[MINUTES] W3C Credentials CG Call - 2020-12-01 12pm ET from W3C CCG Chairs on 2020-12-03 (public-credentials@w3.org from December 2020)

From: W3C CCG Chairs <w3c.ccg@gmail.com>
Date: Thu, 03 Dec 2020 11:51:22 -0800 (PST)
Message-ID: <5fc941ba.1c69fb81.c9c62.9404@mx.google.com>

Thanks to Amy Guy for scribing this week! The minutes
for this week's Credentials CG telecon are now available:

https://w3c-ccg.github.io/meetings/2020-12-01

Full text of the discussion follows for W3C archival purposes.
Audio from the meeting is available as well (link provided below).

----------------------------------------------------------------
Credentials CG Telecon Minutes for 2020-12-01

Agenda:
https://lists.w3.org/Archives/Public/public-credentials/2020Nov/0127.html
Topics:
1. Introductions and reintroductions
2. announcements and reminders
3. Jeff Stephens and Dignari team
Organizer:
Heather Vescent and Wayne Chang and Kim Hamilton Duffy
Scribe:
Amy Guy
Present:
Heather Vescent, Kim Hamilton Duffy, Wayne Chang, Chris
Winczewski, Amy Guy, Manu Sporny, Joe Andrieu, Charles E. Lehner,
Dmitri Zagidulin, Ryan Grant, Ted Thibodeau, Adrian Gropper, Jeff
Orgel, Orie Steele, Erica Connell, Mike Prorock, George Lund,
Kaliya Young, Jeff Stephens, Alex Jackl, Lusine Sargsyan, Phil
Archer, Kayode Ezike, Phil Long, Nate Otto
Audio:
https://w3c-ccg.github.io/meetings/2020-12-01/audio.ogg

Heather Vescent: Minutes: https://w3c-ccg.github.io/meetings/
Heather Vescent:
https://docs.google.com/document/d/1LkqZ10z7FeV3EgMIQEJ9achEYMzy1d_2S90Q_lQ0y8M/edit#
Amy Guy is scribing.

Topic: Introductions and reintroductions

Heather Vescent: Do we have anyone new who would like to
introduce themselves?
... add yourself to the q, or just pipe up
George Lund: I work for the government digital service in the UK
and I'm joining for the first time
Chris Winczewski: Formally with learning machine, learning
machine was acquired by highland software earlier this year,
we're working within that group
... I missed IIW this year, but have been around in the groups
for a while

