<scribe> scribe: dlongley_
manu: We will be talking about a
Web we have more domain over. We get self-issued identifiers,
identity, the ability to transact.
... Introduction to Oma... she will save millions of people and
lives in rural India, parents unbanked.
... Oma doesn't have an official identity. She has to be at
least 5 years old to get one in her country.
... A passport is out of her reach, too costly.
... These conditions reduce a number of things, access to
education, access to financial services, higher education, job
market, and protection from human trafficking. It's very easy
to get lost if you have no identity, hard to find you if
kidnapped.
... People in these positions, including Oma, we want to
achieve their potential despite challenges faced. Web is
playing an increasing role in rural communities, so on. Want to
be clear that a lot of these are political problems that we
can't solve, but we can provide technology to help.
... I will talk for several more minutes then open
session.
... The Web is good at spreading information, good and bad. The
Web is doing a good job at what it was designed to do, not good
at moving money at a distance, establishing trust at a
distance, and there's a data siloing effect that we see from
the Web architecture.
... The self-sovereign Web is about working on these issues,
there are gaps in the Web Platform today and we want to upgrade
it to empower each of us.
... Today W3C is working on some of these issues, Web Payments,
Digital Credentials, portable identifiers and data. The profit
motive for corporations often has to do with automating
business processes, so feel good story and good profit motive
at the same time.
... There are huge benefits for corporations in fixing moving
money and identity problems. Good for the world at the same
time, so incentives aligned.
... These changes will help Oma.
... Some of you came here to get an overview of these things.
There's a WPWG and a WCIG at W3C. Trying to make checkout,
payments easier on the Web. Anyone trying to launch a new
payment network has trouble because rails 40+ years old.
Bitcoin doing ok. Can we leverage any of this? Get faster
payments. Fundamentally WPWG current work is about going to a
merchant site and doing checkout.
... At no point do you have to fill in your credit card number
on the site anymore, done in browser or payment apps.
... Here's where we are with Web Payments today -- a chart
showing all the people using the Web today, native support for
Payment Request API is 34.% and polyfill support is 51.3% of
3.8 billion people. This is a demonstration of how far we've
come in a short time.
... Web Payments help Oma's parents engage globally, give
financial services through their smart phones. They don't have
bank accounts but they do have smart phones (quite often,
perhaps surprisingly).
... This helps them engage globally.
... Next is W3C Verifiable Claims (or Verifiable Credentials,
aka). Can you prove that you have a certain professional
license, do you have a certain level of education, can you send
digital driver's licenses, passports, prove you are over 21
years of age, etc.
... So there's a W3C group working on verifiable credentials.
There's a polyfill for moving verifiable credentials through
the browser and we have the same sort of support with the
polyfill but no native support yet. So 85.8% of 3.8 billion
browsers. But sites must serve the polyfill and use it to
achieve those numbers.
... Verifiable Credentials can help Oma and people like her
apply for universities, make other assertions, etc.
... Web Identifiers. Fundamentally current Web identifiers are
leased to individuals through DNS, etc. That's fine but does
lead to identifier lock-in -- no identifiers for individuals,
always from a website.
... Could we move to something complementary for individuals,
leaving DNS for what it's good at.
... These credentials need to be tied to individuals and they
need to be in control of them. That's where DIDs (decentralized
identifiers) come in.
... Many of the people working on this problem are using
blockchains and DHTs to issue identifiers that individuals own.
Individuals can cryptographically prove ownership/possession
over identifiers.
... That changes things -- people can prove identifiers are
theirs and not really owned by some organization.
... or company on the Web.
... DID examples are on the slides. There are multiple
organizations working on DID methods -- many different types of
DIDs.
... There are a number of people unified working on this
problem with different blockchains, etc.
... This is in contrast to domain name system, the identifier
you tie your data to is yours and that's important.
... We need support from W3C to help push this forward. Web
Payments is doing really well. There's browser deployment
happening. VC is meeting Thu and Fri, there's fairly healthy
progress, specs improving. Web Payments up for rechartering, if
you're an AC rep please support. Please join VCWG/CCG we always
want more diversity.
... We really need help from the membership, if you believe in
DIDs and people and orgs owning their own DIDs is important.
The credential handler API is how you move verifiable
credentials around in the browser and we need browser blessing
on that.
