The W3C Credentials Community Group

Verifiable Claims and Digital Verification

Go Back

Credentials CG Telecon

Minutes for 2018-11-13

Agenda
https://lists.w3.org/Archives/Public/public-credentials/2018Nov/0113.html
Topics
  1. Introductions and Reintroductions
  2. Announcements
  3. Action Items
  4. Work Items
  5. DID Unique Selling Proposition
Organizer
Kim Hamilton Duffy, Joe Andrieu, Christopher Allen
Scribe
Manu Sporny, Dmitri Zagidulin
Present
Jeff Orgel, Bohdan Andriyiv, Dmitri Zagidulin, Christopher Allen, Joe Andrieu, Manu Sporny, Dave Longley, Ted Thibodeau, Heather Vescent, Michaela Casaldi, Brent Zundel, Ryan Grant, Ganesh Annan, Ken Ebert, Jonathan Holt, Kim Hamilton Duffy, Moses Ma, Kaliya Young, Dan Burnett, Andrew Hughes, Drummond Reed, Chris Webber
Audio Log
Michaela Casaldi: Present +
Manu Sporny is scribing.
Dmitri Zagidulin: *Manu: I can scribe!*
Dmitri Zagidulin is scribing.
<Start of call / IRC instructions>
Agenda review, intros, announcements, progress reports
Manu Sporny: Just a heads up, the Strong Authentication & Identity Workshop
… the application deadline closes in 3 days
… so if you havent submitted a position statement, hurry up
Jonathan Holt: +Present

Topic: Introductions and Reintroductions

Christopher Allen: Do we have anybody new?
Christopher Allen: Ok, re-introductions
… gannan?
Ganesh Annan: Hi, I'm Ganesh Annan, I'm a dev at Digital Bazaar,
… I'm also part of the VCWG, here to learn & work with new standards
Christopher Allen: Thank you. we have a number of upcoming events
… here it is in IRC. in particular, there is the Strong Auth & Identity Workshop in Redmond,

Topic: Announcements

… which Manu mentioned earlier, happens in Dec 10-11,
Manu Sporny: I like the compactness of the new page.
… I suspect a number of us will be there, we'll have a chance to pitch DIDs as a solution to other working groups at W3C
… in prep for our official request to become a working group at the beginning of the year
Christopher Allen: http://weboftrust.info
… second one is Rebooting Web of Trust, Feb 27-Mar 3 2019, location TBD
… we're hoping to make a decision re location by end of the month
… we're hoping either that event or the Sept event will be in Europa
Moses Ma: If it's in europe, we need lots of advance warning
… finally, we have the Internet Identity Workshop, Apr 30-May 2nd
Bohdan Andriyiv: +1 For Europe!
… where we'll have a lot of people from this group
Moses Ma: Also, I can help organize an event in europe
*Manu: yesss! me too*
Christopher Allen: Any other announcements?
Moses Ma: Would amsterdam work?
… just a little more on Europe, we've heard requests for Berlin. also Zurich and ..?
Moses Ma: I might be able to get some space donated for this?
… we'll know more later
Heather Vescent: OK, that's fine.
Heather Vescent: Q_
Brentz: I was wondering, for those who submitted applications / position statements for the workshop,
… when will we hear back?
Manu Sporny: Excellent question, we don't know yet
Kaliya Young: We have room for up to 70
… if you've submitted a paper, you're almost certainly going to be invited
Kaliya Young: Currently at 45 submitted
… we're behind on getting back to people
Kaliya Young: If it is "in range" you will likely get invite
Kaliya Young: So buy your plane ticket
Dan Burnett: This is very bad for travel booking
… likely you'll hear about it after this Fri, which is a week or so before the event
… but I would just assume - if you submitted both of those things, you're probably in
Christopher Allen: That's both the registration, and an email with your position statement

Topic: Action Items

Christopher Allen: Ok, we're gonna move on to Action Items
… these are our current action items
… at this point, all of these have been assigned, aside from the JWK CryptoSuite specs
Kim Hamilton Duffy: All, please type present+ if you've not already
… this has been an ongoing concern, a lot of people want to us to use JWK,
… if we're gonna do that, we need somebody to make a proposal
Kim Hamilton Duffy: I thought that's going through the VCWG group?
Kim Hamilton Duffy: Ah I see, nm
Christopher Allen: Kim: no, I don't think this is a WG thing, they can't make decisions about signature systems
Dmitri Zagidulin: I was going to ask about CBOR-based key notation instead of JWK - but that may be getting off topic. [scribe assist by Manu Sporny]
Christopher Allen: Anyhow, it's still an open issue, still unassigned, so I'm concerned
… and maybe we should also open an issue about COSE
… would be great to have a formal proposal for that
… manu, can you add those?
Manu Sporny: Yep, will add those

