The W3C Credentials Community Group

Verifiable Claims and Digital Verification

Go Back

Credentials CG Telecon

Minutes for 2018-11-13

Michaela Casaldi: Present +
Manu Sporny is scribing.
Dmitri Zagidulin: *Manu: I can scribe!*
Dmitri Zagidulin is scribing.
<Start of call / IRC instructions>
Agenda review, intros, announcements, progress reports
Manu Sporny: Just a heads up, the Strong Authentication & Identity Workshop
… the application deadline closes in 3 days
… so if you havent submitted a position statement, hurry up
Jonathan Holt: +Present

Topic: Introductions and Reintroductions

Christopher Allen: Do we have anybody new?
Christopher Allen: Ok, re-introductions
… gannan?
Ganesh Annan: Hi, I'm Ganesh Annan, I'm a dev at Digital Bazaar,
… I'm also part of the VCWG, here to learn & work with new standards
Christopher Allen: Thank you. we have a number of upcoming events
… here it is in IRC. in particular, there is the Strong Auth & Identity Workshop in Redmond,

Topic: Announcements

… which Manu mentioned earlier, happens in Dec 10-11,
Manu Sporny: I like the compactness of the new page.
… I suspect a number of us will be there, we'll have a chance to pitch DIDs as a solution to other working groups at W3C
… in prep for our official request to become a working group at the beginning of the year
Christopher Allen:
… second one is Rebooting Web of Trust, Feb 27-Mar 3 2019, location TBD
… we're hoping to make a decision re location by end of the month
… we're hoping either that event or the Sept event will be in Europa
Moses Ma: If it's in europe, we need lots of advance warning
… finally, we have the Internet Identity Workshop, Apr 30-May 2nd
Bohdan Andriyiv: +1 For Europe!
… where we'll have a lot of people from this group
Moses Ma: Also, I can help organize an event in europe
*Manu: yesss! me too*
Christopher Allen: Any other announcements?
Moses Ma: Would amsterdam work?
… just a little more on Europe, we've heard requests for Berlin. also Zurich and ..?
Moses Ma: I might be able to get some space donated for this?
… we'll know more later
Heather Vescent: OK, that's fine.
Heather Vescent: Q_
Brentz: I was wondering, for those who submitted applications / position statements for the workshop,
… when will we hear back?
Manu Sporny: Excellent question, we don't know yet
Kaliya Young: We have room for up to 70
… if you've submitted a paper, you're almost certainly going to be invited
Kaliya Young: Currently at 45 submitted
… we're behind on getting back to people
Kaliya Young: If it is "in range" you will likely get invite
Kaliya Young: So buy your plane ticket
Dan Burnett: This is very bad for travel booking
… likely you'll hear about it after this Fri, which is a week or so before the event
… but I would just assume - if you submitted both of those things, you're probably in
Christopher Allen: That's both the registration, and an email with your position statement

Topic: Action Items

Christopher Allen: Ok, we're gonna move on to Action Items
… these are our current action items
… at this point, all of these have been assigned, aside from the JWK CryptoSuite specs
Kim Hamilton Duffy: All, please type present+ if you've not already
… this has been an ongoing concern, a lot of people want to us to use JWK,
… if we're gonna do that, we need somebody to make a proposal
Kim Hamilton Duffy: I thought that's going through the VCWG group?
Kim Hamilton Duffy: Ah I see, nm
Christopher Allen: Kim: no, I don't think this is a WG thing, they can't make decisions about signature systems
Dmitri Zagidulin: I was going to ask about CBOR-based key notation instead of JWK - but that may be getting off topic. [scribe assist by Manu Sporny]
Christopher Allen: Anyhow, it's still an open issue, still unassigned, so I'm concerned
… and maybe we should also open an issue about COSE
… would be great to have a formal proposal for that
… manu, can you add those?
Manu Sporny: Yep, will add those

Topic: Work Items

Christopher Allen: Continuing on to Work Items
… we have a large number of items, and progress is a bit slow at the moment, focusing on DIDs and such
… I want to make sure nobody has announcements/changes in the last couple of weeks
… any changes?

