[MINUTES] W3C Credentials CG Call - 2020-12-01 12pm ET

Thanks to Amy Guy for scribing this week! The minutes
for this week's Credentials CG telecon are now available:

https://w3c-ccg.github.io/meetings/2020-12-01 

Full text of the discussion follows for W3C archival purposes.
Audio from the meeting is available as well (link provided below).

----------------------------------------------------------------
Credentials CG Telecon Minutes for 2020-12-01

Agenda:
  https://lists.w3.org/Archives/Public/public-credentials/2020Nov/0127.html
Topics:
  1. Introductions and reintroductions
  2. announcements and reminders
  3. Jeff Stephens and Dignari team
Organizer:
  Heather Vescent and Wayne Chang and Kim Hamilton Duffy
Scribe:
  Amy Guy
Present:
  Heather Vescent, Kim Hamilton Duffy, Wayne Chang, Chris 
  Winczewski, Amy Guy, Manu Sporny, Joe Andrieu, Charles E. Lehner, 
  Dmitri Zagidulin, Ryan Grant, Ted Thibodeau, Adrian Gropper, Jeff 
  Orgel, Orie Steele, Erica Connell, Mike Prorock, George Lund, 
  Kaliya Young, Jeff Stephens, Alex Jackl, Lusine Sargsyan, Phil 
  Archer, Kayode Ezike, Phil Long, Nate Otto
Audio:
  https://w3c-ccg.github.io/meetings/2020-12-01/audio.ogg

Heather Vescent: Minutes: https://w3c-ccg.github.io/meetings/
Heather Vescent: 
  https://docs.google.com/document/d/1LkqZ10z7FeV3EgMIQEJ9achEYMzy1d_2S90Q_lQ0y8M/edit#
Amy Guy is scribing.

Topic: Introductions and reintroductions

Heather Vescent:  Do we have anyone new who would like to 
  introduce themselves?
  ... add yourself to the q, or just pipe up
George Lund:  I work for the government digital service in the UK 
  and I'm joining for the first time
Chris Winczewski:  Formerly with learning machine, learning 
  machine was acquired by highland software earlier this year, 
  we're working within that group
  ... I missed IIW this year, but have been around in the groups 
  for a while

