The W3C Credentials Community Group

Verifiable Claims and Digital Verification


Credentials CG Telecon

Minutes for 2017-05-16

Manu Sporny is scribing.

Topic: Introduce New Chairs

Christopher Allen: Manu put out a call for new chair nominations, have we received any?
Manu Sporny: Nope, no new nominations.
Christopher Allen: We're going to leave that open for now, if someone else gets nominated, let us know. At present it's Kim Hamilton and myself.
Christopher Allen: My name is Christopher Allen, I've been involved in Internet Cryptography work for a while. I co-authored TLS. I've been involved in ad-hoc standards at IETF... been involved in Verifiable Claims for 2 years or so. Also AC rep for Blockstream.
Kim Hamilton Duffy: I'm Kimberly Duffy, lead designer for BlockCerts. I've been participating in Verifiable Claims for a while, we're finding ourselves turning into a working prototype of the work here. We've been involved in Rebooting Web of Trust as well, very interested in expanding on that work as well.

Topic: New Members

Christopher Allen: Are there any new members?
No new members at this meeting.

Topic: Review of Credentials CG Mission Statement

Christopher Allen: This work started in 2014... with more work before that in Web Payments CG. We have successfully established a Verifiable Claims WG, so now is the time to review what we've been doing and will do.
Christopher Allen: A quick recap of our mission statement... (at link above)
Christopher Allen: There is one thing in here that's core to me - the Credentials CG is to discuss, research, document, prototype credential systems for the Web... that's the core of this.
Christopher Allen: If there is some other aspect of that longer paragraph that we should keep ... or something we should remove.
Manu Sporny: That mission statement hasn't been updated in 2 years and it was put together in a rush. We should update it and make it simpler and more concise. One thing about it that most of the folks don't know about is that we wrote it understanding that there were multiple groups that were hostile to the work at the time. Anyone that was working on things like JWTs/JOSE/SAML/etc may have viewed the work/at least the discussions at the time were "you are reinventing the wheel don't do it". Much of that statement was about allowing us to have the discussion around whether the existing tech could meet the use cases we had. We've come to the conclusion since then that existing tech doesn't but we've tried to integrate the parts that do. I think we should update that mission statement to reflect what we want to do over the next 2 years. I think the environment isn't as hostile as it used to be, the other procedural thing ... we can't change the mission statement without contacting W3C staff and having them update it. We should be absolutely sure with the text we want before approaching them so we don't make them cranky. All that to say, the best thing for that mission statement is to get something on the table and have people nitpick it. Get it into a Google doc and have people comment and have chairs try and capture the essence. [scribe assist by Dave Longley]
Christopher Allen: I'd like more comments, but no proposals just yet.
Joe Andrieu: Reading this, the first thing that pops up is that credential didn't seem quite right.
Joe Andrieu: The credential isn't a statement about a fact, it's an assertion about something by an authority.
Manu Sporny: +1 To what Joe just said.
Matt Stone: +1 To JoeAndrieu comment
Christopher Allen: We need to consider something that happened six months ago - a number of the specs that the Task Force was working on got moved over to the Digital Verification CG.
Christopher Allen: What's important about that group is that these are the signature standards. For instance, reading the mission statement...
Christopher Allen: The mission of the Digital Verification Community Group is to study, design, promote, and deploy systems that increase trust on the Web. These systems include, but are not limited to signature systems, data normalization algorithms, and computational proof systems.
Christopher Allen: There's some interesting work going on there - Merkle Proofs, Proof of Existence, etc. I'm the Chair of the CG... mailing list isn't active... considering our role in this CG... does it include that CG? Merge back? Wanted to review that that was there. Wanted to hold off on specific proposals... There are two communities currently.