Topic: DID Unique Selling Proposition

Christopher Allen: Ok, not seeing anything, so let's move on to the core of our discussion, which is
… the DID unique selling proposition
Ryan Grant: Digital Contract Design is trying to investigate our position on JWT and JSON-LD, and stuck on understanding the Open World assumption. We are looking for examples.
… a number of us have had experience over the last couple of months in talking to each other, getting into the details,
… but somewhere along the way, we've lost track of persuasiveness
… we got some feedback from a couple of groups / committees, one was from the w3c Architecture Group,
Manu Sporny: They were asking, how is this (the DID spec) going to help regular people?
Christopher Allen: I updated my slides on DIDs, so I'm hoping that's become clearer, but I hope we can make more progress on that
… anybody else recently have experience on explaining DIDs, what the problems you encountered were, etc?
Jonathan Holt: I'm on the ABMS
… the struggle they're dealing with - it's about key management
… who manages the keys, in an organization?
Heather Vescent: All - I'm not sure how to bring this up, or if it's not appropriate, but Kaliya and I address a lot of this stuff in our report. We don't have to re-invent this information. We just need to support ways to make it widely available.
Christopher Allen: Right, so we definitely want to address that question sooner rather than later
Christopher Allen: Next is manu
Manu Sporny: I agree with Jonathan,
… I'm coming at it from another angle
Jonathan Holt: ABMS (American Board of Medical Specialties )
… fundamentally, many of these organizations (such as the federal government), do not want to be in the business of managing identifiers
… they end up being responsible for that anyway,
… because everybody decides that the gov't should do it, so now they become a target, a honeypot
… so if we wanted to hone in on a main advantage for DIDs,
… they tend to be different per vertical,
… but the one common thing that we've found is that - the organization just does not want to be responsible for minting identifiers
… and DIDs are are new type of identifier, where they don't have to manage it, but they still get nice cryptographic properties
Ryan Grant: Over the last week, I've been working on a threat model using DIDs
… and we found that it was hard to understand
… the data model of the application without extending the future use of the system
Andrew Hughes: I have a question: does ‘the world’ know why the Certificate Authority model of x.509 certificate management is ‘bad’?
… into Verifiable Claims
… that made several things in our threat model make sense
Manu Sporny: Achughes, probably not :)
Drummond Reed: I want to second that
… I tried multiple explanations over time, but I've migrated entirely to starting with VCs (I call them just "credentials")
Manu Sporny: Achughes, I don't think people really understand the "weakest link" problem of the CA system.
… and the case for digital creds is strong and intuitive for many people
Manu Sporny: We might be making a bad assumption that ‘the world’ knows what we all believe is ‘bad’ about centralized management of keys [scribe assist by Andrew Hughes]
… and then back into the need for a decentralized identifier
… so that just seems to flow nicely, work pretty well
Christopher Allen: My recent experience in talking about borders
… I found it resonated with smaller countries' governments
… also companies across borders, etc
Dan Burnett: I have found that I can explain DIDs just fine, but the 'so what' question only gets answered with VCs.
… the basic argument is: we're more and more part of an international world, and changing rules, and parties, and levels
… and all the models of centralized hierarchy do not work anymore
… so they appreciated the border thng
… this worked in Switzerland, Taiwan, Malta
… it may not work in the heart of the US, but that's certainly a part of it
Kim Hamilton Duffy: Per Learning Machines, leading with VCs makes it a lot easier
… explaining that a VC is like a degree, it's a long-term credential, hopefully for the entire lifetime
Dan Burnett: Not ownership. Control!
… so then key management comes up, so then we get into DIDs
… various implementations may not have this or that feature,
… so this works well, but it limits it to an audience that buys into the idea of cryptographic ownership/control
Joe Andrieu: I tried to get Tzviya to chime in
… she presented DIDs internally
… and the first question was - what about key management?
Joe Andrieu: A. digital credentials separated from login management B. for subject: no longer dependent on credential issuer for verification C. for issuer: no longer need to manage user name & password for credentials
… (tried to get Tzviya to chime in)
Kaliya Young: Key MANAGEMENT Is a huge issue - we should be having intensive focus on solving this....and stop hand waving. What is the plan? for realz?
