[MINUTES] W3C Credentials CG Call - 2018-06-12 12pm ET

Thanks to Andrew Hughes for scribing this week! The minutes
for this week's Credentials CG telecon are now available:

https://w3c-ccg.github.io/meetings/2018-06-12/

Full text of the discussion follows for W3C archival purposes.
Audio from the meeting is available as well (link provided below).

----------------------------------------------------------------
Credentials CG Telecon Minutes for 2018-06-12

Agenda:
  https://lists.w3.org/Archives/Public/public-credentials/2018Jun/0053.html
Topics:
  1. Agenda review
  2. Introductions
  3. Announcements
  4. Action items - 
    https://github.com/w3c-ccg/community/issues?q=is%3Aissue+is%3Aopen+label%3A%22action+item%22_
  5. Work items
  6. DID Method Requirements?
  7. Focal use cases
Action Items:
  1. Kim schedule BTCR planning session
  2. rgrant to send a request for DID document test cases etc to 
    the list
  3. dlongley to look at opencreds sites and move or redirect 
    content as appropriate
Organizer:
  Kim Hamilton Duffy and Joe Andrieu and Christopher Allen
Scribe:
  Andrew Hughes
Present:
  Chris Webber, Andrew Hughes, Dave Longley, Dan Burnett, 
  Christopher Allen, Markus Sabadello, Joe Andrieu, Kim Hamilton 
  Duffy, Lucas Parker, Ryan Grant, Adrian Hope-Bailie, Benjamin 
  Young, Chris Boscolo, Drummond Reed, Jarlath O'Carroll, Samantha 
  Mathews Chase, Adrian Gropper
Audio:
  https://w3c-ccg.github.io/meetings/2018-06-12/audio.ogg

Andrew Hughes is scribing.
Dave Longley: Regrets+ Manu_Sporny
Joe Andrieu:  Reviewed the agenda

Topic: Agenda review

Topic: Introductions

Joe Andrieu:  Nobody new on the call
Benjamin young: with John Wiley & Sons - co-chair of JSON-LD WG

Topic: Announcements

Joe Andrieu:  Summer Hackathon - originally was a DID-focused one
Joe Andrieu:  Want to push DID hackathon to end-Septemer now - 
  new developments coming
Dan Burnett: Can someone drop a link to MyData conf in the chat?
Markus Sabadello:  Kim will have presentation on DIDs - also an 
  Unconference, expected to have lots of did/verifiable credentials 
  talks
Dave Longley: https://mydata2018.org/
Joe Andrieu:  There will not be a ‘salon’ on the saturday 
  following myData conference - logistics don’t work out

Topic: Action items - https://github.com/w3c-ccg/community/issues?q=is%3Aissue+is%3Aopen+label%3A%22action+item%22_

Christopher Allen:  July hackathon - the idea of a broader 
  outreach hackathon is too early given the status of projects
Christopher Allen: 
Christopher Allen:  The BTCR project wants to do something in 
  July
Christopher Allen:  The idea is 9am Pacific, a standup call to 
  give fast status, then a slack channel is used to communicate 
  over the day. Monday-Friday
Christopher Allen:  Still want to do the DID outreach hackathon - 
  all methods projects - try to attract new players, walk them 
  through - exact timing TBD - probably late September/early 
  October
Kim Hamilton Duffy:  BTCR - want to coordinate to do a planning 
  session. Ryan and Dan Pape have been working on tx-ref (?) 
  encoding, C++ implementation - decide on some good outcomes for 
  the hackathon & start assigning tasks
Ryan Grant: +1 On sync-up.
Christopher Allen:  BTCR needs help on JSON-LD 1.1
Christopher Allen:  Need to know what libraries are being updated 
  to v1.1 and other details

ACTION: Kim schedule BTCR planning session

Joe Andrieu:  Discussion about moving the whole hackathon to 
  September 29/30
Joe Andrieu:  Microsoft wants to be involved. Also want to have 
  all the other projects participate in-person
Joe Andrieu:  Rebooting Web of Trust looking for venue the week 
  of September 24 in Toronto
Markus Sabadello:  Can RWOT be combined with IIW? would help with 
  travel
Markus Sabadello:  Or back-to-back weeks?
Joe Andrieu:  IIW fall 2018 is the same week as W3C TPAC
Dan Burnett: TPAC is Oct 22-26
Christopher Allen: TPAC is https://www.w3.org/2018/10/TPAC/
Christopher Allen: https://www.iiw2018.com/
Christopher Allen: Both start October 22nd.

