is the use-cases, credentials is a big part of the use-cases. although it has been set in stone for web-payments, it’s very much the requirement for credentials group. A vote is going on, if this is agreed upon. it will be the responsibility of this group to define the credentials solution
Manu Sporny: If anyone here is involved with web-payments, make sure you get involved with the vote. Basically, look at the use-cases and identify what the technical requirements will be for the web-payments work.
Tim Holborn: Questions about the privacy stuff, what about the ODRL group? Is that fit to print? I need to follow up on that with you at some stage. [scribe assist by Manu Sporny]
Tim Holborn: We spoke about the privacy work and I'm not sure if it's going to fit the work, I'll follow up. [scribe assist by Dave Longley]
Manu Sporny: I don’t know if we have the data rights stuff in there, I don't think we do have it in the Web Payments Use Cases doc.
Manu Sporny: My concern is that we were talking about data rights in credentials, but not in web-payments. we need to do both
Manu Sporny: Because your purchase / transaction history can be used to track you.
Manu Sporny: And ODRL we need to touch base with from both groups.
Manu Sporny: The other thing to pay attention to, is that the payments process is exactly the same proces the credentials group will need to go through.
Manu Sporny: My hope is that we’ll be able to go through exactly the same thing in the next few weeks
Manu Sporny: Any other questions?

Topic: Register Now for W3C TPAC

Manu Sporny: Web Payments IG now on the schedule
Manu Sporny: Important thing to note is that the web-payments session is in the schedule now.
Manu Sporny: (W3C Web Payments Activity) the web-payments interest group is listed. the vote to create the Web-Payments activity at W3C is going on now.
Manu Sporny: If you are going to TPAC - make sure you register for the Web-payments group if you want to discuss the credentials work.
Manu Sporny: Talking about schedule….
Pat Adler: Is the meeting on wednesday?
Manu Sporny: (Discussing the way TPAC is organised this year). Basically, we can have the credentials meeting on Mon/Tue instead of Wed.
Manu Sporny: The internet identity workshop is happening on the wednesday.
Manu Sporny: Perhaps we’ll announce an ad-hoc meeting on the wednesday.
Tim Holborn: Still working on funding to get over there, if you could help w/ getting access to the W3C TPAC as an Invited Expert. [scribe assist by Manu Sporny]
Manu Sporny: Let's take the discussion offline, Web Payments group is being very strict about Invited Experts (which is unfortunate for the preliminary meeting). [scribe assist by Manu Sporny]

Topic: Advanced Use Cases (Tim Holborn)

