- From: W3C CCG Chairs <w3c.ccg@gmail.com>
- Date: Thu, 03 Dec 2020 11:51:22 -0800 (PST)
Thanks to Amy Guy for scribing this week! The minutes for this week's Credentials CG telecon are now available:

https://w3c-ccg.github.io/meetings/2020-12-01

Full text of the discussion follows for W3C archival purposes. Audio from the meeting is available as well (link provided below).

----------------------------------------------------------------
Credentials CG Telecon Minutes for 2020-12-01

Agenda:
  https://lists.w3.org/Archives/Public/public-credentials/2020Nov/0127.html
Topics:
  1. Introductions and reintroductions
  2. announcements and reminders
  3. Jeff Stephens and Dignari team
Organizer:
  Heather Vescent and Wayne Chang and Kim Hamilton Duffy
Scribe:
  Amy Guy
Present:
  Heather Vescent, Kim Hamilton Duffy, Wayne Chang, Chris Winczewski, Amy Guy, Manu Sporny, Joe Andrieu, Charles E. Lehner, Dmitri Zagidulin, Ryan Grant, Ted Thibodeau, Adrian Gropper, Jeff Orgel, Orie Steele, Erica Connell, Mike Prorock, George Lund, Kaliya Young, Jeff Stephens, Alex Jackl, Lusine Sargsyan, Phil Archer, Kayode Ezike, Phil Long, Nate Otto
Audio:
  https://w3c-ccg.github.io/meetings/2020-12-01/audio.ogg

Heather Vescent: Minutes: https://w3c-ccg.github.io/meetings/
Heather Vescent: https://docs.google.com/document/d/1LkqZ10z7FeV3EgMIQEJ9achEYMzy1d_2S90Q_lQ0y8M/edit#
Amy Guy is scribing.

Topic: Introductions and reintroductions

Heather Vescent: Do we have anyone new who would like to introduce themselves?
  ... add yourself to the q, or just pipe up
George Lund: I work for the government digital service in the UK and I'm joining for the first time
Chris Winczewski: Formerly with Learning Machine, Learning Machine was acquired by Hyland Software earlier this year, we're working within that group
  ... I missed IIW this year, but have been around in the groups for a while

