[MINUTES] W3C Credentials CG Call - 2018-12-04 12pm ET

Thanks to Benjamin Young for scribing this week! The minutes
for this week's Credentials CG telecon are now available:

https://w3c-ccg.github.io/meetings/2018-12-04/

Full text of the discussion follows for W3C archival purposes.
Audio from the meeting is available as well (link provided below).

----------------------------------------------------------------
Credentials CG Telecon Minutes for 2018-12-04

Agenda:
  https://lists.w3.org/Archives/Public/public-credentials/2018Dec/0000.html
Topics:
  1. introductions
  2. Announcements and Reminders
  3. DID resolver specification
  4. Work Items
  5. TAG charter review
Organizer:
  Christopher Allen and Kim Hamilton Duffy and Joe Andrieu
Scribe:
  Benjamin Young
Present:
  Christopher Allen, Andrew Hughes, Bohdan Andriyiv, Ryan Grant, 
  Manu Sporny, Moses Ma, Joe Andrieu, Ganesh Annan, Dmitri 
  Zagidulin, Lionel Wolberger, Markus Sabadello, Heather Vescent, 
  Benjamin Young, Dan Burnett, Kim Hamilton Duffy, Ted Thibodeau, 
  Jeff Orgel, Daniel Buchner, Jonathan Holt, Samantha Mathews 
  Chase, Drummond Reed
Audio:
  https://w3c-ccg.github.io/meetings/2018-12-04/audio.ogg

Ryan Grant: Hearing audio
Manu Sporny: Regrets: manu
Christopher Allen: 
  https://lists.w3.org/Archives/Public/public-credentials/2018Dec/0000.html
Christopher Allen: 
  https://docs.google.com/document/d/1LkqZ10z7FeV3EgMIQEJ9achEYMzy1d_2S90Q_lQ0y8M/edit?usp=sharing
Benjamin Young is scribing.

Topic: introductions

Christopher Allen:  Anyone new today? first time on the call? 
  please `q+` or speak up
Sub-Topic: reintroductions
Christopher Allen:  Hey kimhd have you been reintroduced 
  recently?
Joe Andrieu:  On a previous call
Christopher Allen:  My name is Christopher Allen, I work on 
  blockchain security
  ...I consult around better tooling for blockchains and DIDs

Topic: Announcements and Reminders

Christopher Allen: https://w3c-ccg.github.io/announcements/
Christopher Allen: 
  https://www.w3.org/Security/strong-authentication-and-identity-workshop/
Christopher Allen:  Next week we have the workshop on strong 
  identity
Daniel Buchner: Do not bring your weak identity ideas to it
  ...if you've not already registered, I believe it's already 
  full
Daniel Buchner: ;)
  ...if you'll be there next week, I look forward to seeing you 
  there
Christopher Allen: http://weboftrust.info
  ...there will not be a meeting on the 11th nor the 25th or 1st 
  because holidays
  ...in the spring there's rebooting web of trust
Christopher Allen: https://www.internetidentityworkshop.com
  ...wrapping up those details now
There's also the internet identity workshop
  ...april 30th through may 2nd
  ...if you have other meetings please email them to the list
  ...So, the CCG team went through how we review action items
  ...we've added a lot of tags to our issues
  ...to help us manage those
Christopher Allen: 
  https://github.com/w3c-ccg/community/labels/action%3A%20review%20next
  ...in future weeks we'll be picking 3 items that we'll call 
  "review next"
  ...we'll try and tackle those each week
  ...and let people know we're covering them on upcoming calls
  ...there are quite a few new additional tags
  ...so, we've announced this, so that closes #35

