[MINUTES] W3C Credentials CG Call - 2017-08-29 12pm ET

Thanks to Ryan Grant for scribing this week! The minutes
for this week's Credentials CG telecon are now available:

https://w3c-ccg.github.io/meetings/2017-08-29/

Full text of the discussion follows for W3C archival purposes.
Audio from the meeting is available as well (link provided below).

----------------------------------------------------------------
Credentials CG Telecon Minutes for 2017-08-29

Agenda:
  https://lists.w3.org/Archives/Public/public-credentials/2017Aug/0073.html
Topics:
  1. Introductions
  2. Work Item Progress
  3. Privacy and Security Requirements
  4. DID Specification Progress
Organizer:
  Kim Hamilton Duffy and Christopher Allen
Scribe:
  Ryan Grant
Present:
  Ryan Grant, Christopher Allen, Paul Simmonds, Ed Bice, Kim 
  Hamilton Duffy, Nathan George, Adam Lake, Manu Sporny, Mike 
  Lodder, David Chadwick, Dave Longley, Moses Ma, Dan Burnett, 
  David I. Lehn, Frederico Sportini, Lionel Wolberger, Adam Migus, 
  Adrian Gropper
Audio:
  https://w3c-ccg.github.io/meetings/2017-08-29/audio.ogg

Ryan Grant is scribing.
Christopher Allen:  Today is a joint meeting of W3C verifiable 
  claims (members only), and credentials community group.
Christopher Allen:  David Chadwick presenting

Topic: Introductions

Paul Simmonds:  Hi, I'm Paul Simmonds from the Global Identity 
  Foundation. We want a safer world where all entities can interact 
  using a single digital identity; that provides them enhanced 
  security and privacy, and which is completely under their 
  control; enabling an eco-system of assured trust for all digital 
  transactions. There is a lot in common between our work and the 
  work being done here.
Paul Simmonds:  More on us here... 
  http://www.globalidentityfoundation.org/index.html
Ed Bice:  Hi Ed Bice from Meedan. Meedan builds digital tools for 
  global journalism and translation. We are a team of designers, 
  technologists and journalists who focus on open source 
  investigation of digital media and crowdsourced translation of 
  social media. We are based in San Francisco and are doing work on 
  collaborative fact checking with our Check product. We have been 
  dealing with the Fake News problem since before it was called 
  that. We heard about this group through Evan Sandhaus of the NYT 
  and would like to explore if we can use Verifiable Claims to 
  address some of our use cases. Here to learn more.
Ed Bice:  More on us here... https://meedan.com/en/

Topic: Work Item Progress

Christopher Allen:  How are we keeping track of work items?
Kim Hamilton Duffy:  DID spec received discussion, so let's cover 
  that.  Data minimization may have other groups working in similar 
  areas.
Nathan George:  Mentions competing efforts at hyperledger
Nathan George:  There, there is an attempt to understand coverage 
  of privacy related issues?
Adam Lake: +1
Manu Sporny:  Fake news has brought us Ed and good feedback from 
  BBC.
Manu Sporny:  Not sure where Ed's work will land, we need to get 
  them scheduled between VCWG and CCG.
Nathan George: Hyperledger forum where most credentials and 
  verifiable claims discussions are happening 
  https://wiki.hyperledger.org/groups/identity/identity-wg
Mike Lodder: I would like to participate in the selective 
  disclosure group
Nathan George: The Architecture WG has also spawned a Privacy and 
  Confidentiality sub-group that is addressing some of these topics
Christopher Allen:  Suggests Ed review RWOT Fall conference 
  agenda for relevance.  Especially reputation systems and which 
  parts of our current work are underlying infrastructure for that.
Kim Hamilton Duffy: Bots, Fake News, and VC discussion: 
  https://goo.gl/fuLHB8
Nathan George: Additionally there is implementation work going on 
  here http://identity.foundation/ (folks from this group will be 
  around at IIW 25 http://www.internetidentityworkshop.com/)
Christopher Allen:  Are we done with mission statement?  (yes!)
Kim Hamilton Duffy:  We need to notify W3C and some other groups 
  of our changes.
Nathan George: We have been working on support for shared crypto 
  libraries and tools for selective disclosure at Hyperledger, if 
  you are interested in helping that effort, I'd love to talk to 
  you about how to get more organizations involved there.
Manu Sporny:  Manu has action item to follow up with Dan from 
  EOS.  they're going to participate in verifiable claims.

