Verifiable Claims Telecon Minutes for 2017-05-02

Thanks to Dave Longley for scribing this week! The minutes
for this week's Verifiable Claims telecon are now available:

http://w3c.github.io/vctf/meetings/2017-05-02/

Full text of the discussion follows for W3C archival purposes.
Audio from the meeting is available as well (link provided below).

----------------------------------------------------------------
Verifiable Claims Telecon Minutes for 2017-05-02

Agenda:
  https://lists.w3.org/Archives/Public/public-credentials/2017Apr/0084.html
Topics:
  1. Finalize CG Reports, hand-off to WG
  2. Trip Reports
  3. Working Group Membership
  4. Suggestions for next week
Resolutions:
  1. Publish 2017-05-01 drafts as Final Reports. Gather feedback 
    until this coming Friday, and publish final specifications if no 
    objections.
Action Items:
  1. Chairs to send resolution to the mailing list inviting 
    objections if there are any.
  2. Manu to work with Chairs to get sign-off on IPR for specs.
Organizer:
  Manu Sporny
Scribe:
  Dave Longley
Present:
  Dave Longley, Matt Stone, Manu Sporny, Christopher Allen, Gregg 
  Kellogg, Matthew Larson, Adam Migus, Adam Lake, David I. Lehn, 
  Rob Trainer, Joe Andrieu, Richard Varn, Kelly Cooper
Audio:
  http://w3c.github.io/vctf/meetings/2017-05-02/audio.ogg

Dave Longley is scribing.
Matt Stone:  Any newcomers that haven't introduced themselves 
  yet?