Topic: DID resolver specification

https://github.com/w3c-ccg/community/issues/20
Markus Sabadello:  We are discussing the resolution architecture
  ...there are a number of open topics related to that
  ...the document linked there contains a short abstract, basic 
  example, and a list of open topics
  ...there is also a topic paper from the last RWoT about DID 
  resolution
  ...Dmitri and I have done a few calls to discuss this
  ...but as yet there's not much content on the document yet
  ...we're motivated to start working more on that now
Christopher Allen:  Any blockers?
Dmitri Zagidulin: +1 To everything markus said
Markus Sabadello:  No blockers on my side
  ...I am wondering a little bit about the process
  ...is this an official work item?
  ...should we have regular calls around this topic?
Christopher Allen:  So, that's exactly what we want to do for 
  each of these items
  ...continuing on that, we have an action item
  ...for manu for verifying DID methods
Christopher Allen: https://github.com/w3c-ccg/community/issues/4
Joe Andrieu: Present?
Christopher Allen: 
  https://github.com/w3c-ccg/community/issues?q=is%3Aissue+is%3Aopen+label%3A%22action%3A+ccg%22
Christopher Allen:  So, we'll address that later when manu's on 
  the call
  ...these items are items that the community is doing
  ...and hear from anyone who has updates on these
  ...there are 7 items open
  ...we're working on a DID explainer
  ...that's today's main topic
  ...does anyone have any status updates on these?
  ...we still need to review the model specification?
  ...burn is that something the VCWG needs us today officially?
Dan Burnett:  Technically yes
  ...the VCWG charter says we'll coordinate with a specific list 
  of groups
  ...and we need official feedback
  ...which could be as minimal as "we looked at it, and it's 
  fine."
Christopher Allen:  So, we need an action item for that, because 
  we need to do it soon
Ryan Grant: For purposes of testing DID Document parsing, I'm 
  still looking for a corpus of valid DID Documents.
Dan Burnett: Yes, talk to JoeA about what "soon" means for VCWG
  ...Ryan Grant had sent a DID Document use case request
  ...seems he's still looking for valid DID documents
  ...so, if you have such things please send those to rgrant
  ...he's collecting those
Dmitri Zagidulin: Rgrant - is there an issue or document where we 
  can add DID docs?
  ...we also need to do a review of the various approaches so 
  far--that'll be a future meeting
  ...we also keep seeing this security/vulnerability report on 
  our repos, and that needs addressing
Christopher Allen: 
  https://github.com/w3c-ccg/community/issues?q=is%3Aissue+is%3Aopen+label%3A%22action%3A+work+items%22
  ...now on to work items

