- From: <kimdhamilton@gmail.com>
- Date: Fri, 09 Aug 2019 19:57:22 -0700
- To: Credentials CG <public-credentials@w3.org>
Thanks to Amy Guy for scribing this week! The minutes for this week's Credentials CG telecon are now available: https://w3c-ccg.github.io/meetings/2019-07-30/ Full text of the discussion follows for W3C archival purposes. Audio from the meeting is available as well (link provided below). ---------------------------------------------------------------- Credentials CG Telecon Minutes for 2019-07-30 Agenda: https://lists.w3.org/Archives/Public/public-credentials/2019Jul/0074.html Topics: 1. intros and reintros 2. announcements and reminders 3. Progresson action items 4. Standards setting process Organizer: Christopher Allen and Kim Hamilton Duffy and Joe Andrieu Scribe: Amy Guy Present: Ted Thibodeau, Jonathan Holt, Joe Andrieu, Brent Zundel, Adrian Gropper, Manu Sporny, Amy Guy, Shivam Sethi, Justin Richer, Christopher Allen, Dave Longley, Dmitri Zagidulin, Yancy Ribbens, David I. Lehn, Heather Vescent, Drummond Reed, Jeff Orgel, Ryan Grant, Kayode Ezike, Kaliya Young, Dan Burnett, Ken Ebert, Sam Smith Audio: https://w3c-ccg.github.io/meetings/2019-07-30/audio.ogg +Present Andrew Jones DB Joe Andrieu: The call today is going to focus on what comes after DIDs? [scribe assist by Manu Sporny] Joe Andrieu: We're looking for what's the next big chunk - it'll take 4-5 years to incubate, work on a WG, take it through W3C process. We want to explore in an open ended way... what's worth our time? [scribe assist by Manu Sporny] Joe Andrieu: That's going to be our conversation today. [scribe assist by Manu Sporny] Manu Sporny: Joe provides Public IP Note - please sign the CCG Contribution Agreement, or don't make substantive contributions. Amy Guy is scribing. Joe Andrieu: If for some reason you're only on irc, please q+ anyway Topic: intros and reintros Joe Andrieu: Anyone who for this is their first call? Shivam Sethi: I was part of the DID calls but for the CCG this is the first call I am joining ... I'm from an Indian based company (?) Joe Andrieu: Anyone else new? ... How about a reintro Joe Andrieu: Invokes stonematt to reintro? Adrian Gropper: I'm CTO of a nonprofit called patient privacy rights, my role in this community is because there's an open source project that I'd like to think is a reference implementation ofhow VCs and DIDs can be used to manage health records ... We've implemented uPort about 3 years ago and are looking forward to aligning with the standard ... at the rate our developer (one person) can adapt ... One interesting tidbit, for 3 years I've been involved in the health records infrastructure for India ... Right now as of a week ago it's become a formal government policy, how they want to deal with medical identity, how they want to link it to adhaar and decentralised identity is one of the proposals, which they consider a little bit out there but it's actually under consideration Joe Andrieu: Thanks for the update, very cool Topic: announcements and reminders Joe Andrieu: Still doing dedicated DID calls on thursday Drummond Reed: We did skip last week, we'll be on this week and next week and then i'll be gone for 2 weeks but if markus and others are willing to keep going we'll keep going. We have until assumign there's a go ahead with the vote on the WG we have until that group formally starts, which I think would be at tpac Joe Andrieu: Next week August 5-9 we have the btcr hackathon Joe Andrieu: https://weboftrustinfo.github.io/btcr-hackathon-2019/ ... It's virtual, we'll be having a conference call on a daily basis ... please come join us. We're focussed on btcr, there are some other related issues around credentials and DIDs in general that are fair game ... We'd love to have you join us Joe Andrieu: Vienna Digital Identity Meetup September 1st, Sunday before RWOT ... The idea is a conversation witht he local community in vienna and people who are going to rebooting will take the train the next day and head up there Joe Andrieu: http://rwot9.eventbrite.com Joe Andrieu: And RWOT9 is after that ... August 18th is our next deadline for advanced topic papers ... Then after RWOT9 in Prague, the folks involved with ActivityPub are putting together a face to face https://dustycloud.org/blog/activitypub-conf-2019/ Drummond Reed: Ah, I didn't realize that producing a CCG Community Final Draft take a month. Manu Sporny: We need to produce a FCGS and get people to sign off on the IPR for when it goes into the WG ... It takes a week to prepare the doc, a week to give people notice, then 2 weeks for the IPR committments before we move it over to the WG ... Based on where we are we should start on that process this week Christopher Allen: What day is 4 weeks before tpac Shivam Sethi: First concern I tried to convert the minutes of the calls but there are some issues with the script, I couldn't get it working, maybe someone could help me, in future I can do that Drummond Reed: Agreed ... Second concern was I was thinking to push a document related to ?? iot devices using DID, there won't be any personal information, openID authentication to manage IOT devices Manu Sporny: This would be something for the DID Use Cases document... Shivam Sethi: Ok ,Thanks Chris Christopher Allen: We do appreciate you working on converting the minutes! Drummond Reed: I had no idea it was a 4 week process to get