The W3C Credentials Community Group

Meeting Transcriptions and Audio Recordings (2014-today)



W3C CCG Weekly Teleconference

Transcript for 2024-11-26

<harrison_tang> Heather, can you hear us? I think you are on mute
<heather_flanagan> I don't hear you . Dang it!
<harrison_tang> can you hear us now?
<harrison_tang> heather, you might want to rejoin and check your browser permissions
<harrison_tang> i'll start the admin stuff first
Our Robot Overlords are scribing.
Harrison_Tang: Hi everyone uh welcome to this week's uh W3C CCG meeting so today we're very excited to have Heather Flanagan uh here to talk about Federated Identity Working Group's update Heather actually co-chairs that group so they're very excited to see what uh Federated Identity Working Group uh has been working on.
<heather_flanagan> Boo! Still not getting sound. Let me try a different browser
Harrison_Tang: Now before we start I just want to quickly uh do the administrative stuff uh first of all just want to uh have a quick reminder on the code of ethics and professional conduct uh that's make sure that we have respectful uh constructive conversations I I know most recently in the past 2 days there has been some email thread um flying around uh I just I by the way I just want to make a quick note uh I will send out um.
Harrison_Tang: Response in the next 4 or 5 hours as a co-chair uh to uh address the issue uh but just want to uh quickly remind everyone that W3C CCG is an open inclusive forum uh that uh encourages everybody to uh voice incubate and discuss identity related ideas uh we do want to welcome uh different communities uh updates and uh Communications and uh developments uh so we want to continue to encourage people doing that.
Harrison_Tang: um you know.
Harrison_Tang: Have disagreements or certain uh issues that they want to raise feel free to uh reach out to any any of the co-chairs you know just want to make sure that uh we ensure uh.
Harrison_Tang: Psychologically safe environment where people can actually uh talk about and share their honest opinions ideas uh I don't think uh it's a great uh to actually uh point out issues especially when the people are just sharing their perspectives and bringing other developments and news from other cross uh other related identity uh community so just want to make a quick note um.
<heather_flanagan> VICTORY IS MINE!
Harrison_Tang: Quick note on oh Heather we can see you now great.
Harrison_Tang: Um a quick note on intellectual property I think we can hear you too um so anyone can participate in these calls however also the contributions to any CCG work items must be a member of the CCG with full IPR agreements signed um if you have any questions about the W3C account or Community contributed license agreement uh feel free to uh reach out to any of the co-chairs.
Harrison_Tang: Please note that these meetings are public uh and the automatically recorded and transcribed uh we will uh try to publish the meeting minutes audio recordings and video recordings in the next day or 2.
Harrison_Tang: We use Jitsi chat uh to queue the speakers during the call as well as to take minutes so you can type in q+ to get yourself to the queue or q- and.
Harrison_Tang: All right uh just want to get to the introductions and reintroduction so if you're new to the community or you haven't been active and want to re-engage.
Harrison_Tang: Feel free to just unmute and uh introduce yourself uh or just type in Q Plus either way is fine.
Harrison_Tang: All right uh everyone will have plenty of opportunities because this is our regular segments so if you're feeling a little bit shy today feel free to uh just unmute uh or next signed our open discussions I'll start calling out people all right uh announcements and reminders any announcements and or reminders Manu please.
Manu Sporny: Yeah uh just to um uh the first 1 is that uh as uh folks have seen on the mailing list uh the uh CCG DIF um uh Trust over IP uh and IOTA communities are exploring DID method standardization um and uh the next uh 1 of those meetings uh there won't be 1 this week uh but the following week uh so the week of December uh 4th um at 12 pm eastern time uh will be the next DIF DID methods uh standardization incubation uh meeting um there is some there's a post from Kim Duffy about how you can join that group and participate um so that's item 1 uh item 2 is uh as a part of that work uh we are trying to collect uh goals and requirements for DID methods stand.
Manu Sporny: Uh there is an email Thread about there where people are kind of uh putting in their goals and requirements for DID method standardization uh into the thread so feel free to join in that thread and contribute your own ideas uh there um or if you are uh more familiar with GitHub uh there is a uh GitHub link uh where you could directly contribute uh your goals and requirements uh for DID method standardization uh that's it for me.
Harrison_Tang: Thank you Manu.
Kaliya Young: Um I wanted to share with folks that um in um.
Kaliya Young: Early March March 4th and 5th.
Kaliya Young: The digital identity unconference Europe is hosting a 2-day event um.
Kaliya Young: Called DICE Ecosystems really focused on bringing.
Kaliya Young: Uh folks who are building identity ecosystems in Europe together um and it's designed so you can fly in.
Kaliya Young: Uh on the first day and fly out on the second day so you only have to spend 1 Night in a hotel um we created this event because there was Community demand to meet sooner than a year from our last event um and we hope this can be helpful in.
Kaliya Young: Uh catalyzing ecosystem connections and uh interoperability.
Kaliya Young: So I'll put a link in the chat for that.
