11:50:44 RRSAgent has joined #rwi
11:50:48 logging to https://www.w3.org/2024/03/12-rwi-irc
11:50:48 RRSAgent, do not leave
11:50:49 RRSAgent, make logs public
11:50:50 Meeting: Building Consensus on the Role of Real World Identities on the Web
11:50:50 Chair: Martin Thomson, Marcos Caceres
11:50:50 Agenda: https://github.com/w3c/breakouts-day-2024/issues/12
11:50:50 Zakim has joined #rwi
11:50:51 Zakim, clear agenda
11:50:51 agenda cleared
11:50:51 Zakim, agenda+ Pick a scribe
11:50:52 agendum 1 added
11:50:52 Zakim, agenda+ Reminders: code of conduct, health policies, recorded session policy
11:50:52 agendum 2 added
11:50:52 Zakim, agenda+ Goal of this session
11:50:54 agendum 3 added
11:50:54 Zakim, agenda+ Discussion
11:50:54 agendum 4 added
11:50:54 Zakim, agenda+ Next steps / where discussion continues
11:50:55 agendum 5 added
11:50:55 tpac-breakout-bot has left #rwi
11:51:02 tidoust has joined #rwi
11:51:07 tidoust has left #rwi
11:51:13 tidoust has joined #rwi
12:03:24 marcosc has joined #rwi
12:13:50 tidoust has changed the topic to: Breakout: Building Consensus on the Role of Real World Identities on the Web - Ukulele - 13:00-14:00 UTC
12:25:09 hire-a-geek has joined #rwi
12:25:36 Joining early to say hello to like minded people. Talk to you all real soon!
12:52:55 dom has joined #rwi
12:56:34 Hey Dom
12:58:34 hsano has joined #rwi
12:58:57 hsano_ has joined #rwi
12:59:03 mt has joined #rwi
12:59:08 ivan has joined #rwi
12:59:30 Ian has joined #rwi
12:59:56 present+
13:00:07 present+
13:00:07 present+
13:00:39 present+
13:01:17 Present+
13:02:00 marcosc has joined #rwi
13:02:09 npdoty has joined #rwi
13:02:33 cpn has joined #rwi
13:02:46 zakim, take up item 1
13:02:46 agendum 1 -- Pick a scribe -- taken up [from tpac-breakout-bot]
13:02:49 Dingwei has joined #rwi
13:02:51 present+
13:02:59 present+ Chris_Needham
13:03:01 present+
13:03:04 koalie has joined #rwi
13:03:07 present+ Coralie
13:03:08 present+
13:03:19 robin has joined #rwi
13:03:19 hober has joined #rwi
13:03:24 present+
13:03:26 xfq has joined #rwi
13:03:27 takashi has joined #rwi
13:03:28 DKA has joined #rwi
13:03:29 kdenhartog has joined #rwi
13:03:33 present+
13:03:34 present+
13:03:35 present+
13:03:40 present+ Dan_Appelquist
13:03:46 scribe+
13:03:51 LuisM has joined #rwi
13:03:52 martin_alvarez has joined #rwi
13:03:56 Lei_Zhao has joined #rwi
13:04:00 zakim, close item 1
13:04:00 agendum 1, Pick a scribe, closed
13:04:00 I see 4 items remaining on the agenda; the next one is
13:04:00 2. Reminders: code of conduct, health policies, recorded session policy [from tpac-breakout-bot]
13:04:10 zakim, take up item 2
13:04:10 agendum 2 -- Reminders: code of conduct, health policies, recorded session policy -- taken up [from tpac-breakout-bot]
13:04:17 plh has joined #rwi
13:04:25 -> https://www.w3.org/policies/code-of-conduct/ CEPC
13:04:41 zakim, close item 2
13:04:41 agendum 2, Reminders: code of conduct, health policies, recorded session policy, closed
13:04:42 [this session is not recorded]
13:04:43 I see 3 items remaining on the agenda; the next one is
13:04:43 3. Goal of this session [from tpac-breakout-bot]
13:04:44 sleep is important for your health people
13:04:45 zakim, take up item 3
13:04:45 agendum 3 -- Goal of this session -- taken up [from tpac-breakout-bot]
13:05:03 timcappalli_ has joined #rwi
13:05:21 LeeCampbell has joined #rwi
13:05:29 Goal from the description: "Work toward a consensus view of what the role of Real World Identity should be on the Web in the next 5-10 years."