the community final draft ... What I wanted to find out from manu is does that mean that by tpac we have to finalise something this week or can we get until next week? Christopher Allen: I think we have 2 weeks. Hi, may I introduce myself if we're still doing introductions? sorry for joining late Manu Sporny: It takes roughly 4 weeks, the fastes I've seen it happen is 2 weeks but that was a tiny group. We could do that drummond,t he most important thing is that we get that document in shape ideally it would have been done before the charter went out for review. The next deadline is before the WG starts ... In theory that should be before tpac ... probably a week before tpac ... that is our last date ... if we work backwards from there we can start in the last week of august but that would be cutting it really close Drummond Reed: This week and next week's DID spec calls will be for that ... I'll make sure markus is around. Anyone else with issues youw ant resolved in the next 2 weeks, we'll get it ready for review Manu Sporny: Yes I can make it Drummond Reed: We can talk about what we need to get done and what the process will be like Christopher Allen: What I would like to see is a last day we can put into our announcements for the next couple of meetings. The first thursday that drummond is back that we say last call for comments is that thursday ... That friday the editors are closing it for all comments and can take a few days to prepare a final version ... but have that very prominent what those two days are, we announce it Manu Sporny: We should not ask for comments, that will open us to comments ... we should say this CG.. we're cutting a version of the spec, we know it's incomplete, we're handing it over to the WG. Say that and wait for any kind of objections. But objections at this point, there's no outcome for objecting to handing it to a WG ... butw e can open it up to objections ... We just announce at this date the editors are cutting a final CG spec, we will be gathering IPR over the next couple of weeks and leave it at that Joe Andrieu: Ask sumita Sumita: I work at USA(?) which is a financial institution. Our interest is to pursue a blockchain solution for self sovereign identity. I've been reading a lot and it sounds like what you are doing is what we need to get involved with ... Is there anyone from a financial instituion here? Do we have private sector folks involved? Drummond Reed: I can't say that many of us here working on this are working .. .I work for evernym.. that are doing exactly what you just said. Working on adopting self soverign identity to address the problems of financial.. I just left a call about this.. A consortium of a credit unions which focusses on blockchain tech for credit unions have chosen SSI as a focus for what they're doing. You're certainly in the right place. ... THere are lots of materials available, happy to share Sumita: Just wanted to make sure I stumbled into the right room, I'll bring some of my colleagues into the next meeting Ryan Grant: Very glad to have you! Drummond Reed: Great! Welcome. Heather Vescent: It's really exciting that USAA is getting involved in this. You are really innovative. I am a consultant, I've worked with a variety of different companies including banks exploring this space ... I wrote this report with kaliya on npe identity looking at use cases or market gaps from the private sector having to do with banking and finance ... you might be interested, it is public Heather Vescent: NPE report: https://app.convertkit.com/landing_pages/457406 ... If you want more info I'm happy to walk you through what we've learned ... Primarily the report talks about the application of .. it does not specifically talk about the impact of SSI for individuals, it was exploring SSI for other legal entities and non human identity ... If that's interesting regarding LEI or risk management, or if you are primarily focussed on the individual identity ... I'll reiterate, ?? is doing some interesting stuff, and atb bank in canada have been doing interesting stuff on that too Joe Andrieu: Ls ... Feel free to reach out Joe Andrieu: https://www.youtube.com/watch?v=7KrSw81F4Us Joe Andrieu: We do have demos from the RWOT8, there's a presentation with raabobank with SSI Joe Andrieu: TPAC will be in Japan in September 16-20 Kaliya Young: Also I've talked to Sendander bank in Spain who has dabbled in exploring SSI ... The CCG does not have a space assigned but I do think we'll have a DID WG meeting of some flavour there ... MyData is at the tail end of September, 25-27 in Helsinki Topic: Progresson action items ... LD key format registry administrivia ... Did we assign this to you last week dmitriz? Your question from 2 weeks ago is what do we need to do Dmitri Zagidulin: I don't know, I left the comment on the issue asking to clarify Joe Andrieu: https://github.com/w3c-ccg/community/issues/56 Christopher Allen: My understanding is this particular document needed to have some sections added to it Manu Sporny: https://w3c-ccg.github.io/ld-cryptosuite-registry/ Manu Sporny: We had a registry called the linked data key format registry, we moved to change it to the cryptography suite registry. The purpose of the registry is to have a full list of all the crypto suites we support ... anything you need for ldproofs which we use for VCs, and a few other things ... the registry exists