[MINUTES] W3C Credentials CG Call - 2018-03-20 12pm ET

Thanks to Andrew Hughes for scribing this week! The minutes
for this week's Credentials CG telecon are now available:

https://w3c-ccg.github.io/meetings/2018-03-20/

Full text of the discussion follows for W3C archival purposes.
Audio from the meeting is available as well (link provided below).

----------------------------------------------------------------
Credentials CG Telecon Minutes for 2018-03-20

Agenda:
  https://lists.w3.org/Archives/Public/public-credentials/2018Mar/0011.html
Topics:
  1. Introductions
  2. Announcements
  3. Current action items progress
  4. Work items
  5. DID-based Authentication (DID-Auth)
Resolutions:
  1. Adopt MyData panel at Helsinki as a CG work item.
Organizer:
  Joe Andrieu
Scribe:
  Andrew Hughes
Present:
  Joe Andrieu, Andrew Hughes, Heather Vescent, Alberto Elias, Manu 
  Sporny, Ed Eykholt, Kaliya Young, David Challener, Kim Hamilton 
  Duffy, Christopher Allen, Markus Sabadello, Dave Longley, Kyle 
  Den Hartog, Moses Ma, Ryan Grant, Dennis Yurkevich, Lionel 
  Wolberger, Kerri Lemoie
Audio:
  https://w3c-ccg.github.io/meetings/2018-03-20/audio.ogg

Andrew Hughes is scribing.
Heather Vescent: Also, you can put me on the scribe list.
Alberto Elias: No luck joining the call
Joe Andrieu:  Reminded everyone of the IPR policy
Manu Sporny:  Requested an upgrade for the number of simultaneous 
  channels that Digital Bazaar can support (up to 50) - waiting for 
  pricing

Topic: Introductions

Ed Eykholt:  Hi, I'm part of Pithya, part of the RChain 
  initiative, looking into Decentralized Identifiers and Verifiable 
  Credentials.
Kaliya Young: Hi everyone, my name is Kaliya Young also known as 
  Identity Woman on the Internet. I'm one of the co-founders of the 
  Internet Identity Workshop. Good to be here and participating.
Heather Vescent: Great to see you @Identitywoman!!!

Topic: Announcements

Joe Andrieu:  Upcoming events - see the agenda for a list
David Challener: IIW26 soon.
Joe Andrieu:  Need to have a hackathon to introduce the 
  technology for new developers - should probably be a new Work 
  Item - figuring out how. To happen over the summer - need 
  supporting materials etc

Topic: Current action items progress

Kim Hamilton Duffy:  New action items were added last week - but 
  they are not on the current action item list - will be added for 
  next week
Joe Andrieu:  Chairs were asked if ccg will do something at TPAC?
Manu Sporny:  Yes.
Manu Sporny:  But we have to prepare well
Manu Sporny:  Should focus heavily on DIDs - to get everyone up 
  to speed and more comfortable with the work
Kim Hamilton Duffy: Chairs to ensure that work items are sticky 
  and have the right company support. Chairs to find people to 
  produce DID use cases. Chairs to find people to produce DID 
  charter. Chairs to drum up W3C Member company support for DID WG. 
  Chairs to find people to work on DID test suite.
Kim Hamilton Duffy:  Will add TPAC prep to permanent list of 
  action items

Topic: Work items

Kim Hamilton Duffy:  First meeting of Educational and 
  Occupational Verifiable Credentials group - meeting info was sent 
  to list
  … OpenBadges/VC alignment has started
  … first meeting will be to ask the group about priorities. Kim 
  to resend invitation to ccg list
Joe Andrieu:  Summertime timezone chaos is underway for another 
  week - pay attention to UTC time of any calls
Joe Andrieu:  Seeking to add DID-Auth as a formal work item - 
  need a lead author
Kim Hamilton Duffy: EDU/OCC Verifiable Credentials meeting info: 
  https://lists.w3.org/Archives/Public/public-credentials/2018Mar/0043.html
Christopher Allen:  MyData conference - Helsinki - last week of 
  August - invited to participate in a panel - DID VC/ccg focus
  … want to talk specifically about DID-Auth proposal
Markus Sabadello:  The idea for mydata is to have a DID session 
  of some kind
  … 3-4 people / implementers to present what they are doing. 
  lots of audience that would not know what DIDs are & significance
  … Kim? Ruben? Sovrin people? Talk about their specific DID 
  method etc
  … to demonstrate that DIDs are interoperable
Joe Andrieu:  The Chairs want to support this
Kaliya Young: I am also working with the myData organizers to 
  organize an "un conference" within the MyData conference
Joe Andrieu:  Clearly there’s lots of support for this - so it 
  can become a work item.
Joe Andrieu:  Markus to lead - ccg will support
Markus Sabadello:  The call for proposals is still open - please 
  submit
Heather Vescent: I will be in the UK that week, so could meet 
  somewhere before/after if there is a RWOT.
Christopher Allen:  If you plan to attend, please inform Chairs 
  to help organize mini-rebooting web of trust session (RWOT)
Joe Andrieu:  Any other status updates? (nope)

RESOLUTION: Adopt MyData panel at Helsinki as a CG work item.

