Meeting minutes
<hire-a-geek> Joining early to say hello to like minded people. Talk to you all real soon!
<hire-a-geek> Hey Dom
Pick a scribe
Reminders: code of conduct, health policies, recorded session policy
[this session is not recorded]
<mt> sleep is important for your health people
Goal of this session
Goal from the description: "Work toward a consensus view of what the role of Real World Identity should be on the Web in the next 5-10 years."
<mt> That was largely Ben's work. Full credit where it is due.
mt: part of the point of this exercise is to gather to think what the problem is and where the problem is likely to take us, what we should avoid, what we should strengthen
… it's broad and open discussion we're unlikely to cover fully, more of a starting point
… there is active work in W3C and other fora on this very topic
… some of it is relatively advanced
… which people may feel worried about
… My own observations: your use of your own personal idenitty on-line is something we cherish and the flexibility it affords e.g. in terms of privacy
… allowing people to present themselves on-line the way they choose is a real advantage the Web has opened up
… very different from the expectations e.g. in places where government-id get asked or required
… we're looking at the intersection of these two worlds - a possibly small intersection that we need to manage carefully
Marcos: some of us are focused on the technological aspect of this, what's already available in some OS - important to take a step back and think about the role of the Web in this
mt: we're at an interesting point in terms of some of the technological options available to us
… e.g. cryptographic techniques that weren't available to us 10 years ago that opens up new opportunities
… but I suggest we focus on use cases and the important characteristics we want to preserve
kdenhartog: I spent 5 years working on that technology; former editor of the VC WG, and now in browser land - so with a fairly unique perspective
… my summary: this is coming, the question is what it is going to look like?
… with AI and KYC checks being by-passed
… we don't want to break down long-held guarantees on the Web, privacy guarantees
… with the risks associated to data leaks
… there are legitimate use cases - but how do we limit them?
mt: what limitations do you think we should examine?
kdenhartog: one of the main ones that I see: as data becomes more available, it gets used more
… my main concern is that as these 3rd-party credentials become available on-line digitally, more and more sites start to take advantage of them
<mt> kyle is referring to en.wikipedia.org/wiki/Jevons_paradox
kdenhartog: e.g. starting with liquor sales, then social media identity check against disinformation,
… then enforcement on browser/wallets/hardware guarantees leading to web environment integrity checks to guarantee the credential robustness
… figuring where to draw that line is what I'm interested in
<npdoty> I'm also hearing concerns about DRM being a sort of side effect of more confident presentation of identity credentials remotely
timcappalli_: from Okta, driving the WICG work item on the topic
… Top 4 issues: overdisclosure through social engineering
<DKA> #dataminimization
timcappalli_: users being restricted from using their wallet identity of their choice
… gov identity being forced for sign-in
… wallets governance (browser, platform)
<plh>
plh: in terms of use cases, implementation of the Marrakesh treaty to provide copyright exemption for people with disability
… intersection of identity and credential
hicham: standards engineering working on identity in different organizations (from Apple)
… we all agree it's complicated; as we navigate the complex landscape of online identity verification, it's essential to adopt a cautious adaptive approach
… starting with restrictive measures that we carefully and iteratively fine-tune
… allowing fair and legitimate requests, detecting over-request/over-burdening the user, where the browser has a significant role to play
… finding the balance between streamlining the identity verification process and protecting the user
[Tim Cappalli's list of concerns typed into zoom chat: Users being tricked into over disclosure (e.g. only an age predicate is needed)
Users being restricted from using identity wallets of their choice
Government identity documents being used for sign in
Wallets maintaining allowlists of verifiers (beyond abuse mitigations)]
<Zakim> npdoty, you wanted to comment on risks and appropriate use cases
npdoty: the privacy concerns have been discussed and I share those: both overcollection and undermining the tracking protection
… but this is an area that introduces significant concerns about free expression, about limiting who can access information
… e.g. what children can access (e.g. LBGTQ, reproductive health issues)
<DKA> +1 to npdoty
npdoty: other risks of exclusion for people who cannot get some type of credential (because of immigration status, country of origin, level of technology or wealth)
… we need to think of these as a new class of risks
… thinking about the appropriate and inappropriate use cases
<DKA> Unintended Consequences
<npdoty> https://
npdoty: the PING draft above lists some of these risks
mt: I've heard the advice of "taking it slow" from a number of people
<npdoty> Nick Doty, Center for Democracy & Technology, co-chair W3C Privacy Interest Group (PING)
wseltzer: in addition to many of the already raised considerations, I would add the issuance of identity credentials as very heavily political - governments-backed identity credentials
… some governments claim exclusive right on citizenship claims
… we'll need to interface with a lot of different governments and political challenges if exposing government-backed stores of identity
<npdoty> dom, I would welcome advice from issues in i18n/a11y on exclusion. I probably shouldn't say these things are entirely new, even if I expect that it is distinct in some ways
kdenhartog: adding to that, governments are already moving on regulations on this
… at least 5 to 10 states in the USA have legislation around providing digital credentials
… so is the EU with eIDAS
… the regulators are going to somewhat tie our hands - we'll need to find a good balance
… previous similar examples around certificate authority management
Continuing to Protect our Users in Kazakhstan
<rbyers> https://
rbyers: Rick Byers, engineering lead on Chrome involved in identity API recently
… let's not fall on the engineer trap on our ability to control this - we're a piece of a puzzle; we have a role to play, but we don't get to decide
… we DO have a huge opportunity to influence the discussion and empower decision makers to make well-informed decisions
… we should push towards whta we think is the happy path, e.g. zero-knowledge proof, e.g. for age verification
… for the riskier stuff, we should feel the responsibility to show more data and help interpret it
… there are challenging trade-offs; let's not fool ourselves in figuring out the right answer without data
<npdoty> I tend to think that the engineering trap is more often just providing the tools and abdicating responsibility about how it is used or misused
rbyers: Google has an age verification system that asks users to take a picture of their government id
<kdenhartog> To Rick's point, we can also look to recent history with COVID passes. There's likely some insight that we can look to there.