Topic: Work Items

Christopher Allen:  Any status on any of these?
Dmitri Zagidulin:  Yes, send a pull request to 
  https://github.com/dcdpr/diddoc-validation [scribe assist by Ryan 
  Grant]
Christopher Allen: 
  https://github.com/w3c-ccg/community/issues?q=is%3Aissue+is%3Aopen+label%3A%22action%3A+chairs%22
  ...here's the list of issues the chairs are focused on
Christopher Allen: 
  https://github.com/w3c-ccg/community/issues?utf8=%E2%9C%93&q=is%3Aopen+is%3Aissue+no%3Alabel
  ...we go through these every Friday to make sure they're being 
  addressed
  ...we're also working to tag all our issues
  ...and seems we've accomplished that so far
  ...anyone's encouraged to submit issues related to their work
Christopher Allen: 
  https://github.com/w3c-ccg/community/issues?q=is%3Aopen+is%3Aissue+no%3Aassignee
  ...and now we'll address unassigned issues
  ...we need a lead on #28 Review VC Data Model Spec
  ...is there anyone who could read through that and lead a 
  discussion on a future meeting?
Andrew Hughes:  If no one else wants to do it, I can do that
  ...and I'm happy to accept supporting contributors as well
Christopher Allen:  Anyone here from EIP who could address #21?
Markus Sabadello:  I'm definitely not from the Ethereum Community
  ...but I could contribute a bit there
  ...I worked on the related DID method
  ...but I'm probably not the best person for handling #21
Christopher Allen:  So your task can be to find someone to 
  address it
  ...so that's done
  ...now we need someone to lead a discussion on #18 JWK 
  cryptosuite spec
  ...things such as CBOR, IPLD, etc.
  ...anyone up for this one? maybe someone from microsoft?
  ...we're looking for someone to generate a report about IPLD, 
  JSON-LD, etc.
Daniel Buchner:  So, we have been working on some of this
  ...we've worked with larger financial groups and things wanting 
  token auth
Daniel Buchner:  That's the status I have for now anyway
Christopher Allen:  Daniel if you can think about a future 
  meeting where we can go into more details
  ...maybe sometime early in january
  ...in the meantime, what is your github name?
Daniel Buchner:  Csuwildcat
Christopher Allen:  That closes out that part of the agenda
Daniel Buchner: Summary: there is a flavor of JW*-based DID auth 
  in DIF that supports RSA and secp256k1, and we have been getting 
  feedback from potential large corp/gov adopters that they want 
  OIDC support at some level, where possible. We're going to 
  continue working on the former, and trying to make the latter 
  compatible, wherever we can
  ...it went a bit longer today, but it's what we'd like to 
  tackle this process each week
Dmitri Zagidulin:  I'd like to add some thoughts about JWT
Christopher Allen:  Sure, go ahead
Dmitri Zagidulin:  We did a call recently about JWT
Dan Burnett: Verifiable Credentials, NOT Verifiable Claims :)
  ...there's a lot of interest in using existing JWT 
  infrastructure to support DIDs and VCs
  ...the general consensus was that we're going to go for a 
  mechanism
  ...where we can use any of these wrappers
  ...JWT, CWT, or future ones
  ...and then embed the full VC in the claims part of the token
  ...so, instead of mapping various attributes from JWT
  ...everyone on the call has expressed a commitment
  ...to sort of stuffing the entire VC into the claims portion of 
  the JWT
Christopher Allen:  So, whoever else was part of the community, 
  feel free to add some agenda items
  ...create URLs, etc, to help people find how to use JWT, etc as 
  these sorts of enveloping packages
Dmitri Zagidulin:  Does anyone have a link to those minutes?
Jonnycrunch3: was this my issue we mentioned earlier? or 
  something else?
Christopher Allen:  I think we need to find if that's handled by 
  this enveloping idea
Jonnycrunch3: so, my issue was in the DID spec
  ...and in the VC data model spec
  ...I summarized it in my paper
Christopher Allen:  We should probably discuss it in the CG and 
  make a work item for it
Dan Burnett: JWT special call minutes: 
  https://www.w3.org/2018/11/19-vcwg-minutes.html
Moses Ma: DID Monetization discussion/meeting is likely going to 
  be held on Thursday December 13th at noon PST. Zoom conference, 
  for 1 hour. Featuring Dr. Po Chi Wu. Sign up here: 
  https://goo.gl/forms/2tKbmbi5cDQMUBaC2
Moses Ma:  Hi all, sharing some call details
  ...I've also invited Christine Sandberg
  ...it should be a nice interesting call
Christopher Allen:  Great. there's a sign-up link
  ...in the future, there's an announcements repo
Moses Ma: Here's the time planning noodle: 
  https://xoyondo.com/dp/2mYFAeCroNL9riZ And an initial list of 
  possible business/revenue models: 
  https://docs.google.com/spreadsheets/d/1XyfIb3p80YlgcT-cbPe-bDsTkd1KvYbAYcIw7X_OmJk/edit?usp=sharing
  ...where people can share things like that
  ...it'd help to give folks more advance to post those there
  ...it would help us so they always show up in the announcements 
  section on these calls
  ...on to the meat of our discussions...