Manu Sporny: We went through the use-cases Tim Brought-up in the first email last week.
Manu Sporny is scribing.
Tim Holborn: So, peer-to-peer advertising - concept was to wrap an Offer statement as a payment URL.
Tim Holborn: Conceptually, make the offer discoverable.
Tim Holborn: That Webizen system searches FOAF URLs, so if you type in "tim" it'll pull information out from decentralized identities.
Tim Holborn: This is about writing some sort of HTML-style document where you can specify an offer, and then potentially create a claim on that offer w/o needing to integrate it into a traditional content management system.
Tim Holborn: Like an eBay or traditional merchant type website.
Manu Sporny: This seems like a Web Payments use case.
Should/ can commercial offers be represented by credentials, really? (Joerg Heuer, Deutche Telekom Labs)
Tim Holborn: How do you make sure someone hasn't changed the payment URL? If they change that, then contract would be void.
Tim Holborn: Would you generate a credential from that?
Joerg: If we go too deeply into the shopping experience that won't be good for this group. We'll have a session and something that offers a transaction in the Web Payments work, might not need to go deeper than that..
Manu Sporny: This use-case touches credentials, but likely belongs in the web-payments group. [scribe assist by Tim Holborn]
Tim Holborn: When you're signing the document, does that protect it?
Dave Longley: Yes, if any of the information changes, the signature will fail. You can't tamper with it.
Dave Longley: A credential is a set of statements about an identity that is endorsed by some 3rd party. The most important part is that we're talking about a set of statements about an identity. We don't want to open the scope to be wider about that.
Dave Longley: That's not where we want to go.
Tim Holborn: So the credential, we're dealing w/ the identity of a legal entity.
Manu Sporny: Only thing the digital signature does, is ensures the digital information that was signed cannot be tampered with. [scribe assist by Tim Holborn]
Manu Sporny: Definition we use for credential is very specific, as defined in the charter... [scribe assist by Tim Holborn]
Dave Longley: Take a look at Web Commerce spec, talks about publishing an offer. Describes what an offer would look like. The credentials work comes in where there is an ID for an entity (person providing offer, person receiving payment, etc.)
Tim Holborn: I think where my confusion was was around the generation of the signature.
Manu Sporny: This group is then going to work on the identity, such as drivers licenses, bank accounts and other identity information... [scribe assist by Tim Holborn]
Tim Holborn: What consitutes a credential? The list from the call last week -
... But a credential coud be a 'proof of purchase' to let you access content, etc. Right?
Tim Holborn: Was it documented clearly? [scribe assist by Tim Holborn]
Dave Longley: Joerg, <-- proof of purchase
Dave Longley: Joerg: still not a "credential", but is a digitally-signed document (a receipt) that proves a purchase occurred
Dave Longley: Joerg: (that you can use to access content/service/whatever)
Manu Sporny: Is a proof of purchase a credential? it is a digital receipt. you could say / argue it is a credential. we are arguing it is not a credential. [scribe assist by Tim Holborn]
... Using it as an access key - or to receive a special discount...
Pat Adler: It could be used if was used after the transaction? [scribe assist by Tim Holborn]
Joerg: When talking about digital goods, you could use a digital receipt as a credential.
Manu Sporny: A license to a particular person could be termed a credential. [scribe assist by Tim Holborn]
Manu Sporny: It depends on how the information could be used. but for right now, if you’ve got a bunch of statements about an entity. we’re saying that’s a credential. if it’s something about an asset? we’re saying that’s not a credential. [scribe assist by Tim Holborn]
Dave Longley: I think what's important is that we think of these definitions in how these systems can work together, we need to make sure to keep the scope limited.
Proposal - the subject of a purchase can be a credential - or a book or file...
Dave Longley: There's nothing wrong w/ those arguments, they could all be philosophically argued to be correct, we need to keep our scope limited to identity.
Dave Longley: Otherwise, all of this stuff will bleed together, and we won't be able to work on the technology.
Eric Korb: I agree that definition is clear wrt. licenses.
Pat Adler: Is the difference - anything that is a credential is expected to be used to authenticate?
We don't need to take care of every kind of credentials, I think.
Dave Longley: It might be that in one context something is considered a credential, in another context, it's not.
Pat Adler: Receipts are for verification that something happened, where authentication is for access... maybe more of a heuristic? What types of entities require a credential vs. a receipt?
Pat Adler: Information about organization, government, individual, machine system doing the action - those require credentials for authentication purposes. Perhaps it's a heuristic.
Manu Sporny: The key being we’re trying to narrowly scope the work, we do not need to take care of everything with a credential. [scribe assist by Tim Holborn]
Tim Holborn: +1

Topic: Offer use case

Tim Holborn: I create a document to advertise the availability of my pushbike, including the amount i seek for the bike and the terms (pick-up only).
Tim Holborn: Selling a bike is similar to P2P Advertising. [scribe assist by Tim Holborn]
Tim Holborn: I create a document to advertise the sale of a T-Shirt. I display the price (in local currency) and link to a shipping provider (to automate the shipping fees)
Manu Sporny: This is a Web Payments use case - it's an offer of sale/availability/service. [scribe assist by Tim Holborn]
Tim Holborn: Yup, Let's, move it to Web Payments CG.

Topic: Proof of Contribution Use Case

Tim Holborn: I use a credential when initiating PUT on a project, incorporating a multitude of others, and an agreement for contributing to project. My credential is associated to my contributions for the purpose of remunerating me if the project moves to a point where a revenue is identified
Tim Holborn: Some of these Bitmark images show a variety of use-cases. In the above example; the use-case denotes a ‘proof of stake’ rather than the use of a transactional credential of a fixed financial integer (meaning $1). In the “contribute” example, a contributor may provide 1% of total contribution, or 10% of total contribution for stage 1, or 1% of total contribution to date, or 0.5% of total contribution - upon the date that the project is achieving critical mass (has a million users, is generating revenue, etc.)
Tim Holborn: Contribute: so, the use-case is like using github
Manu Sporny: The general idea is when you are working on a project, you want to associate your identity to your contributions. so if the project moves to the situation where it’s making money, you can be renumerated for it. [scribe assist by Tim Holborn]
Manu Sporny: You need to assocaite it to identity. which means we need some sort of URL that can be looked-up. In the use-cases, it means you can find an identity URL. I think we already have this covered, we don't need another use case. Does anyone disagree? [scribe assist by Tim Holborn]
Tim Holborn: +1
Tim Holborn: +1 - All good..
Sunny Lee: Nope
Dave Longley: +1 - Already covered by the use cases we have