Topic: Privacy and Security Requirements

Kim Hamilton Duffy: https://goo.gl/ZeyJUS
David Chadwick: Draft security and privacy requirements is here:  
  https://goo.gl/ZeyJUS
David Chadwick:  Upon review, when the subject is the holder 
  (versus when subject is not subject) there are some subtle 
  differences.
David Chadwick:  If the subject is a third party holder, does it 
  depend on the subject as to whether the credential can be 
  verified?
David Chadwick:  Two scenarios
David Chadwick:  Subject delegates credential to holder, allowing 
  holder to access a website or whatever
David Chadwick:  With negative credential, a service may accept a 
  non-delegated negative credential.
David Chadwick:  Tricky.
Manu Sporny:  General comment - it does get tricky - on the 
  document: it's straightforward, but Manu can think of lots of 
  edge cases that contradict.
Manu Sporny:  Where to take it next?  explore use cases or refine 
  for high-level understanding?
David Chadwick:  Intent is to work it into the lifecycle and data 
  model documents.
David Chadwick:  It is meant to remain high level.  there are 
  ambiguities when looking at details.
David Chadwick:  We're going to spell out the cases more for 
  security review.  not sure if this is that document.  maybe 
  lifecycle doc.
Christopher Allen:  Document perhaps too simplified.  See some 
  lingo gaining traction in 
  https://www.researchgate.net/publication/234720523_A_terminology_for_talking_about_privacy_by_data_minimization_Anonymity_Unlinkability_Undetectability_Unobservability_Pseudonymity_and_Identity_Management
Christopher Allen:  Document title: "A terminology for talking 
  about privacy by data minimization: Anonymity, Unlinkability, 
  Undetectability, Unobservability, Pseudonymity, and Identity 
  Management"
Manu Sporny: 
  https://tools.ietf.org/html/draft-iab-privacy-terminology-01
Christopher Allen:  We don't need to adopt their wording.  We 
  should look at attacker motivation, i.e. how would availability 
  or integrity fail.
Manu Sporny: Here is the final RFC: 
  https://tools.ietf.org/html/rfc6973
David Chadwick:  Great suggestion
Manu Sporny:  See published RFC (6973) defining private 
  considerations.  we would set ourselves up for failure if we 
  didn't build off this work.
*Privacy considerations
RFC6973 compliance is already required in DID specification 
  section 10.1
David Chadwick:  If we show how we're using their guidelines, 
  that helps our review process
Mike Lodder:  Is a cryptographer working on selective disclosure
Christopher Allen:  Separate work item exists: survey of 
  non-cryptographic techniques surrounding data minimization.  
  Looking for survey of the class of problems.
Christopher Allen:  As a culture, we have a tendency to always 
  use cryptography, even when it doesn't add security.
Kim Hamilton Duffy:  We need more people dedicated to data 
  minimization.  RFC is good catalyst.
Manu Sporny:  This is also very important for verifiable claims 
  working group.  previous criticism said we weren't doing enough 
  deep dives into the space of techniques.
Mike Lodder: Do we have a formal place to begin working on it
Manu Sporny:  Work now will reduce objections in a year's time, 
  when we're closer to finalization.
Dave Longley: And this CG can submit a report to the WG with some 
  of that security/privacy information (and/or it can take place in 
  the WG directly depending on the charter)