Topic: Finalize CG Reports, hand-off to WG

Matt Stone:  We've got some bookkeeping and clean up to do 
  for the WG. To get a crisp hand off point for the docs that are 
  in flight right now (data model spec and use cases).
Matt Stone:  When the WG begins we can inherit the CG's doc and 
  we need a clear start for attribution and IPR, etc.
Matt Stone:  There are some PRs going and we have some open 
  issues. We need to figure out as a group where we declare that 
  these are the docs that the WG should begin with.
Matt Stone:  We probably want the WG to take over the docs at 
  that point.
Manu Sporny:  I can speak a bit to that.
Manu Sporny:  Last night I went ahead and prepped two final CG 
  docs, they don't have to be the actual final docs. We've pulled 
  in everything but one final PR that doesn't have any IPR in it, 
  it's a non-normative section.
Manu Sporny:  At this point we can freeze the docs and ask for 
  IPR commitments. Typically this group decides that we want to 
  freeze the docs. Then there's an interface on the CG site that 
  can say "these are the final specs" and the chairs can do that.
Manu Sporny:  The group freezes the docs, the editors prep them, 
  and then we wait a bit and then the chairs publish the docs 
  through the CG site and we ask for anyone who has contributed 
  content to the specs. That is anyone who has done PRs to the 
  spec.
Manu Sporny:  They must explicitly release IPR -- they've already 
  implicitly done this, we are just gathering explicit ones. We're 
  past the point where we should be that concerned where IPR slips 
  into these docs that we don't want in there, but the final report 
  is an explicit statement saying that content is released to W3C 
  and their patent free policy, etc.
Manu Sporny:  So we want the handoff to be really clean. The 
  final CG specs are done, if anyone on the call believes that we 
  get something else important into the spec they should speak up 
  now or on the mailing list. If we don't hear from anyone, the 
  chairs should publish the final reports and then we get 
  commitments from everyone who contributed. Takes 2-4 weeks and I 
  think we can get it done before the WG spins up.
Manu Sporny:  Any questions?
Matt Stone:  You did it for both the data model and the use 
  case doc?
Manu Sporny:  Yes, I sent an email to the mailing list last night 
  with the static doc locations, those are frozen, the files don't 
  change.
Christopher Allen:  The data document does not provide anything 
  about signature formats or anything of that nature.
Manu Sporny:  Yes, but to be clear, the WG can do whatever they 
  want to these specs as long as it's in charter. The WG can decide 
  to add/remove whatever from the specs.
Christopher Allen:  The design spec wise, is that we say that the 
  recommended signature formats are in a separate document or ?
Manu Sporny:  That's up to the WG to decide. That's a 
  conversation for them.
Manu Sporny:  The charter says we have to recommend signature 
  formats that we believe work with Verifiable Claims, so we'll do 
  that in the WG.
Manu Sporny:  That's my expectation.
Manu Sporny:  Did that make sense?
Christopher Allen:  Yes, I'd like to get the data format done and 
  stylistically/architecture wise mention future signature 
  mechanisms, specs, etc. We can decide that later as you said.
Christopher Allen:  I'm at crypto this week and I've been talking 
  about long term signatures, the only thing that satisfies that 
  are hash signatures, which are huge. Things for marriage 
  certs/college degrees, etc. I want to make sure we can talk about 
  those things later.
Manu Sporny:  Yes, we can. My expectation is that VC won't 
  mandate that you must use, for example RSA, we'd allow the entity 
  that's issuing the VC what algorithms/mechanisms work best for 
  the types of claims they are issuing.
Christopher Allen:  I think we need more than just that. It's one 
  thing that you're talking about a claim that's renewable for a 
  period of time but there may be sub cases where you have to talk 
  about why you should use one signature over another.
Manu Sporny:  Yes, like a signatures best practices document. 
  Privacy considerations may also need its own document because it 
  may take a lot more space than the data model itself. The same 
  could be true for signature formats/best practices, etc. 
  Typically the way this happens in the doc is that you put it in 
  the main doc and it grows until it's unwieldy and the WG agrees 
  to move it to a separate spec. The WG decides what to produce, 
  the charter is only a guide for that, as long as the work is in 
  scope you can produce more docs.
Matt Stone:  Ok, thanks, Manu for the overview and what to 
  expect. Can we take down some actions to make sure we get this 
  done over the next 2 weeks?
Manu Sporny:  Yes, first, the proposal is to publish the two 
  links that I sent out last night as the final report. The chairs 
  need to put forward a proposal and we should +1/-1 on the call 
  today and we can proceed as long as there are no objections. We 
  need to do the same on the mailing list and give people a week to 
  object. If there are no objections after that the chairs can 
  publish them as the final reports on the CG site.
Manu Sporny:  Verifiable Claims Use Cases (CG Final Report) -  
  https://opencreds.github.io/vc-use-cases/CGFR/2017-05-01/
Manu Sporny:  Verifiable Claims Data Model and Representations 
  (CG Final Report) - 
  https://opencreds.github.io/vc-data-model/CGFR/2017-05-01/
Matt Stone:  Should we just let this hang as uncommitted? The 
  remaining PR https://github.com/opencreds/vc-data-model/pull/38
Manu Sporny:  Because there's no IPR in it we don't need to be 
  that concerned about it.
Manu Sporny:  The suggestion is, let's just wait and pull it into 
  the document later.
Christopher Allen:  I'd prefer to wait on the PR.
Manu Sporny:  We're going to give ownership of the repo over to 
  the WG.
Manu Sporny:  So it should be really clean.
Dave Longley: +1 To that then.

PROPOSAL:  Publish 2017-05-01 drafts as Final Reports. Gather 
  feedback until this coming Friday, and publish final 
  specifications if no objections.

Gregg Kellogg: +1
Dave Longley: +1
Matt Stone: +1
Manu Sporny: +1
Matthew Larson: +1
Adam Migus: +1
Adam Lake: +1
Christopher Allen: +1

RESOLUTION: Publish 2017-05-01 drafts as Final Reports. Gather 
  feedback until this coming Friday, and publish final 
  specifications if no objections.


ACTION: Chairs to send resolution to the mailing list inviting 
  objections if there are any.

Matt Stone:  Can you track down the committers?
Manu Sporny:  Yes, I can work with the chairs offline to walk 
  through the process, we will send direct emails to each one of 
  the committers to sign off on the IP.

ACTION: Manu to work with Chairs to get sign-off on IPR for 
  specs.