13:06:05 andreubotella has joined #rwi
13:06:05 That was largely Ben's work. Full credit where it is due.
13:06:15 mt: part of the point of this exercise is to gather to think what the problem is and where the problem is likely to take us, what we should avoid, what we should strengthen
13:06:19 wseltzer has joined #rwi
13:06:33 ... it's broad and open discussion we're unlikely to cover fully, more of a starting point
13:06:40 unextro has joined #rwi
13:06:43 ... there is active work in W3C and other fora on this very topic
13:06:52 ... some of it is relatively advanced
13:07:36 ... which people may feel worried about
13:07:38 ... My own observations: your use of your own personal identity on-line is something we cherish and the flexibility it affords e.g. in terms of privacy
13:07:57 ... allowing people to present themselves on-line the way they choose is a real advantage the Web has opened up
13:08:17 ... very different from the expectations e.g. in places where government-id get asked or required
13:08:49 ... we're looking at the intersection of these two worlds - a possibly small intersection that we need to manage carefully
13:09:30 q+
13:09:30 Marcos: some of us are focused on the technological aspect of this, what's already available in some OS - important to take a step back and think about the role of the Web in this
13:09:47 mt: we're at an interesting point in terms of some of the technological options available to us
13:10:02 ... e.g. cryptographic techniques that weren't available to us 10 years ago that opens up new opportunities
13:10:16 rbyers has joined #rwi
13:10:20 ... but I suggest we focus on use cases and the important characteristics we want to preserve
13:10:54 kdenhartog: I spent 5 years working on that technology; former editor of the VC WG, and now in browser land - so with a fairly unique perspective
13:11:06 ... my summary: this is coming, the question is what it is going to look like?
13:11:10 cwilso has joined #rwi
13:11:17 present+
13:11:17 ... with AI and KYC checks being by-passed
13:11:25 q?
13:11:43 ... we don't want to break down long-held guarantees on the Web, privacy guarantees
13:11:53 q+
13:11:54 ... with the risks associated to data leaks
13:11:56 q+
13:12:00 dbaron has joined #rwi
13:12:03 ... there are legitimate use cases - but how do we limit them?
13:12:10 mt: what limitations do you think we should examine?
13:12:19 q+ Hicham
13:12:33 q+ on risks and appropriate use cases
13:12:34 kdenhartog: one of the main ones that I see: as data becomes more available, it gets used more
13:12:57 ... my main concern is that as these 3rd-party credentials become available on-line digitally, more and more sites start to take advantage of them
13:13:00 kyle is referring to en.wikipedia.org/wiki/Jevons_paradox
13:13:23 Present+
13:13:24 ... e.g. starting with liquor sales, then social media identity check against disinformation,
13:13:30 Present+
13:13:30 q?
13:13:54 ... then enforcement on browser/wallets/hardware guarantees leading to web environment integrity checks to guarantee the credential robustness
13:14:08 ... figuring where to draw that line is what I'm interested in
13:14:13 ack kden
13:14:17 ack timc
13:14:24 I'm also hearing concerns about DRM being a sort of side effect of more confident presentation of identity credentials remotely
13:14:25 timcappalli_: from Okta, driving the WICG work item on the topic
13:14:42 q+
13:14:42 ... Top 4 issues: overdisclosure through social engineering
13:14:51 #dataminimization
13:14:55 ... users being restricted from using their wallet identity of their choice
13:15:05 ... gov identity being forced for sign-in
13:15:20 ... wallets governance (browser, platform)
13:15:38 --> https://www.wipo.int/treaties/en/ip/marrakesh/ Marrakesh Treaty to Facilitate Access to Published Works for Persons Who Are Blind, Visually Impaired or Otherwise Print Disabled
13:15:45 morimori has joined #rwi
13:16:08 plh: in terms of use cases, implementation of the Marrakesh treaty to provide copyright exemption for people with disability
13:16:17 ... intersection of identity and credential
13:16:53 hicham: standards engineering working on identity in different organizations (from Apple)
13:17:23 ... we all agree it's complicated; as we navigate the complex landscape of online identity verification, it's essential to adopt a cautious adaptive approach
13:17:25 marie has joined #rwi
13:17:40 ... starting with restrictive measures that we carefully and iteratively fine-tune
13:17:40 q?