Topic: announcements and reminders

Heather Vescent: Announcements: 
  https://w3c-ccg.github.io/announcements/
Heather Vescent:  There are 3 task forces that are meeting, VCs 
  for education on mondays, DID resolution on mondays, confidential 
  storage calls on thursdays
https://github.com/w3c-ccg/community/issues/168
Wayne Chang:  I want to announce the proposal for an 
  infrastructure task force
  ... the meeting infra we're talking about now took a lot of 
  effort and will continue to take effort to maintain
  ... how can we resource this in terms of time and finance?
  ... so chairs can be freed up to focus on other priorities
  ... the task force is an attempt at an inclusive way to address 
  this
  ... if you're interested in helping to set up infrastructure or 
  maintain it, this is a way to get involved
  ... there is some interest so far
  ... feel free to learn more on github
  ... the next announcement is that the nomination period for the 
  W3C technical architecture group
  ... some people in this group have self nominated
  ... it's important for us to have our technical concerns and 
  understanding influence the W3C standards development
  ... anyone else from this ecosystem who wants to self nominate 
  and step up, it's very useful to build that connective tissues to 
  the rest of the WGs at the w3c
  ... and other groups such as ietf etc
  ... I'm not so partial as to who in our community steps up, but 
  I think it's useful if someone from our community has a voice
Heather Vescent: Action Items: 
  https://github.com/w3c-ccg/community/issues?q=is%3Aopen+is%3Aissue+label%3A%22action%3A+review+next%22
Heather Vescent:  Do you have anything else you want to talk 
  about for the infrastructure task force?
Wayne Chang:  I said the piece I needed to on that
  ... happy to take questions
Manu Sporny:  To speak to what wayne said about the Technical 
  Architecture Group
  ... for those of you not familiar with what the w3c TAG does, 
  they effectively set the design requirements for the entirety of 
  the web
  ... what we want the web to become is partly from an 
  architectural perspective the TAG's job
  ... people on the TAG are supposed to be there as individuals 
  first
  ... it's not supposed to be representing a company, but the 
  people of the Web and what's best for the Web
  ... it is very high level architectural position and it has 
  broad ramifications around the work that w3c does
  ... I wanted to +1 wayne for running and amy for running, I 
  think they would bring what our group does into the thought 
  process around what the future of the web looks like
  ... which is a really great thing to do
  ... the other thing to note is that multiple seats open up, so 
  we could find ourselves in a situation where both wayne and amy 
  are on the TAG and that would be really great for this community
  ... all that to say, the people that vote are the w3c members, 
  the AC reps who vote, so be aware that that election is happening
  ... I believe the timeline is nominations in the next couple of 
  days and a voting period for about a month, and the term starts 
  in February
Heather Vescent:  Anyone else have any questions or comments on 
  the infrastructure task force?
  ... My concern is that, while I appreciate all the efforts, I 
  believe the technical solution creates an obstacle for 
  participation for folks that are not currently participating in 
  this community
  ... I want to ask that the task force includes not the usual 
  suspects to gather feedback and usage data that it includes 
  people that would like to participate from the fringe, geographic 
  timezones, different language structures, from different 
  skillsets, that are not just from a technical background
  ... but also from design, anthropological, ux, marketing and 
  usability, not just technical folks
  ... because I would like to see the importance of having a 
  meeting infra that's accessible is an improvement in the work we 
  do here
  ... and to date I still see technical obstacles being raised 
  with our current system
Wayne Chang:  I agree
  ... that there are things that have to do with running the 
  infra that require no ability to write code or even use git and 
  if we're able to convert more responsibilities toward that that 
  is definitely a win
  ... for example being able to help with the notes and 
  publishing them and clean them up, that shouldn't require anyone 
  to enter a commandline if they're not used to it
  ... strive towards creating modes of engagement that don't 
  require a technical background so the surface area of upholding 
  the community can be spread over more people who are interested
  ... if you're interested in contributing, technical or not, 
  comment on github or talk in the mailing list
Heather Vescent:  I want to alert the community to 2 activities 
  happening in the chair infrastructure
  ... we're doing some succession planning
  ... kim has been one of the most phenomenal chairs, but will be 
  moving on next year
  ... we want to capture everything and onboard new chairs
Heather Vescent: https://github.com/w3c-ccg/community/issues/165
  ... there was some documentation but not a lot
  ... I've been working on creating a job description and 
  instruction manual for what chairs do
  ... this is everything the job requires
  ... including running minutes, meetings, speakers, the work 
  items, process
  ... a lot of these processes have been wrapped up
  ... we're putting the documentation together
  ... we're at a point where the chairs are reviewing this but 
  will be sharing it with you
  ... having a job description will be very useful when we do 
  have an open call for a new chair
Heather Vescent: https://github.com/w3c-ccg/community/issues/164
  ... The other thing I want to alert the community to is task 
  for documentation
  ... there's been a lot of interest in having task forces in the 
  ccg
  ... as a sub meeting of the ccg
  ... we've had various folks approach us to start task forces
  ... all of our task forces to date have evolved out of this 
  meeting
  ... seemed like it was appropriate to put together some more 
  formal task force process docs and an faq
  ... so I've been working on that
  ... to define the taskforce scope, the relationship with the 
  main meetings, responsibilities of minutes etc
  ... we are looking to formalise that information
  ... it's a draft that the chairs will be reviewing and we'll 
  share it
  ... if you are interested in participating or contributing to 
  either the job description, activities that chairs do or task 
  force please get in touch with me
  ... I'm driving the draft of these
  ... any questions?