Harrison_Tang: Thank you Kaliya.
Harrison_Tang: Any other announcements.
Harrison_Tang: So uh as uh like Will and I and Kimberly have been sharing the last 2 meetings uh we're going to uh open up a nomination for the W3C Credentials Community Group's co-chair position um and I just sent out a formal email to Kickstart that process uh but before that just want to give a quick shout out to Kimberly for her great work and contributions to this community you know like uh I think the co-chair term's like 3 years so she's not leaving us she's just graduating right graduations are part of a life and our Journeys so I just want to quick quick shout out to Kimberly for her great work um and Kimberly you might do you want to share share some few words.
<dmitri_zagidulin> thank you Kimberly!!
<manu_sporny> Thank you Kimberly -- you've been an awesome community co-Chair!
Kimberly Linson: Sure thanks Harrison this has been an incredible um experience for me and I'm I'm so grateful for it um this has been really for for much of the 3 years at my dedicated learning our um I come every week and have the opportunity to.
Kimberly Linson: Dig deeper into the technologic Tech into my technological side um which is not something I get to do uh every day at work so I I really appreciate it I've appreciated um the warmth and and just sort of common um goal I think we're all centered around uh really interesting and exciting goals and uh I've I've enjoyed watching the success in progress of the community along the way and I think this.
Kimberly Linson: Felt 5 years ago like very nascent technology and is now becoming more and more mainstream I think we're starting to see that the real flywheel of business opportunity coming into play and so.
Kimberly Linson: It's been an exciting time to be a a co-chair and I appreciate Harrison and uh Will so very much and I know you are in good hands and and as Harrison said I'm not not going anywhere um but I I uh I will be happily turning over the reins to to someone new to give them the opportunities that I've had.
Harrison_Tang: Thank you Kimberly and by the way we didn't like uh rehearse this so that was a very touching speech I can't believe I literally just call on you on the Fly um but thank you big thanks you know you have been a great help I think there's a lot of uh work uh kind of under the hood that's happening and I'm very uh I think all the co-chairs probably can say that we're all very fortunate to have each other and help each other out so big thanks.
Harrison_Tang: All right a quick preview of the process uh so we're opening the election uh nominations uh today officially um and then uh uh the nomination period will have uh will start today and then uh end on.
Harrison_Tang: The candidates will speak at the December 10th uh meeting the voting will open for a week from the December 10th to the 16th will announce the election results on December 17th and the new co-chair uh term starts on January 1st January 7th uh.
Harrison_Tang: Basically the beginning of next year.
Harrison_Tang: And all the details are in the email that I just sent out.
Harrison_Tang: All right uh last calls for announcements and reminders.
Harrison_Tang: Any updates on the work items I know we just went through that last week but any updates.
Harrison_Tang: All right let's get to the main agenda again very excited to have Heather here to talk about federated identity it's uh actually 1 of the uh topics I really really care about so the I I'm sure I will learn quite a bit from today's uh session as well so Heather the floor is yours.
Heather_Flanagan: let's see.
Heather_Flanagan: Oh look even sharing worked I wasn't sure if it would or not.
Heather_Flanagan: Excellent excellent all right so for uh folks who don't know me my name is Heather Flanagan and I wear I do wear a lot of different hats I am an independent um contractor at the end of the day.
Heather_Flanagan: 1 of.
Heather_Flanagan: My hats is uh the uh working group chair for the Federated identity working group I'm also the community group chair for the community group side of things.
Heather_Flanagan: Uh I tend to collect standards organizations a little bit like other people collect Pokemon uh because I've also worked extensively with the IETF I was the RFC series editor for 8 or 9 years I've uh been a member and a contractor for the OpenID Foundation I've worked with NISO the national information standards organization.
Heather_Flanagan: I worked with.
Heather_Flanagan: NGOs that are related to the uh the standard space such as ICANN uh which are you know obviously the names and numbers people as well as organizations like REFEDS which is the research and education Federation consortia.
Heather_Flanagan: Been the co-coordinator of that for coming up on 9 years so.
Heather_Flanagan: Oh what all of this has in common is a lot of work in standards and a lot of work in the identity space I'm also the executive director for a nonprofit uh ID Pro which is a Professional Organization for identity and access management practitioners.
Heather_Flanagan: But what you actually want to hear about today is okay so what's happening with identity uh in the w3c specifically with regards to the Federated identity working group now some of you uh have lived this journey with me for the last few years but many of you haven't so I wanted to just give you sort of some background as to.
Heather_Flanagan: How we got where we are today and what's changed over time.
Heather_Flanagan: So I'm going to talk very quickly about identity on the web I know you all have have a perspective on that my perspective is slightly different both are correct going to give you the origin story for the main work item for the Federated identity uh groups uh the Federated Federation credential manager.
Heather_Flanagan: Going to talk about how the problem space itself has evolved over time.
Heather_Flanagan: We're going to talk about the relationship between the FedCM API and the digital credentials API because that's a Hot Topic right now going to talk about okay so what does that mean for where we are today right now this moment.