Christopher Allen:  Could I ask if the trip reports could be 
  swapped with the next item in the agenda?
Matt Stone:  Sure.
Matt Stone:  One more thing before we move onto the next item in 
  the agenda. This is just a validation of what Manu mentioned 
  earlier. Since the WG will take ownership of the repo, all the 
  issues and discussions will follow as well. So there's nothing we 
  have to do with those as well?
Manu Sporny:  The three repositories end up being handed over to 
  the W3C organization.
Manu Sporny:  Right now it's in the opencreds organization and it 
  will be handed to W3C, all the issues, teams, etc. will 
  automatically move over.
Dave Longley:  CG continues to work on things? Protocol things? 
  In open creds space?  [scribe assist by Manu Sporny]
Manu Sporny:  Correct, slight wrench in there. We may want to 
  spin down the opencreds repo and use the VC CG repo instead.
Dave Longley: +1 To that
Matt Stone: +1 To using the new name
Manu Sporny:  We should use the new name so people don't get 
  confused.
Manu Sporny:  Opencreds is 3 years old or so.
Gregg Kellogg:  The repo or the organization?
Manu Sporny:  The organization, the VC CG organization.
Matt Stone:  In the W3C, there is an opencreds page there where 
  we're all listed as members, is there some naming/branding we 
  need to do?
Gregg Kellogg: https://github.com/w3c-vc
Manu Sporny:  The naming on the W3C side is Verifiable Claims, 
  the WG. It's confused right now ... there's opencreds, VC CG and 
  VC WG, the CG needs to decide what name to use going forward.
Manu Sporny:  The discussion should be around "Should we be 
  called the Credentials CG or rebrand to the Verifiable Claims CG" 
  there are pluses and minuses.
Christopher Allen:  Will the groups start splitting? I'd like to 
  see the CG be a little broader.
Matt Stone:  Broader than Credentials?
Christopher Allen:  I just mean not tie explicitly to the WG, 
  there are things that the CG can do that VCWG can't do, so 
  untying them a bit is useful.
Matt Stone: +1 To ChristopherA
Manu Sporny:  +1 To that, the CG is going to deal with everything 
  the WG can't deal with right now or isn't chartered to take on. 
  So things like protocol, decentralized identifiers.
Manu Sporny:  The things we know we need for a good healthy 
  ecosystem but we weren't able to charter the WG to do yet.
Dave Longley: +1
Christopher Allen:  I'd almost like to see it be Credentials 
  Infrastructure or something like that that covers the entirety of 
  the problem, but it's not a topic for today.
Matt Stone:  We probably need an agenda item for next week that 
  is scheduled for CG calls and how we're going to keep the broader 
  discussion alive and have the WG start to focus. We'll want 
  someone on the CG side to take a chair role and keep those 
  driving forward.
Christopher Allen:  Who is the current chair?
Matt Stone:  It's Richard and I.
Matt Stone:  We'll be moving to the WG, can't do both.
Christopher Allen:  I'd be interested in talking about that, can 
  take it offline.
Matt Stone:  Let's do the next agenda item. Next up is trip 
  reports.

