Manu Sporny: Expecting to do some intros today, but they don’t seem to be on the call. ✪

Brian Sletten: Just got back from Las Vegas and spoke to NACS about credentials, and they are interested. ✪

Manu Sporny: Anything we should do/change as a result of your presentations? Are we aligned with their expectations? ✪

Brian Sletten: Nothing to change, they now know that there is something interesting going on here, tried to get some of them to join. ✪

Henry Story: Also have stuff to talk about. ✪

Manu Sporny: We reved the spec - https://tools.ietf.org/html/draft-cavage-http-signatures-05 ✪

Henry Story: Ah good thanks ✪

Manu Sporny: We have a new version of the HTTP Signatures spec, with minimal changes so it won’t expire. We had a bunch of emails that it had expired and concerned that we wouldn’t take it forward. ✪

Carla Casilli: You may know me from Mozilla and Open Badges, noew working with IMS Global. ✪

Chris Webber: Would it be useful for me to give a brief introduction? ✪

Chris Webber: I’m Chris Webber, working on the W3C Social Web WG. We’re working on ActivityStreams/JSON-LD federation standard for having an experience between decentralized sites. Credentials are important for this. ✪

Manu Sporny: https://docs.google.com/presentation/d/1ithW3t-ahelw_0jsAbVmhXi5NyRl_-BAW6hMnJmoixc/edit?usp=sharing ✪

Carla Casilli: Hey everybody. Glad to be here. If you would like to connect my contact information is as follows. email: ccasilli@imsglobal.org ; twitter: @carlacasilli ; skype: cmcasilli ✪

Manu Sporny: We’re prepping for two presentations at the end of October at TPAC. There’s one on the credentials work; it tries to summarize the survey we sent out; we’re up to 43/60 responses. ✪

Manu Sporny: Anonymized results of survey (43 responses): http://opencreds.org/presentations/2015/w3c-tpac/anonymized.html ✪

Manu Sporny: The demo shows the entire credentials eco-system. ✪

Tim Holborn: +1 ✪

Chris Webber: Are there links to more decentralized identifiers stuff? ✪

Chris Webber: It being not linked to domains sounds great ✪

Dave Longley: My comment is to point out that the window that pops up is something that would be standardized in the future. ✪

Henry Story: You’re thinking of this as part of the credential management API. ✪

Tim Holborn: V.bad echo. please turn down speakers... ✪

Dave Longley: It’s intended to be a URL or URI with the “did” scheme, that can be fetched. ✪

Chris Webber: I have a question once henry's question is resolved ✪

Henry Story: If you loose your private key, you can loose access. ✪

Dave Longley: We can talk about that later. ✪

Manu Sporny: We can also use HTTP URLs, but if you don’t have control of the URL (which you can’t really), that is compatibile with this sytem. We thing that DIDs are a great solution, though. ✪

Chris Webber: Interesting ✪

Chris Webber: This sounds interesting. Where are these stored, and what is ussed to retrieve a DID? ✪

Manu Sporny: In the future, they’ll be on a WebDHT; this technology has been around for around 15 years. We need to bring the technology on the web Rather than create a new protocol, we can build it on top of HTTP/HTTPS. ✪

Henry Story: It will be interesting to make sure we can do this in an orthogonal way, so that WebID could be based on this. ✪

Tim Holborn: Does WebID = Agent? or Legal Entity? or Person? ✪

Tim Holborn: FYI: http://www.w3.org/wiki/WebID ✪

Dave Longley: What you’re saying is inherent in the design. It’s like a WebID with a URL you follow to get information about the person. There’s a concept of a DID you can choose, so that it follows you around instead of being tied to a particular domain. We support any kind of URL, but we’re showing the DID concept. ✪

Manu Sporny: We’re proposing what we think the ideal is, but make sure that it’s open to other solutions. ✪

Tim Holborn: What do browsers need to do to make this work if anything? ✪

Chris Webber: I don't have questions, but I think I need to get a list of all relevant specs ✪

Chris Webber: And read through them ✪

Eric Korb: That's ekorb SIP ✪

Henry Story: You go do the DMV, login with your ID (DID), they sign a document saying that the person with the DID has various properties. The browser accepts the Cert in the browser, where it can be stored at an IDP, or stay in the browser. ✪