Heather_Flanagan: What things were looking forward to in the uh the topics over the next year or so.
<kaliya_identity_woman> HEre is the link to register for DICE Ecosystems March 4-5 - https://lu.ma/DICE
Heather_Flanagan: Um so what does the w3c have to do with digital identity well it it actually has quite a bit because when at the end of the day the w3c has ever so much influence over.
Heather_Flanagan: User experience and the best practice for user experience and that really drives just about everything else when you think about broadly speaking how do people interact online and how do they keep themselves safe how do they you know and how do businesses keep their data safe all of this does tend to boil down to well what choices does the user Make online.
Heather_Flanagan: The w3c is there to provide the technical safeguards to the users and the websites I know that there's a strong emphasis on the user component but it's important to protect the businesses too.
Heather_Flanagan: We're trying to facilitate okay so as a user is doing their Journey which identity do they want to use for any given website that they're at it won't always be the same 1.
Heather_Flanagan: I come primarily from a higher education background and in that scenario more often than not the relying parties truly do not care who I am they care.
Heather_Flanagan: what my.
Heather_Flanagan: In fact they don't even want to know who I am they just want to know am I a student at Stanford University am I a faculty member at MIT um you know what am I not who am I.
Heather_Flanagan: Facilitating that is is actually I think uh 1 of the things that the w3c is helping with.
Heather_Flanagan: But it's not just us now A friend of mine Mike pelage put this slide together which I thought was both hilarious and very accurate when you think about who's working on digital identity standards.
Heather_Flanagan: There's a lot going on um the IETF has its role working with OAuth uh and in cascading out of OAuth you have things like the selective disclosure for JSON Web Tokens you've got DPoP you've got any number of things but you've also got authorization work in SCIM.
Heather_Flanagan: You've got non-human identity in uh WIMSE you've got supply chain efforts in SCITT.
Heather_Flanagan: Of course ISO is heavily involved here as well because there you've got your mdocs your mobile driver's licenses um when this when this slide was put together uh 18013-5.
Heather_Flanagan: Which was like the in-person presentation was the only 1 that had reached you know formal specification but now they also have -7 which is remote um presentation of identity so that's pretty interesting too.
Heather_Flanagan: you've got.
Heather_Flanagan: You've got the OpenID Foundation you used to have the uh Open Identity Exchange which focused on trust Frameworks but they very recently shut shut the shut uh shut their doors.
Heather_Flanagan: You've got NIST uh how much do we all love uh 800-63 enough that we every time they go out for a public comment we give them thousands upon thousands of comments that they have to resolve their most recent efforts for 800-63-4.
Heather_Flanagan: Resulted in 2000 uh Community comments coming in.
Heather_Flanagan: Because there's just that much about how people care.
Heather_Flanagan: So it's not just the w3c working on this space there's a lot other.
Heather_Flanagan: a lot.
Heather_Flanagan: Lot of other things going on certainly.
Heather_Flanagan: But now let's talk about FedCM so it all started back in the day uh August of 2020 um a group of people got together and basically said do we have a problem to solve here and at the time the answer was absolutely yes because third-party cookie deprecation.
Heather_Flanagan: Was a really big deal it was a huge Cloud not just on the horizon but it was already happening in some of the browsers and some of the authentication protocols.
Heather_Flanagan: The ones coming out of the OAuth family they had a dependency um in some aspects on third-party cookies so it's like okay yes this is definitely a concern.
Heather_Flanagan: Other protocols like SAML.
Heather_Flanagan: Didn't exactly depend I mean from a pure specification level SAML doesn't care about third-party cookies in the slightest.
Heather_Flanagan: A lot of uh we'll call them SAML-adjacent Technologies the kind that actually let you discover which IdP you might want to use out of a cast of thousands upon thousands they did they do rely on third-party cookies so yes we felt there was definitely a problem to solve.
Heather_Flanagan: So that conversation led to a uh the formation of a WICG.
Heather_Flanagan: Work effort and a workshop on federations and browsers where really what we wanted to do was Define the problem statement and just suggest what what's the path forward.
Heather_Flanagan: Well the path forward was you know what we need to actually create a community group and that happened in August of 2021 now at this point um you should have access to these slides and you can get links to all this material.
Heather_Flanagan: Everything have has notes back you know as far as the August 2020 if you're interested in that.
Heather_Flanagan: So the community group uh definitely spent quite a bit of time trying to figure out what how all of this was going to come together and.
Heather_Flanagan: The Federated credential management API some people were very concerned that it was.
Heather_Flanagan: Interfering in a way that.
Heather_Flanagan: Organizations didn't know what to do.
<kaliya_identity_woman> I also forgot to mention in my remarks that we have the DID:Unconf Africa happening in February too https://didunconf.africa/
Heather_Flanagan: Upon a Time right browsers were a passive conduit for information and now and a lot of the identity protocols the OAuth protocols SAML all of them depended on that passive just pipe to let information flow through once browsers started to say actually.
