[MINUTES] W3C Credentials CG Call - 2019-07-30 12pm ET

Thanks to Amy Guy for scribing this week! The minutes
for this week's Credentials CG telecon are now available:

https://w3c-ccg.github.io/meetings/2019-07-30/

Full text of the discussion follows for W3C archival purposes.
Audio from the meeting is available as well (link provided below).

----------------------------------------------------------------
Credentials CG Telecon Minutes for 2019-07-30

Agenda:
  https://lists.w3.org/Archives/Public/public-credentials/2019Jul/0074.html
Topics:
  1. intros and reintros
  2. announcements and reminders
  3. Progresson action items
  4. Standards setting process
Organizer:
  Christopher Allen and Kim Hamilton Duffy and Joe Andrieu
Scribe:
  Amy Guy
Present:
  Ted Thibodeau, Jonathan Holt, Joe Andrieu, Brent Zundel, Adrian 
  Gropper, Manu Sporny, Amy Guy, Shivam Sethi, Justin Richer, 
  Christopher Allen, Dave Longley, Dmitri Zagidulin, Yancy Ribbens, 
  David I. Lehn, Heather Vescent, Drummond Reed, Jeff Orgel, Ryan 
  Grant, Kayode Ezike, Kaliya Young, Dan Burnett, Ken Ebert, Sam 
  Smith
Audio:
  https://w3c-ccg.github.io/meetings/2019-07-30/audio.ogg

+Present Andrew Jones DB
Joe Andrieu:  The call today is going to focus on what comes 
  after DIDs? [scribe assist by Manu Sporny]
Joe Andrieu:  We're looking for what's the next big chunk - it'll 
  take 4-5 years to incubate, work on a WG, take it through W3C 
  process. We want to explore in an open ended way... what's worth 
  our time? [scribe assist by Manu Sporny]
Joe Andrieu:  That's going to be our conversation today. [scribe 
  assist by Manu Sporny]
Manu Sporny: Joe provides Public IP Note - please sign the CCG 
  Contribution Agreement, or don't make substantive contributions.
Amy Guy is scribing.
Joe Andrieu:  If for some reason you're only on irc, please q+ 
  anyway

Topic: intros and reintros

Joe Andrieu:  Anyone who for this is their first call?
Shivam Sethi:  I was part of the DID calls but for the CCG this 
  is the first call I am joining
  ... I'm from an Indian based company (?)
Joe Andrieu:  Anyone else new?
  ... How about a reintro
Joe Andrieu:  Invokes stonematt to reintro?
Adrian Gropper:  I'm CTO of a nonprofit called patient privacy 
  rights, my role in this community is because there's an open 
  source project that I'd like to think is a reference 
  implementation ofhow VCs and DIDs can be used to manage health 
  records
  ... We've implemented uPort about 3 years ago and are looking 
  forward to aligning with the standard
  ... at the rate our developer (one person) can adapt
  ... One interesting tidbit, for 3 years I've been involved in 
  the health records infrastructure for India
  ... Right now as of a week ago it's become a formal government 
  policy, how they want to deal with medical identity, how they 
  want to link it to adhaar and decentralised identity is one of 
  the proposals, which they consider a little bit out there but 
  it's actually under consideration
Joe Andrieu:  Thanks for the update, very cool