Topic: Trip Reports

Christopher Allen:  I wanted to report the last couple of 
  weeks... Manu did you report last week since Rebooting?
Manu Sporny:  No, this is the first call I've been able to join.
Christopher Allen:  Why don't you start out and I'll close.
Manu Sporny:  Ok, sounds good. A couple of events that happened 
  before RWoT (Rebooting Web of Trust), I'll cover those first. We 
  went to IETF to move the signature stuff forward, that has to do 
  with Koblitz signatures that bitcoiners/ether people are using. 
  It had to do with signing HTTP messages, etc. We met with a 
  number of people at IETF, we met with the ex-chairs of the JOSE 
  working group, Jim Schaad, we met with folks that were involved 
  with JWS and JWT, specifically, John Bradley from Ping Identity 
  and Mike Jones from MS. We tried to figure out a way to harmonize 
  the work at IETF and the work at VC. The good news is that we 
  came out of it with a pretty solid harmonization strategy.
Manu Sporny:  The reason we couldn't use JWTs still stands, but 
  we can do a variant of JWS. By doing that, we get to reuse all of 
  the security analysis that has gone into JWS. The challenge that 
  we had before IETF was going to be a fairly 6mo-2yr security 
  review on our signatures even though they don't fundamentally do 
  anything new... you have to go through IETF process, then you get 
  your stuff through. If we can reuse JWS we get to skip 2 years of 
  work. I sat down with John Bradley and Mike Jones and came up 
  with something with JWS that we believe will work for the VC 
  community, the signature doesn't change all that much, just the 
  signature value. We pay a penalty of around 20 bytes per 
  signature, which isn't nearly as bad as before where docs were 
  going to double in size each time you added signatures. That was 
  unworkable. The new format allows us to only add an additional 20 
  bytes now.
Manu Sporny:  That's all really great news because it means that 
  we can continue on, there's harmony between IETF and W3C on the 
  signature stuff, we skip politics and time.
Manu Sporny:  We had the theory down at IETF and when we met at 
  RWoT ... and a number of people joined us and wanted to do 
  implementation. We had Kim Hamilton from MIT/blockcerts.
Manu Sporny:  Kim did the implementation in JavaScript, 
  BigchainDB implementation in Python (missed one more)
Manu Sporny:  We came in with an idea for how to do it from IETF 
  and we left RWoT with 3 interoperable implementations. It all 
  seemed to work nicely. It also opened the door to do Koblitz 
  signatures using the same mechanism.
Manu Sporny:  The signature stuff became really aligned and all 
  good news.
Manu Sporny:  Other things happened at RWoT around decentralized 
  key management and authentication. We still don't have fully 
  interop implementations of DID specs, but DB and Evernym have 
  committed to that. Christopher Allen can speak to people working 
  on the bitcoin/ethereum specs that are related. The community 
  seems to be working really well together, actually generating 
  code, shipping products, really good, Christopher go ahead, 
  please cover anything I missed.
Christopher Allen:  We made real progress on a particular 
  reconciliation with real code in three languages. The DID specs 
  are moving forward, bitcoin and ethereum ones getting mature to 
  match the Sovrin one. Other interesting work, around articulating 
  reputation and other types of issues. Lots of higher level issues 
  to continue. We're going to have another RWoT in October in 
  Boston. First week of October. If people are interested in 
  participating. Part of the reason why it was scheduled then was 
  to fit in with 3 other conferences in Paris, security and 
  privacy, Eurocrypt, and privacy on the blockchain workshop. Those 
  all went very well and CFRG meeting. We mentioned that we've got 
  a secp256k1 spec, talked about advantages, got some reluctance to 
  open up the political can of worms they've had in the past which 
  is understandable, but the more important thing was that after 
  this meeting Jim Schaad, who is the editor for the JOSE standards 
  said that if there's a reasonable spec for secp256k1 as an 
  internet draft that he's more than willing with his editor powers 
  to add that as an acceptable cipher suite to JOSE without 
  requiring a full CFRG review and a chair of CFRG said that was 
  acceptable to him. That would let us bring in communities that 
  use this alternative curve. I'm at Eurocrypt this week and since 
  we're talking about educational use cases and the institution I 
  worked with doesn't even exist made me realize long term 
  signatures are important. I've been doing research into hash 
  signatures which are inefficient and slow but crypto experts 
  believe it's a strong long term tech (quantum resistant, etc.) 
  it's a great way to have a long term sig. It's 43k per signature, 
  which is significant but it may be worth the extra effort to have 
  something last that long.
Christopher Allen:  If anyone has any questions they can talk to 
  Manu or myself.
Manu Sporny:  Wanted to follow up on hash based signatures. We 
  met with a Canadian company working on hash based signatures and 
  they are very interested in working with the VC group to get that 
  sort of signature in. There's interest in that space, we can't 
  necessarily move quickly on it but keep it in the back of our 
  minds, especially because we've got a company packed with post 
  quantum cryptographers. It's useful multiple decades out, long 
  lasting stuff.
Christopher Allen:  Definitely says something as a requirement 
  for our docs and the future, there's a big difference between a 
  claim that you can get reissued ... claims that have short 
  expiration dates, etc. and these long term claims, interesting 
  from privacy and security point of view.
Matt Stone:  That was a great update, both of you guys, thank you 
  very much. Pretty exciting activity going on out there? Any more 
  questions or comments on trip reports?
No other comments
Matt Stone:  So, WG membership is the next topic.