Topic: Proof of Invention Use Case

Tim Holborn: I write a document disclosing an invention i purport to have defined in a manner that would denote the work as being innovative. I publish this specification, incorporating a credential that provides a date-stamp (“priority date” esk). I submit an offer statement with respect to the use of the knowledge contained within that document; and perhaps define a specified market (i.e. use can MFG product for personal use or for commercial manufacture within these restrictions).
Tim Holborn: Essentially - a portion of the intellectual property process is establishing a priority date.
Tim Holborn: So, the objective is to provide sufficient information that supports this priority date requirement.
Tim Holborn: There are several different parts - the first element is you make a claim of some point of innovation (identified a priority filing date).
Tim Holborn: Whether or not the patent should be granted is up to the national authority. So, the main thing - concept around publishing an idea on the Web, have it date-stamped, digitally signed, so that it's effectively the same as publishing via the USPTO.
Dave Longley: I'm trying to figure out what part of the standard would be used in this case. It involves digital signatures, assertion of certain identity writing a document, not seeing what would be standardized around this use case.
Dave Longley: Seems like it would be useful for someone to implement, why is it a credentials use case?
Joerg: This looks like something in EU framework - attribute-based credentials. I might have an institution asking me to ensure that they're not making me give away my identity/credentials. I think we should support attribute-based credentials, in scope - would like to see that. Overall process around it, assuring customer that everything is being done correctly, doesn't belong in credentials work.
Pat Adler: Other interesting angle here is the inputs to the payment group - group working on verification on credentials - they should support for each transaction a composite signature - multiple identities being used to verify a particular claim. USPTO signature, plus mine, plus some other organization (counter-signatures) should be supported.
USE CASE: Support endrosements/counter-signatures on credentials. Signatures can be either dependent on one another (chained together), or multiple signatures on original document (part of a mathematical Set).
Dave Longley is scribing.
Manu Sporny: We want to support both of these use cases: I give a document to Pat and Joerg and they both sign it and give it back -- or I give a document to Pat and he signs it and then gives it to Joerg who signs it (and includes Pat's signature).
Tim Holborn: Is there a use case where the information can remain confidential before publishing?
Manu Sporny: We have the technology to encrypt, so that's not a problem, so the questions is "Do we want to talk about encrypted credentials?" -- and the way most patent systems work is that you need to make a public statement when applying for a patent
Tim Holborn: Don't you need to maintain confidentiality of the invention?
Manu Sporny: Not for patents, in general, you have to make a full disclosure of a patent.
Manu Sporny: For the confidentiality stuff we should be talking about private documents between people or organizations.
Tim Holborn: In the preparation of a concept an ‘inventor’ wants to patent - does it need to be confidential prior to the publication of the ‘patent document’. [scribe assist by Tim Holborn]
Tim Holborn: Ie: drafts.
Tim Holborn: +1
Dave Longley: The disclosure of the patent is what gives you the power. [scribe assist by Manu Sporny]
Tim Holborn: Actually, I see what you mean now.
Tim Holborn: Write a document on the web which supports an identity claim, a date stamp, digitally signed with the capacity to countersign the document
Pat Adler: One of the other derivatives of the counter-signing thing is - what about composite credentials? Combinations of authorizations from multiple parties. You, completing transaction are authorized by multiple organizations. For example, USPTO - combining different elements of credentials from different organizations. In order to open bank account, I have to have different banking credentials (drivers license, government credentials) [scribe assist by Manu Sporny]
Pat Adler: Using credentials issued by separate authorities. [scribe assist by Manu Sporny]
USE CASE: Enable multiple credentials from multiple 3rd parties to be composed together to grant authorization to access a system.
Dave Longley: We probably have a use case that you can provide credentials to authenticate. We want to make sure that we're clear that you can combine multiple credentials in a particular transaction. [scribe assist by Manu Sporny]
Pat Adler: How do I pass along organization's authorization along with my own credential information? We should answer that question. [scribe assist by Manu Sporny]

Topic: Wrapping up Use Cases

Manu Sporny: I think the plan is to try to get through the rest of the use cases next week and then see if we can put all of this in a document and vote on it to be ready in time for W3C TPAC. Anyone have any issues w/ trying to do that? [scribe assist by Tim Holborn]
Tim Holborn: +1
Dave Longley: +1
Manu Sporny: Ok, then we'll do that - organise these into a more definative list of use-cases. and as long as everyone is ok with it, we’ll goto some sort of vote to get the first set of use-case agreed for TPAC. We'll try to do this next week. [scribe assist by Tim Holborn]
Tim Holborn: +1
Dave Longley: +1
Sunny Lee: Thanks everyone
Mary Bold: Thanks!
David I. Lehn: Bye all