13:17:48 ack plh
13:17:50 present+
13:17:51 ack Hicham
13:18:22 ... allowing fair and legitimate requests, detecting over-request/over-burdening the user, where the browser has a significant role to play
13:18:39 ... finding the balance between streamlining the identity verification process and protecting the user
13:18:40 [Tim Cappalli's list of concerns typed into zoom chat: Users being tricked into over disclosure (e.g. only an age predicate is needed)
13:18:40 Users being restricted from using identity wallets of their choice
13:18:40 Government identity documents being used for sign in
13:18:40 Wallets maintaining allowlists of verifiers (beyond abuse mitigations)]
13:18:46 ack npdoty
13:18:46 npdoty, you wanted to comment on risks and appropriate use cases
13:19:13 npdoty: the privacy concerns have been discussed and I share those: both overcollection and undermining the tracking protection
13:19:44 ... but this is an area that introduces significant concerns about free expression, about limiting who can access information
13:20:04 ... e.g. what children can access (e.g. LGBTQ, reproductive health issues)
13:20:23 q+
13:20:27 q+
13:20:33 +1 to npdoty
13:20:35 ... other risks of exclusion for people who cannot get some type of credential (because of immigration status, country of origin, level of technology or wealth)
13:20:51 ... we need to think of these as a new class of risks
13:21:07 ... thinking about the appropriate and inappropriate use cases
13:21:24 Unintended Consequences
13:21:43 https://github.com/w3cping/credential-considerations/blob/main/credentials-considerations.md
13:21:56 npdoty: the PING draft above lists some of these risks
13:22:17 q?
13:22:37 q+
13:22:39 mt: I've heard the advice of "taking it slow" from a number of people
13:23:06 Nick Doty, Center for Democracy & Technology, co-chair W3C Privacy Interest Group (PING)
13:23:21 ack wseltzer
13:23:23 wseltzer: in addition to many of the already raised considerations, I would add the issuance of identity credentials as very heavily political - governments-backed identity credentials
13:23:40 ... governments claim exclusive right on citizenship claims
13:23:46 s/gov/some gov/
13:24:13 ... we'll need to interface with a lot of different governments and political challenges if exposing government-backed stores of identity
13:24:21 ack kdenhartog
13:24:22 dom, I would welcome advice from issues in i18n/a11y on exclusion. I probably shouldn't say these things are entirely new, even if I expect that it is distinct in some ways
13:24:38 kdenhartog: adding to that, governments are already moving on regulations on this
13:24:54 ... at least 5 to 10 states in the USA have legislation around providing digital credentials
13:24:55 Hicham has joined #rwi
13:25:01 ... so is the EU with eIDAS
13:25:18 ... the regulators are going to somewhat tie our hands - we'll need to find a good balance
13:25:43 ... previous similar examples around certificate authority management
13:25:59 -> https://blog.mozilla.org/netpolicy/2020/12/18/kazakhstan-root-2020/ Continuing to Protect our Users in Kazakhstan
13:26:13 q?
13:27:00 https://github.com/w3cping/credential-considerations/blob/main/risks.md
13:27:00 rbyers: Rick Byers, engineering lead on Chrome involved in identity API recently
13:27:46 ... let's not fall on the engineer trap on our ability to control this - we're a piece of a puzzle; we have a role to play, but we don't get to decide
13:28:07 ... we DO have a huge opportunity to influence the discussion and empower decision makers to make well-informed decisions
13:28:27 ... we should push towards what we think is the happy path, e.g. zero-knowledge proof, e.g. for age verification
13:28:42 ... for the riskier stuff, we should feel the responsibility to show more data and help interpret it
13:29:02 ... there are challenging trade-offs; let's not fool ourselves in figuring out the right answer without data
13:29:13 I tend to think that the engineering trap is more often just providing the tools and abdicating responsibility about how it is used or misused
13:29:50 ... Google has an age verification system that asks users to take a picture of their government id
13:30:28 To Rick's point, we can also look to recent history with COVID passes. There's likely some insight that we can look to there.