Heather_Flanagan: We need to be an active participant we need to be a Gateway um to help make sure that the user stays safe.
Heather_Flanagan: And 1 could actually now start to come up with all other theories as to why browsers want to to own some of this information regardless of.
Heather_Flanagan: I this became a really important component.
Heather_Flanagan: That having the browsers mediate information was an interesting problem.
Heather_Flanagan: It's happening uh the group has gotten fairly far uh far enough that they said you know what we think we're we're getting close enough to actually having a formal recommendation we need a working group.
Heather_Flanagan: And that working group uh officially formed in March of 2024.
Heather_Flanagan: The first public working draft was published in August.
Heather_Flanagan: And 1 of the interesting components we're going to start to to diverge a little bit here uh was when we were going through the chartering process.
Heather_Flanagan: There was a big question about a piece of work that seemed functionally or logically related and that was the digital credentials API.
Heather_Flanagan: The Federated identity working group and the community group up to this point had been very focused on what we'll call traditional Federation models the OAuths the SAMLs the OpenID Connects um.
Heather_Flanagan: IdP your relying party what some people refer to as a 2-party model I happen to hate the 2-party and 3-party model terms but we'll go with them it's what people know.
Heather_Flanagan: But when you think about it what we wanted the FedCM to do is help a user make a choice as to what identity they wanted to use for whatever transaction they were about to take and that's a lot of what the digital credentials API was doing as well.
Heather_Flanagan: And so the original charter as proposed uh said when digital credentials is ready.
Heather_Flanagan: Will have a space for that work item to come here.
Heather_Flanagan: That was not a popular decision at the time folks felt that there needed to be a whole lot more conversation about that and so we chose to do since FedCM was fairly far along in terms of its developments we said you know what for this initial Charter let's just say uh FedCM is our work item.
Heather_Flanagan: We're going to shift the digital credentials discussion out a little bit.
Heather_Flanagan: And let it be its own conversation so we did that by getting the charter approved and then immediately turning around and proposing a recharter that again would bring in that digital credentials work.
Heather_Flanagan: That recharter was proposed in July and in September.
Heather_Flanagan: Formal objection was submitted to that recharter basically saying you know what we don't like the whole idea of of the digital credentials work because it is making it easier for users to.
Heather_Flanagan: Release information about themselves unknowingly on the web don't want it don't like it just the the whole the whole principle.
Heather_Flanagan: Um the push back on that was to say well yeah.
Heather_Flanagan: but that's.
Heather_Flanagan: Because it's happening already and if we do this work maybe we can put some guard rails around that.
Heather_Flanagan: So there there was no uh consensus to be found at that point thus the formal objection stood.
Heather_Flanagan: I don't know how much you all know about the formal objection process but the first step is to try and find um.
Heather_Flanagan: So that you can just it's almost like arbitration can you find a way out of this without going to court.
Heather_Flanagan: In this case the answer was no not really and so the formal objection went forward and a council was formed the council is still meeting today uh this has not been resolved yet if you want to get a bit more background I strongly encourage you to look at the team report which was published uh last month.
Heather_Flanagan: About what does all this mean how is us all supposed to work together why is this a concern and what what do we recommend to happen going forward.
Heather_Flanagan: Now the reason I wanted to give you that background is to get to this slide uh which to say well okay but that sounds like maybe your scope is is creeping and the answer is well no the problem is the scope is changing um entirely because where we started with a concern about phasing out a third-party cookies.
Heather_Flanagan: Well that was back in 2020 and today there's there's just so much more out there that really needs to be addressed and that we would be remiss not to be touching on there there exists in the world digital identity wallets there exists passkeys which may very well take over the whole concept of federation in the consumer space.
Heather_Flanagan: but not.
Heather_Flanagan: Necessarily in higher education or Enterprise or Healthcare or others it's an interesting conversation regulations actively changing over time and I think everybody is starting to shift towards that bigger picture of how users can securely and privately use Federated Authentication.
Heather_Flanagan: I think in this group there's a lot of interest in saying you know what we want to give that control to the user themselves.
Heather_Flanagan: And I think that's a model that works super well.
Heather_Flanagan: Particularly in the consumer space I'm not sure how well it works in those spaces like in higher education where you start to say but I don't care who the user is and they don't own the information that's most valuable which is their affiliation.
Heather_Flanagan: I think there's some some fun conversations we could have there that may perhaps not write this instant.
Heather_Flanagan: The changing landscape looking at the FedCM looking at digital credentials and I think the digital credentials work is significantly of interest to to you in this community group um the digital credentials and and passkeys both do 1 Thing super well and that's give the user the control of their key.
Heather_Flanagan: If you boil it all down so much of this comes down to Key Management at the end of the day.
Heather_Flanagan: Um the Federated flows using things like OpenID Connect can add a lot more detail than that.
Heather_Flanagan: Does still look similar about how much control and at what point you're giving things to the user.
Heather_Flanagan: That said the Privacy properties of both are very very different.