Topic: DID-based Authentication (DID-Auth)

Joe Andrieu:  Markus to talk about DID-Auth. At the highest 
  level, using DIDs for Authentication (NOT Authorization :)
Markus Sabadello:  DID-Auth - process or ceremony to prove 
  control of a DID
Manu Sporny: Example of Browser-based DID Authentication: 
  https://w3c-ccg.github.io/credential-handler-api/
Markus Sabadello:  It gets complex when covering different use 
  cases / scenarios; e.g. web authentication, mutual authentication 
  (like TLS authentication), service authentication. Many different 
  ways to prove control (signatures/crypto; biometric)
Markus Sabadello:  Still need to clarify/refine scope and outline 
  of what DID-Auth exactly is and represents
Markus Sabadello:  Hartog and markus_sabadello submitted topic 
  papers to RWOT. A draft paper came out of RWOT
Markus Sabadello:  Draft paper needs to decide/define what is and 
  is not DID-Auth - eg email signatures?
Markus Sabadello: RWoT DID Auth draft: 
  https://github.com/WebOfTrustInfo/rebooting-the-web-of-trust-spring2018/blob/master/draft-documents/did_auth_draft.md
Markus Sabadello: RWoT topic paper by Markus: 
  https://github.com/WebOfTrustInfo/rebooting-the-web-of-trust-spring2018/blob/master/topics-and-advance-readings/DID%20Auth:%20Scope,%20Formats,%20and%20Protocols.md
Markus Sabadello: RWoT topic paper by Kyle: 
  https://github.com/WebOfTrustInfo/rebooting-the-web-of-trust-spring2018/blob/master/topics-and-advance-readings/DID-Auth%20protocol.md
Dave Longley: This page has links to browser-based DID Auth demo 
  and video: https://github.com/w3c-ccg/credential-handler-api
Christopher Allen:  Question - before RWOT meeting, lots of 
  questions about what DID-Auth was supposed to be - did RWOT help 
  to reconcile that question? Are there still different views on 
  what it is? Should the abstract focus on more requirements?
Christopher Allen:  E.g. with DID the first paper was 
  requirements (not a spec)
Manu Sporny: Video demo of browser-based DID Authentication - 
  https://www.youtube.com/watch?v=bm3XBPB4cFY
Kyle Den Hartog:  At RWOT we scoped it down - DID-Auth does not 
  include authorization. Can be done in a few different ways.
Kaliya Young: It shouldn't include authorization - authentication 
  and authorization are different
Kyle Den Hartog:  Concern is how to do an interoperable 
  authentication protocol - that's where the issues will lie - 
  requirements will help clarify the concerns that need to be 
  resolved
Kyle Den Hartog:  Maybe implementations might have their own 
  ‘method specs’ in the same way the DID spec evolved
Christopher Allen:  What are next steps?
Heather Vescent: Mixes well with some ambient background music.
Christopher Allen:  Does markus_sabadello think that refocusing 
  on Requirements is the next step?
Joe Andrieu: Chris, could you restate your question for Markus?
Moses Ma: I had one question - Question: does anyone have a 
  functional block diagram for how DID and DIDauth work? Please 
  send to me - moses.ma@futurelabconsulting.com
Andrew Hughes:  Moses - we are developing sequence diagrams for 
  the DID-Auth paper
Joe Andrieu: Chris?
Joe Andrieu: You had a question for Markus
Markus Sabadello: I think next steps are to continue work on the 
  DID Auth RWoT paper to define scope and the various forms DID 
  Auth can take (browser based, qr scanning with mobile, DID Auth 
  service endpoint, DID-TLS, etc.), and incorporate content from 
  Kyle's and my topic papers.
Markus Sabadello: And ask for input from this group about what is 
  DID Auth and what is not DID Auth.
Markus Sabadello: And have at least 10 IIW sessions about it :)
Joe Andrieu: =)
Joe Andrieu: Definitely some IIW sessions.
Andrew Hughes:  One thing we did talk about at RWOT is that 
  DID-Auth requires _cryptographic_ proof of control - not other 
  types of ‘proof’
Manu Sporny: So, I guess the question is how many IIW sessions 
  and when?
Manu Sporny: I'm concerned that we may need to do some more 
  front-running/planning for that event.
Markus Sabadello: I can also demo DID Auth components I built for 
  BCGov. This includes use of HTTP Signatures and Verifiable 
  Credentials similar (but not equal) to the browser Credential 
  Handler API.
Christopher Allen: (…Or at least one cryptographic proof of 
  control)
Andrew Hughes:  _Cryptographic_ proof means that we had to focus 
  on the keys - we put a simplified flow into the document so that 
  we can ‘test’ scenarios to see if they fit the DID-Auth pattern
Andrew Hughes:  It was useful to avoid talking about 
  authorization
Kaliya Young: I just hung up - I literally couldn't hear anything
Joe Andrieu: One question for me is whether or not DID-AUTH is 