13:30:42 ... we've started instrumenting chrome to detect identification activity through openid; at the moment, very limited activity from eIDAS systems
13:30:47 q+
13:30:56 ack rbyers
13:30:58 ... I think that means there is still room to have an impact
13:31:15 rbyers reported on instrumenting detection of use of custom schemes for mdoc or openid4vp
13:31:26 mt: everything I'm hearing is telling me it's too late, so happy to hear otherwise
13:31:30 ack DKA
13:31:38 STRINT workshop report https://www.w3.org/2014/strint/report.html
13:31:42 DKA: the interplay between technologies and regulatory/policy makers
13:32:09 ... we had a workshop about 10 years ago about strengthening the internet against pervasive monitoring
13:32:19 ... in reaction to news around government monitoring
13:32:25 q?
13:32:49 ... it started off with identifying pervasive monitoring as a threat to the internet
13:33:13 ... the W3C/IETF/IAB community came together and put a line in the sand, saying "this is not OK"
13:33:34 ... we need to work with regulators and policy makers, but we can also have an opinion
13:33:48 ack kdenhartog
13:34:24 -> https://www.w3.org/Security/strong-authentication-and-identity-workshop/report.html See also report from 2018 workshop on authentication and strong identity
13:34:35 kdenhartog: +1 on gathering data on this today
13:35:12 mt: we probably need to look at the different use cases
13:35:32 ... age verification is interesting and thorny (with censorship adjacent applications)
13:36:05 ... the application of gov-id systems for @@@ management
13:36:13 q+
13:36:21 s/@@@/fraud
13:36:23 Zakim, mute robin
13:36:23 sorry, dom, I can't do that anymore
13:36:46 DKA: I want to make sure we solve use cases that really exist, that are helping people
13:36:59 ... not a technology solution to a non-problem
13:37:33 ... I've had to go through some of these tasks recently on-line, without any of the cryptographic magic
13:37:42 ?
13:37:43 q?
13:37:46 q+
13:37:53 q+
13:38:04 ack DKA
13:38:27 q+
13:38:32 marcosc: how did you feel about sending id pictures to these web sites?
13:38:38 q+ on login and friction level of use cases
13:38:42 -> https://filigrane.beta.gouv.fr/ French gov "watermark" online generation
13:39:01 DKA: I had to do this; this was end-to-end encrypted, on sites referenced by a trusted source
13:39:15 ^^ for the use-case of needing to send copies of personal documents
13:39:35 ... is the marginal improvement we're talking about worth the risk? incl to marginalized community, to disenfranchise people, etc
13:39:49 Top of mind ones: IDV for loans/mortgages, Age proofing for purchasing, Age proofing for content access, IDV for new employees, Employment verification to third parties, Education verification to third parties
13:40:11 scribenick: Ian
13:40:34 Dom: There are plenty of use cases; it's a matter of tradeoffs. Are the risks worth the benefits?
13:40:42 ...I think we are missing the framework to make that assessment.
13:40:52 ...what is our role in informing discussion of those tradeoffs?
13:41:16 ...there are clearly opportunities for improvements to how this is done in the real world.
13:41:31 ...the hard part is informing the ecosystem about risks and the expected value to be derived from any tech approaches.
13:41:47 ...I think use cases should focus on the tradeoffs (and not simply what problem is being solved)
13:41:58 ...that's where we can usefully help structure the discussion
13:42:00 ack dom
13:42:04 scribenick: dom
13:42:19 ack kdenhartog
13:42:36 dom: high-insurance use cases typically need governance backed id
13:42:46 ... but this started from a data portability perspective
13:43:01 ... incl self certified credentials
13:43:13 s/high-insurance/high-assurance/
13:43:17 ... this came with a lot of struggles, but there are interesting use cases that exist here
13:43:25 ... that's also part of TBL's vision behind SOLID
13:43:46 s/dom:/kyle:/
13:44:08 ... in Web3 spaces, they've been exploring one-person/one-vote with pseudonymity - also a hard problem but worth exploring
13:44:16 q+
13:44:48 ack rbyers
13:45:00 rbyers: I used to feel pretty strongly when we were approached a few years ago on the question of exposing real world identity
13:45:14 ... eIDAS is changing this, and so are some of the US states regulation
13:46:00 ... if these regulations are going to push these workflows, I want us to make sure we make them work as safely and privacy-respectful as possible
13:46:37 mt: I'm hearing harm minimization
13:46:38 zakim, close item 3
13:46:38 I see a speaker queue remaining and respectfully decline to close this agendum, Ian
13:47:03 npdoty: I'm not trying to say we should not do this work, but rather that we should do it well
13:47:29 q?