now and to finish off this issue we need to add a couple of sections in there Manu Sporny: https://w3c-ccg.github.io/ld-cryptosuite-registry/#ed25519signature2018 ... right now we don't have key formats ... we have a link to the spec but we don't talk about the key ???? make the registry a bit more clean ... we have verification methods and key formats. We should split the registry into two things. It should have a section for verification methods and a new sectionf or key formats. That's it ... that's all we need to do, add some editorial stuff around it Dmitri Zagidulin: I think I understand I can do it (Probably :p) Manu Sporny: Thx rhiaro ! :) Manu Sporny: Also, ping me if there is any confusion, I think I know what needs to be done. Dmitri Zagidulin: I'll help Topic: Standards setting process Joe Andrieu: Some of the ideas we've kicked around about what's after DIDs, we've had conversations amongst chairs and community leaders, every idea that has come up has been we need to get the implementers into our conversation ... What is worth spending 5 years on that will advance the work of the CCG in the most effective way? ... We're going to be talkinga bout it for a couple of months, and at the meetings in september ... Try to get a sense of what's over the next horizon Manu Sporny: These things tend to go in 3 stages ... The first is the ideation process. This is what we depend on the IIW, RWOT, DWeb summit, conferences that happen, new ideas thrown out there, get momentum, until they get to a point people want to work on it ... Eg. for VC stuff ideation happened between the RWOT was one of the first places, moved to IIW and between RWOT and IIW the idea was kicked back and forth until it got to the point that there was a spec and it moved through the rest of the process. Same with DIDs. ... The first stage is ideation, doesn't happen here typically, this place is the second step in the process, which is incubation ... You come up with an diea that's stage 1. Stage 2 is incubate the idea. People start writing waht the first spec might be, putting pen to paper and talking about the thing and refining it ... That's more or less what this group does ... What we're trying to do is take these ideas, get someone to write about them, then get devs to implement them. Refine it, play around, incubate it. That's what the CG is about. At a certain point in time it hits the stage where it's ready for global standardization ... We decide where to put that work. Might go to the IETF if it's a low level protocal. OASIS if it's to do with business processes. Might go to the W3C if it has to do with the web or application layer stuff. Fundamentally we find the place where it should be globally standardized and send it off to the third stage ... The third stage is standardization at a standards setting body. These are special organisations, from a legal perspective they cover what it means. The timeline for those things... The three stages, ideation, incubation, standardization. Ideation stage can take anywhere from 6 months to 5 years. Who knows, sometimes it takes a long time for certain ideas to take hold ... The incubation stage takes about 1-2 years, and standardization takes 2 years ... Usually a 5 year process form idea to global standard. Sounds long but it goes by really quickly. The last 5 years are a blur to many people involved in VCs Joe Andrieu: It takes a while to get this stuff. What I'm looking at as a co-chair, is trying to work out what is worth 5 years of focussed attention that is aligned with the mission and community here of the CCG ... Now I want to open it up ... Some other folks have had some ideas ... Hop on the queue Christopher Allen: Speaking as chair with Joe and Kim, one of the question we have is where are the places that a multi year process of getting to an international standard is absolutely required or appropriate vs other things that we want to support or build that don't necessarily need to go through the entire international standardization process ... There are a lot of things where we can create an API or a recommendation that does not have the standing of an international standard and it can end here. We don't have to go through the entire process end to end ... Part of what I'm tryign to filter is what are the things that really deserve standardization. These are the things epople can use APIs, propocols, data formats etc, as a way to lock in to a single model, a single approach that doesn't allow for competition and collaboration ... Taking my hat off I know some of my pain points are how do we ??? ... how do you request a verifiable credential, a verifable presentation. How do you do so in a data minimizing protocol way. I do'nt want a static give me yoru VC, I want a negotiation between two parties so they can determine the max the client is going to give and the minimum the rquester is going to get. There's going to be a data minimization dance there ... That's a pain point for me right now Dave Longley: +1 To work on standardizing VC/VP queries ... Another is that we still don't have cryptographically reviewed signature proofs and things of that nature ... We need to be thinking not only about zero knowlege ways and blinding, but data minimization. Do we recommend to issuers they issue every single attirbute individually by itself so a person has a package of 100 claims with 100 attributes, or