Heather_Flanagan: And that's where and here's another document I strongly encourage you to look to the threat model related to decentralized identities focusing on digital credentials come into play now um Simone on the w3c held the pen on that 1 and I think it's a really interesting read I keep rereading it because I keep getting new stuff out of it and so I would encourage you to do as well.
Heather_Flanagan: But in all of this I come back to something that that I feel like gets lost and that is that.
Heather_Flanagan: The web we tend to focus on consumer scenarios.
Heather_Flanagan: Because that is perhaps the biggest use case for you know why why who's on the web how many people what are they doing well that's where you get your social media you get a lot of different a lot of different scenarios in the consumer space but their requirements are very very different from Enterprise Academia fintech government health care and keeping all those use cases in mind where you may may have mutually exclusive requirements.
Heather_Flanagan: Is why we all have a job.
Heather_Flanagan: So what's the status of the working group um the working group meets exclusively once a month.
Heather_Flanagan: The combined community group and working group.
Heather_Flanagan: Meet every other week so there's a meeting happening every single week.
Heather_Flanagan: Mostly it's it's with the community group and we have a document on our process that talks about the different stages of of work stage zero which is a glint in someone's eye stage 1 which is okay we have we have uh something written down and an issue that we can discuss stage 2 being we have specification.
Heather_Flanagan: Stage 3 being we have consensus on that and now we're just looking for uh.
Heather_Flanagan: Implementations in stage 4 is when you actually redirect recommendation status.
Heather_Flanagan: Familiar with um the WHATWG.
Heather_Flanagan: Uh TC39 we based our process very much on that.
Heather_Flanagan: We're focused on discussing the issues uh raised during the first public working draft stage.
Heather_Flanagan: Working group in particular focuses on the pull requests um more than just the issues.
<dmitri_zagidulin> the SocialWeb CG is also in the process of adopting that same FedID WG staging process! :)
Heather_Flanagan: So far it's proving to be working fairly well it's a very interesting interesting space and an interesting set of discussions.
Heather_Flanagan: But that's today what about tomorrow well we have we have so many questions things like Okay so.
Heather_Flanagan: Coming back to the formal objection.
Heather_Flanagan: Basically there's 3 things that could happen.
Heather_Flanagan: Thing number 1 is that the uh the w3c council says we 100% uh agree with the objection and this stuff should not merge and we're done.
Heather_Flanagan: Of an absolute no.
Heather_Flanagan: The next thing is for them to say well there's there's something to the objection and so we recommend some some perhaps some changes to the Charter or some other work to happen but given that the work can go forward.
Heather_Flanagan: The third option is we reject entirely the objection and everything is fine just as it stands.
Heather_Flanagan: I'm personally betting on option 2 that's something in the middle of there's going to be some some additional work that rolls out of that.
Heather_Flanagan: That will ultimately feed into the different specifications but the charter change will then subsequently happen.
Heather_Flanagan: Okay so let's assume that's the case.
Heather_Flanagan: What changes if and or when FedCM and digital credentials come to the same group are we going to see these APIs merge entirely.
Heather_Flanagan: They actually truly solving different problems.
Heather_Flanagan: Uh I think that's a great question and I don't have an answer for you but it's on the list of things we need to talk about.
Heather_Flanagan: The next thing uh we need to solve some pretty hairy problems um coming back to the higher education use case.
Heather_Flanagan: it is.
Heather_Flanagan: Is very typical and completely reasonable that a relying party will need to present to the to the user over 5,000 different identity providers that they may legitimately be able to use in order to.
Heather_Flanagan: Login and get access to for example a scholarly Journal.
Heather_Flanagan: Higher ed has been.
Heather_Flanagan: Dealing with the user experience of that and just how hard it is for literally uh over 2 decades this is a super super super hard problem to solve especially when you're worried about well what if you don't want the relying party to know a whole lot about the IdPs or you don't want the IdPs to know a whole lot about the relying parties.
Heather_Flanagan: A higher ed has solved this.
Heather_Flanagan: Way in the SAML use case but uh it's not it's not a trivial solution and trying to figure out how to make that apply to.
Heather_Flanagan: Something like FedCM and digital credentials and whatnot we don't know how to do it yet.
Heather_Flanagan: Another thing that's on the list of Tomorrow is we need additional editors and reviewers on this stuff right now um FedCM is primarily the the I think it's got 1 editor and that's uh Nicholas from Google who's doing a fantastic job if I may say so.
Heather_Flanagan: um but.
Heather_Flanagan: We need additional editors on that and we need additional uh reviewers for the PRs uh that are being proposed so this is an area that's of interest to you.
Heather_Flanagan: we would.
Heather_Flanagan: I'd love to have your participation.
Heather_Flanagan: And that is my update as to where things stand today it was it was a pretty high level 1 um but I'm happy to.
Heather_Flanagan: Questions as best I can and there may be other people on this.