Topic: announcements and reminders

Heather Vescent: Announcements:
https://w3c-ccg.github.io/announcements/
Heather Vescent: There are 3 task forces that are meeting, VCs
for education on mondays, DID resolution on mondays, confidentail
storage calls on thursdays
https://github.com/w3c-ccg/community/issues/168
Wayne Chang: I want to announce the proposal for an
infrastructure task force
... the meeting infra we're talking about now took a lot of
effort and will continue to take effort to maintain
... how can we resource this in temrs of time and finance?
... so chairs can be freed up to focus on other priorities
... the task force is an attempt at an inclusive way to address
this
... if you're interested in helping to set up infrastructure or
maintain it, this is a way to get involved
... there is some interest so far
... feel free to learn more on github
... the next announcement is that the nomination period for the
W3C technical architecture group
... some people in this group have self nominated
... it's important for us to have our technical concerns and
understanding influence the W3C standards devleopment
... anyone else from this ecosystem who wants to self nominate
and step up, it's very useful to build that connective tissues to
the rest of the WGs at the w3c
... and other groups such as ietf etc
... I'm not so partial as to who in our community steps up, but
I think it's useful if someone from our community has a voice
Heather Vescent: Action Items:
https://github.com/w3c-ccg/community/issues?q=is%3Aopen+is%3Aissue+label%3A%22action%3A+review+next%22
Heather Vescent: Do you have anything else you want to talk
about for the infrastructure task force?
Wayne Chang: I said the piece I needed to on that
... happy to take questions
Manu Sporny: To speak to what wayne said about the Technical
Architecture Group
... for those of you not familiar with waht the w3c TAG does,
they effectively set the deign requirements for the entirety of
the web
... what we want the web to become is partly from an
architectural perspective the TAGs job
... people on the TAG are supposed to be there as individuals
first
... it's not supposed to be representing a compnay, but the
people of the Web and what's best for the Web
... it is very high level architectural position and it has
broad ramifications around the work that w3c does
... I wanted to +1 wayne for running and amy for running, I
think they would bring what our group does into the thought
process around what the future of the web looks like
... which is a really great thing to do
... the other thing to note is that multiple seats open up, so
we could find ourselves in a situation where both wayne and amy
are on the TAG and that would be really great for this community
... all that to say, the people that vote are the w3c members,
the AC reps who vote, so be aware that that election is happening
... I believe the timeline is nominations in the next couple of
days and a voting period for about a month, and the term starts
in February
Heather Vescent: Anyone else have any questions or comments on
the infrastructure task force?
... My concern is that, while I appreciate all the efforts, I
believe the technical solution creates an obstacle for
participation for folks that are not currently participating in
this community
... I want to ask that the task force includes not the usual
suspects to gather feedback and usage data that it includes
people that would like to participate from the fringe, geographic
timezones,s different language structures, from different
skillsets, that are not just from a technical background
... but also from design, anthropological, ux, marketing and
usability, not just technical folks
... because I would like to see the importance of having a
meeting infra that's accessible is an improvement in the work we
do here
... and to date I still see technical obstacles being raised
with our current system
Wayne Chang: I agree
... that there are things that have to do with running the
infra that require no ability to write code or even use git and
if we're able to convert more responsibilities toward that that
is definitely a win
... for example being able to help with the notes and
publishing them and clean them up, that shouldn't require anyone
to enter a commandline if they're' not used to it
... strive towards creating modes of engagement that don't
require a technical background so the surface are of upholding
the community can be spread over more people who are intersted
... if you're interested in contributing, technical or not,
comment on github or talk in the mailing list
Heather Vescent: I want to alert the community to 2 activities
happening in the chair infrastructure
... we're doing some succession planning
... kim has been one of the most phenomenal chairs, but will be
moving on next year
... we want to capture everything and onboard new chairs
Heather Vescent: https://github.com/w3c-ccg/community/issues/165
... there was some documentation but not a lot
... I've been working on creating a job description and
instruciton manual for what chairs do
... this is everything the job requires
... including running minutes, meetings, speakers, the work
items, process
... a lot of these processes have been wrapped up
... we're putting the documentation together
... we're at a point where the chairs are reviewing this but
will be sharing it with you
... having a job description will be very useful when we do
have an open call for a new chair
Heather Vescent: https://github.com/w3c-ccg/community/issues/164
... The other thing I want to alert the community to is task
for documentation
... there's been a lot of interest in having task forces in the
ccg
... as a sub meeting of the ccg
... we'v ehad variosu folks approach us to start task forces
... all of our task forces to date have evolved out of this
meeting
... seemed like it was appropriate to put together some more
formal task force process docs and an faq
... so I'v ebeen working on that
... to define the taskforce scope, the relationship with the
main meetings, responsibilities of minutes etc
... we are looking to formalise that information
... it's a draft that the chairs will be reviewing and we'll
share it
... if you are interested in participatin gor contributing to
either the job description, activities that chairs do or task
force please get in touch with me
... I'm driving the draft of these
... any questions?