Topic: Jeff Stephens and Dignari team

Heather Vescent:  If you joined the wallet meeting a month ago 
  you might have seen some of their work
  ... today Jeff and team are going to give an overview of the 
  work they did
  ... I was really impressed in particular by their work because 
  in my mind it really involves the entire team and ways of 
  thinking about things
Jeff Stephens:  Thank you for the opportunity to join the meeting 
  today
  ... Dignari was formed in 2013, a woman-owned small business in 
  washington dc
  ... we provide services like program strategy, data science, 
  analytics, as well as ui/ux and human centered design
  ... we dabble in a number of areas, a long history in identity 
  management
  ... we have the technical side as well as the ui/ux side
  ... allowed us to join forces
  ... here with a couple of my colleagues, I'm jeff stephens, the 
  chief technology officer
Alex Jackl:  I'm a solution architect
Lusine Sargsyan:  I'm the creative director, focusing on ui/ux
Jeff Stephens:  We're going to show you the screens that we came 
  up with, the experience for a digital wallet
  ... alex is going to go through some use cases
  ... then we'll field some questions
Alex Jackl:  One of the things we wanted to do, we decided to 
  give you a presentation in real time
  ... we'll make available the video that was shared with the 
  community event with svip
  ... this gives us an opportunity to walk through it together
  ... and to take some of the feedback we got from that community 
  event and show you ways we've updated as a result of that
  ... we presented this thing at the end of october
  ... and submitted it in mid october for the DHS digital wallet 
  challenge
  ... this is our branding scheme for the digital wallet
  ... a colour scheme rendering of your desktop application and 
  mobile application
  ... the first thing an individual is going to do is to create 
  an account
  ... you provide basic information, username and password
  ... this would be where you present your EULA agreement and 
  agree to that
  ... once the account is created you have the ability to log in 
  with that username and password and update to use biometric or 
  any identity assurance capability
  ... there's also potentially a link down here that would 
  provide disclosures and privacy policies
  ... let's assume jane r user is logging in
  ... on the desktop there are 9 identity domains
  ... the areas where you can group the verifiable credentials 
  that you want to add
  ... here's a rendering of the same information in the mobile 
  app
  ... in her educational part is a copy of her degree
  ... in any of these identity domains, the same interface occurs
  ... you click, see any credentials, and there's a + sign to add 
  additional credentials
  ... as we looked at the digital wallet challenge, one of the 
  keys for us was the way you access information is consistent for 
  the user
  ... whether it's your legal identity or education information 
  you're doing everything the same way
  ... even the presentation is similar
  ... for the DHS digital wallet challenge we were presented with 
  a single use case
  ... jane is applying for a job and as part of the application 
  the employer has asked for a permanent resident card and her 
  degree
  ... the first thing that jane has to do is go to the issuers 
  and obtain these verifiable credentials from her educational 
  institution and USCIS
  ... first thing is to get degree information from her 
  university
<phil> What I don't see in the categories of credentials are 
  assertions about work such as those emerging from HR Open, e.g., 
  Work History.  Or Salary History. etc. Are the groupings 
  arbitrary, and more can be created?
  ... you can see that when she selects adding an education 
  degree to her wallet she can fill out information that lets them 
  look her up
  ... if she already has a login to the university she can use 
  that
  ... for further capabilities down the road, if institutions or 
  issuers are doing biometric verification that can be incorporated
  ... for the demo, for jane's request, we assume she fills out 
  this form and submits the request
  ... the assumption here is that all of the work that the ccg 
  and w3c has done, the trust mechanisms in place to secure the 
  communication between the holder and issuer and verifier and 
  issuer, are all assumed to be behind the scenes
  ... it connected with the institution, secured as part of that, 
  did the verification based on the information provided, and once 
  it was deemed fit they provided the credential to her
  ... now you can see it's here to add to the wallet
  ... and now it's in the wallet
  ... the next thing we're going to do is to provide her 
  permanent resident card
  ... you can see how the mobile and desktop versions work and 
  are consistent
  ... now we add another item
  ... you can provide a username and password to login or provide 
  information by a form
  ... let's say she logged in
  ... the connection is established, they provide all their 
  verification and provide the permanent resident card
  ... and jane adds it to wallet
  ... as part of that use case she was asked to provide both of 
  those