... Fundamentally that's it -- this is the work that helps
create the self-sovereign Web. At this point I'd like to go
into discussion mode. Are we missing something? Do people
dislike the idea? Is it premature, do people think it will fail
at W3C?
reto: Thanks, what seems to me is the magic of blockchain. You make it sound like this is free and safe to be permanent. Blockchain is a ledger that is copied to many hosts. There's a mechanism that is typically computation expensive to reach consensus. Even if we assume it will last forever there are costs. How much will Oma pay? Won't it be more expensive than a fee to register with DNS?
Christopher: If you want to have total control, self-sovereign identifier, where you are fundamentally the root. I think it costs $1.50 the last time I did a real test one. But all of those can be a merkleroot of a large set of them. All the people in her class, or whatever. Bitcoin is expensive, ethereum is less expensive, Sovrin and Veres One are low cost but perhaps less secure, there is choice. There is a tree of trust, can register with multiple individuals at once, if you want the strongest today you can use the same system that's doing $2B of wealth.
Webber: You can get an identity that's yours for life. Either I pay a $1.50 or an NGO covers that cost. They can have this identifier and it lasts with them. The only real costs that follow after that have to do with key rotation and so forth. There's a reduction in costs then.
Allen: I don't know about Ethereum but on the Bitcoin proposal, any past Bitcoin transaction that you've ever done can be the root of trust. If you've done bitcoin txn before you don't have to pay again.
Joe: There's some understanding within the community that you don't put the claims themselves on the blockchain. To distinguish, there are claims that let you pass assertions from an issuer to a holder and then verifier, you *could* put on the blockchain but a bad privacy practice.
Herman: I come back to the original use case. Who should decide is blockchain/non-blockchain. When you talk about your gmail address you don't own that. I never use such an email address for identifying myself, I have my own domain. So your use case that you start with is not strong enough.
manu: You are fairly rich compared to the rest of the world.
Allen: DNS is still a centralized authority problem. There are people who have their identities taken away from them.
herman: I know of these problems but you need a much stronger case to go through a totally different, and in many respects, an individual.
cwebber2: I have a domain, but
how many people have a domain. How many have forgotten? How
many people know someone who has forgotten to forget a
domain?
... How many people know people who don't have a domain and
never will be able to?
everyone.
cwebber2: Forgetting to pay your
lease and you get kicked out. Just like an apartment. If a
domain was a root of your identity you're getting kicked out of
your life.
... We know all sorts of things that have centralized
authorities that can lead to compromised in that system. While
it's great for you and me that's not everyone.
... Even risks for us.
Ruben: It's like use cases and stories. I like the story to make it concrete. We need more than one. It's not our story for some of us, the people here. So why is it interesting in a day-to-day basis, people on facebook. Do we have these stories already?
Allen: I have a story about someone doing journalism anonymously, etc. What's good enough for stories?
stonemat_: It could be "my mom needs this"
jheuer: Many people unbanked. We introduced mobile phones for creating ways for people to use money. They stepped over the need to create a banking system that's in the Western world that isn't needed in other places (or too costly).
stonematt: actually says "use cases don't have to be so noble and idealistic, it could be my mom does this dumb thing everyday and this would help..."
jheuer: We're not just talking about identity and banking -- we're talking about all that together. I'm not sure blockchain is the solution but it provides the fabric for all of this.
kaliya: We tried to do with
OpenID and it *failed*. We trained them to use a URL for
themselves and it just didn't work.
... One of the reasons I'm most excited about this technology
is that the plumbing is buried. I as the user think I have an
app that does this stuff.
azaroth: My question is around
linking to other things. For these sorts of problems I agree.
I'm in the museum world, one of the VC we want supported would
be ownership of objects. If you can demonstrate that you own
this painting that's an important piece of provenance,
particularly certain paintings from 1945.
... Saying I'm the creator of this piece of art, I own this
piece of art.
Wood: I don't think it's a
surprise to anyone here. W3C has been suspicious of this work,
not always fully supportive, it's taken tremendous amount of
work by Manu and others. It was interesting to see VC all over
Jeff's slides today. I'd like to caution people in the room ...
thinking that somehow what we have is good enough. We tend to
think of these things as solved problems.