Topic: TAG charter review

Moses Ma: Okay, will enter a pull request...
Christopher Allen:  The W3C's Technical Architecture Group (TAG) 
  is charged with reviewing technical specifications and group 
  charters
  ...they have a new methodology called an explainer
Christopher Allen: 
  https://docs.google.com/document/d/1JIWWs8YTWP83Hao5UXyrgpddYu9F0v8lGDUo0Usor10/edit
  ...because they weren't really satisfied with our primer
  ...we've begun that explainer
  ...there's a variety of thoughts from some folks
  ...I've linked to the google doc
  ...JoeAndrieu do you want to take it from here?
Joe Andrieu:  If you've made edits and would like to present your 
  work, please jump on the queue
  ...basically, we'd like to get through this document with some 
  rough content
  ...once we've done with some of the work in the last week, we 
  can discuss this more
Ryan Grant: As I recall, at the last meeting we left off looking 
  for politically appropriate use cases.  Did we make progress on 
  this?
Joe Andrieu:  Maybe kimhd you have some examples?
Samantha Mathews Chase: Present+
  ...so, scenario 1 is an international student applicant
  ...the DID is first kept on a hardware wallet
  ...then a decade later, she shares that elsewhere
  ...the folks involved were able to verify the credential 
  without direct contact with past employers and universities
  ...the TAG's explainer explainer did ask for code
  ...so I'm hoping to get a sample DID and VC into this explainer 
  in place of code
Ryan Grant: Does Oxford need to sign a nonce to prove that they 
  still stand by issuing Sally's diploma?  Do we have an 
  offline-verifiable-credential already?
Moses Ma: Christopher, can you post the URL to the repository 
  where you want a pull request for a new work item/meeting/project 
  - announcements? issues?
Kim Hamilton Duffy: I'll mock up a VC for scenario 1
Joe Andrieu:  So this was my write-up, and although it reaches 
  beyond "just DIDs"
  ...I was able to fold in interesting scenarios showing that it 
  helps remove the burden of authentication from the university
  ...or for them to even be involved in the loop to verify
  ...hopefully it highlights things accurately
Jonnycrunch3: one concern is around non-goals
  ...I understand this is the W3C which seems very married to 
  HTTP and DNS
  ...and there are vulnerabilities in those protocols
Dmitri Zagidulin: What particular vulnerability do you have in 
  mind?
  ...so limiting this to just those protocols seems limiting
Joe Andrieu:  The explainer doesn't ask for things that map to 
  those concerns
  ...but I may just add them anyway
Christopher Allen:  Specific to this educational scenario
  ...it's probably important to mention that VC's may be wrapped 
  in various proofs
  ...one for this usecase is a timestamp
  ...so that they know it was valid at the time of issuance
  ...but there might be 3 proofs
  ...a short term signature proof
  ...with an expiration on the signature
  ...that point might need to be in there somehow
Joe Andrieu:  Do you think timestamps are a unique selling point 
  for DIDs?
Christopher Allen:  I think one of the principles of DIDs 
  however, is that we're part of an ecosystem
  ...you're talking about a VC here
  ...and that encodes those proofs
  ...you're right this isn't technically part of the DID spec
  ...but it does show that multiple proofs is part of our 
  technology
Joe Andrieu:  It's also not part of the VC spec
  ...timestamping is kind of its own thing
Christopher Allen:  Maybe we point that it may be a service 
  offered or something...but we'll see
Brentz: I just wanted to say we should have a very simple use 
  case
  ...ideally one that doesn't involve VC
  ...something I can identify and resolve
  ...I'm not sure we're highlighting the best things that DIDs 
  provide
"Knows" from last year
Joe Andrieu:  What's a better use case?
Brentz: maybe IoT?
  ...I'll work on one and suggest it
Joe Andrieu:  If you could write something up, that would be 
  great
  ...simpler is better
Drummond Reed:  I'd be happy to help also
Markus Sabadello:  The idea that was just mentioned
  ...that the DID can prove control of it prior to doing anything 
  more
  ...that seems to be what people mean when they say DID Auth
  ...something as simple as single-sign on
  ...but this time with an identifier no one can take away from 
  you
  ...and doesn't hard code the identity provider
Joe Andrieu:  So, how would that be different than just WebAuthN
  ...one of the critiques is that DIDs aren't any different
Markus Sabadello:  I could name a number of reasons
  ...we've already included them in our report
  ...do we want to go into that now?
WebAuthN isn't necessarily self-sovereign, need third party
Christopher Allen:  I think that it's worth trying to find one
  ...but I admit to having a skepticism around single sign-on or 
  email signing
  ...because it connects us to lots of areas where folks will 
  object
  ...the educational one doesn't currently have a contender in 
  this space
  ...so it's less likely to be contentious
  ...maybe rotating a TOFU would be interesting
  ...but short of that, we hit other things
Joe Andrieu:  TOFU == Trust on First Use
Markus Sabadello: With DID Auth you can change the authentication 
  method (key pair, password, biometrics, whatever) without 
  changing the identifier.
Ryan Grant:  Can someone remind me where our past use case work 
  is?
  ...I feel like we did lots of this previously
Joe Andrieu:  Yeah, I'll look those up