  ... from a user experience perspective we really wanted to give 
  the digital wallet interface an ability to create 'packages' - 
  that's your verifiable presentation
  ... here jane is going to click on packages and create a new 
  one
  ... and add her permanent resident card
  ... then we'll click on another item and add her education
  ... she has multiple pieces of information available, her 
  degree and transcripts
  ... she obtained all that from the issuer
  ... we're going to assume they only need the degree
<phil> How is the educational credential represented?  Via a CLR? 
  Or are there a set of credential data model standard payloads? 
  Alternately, is this just a image of the diploma?
  ... when she adds it to the package only her degree is added, 
  not her transcripts
  ... her package has the permanent resident card and her 
  university credential
  ... and click create
  ... one of two things can happen
  ... say jane is going to visit the employer for an interview
  ... at that point she could save the qr code and retrieve it 
  when she sees the employer for the interview, who can scan it and 
  get the information
  ... alternatively, submit remotely
  ... from the mobile application you would scan a qr code that's 
  provided by the employer remotely
  ... let's do that scenario
  ... jane is going to submit her digital package to the employer
  ... she's gonna click share, and provide consent to release her 
  permanent resident card and her degree
  ... her job application will go from pending to sent
  ... the last thing to show is the different ways through this 
  ui/ux of managing your verifiable credential or your packages
  ... you see here there are multiple packages
  ... she has a package for a mortgage refinance
  ... another for an application for a graduate degree
  ... let's assume she completed the mortgage and no longer needs 
  this package
  ... she can delete it
  ... it'll ask to confirm
  ... and it removes it from the list
Lusine Sargsyan:  Our goal is to create the most adaptable user 
  interface and experience design
  ... we kept it consistent between desktop and mobile
  ... as we go through our redesign and refinement to better 
  align with us web design standards we are curious and would like 
  to put this to the community as to what would provide most value
  ... we're open to any questions about the user experience and 
  ui
Ted Thibodeau:  Looking at the interaction windows, the first 
  thing was the login, which on the desktop app asked for email 
  address and on the phone asked for username
  ... blurring those two will be troublesome
  ... i've run into this in different places, it's getting worse
  ... particularly with something like a digital wallet where 
  you're trying to combine identities.. you're going to have logins 
  with their own usernames and email addresses to get details from 
  them
<phil> How are you enabling selective disclosure of a rich set of 
  data in a standard data model payload?
  ... presuming it's stored somewhere at dignari or in the cloud, 
  because it's on all of my devices
  ... maybe I don't want it on all my devices
  ... or maybe not in the cloud, *just* on my device
Jeff Stephens:  Some of the architecture of where data is stored 
  is handled by digital wallet providers
  ... issues to work through there
  ... our challenge was just the ui/ux piece of it
  ... all the underlying wiring of those systems is not what we 
  designed to, it's from a user perspective, how to interact, how 
  to use credentials
<phil> queue+
  ... significant challenges for the solution providers that are 
  building the digital wallet itself
Ted Thibodeau:  I see, this is a mockup of ui/ux with no 
  connection behind it
Alex Jackl:  Thank you for that comment, we want to make sure 
  we're consistent, that's an oversight. You're right
  ... the callouts provided need to be consistent
  ... it's an interesting point - the challenge of these 
  connections to issuers and verifiers, any time we're connecting 
  with an external entity, from a ui/ux perspective our goal is to 
  make it consistent regardless of how you're connecting
  ... that's the challenge
  ... you're right that certain issuers require a username, others 
  require an email
  ... for us to work with the ccg to figure out how to make that 
  easier, that would be how we as ui/ux designers could provide 
  some help there to bridge that
Jeff Stephens:  One of the main intents was to get in front of it 
  and design from a user standpoint even while the tech is being 
  baked behind the scenes
  ... so they can get interest in adopting digital wallet 
  concepts
  ... the pieces they're looking for, the ui/ux design to serve 
  as a bootstrap design package for people that want to build 
  digital wallets
Ted Thibodeau:  The fact that this was a dhs challenge also puts 
  a different spin on it. they want to unify all of my identities and 
  know me wherever I am
  ... I don't want the DHS to know I'm in the rebel alliance, but 
  want that number card in my wallet
Jeff Stephens:  I can't speak for dhs, but i think their position 
  is they don't want to be the digital wallet provider or any sort 
  of authority
  ... just trying to serve as the accelerator for the community