Topic: announcements and reminders

Joe Andrieu:  Still doing dedicated DID calls on thursday
Drummond Reed:  We did skip last week, we'll be on this week and 
  next week and then i'll be gone for 2 weeks but if markus and 
  others are willing to keep going we'll keep going. We have until 
  assumign there's a go ahead with the vote on the WG we have until 
  that group formally starts, which I think would be at tpac
Joe Andrieu:  Next week August 5-9 we have the btcr hackathon
Joe Andrieu: 
  https://weboftrustinfo.github.io/btcr-hackathon-2019/
  ... It's virtual, we'll be having a conference call on a daily 
  basis
  ... please come join us. We're focussed on btcr, there are some 
  other related issues around credentials and DIDs in general that 
  are fair game
  ... We'd love to have you join us
Joe Andrieu:  Vienna Digital Identity Meetup September 1st, 
  Sunday before RWOT
  ... The idea is a conversation witht he local community in 
  vienna and people who are going to rebooting will take the train 
  the next day and head up there
Joe Andrieu: http://rwot9.eventbrite.com
Joe Andrieu:  And RWOT9 is after that
  ... August 18th is our next deadline for advanced topic papers
  ... Then after RWOT9 in Prague, the folks involved with 
  ActivityPub are putting together a face to face
https://dustycloud.org/blog/activitypub-conf-2019/
Drummond Reed: Ah, I didn't realize that producing a CCG 
  Community Final Draft take a month.
Manu Sporny:  We need to produce a FCGS and get people to sign 
  off on the IPR for when it goes into the WG
  ... It takes a week to prepare the doc, a week to give people 
  notice, then 2 weeks for the IPR committments before we move it 
  over to the WG
  ... Based on where we are we should start on that process this 
  week
Christopher Allen: What day is 4 weeks before tpac
Shivam Sethi:  First concern I tried to convert the minutes of 
  the calls but there are some issues with the script, I couldn't 
  get it working, maybe someone could help me, in future I can do 
  that
Drummond Reed: Agreed
  ... Second concern was I was thinking to push a document 
  related to ?? iot devices using DID, there won't be any personal 
  information, openID authentication to manage IOT devices
Manu Sporny: This would be something for the DID Use Cases 
  document...
Shivam Sethi: Ok ,Thanks Chris
Christopher Allen: We do appreciate you working on converting the 
  minutes!
Drummond Reed:  I had no idea it was a 4 week process to get the 
  community final draft
  ... What I wanted to find out from manu is does that mean that 
  by tpac we have to finalise something this week or can we get 
  until next week?
Christopher Allen: I think we have 2 weeks.
Hi, may I introduce myself if we're still doing introductions? 
  sorry for joining late
Manu Sporny:  It takes roughly 4 weeks, the fastes I've seen it 
  happen is 2 weeks but that was a tiny group. We could do that 
  drummond,t he most important thing is that we get that document 
  in shape ideally it would have been done before the charter went 
  out for review. The next deadline is before the WG starts
  ... In theory that should be before tpac
  ... probably a week before tpac
  ... that is our last date
  ... if we work backwards from there we can start in the last 
  week of august but that would be cutting it really close
Drummond Reed:  This week and next week's DID spec calls will be 
  for that
  ... I'll make sure markus is around. Anyone else with issues 
  youw ant resolved in the next 2 weeks, we'll get it ready for 
  review
Manu Sporny:  Yes I can make it
Drummond Reed:  We can talk about what we need to get done and 
  what the process will be like
Christopher Allen:  What I would like to see is a last day we can 
  put into our announcements for the next couple of meetings. The 
  first thursday that drummond is back that we say last call for 
  comments is that thursday
  ... That friday the editors are closing it for all comments and 
  can take a few days to prepare a final version
  ... but have that very prominent what those two days are, we 
  announce it
Manu Sporny:  We should not ask for comments, that will open us 
  to comments
  ... we should say this CG.. we're cutting a version of the 
  spec, we know it's incomplete, we're handing it over to the WG. 
  Say that and wait for any kind of objections. But objections at 
  this point, there's no outcome for objecting to handing it to a 
  WG
  ... butw e can open it up to objections
  ... We just announce at this date the editors are cutting a 
  final CG spec, we will be gathering IPR over the next couple of 
  weeks and leave it at that
Joe Andrieu: Ask sumita
Sumita: I work at USA(?) which is a financial institution. Our 
  interest is to pursue a blockchain solution for self sovereign 
  identity. I've been reading a lot and it sounds like what you are 
  doing is what we need to get involved with
  ... Is there anyone from a financial instituion here? Do we 
  have private sector folks involved?
Drummond Reed:  I can't say that many of us here working on this 
  are working .. .I work for evernym.. that are doing exactly what 
  you just said. Working on adopting self soverign identity to 
  address the problems of financial.. I just left a call about 
  this.. A consortium of a credit unions which focusses on 
  blockchain tech for credit unions have chosen SSI as a focus for 
  what they're doing. You're certainly in the right place.
  ... THere are lots of materials available, happy to share
Sumita: Just wanted to make sure I stumbled into the right room, 
  I'll bring some of my colleagues into the next meeting
Ryan Grant: Very glad to have you!
Drummond Reed: Great! Welcome.
Heather Vescent:  It's really exciting that USAA is getting 
  involved in this. You are really innovative. I am a consultant, 
  I've worked with a variety of different companies including banks 
  exploring this space
  ... I wrote this report with kaliya on npe identity looking at 
  use cases or market gaps from the private sector having to do 
  with banking and finance
  ... you might be interested, it is public
Heather Vescent: NPE report: 
  https://app.convertkit.com/landing_pages/457406
  ... If you want more info I'm happy to walk you through what 
  we've learned
  ... Primarily the report talks about the application of .. it 
  does not specifically talk about the impact of SSI for 
  individuals, it was exploring SSI for other legal entities and 
  non human identity
  ... If that's interesting regarding LEI or risk management, or 
  if you are primarily focussed on the individual identity
  ... I'll reiterate, ?? is doing some interesting stuff, and atb 
  bank in canada have been doing interesting stuff on that too
Joe Andrieu: Ls
  ... Feel free to reach out
Joe Andrieu: https://www.youtube.com/watch?v=7KrSw81F4Us
Joe Andrieu:  We do have demos from the RWOT8, there's a 
  presentation with raabobank with SSI
Joe Andrieu:  TPAC will be in Japan in September 16-20
Kaliya Young: Also I've talked to Sendander bank in Spain who has 
  dabbled in exploring SSI
  ... The CCG does not have a space assigned but I do think we'll 
  have a DID WG meeting of some flavour there
  ... MyData is at the tail end of September, 25-27 in Helsinki