Manu Sporny: It feels it feels like there is an enormous amount of convergence that's happening here and it feels like the stakes are a little higher right now meaning like you know if the if for example like you know I I agree with your your your uh uh thought that it's probably option 2 the formal objection has some Merit but like there's also work that we need to do here and better to do the work here than have it just.
Manu Sporny: Be be done elsewhere where we don't know what's going to happen um but but in order to do the work as you said like I'm you know that that diagram you showed of like all the different orbits of like identity and everyone that's involved and all that kind of stuff it feels like there's a there could be a massive convergence that happens right I mean you know at the last W3C Technical Plenary we had you know people from Google going like well what exactly is the difference between a passkey and a digital credential and this and that aren't they actually kind of the same thing um what what do you feel like.
Manu Sporny: Here's a big.
Manu Sporny: Question on like where that discussion should happen and if it happens in the working group there's like there are huge ramifications for that like for example like the European Union is is kind of depend like from a regulatory perspective depending on this work happening um.
Manu Sporny: How do you how do you see I mean being the chair how do you see navigating that like I mean there's some you know wait what happens if a conversation gets kicked off where we try to merge all these things together and it leads to like 2 years of disagreement or whatever so so I guess what are the contingencies what are the backup plans how are the different ways we could we could you know get through this knowing that there's so many people looking at what's going to happen in this in this working group over the next year.
Heather_Flanagan: So I have an answer I'm not entirely happy with the answer let me put that right out there but the the only way I know of threading this particular needle is to be very very very precise in the scope of work and that means being able to say that's you know problem Ah that's a super valid problem we cannot solve it here.
Heather_Flanagan: Know go have a side meeting about where you might want to solve it but it cannot be solved here for.
Heather_Flanagan: For the reason might be most probably because we don't have the right people in the room.
Heather_Flanagan: Um or it's a a cross-cutting type of thing so.
Heather_Flanagan: I've been I've been uh working with different groups and whatnot uh large-scale collaborations for about.
Heather_Flanagan: 20 years.
Heather_Flanagan: At this point and that's the only thing I've ever seen work is to is to stay tight to your scope.
Heather_Flanagan: It's not great because you lose things um and sometimes you've got a very valid question that doesn't have a home.
Heather_Flanagan: Do you want the core work to be able to progress sometimes you do have to you do have to.
Heather_Flanagan: Keep it tight.
Harrison_Tang: So Heather I have a question can you further clarify what's the difference between FedCM and digital credentials API is the difference between is the differences between like federated identity the or the traditional OIDC and then the digital credentials API is more like a decentralized software identity.
Heather_Flanagan: So that is a fantastic question and.
Heather_Flanagan: I'm going to drop a link in the chat.
Heather_Flanagan: That um should be.
Heather_Flanagan: Anyone with the link can view this and it's a copy of some notes taken uh that I took during the internet identity Workshop.
Heather_Flanagan: Uh in October because that was exactly the topic what's the difference between FedCM and digital credentials and passkeys.
Heather_Flanagan: My takeaway from it was.
Heather_Flanagan: How was was the discovery component it to me that felt like a big a big aspect of it was the FedCM was was more focused on getting the user to discover uh any number of different identities and could conceivably be regardless of protocol of what you were using.
Heather_Flanagan: The other thing that I kept hearing was that um.
Heather_Flanagan: Digital credentials is focused on that that bridge between if you think about it it's actually a super tiny component that Bridges between the browser and the operating system.
Heather_Flanagan: Is not what FedCM is doing. FedCM doesn't have anything to do with the operating system underneath so I think there's there's some aspects like that that are different now that's how they're different today.
Heather_Flanagan: Do they need to be that different can they be merged.
Heather_Flanagan: I don't know that's why I'm chair because I think that's a great question and I have no skill to solve it so.
Heather_Flanagan: Is something that I think we will end up talking about I've heard some people say yeah I think there's room to merge them and I've heard other people say no of course they're different so.
Harrison_Tang: So for those like who are not familiar with FedCM like can you clarify what what it does because in the traditional federated identity like effectively the most dominant uh uh like uh identity providers are just like Google and Facebook right so in other words in some ways this might be a controversial statement but in some ways the relying party just outsourcing their identity problems to to the big tech right so in its fascinating basically trying to replace a the identity providers with browsers and let browsers uh do that job or can you kind of clarify a little bit yeah.
Heather_Flanagan: Um I wouldn't say that uh either IdPs or RPs were exactly trying to outsource anything um it's more that FedCM is going to add a binding to some of the existing protocols that allow the protocols to pass that information back and forth between the RP and the IdP.
Heather_Flanagan: At the the.
Heather_Flanagan: Request permission of the user.
Heather_Flanagan: I think that's that's kind of how it boils it boils down is is them standing in as a as a little Gateway.
Heather_Flanagan: But once once the permission has been given they're supposed to get out of the way of the the actual protocols such that uh OpenID Connect, OAuth can still just work the way they're used to working.