Topic: Work Items

Christopher Allen: Continuing on to Work Items
… we have a large number of items, and progress is a bit slow at the moment, focusing on DIDs and such
… I want to make sure nobody has announcements/changes in the last couple of weeks
… any changes?

Topic: DID Unique Selling Proposition

Christopher Allen: Ok, not seeing anything, so let's move on to the core of our discussion, which is
… the DID unique selling proposition
Ryan Grant: Digital Contract Design is trying to investigate our position on JWT and JSON-LD, and stuck on understanding the Open World assumption. We are looking for examples.
… a number of us have had experience over the last couple of months in talking to each other, getting into the details,
… but somewhere along the way, we've lost track of persuasiveness
… we got some feedback from a couple of groups / committees, one was from the w3c Architecture Group,
Manu Sporny: They were asking, how is this (the DID spec) going to help regular people?
Christopher Allen: I updated my slides on DIDs, so I'm hoping that's become clearer, but I hope we can make more progress on that
… anybody else recently have experience on explaining DIDs, what the problems you encountered were, etc?
Jonathan Holt: I'm on the ABMS
… the struggle they're dealing with - it's about key management
… who manages the keys, in an organization?
Heather Vescent: All - I'm not sure how to bring this up, or if it's not appropriate, but Kaliya and I address a lot of this stuff in our report. We don't have to re-invent this information. We just need to support ways to make it widely available.
Christopher Allen: Right, so we definitely want to address that question sooner rather than later
Christopher Allen: Next is manu
Manu Sporny: I agree with Jonathan,
… I'm coming at it from another angle
Jonathan Holt: ABMS (American Board of Medical Specialties )
… fundamentally, many of these organizations (such as the federal government), do not want to be in the business of managing identifiers
… they end up being responsible for that anyway,
… because everybody decides that the gov't should do it, so now they become a target, a honeypot
… so if we wanted to hone in on a main advantage for DIDs,
… they tend to be different per vertical,
… but the one common thing that we've found is that - the organization just does not want to be responsible for minting identifiers
… and DIDs are are new type of identifier, where they don't have to manage it, but they still get nice cryptographic properties
Ryan Grant: Over the last week, I've been working on a threat model using DIDs
… and we found that it was hard to understand
… the data model of the application without extending the future use of the system
Andrew Hughes: I have a question: does ‘the world’ know why the Certificate Authority model of x.509 certificate management is ‘bad’?
… into Verifiable Claims
… that made several things in our threat model make sense
Manu Sporny: Achughes, probably not :)
Drummond Reed: I want to second that
… I tried multiple explanations over time, but I've migrated entirely to starting with VCs (I call them just "credentials")
Manu Sporny: Achughes, I don't think people really understand the "weakest link" problem of the CA system.
… and the case for digital creds is strong and intuitive for many people
Manu Sporny: We might be making a bad assumption that ‘the world’ knows what we all believe is ‘bad’ about centralized management of keys [scribe assist by Andrew Hughes]
… and then back into the need for a decentralized identifier
… so that just seems to flow nicely, work pretty well
Christopher Allen: My recent experience in talking about borders
… I found it resonated with smaller countries' governments
… also companies across borders, etc
Dan Burnett: I have found that I can explain DIDs just fine, but the 'so what' question only gets answered with VCs.
… the basic argument is: we're more and more part of an international world, and changing rules, and parties, and levels
… and all the models of centralized hierarchy do not work anymore
… so they appreciated the border thng
… this worked in Switzerland, Taiwan, Malta
… it may not work in the heart of the US, but that's certainly a part of it
Kim Hamilton Duffy: Per Learning Machines, leading with VCs makes it a lot easier
… explaining that a VC is like a degree, it's a long-term credential, hopefully for the entire lifetime
Dan Burnett: Not ownership. Control!
… so then key management comes up, so then we get into DIDs
… various implementations may not have this or that feature,
… so this works well, but it limits it to an audience that buys into the idea of cryptographic ownership/control
Joe Andrieu: I tried to get Tzviya to chime in
… she presented DIDs internally
… and the first question was - what about key management?
Joe Andrieu: A. digital credentials separated from login management B. for subject: no longer dependent on credential issuer for verification C. for issuer: no longer need to manage user name & password for credentials