Topic: Progresson action items

  ... LD key format registry administrivia
  ... Did we assign this to you last week dmitriz? Your question 
  from 2 weeks ago is what do we need to do
Dmitri Zagidulin:  I don't know, I left the comment on the issue 
  asking to clarify
Joe Andrieu: https://github.com/w3c-ccg/community/issues/56
Christopher Allen:  My understanding is this particular document 
  needed to have some sections added to it
Manu Sporny: https://w3c-ccg.github.io/ld-cryptosuite-registry/
Manu Sporny:  We had a registry called the linked data key format 
  registry, we moved to change it to the cryptography suite 
  registry. The purpose of the registry is to have a full list of 
  all the crypto suites we support
  ... anything you need for ldproofs which we use for VCs, and a 
  few other things
  ... the registry exists now and to finish off this issue we 
  need to add a couple of sections in there
Manu Sporny: 
  https://w3c-ccg.github.io/ld-cryptosuite-registry/#ed25519signature2018
  ... right now we don't have key formats
  ... we have a link to the spec but we don't talk about the key 
  ???? make the registry a bit more clean
  ... we have verification methods and key formats. We should 
  split the registry into two things. It should have a section for 
  verification methods and a new sectionf or key formats. That's it
  ... that's all we need to do, add some editorial stuff around 
  it
Dmitri Zagidulin:  I think I understand
I can do it
(Probably :p)
Manu Sporny: Thx rhiaro ! :)
Manu Sporny: Also, ping me if there is any confusion, I think I 
  know what needs to be done.
Dmitri Zagidulin:  I'll help