Topic: Work items

Christopher Allen: #RebootingWebOfTrust is week of September 
  24th, likely in Toronto
Adrian Hope-Bailie:  So we have Microsoft listed in the 
  spreadsheet?
Christopher Allen: Agenda: work items report 
  https://github.com/w3c-ccg/community/blob/master/work_items.md
Adrian Hope-Bailie:  *Do
Joe Andrieu:  Need info from Manu about DID WG proposal startup 
  items
Ryan Grant:  Working on (BTCR) DID document validation - looking 
  for existing test cases and collections of compliant and 
  non-compliant DID documents
Christopher Allen: We can make a repo if an abstract is sent and 
  work item approved.
Ryan Grant: Yes, i'll send email

ACTION: rgrant to send a request for DID document test cases etc 
  to the list

Christopher Allen: https://opencreds.org/minutes/
Christopher Allen:  Need to do something with opencreds
Christopher Allen:  It was started by this community a while back 
  - github and web site - stale
Christopher Allen:  Need to move or redirect or delete content
Dave Longley:  Digital bazaar has people that worked on it - they 
  will do some cleanup and redirecting

ACTION: dlongley to look at opencreds sites and move or redirect 
  content as appropriate

Benjamin Young:  (Benjamin Young)
Microsoft is not on the implementers spreadsheet. We have uPort 
  Validbook Foundation Dominode, Inc Province of British Columbia 
  HIE of One lifeID Foundation HTC Exodus phone Veres one Sovrin 
  Danube Tech Transendx Chlu
Christopher Allen:  Did you really mean: https://www.iiw2018.com/ 
  ? [scribe assist by Chris Boscolo]
Joe Andrieu: Work item: DID Document Examples?
Benjamin Young:  Want to have DID documents to be in a repo that 
  everyone can contribute to - central repo
Chris Boscolo: That link doesn't look correct
Dave Longley: 
  https://github.com/digitalbazaar/did-io/tree/v0.7.0/tests
Dave Longley:  Did-resolvers might be listed somewhere? that 
  might be a good place to put test suites as well
Markus Sabadello: DIF Universal Resolver also has examples: 
  https://uniresolver.io/
Benjamin Young:  The DID spec should have illustrative examples
Error: (IRC nickname 'agropper_' not 
  recognized)[2018-06-12T16:31:56.508Z] <agropper_> We can add 
  resolvers to 
  https://www.google.com/url?q=https://docs.google.com/spreadsheets/d/1ZDHH1p4EBjxVqQJyO07gWOowhrsW2hrkRH2kgNzt0y0/&sa=D&ust=1528824456194000&usg=AFQjCNFHcRO_Qmw09aQafAWsAxA14tDDIA
Markus Sabadello:  The universal resolver at DIF has some 
  examples - link above
Markus Sabadello: https://github.com/w3c-ccg/did-resolution
Markus Sabadello:  Another possibility for examples at 
  did-resolution github - link above
Christopher Allen:  We need verifiable claims (test repo); need 
  signed verifiable claims (reference versions  - signed in various 
  ways); various examples of DID documents
Christopher Allen:  If a DID WG is started then it may have a 
  repo that will contain the example materials
Joe Andrieu:  The verifiable claims stuff should be in the 
  Verifiable Claims WG
Joe Andrieu: Action item: add a web page to CCG wiki with links 
  to DID document examples

Topic: DID Method Requirements?

Joe Andrieu:  We need a formal statement of what is required to 
  be declared a ‘did method’
Joe Andrieu:  Revocation is not fully consensus (does it actually 
  need revocation?)
Joe Andrieu:  Revocation - should be about key compromise
Joe Andrieu:  Rotation is also undecided - generally updating 
  transactional keys
Markus Sabadello: See discussion here about DIDs that cannot be 
  revoked/rotated: https://github.com/w3c-ccg/did-spec/pull/55
Christopher Allen:  Some did methods want to have a single key 
  with no concept of revocation or rotation - should these be 
  accepted as did methods?
Christopher Allen:  Need to set a minimum requirement to avoid 
  quality issues or security issues
Christopher Allen:  Revocation/rotation is a new/interesting 
  thing that DID methods offer
Drummond Reed: Pelle from uPort has made a case for these "single 
  key single use" DIDs. I was initially opposed but he convinced me 
  that it was okay because these types of DIDs would have their own 
  DID method that explain that they are single use with no 
  rotation.
Joe Andrieu:  Planting the seed - there are probably other open 
  issues and undecided topics - features that are supported/not
Christopher Allen: But are those DIDs revocable?
Chris Boscolo: +1 For that
Joe Andrieu: Action Item: invite comment on DID method 
  requirements on mailing list
Joe Andrieu: Fq?
Christopher Allen: There may be a risk that if we have 
  non-rotatable DIDs, the legacy identity community points to them 
  and says "but DIDs are worse then what we already offer"