… and for the issuer, they no longer need to manage identifiers, like manu said
Andrew Hughes: I don't think I've heard a good explanation as to why not some other universal id scheme, like DNS or certificates — why are they bad?
… what problem is DIDs trying to solve?
… why is "decentralized" better?
Kim Hamilton Duffy: Cwebber2 described this brilliantly at last year's TPAC
In order to be useful, why do the identifiers have to be centralized?
… why not use an existing centralized identification scheme, that everyone is using?
Christopher Allen: I really appreciated Kaliya's presentation at MyData,
… the beginning had a nice way of leading into — there are just too many identifiers
Christopher Allen: Now, whether or not DIDs solve that particular problem, is an open question
Andrew Hughes: X/<static>/identifiers for things are needed/
Manu Sporny: I've been hearing lots of good things about Kaliya's presentation at MyData
… I feel she nailed it, as far as intro
… the thing I went on the queue for: these identifiers, they seem like a hot potato,
… nobody wants them. Gov't does not want to manage them, it's a giant money pit
… it's just something they need to achieve some secondary thing. they don't care about identifiers themselves
… so then the issue becomes, who will? A foundation or nonprofit?
… many foundations are like, we're not going to trust a for-profit company,
Kaliya Young: Here is another shorter one that i did at New America for the Future of Property Rights -
Dave Longley: Centralized IDs introduce a third party in the middle of a relationship that is otherwise unnecessary ... decentralized IDs also more accurately represent entities as they exist in the natural world: they have independent existence.
… and a nonprofit company may have trouble being funded to manage this for a long time
… so, nobody wants to manage identifiers, but they all want to depend on them
… and then there's the subject of - DIDs give you nice cryptographic properties, service discovery mechanisms,
… and they become an interesting avenue that people may not have pursued already
Andrew Hughes: I think the ‘hot potato’ explanation is a good one when contrasted with the ‘corporate control of identifiers is bad’ - that for me is a powerful argument
… we've tried all those things before (government issued, corporate issued, etc), and it hasn't addressed many of the problems
Dmitri Zagidulin: On the subject of DIDs, in order to have universal identifiers, you need two things 1) format of URL, and 2) format of payload. [scribe assist by Manu Sporny]
Dmitri Zagidulin: DIDs are a nice standard for the format of the payload. [scribe assist by Manu Sporny]
Dmitri Zagidulin: Someone needed to standardize what the JSON object needed to look like - service endpoints, public keys, you're going to need something like that regardless of what you come up with. [scribe assist by Manu Sporny]
Drummond Reed: +1 To DIDs extending, not competing, with other identifiers
Dmitri Zagidulin: The URLs themselves -- it's important to note that it's not in competition... it's a superset - they can work w/ traditional URLs, but they can also work with these new ledgers. [scribe assist by Manu Sporny]
Drummond Reed: Yeah, I agree with that point, DIDs don't compete, they're a new type of identifiers
… when I first got exposed to the acronym DID, it was from verbiage that Manu and Longley had written
Dan Burnett: New URL scheme == new identifiers
… and I love the way they captured it - every identifier that's currently in use, globally available over the internet - they're RENTED
Dave Longley: "Every identifier you've ever had on the Web is controlled by someone else"
… once you stop paying, it's gone, so that's unacceptable from a security and privacy perspective
… so that's one thing that I mention, theyre not rented, they're permanent identifiers
… and I'm not familiar with any other alternatives
Dan Burnett: The "You don't control any of your other identifiers" argument is the one that I use, too. Every single one can be taken away from you.
Christopher Allen: Another thing that I haven't heard is talking about vendor lock-in
Manu Sporny: Identitywoman, re: key management - I think we're still trying to figure it out -- I mean, there are theories and implementations, but this stuff hasn't been out long enough to truly understand what this looks like in the hands of the masses (other than Signal/WhatsApp-style key management)
… for example, take Linked In, who has this nice API for a long time,
… but then soon deprecated it, so it ruined the ecosystem
Dan Burnett: I was ggonna challenge Manu a bit, re problems with existing identifiers
… the question I have is really whether the key management issue for DIDs will end up the same type of hot potato
