Credentials Community Group

Minutes for 2018-03-27

  1. Introductions / ReIntroductions
  2. Education Credentials Task Force
  3. https://github.com/w3c-ccg/community
  4. DID Auth Follow-up
Joe Andrieu, Kim Hamilton Duffy, Christopher Allen
Heather Vescent
Heather Vescent, Pelle Brændgaard, Ryan Grant, Kim Hamilton Duffy, Dan Burnett, David Chadwick, Dave Longley, Manu Sporny, Kyle Hartog, Christopher Allen, Christian Lundkvist, Mike Schwartz, John Tibbetts, Mike Lodder
Audio Log
Ryan Grant: https://zoom.us/j/5158678375
Heather Vescent: Ok, over here now.
Heather Vescent: Yes, this is much better for scribing. I will do it here.
Heather Vescent: I had just asked Manu to add me to that list. So this is fine.
Kerri Lemoie: https://zoom.us/j/5158678375
One sec I'll get it
achughes: Meeting ID: 515 867 8375
Pelle Brændgaard: Someone remember to record the meeting
Heather Vescent: @Pelle it is being recorded on zoom

Topic: Introductions / ReIntroductions

Recording is running, I'll need to consult with someone as to where I should upload the mp4. Who would be the best one to contact with that?
Heather Vescent is scribing.
Reintroductions: Christopher Allen (ChristopherA) no longer at Blockstream, now independent, using W3C email address. Founder of RWoT. Working on decentralized projects.
Ryan Grant: Kyle_denhartog: manu usually uploads them
Kim Hamilton Duffy: IIW: https://www.eventbrite.com/e/internet-identity-workshop-iiwxxvi-26-2018a-tickets-39785360083
IIW: April 3-5, Mountain View, Computer History Museum (NO CCG CALL next week - APRIL 3)
Post IIW - Verified Claims meeting afterwards
Dan Burnett: VCWG f2f info: https://www.w3.org/2017/vc/WG/201804f2f.html
Yes I can hear you ChristopherA.
Kim Hamilton Duffy: Can you hear me?
Kim Hamilton Duffy: Sorry
David Chadwick: I cannot hear anything on my SIP call
Summer outreach: ChristopherA: This summer plan to have a more standard draft of the DID spec. Identify various parties that can encourage getting the next tier of people involved in DIDs, JASON LD, Verified Credentials, etc. Mini-hackathon, other activities to involve the next tier implementing the tools we are creating.
Dave Longley: S/JASON LD/JSON-LD
Ryan Grant: https://zoom.us/j/5158678375
Progress & Action Items: TPAC action items will follow up this Friday. Manu will give update next week. No other updates.

Topic: Education Credentials Task Force

Work item update: Kimhd: kick off meeting on education credentials task force last week. Good attendance. Identified problems the group will address. There is interest in lifecycle and end to end use cases. E.g. revocation, vetting the scenario. Finishing up a poll which will be sent to the group to identify first work items. Next meeting is the Thursday after IIW, agenda will be shared.
Others:??? *crickets*
Thanks Kyle.
Manu Sporny: DIDs are making their way on company banners and people are saying they are doing it. Jumping on the bandwagon. The bad: 1) Working group, what is that? 2) Take credit for inventing DIDs. Concern: what ways can we pull these organizations in and get them to participate in the standardizations.
Manu Sporny: Other interesting developments in the government space. Can see larger (gov) groups participating in standards stuff.
Pelle Brændgaard: Uport, DIDs update: going all in and planning to be complaint asap, working on DID-Auth with our own solution. (Will talk about it at IIW). Want to focus on verified claims next. Have been working on basic infra, so will be more active in next month+.