Manu Sporny: Um yeah so so early in your presentation um you mentioned that um you know W3C you know focuses a lot on kind of consumer identity and that is different from you know educational identity in fintech identity and stuff like that to some degree um I wanted to kind of uh uh dive in on that a little little more um just to give you know some background you know this is the community that you know incubated decentralized identifiers and incubated verifiable credentials and you know those standards that you know are those specs that went to become standards that at W3C so there's a there's a pretty strong focus on like.
Manu Sporny: An individual being in control of their attributes and having consent on when they're released in in things of that nature um in in how that's not necessarily the model that you know is used in um uh you know education or fintech like they're they're asking different questions so I was wondering if you could kind of um explain the the differences there so to to me it feels like this it feels like it could be the same thing and I think the the barrier there feels largely cultural like education and fintech has operated in a very specific way for decades and it's kind of built into their DNA for them to kind of not include the individual in um.
Manu Sporny: Uh and things of that nature whereas you know self-sovereign identity movement is very much about putting the person in the middle and being them being able to say like no don't share that information about me with with party X so um what are you uh what are the what are the what are the kind of you feel or like the.
Manu Sporny: Able differences between those those 2 spheres um if you think those exist don't think.
Heather_Flanagan: Well I think in some cases you're right that it is it is strongly a cultural thing I think uh.
Heather_Flanagan: 1 of the things I find fascinating uh looking at the higher ed space is is how how you've got divergence between digital credentials.
Heather_Flanagan: For something like a diploma.
Heather_Flanagan: which is.
Heather_Flanagan: Definitely very active work here versus the authentication process.
Heather_Flanagan: Because uh an active student or researcher needs access to material that the institution has um.
Heather_Flanagan: Business relationship with.
Heather_Flanagan: They're very they they have been they're different departments at the University they're solving different problems they're they're very very separate in how they work and and what kind of contracts are written which I think is a piece that comes into this that that makes things a little bit hairy you've got your culture differences but those cultural differences are actually embedded in legal contracts in some ways in terms of what's allowed what's required.
Heather_Flanagan: Uh and I don't know that.
Heather_Flanagan: W3C can really.
Heather_Flanagan: Directly do much about that.
Heather_Flanagan: What I think the W3C can do though and this is something that's going to change over time so I'm going to date myself uh a bit here when I was working at Stanford University as the Director of systems that was the point in time where Stanford was starting to uh give students rather than host the students' email they're like you know we're going to contract with Google and Google will host students' email.
Heather_Flanagan: Because we just don't want to have it it's more more trouble than it's worth and this is what the students are asking for and it will all be fine the faculty on the other hand said yes over my dead body will you put my email on big tech servers no way no how not going to happen and it took about 3 or 4 years for the faculty to say oh my God we have no functionality not like that we see that our students have could you just put our stuff on Google please.
Heather_Flanagan: I'm willing to bet that this that's the kind of thing that's going to happen um very much in with with some of the digital credential work where people are going to be experiencing it out in the wild and they're going to come back to their institutions their Workforce their schools what have you and say why aren't you giving me this functionality.
Heather_Flanagan: I think I think we'll be able to drive a cultural difference.
Heather_Flanagan: By existing improve providing a better experience than what they have today.
<manu_sporny> haha! super useful backstory about how that happened!
Harrison_Tang: Any other questions.
Harrison_Tang: By the way uh another clarification question Heather is that is it a true or is a misunderstanding where FedCM is more about browser authentications and digital credentials works more with the wallets right for example Apple Wallet and Google Wallet what is it not true.
Heather_Flanagan: Uh I think it's mostly true.
Heather_Flanagan: But not I mean everything comes down to like an origin story which is 1 of the reasons I wanted to go through the origin story for FedCM. FedCM is coming out of a place where yes it's it's it's browser focused 100% digital credentials is coming out of.
Heather_Flanagan: Use cases mobile operating systems and that and now I think there's going to be a point where those converge where the browser will be a wallet on the web and therefore it's going to look a lot like the other things.
Heather_Flanagan: 1 of the 1 of the things I've observed uh is that the where something comes from even as its use cases evolve that that core origin has a huge impact on the overall design of the spec.
Heather_Flanagan: Um in this case I think FedCM and its its backstory of looking at browsers looking at cookies it changes the shape of the spec going forward I think digital credentials with its backstory of looking at um mobile operating systems and whatnot is going to change the way it looks going forward.
Heather_Flanagan: I think the same exact thing is and this might be controversial but I think the same exact thing has happened with the verifiable credential space what was what was the what problem was it initially trying to solve.
Heather_Flanagan: The answer for that with the W3C is verifiable credentials using capital letters.
Heather_Flanagan: A very broad open flexible model.
Heather_Flanagan: In the ISO that was based on a driver's license use case and therefore it is much more structured and restrictive now canopy opened up yeah but it it always comes back down to.
Heather_Flanagan: A very very structured use case versus an open use case and all the every further uh development of the specifications are going to reflect I think that mindset that went into that core.
Heather_Flanagan: Uh core material the core use case that drove the thing to exist at all.