Heather Vescent:  No-one from DHS SVIP is here, but I think he 
  would take umbrage with some of your comments Ted
  ... I don't think your comment about that is fully reflective 
  of the nuances of SVIP's motivation in supporting the work in 
  this space
Manu Sporny:  Thank you for the presentation, fantastic work, 
  loved seeing the ui mockups
  ... one of the things that jumped out at me was the interaction 
  between the wallet and the issuer
  ... there are two interaction paradigms in play
  ... the sovrin/indy interaction paradigm which I think was 
  mocked up
  ... there's also the credential handler / browser based 
  interaction paradigm
  ... they're very different
  ... had you made a decision to use one path vs the other?
  ... and if you were not aware that there was this other 
  interaction paradigm, maybe one of the things we could talk about 
  next time is how that interaction paradigm is different
  ... for example, the uis that you have have this concept of the 
  individual creating the packages
  ... whereas the other has the entity requesting a set of 
  credentials from you
  ... you don't need to know what to put together, they ask for 
  a set of things and you decide whether to share
  ... it's very different
  ... where are you in that thought process?
Jeff Stephens:  That's awesome feedback, we want clarity on that, 
  we are not experts, getting these nuanced pieces of tech from the 
  community is valuable
  ... I didn't know the two interactions but I see what you're 
  saying
  ... driven by the end user or requesting entity as the two 
  interactions
  ... we did from the perspective of the individual because it's 
  a digital wallet
  ... where the entity, would they have a similar concept? I'm 
  going to interact with a number of people
Manu Sporny:  Yes and no, use cases where you might
  ... that's a sideline thing
  ... the main thing I was wondering is that there are a set of 
  dhs videos showing testing of all these wallets
  ... that video is good to look at because it flips the 
  paradigm, it shows you the other paradigm
  ... I get that what you did was individual centric
  ... the other is organisation centric
  ... both legitimate
  ... if we're going to do a good job we need to understand both 
  and when you use one over the other
Alex Jackl:  I didn't see the other videos, thanks
<phil> Can someone (Anil) post the link to the wallet videos that 
  Manu referred to?
  ... from our perspective we went with the concept of providing 
  the optimal control for the holder
  ... I think what we're learning is from a ui/ux we have to 
  provide the capability or guidance to support not only the holder 
  creating the package but the issuer/verifiers having that ability
<heathervescent> This is an opportunity to have clear, explicit 
  use cases.
  ... from the ui/ux perspective we can create designs to support 
  both
  ... this could be an opportunity for us in the community to 
  have explicit use cases
Adrian Gropper:  Thank you very much for tackling these things
  ... the fact that your demonstration is so thorough in 
  addressing different components moves us to the point manu made
  ... I struggled with building wireframes
  ... from the subject's perspective
  ... a question I have in seeing your demo is I expect that 
  people will not be familiar with this duality that manu has 
  mentioned
  ... specifically they will not understand when qr codes are 
  used other than in an airline boarding situation
  ... using the qr codes in any other way is going to have to be 
  presumably explained
  ... this is a question.. how we deal with this duality
  ... sometimes the qr code is a request and sometimes a 
  presentation
  ... this overlaps with manu's point
  ... then the related point has to do with the form that you 
  showed
  ... again, very good that you put it in there because it shows 
  the reality of the situation
  ... in that case the user needs to be clear as to whether the 
  information on the form is going directly to the issuer or the 
  verifier
  ... in the oauth sense you kind of know when you look who you 
  are talking to, what domain you are entering the information to
  ... whether you had this problem or understand it as a privacy 
  issue when it comes to introducing these forms into the app
Jeff Stephens:  It's true that a lot of these concepts are new 
  and strange to common users
<tallted> Verifier -- needs ability to request collection ; 
  Holder -- needs ability to request (from issuer or other holders) 
  or assemble (for verifier or other holders) collection ; Issuer 
  -- needs ability to assemble collection ; where "collection" is 
  "package" or "verifiable presentation"
  ... more instructions might need to be put into the UI
  ... to provide guidance on what they're looking at or what the 
  ramifications are
<mprorock> have to jump for another call, but wanted to call out 
  to Jeff and company that this is awesome and the work is much 
  appreciated
Phil Long:  Great presentation
  ... seeing the wireframes allows us to ask better questions
  ... manu was getting at the question of being able to use 
  selective disclosure
  ... so you can create a presentation containing only the things 
  you want disclosed