13:47:41 ... we're looking mostly at high-friction/low-frequency events: e.g. new job, gov benefits sign-up
13:47:41 ack npdoty
13:47:41 npdoty, you wanted to comment on login and friction level of use cases
13:47:48 q+ to talk about system vs use cases
13:48:06 ... this is not a case of reducing friction everywhere
13:48:32 ... e.g. pushing back on using it in the login context (vs passkeys)
13:49:11 q+ to wrap up
13:49:23 zakim, close the queue
13:49:23 ok, Ian, the speaker queue is closed
13:49:33 ack marcos
13:50:05 I think regulators are also identifying use case regulation as important
13:50:14 marcos: we use constrain this technology to as few and well-defined use cases as possible, since this is already scary enough as is
13:50:22 travel use cases: Airlines, Visa requests, esta etc etc
13:50:41 eIDAS, for example, doesn't envision that just any website at any time can ask for a govt credential, but rather that there needs to be an approved reason with justification
13:50:54 ... we should not widen its usages e.g. in autofill - just in scenarios where it's actually needed
13:51:04 https://epicenter.works/en/content/eu-digital-identity-reform-the-good-bad-ugly-in-the-eidas-regulation discusses "Use Case Regulation"
13:51:04 https://papersplease.org/wp/2024/03/08/us-passports-and-freedom-of-international-travel/ is relevant to travel cases
13:51:16 If we intend to ship something I agree with you @marcos. I just more wanted to point out there exists ways to use this technology without framing this as only for high assurance credentials
13:51:18 robin: we should start from the end system we want to have, à la STRINT
13:51:44 ... and find the use cases from that - to the risk of trying to solve too many use cases with this
13:51:52 q?
13:51:55 ack robin
13:51:55 robin, you wanted to talk about system vs use cases
13:52:15 ack mt
13:52:15 mt, you wanted to wrap up
13:52:22 zakim, take up item 5
13:52:22 agendum 5 -- Next steps / where discussion continues -- taken up [from tpac-breakout-bot]
13:53:48 mt: there are concerns in terms of equity of access - one of the positive things we can do is making the system more equitable e.g. by requiring to support multiple credentials (e.g. not driver licenses from a single jurisdiction)
13:54:38 https://github.com/WICG/digital-identities
13:54:43 marcos: please let's continue the discussion on the digital credentials WICG repo
13:54:57 mt: PING is also actively discussing this work, risks and risk mitigations
13:55:08 https://github.com/w3cping/credential-considerations/blob/main/risks.md
13:56:06 npdoty: happy to continue these risk discussions in PING, since these aren't technology specific
13:56:20 I have made the request to generate https://www.w3.org/2024/03/12-rwi-minutes.html Ian
13:56:27 [people drop off to prep for the next breakout sessions]
13:56:35 RRSAgent, draft minutes
13:56:36 I have made the request to generate https://www.w3.org/2024/03/12-rwi-minutes.html dom
13:57:43 unextro has left #rwi
13:58:23 koalie has left #rwi
13:58:27 ivan has left #rwi
13:59:55 andreubotella has left #rwi
14:04:40 unextro has joined #rwi
14:24:52 Ian has left #rwi
17:26:47 tidoust has joined #rwi
20:19:39 tpac-breakout-bot has joined #rwi
20:19:40 Zakim, bye
20:19:40 RRSAgent, make logs public
20:19:41 leaving. As of this point the attendees have been hsano_, Ian, mt, ivan, dom, Dingwei, Chris_Needham, marcosc, Coralie, npdoty, hober, xfq, kdenhartog, robin, Dan_Appelquist,
20:19:41 Zakim has left #rwi
20:19:41 RRSAgent, draft minutes
20:19:43 I have made the request to generate https://www.w3.org/2024/03/12-rwi-minutes.html tpac-breakout-bot
20:19:48 ... cwilso, dbaron, rbyers, marie
20:19:49 RRSAgent, bye
20:19:49 I see no action items