... If you saw Philip not getting his slides up on the
projector, the hardest problems in CS are wifi and printing,
maybe projecting. We treat these things as solved problems, we
treat identity as a solved problem, our relationships to govt
and payments. They aren't solved problems.
reto: Last week I read through the DID spec. I saw an implementation link, only went to Sovrin. Which isn't blockchain, which is trustees around the world managing a ledger. Similar to DNS. You can still lose identity with this method, people can die and they aren't there and people can get almost private keys. This doesn't solve all issues.
azaroth: As part of the cultural heritage domain, the ownership and creation of art objects is an issue that we're grappling with. Verifiable claims of ownership (provenance) and authorship/attribution would make the culture on the web much easier. So, how do we engage with the validation of such claims where there are identities for physical, artistic things?
reto: Bitcoin it's possible for
$1.50, but one txn is 2KWH.
... Using more than capital of Ireland in electricity. If this
reaches a really big share it will use much more power
compensation.
... Showing credibility by showing proof of work, proof of
stake, other methods coming up. I'd like to break open the
magic blockchain and how it guarantees consistency, low cost,
decentralization, etc.
... I'd like to see the social aspect like the SOLID project
where you reach consensus, not by spending resources but by
social relationships.
... Then that's cheap and sustainable.
Drummond: I'm one of the 12 trustees of the Sovrin foundation and I can explain how to address those issues. Bitcoin and Ethereum have proved that there's something that can cryptographically ... properties for smart contracts, etc. How can we design a global public utility that addresses those problems, diffuse trust, low cost, people subsidized, open source, widely scrutinized. How can you design everything around solving that problem. Creating something to work along side DNS. That's why Sovrin was created, why the source code is open as Hyperledger Indy, etc. When I give presentations -- we're just trying to find an identifier and verifiable claims. As long as these things are interoperable and anyone can verify signatures, etc we can do it. You can still do this with DNS, there will people identifiers with URLs and with DIDs can co-exist.
nage: What you're doing is proving ownership. You want to tokenize just the parts that are relevant to the transactions at hand. When you don't do that it turns into a supercookie then you can betray the people who have shared with you. So when using this tech you can avoid correlation. When you anchor to human readable identifiers, you get that kind of correlation. When you do a decentralized identifier you can get better security properties and properly model relationships and have secure interactions.
Allen: You can create
decentralized identifiers that refer to people or things that
aren't things. It could be a sensor, you can have censorship
resistant, getting a censorship resistant DOI -- lots of
different approaches, maybe it will be Bitcoin, something
cheaper, etc.
... I'm an the author of SSL/TLS, I've been working with this a
long time, There's a lot of new crypto these days. There's all
kinds of zksnark tech that the existing internet infrastructure
cannot support right now. It's not designed to make the various
crypto proofs. DIDs are beginning to have that capability. We
designed it with that in mind -- we are calling things proofs
not signatures, etc. Being careful in designs.
... This is one of the reasons to be actively supporting it. A
DID *is* a URL. It's compatible.
nage: when you anchor to DNS,
which has a lexical ontology you can't selectively disclose
attributes and maintain or protect the context of your real
world relationships. This puts you in a place where key
management is about hierarchy which isn't a natural mapping for
interactions. With DIDs you can have keys for any purpose,
which allows you to couple attributes to those proofs of
possession as needed and opens back up the possibility of
contextual
... identity and supports relationship-based key management,
which helps you disclose data only within a certain
context.
Allen: We aren't saying don't use these other methods, you can still use any URL in a VC.
jheuer: I've been in identity a long time. If identity serves a purpose then it's good. Saying "this is the solution", I don't believe that. We had a few discussions just before this, user centricity perhaps supersedes self-sovereignty. If I really own my own keys I would have them on my device and my total control and no danger that they would be around for the next centuries proving things I don't want to be known. I would change the picture to move blockchain as an option.
jheuer: We started with identifiers, this year is about identifiers, authenticity detection important in the identity world. ... All the regulation and laws around a level of authentication, you need pin, devices, etc. we're forgetting about the authenticity of things here and that should be part of the story.
cwebber2: Manu can confirm when I
sent him a long email, I said ... do we really need all this
stuff? I do that a lot.