… (tried to get Tzviya to chime in)
Kaliya Young: Key MANAGEMENT Is a huge issue - we should be having intensive focus on solving this....and stop hand waving. What is the plan? for realz?
… and for the issuer, they no longer need to manage identifiers, like manu said
Andrew Hughes: I don't think I've heard a good explanation as to why not some other universal id scheme, like DNS or certificates — why are they bad?
… what problem is DIDs trying to solve?
… why is "decentralized" better?
Kim Hamilton Duffy: Cwebber2 described this brilliantly at last year's TPAC
In order to be useful, why do the identifiers have to be centralized?
… why not use an existing centralized identification scheme, that everyone is using?
Christopher Allen: I really appreciated Kaliya's presentation at MyData,
… the beginning had a nice way of leading into — there are just too many identifiers
Christopher Allen: Now, whether or not DIDs solve that particular problem, is an open question
Andrew Hughes: X/<static>/identifiers for things are needed/
Manu Sporny: I've been hearing lots of good things about Kaliya's presentation at MyData
… I feel she nailed it, as far as intro
… the thing I went on the queue for: these identifiers, they seem like a hot potato,
… nobody wants them. Gov't does not want to manage them, it's a giant money pit
… it's just something they need to achieve some secondary thing. they don't care about identifiers themselves
… so then the issue becomes, who will? A foundation or nonprofit?
… many foundations are like, we're not going to trust a for-profit company,
Kaliya Young: Here is another shorter one that i did at New America for the Future of Property Rights - https://identitywoman.net/my-talk-at-new-america-on-self-sovereign-identity-the-domains-of-identity/
Dave Longley: Centralized IDs introduce a third party in the middle of a relationship that is otherwise unnecessary ... decentralized IDs also more accurately represent entities as they exist in the natural world: they have independent existence.
… and a nonprofit company may have trouble being funded to manage this for a long time
… so, nobody wants to manage identifiers, but they all want to depend on them
… and then there's the subject of - DIDs give you nice cryptographic properties, service discovery mechanisms,
… and they become an interesting avenue that people may not have pursued already
Andrew Hughes: I think the ‘hot potato’ explanation is a good one when contrasted with the ‘corporate control of identifiers is bad’ - that for me is a powerful argument
… we've tried all those things before (government issued, corporate issued, etc), and it hasn't addressed many of the problems
Dmitri Zagidulin: On the subject of DIDs, in order to have universal identifiers, you need two things 1) format of URL, and 2) format of payload. [scribe assist by Manu Sporny]
Dmitri Zagidulin: DIDs are a nice standard for the format of the payload. [scribe assist by Manu Sporny]
Dmitri Zagidulin: Someone needed to standardize what the JSON object needed to look like - service endpoints, public keys, you're going to need something like that regardless of what you come up with. [scribe assist by Manu Sporny]
Drummond Reed: +1 To DIDs extending, not competing, with other identifiers
Dmitri Zagidulin: The URLs themselves -- it's important to note that it's not in competition... it's a superset - they can work w/ traditional URLs, but they can also work with these new ledgers. [scribe assist by Manu Sporny]
Drummond Reed: Yeah, I agree with that point, DIDs don't compete, they're a new type of identifiers
… when I first got exposed to the acronym DID, it was from verbiage that Manu and Longley had written
Dan Burnett: New URL scheme == new identifiers
… and I love the way they captured it - every identifier that's currently in use, globally available over the internet - they're RENTED
Dave Longley: "Every identifier you've ever had on the Web is controlled by someone else"
… once you stop paying, it's gone, so that's unacceptable from a security and privacy perspective
… so that's one thing that I mention, theyre not rented, they're permanent identifiers
… and I'm not familiar with any other alternatives
Dan Burnett: The "You don't control any of your other identifiers" argument is the one that I use, too. Every single one can be taken away from you.
Christopher Allen: Another thing that I haven't heard is talking about vendor lock-in
Manu Sporny: Identitywoman, re: key management - I think we're still trying to figure it out -- I mean, there are theories and implementations, but this stuff hasn't been out long enough to truly understand what this looks like in the hands of the masses (other than Signal/WhatsApp-style key management)
… for example, take Linked In, who has this nice API for a long time,
… but then soon deprecated it, so it ruined the ecosystem
Dan Burnett: I was ggonna challenge Manu a bit, re problems with existing identifiers