do we come up with some other scheme wehre they don't have to give proofs for all of those entries ... Those are my early pain points. I need answers like, this fall. Adrian Gropper: Going forward from the data minimization. I want to put a plug in for working on the self soverign agent as a service endpoint in the DID Document. It seems there's a lot of evidence that this is really the next thing that needs to be standardized. The evidence being conversations in DIF and Hyperledger Ares around this which I don't think is converging particularly quickly and I think it needs a very strong dose of the kind of incubation That this group is able to do. To link this proposal to what Chris was just saying, a major component of having an agent as a service endpoint is to negotitate back and forth semi autonomosuly for this data minimization point Joe Andrieu: One of the ideas i've floated in most conversations, may not survive the bubble up in prioritization, but it seems to me an API for how you interact with a wallet would be very useful. The wallet is one of the key points of leverage in this whole ecosystem, if we want software from different parties to be ablet o interact with a variety of wallets some sort of API there would be useufl. I see it in the way that the DOM API int he browser Gives JS a standard way to interact with the Document Object Model ... Also to have formal guarantees about what's behind that API ... That may include guarantees about where keys are stored or what kind of keys are generated. THe idea is an API that has deep guarantees about cryptographic proof or process. ... that's somethign I could see us working on Jonathan Holt: Seems to be a lot of overlap with the DID comm(?) coming out of project Ares ... How do we interact and create a synergistic goal with those other groups Joe Andrieu: Great question Drummond Reed: +1 To synergy with DIDComm at the Hyperledger Aries project Drummond Reed: I was going to amplify what jonathan was saying. Standardizing the API for the wallet and the interactions, the protocols for key exchange and accessing and sending messages to the wallet, th whole dkms project that we've undertaken to develop interopeable decentralized key management is part of what's being implemented at hyperledger aries ... I want to reinforce what jonathan was saying. We should figure out how to work togehter with that group Christopher Allen: Want to add to the agenda the things the CCG can help with which is the area around the nature of what's in a verifiable presentation, how they're packaged up, what is the schemas within those so we can exchange things ... Feels like there isn't a standard for educational claims per se that everybody agrees to. W3C already has some schemas around education. Obviously blockcerts and some of the other educational things are working on that, I'd like to see that reach anotehr level of interop ... I'm very interested in peer claims, how does one person issue a claim rather than it coming from some authority that is major ... How does peer claims work from an individual ... I will say peer claims between issuers will also be imporatn. DMV giving a peer claim to one in another state ... There's a lot of stuff in the actual details of interop the claim data ... There's a bunch ofinterop expectations that people have because of DIDs, and the reality is that the various domains of message can't talk with each other, they use different proof methods, different keys etc ... We need to begin bridging some of those ... There's a meeting in wyoming in september where I'm really hoping to be able to present some solutions around corporate records ... I already know from them they don't want to select a single DID method or a single vendor. They want to say we can work with multiples of those. The reality is we can't actually meet that expectation. Sovrin can't work with btcr or veres1 or the uport variants ... Figuring out where we can begin to interop, there are some small wins in being able to valdiate each others' claims and be able to have a mutual key on two chains(?) but the market will demand we can do more than that Joe Andrieu: There's an evolving relationship with DIF. We're glad that kim is involved over at DIF. My understanding is that's largely about implementation. I see it as proof of concept and proof of an approach which we'd like to fold into whatever standards work we might start down the pipeline Dmitri Zagidulin: Two topics hinted at ... THe use of credentials in authentication and authorization Just wanted to say congratulations folks. ... We've been very careful int he VC community to say VCs by themselves are not to be used for active control(?) ... a lot of people view the natural next step is to build that next layer up, using DIDs and VCs in actual authentication protocols ... Ir ealise that Aries and DIF have already started working on that Dave Longley: S/active control/access control/ Sumita: have we heard anything from plastic manufacturers? Not sure about the international market.. Ken Ebert: I wanted to talk abot the interop issue. To verify the formats for signature styles that are not native, eg. sovrin doesn't use jwts natively but we should be able to recognise it. And using the types so interop becomes more universal. That's all going on in Aries right now. Beginning stages are happening, nowhere near beinga ble to