Topic: announcements and reminders

Heather Vescent: Announcements: https://w3c-ccg.github.io/announcements/
Heather Vescent: There are 3 task forces that are meeting, VCs for education on mondays, DID resolution on mondays, confidential storage calls on thursdays https://github.com/w3c-ccg/community/issues/168
Wayne Chang: I want to announce the proposal for an infrastructure task force
  ... the meeting infra we're talking about now took a lot of effort and will continue to take effort to maintain
  ... how can we resource this in terms of time and finance?
  ... so chairs can be freed up to focus on other priorities
  ... the task force is an attempt at an inclusive way to address this
  ... if you're interested in helping to set up infrastructure or maintain it, this is a way to get involved
  ... there is some interest so far
  ... feel free to learn more on github
  ... the next announcement is that the nomination period for the W3C technical architecture group
  ... some people in this group have self nominated
  ... it's important for us to have our technical concerns and understanding influence the W3C standards development
  ... anyone else from this ecosystem who wants to self nominate and step up, it's very useful to build that connective tissues to the rest of the WGs at the w3c
  ... and other groups such as ietf etc
  ... I'm not so partial as to who in our community steps up, but I think it's useful if someone from our community has a voice
Heather Vescent: Action Items: https://github.com/w3c-ccg/community/issues?q=is%3Aopen+is%3Aissue+label%3A%22action%3A+review+next%22
Heather Vescent: Do you have anything else you want to talk about for the infrastructure task force?
Wayne Chang: I said the piece I needed to on that
  ... happy to take questions
Manu Sporny: To speak to what wayne said about the Technical Architecture Group
  ... for those of you not familiar with what the w3c TAG does, they effectively set the design requirements for the entirety of the web
  ... what we want the web to become is partly from an architectural perspective the TAG's job
  ... people on the TAG are supposed to be there as individuals first
  ... it's not supposed to be representing a company, but the people of the Web and what's best for the Web
  ... it is very high level architectural position and it has broad ramifications around the work that w3c does
  ... I wanted to +1 wayne for running and amy for running, I think they would bring what our group does into the thought process around what the future of the web looks like
  ... which is a really great thing to do
  ... the other thing to note is that multiple seats open up, so we could find ourselves in a situation where both wayne and amy are on the TAG and that would be really great for this community
  ... all that to say, the people that vote are the w3c members, the AC reps who vote, so be aware that that election is happening
  ... I believe the timeline is nominations in the next couple of days and a voting period for about a month, and the term starts in February
Heather Vescent: Anyone else have any questions or comments on the infrastructure task force?
  ... My concern is that, while I appreciate all the efforts, I believe the technical solution creates an obstacle for participation for folks that are not currently participating in this community
  ... I want to ask that the task force includes not the usual suspects to gather feedback and usage data that it includes people that would like to participate from the fringe, geographic timezones, different language structures, from different skillsets, that are not just from a technical background
  ... but also from design, anthropological, ux, marketing and usability, not just technical folks
  ... because I would like to see the importance of having a meeting infra that's accessible is an improvement in the work we do here
  ... and to date I still see technical obstacles being raised with our current system
Wayne Chang: I agree
  ... that there are things that have to do with running the infra that require no ability to write code or even use git and if we're able to convert more responsibilities toward that that is definitely a win
  ... for example being able to help with the notes and publishing them and clean them up, that shouldn't require anyone to enter a commandline if they're not used to it
  ... strive towards creating modes of engagement that don't require a technical background so the surface area of upholding the community can be spread over more people who are interested
  ... if you're interested in contributing, technical or not, comment on github or talk in the mailing list
Heather Vescent: I want to alert the community to 2 activities happening in the chair infrastructure
  ... we're doing some succession planning
  ... kim has been one of the most phenomenal chairs, but will be moving on next year
  ... we want to capture everything and onboard new chairs
Heather Vescent: https://github.com/w3c-ccg/community/issues/165
  ... there was some documentation but not a lot
  ... I've been working on creating a job description and instruction manual for what chairs do
  ... this is everything the job requires
  ... including running minutes, meetings, speakers, the work items, process
  ... a lot of these processes have been wrapped up
  ... we're putting the documentation together
  ... we're at a point where the chairs are reviewing this but will be sharing it with you
  ... having a job description will be very useful when we do have an open call for a new chair
Heather Vescent: https://github.com/w3c-ccg/community/issues/164
  ... The other thing I want to alert the community to is task for documentation
  ... there's been a lot of interest in having task forces in the ccg
  ... as a sub meeting of the ccg
  ... we've had various folks approach us to start task forces
  ... all of our task forces to date have evolved out of this meeting
  ... seemed like it was appropriate to put together some more formal task force process docs and an faq
  ... so I've been working on that
  ... to define the taskforce scope, the relationship with the main meetings, responsibilities of minutes etc
  ... we are looking to formalise that information
  ... it's a draft that the chairs will be reviewing and we'll share it
  ... if you are interested in participating or contributing to either the job description, activities that chairs do or task force please get in touch with me
  ... I'm driving the draft of these
  ... any questions?