Topic: Jeff Stephens and Dignari team

Heather Vescent: If you joined the wallet meeting a month ago
you might have seen some of their work
... today Jeff and team are going to give an overview of the
work they did
... I was really impressed in particular by their work because
in my mind it really involves the entire team and ways of
thinking about things
Jeff Stephens: Thank you for the opportunity to join the meeting
today
... Dignari was formed in 2013, a woman-owned small business in
washington dc
... we provide services like program strategy, data science,
analytics, as well as ui/ux and human centered design
... we dabble in a number of areas, a long history in identity
management
... we have the technical side as well as the ui/ux side
... allowed us to join forces
... here with a couple of my colleagues, I'm jeff stephnes, the
chief technology officer
Alex Jackl: I'm a solution architect
Lusine Sargsyan: I'm the creative director, focusing on ui/ux
Jeff Stephens: We're going to show you the screens that we came
up with, the experience for a digital wallet
... alex is going to go through some use cases
... then we'll field some questions
Alex Jackl: One of the thing swe wanted to do, we decided to
give you a presentation in real time
... we'll make available the video that was shared with the
community event with svip
... this gives us an opportunity to walk through it together
... and to take some of the feedback we got from that community
event and show you ways we've updated as a result of that
... we presented this thing at the end of october
... and submitted it in mid october for the DHS digital wallet
challenge
... this is our branding scheme for the digital wallet
... a colour scheme rendering of your desktop application and
mobile application
... the first thing an individual is going to do is to create
an account
... you provide basic information, username and passowrd
... this would b where you present your EULA agreement and
agree to that
... once the account is created you have the ability to log in
with that username and password and update to use biometric or
any identity assurance capability
... there's also potentially a link down here to that woudl
provide disclosures and privacy policies
... let's assume jane r user is logging in
... on the desktop there are 9 identity domains
... the areas where you can group the verifiable credentials
that you want to add
... here's a rendering of the same information in th emobile
app
... in her educational part is a copy of her degree
... in any of these identity domains, the same interface occurs
... you click, see any credentials, and there's a + sign to add
additional credentials
... as we looked at the digital wallet challenge, one of the
keys for us was the way you access information is consistent for
the user
... whether it's your legal identity or education information
you're doing everything the same way
... even the presentation is similar
... for the DHS digital wallet challenge we were presented with
a single use case
... jane is applying for a job and as aprt of the application
the employer has asked for a permanent resident card and her
degree
... the first thing that jane has to do is go to the issuers
and obtain these verifiable credentials from her educational
instutuition and USCIS
... first thing is to get degree information from her
university
<phil> What I don't see in the categories of credentials are
assertions about work such as those emerging from HR Open, e.g.,
Work History. Or Salary History. etc. Are the groupings
arbitrary, and more can be created?
... you can see that when she selects adding an education
degree to her wallet she can fill out information that lets them
look her up
... if she already has a login to the university she can use
that
... for further capabilities down the road, if instituations or
issues are doing biometric verification that can be incorporated
... for the demo, for jane's request, we assume she fills out
this form and submits the request
... the assumption here is that all of the work that the ccg
and w3c has done, the trust mechanisms in place to secure the
communication between the holder and issuer and verifier and
issuer, are all assumed to be behind the scenes
... it connected with the institution, secured as part of that,
did the verification based on the information provided, and once
it was deemed fit they provided the credential to her
... now you can see it's here to add to the wallet
... and now it's in the wallet
... the next thing we're going to do is to provide her
permanent resident card
... you can see how the mobile and desktop versions work and
are consistent
... now we add another item
... you can provide a username and password to login or provide
information by a form
... let's say she logged in
... the ocnnection is established, they provide all their
verification and provide the permanent resident card
... and jane adds it to wallet
... as part of that use case she was asked to provide both of
those
... from a user experience perspective we really wanted to give
the digital wallet interface an ability to create 'packages' -
that's your verifiable presentation
... here jane is going to click on packages and create a new
one
... and add her permanent resident card
... then we'll click on another item and add her education
... she has multiple pieces of information available, her
degree and transcripts
... sh eobtained all that from the issuer
... we'r egoing to assume they only need the degree
<phil> How is the educational credential represented? Via a CLR?
Or are there a set of credential data model standard payloads?
Alternately, is this just a image of the diploma?
... when she adds it to th epackage only her degree is added,
not her transcripts
... her package has the permanent resident card and her
university credential
... and click create
... one of two things can happen
... say jane is going to visit the employer for an interview
... at that point she could save the qr code and retrieve it
when she sees the employer for the interview, who can scan it and
get the information
... alternatively, submit remotely
... from the mobile application you would scan a qr code that's
provided by the employer remotely
... let's do that scenario
... jane is going to submit her digital package to the employer
... she's gonna click share, and provide consent to release her
permanent resident card and her degree
... her job application will go from pending to sent
... the last thing to show is the different ways through this
ui/ux of managing your verifiable credential or your packages
... you see here there are multiple packages
... she has a package for a mortgage refinance