issue a different type of credential Joe Andrieu: How do you see us being able to work with the work at Aries? Ken Ebert: The main focus is to first establish interop between various issuers of credentials, also focus on universal wallet standards to be able to collect and stores those types of credentials. Part of that project is the separation out of things specific to hyperledger indy or sovrin to a layer below so other ledgers can plug in and operate with the higher level layers that operate with the storage of credentials ... This community can be helpful in provding input and contributing signature styles and interop of their own favourite flavour so we can coalesce some of those things Sam Smith: SOmething that came up at the solid workshop was vcards and I was thinkign dmitriz could speak to it better, but it seems like a verifiable vcard you could share would be a really cool first use case before a wallet because that would be something that touches human and would be a clear data shape based off what's already there Manu Sporny: Should we do this again next week? Many ideas. But with a focus on hearing from people we don't normally hear from Heather Vescent: A++ maybe do a survey? ;-) ... I'd really like to hear from the people we don't hear from on a regular basis. Maybe some of the newer people, just to get some more input Heather Vescent: Also, we did ask a similar question on the EOD survey Heather Vescent: So we can take those as one data points moving forward ... heather is saying maybe do a survey. In some cases it's really difficult for people new to speak up. It can be intimidating. That's where written communication is good. Maybe through the mailing list. But on the call one of the things we need to do better is make space for other people to talk on here ... We shouldnt' be picky about how we gather the data. Hit us with a flood of info and we can sort it out Joe Andrieu: +1 To more voices and a future call ... I'm going to run down a list pretty quicky, I sent it to the mailing list Heather Vescent: Capital One data breach, yay! ... Today there was another massive data breach, people lost their PII for the fifitieth time. THere is a quesiton around data portability. We're going to store these VCs and our health records somewhere. How do we make sure it's ours and not locked into another vendor? The secure data hubs, identiy hubs work, hyperledger aries is very imporant, but focussing encrypted data portability is something we have in common ... And +1 the interop problem that we have ... We're all implementing to the standard but we're still not interoperable with one another. Includes wallet issuer, verifier, DID interop ... Takes constant tending to make sure that works ... Also +1 for how we get VCs from point A to point B. There is a credentail handler API around for a while, does achieve some things, but clearly other things it doens't like data minimization ... Linked data proofs and signatures stuff is hard thankless work but does needs to be done ... The formatily of the digital signatures andc ryotpgraphic proofs, we need to work on that ... There is VC 1.1 and extensions, we're not done with VCs Drummond Reed: Just to make sure Sumita gets her answer RE Idemia: there have been many months of discussions within the driver license industry about the arrival of open standard verifiable credentials and SSI architecture. Idemia has not been in favor of adopting it but hopefully that will change. IBM has been very involved in these discussions along with Evernym and others. ... We need to help people get it out in industry ... Then of course the registries work ... All that's technical work. There's also nontechnical work we need to do Dave Longley: +1 To focusing on common APIs, backend agent communication and Credential Handler API for user interaction via Web browser, DKMS for backend key management, Web KMS for Web apps, +1 for common VC/VP query formats ... Nonviolent communication discussion recently. There cotinues to be friction between various communities and people and we should attempt to tend to that on a continuing basis ... The other thing is field work. There have been concerns we are coming up with use cases without contact with the problem ... If we're going to work on refugee or online bullying use cases we should go and working with people who work with that on a week to week basis ... We do have a communication problem. it's really easy for us to discuss these things in this group but it is drinking from a massive firehose to join the group and we need to get better at communicating our ideas ... RWOT and IIW help to some extent, but a well written one pager about DIDs or VCs or secure data hubs, would help us go out and talk to other people about it or empower other people to talk about the work we're doing here ... I'd really like during the next call to hear from people we don' thear from that often Drummond Reed: There have been a lot of discussions there, they (?who?) have not been interested to embrace SSI or VCs, they've been promoting a different standard, an ISO standard. It's something that iBM has been more involved with than anyone I know Joe Andrieu: Sorry it went over, let's wrap ... We will revisit this in a future week ... Echo manu's interest in getting more folks to chime in Dave Longley: S/(\?who\?)/Idemia/
Received on Saturday, 10 August 2019 02:57:51 UTC