Topic: DID Specification Progress

Christopher Allen:  Now that we're implementing DID-methods, 
  we've discovered some issues.
Kim Hamilton Duffy:  Looking for plan as to how we'll be making 
  more progress
Manu Sporny:  There is a new DID-method spec
Manu Sporny: Veres One DID Method specification: 
  https://w3c-ccg.github.io/didm-veres-one/
Manu Sporny: Live site is here: https://veres.one/
Manu Sporny:  Hope is that this implementation helps us in the 
  standardization discussion.
Manu Sporny:  What is the impact?  BTCR DID-method spec work 
  raised lots of questions.
Manu Sporny:  We now have three different data models as 
  suggestions.
Manu Sporny:  Ethereum and Sovrin input will go into the spec.
Manu Sporny:  Hope is to have discussion in September
Kim Hamilton Duffy: 
  https://github.com/w3c-ccg/didm-veres-one/issues/1
Manu Sporny:  Then come to technical decisions at conference
Manu Sporny:  Has put up "straw men" as discussion points on 
  proofs versus signatures
Dave Longley: Use cases, use cases, use cases
Manu Sporny:  We believe we have generalized, but need to check 
  everyone's use cases.
Manu Sporny:  What is minimum viable DDO?
Manu Sporny:  Want some kind of proposal going into RWOT
Manu Sporny:  Need to prioritize
Christopher Allen:  Issue identified: which keys can be used for 
  control versus update
Manu Sporny:  We agree that that (<--what?) is what should be 
  done
Mike Lodder: +1
Manu Sporny:  Two use cases: authentication versus update
Manu Sporny:  Use case identified: want (or was considered) to 
  prevent key from updating certain fields of DDO
Manu Sporny:  Be very specific about proof models
Dave Longley: 
  https://github.com/w3c-ccg/didm-veres-one/issues/1#issuecomment-325450670
Dave Longley:  We were looking at separating out authentication 
  from authorization
Dave Longley:  This is about what fields you can write to in the 
  DDO
Dave Longley:  And you can constrain them to say that they can 
  only authenticate using certain methods
Manu Sporny:  General read on the DID spec: conflation between 
  authentication and authorization
Manu Sporny:  Went back to review Joram use case
Manu Sporny:  We were able to use data structures to walk through 
  use case.
Manu Sporny:  Want to present at RWOT
Christopher Allen:  We need to get Ethereum people back here
Ryan Grant:  What was the conflation? [scribe assist by Manu 
  Sporny]
Manu Sporny:  It was design flaw in logical intent that led to a 
  confused deputy attack when delegating and then the total loss of 
  identity (read: it was really bad)
Christopher Allen:  The blockchain CG is shutting down.  there 
  were possibly a couple issues to import, that were being 
  discussed there.
Christopher Allen:  The problem is can Web Ledger work with 
  multiple blockchains
Manu Sporny:  There was a futile attempt to align the data model 
  across all blockchains.
Manu Sporny: Web Ledger Protocol - 
  https://w3c.github.io/web-ledger/
Manu Sporny:  As you all know, blockchains are just state 
  machines... you get in events, write them to the ledger, that 
  updates the state machine. We've been working on a unified data 
  model and protocol that would enable generalized blockchain 
  clients (just basic ability to read blocks and events... the 
  contents are always going to be specific to the blockchain). 
  Think of it kinda like HTTP for blockchains.
Manu Sporny:  It could be that this group picks up some of this
Manu Sporny:  This group could pick up Veres One.  this isn't a 
  central work item for the group
Christopher Allen:  Interested in general concept of the API.
Christopher Allen:  Some work to untangle things.
Christopher Allen:  Good to see things being registered.  this 
  group could be a placeholder for things so that they don't get 
  lost.
Manu Sporny:  Microsoft has released their own blockchain, the 
  Coco Framework
Manu Sporny:  It feels like Hyperledger Indy in design, any 
  feedback from Sovrin/Evernym folks?
Manu Sporny:  What is the interplay between that work and the 
  DIF?
Christopher Allen:  Drummond isn't here, anyone else from Evernym 
  want to say something?
Manu Sporny: 
  http://www.reuters.com/article/us-microsoft-blockchain-idUSKBN1AQ1KD
Dave Longley: Coco Framework
Manu Sporny:  They say "it's a framework for blockchains", but it 
  looks like a specific blockchain
Manu Sporny: 
  https://github.com/Azure/coco-framework/blob/master/docs/Coco%20Framework%20whitepaper.pdf
Christopher Allen:  Also confused between Sovrin and Indy, which 
  is hyperledger's implementation
Moses Ma:  Talking to Aeternym in Paris.  They're working with 
  ISO, and coming in October (to RWOT) to bridge the groups.  we 
  should work harder to collaborate.
Nathan George: Sovrin is an installed instance of Hyperledger 
  Indy for global public identity.  Just like you can run multiple 
  instances of a database like MySQL a network can run an 
  installation of a blockchain, Sovrin is an instance of Indy for 
  public identity.
Christopher Allen:  We want to make a presentation at W3C TPAC
Dan Burnett:  VCWG chairs are working on agenda
Moses Ma: TPAC: https://www.w3.org/2017/11/TPAC/
Christopher Allen:  Kimhd what's our plan?
Kim Hamilton Duffy:  Request from Christopher Webber to cover his 
  project, else DID work.
Manu Sporny:  Let's talk about data model for DDOs.
Christopher Allen:  We should invite Christian from Ethereum 
  uPort. I'll do that.
Christopher Allen:  Thx all.  See everyone next week!

Received on Tuesday, 29 August 2017 18:19:06 UTC