Drummond Reed: I completely disagree that key management requires another party to get involved
… the whole thing behind DKMS is that keys are controlled by their owner
… but there's no necessity for a third party
Jonathan Holt: +1 Can be totally self sovereign
Drummond Reed: DKMS reference:
Christopher Allen: I want to address something somebody said earlier, which is, we need a DID Document, whether the identifier is centralized or not
… and somebody mentioned that therre aren't any individually-owned ones, and there were,
… CIDs, cryptographic identifiers, like PGP, Tor etc
Dan Burnett: Drummond, my comment was not about what is technically possible, rather about how the average person will end up using them. It's an issue I see in the blockchain industry I'm in in general.
Drummond Reed: Also, there hasn't been any mention yet of the key rotation, key recovery, and service discovery benefits of DIDs.
… and the problem with them was - they could not be easily rotated
Moses Ma: Q
… whereas DIDs potentially allow you to retain the identifier through key changes, updates
Dmitri Zagidulin: Just wanted to also mention Heather and Kaliya's report on Decentralized Ecosystem - they give a very accessible introduction there, good selling points there. [scribe assist by Manu Sporny]
Drummond Reed: +1
Manu Sporny: I wanted to translate some of the great discussion happening today into written prose
… the w3c technical architecture group had asked us
… to say some subset of the discussion of today's call, in written form
… it's slightly frustrating since we've written a Primer already, but it's not quite enough, they want to understand how an everyday person will benefit from DIDs, in a short form
… so I'm wondering, who in the community will take that action item?
… so, who is interested?
Drummond Reed: I too think the DID Primer is pretty good.
Moses Ma: Hi everybody
… we're writing a paper about the use of DIDs and Credentials in STOs (security token offerings)
… and I'd like to get some reviews on it. send me an email
Dan Burnett: I will help too
Joe Andrieu: I posted a link to "About Explainers",
… but if there are other folks who want to get involved, I'll take the lead, but I would love assistance
Christopher Allen: Ok, let's move to the next section, which is - writing down the questions that people ask
… the raw common questions that we get, to make sure we have answers
… we're gonna try to get through that in the next 10 mins or so, and maybe next week we can look into a draft explainer
… I'm not sure what the best way to do a draft FAQ
*ChristopherA: maybe we start a Google Doc?*
Joe Andrieu: What I was hoping for on this call (and we got some of it), is to ask - what are the common questions?
… so, not necessarily a full FAQ, but just - let's start with a list of questions
Kaliya Young: Key Management!!!
Joe Andrieu: Ok, let me go get that google doc started
Manu Sporny: Just to echo what Kaliya said on IRC, key management does come up,
… but in our experience, customers don't even know what key management is or why it's a problem
Moses Ma: So if you have time to review my white paper on DIDs and STOs, please send me a note?
… we often ship software that shields users from key management, it's hidden from them
Kaliya Young: The key management people bring up when I present is the key management by the Individual.
Kaliya Young: Not by the "issuing party"
… let me step back. when we try to explain DIDs and VCs,
… it's always in a very specific context, to a specific customer problem
… when we engage with tech teams, they only have a superficial knowledge of decentralized tech, and they don't know or care
… they only care that addresses their problem, and that it has had security vetting
Kim Hamilton Duffy: +1 On that
… it does happen, at a certain level, that at some point we get handed off to someone who truly does understand this stuff in depth
… and then there's a whole slew of questions, like - what are the economics of the ledger
Dan Burnett: Yep
… what happens if the governance structure of the ledger falls over,
… what happens in case of device loss?
Joe Andrieu: For recording questions
… so yes, we get key mgmt questions, but most of the other questions are about economic and governance models
Dave Longley: "Who is the audience?"
… but those questions are only people who are interested in this in-depth, they are not typical of most customers
… like Google Docs — you don't care about the details underneath, you just use them, or not
Ryan Grant: True but i used to trust Google differently than i do now, and people ask me.
Christopher Allen: Ok, so, I'm gonna bring something to the floor
… Heather and Kaliya both claim that they have in their report answers to a lot fo these questions
… but it's a commercial report, and they would like compensation,
… I don't think the community is in a place where we can buy out the whole report