Ted Thibodeau: +1 Selective disclosure
<nate_otto_(@ottonomy)_badgr/csky> * though make sure to 
  disambiguate selective disclosure of claims from a single 
  credential vs selecting which credentials form a presentation.
  ... so I was sort of expecting to see mechanisms in the UI to 
  take that complex activity and make it easy for the individual 
  to pick the stuff they'd like to convey
  ... I didn't see that, want to emphasise that seems like an 
  important dimension
  ... The data models we have to choose from, there was no 
  reference to the different sorts of packages that these 
  credentials were being conveyed in
  ... these things are useful because they have richer ability to 
  convey information about what a person has learned and can do
  ... which is a tremendous benefit other than I got a degree or 
  not
  ... one of the benefits we hope for is to enable the individual 
  to have that expressive ability to describe elements of their 
  assertion
  ... I didn't see any reference into I got a degree, just an 
  image of a diploma
<tallted> random related concern -- university VC about degree 
  may include year of attainment -- which hints at subject's *age* 
  which can feed into discrimination issues, so may not be desired 
  as inclusion in disclosure...
  ... was curious to know whether that's in a second phase of 
  consideration or just wasn't the choice of the data model that 
  the different VCs may have, wasn't anywhere referenced in the 
  choice of what i had as a user
Jeff Stephens:  We tried to show selective disclosure with the 
  degree
  ... you can choose just the degree or add in the transcripts
  ... you can select which part of the data to release
  ... that was our interpretation, don't know if that was enough
Phil Long:  The data models are typically much richer than that
  ... like evidence of work
  ... that was a hint of the first level of adding
  ... additional work could expand that
Jeff Stephens:  If we get a degree, there's a set in the data 
  model with attributes you could select from
Alex Jackl:  We have seen cases where down to the attribute level 
  giving the holder control, part of the assumption here is from 
  the user's perspective the challenge becomes what can you present 
  that makes sense to the user
  ... although you saw the picture of the diploma doesn't mean 
  the information sent was a picture
  ... the qr code can represent information that allows the 
  verifier to go to the issuer and retrieve the diploma and 
  related information
  ... it's a delicate balance with what we show to a user
  ... if you show a user a ton of information and checkboxes and 
  have to ask what to select, it becomes a challenge for the user
  ... but very much an important part
  ... this is where we love to get input from the ccg - what kind 
  of things do we have to present to the user with regards to 
  selective disclosure/ do we have to get down to the attribute 
  level?
Heather Vescent:  This was a great discussion and we have a 
  vibrant q
  ... I was so impressed by this work and the user perspective
<phil> Interesting - one of the design goals of the VC model is 
  disintermediation of the issuer and the need to go back to them 
  for verification of assertions.
  ... it reminded me of some work that some of us worked in with 
  swift, eu banking consortium, 8 years ago
  ... one of the main concepts of that back then was that users 
  have data all over the web
  ... even though it's data about ourselves, it's not necessarily 
  stuff we control
  ... the digital asset grid was the concept of a wallet where 
  you could go out and make connections to all our data
  ... your wallet was a control panel and you could choose how to 
  share data about yourself
  ... i'd forgotten about this project, but here it is, the UI, 
  the concept
  ... all of us in this community are working on the technology
Wayne Chang:  Want to highlight two work item opportunities
  ... how we use out of band comms such as qr codes - what's a 
  standard way to include connection information, what should a 
  wallet support
  ... there has been some work in the aries community
  ... great potential work item
  ... and also being able to take a page out of the accessibility 
  guidelines from w3c which have been adopted worldwide in terms of 
  how to have accessible access to the web
  ... can we tailor some notions of that to users working with 
  credentials
  ... having some guidelines like that could help a lot to help 
  the standard experience, allowing more interop and for users to 
  have choice
Nate Otto:  When we talk about selective disclosure we should not 
  confuse selective disclosure within a single credential vs 
  allowing a user to select which credentials go into a 
  presentation, ux for those concepts might be different
Jeff Stephens:  Thank you for the great questions, just what we 
  needed
  ... what we'd like to do is send you a link to the youtube 
  video so people can visit later
  ... and send the presentation over and some questions and let 
  the community tear at it offline
Heather Vescent:  That's great, we can discuss on the mailing 
  list
  ... thank you jeff, lusine and alex for presenting
<cel> thank you

Received on Thursday, 3 December 2020 19:51:39 UTC