rbyers: we've started instrumenting chrome to detect identification activity through openid; at the moment, very limited activity from eIDAS systems
… I think that means there is still room to have an impact
<npdoty> rbyers reported on instrumenting detection of use of custom schemes for mdoc or openid4vp
mt: everything I'm hearing is telling me it's too late, so happy to hear otherwise
<DKA> STRINT workshop report https://
DKA: the interplay between technologies and regulatory/policy makers
… we had a workshop about 10 years ago about strengthening the internet against pervasive monitoring
… in reaction to news around government monitoring
… it started off with identifying pervasive monitoring as a threat to the internet
… the W3C/IETF/IAB community came together and put a line in the sand, saying "this is not OK"
… we need to work with regulators and policy makers, but we can also have an opinion
See also report from 2018 workshop on authentication and strong identity
kdenhartog: +1 on gathering data on this today
mt: we probably need to look at the different use cases
… age verification is interesting and thorny (with censorship adjacent applications)
… the application of gov-id systems for fraud management
DKA: I want to make sure we solve use cases that really exist, that are helping people
… not a technology solution to a non-problem
… I've had to go through some of these tasks recently on-line, without any of the cryptographic magic
<mt> ?
marcosc: how did you feel about sending id pictures to these web sites?
<koalie> French gov "watermark" online gneeration
DKA: I had to do this; this was end-to-end encrypted, on sites referenced by a trusted source
<koalie> ^^ for the use-case of needing to send copies of personal documents
DKA: is the marginal improvement we're talking about worth the risk? incl to marginalized community, to disenfranchise people, etc
<timcappalli_> Top of mind ones: IDV for loans/mortgages, Age proofing for purchasing, Age proofing for content access, IDV for new employees, Employment verification to third parties, Education verification to third parties
Dom: There are plenty of use cases; it's a matter of tradeoffs. Are the risks worth the benefits?
… I think we are missing the framework to make that assessment.
… what is our role in informing discussion of those tradeoffs?
… there are clearly opportunities for improvements to how this is done in the real world.
… the hard part is informing the ecosystem about risks and the expected value to be derived from any tech approaches.
… I think use cases should focus on the tradeoffs (and not simply what problem is being solved)
… that's where we can usefully help structure the discussion
kyle: high-assurance use cases typically need governance backed id
… but this started from a data portability perspective
… incl self certified credentials
… this came with a lot of struggles, but there are interesting use cases that exist here
… that's also part of TBL's vision behind SOLID
… in Web3 spaces, they've been exploring one-person/one-vote with pseudonimity - also a hard problem but worth exploring
rbyers: I used to feel pretty strongly when we were approached a few years ago on the question of exposing real world identity
… eIDAS is changing this, and so are some of the US states regulation
… if these regulations are going to push these workflows, I want us to make sure we make them work as safely and privacy-respectful as possible
mt: I'm hearing harm minimization
npdoty: I'm not trying to say we should not do this work, but rather that we should do it well
… we're looking mostly at high-friction/low-frequency events: e.g. new job, gov benefits sign-up
<Zakim> npdoty, you wanted to comment on login and friction level of use cases
npdoty: this is not a case of reducing friction everywhere
… e.g. pushing back on using it in the login context (vs passkeys)
<npdoty> I think regulators are also identifying use case regulation as important
marcos: we use constrain this technology to as few and well-defined use cases as possible, since this is already scary enough as is
<Hicham> travel use cases: Airlines, Visa requests, esta etc etc
<npdoty> eIDAS, for example, doesn't envision that just any website at any time can ask for a govt credential, but rather that there needs to be an approved reason with justification
marcos: we should not widen its usages e.g. in autofill - just in scenarios where it's actually needed
<npdoty> https://
<mt> https://
<kdenhartog> If we intend to ship something I agree with you @marcos. I just more wanted to point out there exists ways to use this technology without framing this as only for high assurance credentials
robin: we should start from the end system we want to have, à la STRINT
… and find the use cases from that - to the risk of trying to solve too many use cases with this
<Zakim> robin, you wanted to talk about system vs use cases
<Zakim> mt, you wanted to wrap up
Next steps / where discussion continues
mt: there are concerns in terms of equity of access - one of the positive things we can do is making the system more equitable e.g. by requiring to support multiple credentials (e.g. not driver licenses from a single jurisdiction)
<marcosc> WICG/
marcos: please let's continue the discussion on the digital credentials WICG repo
mt: PING is also actively discussing this work, risks and risk mitigations
<koalie> https://
npdoty: happy to continue these risk discussions in PING, since these aren't technology specific
<koalie> [people drop off to prep for the next breakout sessions]