Topic: Jeff Stephens and Dignari team

Heather Vescent: If you joined the wallet meeting a month ago you might have seen some of their work
  ... today Jeff and team are going to give an overview of the work they did
  ... I was really impressed in particular by their work because in my mind it really involves the entire team and ways of thinking about things
Jeff Stephens: Thank you for the opportunity to join the meeting today
  ... Dignari was formed in 2013, a woman-owned small business in washington dc
  ... we provide services like program strategy, data science, analytics, as well as ui/ux and human centered design
  ... we dabble in a number of areas, a long history in identity management
  ... we have the technical side as well as the ui/ux side
  ... allowed us to join forces
  ... here with a couple of my colleagues, I'm jeff stephens, the chief technology officer
Alex Jackl: I'm a solution architect
Lusine Sargsyan: I'm the creative director, focusing on ui/ux
Jeff Stephens: We're going to show you the screens that we came up with, the experience for a digital wallet
  ... alex is going to go through some use cases
  ... then we'll field some questions
Alex Jackl: One of the things we wanted to do, we decided to give you a presentation in real time
  ... we'll make available the video that was shared with the community event with svip
  ... this gives us an opportunity to walk through it together
  ... and to take some of the feedback we got from that community event and show you ways we've updated as a result of that
  ... we presented this thing at the end of october
  ... and submitted it in mid october for the DHS digital wallet challenge
  ... this is our branding scheme for the digital wallet
  ... a colour scheme rendering of your desktop application and mobile application
  ... the first thing an individual is going to do is to create an account
  ... you provide basic information, username and password
  ... this would be where you present your EULA agreement and agree to that
  ... once the account is created you have the ability to log in with that username and password and update to use biometric or any identity assurance capability
  ... there's also potentially a link down here that would provide disclosures and privacy policies
  ... let's assume jane r user is logging in
  ... on the desktop there are 9 identity domains
  ... the areas where you can group the verifiable credentials that you want to add
  ... here's a rendering of the same information in the mobile app
  ... in her educational part is a copy of her degree
  ... in any of these identity domains, the same interface occurs
  ... you click, see any credentials, and there's a + sign to add additional credentials
  ... as we looked at the digital wallet challenge, one of the keys for us was the way you access information is consistent for the user
  ... whether it's your legal identity or education information you're doing everything the same way
  ... even the presentation is similar
  ... for the DHS digital wallet challenge we were presented with a single use case
  ... jane is applying for a job and as part of the application the employer has asked for a permanent resident card and her degree
  ... the first thing that jane has to do is go to the issuers and obtain these verifiable credentials from her educational institution and USCIS
  ... first thing is to get degree information from her university
<phil> What I don't see in the categories of credentials are assertions about work such as those emerging from HR Open, e.g., Work History. Or Salary History. etc. Are the groupings arbitrary, and more can be created?
  ... you can see that when she selects adding an education degree to her wallet she can fill out information that lets them look her up
  ... if she already has a login to the university she can use that
  ... for further capabilities down the road, if institutions or issues are doing biometric verification that can be incorporated
  ... for the demo, for jane's request, we assume she fills out this form and submits the request
  ... the assumption here is that all of the work that the ccg and w3c has done, the trust mechanisms in place to secure the communication between the holder and issuer and verifier and issuer, are all assumed to be behind the scenes
  ... it connected with the institution, secured as part of that, did the verification based on the information provided, and once it was deemed fit they provided the credential to her
  ... now you can see it's here to add to the wallet
  ... and now it's in the wallet
  ... the next thing we're going to do is to provide her permanent resident card
  ... you can see how the mobile and desktop versions work and are consistent
  ... now we add another item
  ... you can provide a username and password to login or provide information by a form
  ... let's say she logged in
  ... the connection is established, they provide all their verification and provide the permanent resident card
  ... and jane adds it to wallet
  ... as part of that use case she was asked to provide both of those
  ... from a user experience perspective we really wanted to give the digital wallet interface an ability to create 'packages' - that's your verifiable presentation
  ... here jane is going to click on packages and create a new one
  ... and add her permanent resident card
  ... then we'll click on another item and add her education
  ... she has multiple pieces of information available, her degree and transcripts
  ... she obtained all that from the issuer
  ... we're going to assume they only need the degree
<phil> How is the educational credential represented? Via a CLR? Or are there a set of credential data model standard payloads? Alternately, is this just a image of the diploma?
  ... when she adds it to the package only her degree is added, not her transcripts
  ... her package has the permanent resident card and her university credential