  only about control of the DID, e.g., the right to update the DID 
  document, or does it also include work flows for logging in AS 
  the referent of the DID, which might use keys or methods other 
  than master key proof of control.
Markus Sabadello: Regarding authorization, I agree that's out of 
  scope for DID Auth, but the data formats and flows are related. 
  If you look at the Credential Handler API, or if you look at 
  uPort, then "proving control of an identifier" is not so 
  different from "proving something else".
Dave Longley: Was wondering if anyone working on DID-based TLS 
  looked into potentially defining a new `TokenBindingID` type of 
  DID (see 
  https://tools.ietf.org/html/draft-ietf-tokbind-protocol-16 and 
  https://tools.ietf.org/html/draft-ietf-tokbind-https-12)
Manu Sporny: Markus_sabadello and Hartog, what's next wrt. DID 
  Auth - it feels like we're kinda all over the place with it... 
  use cases, requirements?
Manu Sporny: Where is the focus going to be? Fundamentally, there 
  needs to be a spec if we're going to drive toward a standard of 
  any kind.
Christopher Allen: I would like to see Markus and team continue 
  to work on the RWoT paper, but separately I'd like to see a CCG 
  work item abstract for a requirements, which may be less than 
  RWoT paper.
Manu Sporny: There also has to be deployment... who's deploying 
  this stuff commercially in the next year or so?
Christopher Allen: I'd like to see a goal that we have a 
  requirements document suitable for CCG use by summer.
Christopher Allen: (Done)
Joe Andrieu: Chris, you bring up a good point. The RWOT paper is 
  *not* a CCG work item, although once written, could be the 
  foundation for or input to a CCG work item.
Kyle Den Hartog: Two things: I know there's concerns about zoom, 
  but in order to continue this call today I can supply a zoom room 
  until we resolve SIP concerns. Anyone opposed to that idea?
Joe Andrieu: Thanks, Kyle. I think we are better off making the 
  most of IRC in the limited time we have left.
Markus Sabadello: I think the RWoT paper should be an initial 
  overview of requirements, flows, data formats, to get to a common 
  understanding what is DID Auth. It also has examples, but it's 
  not going to be a spec.
Kyle Den Hartog: Second: I'd primarily like to see a requirements 
  doc be built in parallel to the RWoT paper with the CCG work 
  coming out to be the standard based work.
Alberto Elias: I think we're already covering requirements in the 
  RWoT paper, as that sets the line for the rest of the paper
Ryan Grant: Joe, I can answer this one quickly.  BTCR will not do 
  any DID-auth for authorization to control the DID, since its 
  authorization is rooted in access to keys on the blockchain that 
  DID-auth cannot refuse.
Kaliya Young: Can someone please post a link to the RWoT paper we 
  are talking about :)  thanks
Alberto Elias: 
  https://github.com/WebOfTrustInfo/rebooting-the-web-of-trust-spring2018/blob/master/draft-documents/did_auth_draft.md
Joe Andrieu: Thanks, rgrant
Kyle Den Hartog: @Alberto, great point, now that I think about it 
  we did address this fairly well, we just need feedback on it from 
  the larger community.
Joe Andrieu: And thanks, albertoalias
Joe Andrieu: Markus, would it be appropriate to ask folks to 
  review the current doc and provide feedback?
Joe Andrieu: What would be the best venue for that? Issues?
Joe Andrieu: Thanks, dlongley
Markus Sabadello: Yes if people have time, reviewing that draft 
  paper (and Kyle's and my topic papers) would be helpful.
Markus Sabadello: There's also a did-auth channel on the 
  weboftrustinfo slack.
Ryan Grant: Sorry, already done.
Kyle Den Hartog: @Joe, I'd suggest github issues in the RWoT repo 
  being used, but I'm not opposed to the RWoT slack channel to 
  facilitate discussion
Joe Andrieu: Ok.
Joe Andrieu: Kyle, could you send an email to the list with the 
  URL and ask for feedback on Github?
Kyle Den Hartog: Yea, I can do that
Joe Andrieu: Perfect.
Dennis Yurkevich: Markus_sabadello how does one join the RWOT 
  slack?
Joe Andrieu: Sorry for the technical challenges folks.
Joe Andrieu: Chris, for the slack, they should email Shannon?
Dennis Yurkevich:  Go to weboftrust.info and follow the 
  instructions
Joe Andrieu: Perfect. Thanks, Andrew
Andrew Hughes:  The links to the github repos for all the RWOT 
  events are there too
Andrew Hughes:  And the published papers
Joe Andrieu: With that, let's draw this meeting to a close. Does 
  anyone have any parting comments?
Joe Andrieu: Oh.
Joe Andrieu: I do. =)
Joe Andrieu: Who will be editor(s) of the DID-Auth output of the 
  CCG?
Joe Andrieu: (Not the RWOT paper)

Received on Tuesday, 20 March 2018 21:30:01 UTC