Topic: https://github.com/w3c-ccg/community

Dan Burnett: S/complaint/compliant/
Dan Burnett: S/verified claims/verifiable claims/
Manu Sporny: S/verifiable claims/verifiable credentials/ :)
Announcement: Create a repo under CCG org, the repo for community docs to solve: usability issue.
Kim Hamilton Duffy: Landing site: https://w3c-ccg.github.io/
Thanks @burns...
Kyle Hartog: Should we move DID-Auth to the community repo?
Christopher Allen: *Hard to hear*
Christopher Allen: Make the proposal in the community site. Submit: proposal for work item: then approved: then create a repo for the requirements doc: as that finalizes move onward.
Christopher Allen: Repeating: close out the rebooting with the Fall DID-Auth doc. Then make a proposal in the community site for a work item of requirements for DID-Auth, which would be approved as a work item, once approved, you get the repo created.
IIW Prep: Manu: streamline information at IIW. IIW half the people are new or they don't attend regularly (won't know about DIDs, Verified credentials). Propose Day 1: a primer. As an update, intro or refresher. Later in the week, we can break into DID-Auth, resolvers, specific different implementations of the DID spec.
Christopher Allen: +1
Manu Sporny: What do we break into after the Primer? Don't want to lose people.
Manu Sporny: Proposes: Tuesday open with an intro to VC, DIDs. Then break into??
Manu Sporny: Option 2: here are some DID implementors... can all of us and talk about one thing we believe separates DID method x from the others. (Keep positive) And have deep dive meetings after this into the different DID methods.
ChristopherA - can not hear you.
Christopher Allen: (Bad audio) *waiting fingers*
Christopher Allen: I’ll wait
Christopher Allen: At 2bars
Christian Lundkvist: I can join the discussion and give a quick overview. If everyone can give a quick overview and then we can have a chat. Allow people to ask questions about the different approaches.
Kim Hamilton Duffy: I like the structure.
As me: I like this structure as well... starting as intro and building.
Manu Sporny: IIW 1 hour breakout sessions. First hour: Brief intros to DIDs and VCs.
Christopher Allen: I would like more discussion about simple web of trust verifiable credentials at IIW
Manu Sporny: 2nd hour on Monday (afternoon) here are the DID implementors, e.g. 15 min highlights
Manu Sporny: Wed (IIW day 2): Total breakout methods, uPort methods, etc... on Wed (IIW day 2)
Christopher Allen: Use the primers on Tuesday
Christopher Allen: The most important part is our coopertition
Manu Sporny: Has gotten requests ala "why will DID method X CRUSH DID method y." This is the wrong way of doing competition in the space.
Kim Hamilton Duffy: Alternative take a game show format.
Christopher Allen: Joe, will the demo videos from #RebootingWebOfTrust be ready?
Christian Lundkvist: Agree with Manu. Emphasize this is a very young technology. It's important to emphasize there is a lot of *exploration* and this is why we see different DID methods to explore what works. May look different in 5 years.
Christian Lundkvist: At this time in the tech development, there would be multiple variations of implementation.
Christopher Allen: Also, serve different needs. BTCR emphasizes anonymity, but there is a cost that not all should bear for that.
Kim Hamilton Duffy: @ChristopherA will you be there for BTCR?
Kim Hamilton Duffy: Or @rgrant?
Christopher Allen: Yes
Manu Sporny: How can we coordinate? Manu has a slide deck and can do the introductions. (Or does Drummond want to do his?) Re: lightning talk, let's say it's 15 min block for 4 DID methods. (e.g. Christian uPort, Manu VerisOne,... )
Christopher Allen: I have my #RebootingWebOfTrust BTCR slides
Mike Schwartz: Drummond is in DC, and will be at IIW with other Evernym peeps.