Topic: Community Group Priorities

Christopher Allen: We need to figure out our priorities going forward... rename the group? revised mission? Merge CGs? Timeframe? Concrete Deliverables?
Christopher Allen: Maybe we can have some discussion, and then talk about the pipeline?
Kim Hamilton Duffy: With regard to signatures, a couple of the near timeframe items that I had a goal to work on with this group is basically coding out something around signature suites. RSA signature suites, Merkle signature suites... those are more follow your nose items... they need to be finished. It would be nice to have an active group to collaborate on with those efforts. Don't know if this is the right group for that work.
Christopher Allen: I may be interested in seeing groups get merged back together. We may want to see the other group as a more crypto-aware group... more CFRG-like. Reviews things as a high level. I have a couple of crypto folks to entice into reviewing these specs. It's been a challenge to get those reviews, one of the ways to get that is to offer a way to have someone put something on their CV doing that sort of stuff.
Nathan George: +1 To the idea of merging the groups... there is some interest at Hyperledger on Verifiable Claims so people outside their ledgers can see/verify the ledgers.
Dave Longley: Thanks
Nathan George: I think being able to do different signature schemes, that work would be useful to do here... we'll have to split participation across both of those forums... consolidating those may have to deal w/ real-world implementation.
Dave Longley: +1 To consolidate until there's a need to split ... which there doesn't seem to be at the moment.
David Chadwick: My question is what about the whole life cycle of using VCs, ie. inspectors telling users which VCs to send
David Chadwick: I could not connect by voice so am only on chat
Matt Stone: +1 On that line of discussion
David Chadwick: Users selecting the correct VCs (ie. giving consent) and then the VCs being transferred to inspectors
Dave Longley: Further developing a protocol/query language for inspectors and so on is definitely in this CG's domain
Christopher Allen: This comes to the larger question... things that the VCWG are not chartered to do... talked a bit about the pipeline... we can incubate things early, at places like RWoT, and then feed into the CG and formalize more, and then go into WG.
Matt Stone: There is a difference between the validity period of a license/degree (profession credential) vs. the term that a published claim can be used/relied upon.
Christopher Allen: Potentially create Task Forces, WG... thoughts there, Manu?
Dave Longley: User selection of VCs, etc. related to a browser polyfill tech, again, something this CG should work on, IMO.
Manu Sporny: We want to be a bit careful with merging the two CGs. Primarily from a messaging layer... the W3C membership, there are 420-450 members, only 5% pay any attention to the CG space. When you come to them with a proposal, if you have something that's very clear, like "we have a new signature format under consideration and the digital verification community has been working on it for a while" that's a better message than it coming from a group with a [scribe assist by Dave Longley]
Dave Longley: Different name, etc. We have to think about branding, unfortunately.
Joe Andrieu: +1 To think about branding wrt merging & naming
Kim Hamilton Duffy: +1 To joint meetings, sounds easier politically
Manu Sporny: We have to think of a name that will put the W3C membership at ease. We don't want them wondering why things are coming from certain groups and it would take a while to educate them. The reason we split signatures out was that we had it in the payments group and people raised eyebrows and then we moved it to credentials and still an eyebrow raise, then moved it to the digital verification group and no more eyebrows. That doesn't mean we have to [scribe assist by Dave Longley]
Dave Longley: Work on it that way -- we can work on it however we want. We can have joint meetings and say we're working on these things jointly with the digital verification group. That would, I think, be more beneficial than just combining the groups. Another way is we could have a Verifiable Claims CG and if the WG gets a good reputation and we say the CG has signatures coming out that are needed for the WG, then that's a good line of argumentation. If the brand if
Dave Longley: Good we can use it if it's good in a year or two, or we continue to use the digital verification branding. And make that where we put signatures and so forth there. I'm a bit hesitant to recombine the groups and we spent some effort splitting them apart.
Manu Sporny: That's the signature format stuff. The pipeline ... one of things we've worked hard to do over the last, even before the Credentials CG was formed it was in Web Payments, 4+ years. We've got a good pipeline finally setup. It's effectively, we incubate super experimental stuff at IIW/RWoT/etc any workshop that will have us. Those end up being formed into W3C like spec, we then take that spec into a CG for incubation and once it's incubated we hand it [scribe assist by Dave Longley]
Dave Longley: Off to a WG.
