*(By the way, this week we're in what I call "summertime skew" -- UK and
Europe have changed, and US hasn't. Be sure to check the online calendar
for the exact call time. US Pacific is normative. Things right themselves
again by next week. It's always best to subscribe to the calendar for best
results.)*
http://kantarainitiative.org/confluence/display/BSC/2016-11+%28November+201…
Agenda:
- Report writing
<http://kantarainitiative.org/confluence/display/BSC/Report+from+the+Blockch…>
- Sovrin Foundation questionnaire answers discussion
Attending: Eve, Thomas, John W, Kathleen, Susan, Jeff S, Andrew, Alex,
Adrian
*Logistics:* Today marks four months out of six in this DG's journey.
*Smart contracts vs. legal contracts:* How has this difference been
articulated? Barclays has written a paper, and we've discussed it some
(need for jurisdiction information and formal identification of parties).
The MIT event had some discussion as well, with Bart Suichies' comparison
table (was that distributed to the list?). Where does the role of consensus
come in? Any delta is relevant to our report-writing, especially as it
relates to identity. Scott D has the action to write about legal contracts.
Thomas listed four elements: parties (majority have 2), terms of the
contract, consensus/verifiability (other parties can independently check
whether the terms were executed on), semantic connection between legal
prose and machine-readable code.
Do the elements of (machine-readable) access control constitute a
machine-readable contract? Many machine-readable authorization policy
languages either could be easily translated to, or themselves constitute,
a near-natural-language declarative semantic description. Could
they be "taken to court", that is, could they be validated in a way that is
traditional for legal contracts?
How does Jim H envision (or actually implement, by now) the connection
between the legal contract text in CmA and the smart contract code? What if
one half "blows up"? How does the regulatory regime under which the
contract operates get identified? Have smart contracts been operating in
such a gray zone that they've been trying to set totally separate standards
that add a different and possibly even bigger risk? Could civil law
standards usefully be created to mitigate this risk?
Thomas and Susan took the assignment to flesh out the Smart Contracts
definition and analysis in the report. This section should link to and
discuss the CmA connection, and, where it can, talk about parties in their
"identity" guise.
*Sovrin answers:* You can find them in your inbox or in the email archive
<http://kantarainitiative.org/pipermail/dg-bsc/2016-October/000289.html>. See
also the paper
<https://github.com/WebOfTrustInfo/rebooting-the-web-of-trust-fall2016/blob/…>
that Thorsten mentioned in email.
Discussion of the "Different approaches being taken in the new solution
space, e.g. if other approaches are being taken outside of Sovrin" answer:
Adrian attended IIW and the Sovrin-related sessions. Sovrin came across as
"one of only four standards-track efforts that are alternatives to
federation". You can use the private key you get as part of your identity
to sign things. Evernym has basically become Sovrin now, having donated the
code to the Foundation. The technical part of the model seems identical to
the Blockstack model, and then there's a governance model on top that adds
permissioning. The answer in this section talks about other blockchain use
cases such as Bitcoin. As for other blockchain *identity* use cases, it
appears they have all converged on a single technical answer: Don't put
identity information itself on the blockchain (for the usual reasons:
security and privacy of PII, latency, bloat); only put pointers on the
blockchain; make that pointer model flexible so that the identity
holder can have pseudonyms; identity information is actually stored in a
traditional repository of some kind. It's not that IdPs necessarily go away
(they're mentioned in the Sovrin FAQ), but they would depend on the Sovrin
layer. It's a four-layer model.
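As an added illustration of the converged model described above (pointers on the ledger, identity data in a traditional repository, flexible pseudonyms), here is a small Python sketch; it is not code from Sovrin, Blockstack or this group, and the ledger, repository and the HMAC-derived pseudonym scheme are constructed stand-ins.

```python
import hashlib
import hmac
import json

LEDGER = []        # constructed stand-in for the blockchain: public, append-only
REPOSITORY = {}    # constructed stand-in for the off-chain identity repository


def canonical(record):
    """Stable serialization so the same record always yields the same hash."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def commitment(record):
    """The only thing that goes on-chain about a record: a hash pointer to it."""
    return hashlib.sha256(canonical(record)).hexdigest()


def pseudonym_id(holder_secret, context_label):
    """One holder, many pseudonyms: derived per context, unlinkable without the secret."""
    return hmac.new(holder_secret, context_label.encode(), hashlib.sha256).hexdigest()[:16]


def register(holder_secret, context_label, record):
    """Store PII off-chain; put only {pseudonym id, commitment} on the ledger."""
    pid = pseudonym_id(holder_secret, context_label)
    REPOSITORY[pid] = dict(record)
    LEDGER.append({"id": pid, "commit": commitment(record)})
    return pid


def verify(pid):
    """Relying-party check: does the off-chain record still match its on-chain pointer?"""
    entry = next((e for e in LEDGER if e["id"] == pid), None)
    record = REPOSITORY.get(pid)
    if entry is None or record is None:
        return False
    return hmac.compare_digest(entry["commit"], commitment(record))


def ledger_leaks(attribute_values):
    """True if any identity attribute value appears verbatim in the public ledger data."""
    public_blob = json.dumps(LEDGER)
    return any(str(v) in public_blob for v in attribute_values)
```

Tampering with the repository copy of one pseudonym's record makes `verify` fail for that pseudonym only, while the ledger itself never carries the attribute values.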
Thomas notes that UMA enables a distributed model when it comes to an
identity-holder's resources. Eve also notes that OpenID Connect enables
distributed and aggregated identity claims in SSO explicitly. Adrian
discusses the W3C verifiable claims work as being uncontested as solving
the triple-blind concern.
The question is: What, then, is the Sovrin work actually solving, if the
current state of the art in identity and federated identity isn't so bad?
Is it just that "having IdPs in the world is evil?" (Not that this may not
be enough...) For whom is this solution targeted, then? Is the value worth
the implementation/deployment cost, and for whom?
*AI:* Eve: Send her analysis of the triple-blind vulnerability identified
by researchers to the list.
*AI:* Adrian: Send a link to the verifiable claims work to the list.
*AI:* Thomas and Susan: Work on the Smart Contracts subsection of the
Blockchain report section.
Next time: Assemble a final list of comments and questions back for the
Sovrin folks to answer, and work on the Sovrin Foundation Case Study report
draft section.
*Eve Maler* | ForgeRock Office of the CTO | VP Innovation & Emerging Technology
Cell +1 425.345.6756 | Skype: xmlgrrl | Twitter: @xmlgrrl
*The ForgeRock Identity Summit* is coming to *Paris in November!*
<http://summits.forgerock.com/>
Agenda:
- Continue Sovrin Foundation questionnaire response analysis (with
inputs from IIW if anyone was there)
- On-the-fly discussion of UMA points if time