Topic: DID Auth Follow-up

Christopher Allen: My slides are animated
DID-Auth followup: resume discussion.
Christopher Allen: Is there anything we should do at IIW re DID-Auth?
Christian Lundkvist: In the intro setting with DIDs and VCs, DID-Auth could be mentioned. It's a natural thing to do with a DID/login. Make sure it's mentioned.
Hey Ken - the missing part in the discussion is **Identification** as a precursor to authentication
Kyle Hartog: Bringing in the mailing list discussion: need to clarify the items on the list and include in the paper.
Kyle Hartog: Authentication vs authorization, specifically how VCs play into it. Required in DID-Auth or leave it separate. Pelle and Markus brought up some reasons for one way vs another.
@Manu thanks will do
John Tibbetts: +1 Kyle. I want to understand - authentication - it is 1 way or mutual way of decentralized identifiers vs a verified credential exchange. These are different protocols and you may want to do one, or both. They should not be bundled.
Christopher Allen: VC is more authorization oriented, so maybe focus on DID Authentication first
Manu Sporny: In agreement. The object capabilities around authorization is another variable to be discussed. Could use VCs as authorization and verification and this could be confusing if the right lines are not drawn.
Sadly I need to step away ... look forward to discussions in IIW next week
Dave Longley: I don't think we should say that "VC is more authorization oriented" ... a VC allows you to authenticate that you have certain attributes -- that doesn't say anything, necessarily, about authorization.
IMO identification and authentication should be put together (authentication being proving the authenticity of the DID) - the difference between authentication and authorization is blurry if people forget to mention the identification part as the purpose of authentication
Manu Sporny: It's an open discussion. Not expect DID-Auth w/ capabilities. But more recently discussing object capabilities.
Kim Hamilton Duffy: https://lists.w3.org/Archives/Public/public-credentials/2018Mar/0077.html
Kim Hamilton Duffy: Pointing to Markus' response in the email thread.
Mike Lodder: And a good set of use cases
Mike Lodder: Is needed for various capabilities for DID-Auth
Kyle Hartog: Re: drawing the lines. We are waiting for more people to come into the conversation. The concern is interoperability.
Mmm... Authentication (are you the same person who presented the DID last time)
Authorization are you permitted to do THING - X
Totally different!!!
Dave Longley: +1 To identitywoman_
(Raise hand)
Manu Sporny: +1 To identitywoman as well :)
Pelle Brændgaard: We should be cautious using terminology from the non-decentralized world, where there is a good reason for differentiating. The old way of looking at it may not make sense. In most cases there are not 3rd parties where you have to authenticate. The authorization part is hard to define in the decentralized world. Some implementation may be clear, but others, not as much. We should think about it.
Dave Longley: I disagree that centralized/decentralized changes that.
Christopher Allen: (Robot bad audio)
Dave Longley: (I think authn/authz line is still bright and clear whether system is decentralized or centralized)
Christopher Allen: ..."Hoping"....
Mike Lodder: +1 Dlongley
Christopher Allen: After Kaliya
Christopher Allen: In tunnel
Kaliya: This distinction is critical to maintain and not confuse. Asserting a DID and proving you are the owner, has nothing to do ...
Dave Longley: +1 To Kaliya
Manu Sporny: +1
Kaliya: We need to get this clear and keep them separate.
Christopher Allen: I would like the minimalist authentication that allows a VC to be minimally valid.
(Sorry, it was too nuanced/too fast for me to transcribe correctly what Kaliya said so eloquently)
Christopher Allen: Almost through tunnel
Ryan Grant: +1 To keeping them separate
Christopher Allen: Though my statement above may be enough
Authentication is DIFFERENT than AUTHORIZATION!!!!
Manu Sporny: Yikes, they are very different --- authz !== authn
Kyle Hartog: Explaining one side of thinking. To prove you own the key.
Manu Sporny: Bad things happen when you treat them as the same thing.
If you prove you own the key that is Authentication
If you want to DO something - get authorized are you permitted...
That is Authorization
Manu Sporny: Pelle, DID-Auth happens at a much higher level than Ethereum authz... think there is a miscommunication here.
Christopher Allen: I first want a standard way of proving possession of key
Pelle Brændgaard: More discussion about authorization and authentication. Business vs HTTP use.
Dave Longley: VC is primarily about authenticating you have certain attributes -- that doesn't mean you are authorized to do anything.
Dave Longley: DID-Auth is about authenticating that you control a DID, again, says nothing about authorization.
Christopher Allen: (Through tunnel)
Pelle Brændgaard: We should stop thinking about everything as http model.
You do an authentication and if it "matches" then you might be authorized.
Christopher Allen: Basic requirement: very first VC, authenticate the key in the VC against the DID.
Mike Lodder: +1 Dlongley, let me add to that. VC for now just shows that an issuer signed claims, not that the information is correct, it's up to the relying party to choose whether they trust it or not
Dave Longley: You could potentially say you possess an authorization token in a VC -- but it would be that authorization token that lets you do things
Dave Longley: But i think that's probably not a good idea :)
It's not complicated
Dave Longley: (Mixing the token into the VC)
Kyle Hartog: Move it into the mailing list.
People who have been working on identity for 15 years - they are DIFFERENT
David Chadwick: There are two aspects to ABAC (Attribute based Authz). (i) prove you have the attributes (VCs do this) (ii) determine which attributes are needed to access a resource (the verifier does this)
The purpose of authentication is to confirm that the identifier that is under consideration is valid and controlled etc. Once you are certain that the identifier is authenticated, then authorization decisions can be made about that identifier
Me: this may be a good session at IIW as well.
Dave Longley: +1 To mike-lodder
Manu Sporny: +1 To achughes
First they have to do an authentication - THEN they can use that to grant authorization
Pelle Brændgaard: +1 For IIW session
Heather Vescent: While http model doesn't have to go forward as before, you should use the knowledge in understanding that ppl in that space have done thinking about it [scribe assist by Kim Hamilton Duffy]
Heather Vescent: Something Kaliya said in the chat -- while the HTTP model of authz vs. authn doesn't have to go forward as it was used in the past, we should use that knowledge / understanding in that space and not ignore it. If you're new to the space, do the research on tech, social, historical, and pay attention to that. [scribe assist by Manu Sporny]
Kim Hamilton Duffy: ...Ignore at your peril. ton of ppl thinking about this who will be at IIW
+ To white board
Heather Vescent: This is a good conversation to have in front of a white board at IIW. [scribe assist by Manu Sporny]
Unfortunately I won't be able to be at IIW, but I will get context on later calls
No meeting next week, we will be at IIW. See you the following week.
Thanks all
Christopher Allen: Thanks Kyle!
Thanks @kyle for using your Zoom room.
Kyle Hartog: Zoom has auto-record and auto-transcribe features... potential options.
Christopher Allen: I used app on phone