Manu Sporny: We have this pipeline setup for VC, not only data format and syntax, but protocols, moving over browsers or NFC/whatever, whether we need to work on nice gen tech, blockchain, etc. The core thing is that we have to keep the pipeline alive. Three seconds, super experimental stuff, CG prepping stuff, WG stuff. Any of those stalls or shuts down we have to go through a lot of effort to get it up and working again. We want to make sure all sections of [scribe assist by Dave Longley]
Dave Longley: The pipeline are fed at all times and we have a fairly good idea of what the roadmap is. That might be a hint that one of the things after the mission statement is a roadmap and priorities so everyone knows the focus and where things are in the pipeline. It also helps us with TPAC presentations, etc so people get a heads up for what's coming down the pipeline. This is just a proposal on how we work, it seems to have paid off at present. We hope to
Dave Longley: Continue to have it working for us over the next 2 years.
Christopher Allen: We talked about the pipeline as having 3 phases, but there is a 4th phase - security/crypto review... we've talked about them, but we haven't had that kind of formal aspect of this.
Christopher Allen: The Credentials CG should be doing things like talking about privacy, incorporating Joe's ideas at a high level - what do we need? What do we mean when we talk about Privacy? It's the place for Use Cases that don't fall into the VCWG charter. Human rights use cases, Web of Trust use cases.
Christopher Allen: Once we get down to the details, maybe we need to get into Digital Verification CG sub community. I could see this used by other WGs to sign other JSON messages... JSON-LD messages, but are not technically a Verifiable Claim.
Christopher Allen: If we can support that, that would be good. Maybe we could get two active work items... implementations and finalizing spec - two at a time, of list of things in Digital Verification CG. Separate from higher-level on issuing requirements/reports, DIDs, and other stuff.
Christopher Allen: I'm open to it, recognize the conflict... in some ways, it's clear that we're in the bits level and Kim should be Chair of that group along w/ cryptographer... or we do Credentials CG differently.
David Chadwick: Re: Privacy. At EIC last week, it was suggested that the IETF token binding spec (draft-ietf-tokbind-https-09.txt) can be used to privacy protect VCs and allow them to be transferred from issuer to inspector without the issuer knowing who the inspector is
Christopher Allen: This is another example of a more detailed bit-level spec that could be a part of either group.
Manu Sporny: +1 To looking into tokenbinding in this group.
Kim Hamilton Duffy: I'm fine either way (wrt. splitting groups) - only thing that I'm worried about is if signature folks in this group care about only one side of it. I'm curious to find out more about what the general group is interested in.
Manu Sporny: I think we should gather a list of things we could work on and see where the most amount of interest is and a specific focus on people who would not only work on the spec but implement. [scribe assist by Dave Longley]
Dave Longley: "Champions"
Manu Sporny: Interoperable implementations really moves things forward. Signatures we should polish up and get finished. There are other specs out there like the DID (Decentralized Identifier) specs, lots of implementer interest there. Browser API specs that we really need a long lead time on to pass by Google/Mozilla/etc. to see if they are interested in implementing in the browser. We've had a lot of people list of a number of specs/techs they are interested [scribe assist by Dave Longley]
Dave Longley: In working on. We also have people that don't say much on the calls or people in Europe/Asia/Australia that can't join the calls. Putting out a poll with a list of things to work on and have people rank them that basically tells us what the group should be doing.
Christopher Allen: Having 2 or 3 mailing lists could be a useful way of doing things.
Dave Longley: Was just going to add that it would be good to have champions for different techs -- which are also usually the editors for specs -- important to move things forward.
Joe Andrieu: Please add Engagement Model similar to Joram 1.0.0 to possible work, to help flesh out the pipeline/lifecycle for credentials
Kim Hamilton Duffy: +1 On champions
Manu Sporny: Just to push back a bit on splitting too early ... it's always obvious when you've got too much going on in a group and part of the group wants to split off, but it's really hard to start in three separate groups to get the momentum on any single item. Let's not do multiple telecons/mailing lists, let's just rate a bunch of stuff in this group and then get feedback on what we choose. [scribe assist by Dave Longley]
Manu Sporny: (Reduce overhead until necessary) Split off when it becomes obvious when we need to do that. [scribe assist by Dave Longley]
Christopher Allen: Kim and I will take it as our charge to keep an eye on things, monitor, ask periodically. I agree, one joint call, one joint mailing list, only split when we have to seems reasonable.
David Chadwick: +1