Topic: Standards setting process

Joe Andrieu:  Some of the ideas we've kicked around about what's 
  after DIDs, we've had conversations amongst chairs and community 
  leaders, every idea that has come up has been we need to get the 
  implementers into our conversation
  ... What is worth spending 5 years on that will advance the 
  work of the CCG in the most effective way?
  ... We're going to be talkinga bout it for a couple of months, 
  and at the meetings in september
  ... Try to get a sense of what's over the next horizon
Manu Sporny:  These things tend to go in 3 stages
  ... The first is the ideation process. This is what we depend 
  on the IIW, RWOT, DWeb summit, conferences that happen, new ideas 
  thrown out there, get momentum, until they get to a point people 
  want to work on it
  ... Eg. for VC stuff ideation happened between the RWOT was one 
  of the first places, moved to IIW and between RWOT and IIW the 
  idea was kicked back and forth until it got to the point that 
  there was a spec and it moved through the rest of the process. 
  Same with DIDs.
  ... The first stage is ideation, doesn't happen here typically, 
  this place is the second step in the process, which is incubation
  ... You come up with an diea that's stage 1. Stage 2 is 
  incubate the idea. People start writing waht the first spec might 
  be, putting pen to paper and talking about the thing and refining 
  it
  ... That's more or less what this group does
  ... What we're trying to do is take these ideas, get someone to 
  write about them, then get devs to implement them. Refine it, 
  play around, incubate it. That's what the CG is about. At a 
  certain point in time it hits the stage where it's ready for 
  global standardization
  ... We decide where to put that work. Might go to the IETF if 
  it's a low level protocal. OASIS if it's to do with business 
  processes. Might go to the W3C if it has to do with the web or 
  application layer stuff. Fundamentally we find the place where it 
  should be globally standardized and send it off to the third 
  stage
  ... The third stage is standardization at a standards setting 
  body. These are special organisations, from a legal perspective 
  they cover what it means. The timeline for those things...
The three stages, ideation, incubation, standardization. Ideation 
  stage can take anywhere from 6 months to 5 years. Who knows, 
  sometimes it takes a long time for certain ideas to take hold
  ... The incubation stage takes about 1-2 years, and 
  standardization takes 2 years
  ... Usually a 5 year process form idea to global standard. 
  Sounds long but it goes by really quickly. The last 5 years are a 
  blur to many people involved in VCs
Joe Andrieu:  It takes a while to get this stuff. What I'm 
  looking at as a co-chair, is trying to work out what is worth 5 
  years of focussed attention that is aligned with the mission and 
  community here of the CCG
  ... Now I want to open it up
  ... Some other folks have had some ideas
  ... Hop on the queue
Christopher Allen:  Speaking as chair with Joe and Kim, one of 
  the question we have is where are the places that a multi year 
  process of getting to an international standard is absolutely 
  required or appropriate vs other things that we want to support 
  or build that don't necessarily need to go through the entire 
  international standardization process
  ... There are a lot of things where we can create an API or a 
  recommendation that does not have the standing of an 
  international standard and it can end here. We don't have to go 
  through the entire process end to end
  ... Part of what I'm tryign to filter is what are the things 
  that really deserve standardization. These are the things epople 
  can use APIs, propocols, data formats etc, as a way to lock in to 
  a single model, a single approach that doesn't allow for 
  competition and collaboration
  ... Taking my hat off I know some of my pain points are how do 
  we ???
  ... how do you request a verifiable credential, a verifable 
  presentation. How do you do so in a data minimizing protocol way. 
  I do'nt want a static give me yoru VC, I want a negotiation 
  between two parties so they can determine the max the client is 
  going to give and the minimum the rquester is going to get. 
  There's going to be a data minimization dance there
  ... That's a pain point for me right now
Dave Longley: +1 To work on standardizing VC/VP queries
  ... Another is that we still don't have cryptographically 
  reviewed signature proofs and things of that nature
  ... We need to be thinking not only about zero knowlege ways 
  and blinding, but data minimization. Do we recommend to issuers 
  they issue every single attirbute individually by itself so a 
  person has a package of 100 claims with 100 attributes, or do we 
  come up with some other scheme wehre they don't have to give 
  proofs for all of those entries
  ... Those are my early pain points. I need answers like, this 
  fall.
Adrian Gropper:  Going forward from the data minimization. I want 
  to put a plug in for working on the self soverign agent as a 
  service endpoint in the DID Document. It seems there's a lot of 
  evidence that this is really the next thing that needs to be 
  standardized. The evidence being conversations in DIF and 