... That example part is actually really important (of DID
methods, etc).
jheuer: User-centricity sometimes
more open than distributed identifier
... Identifier will almost always need authentication
associated (authenticity of data plus authentication when using
a 'claim')
cwebber2: I'm now more convinced that we want a blockchain for people's long term identifiers. You may want some identifiers like for things to be transient. A couple of these ledgers are being built specifically for DIDs, but in the IPFS case, what if you wanted to generate DIDs that would be garbage tomorrow. The DID only stays alive as long as people want to use them. Bitcoin would keep things around forever which is good for things like e-gold. I'm
getting off track. Even if you're a blockchain skeptic, not all of these approaches are directly Bitcoin, and it may not be used in the way that you're generating lots of txns, please review the multiple methods and see if they do what you want, different properties.
cwebber2: Handing out DIDs are long term replacement for SSN is just one case.
kimhd: Q4 2018, Ethereum expects to be on proof of stake -- you have to be very careful that you're preserving the characteristics of the blockchain. The implementation links only referencing Sovrin we need to fix that. We did a BTCR hackathon ... many different implementations on different ledgers. To Kaliya's point, usability ... some options and method providers might provide social recovery, like designating several of your contacts to authorize you
to recover.
kimhd: DIDs for identity -- I'm in the education space, for us value is on the issuer side. Outdated, directly contact institutions, clearing houses, etc. It's a huge advantage to say this identifier is associated with this institution, etc. better.
Drummond: It's clearly a topic ... it's a new area, lot of confusion, I spend a lot of time dispelling myths. You said Sovrin isn't blockchain, it's not Bitcoin. We're seeing fit-for-purpose blockchains, an explosion of them. There's a DHS sponsored presentation on that.
cwebber2 not all blockchains are bitcoin, and we even have one non-blockchain method :)
fab_gandon: a pointer to the mentioned presentation ?
Drummond: Sovrin uses public
permissions expressly so that it doesn't have to use PoW, to
avoid the power issue. Another misconception is that you only
have one DID. Sovrin approach will be thousands, all
pairwise.
... To avoid correlation. It's not just for blockchain, it's
for enabling democratization of key management, etc. There are
7 methods already today.
... I expect to get to a couple dozen of these, more than one
even on a single blockchain.
... There are new things about how this is working and is
fundamentally about decentralized PKI, also funded by DHS, an
open standard that may go to OASIS.
... This is about decentralized PKI
hadleybeeman: I work for the UK govt and we're facing this as well. Knowing who owes what tax, to get disability benefits, help support community, people over 18 need to show it to drink, etc.
reto: hadleybeeman: "In contrast, Sovrin utilizes a “public permissioned” distributed ledger—not a blockchain—that provides public access for identity owners while permitting " -- https://sovrin.org/technology/#distributed_ledger
hadleybeeman: From a dev
perspective, the easiest way to do that is to have one
identifier created by the govt that is imposed on you, the
model in the US. Due to GDPR, that's not an option for us in
the UK. Going back to WWII and having someone be forced to
present their papers we can't have that model.
... We are very much experimenting with and trying to grapple
with the idea of decentralized identifiers (DIDs), please keep
going, we need these problems solved.
Allen: GDPR is hugely going to be
driving some of this stuff. There are a number of people
looking at it and saying existing hierarchical certs won't conform
to GDPR. More Jews died as a % in Holland than Germany because
of SSN.
... We're very American centric sometimes and GDPR will be a
driving force.
jheuer: I heard a lot of support here. Tech does not incite trust, brand does. Please come to me and tell me that's stupid or keep it in mind. It's not the tech, the brand. Some brand is needed and many brands that are relevant in many different contexts, having thousands of these things makes sense.
Drummond: Many of the biggest brands in the world interested too.
Herman: The goal of this meeting
is to come to W3C at some point, work a lot on the story. Manu
and I go back a long way, the way it was presented, we want to
start all over again because what's there is unusable. The
arguments you gave sometimes were not technological but
business arguments. If that comes then you will have a
tremendous pushback. And that's why I was poking you with this.
You know the people and they might be much less nice than
me.
... For example it has to be made very clear how a DID coexists
with what is already on the Web, not that whatever is on the
Web is out of the room. So how can I use the DID and use it
when I want to sign into a Website.
... People may think "these guys want to fork the Web" and you
don't want that reaction.
Present: Manu_Sporny Samsung Olivier_Yiptong Benjamin_Young JudyZhu HadleyBeeman Joerg_Huer Reto_Gmur Frank Dave_Longley Fabien_Gandon Robert_Sanderson Christopher_Allen David_Wood Ivan_Herman Kim_Duffy Arnaud_Le_Hors Drummond_Reed Nathan_George Alexandre_Bertails Joe_Andrieu Gregg_Kellogg Dominic_from_Google Dan_Burnett Kaliya Matt_Stone Richard_Varn 10_plus_people_unidentified