Tim Holborn: Cheers\ ✪

Eric Korb: Dlongley, joim.me info? ✪

Tim Holborn: https://join.me/digitalbazaar ✪

Manu Sporny: Goes to a credential consumer. You create a bank account, they can pre-fill information by submitting a drivers licence, a cert version can ensure that information is not fraudulant. ✪

Gregg Kellogg: What does the bank need to do to verify that credential. [scribe assist by Manu Sporny] ✪

Manu Sporny: First step is to check basic syntactic validity. It can then fetch the PK, to be sure it matches. ✪

Nate Otto: +1 On that countersignature by the credential's recipient. ✪

Henry Story: If there’s a way for the consumer to say what kind of credentials the accept (who they trust), so the client can filter among stored credentials. ✪

Dave Longley: We’re looking into that; they could specify properties of credentials they want, and may also show the set of issuers they trust. ✪

John Tibbetts: I still find it hard to visualize are the workflows among the parties. This would be a great topic of a future Manu-Cast. ✪

Manu Sporny: There’s a privacy component to your question, you really don’t want to reveal anything other than your age. Not even exposing your DID. ✪

Eric Korb: 6 Points of identity ✪

Eric Korb: Plus, photo id ✪

Tim Holborn: Does a mechanism exist that discourages groups from demanding more information from a credential than is required for legal purposes? ✪

Manu Sporny: Yes and no. The way that the system works right now is that the consumer queries for a set of attributes that they need to know about you. ✪

Eric Korb: So, at the liquor store, they would have you scan a QR code that would request your ID. ✪

Manu Sporny: So if they just need to know your name the query is just name and you're taken to the IdP to prove your name. Your Idp shows you 20 creds with your name. We're hoping the software and the people make it obvious that you pick the credential(s) with the least amount of information. It's up to you to decide what you ultimately hand over. ✪

Tim Holborn: Given the potential explosion in identity requests, has any consideration been made into reputation? ✪

Tim Holborn: Ie: perhaps using ontologies to describe what might be required to fulfill particular requests. ✪

Eric Korb: A privacy question: As a best practice, I suspect that we would not want people to publish credentials on a public website that contain their DID. If they did they could be tracked. If I publish my driver's license on linked in then people could track me with any credential I ever put out there. ✪

Manu Sporny: Maybe, it just depends on how public you want that particular identity to be. You can have many identities. Maybe it's your public identity and you get credentials for it and publish those and you don't have a problem with exposing that information. ✪

Tim Holborn: Ie: if an adult website or online game, that may simply require name or proof of age, requests more information for say - ‘free credits’ , perhaps reputation plays a role? ✪

Manu Sporny: There may be requirements to keep things hidden, however, sometimes. Like any healthcare credentials. ✪

Tim Holborn: I imagine part of that is beyond the scope of credentials spec. Yet support for ontological functional adaption may need to be included? ✪

Manu Sporny: There isn't a clear answer to the question, it follows practices of today, some things you want public and some things you want private. ✪

Eric Korb: So, that makes a case for multiple IdPs ✪

Carla Casilli: You answered some of the questions I had, one was about atomic level credentials, not needing everything in a credential, just a few bits of information. So my other question, your provider is saying "Here are five credentials that are being requested of you." I'm wondering about the owner of these credentials and how people juggle that? Will IdP help handle that, if so how? ✪

Manu Sporny: There is a competitive marketplace for IdPs and one of the factors would be how well they help you select the credentials to use. ✪

Manu Sporny: An Idp could say this is the credential you should share because it exposes you the least amount of information. Another might say "You use your driver's license all over the Web, just go ahead and use it again." ✪

Manu Sporny: It's up to IdP software to compete to help you the way you want. ✪

Eric Korb: By default credentials are private, you have to make them public by choice. ✪

Manu Sporny: Yes. ✪

Tim Holborn: Privacy by default; for the entire credential? or for elements of the credential? is it all or nothing? ✪

Henry Story: What I was thinking of is, I suppose one reason for integrating the IdP in the browser is that if you authenticate to one site with 3 different credentials, then in fact they can get the sum of that information. If the IdP doesn't know who you are connecting then it can't help you make certain decisions. It seems like you'd need that sort of thinking for automation. ✪