... another for an application for a graduate degree
... let's assume she completed the mortgage and no longer needs
this package
... she can delete it
... it'll ask to confirm
... and it removes it from the list
Lusine Sargsyan: Our goal is to create the most adaptable user
interface and experience design
... we kept it consistent between desktop and mobile
... as we go through our redesign and refinement to better
align with us web design standards we are curious and would like
to put this to the community as to waht would provide most value
... we're open to any questions about the user experience and
ui
Ted Thibodeau: Looking at the interaction windows, the first
thing was the login, which on the desktop app asked for email
address and on the phone asked for username
... blurring those two will be troublesome
... i've run into this in different places, it's getting worse
... particularly with something like a digital wallet where
you're trying to combine identities.. you're going to have logins
with their own usernames and email addresses to get details from
them
<phil> How are you enabling selective disclosure of a rich set of
data in a standard data model payload?
... presuming it's stored somewhere at dignari or in the cloud,
becuase it's on all of my devices
... maybe I don't want it on all my devies
... or maybe not in the cloud, *just* on my device
Jeff Stephens: Some of the architecture of where data is stored
is handled by digital wallet providers
... issues to work through there
... our challenge was just the ui/ux piece of it
... all the underlying wiring of those systems is not what we
designed to, it's from a user perspective, how to interact, how
to use credentials
<phil> queue+
... significant challenges for the solution providers that are
building the digital wallet itself
Ted Thibodeau: I see, this is a mockup of ui/ux with no
connection behind it
Alex Jackl: Thank you for that comment, we want to make sure
we're consistent, that's an oversight. You're right
... the callouts provided need to be consistent
... it's an interesting point - the challenge of these
connections to issuers and verifiers, any time we're connecting
with an external entity, from a ui/ux perspective our goal is to
make it consistent regardless of how you're connecting
... thats' the challenge
... you're right that certain issues require a username, others
require an email
... for us to work with the ccg to figure out how to make that
easier, that would be how we as ui/ux designers could provide
some help there to bridge that
Jeff Stephens: One of the main intent was to get in front of it
and design from a user standpoint even while the tech is being
baked behind the scenes
... so they can get interest in adoptin gdigital wallet
concepts
... the pieces they're looking for, the ui/ux design to serve
as a bootstrap design package for peopel that want to build
digital wallets
Ted Thibodeau: The fact that this was a dhs challenge also puts
a different spin on it. they want to unify all of my identies and
know me whereve rI am
... I don't want the DHS to know I'm in the rebel alliance, but
want that number card in my wallet
Jeff Stephens: I can't speak for dhs, but i think their positon
is they don't want to be the digital wallet provider or any sort
of authority
... just trying to serve as the accelerator for the community
Heather Vescent: No-one from DHS SVIP is here, but I think he
would take umbridge with some of your comments Ted
... I don't think your comment about that is fully reflective
of the nuances of SVIP's motivation in supporting the work in
this space
Manu Sporny: Thank you for the presentation, fantastic work,
loved seeing the ui mockups
... one of the things that jumped out at me was the interaction
between the walle tand the issuer
... there are two interaction paradigms in play
... the sovrin/indy interaction paradigm which I think was
mocked up
... there's also the crednetial handler / browser baed
interaction paradigm
... they're very different
... had you made a decision to use one path vs the other?
... and if you wer enot aware that there was this other
interaction paradigm, maybe one of the things we could talk about
next time is how that interaction paradigm is different
... for example, the uis that you have have this concept of the
individual creating the packages
... whereas the other has the entity requesting a set of
credentials from you
... you don't need to know what to put together, they ask for
as et of things and you decide whether to share
... it's very different
... where are you in that thought process?
Jeff Stephens: That's awesome feedback, we want clarity on that,
we are not experts, getting these nuanced pieces of tech from the
community is valuable
... I didn't kn othe two interactions but I see what you're
saying
... driven by the end user or requesitng entity as the two
interactions
... we did from the perspective of the individual because it's
a digital wallet
... where the entity, would they have a similar concept? I'm
going to interact with a number of people
Manu Sporny: Yes and no, use cases where you might
... that's a sideline thing
... the main thing I was wondering is that there are a set of
dhs videos showing testing of all these wallets
... that video is good to look at because it flip sthe
paradigm, it shows you the other paradigm
... I get that what you did was individual centric
... the other is organisation centric
... both legitimate
... if we're going to do a good job we need to understand both
and when you use one over the other
Alex Jackl: I didn't see the other videos, thanks
<phil> Can someone (Anil) post the link to the wallet videos that
Manu referred to?
... from our perspective we went with the concept of providing
the optimcal control for the holder
... I think what we're learning is from a ui/ux we have to
provide the capability or guidence to support not only the holder
creating the pacakge but the issuer/verifiers having that ability
<heathervescent> This is an opportunity to have clear, explicit
use cases.
... from the ui/ux perspective we can create designs to support
both
... this could be an opportunity for us in the community to
have explicit use cases
Adrian Gropper: Thank you very much for tackling these things
... the fact that you're demonstration is so thorough in
addressing different componants moves us to the point manu made
... I struggled with building wireframes
... from the subject's perspective
... a question I have in seeing your demo is I expect that
people will not be familiar with this duality that manu has
mentioned
... specificially they wil not understand when qr codes are
used other than in an airline boarding situation
... using the qr codes in any other way is going to have to be