… so my question is - can the community pay a small amount to Heather and Kaliya, to maybe put together a primer, with a link to the larger report
Kaliya Young: Why isn't the community in a place to buy out the report - seems like there are some pretty big corporations at this table
Dan Burnett: Bounties!
… so, do we want to talk about passing the hat? would Heather and Kaliya be interested?
Kaliya Young: IBM, HTC, Microsoft
Heather Vescent: Also, the big companies pay for DEVELOPERS and TECHNOLOGY DEVELOPMENT
Heather Vescent: I'm listening to this conversation,
… increasingly frustrated.
… this is the challenge that we have working together
… this is an ongoing challenge we have in this community
… I'm watching these large organizations, they have money behind initiatives, and the reason Kaliya and I wrote this report,
… was that we saw the need for all of these questions being discussed
… and we took our own initiative and did it.
… but we're not in a privileged position, like the authors of that German blockchain organization, that have dayjobs
… these companies, they will make so much money on these new technologies
… I hear this conversation, where you're trying to get everyone to work together on these questions, and we spent so much time on that already,
… and had it reviewed by three different technologists
… and we don't want to paywall it, but we want to be compensated
Christopher Allen: We're very sympathetic, and want to solve the problem
… in the room, a lot of the big companies, IBM etc, are not represented
… we have trouble getting them to attend, etc
… but the people currently in the room are not able to help out. I wish we could, but it's not happening,
… let's find a strategy that might help in some other way
… maybe a shorter description / explainer, with a link to the full report?
… we want to solve this problem for everybody.
Kaliya Young: Clear communication about this technology IS currently the limiting factor for adoption
Christopher Allen: We do have a URL to the FAQ / question list
Kaliya Young: Clear communication takes effort, time, expertise and therefore money
Christopher Allen: I agree, Kaliya and Heather
… it's a problem, I don't know how to solve it.
Manu Sporny: I'd suggest that "production technology" is also a gating factor.
Kaliya Young: The way one solves it is to find the $ to compensate the communicators
Kim Hamilton Duffy: I feel like we have brought this up a few times,
… and it's not clear what a working model is
… when we bring it up, we risk… I don't know, I don't think we're making progress in talking about how to solve it
… I'm curious - what is a model that Kaliya and Heather would like?
… maybe we're proposing things that work in the developer community, but not in this case
Heather Vescent: We were approached.. wait, to back up.
… everyone has an opinion on how we should do things
… we chased 5 different models, we want to make it accessible and available
… and none of those has succeeded
… in our conversations, everyone has an idea of how you should do it
… and I've spent so much time chasing the viability of different models, when all I want to do,
… is that I want to release this content we spent so much time on, that I know you and your clients will benefit from
… but I can't, the last time I did that, I was exploited. I'm traumatized by this now
… I want it to be accessible and available
… but I don't know what's going to work.
… I don't want to volunteer for more stuff. I want to leverage what we've got.
Christopher Allen: I want to make sure, a) you know that we appreciated the problem
… manu has experienced very similar problems
Heather Vescent: Right - so why don't we work together to ensure this doesn't happen. Why can't we work together to solve this problems for us all?
… I don't think it's personal. it's an industry-wide problem, a tech problem
… I don't know how to solve it.
Manu Sporny: I think the issue is that we don't know /how/ to solve the problem, heathervescent.
Jonathan Holt: Is there a link to purchase the report?
Christopher Allen: I'd like to move forward to the next thing
… if you could put a link to the report
… I've pitched it a few times to people.
… I'd certainly like to see it happen. I'd like to see us all do well.
Manu Sporny: +1 To wanting to see us all do well.
Christopher Allen: Ok, closing comments?
… we'll focus on pain points next week
… we need to be able to put this explainer document, it'll have to be open source, go onto various mailing lists
… we can't progress without writing up some of this stuff
… it doesn't need to be the full report. we just need a 2-4 page thing, that's better than the current DID Primer
… anyone else?
Moses Ma: Thanks for being visionary and see y'all next time! bye!
… ok, nobody else on the queue. everybody, thank you for your stories today
… look forward to working with you in the next few weeks
… thank you, bye