Heather Vescent: There were like ~20 use cases in that document.
Ryan Grant: 
  https://docs.google.com/document/d/1wz8sakevXzO2OSMP341w7M2LjAMZfEQaTQEm_AOs3_Q/edit
  ...we came up with 10-12 DID focal use cases
  ...it was sent to the TAG
  ...and our proposed charter
  ...but folks didn't find it compelling enough to replace the 
  explainer
Ryan Grant:  I just dropped the link I found in the notes
  ...it would be interesting to know what of those were not 
  compelling
  ...and share that feedback with the group
Heather Vescent: It wasn't clear what the next step was with that 
  document. We could do a group survey/analysis of those use cases/
Joe Andrieu:  Some of it was just "I don't care about use case X" 
  and they moved on
  ...the stuff in there isn't sorted at all either; just very raw 
  input
Heather Vescent:  I was confused by the origin of the use cases 
  in the explainer document
  ...I wondered why we didn't use stuff from Ryan's work
  ...lots of people contributed to that
  ...as a recovering Silicon Valley product manager
  ...I'd want to do analysis on these use cases
  ...to sort out which seems most appropriate and strongest for 
  this audience
Ryan Grant: I think the thing missing is principles of 
  politically desirable use cases.
  ...in order to make the case with W3C management
  ...the easiest thing you could do is a survey
  ...getting feedback on the various use cases
  ...to help understand and categorize these
  ...to see which actually resonates with the community
  ...we had a lot of contribution
Samantha Mathews Chase: Agree with heather, we should score those 
  use cases, combine all other docs and rate and order them
  ...but it lacked quantitative feedback
Samantha Mathews Chase: That doc was the reason i joined and I 
  would happily update it
Samantha Mathews Chase: As I'm sure others would
Joe Andrieu:  To reflect the process that got us here
  ...we did present those other use cases to W3M
  ...and as a result to that feedback, we kicked off discussions 
  around DIDs Unique Selling Proposition
Heather Vescent: Ok. The results of that feedback weren't clearly 
  communicated back to this group.
  ...what are the pain points which DIDs uniquely solve
  ...we've discussed this for the last several weeks
  ...and what's currently in the explainer is an attempt to focus 
  on the Unique Selling Proposition
  ...and narrow that to a few scenarios
  ...to make that case
  ...that's how we got here
  ...we had some great discussions in the last couple weeks
  ...that highlighted some of these USPs
  ...like "no one wants to manage their credentials"
Samantha Mathews Chase: Why don't we add our new thoughts and 
  feedback to the top of the doc
Christopher Allen:  So. we still want to continue exploring use 
  cases
  ...refine them, add to them, etc.
  ...the difference with the explainer
Samantha Mathews Chase: And encourage everyone to go back and 
  clean those up
  ...the explainer specifically is under a time constraint
  ...we really wanted it out last week
  ...the TAG wanted to know specifically why DIDs were 
  different/better than existing specs/approaches like WebAuthN
  ...we needed to lead with something they'd understand relative 
  to other things they're evaluating
  ...we now have a very specific audience we're trying to appeal 
  to
Ryan Grant: This is the first time I've heard that we should be 
  making a list of features that we have that webauthn doesn't 
  have.  That's annoying.
Andrew Hughes: Are these the major value points of DIDs?
  ...that, I believe, is how we ended up on this educational 
  scenario
Andrew Hughes: * DID are self-issued identifiers
Andrew Hughes: * DID use cryptographic proofs to demonstrate the 
  ‘owner/controller’
Andrew Hughes: * DID cannot be ‘cancelled’ by an authority
Andrew Hughes: * DID make key rotation possible (the 'identifier' 
  part is separate from the 'cryptographic proof' part)
Andrew Hughes: * DID are resolvable
Andrew Hughes: * DID can be directly used and referenced in any 
  DLT (by writing a new DID method)
  ...where it would seem like a first for the TAG
Joe Andrieu:  So. we're running out of time
  ...samchase if you'd like to chime in
Samantha Mathews Chase:  We're working to get our pilot off the 
  ground
  ...if we're going to work back from that document
  ...basically I think the main point is letting someone have not 
  just single sign-on
  ...but also carry their preferences with them
  ...and in that scenario, you make data brokers become separate 
  from identifying entities
  ...just giving people over the tagging of their data
  ...so when they give it to you they're confident
  ...I'd love to help, but sadly I'm really swamped before the 
  holidays
Joe Andrieu:  We are a bit under the gun
  ...next week are 2 events
  ...those in attendance will be reviewing this doc
Samantha Mathews Chase: I'll type something up today thanks for 
  the fire under my butt
  ...and getting a lot of feedback from WebID, WebAuthN folks
Moses Ma: Christopher or Joe, did I do this right and in the 
  right place? https://github.com/w3c-ccg/community/issues/40
  ...we're doing all this to support the charter activity
  ...which is also under the gun
  ...we've got a train that's moving forward and we'd like you to 
  hop on samchase if you can
  ...we're a little bit after the hour
  ...ok, no meeting next week
  ...see you 2 weeks from now
Moses Ma: Thanks and bye folks

Received on Sunday, 9 December 2018 21:32:42 UTC