… the question I have is really whether the key management issue for DIDs will end up the same type of hot potato
Drummond Reed: I completely disagree that key management requires another party to get involved
… the whole thing behind DKMS is that keys are controlled by their owner
… but there's no necessity for a third party
Jonathan Holt: +1 Can be totally self sovereign
Drummond Reed: DKMS reference: http://bit.ly/dkmsv3
Christopher Allen: I want to address something somebody said earlier, which is, we need a DID Document, whether the identifier is centralized or not
… and somebody mentioned that therre aren't any individually-owned ones, and there were,
… CIDs, cryptographic identifiers, like PGP, Tor etc
Dan Burnett: Drummond, my comment was not about what is technically possible, rather about how the average person will end up using them. It's an issue I see in the blockchain industry I'm in in general.
Drummond Reed: Also, there hasn't been any mention yet of the key rotation, key recovery, and service discovery benefits of DIDs.
… and the problem with them was - they could not be easily rotated
Moses Ma: Q
… whereas DIDs potentially allow you to retain the identifier through key changes, updates
Dmitri Zagidulin: Just wanted to also mention Heather and Kaliya's report on Decentralized Ecosystem - they give a very accessible introduction there, good selling points there. [scribe assist by Manu Sporny]
Drummond Reed: +1
Manu Sporny: I wanted to translate some of the great discussion happening today into written prose
… the w3c technical architecture group had asked us
… to say some subset of the discussion of today's call, in written form
… it's slightly frustrating since we've written a Primer already, but it's not quite enough, they want to understand how an everyday person will benefit from DIDs, in a short form
… so I'm wondering, who in the community will take that action item?
… so, who is interested?
Drummond Reed: I too think the DID Primer is pretty good.
Moses Ma: Hi everybody
… we're writing a paper about the use of DIDs and Credentials in STOs (security token offerings)
… and I'd like to get some reviews on it. send me an email
Dan Burnett: I will help too
Joe Andrieu: I posted a link to "About Explainers",
… but if there are other folks who want to get involved, I'll take the lead, but I would love assistance
Christopher Allen: Ok, let's move to the next section, which is - writing down the questions that people ask
… the raw common questions that we get, to make sure we have answers
… we're gonna try to get through that in the next 10 mins or so, and maybe next week we can look into a draft explainer
… I'm not sure what the best way to do a draft FAQ
*ChristopherA: maybe we start a Google Doc?*
Joe Andrieu: What I was hoping for on this call (and we got some of it), is to ask - what are the common questions?
… so, not necessarily a full FAQ, but just - let's start with a list of questions
Kaliya Young: Key Management!!!
Joe Andrieu: Ok, let me go get that google doc started
Manu Sporny: Just to echo what Kaliya said on IRC, key management does come up,
… but in our experience, customers don't even know what key management is or why it's a problem
Moses Ma: So if you have time to review my white paper on DIDs and STOs, please send me a note?
… we often ship software that shields users from key management, it's hidden from them
Kaliya Young: The key management people bring up when I present is the key management by the Individual.
Kaliya Young: Not by the "issuing party"
… let me step back. when we try to explain DIDs and VCs,
… it's always in a very specific context, to a specific customer problem
… when we engage with tech teams, they only have a superficial knowledge of decentralized tech, and they don't know or care
… they only care that addresses their problem, and that it has had security vetting
Kim Hamilton Duffy: +1 On that
… it does happen, at a certain level, that at some point we get handed off to someone who truly does understand this stuff in depth
… and then there's a whole slew of questions, like - what are the economics of the ledger
Dan Burnett: Yep
… what happens if the governance structure of the ledger falls over,
… what happens in case of device loss?
Joe Andrieu: For recording questions
… so yes, we get key mgmt questions, but most of the other questions are about economic and governance models
Dave Longley: "Who is the audience?"
… but those questions are only people who are interested in this in-depth, they are not typical of most customers
… like Google Docs — you don't care about the details underneath, you just use them, or not
Ryan Grant: True but i used to trust Google differently than i do now, and people ask me.
Christopher Allen: Ok, so, I'm gonna bring something to the floor
… Heather and Kaliya both claim that they have in their report answers to a lot fo these questions
… but it's a commercial report, and they would like compensation,