Henry Story: On the other side, imagine if you had different IDs, one for your age, one for your driver's license, one for membership of a club, you could have other credentials that identify those? You could have as many of those credentials that identifier (owl:sameAs relations). ✪

Manu Sporny: Yes we want to automate these processes as much as possible. ✪

Dave Longley: Quick response - there are other technologies out there that don't fully provide all features that we need. Some of these other protocols, the way the protocol is designed requires the IdP to know all sites you're logging into. [scribe assist by Manu Sporny] ✪

Dave Longley: You can provide the IdP with where you're logging into, but that is not shared by default. [scribe assist by Manu Sporny] ✪

Tim Holborn: Here ✪

Tim Holborn: Has any consideration been made into reputation? ✪

Tim Holborn: Ie: perhaps using ontologies to describe what might be required to fulfill particular requests. ✪

Tim Holborn: Ie: if an adult website or online game, that may simply require name or proof of age, requests more information for say - ‘free credits’ , perhaps therein a mechanism around reputation might play a role? ✪

Tim Holborn: Thereafter: i imagine part of that is beyond the scope of credentials spec. Yet support for ontological functional adaption may need to be included? ✪

Tim Holborn: Therein; by privacy by default; is that for the entire credential? or for elements of the credential? is it all or nothing? ✪

Manu Sporny: "Are there any ontologies for requests?" The requests use linked data so we can arbitrarily extend them in the future as needed. ✪

Manu Sporny: RIght now they are attribute based. ✪

Manu Sporny: Yes, you can have reputation-based credentials, absolutely. ✪

Tim Holborn: I mean... ✪

Tim Holborn: Mailing list it... ✪

Manu Sporny: I don't know what you mean by "ontological functional adaption" ✪

Manu Sporny: When it comes to a credential itself, it's all or nothing (in terms of privacy), because of the limits of cryptography at the moment. We can ask issues to atomize the information as much as possible. ✪

Dave Longley: It's all-or-nothing right now, there are cryptographers working on getting around this but there are lots of limitations right now. ✪

Manu Sporny: It's up to people in the market to create and publish reputation ontologies and issues to use them, etc. ✪

Tim Holborn: Sorry - i copy and pasted it to make it easier for you… cheers. i’ll follow-up on the list. ✪

Henry Story: What is the relationship with HTTP signatures? ✪

Manu Sporny: They are designed to give you access to this system. They are meant for machines or agents to be able to access Websites. ✪

Dave Longley: The flow that we showed today is a browser-based API [scribe assist by Manu Sporny] ✪

Dave Longley: In the future, you may give automatic access to certain credentials to certain consumers - in those systems, where you are preauthorized, there are the issuers and consumers - they use HTTP Signatures to authenticate. [scribe assist by Manu Sporny] ✪

Tim Holborn: Is it possible to make hierarchical credentials that create in effect a package of crednetials? ✪

Tim Holborn: Ie: a drivers license is made up of several child credentials…? ✪

Tim Holborn: Ie: Age, Address, DL ID, etc. ✪

Chris Webber: Very helpful! ✪

John Tibbetts: Very helpful ✪

Manu Sporny: Any other questions send to the mailing list, hopefully this was helpful to everyone and to understand the flow for where we are today. ✪

Tim Holborn: Thank you… good to see ;) ✪

Manu Sporny: Thanks everyone for the call today! ✪

Dave Longley: Mediaprophet, you could provide the same information a driver's license provides by combining other credentials together ✪

Tim Holborn: Yup ✪

Tim Holborn: That was what i was thinking ✪

Tim Holborn: So, the DL ends up being a credential package ✪

Dave Longley: When a consumer requests attributes, what you essentially do is what we've been calling ✪

Dave Longley: "Compose a view of your identity" ✪

Dave Longley: You pick N credentials ... and those, together, will provide the attributes requested ✪

Tim Holborn: Therein; if someone needs Proof of Age, perhaps the Sig. on the Age constituent is an element ✪

Tim Holborn: Yet. ✪

Tim Holborn: For trust purposes, they might want the age you’ve listed on your DL ✪

Dave Longley: So what gets sent to the consumer is an "identity document" with a bunch of credentials ... which, with JSON-LD processing ends up being a doc with a bunch of attributes on it for use ✪