Topic: Potential Work Items

Christopher Allen: I'll focus on new mission statement, personal action item.
Dave Longley: I'm interested in implementation and spec for Credentials polyfill API... this is the main piece that's missing for people that want to share credentials on the web. Digital Bazaar has built a polyfill for this a number of years ago, polyfill API has changed in tandem with Credential Management API... ours is an extension to that spec. We need to figure out if we want to continue down that path.
Dave Longley: There is a lot of different discussion that needs to happen there. Implementation work on that polyfill. Important part of ecosystem that needs to be done.
Joe Andrieu: I would like to put some effort into larger use case. Engagement model for Joram is an example of that. I'd like to pick a use case and walk through it. Lifecycle of a Verifiable Claim.
Joe Andrieu: It has resonance in areas that we can't yet talk about in the VCWG and outside as well.
David Chadwick: +1
Manu Sporny: I wanted to second Dave Longley's browser API spec thing. This speaks a bit to what David Chadwick mentioned earlier in the call. The question of how do we get these things around. How do you store verifiable claims, how do people ask for them, how do we move them around from A to B in an interoperable way. It's critical for the ecosystem to operate. I'm a bit concerned in skipping a step where we document why you can't accomplish this with [scribe assist by Dave Longley]
Dave Longley: SAML/JOSE, we've done some of that analysis but need to write it up. That's also part of the VCWG charter and no reason the CG can't help them with that.
Manu Sporny: I also wanted to mention the DID spec, as those involved in this group have seen over time, it started as a Mozilla Persona thing as a way to do Persona correctly... [scribe assist by Dave Longley]
Manu Sporny: Eventually Evernym folks picked up the work and we helped them put out a spec. It's mature enough to turn into a W3C format style spec and getting two interoperable implementations on that spec would be good to queue that up to get into a WG. [scribe assist by Dave Longley]
Nathan George: I won't queue myself unless others think it is needed (a lot of this has already been mentioned, and is related to the DID suite of specs): Comparisons with OAuth/OpenID Connect/SAML, Protocol work (Claim Request, Claim Response, Proof Request, Proof Response), Signature schemes for anoncreds, credential management issues (at sovrin we sometimes call this a proof solver), expanding on the use of VCs and DIDs (Authentication, API spec, non-repudiability of
Nathan George: Identity owner APIs)
Manu Sporny: That may be a heavy lift. We'd have to do some education on W3C and IETF and why the world needs DIDs. I'd rather get started on that work now, understanding that it's going to take a while for people to get it. Having a spec and interop implementations help people get it. I also agree with Kim in that the signature stuff is super important. We've gotten tired with the "why didn't you consult me/work with these crypto people to do it" -- we can't [scribe assist by Dave Longley]
Dave Longley: Wait on the "right" people to look on it ("right" being relative).
Manu Sporny: To be clear, it's in that order ... priorities: 1. signatures, 2. browser API spec, 3. DIDs [scribe assist by Dave Longley]
Manu Sporny: As far as my personal preference is concerned. [scribe assist by Dave Longley]
Christopher Allen: I'm committed to continuing to work with Community to drive that forward. Some things at a higher level - original DPKI - we need to revisit that. Now that we've done DIDs... say "This is why we're doing DIDs... here are the requirements... there is no better way to meet these use cases." Then we can dive into specifics of protocols/formats of DIDs. We do have a persuasion job... Self-sovereign identity, DPKI, we're not doing a fabulous job explaining to uninitiated what that is and why it's important. I'd like the Credentials group to work on that.
Christopher Allen: We have particular problems in data minimization and selective disclosure - I'd like to see a report - what exactly is selective disclosure, different forms of it... when I say something as a cryptographer, it means something specific. Some others think that's "data minimization".
Christopher Allen: There are things like Merkle Proof signature - that may be more important than other signature formats. We don't know that yet, community hasn't accepted that yet, but we haven't decided what our privacy/public disclosure stuff is.
Dave Longley: I have interest and spec+implementation input on everything discussed so far :)
Kim Hamilton Duffy: Ditto
David Chadwick: I more or less agree with the priority order. The W3C web auth spec is also of interest to me (https://www.w3.org/TR/webauthn/). This comes under priority 2. But under 2. we should also consider the whole VC lifecycle model
Manu Sporny: You only need another 12 hours in the day to work on those items, folks :)
Christopher Allen: We are going to have to prioritize...
Dave Longley: Voip-vctf: connections?
Christopher Allen: I'd really like to hear from some of the other players - you're spending a good chunk of time here - what are your areas of interest? What can you commit to?
Kim Hamilton Duffy: I was going to ask a similar question - there was a lot of traction around DIDs at last RWoT... any areas of focus there? If not, we can follow up on mailing list. I definitely want to work on signature suite stuff.
Christopher Allen: If Credentials group thinks we want to take in DIDs, we have 100+ people in RWoT community, we can try to broaden the community to get them in.
Christopher Allen: How can we add items to this list and further the list.
Nathan George: The Sovrin and Decentralized Identity folks have started talking about DID TLS (using SNI hints and token binding) as well as a DID Auth spec
Manu Sporny: What we might be able to do is put the list in a google doc and put it out the mailing list and say "If you have any other items please add them". We give people a week to weigh in, then create a poll that allows people to assign priorities, like 0-10, and items that get the most votes are the ones that we end up working on. [scribe assist by Dave Longley]
Dave Longley: You should also ask people what they will work on [scribe assist by David Chadwick]
ACTION: Manu to create preliminary list of work items for group and send out to mailing list.
Christopher Allen: We may want to get a list of things that people want to work on.
Christopher Allen: That is, something they are willing to commit to.
ACTION: ChristopherA to create first draft of new credential mission
Christopher Allen: Please get back to me on mission statement.
Christopher Allen: We'll meet at same time next week. Progress on action items, we can continue to dive into the potential projects here. I'm reluctant to recruit a cryptographer to do signatures group yet until we know that that's the way we're going to be running things. Potential action item - decision to keep those things separate as a repo. What are our requirements there? Any other action items for next week?
ACTION: Christopher to create a new proposal for how digital verification group integrates.
Christopher Allen: Let the Chairs know if you have further agenda items.