… I don't think the community is in a place where we can buy out the whole report
… so my question is - can the community pay a small amount to Heather and Kaliya, to maybe put together a primer, with a link to the larger report
Kaliya Young: Why isn't the community in a place to buy out the report - seems like there are some pretty big corporations at this table
Dan Burnett: Bounties!
… so, do we want to talk about passing the hat? would Heather and Kaliya be interested?
Kaliya Young: IBM, HTC, Microsoft
Heather Vescent: Also, the big companies pay for DEVELOPERS and TECHNOLOGY DEVELOPMENT
Heather Vescent: I'm listening to this conversation,
… increasingly frustrated.
… this is the challenge that we have working together
… this is an ongoing challenge we have in this community
… I'm watching these large organizations, they have money behind initiatives, and the reason Kaliya and I wrote this report,
… was that we saw the need for all of these questions being discussed
… and we took our own initiative and did it.
… but we're not in a privileged position, like the authors of that German blockchain organization, that have dayjobs
… these companies, they will make so much money on these new technologies
… I hear this conversation, where you're trying to get everyone to work together on these questions, and we spent so much time on that already,
… and had it reviewed by three different technologists
… and we don't want to paywall it, but we want to be compensated
Christopher Allen: We're very sympathetic, and want to solve the problem
… in the room, a lot of the big companies, IBM etc, are not represented
… we have trouble getting them to attend, etc
… but the people currently in the room are not able to help out. I wish we could, but it's not happening,
… let's find a strategy that might help in some other way
… maybe a shorter description / explainer, with a link to the full report?
… we want to solve this problem for everybody.
Kaliya Young: Clear communication about this technology IS currently the limiting factor for adoption
Christopher Allen: We do have a URL to the FAQ / question list
Kaliya Young: Clear communication takes effort, time, expertise and therefore money
Christopher Allen: I agree, Kaliya and Heather
… it's a problem, I don't know how to solve it.
Manu Sporny: I'd suggest that "production technology" is also a gating factor.
Kaliya Young: The way one solves it is to find the $ to compensate the communicators
Kim Hamilton Duffy: I feel like we have brought this up a few times,
… and it's not clear what a working model is
… when we bring it up, we risk… I don't know, I don't think we're making progress in talking about how to solve it
… I'm curious - what is a model that Kaliya and Heather would like?
… maybe we're proposing things that work in the developer community, but not in this case
Heather Vescent: We were approached.. wait, to back up.
… everyone has an opinion on how we should do things
… we chased 5 different models, we want to make it accessible and available
… and none of those has succeeded
… in our conversations, everyone has an idea of how you should do it
… and I've spent so much time chasing the viability of different models, when all I want to do,
… is that I want to release this content we spent so much time on, that I know you and your clients will benefit from
… but I can't, the last time I did that, I was exploited. I'm traumatized by this now
… I want it to be accessible and available
… but I don't know what's going to work.
… I don't want to volunteer for more stuff. I want to leverage what we've got.
Christopher Allen: I want to make sure, a) you know that we appreciated the problem
… manu has experienced very similar problems
Heather Vescent: Right - so why don't we work together to ensure this doesn't happen. Why can't we work together to solve this problems for us all?
… I don't think it's personal. it's an industry-wide problem, a tech problem
… I don't know how to solve it.
Manu Sporny: I think the issue is that we don't know /how/ to solve the problem, heathervescent.
Jonathan Holt: Is there a link to purchase the report?
Christopher Allen: I'd like to move forward to the next thing
… if you could put a link to the report
… I've pitched it a few times to people.
… I'd certainly like to see it happen. I'd like to see us all do well.
Manu Sporny: +1 To wanting to see us all do well.
Christopher Allen: Ok, closing comments?
… we'll focus on pain points next week
… we need to be able to put this explainer document, it'll have to be open source, go onto various mailing lists
… we can't progress without writing up some of this stuff
… it doesn't need to be the full report. we just need a 2-4 page thing, that's better than the current DID Primer
… anyone else?
Moses Ma: Thanks for being visionary and see y'all next time! bye!
… ok, nobody else on the queue. everybody, thank you for your stories today
… look forward to working with you in the next few weeks
… thank you, bye