Dave Longley: Anyway, this stuff is all linked data, so it's fairly flexible ✪

Dave Longley: We don't know what people will want to put in these credentials and we don't pretend to know it ... so we get out of the way and let people innovate. ✪

Tim Holborn: Understood… With a Digital Cinema Package or DCP. ✪

Dave Longley: We just want to ensure interop ... and then let markets evolve as needed. ✪

Tim Holborn: https://en.wikipedia.org/wiki/Digital_Cinema_Package ✪

Tim Holborn: It’s basically got a bunch of files in it. ✪

Tim Holborn: I think it’s best i follow-up on the mailing list. ✪

Tim Holborn: Ok [scribe assist by Dave Longley] ✪

Tim Holborn: It’s also 3:19am here. so probably better in the morning ;) ✪

Dave Longley: Yes :), gnight! ✪

Tim Holborn: Cheers. really enjoyed the demo. ✪

Dave Longley: Great :) ✪

Chris Webber: Indeed ✪

Chris Webber: Really interested in exploring further ✪

Chris Webber: Just downloaded http://opencreds.org/specs/source/identity-credentials/ to my e-reader, will read over tonight ✪

Chris Webber: Be warned that's pretty out of date. [scribe assist by Dave Longley] ✪

Tim Holborn: I think the simple version, is that i’m thinking about a tree structure. So the child results are simple claims like age, etc. the parent record might reference those claim documents and use them to create a ‘parent’ claim, for example - drivers license. Theory being around whether it’s possible to in-effect create a credential where a check-box (for instance) could be used to select that ‘age’ element, of a DL. ✪

Chris Webber: Dlongley, is there newer material I should read? ✪

Dave Longley: Paroneayea, don't pay attention to any of the REST API stuff. ✪

Tim Holborn: Being that it is part of the ‘trust provider’ delivered by the motor authority ✪

Tim Holborn: Yet, don’t need to supply the entire claims chain, contained within the parent cred. ✪

Dave Longley: Paroneayea, if you want to know about the API used in the demo: https://github.com/digitalbazaar/credentials-polyfill ✪

Dave Longley: The stuff in the Identity Credentials spec regarding how things are marked up isn't too far off ✪

Henry Story: I suppose one question is how does the idp send the credentials to the Relying Party? In OpenId it is via a redirect, but that requires a URL with encoded attribute values. Is there another way? ✪

Dave Longley: It's worth reading that spec anyway, just know that a lot of what was in the demo hasn't been updated in the spec ✪

Dave Longley: Mediaprophet, there are certain limitations based on cryptography for plucking out bits of a doc ✪

Tim Holborn: Understand. ✪

Tim Holborn: Yet, question might be whether you can create a cred. that incorporates other creds. ✪

Henry Story: With the browser API, the IdP sends them to the browser [scribe assist by Dave Longley] ✪

Dave Longley: Via a JS API ✪

Tim Holborn: And thereafter package them in some way... ✪

Henry Story: Is that a new API? ✪

Dave Longley: Bblfish, https://github.com/digitalbazaar/credentials-polyfill ✪

Dave Longley: Bblfish, yes, it's a new API ... we're slowly converging with the Credential Management API ✪

Dave Longley: This demo was our largest move towards it ... we're not too far off now. ✪

Henry Story: Great. ✪

Dave Longley: Essentially `navigator.credentials.get()` is called on the consumer site ... just like the Credential Management API ✪

Dave Longley: It returns a Promise that will resolve, eventually, to the credentials (or "identity document containing credentials") selected at your IdP ✪

Dave Longley: After you go through the flow. ✪

Dave Longley: Similarly, you call `navigator.credentials.store` at the issuer site to store something ... it returns a Promise that will resolve once you've done something at your IdP. ✪

Dave Longley: And this is all polyfilled with postMessage and iframes and such. ✪

Dave Longley: (Full source available at that link) ✪

Dave Longley: https://github.com/digitalbazaar/authorization.io ✪

Dave Longley: Also open source^ ✪

Dave Longley: That's the code the `authorization.io` site runs that acts as the part of the browser that would run the flows and display your IdP and so on. ✪

Tim Holborn: Nb. before manu picked-up the questions, i copy / pasted them, trying to make it easier… so in effect, there’s duplicates ✪