Harrison_Tang: Cool thank you David.
Heather_Flanagan: And that right there is like why that's that's the hard part you're right because both those models are valid.
Heather_Flanagan: Both those use cases are reasonable both those use cases are required by somebody and the fact that we have to be flexible enough to support both makes our job really hard.
Heather_Flanagan: I know personally how to do it other than to say okay here's here's your base now here's your profile if you're having to deal with this kind of situation because the profiles are you know are always more strict than the base component.
Heather_Flanagan: That's personally it's the only way I can think about how to do it.
Dmitri Zagidulin: To that question a little bit uh to answer D David Chadwick's.
Dmitri Zagidulin: Uh and that is to say the 2 models are actually not that different.
Dmitri Zagidulin: It's just that.
Dmitri Zagidulin: The verifiable credential we may verify the credential ecosystem in the wallet ecosystem.
Dmitri Zagidulin: Uh have been putting off thinking about identifying verifiers but now that implementations have gone out the door now that we have issuing software now that we have a handful of both open source and proprietary wallets now that we have verifiers vicious come up front and center which is why you see so much work being done around issuer and verifier registries.
Dmitri Zagidulin: And and for those for those of you not familiar with what we're talking about it's the fact that when I hand you a credential when I hand you a diploma.
Dmitri Zagidulin: Uh not only do you need to identify the issuer right because it's signed by an opaque key signed by an opaque DID you have no idea who that key belongs to so you have to look it up in your known mapping you can say okay this opaque key belongs to this University so that's identifying the issuers so we're we're all starting to sort of understand why we need to do that but even in the non-mobile driver's license world in in regular plain verifiable credential world we have responsibility to the user to identify the verifier as well specifically to identify to identify who's asking for their credentials.
Dmitri Zagidulin: I'm applying uh for a job and the employer is asking me for my diploma my wallet needs to say this company that you're applying for is asking for your diploma that the UI needs to say that otherwise there could be uh also the potential for man-in-the-middle attacks and so on and if I'm doing it in person if I'm standing in front of the desk of the employer I can sort of identify who's asking just by the timing I scanned the QR code and immediately a request popped up but with any sort of online uh online form or even in person we still have a responsibility to the user to look up the identity of the request and present it to the user in a comprehensible way right it's not enough to say he 1 to 3 is requesting your diploma it needs to be this employer or this other university you're applying for is asking for your diploma and for that we use the same exact mechanisms as issuer registries it's just that they're now issuer and verifier registries.
Dmitri Zagidulin: All of that.
<phil> To expand on Dmitri's comment - it's a responsibility of the issuer and verifier registry to convey the trust signals that are associated with a given issuer and verifier so we're not relying on brand names etc.
<harrison_tang> well said, Dmitri :)
Dmitri Zagidulin: Uh all of that digression is to say is the the 2 models are exactly the same in the mdoc world and in the verifiable credential world it's just that we haven't uh gotten around to standardizing the format of the uh uh issuer and verifier registries in the verifiable credential world but we're working on it right we have several several specifications uh in progress being actively worked on that working groups 1 of them is OpenID Federation another 1 is CCG's very own verified issue and verify specification and have uh the diff um I forget what it's called okay I'll I'll pause here.
<manu_sporny> I like this website already
Dmitri Zagidulin: It depends on the wallet though several of the um both European Union and US-based wallets uh some of the vertical specific ones are enforcing.
Harrison_Tang: Any other question.
Harrison_Tang: Oh wait uh just a curiosity question Heather um so like uh digital credentials API and the FedCM is basically uh empowering the users to basically take control of the credentials exchange and uh federated identity historically at least I associated with like Google login.
Harrison_Tang: So my question is why is the working group named Federated Identity Working Group like why not it's called like Self-Sovereign Identity Working Group or something.
Heather_Flanagan: Because naming things is hard and that's the 1 we were able to actually agree on when when we.
Heather_Flanagan: Talk about it's not just the social login it's also.
Heather_Flanagan: it's also.
Heather_Flanagan: What the user is doing is picking the IDP and.
Heather_Flanagan: Going from there but we had lots of different options we started with WebID.
Heather_Flanagan: And then people didn't like that 1 and then we didn't want to get too confused with the what was happening in the self-sovereign space.
Heather_Flanagan: Didn't have objection to it but we wanted to to give something to indicate we were focused more on OpenID Connect, OAuth, SAML use cases things like that so that's where we ended up.
Harrison_Tang: Got it okay.
Harrison_Tang: Cool no thank you for the clarification yeah I was just like saying that some people might have that confusion if they didn't read closely into it so thank you.
Harrison_Tang: All right I think uh there's a we can have time for 1 more question anyone else has any questions.
Harrison_Tang: Well thank you thanks Heather uh for jumping on and taking your time to uh lead a wonderful conversation and presentation so thanks a lot.
Heather_Flanagan: Sure thing happy to do it.
Harrison_Tang: All right this concludes uh this week's W3C CCG meeting thank you thanks everyone for attending.