Manu Sporny: On agenda, update to WG plan, recruiting, and maybe DIDs discussion. ✪
Topic: Credentials WG Plan
Manu Sporny: I had a discussion with W3C Staff last week, and the payments IG had a discussion on Monday. ✪
… Due to feedback in round-table and W3C got after F2F meeting ,,,
… A number of people came back saying they didn’t intend for it to be struck.
… We have a go-ahead for pitching a WG to W3C.
… W3CM would like to see a list of organizations that are committed to joining the work if it gets started at W3C. We have a list started, but we need more organizations interested.
Manu Sporny: They’ve looked at the list in Credentials CG and would like to see more representatives from a broader set of organizations. ✪
… They’d like to see about 30 organizations before they’re comfortable with proposing a new WG to W3CM.
… There are a number of back-channel discussions working against us, particularly from the security community.
… Unfortunately, they’re not coming here, but are voicing directly to W3CM.
… There are 2 blog posts/papers they’d like to see us put together to counter these arguments.
… 1) What makes this credentials approach different from the last 15 years of approaches that have failed: SAML, OpenID Connect, …
… 2) Define where W3C can add value. Why should the work be done at W3C vs IETF/OASIS/ISO?
… The Payments IG will wait for us to put this strategy together, in concert with some W3C Staff, to put together a proposal that will be a sell to W3CM.
… Also joining will be some banking and finance, who were taken aback by what happened at the Payments IG F2F.
… That puts us in a better position than a week or so ago, but still not where we want to be.
Richard Varn: What would be the timeline for deciding yes/no, and where? ✪
Nate Otto: Are the concerns shared specifically about security and privacy? Was there anything specific that was critiqued about the suggested technical approach in this CG? ✪
Manu Sporny: The question will be does W3CM feel comfortable proposing a draft charter to the membership in August? That would be the most aggressive thing that can happen. ✪
… We may still be able to have our first meeting at TPAC.
… Less aggressive would be September, which would be too late for TPAC. We’d probably try to have a meeting there anyway. That would drive more people into the group.
… Or, we can’t do it at all :(
Nate Otto: Were concerns from security and privacy related directly to that? ✪
Manu Sporny: I don’t think the loudest critics really understand what we’re trying to do. ✪
… “I don’t think it’s a good idea to create an identifier that can be used across multiple websites”, for example.
… There is privacy push-back; they’d rather see bearer credentials.
… Also against using an email address.
… I think this group cares very deeply about privacy, and we want to be sure we are as privacy enhancing as possible, without gutting the core use case.
Nate Otto: +1 To being as privacy-enhancing as possible without gutting the core use case. ✪
… The other thing is security: “why aren’t you guys using JOSE for using signatures, why propose a new mechanism?”
… Thinks we’re trying to end-around the security community with LD-Signatures, and trying to go around JOSE.
… It’s not that, but they’re quite focused on JOSE, and don’t have spare-bandwidth to look at LD-Signatures. Clearly we’ll get a good security review.
Nate Otto: Working in the badges community, we have concerns as well. Is it possible to put the genie back in the bottle? ✪
… Eventually we’ll need a high-level security review, but we could always go back to JOSE if LD-Signatures won’t work. We’ll work with the security community to make sure we have a valid solution.
Manu Sporny: Also, note that LD-Signatures is not inventing new cryptographic methods. The problem is that the statements are coming from someone who doesn’t understand this. We’re simply re-using RSA, elliptic curve, … ✪
… The new thing is the normalization and message structure of the signature.
… Once security folks at the F2F understood this, they thought it would be straightforward.
Eric Korb: The idea of signing the credentials, is it critically important, or is it an option? ✪
… The Badge Alliance is mostly doing hosted credentials, and signing isn’t as important.
… Can we make this optional?
Manu Sporny: Sure, they don’t need to be signed. There can be other ways of validating. ✪
… If an open badges badge has an alternate way of validating, that mechanism could be used.
… Signatures are for hard cases like financial use cases.
… Other industries don’t have the same high-stakes requirements.
… If you receive a signed credential, you don’t even have to validate it.
Eric Korb: A receiver should validate, if it needs to. If it’s not there, and you don’t mind it not being there, you should be able to use it. ✪
Richard Varn: We should probably be exploring a parallel path, in case the W3C doesn’t work out. ✪
Manu Sporny: I have some concerns over sending mixed messages if approaching both W3C and IMS Global. ✪
… We may want to take IMS Global guys aside to discuss them as an alternative.
Eric Korb: I don’t think it’s an either/or, it’s a “please join the work” ✪
Richard Varn: There’s an opportunity for IMSG to bring some new things to the table. It’s getting them to associate the work they’re going to do anyway with the W3C initiative. ✪
… It could grow into a broader standards effort if we don’t get anywhere with the W3C.
Eric Korb: The project we’re currently working on is eTranscript, to be demoed at Educause. ✪
Manu Sporny: This group is focusing on recruiting. I have an action to write up 2 blog posts about what’s different about what we’re doing. ✪
Matt Collier: Working with Digital Bazaar on this and authorization.io. ✪
Christoph Dorn: I work independently. My focus is on software tooling. I’m interested in creating an open prototype embodying the specs and staying up to date, and allow people to on-board early. ✪
Jim Goodell: I’m with Quality Information Partners, we’ve been working on common education standards. I’m interested from education- and workforce-credentials cases. ✪