  Hyperledger Ares around this which I don't think is converging 
  particularly quickly and I think it needs a very strong dose of 
  the kind of incubation
That this group is able to do. To link this proposal to what 
  Chris was just saying, a major component of having an agent as a 
  service endpoint is to negotitate back and forth semi 
  autonomosuly for this data minimization point
Joe Andrieu:  One of the ideas i've floated in most 
  conversations, may not survive the bubble up in prioritization, 
  but it seems to me an API for how you interact with a wallet 
  would be very useful. The wallet is one of the key points of 
  leverage in this whole ecosystem, if we want software from 
  different parties to be ablet o interact with a variety of 
  wallets some sort of API there would be useufl. I see it in the 
  way that the DOM API int he browser
Gives JS a standard way to interact with the Document Object 
  Model
  ... Also to have formal guarantees about what's behind that API
  ... That may include guarantees about where keys are stored or 
  what kind of keys are generated. THe idea is an API that has deep 
  guarantees about cryptographic proof or process.
  ... that's somethign I could see us working on
Jonathan Holt:  Seems to be a lot of overlap with the DID comm(?) 
  coming out of project Ares
  ... How do we interact and create a synergistic goal with those 
  other groups
Joe Andrieu:  Great question
Drummond Reed: +1 To synergy with DIDComm at the Hyperledger 
  Aries project
Drummond Reed:  I was going to amplify what jonathan was saying. 
  Standardizing the API for the wallet and the interactions, the 
  protocols for key exchange and accessing and sending messages to 
  the wallet, th whole dkms project that we've undertaken to 
  develop interopeable decentralized key management is part of 
  what's being implemented at hyperledger aries
  ... I want to reinforce what jonathan was saying. We should 
  figure out how to work togehter with that group
Christopher Allen:  Want to add to the agenda the things the CCG 
  can help with which is the area around the nature of what's in a 
  verifiable presentation, how they're packaged up, what is the 
  schemas within those so we can exchange things
  ... Feels like there isn't a standard for educational claims 
  per se that everybody agrees to. W3C already has some schemas 
  around education. Obviously blockcerts and some of the other 
  educational things are working on that, I'd like to see that 
  reach anotehr level of interop
  ... I'm very interested in peer claims, how does one person 
  issue a claim rather than it coming from some authority that is 
  major
  ... How does peer claims work from an individual
  ... I will say peer claims between issuers will also be 
  imporatn. DMV giving a peer claim to one in another state 
  ... There's a lot of stuff in the actual details of interop the 
  claim data
  ... There's a bunch ofinterop expectations that people have 
  because of DIDs, and the reality is that the various domains of 
  message can't talk with each other, they use different proof 
  methods, different keys etc
  ... We need to begin bridging some of those
  ... There's a meeting in wyoming in september where I'm really 
  hoping to be able to present some solutions around corporate 
  records
  ... I already know from them they don't want to select a single 
  DID method or a single vendor. They want to say we can work with 
  multiples of those. The reality is we can't actually meet that 
  expectation. Sovrin can't work with btcr or veres1 or the uport 
  variants
  ... Figuring out where we can begin to interop, there are some 
  small wins in being able to valdiate each others' claims and be 
  able to have a mutual key on two chains(?) but the market will 
  demand we can do more than that
Joe Andrieu:  There's an evolving relationship with DIF. We're 
  glad that kim is involved over at DIF. My understanding is that's 
  largely about implementation. I see it as proof of concept and 
  proof of an approach which we'd like to fold into whatever 
  standards work we might start down the pipeline
Dmitri Zagidulin:  Two topics hinted at
  ... THe use of credentials in authentication and authorization
Just wanted to say congratulations folks.
  ... We've been very careful int he VC community to say VCs by 
  themselves are not to be used for active control(?)
  ... a lot of people view the natural next step is to build that 
  next layer up, using DIDs and VCs in actual authentication 
  protocols
  ... Ir ealise that Aries and DIF have already started working 
  on that
Dave Longley: S/active control/access control/
Sumita: have we heard anything from plastic manufacturers? Not 
  sure about the international market..
Ken Ebert:  I wanted to talk abot the interop issue. To verify 
  the formats for signature styles that are not native, eg. sovrin 
  doesn't use jwts natively but we should be able to recognise it. 
  And using the types so interop becomes more universal. That's all 
  going on in Aries right now. Beginning stages are happening, 
  nowhere near beinga ble to issue a different type of credential
Joe Andrieu:  How do you see us being able to work with the work 
  at Aries?
Ken Ebert:  The main focus is to first establish interop between 
  various issuers of credentials, also focus on universal wallet 