Topic: Working Group Membership

Matt Stone:  Everyone should have gotten a notice that the WG was 
  created, if you want to participate please join. The first 
  meeting will be the 16th of May. Call in information will be in 
  the invitation to members of the WG, you need to join the WG to 
  get the call in details, etc.
Matt Stone:  It's W3C member only.
Matt Stone:  We'll then be resuming work on the data model and 
  use cases and so on when we get together next.

Topic: Suggestions for next week

Matt Stone:  There are a couple of action items to finish up the 
  docs from the CG, we'll do an update on that and make sure that's 
  wrapped up. Any other topics we need to keep in mind for the 
  agenda next week?
Manu Sporny:  I'm wondering if we want to start ... there are a 
  number of people who will be on the WG call, I'm wondering if we 
  should do some preplanning on the topics we want to cover first. 
  There's a question around when we'll have a F2F meeting if we'll 
  have one in the summer, there are terminology issues we should 
  tackle up front, we'll need to bring people online pretty quickly 
  once the WG starts up, we'll want to understand what docs we want 
  to publish and we should have another discussion on that. We may 
  want to have some discussions before the WG starts up to prime 
  these discussions.
Manu Sporny:  We may want to have a discussion about that next 
  week.
Manu Sporny:  We need to come up with topics to get into the WG to be 
  ready to discuss.
Christopher Allen:  I'd like to see a new kick off for the CG. 
  The WG is going to kick off on its own. Starting fresh sort of 
  (new kickoff) with the CG would be great. There's a broader issue 
  of decentralized identity we'd like to have a place to 
  discuss/post reports, etc. and come up with new docs.
Christopher Allen:  There may be things that are in the 
  decentralized identity community that don't belong in the WG or 
  VC.
Matt Stone:  Yeah, I think accepting a narrowed charter for the 
  WG was fine given that the CG would keep working and feeding into 
  a new WG/new charter in the future. So the CG keeps working on 
  the next set of ideas.
Matt Stone:  One of the things we were talking about on the chair 
  calls as a matter of convenience, it would be nice if the CG and 
  WG calls were back to back. So many of us are participating in 
  both, if we need to slide extra time in the CG or WG we may have 
  flexibility to do that.
Christopher Allen:  Maybe that's just an agenda item and maybe 
  the CG can have a longer meeting once a month on the same day as 
  VC. Does the CG, with its new goals need to meet weekly, etc.?
Manu Sporny:  The other thing, I've been hearing this second hand 
  was to put the calls back-to-back, the other upside that I heard 
  was that it would time box the CG call if it was 30 minutes 
  before the WG, we'd see a bunch of people leave at the 30 minute 
  mark. Two one-hour calls back to back is asking a lot, but a 30 
  min CG call directly before/after the WG is a pretty good idea. 
  Everyone's just there and they've blocked the time out. The 
  benefit for having it before is there's a hard stop, whereas 
  after the call it can expand. If the chairs are diligent and it's 
  30 minutes only, to mop up after the WG, then that might work. 
  With the possibility to extend if we really need that time.
Christopher Allen:  Please not before :)
Matt Stone:  We could change the WG start time to half-past if we 
  don't want to go earlier.
Christopher Allen:  +1 On that
Matt Stone:  I'd rather not go earlier than what we're currently 
  scheduled.
Matt Stone:  Any more input?
Matt Stone:  On next week.
No other input.
Matt Stone:  That concludes our meeting for the day.

Received on Thursday, 4 May 2017 14:33:24 UTC