Topic: Focal use cases

Joe Andrieu: 
  https://docs.google.com/document/d/1wz8sakevXzO2OSMP341w7M2LjAMZfEQaTQEm_AOs3_Q/edit?usp=sharing
Weblogin use case
Joe Andrieu: Use Case #10
Drummond Reed: FYI, the Sovrin community does not currently have 
  any use for these single-use DIDs, but uPort does.
Joe Andrieu: Ryan Grant is speaker
Ryan Grant:  References are made to the DID-Auth draft at RWOT
Kim Hamilton Duffy: Interesting, if they are single-use only (how 
  is this enforced?) then maybe revocation is less important? But 
  maybe some timebox is needed? I.e. if it's created and then 
  "immediately" used (for some definition of immediate), the window 
  for key theft is reduced
Ryan Grant:  Did-auth has a few different mechanisms described 
  for web logon - need some additional details there, probably
Ryan Grant:  Sticky wicket - don’t try to store a password - just 
  ask for proof of control of the did (presumably did-auth?)
Joe Andrieu: I like the point that DIDs separate proof from the 
  identifier
Andrew Hughes:  Yes, Did Auth.  example here: 
  https://github.com/WebOfTrustInfo/rebooting-the-web-of-trust-spring2018/blob/master/draft-documents/did_auth_draft.md#did-auth-architecture-6-web-page-and-web-browser 
  [scribe assist by Ryan Grant]
Kim Hamilton Duffy:  Would like more info about how “single key 
  single use” works re revocation - is the window of threat small 
  enough to not need it
Use Case #11
Joe Andrieu:  Use case came from verifiable credentials use case 
  discussion
Joe Andrieu:  Better use case for dids than for verifiable 
  credentials
Chris Boscolo: Where is the appropriate place to have this DID 
  method discussion? (here/mailing list/some other chat chanel...)
Joe Andrieu:  University students have access to other university 
  library - typical approach is to whitelist based on attributes 
  provided from home university
Joe Andrieu:  What would this look like using dids?
Kim Hamilton Duffy: I liked Christopher's point that Tzviya's use 
  case is a great one for DIDs + OCAP
Joe Andrieu:  Or object capabilities?
Dan Burnett: Sounds like a special case of Single Sign On
Chris Webber:  Ocap-ld - need to have some cryptographic material 
  that has been authorized to do something - this might be 
  student’s did or derived from their student id
Chris Webber:  The ocap way - a university would get a capability 
  to access the library - then assign it to your did
Dcc: need to understand how the licensing model works for 
  libraries to make sure the use case is accurate
Dcc: not sure the use case works as described
Kim Hamilton Duffy: Curious for more context from Tziya or 
  someone else at Wiley on the call. Seems like they'd have domain 
  knowledge there :)
Joe Andrieu:  Yes, it’s probably that we are missing the point 
  from the use case
Chris Webber:  Note - there is a way to deal with prohibiting 
  delegation (split contract)
Benjamin Young:  Tzviya is Ben’s boss - ra21.org is looking at 
  this problem - one thing is the ‘access by vpn’ - restrictions 
  are IP filters so hard to do individual control of access
Benjamin Young:  Would like to be able to do individual-based 
  access control with verifiable credentials
Using keys directly works fine.  Why use a DID?
Dave Longley: Lots of options for this use case ... ocap, 
  credential handler API, so on ... all related to DIDs.
Joe Andrieu:  Defer prescription use case to next call
Dave Longley: Dcc: one reason to use a DID is so that when you're 
  with UNC and you leave and go to NC your DID is not tied to 
  either

Received on Thursday, 14 June 2018 15:32:57 UTC