  standards to be able to collect and stores those types of 
  credentials. Part of that project is the separation out of things 
  specific to hyperledger indy or sovrin to a layer below so other 
  ledgers can plug in and operate with the higher level layers that 
  operate with the storage of credentials
  ... This community can be helpful in provding input and 
  contributing signature styles and interop of their own favourite 
  flavour so we can coalesce some of those things
Sam Smith:  SOmething that came up at the solid workshop was 
  vcards and I was thinkign dmitriz could speak to it better, but 
  it seems like a verifiable vcard you could share would be a 
  really cool first use case before a wallet because that would be 
  something that touches human and would be a clear data shape 
  based off what's already there
Manu Sporny:  Should we do this again next week? Many ideas. But 
  with a focus on hearing from people we don't normally hear from
Heather Vescent: A++ maybe do a survey? ;-)
  ... I'd really like to hear from the people we don't hear from 
  on a regular basis. Maybe some of the newer people, just to get 
  some more input
Heather Vescent: Also, we did ask a similar question on the EOD 
  survey
Heather Vescent: So we can take those as one data points moving 
  forward
  ... heather is saying maybe do a survey. In some cases it's 
  really difficult for people new to speak up. It can be 
  intimidating. That's where written communication is good. Maybe 
  through the mailing list. But on the call one of the things we 
  need to do better is make space for other people to talk on here
  ... We shouldnt' be picky about how we gather the data. Hit us 
  with a flood of info and we can sort it out
Joe Andrieu: +1 To more voices and a future call
  ... I'm going to run down a list pretty quicky, I sent it to 
  the mailing list
Heather Vescent: Capital One data breach, yay!
  ... Today there was another massive data breach, people lost 
  their PII for the fifitieth time. THere is a quesiton around data 
  portability. We're going to store these VCs and our health 
  records somewhere. How do we make sure it's ours and not locked 
  into another vendor? The secure data hubs, identiy hubs work, 
  hyperledger aries is very imporant, but focussing encrypted data 
  portability is something we have in common
  ... And +1 the interop problem that we have
  ... We're all implementing to the standard but we're still not 
  interoperable with one another. Includes wallet issuer, verifier, 
  DID interop
  ... Takes constant tending to make sure that works
  ... Also +1 for how we get VCs from point A to point B. There 
  is a credentail handler API around for a while, does achieve some 
  things, but clearly other things it doens't like data 
  minimization
  ... Linked data proofs and signatures stuff is hard thankless 
  work but does needs to be done
  ... The formatily of the digital signatures andc ryotpgraphic 
  proofs, we need to work on that
  ... There is VC 1.1 and extensions, we're not done with VCs
Drummond Reed: Just to make sure Sumita gets her answer RE 
  Idemia: there have been many months of discussions within the 
  driver license industry about the arrival of open standard 
  verifiable credentials and SSI architecture. Idemia has not been 
  in favor of adopting it but hopefully that will change. IBM has 
  been very involved in these discussions along with Evernym and 
  others.
  ... We need to help people get it out in industry
  ... Then of course the registries work
  ... All that's technical work. There's also nontechnical work 
  we need to do
Dave Longley: +1 To focusing on common APIs, backend agent 
  communication and Credential Handler API for user interaction via 
  Web browser, DKMS for backend key management, Web KMS for Web 
  apps, +1 for common VC/VP query formats
  ... Nonviolent communication discussion recently. There 
  cotinues to be friction between various communities and people 
  and we should attempt to tend to that on a continuing basis
  ... The other thing is field work. There have been concerns we 
  are coming up with use cases without contact with the problem
  ... If we're going to work on refugee or online bullying use 
  cases we should go and working with people who work with that on 
  a week to week basis
  ... We do have a communication problem. it's really easy for us 
  to discuss these things in this group but it is drinking from a 
  massive firehose to join the group and we need to get better at 
  communicating our ideas
  ... RWOT and IIW help to some extent, but a well written one 
  pager about DIDs or VCs or secure data hubs, would help us go out 
  and talk to other people about it or empower other people to talk 
  about the work we're doing here
  ... I'd really like during the next call to hear from people we 
  don' thear from that often
Drummond Reed:  There have been a lot of discussions there, they 
  (?who?) have not been interested to embrace SSI or VCs, they've 
  been promoting a different standard, an ISO standard. It's 
  something that iBM has been more involved with than anyone I know
Joe Andrieu:  Sorry it went over, let's wrap
  ... We will revisit this in a future week
  ... Echo manu's interest in getting more folks to chime in
Dave Longley: S/(\?who\?)/Idemia/

Received on Saturday, 10 August 2019 02:57:51 UTC