presumably explained
... this is a question.. how we deal with this duality
... sometimes the qr code is a request and sometimes a
presentation
... this overlaps with manu's point
... then the related point has to do with the form that you
showed
... again, very good that you put it in there becuase it shows
the reality of the situation
... in that case the user needs to be clear as to whether the
information on the form is going directly to the issuer or the
verifier
... in the oauth sense you kind of know when you look who you
are talking to, what domain you are entering the information to
... whether you had this problem or understand it as a privacy
issue when it comes to introducing these forms into the app
Jeff Stephens: It's true that a lot of these concepts are new
and strange to common users
<tallted> Verifier -- needs ability to request collection ;
Holder -- needs ability to request (from issuer or other holders)
or assemble (for verifier or other holders) collection ; Issuer
-- needs ability to assemble collection ; where "collection" is
"package" or "verifiable presentation"
... more instructions might need to be put into the UI
... to provide guidnece on what they're looking at or what the
ramifications are
<mprorock> have to jump for another call, but wanted to call out
to Jeff and company that this is awesome and the work is much
appreciated
Phil Long: Great presentation
... seeing the wireframs allows us to ask better questions
... manu was getting at the question of being ablet o use
selective disclosure
... so you can create a presentation containing only the things
you want disclosed
Ted Thibodeau: +1 Selective disclosure
<nate_otto_(@ottonomy)_badgr/csky> * though make sure to
disambiguate selective disclosure of claims from a single
credential vs selecting which credentials form a presentation.
... so I was sort of expecting to see mechanisms in the UI to
take that complex acitivity and make it easy for the individual
to pick the stuff they'd like to convey
... I didn't see that, want to emphasis that seems like an
important dimension
... The data modesl we have to choose from, there was no
reference to the different sorts of packages that these
credentials were bieng conveyed in
... these things are useful because they have richer ability to
convey information about what a person has learned and can do
... which is a tremendous benefit other than I got a degree or
not
... one of the benefits we hope for is to enable the individual
to have that expressive ability tod escribe elements of their
assertion
... I didn't see any reference into I got a degree, just an
image of a diploma
<tallted> random related concern -- university VC about degree
may include year of attainment -- which hints at subject's *age*
which can feed into discrimination issues, so may not be desired
as inclusion in disclosure...
... was curious to know whether that's in a second phase of
consideration or just wans't the choice of the data model that
the different VCs may have, wans't anywhere referenced int the
choice of what i had as a user
Jeff Stephens: We tried to show selective disclosure with the
degree
... you can choose just the degree or add in the transcripts
... you can select which part of the data to release
... that was our interpretation, don't know if that was enough
Phil Long: The data models are typically much richer than that
... like evidence of work
... that was ahint of the first level of adding
... additional work could expand that
Jeff Stephens: If we get a degree, there's a set in the data
model with attirbutes you coudl select from
Alex Jackl: We have seen cases where down to th eattribute level
giving the holder control, part of the assumption here is from
the users perspective the challenge becomes what can you present
that makes sense to the user
... although you saw the picture of the diploma doesn't mean
the information sent was a picture
... the qr code can represent information that allows the
verifier to go to the inssuer and retreive the diploma and
related information
... it's a delicate balance with what we show to a user
... if you show a user a ton of information and checkboxes and
ahve to ask what to select, it becomes challenge for the user
... but very much an important part
... this is where we love to get input from the ccg - what kind
of things do we have to present to the user with regards to
selective disclosure/ do we have to get down to the attribute
level?
Heather Vescent: This was a great discussion and we have a
vibrant q
... I was so impressed by this work and the user perspective
<phil> Interesting - one of the design goals of the VC model is
disintermediation of the issuer and the need to go back to them
for verification of assertions.
... it reminded me of some work that some of us worked in with
swift, eu banking consortium, 8 years ago
... one of th emain concepts of that back then was that users
have data ll over the web
... even though it's data about ourselves, it's not necessarily
stuff we control
... the digital asset grid was the concept of a wallet where
you could go out an dmake connections to all our data
... your wallet wa sa control panel and you could choose how to
share data about yourself
... i'd forgotten about this project, but here it is, the UI,
the concept
... all of us in this community are working on the technology
Wayne Chang: Want to highlight two work item opportunities
... how we use out of band comms such as qr codes - what's a
standard way to include connection information, what should a
wallet support
... there has been some work in the aries community
... great potential work item
... and also being able to take a page out of the accessibility
guidelines from w3c which have been adopted worldwide in terms of
how to have accessible access to the web
... can we tailor some notions of that to users working with
credentials
... having some guidelines like that could help a lot to help
the standard experience, allowing more interop and for users to
have choice
Nate Otto: When we talk about selective disclosure we should not
confuse selective disclosure within a single credential vs
allwong a user to select which credentials go into a
presentation, ux for those concepts might be different
Jeff Stephens: Thank you for the great questions, just what we
needed
... what we'd like to do is send you al ink to the youtube
video so people can visit later
... and send the presentation over and some questions and let
the community tear at it offline
Heather Vescent: That's great, we can discuss on the mailing
list
... thank you jeff, lusine and alex for presenting
<cel> thank you

Received on Thursday, 3 December 2020 19:51:39 UTC