  ... and click create
  ... one of two things can happen
  ... say jane is going to visit the employer for an interview
  ... at that point she could save the qr code and retrieve it when she sees the employer for the interview, who can scan it and get the information
  ... alternatively, submit remotely
  ... from the mobile application you would scan a qr code that's provided by the employer remotely
  ... let's do that scenario
  ... jane is going to submit her digital package to the employer
  ... she's gonna click share, and provide consent to release her permanent resident card and her degree
  ... her job application will go from pending to sent
  ... the last thing to show is the different ways through this ui/ux of managing your verifiable credential or your packages
  ... you see here there are multiple packages
  ... she has a package for a mortgage refinance
  ... another for an application for a graduate degree
  ... let's assume she completed the mortgage and no longer needs this package
  ... she can delete it
  ... it'll ask to confirm
  ... and it removes it from the list
Lusine Sargsyan: Our goal is to create the most adaptable user interface and experience design
  ... we kept it consistent between desktop and mobile
  ... as we go through our redesign and refinement to better align with US web design standards we are curious and would like to put this to the community as to what would provide most value
  ... we're open to any questions about the user experience and ui
Ted Thibodeau: Looking at the interaction windows, the first thing was the login, which on the desktop app asked for email address and on the phone asked for username
  ... blurring those two will be troublesome
  ... i've run into this in different places, it's getting worse
  ... particularly with something like a digital wallet where you're trying to combine identities.. you're going to have logins with their own usernames and email addresses to get details from them
<phil> How are you enabling selective disclosure of a rich set of data in a standard data model payload?
  ... presuming it's stored somewhere at dignari or in the cloud, because it's on all of my devices
  ... maybe I don't want it on all my devices
  ... or maybe not in the cloud, *just* on my device
Jeff Stephens: Some of the architecture of where data is stored is handled by digital wallet providers
  ... issues to work through there
  ... our challenge was just the ui/ux piece of it
  ... all the underlying wiring of those systems is not what we designed to, it's from a user perspective, how to interact, how to use credentials
<phil> queue+
  ... significant challenges for the solution providers that are building the digital wallet itself
Ted Thibodeau: I see, this is a mockup of ui/ux with no connection behind it
Alex Jackl: Thank you for that comment, we want to make sure we're consistent, that's an oversight. You're right
  ... the callouts provided need to be consistent
  ... it's an interesting point - the challenge of these connections to issuers and verifiers, any time we're connecting with an external entity, from a ui/ux perspective our goal is to make it consistent regardless of how you're connecting
  ... that's the challenge
  ... you're right that certain issues require a username, others require an email
  ... for us to work with the ccg to figure out how to make that easier, that would be how we as ui/ux designers could provide some help there to bridge that
Jeff Stephens: One of the main intent was to get in front of it and design from a user standpoint even while the tech is being baked behind the scenes
  ... so they can get interest in adopting digital wallet concepts
  ... the pieces they're looking for, the ui/ux design to serve as a bootstrap design package for people that want to build digital wallets
Ted Thibodeau: The fact that this was a dhs challenge also puts a different spin on it. they want to unify all of my identities and know me wherever I am
  ... I don't want the DHS to know I'm in the rebel alliance, but want that number card in my wallet
Jeff Stephens: I can't speak for dhs, but i think their position is they don't want to be the digital wallet provider or any sort of authority
  ... just trying to serve as the accelerator for the community
Heather Vescent: No-one from DHS SVIP is here, but I think he would take umbrage with some of your comments Ted
  ... I don't think your comment about that is fully reflective of the nuances of SVIP's motivation in supporting the work in this space
Manu Sporny: Thank you for the presentation, fantastic work, loved seeing the ui mockups
  ... one of the things that jumped out at me was the interaction between the wallet and the issuer
  ... there are two interaction paradigms in play
  ... the sovrin/indy interaction paradigm which I think was mocked up
  ... there's also the credential handler / browser based interaction paradigm
  ... they're very different
  ... had you made a decision to use one path vs the other?
  ... and if you were not aware that there was this other interaction paradigm, maybe one of the things we could talk about next time is how that interaction paradigm is different
  ... for example, the uis that you have have this concept of the individual creating the packages
  ... whereas the other has the entity requesting a set of credentials from you
  ... you don't need to know what to put together, they ask for a set of things and you decide whether to share
  ... it's very different
  ... where are you in that thought process?
Jeff Stephens: That's awesome feedback, we want clarity on that, we are not experts, getting these nuanced pieces of tech from the community is valuable
  ... I didn't know the two interactions but I see what you're saying
  ... driven by the end user or requesting entity as the two interactions
  ... we did from the perspective of the individual because it's a digital wallet
  ... where the entity, would they have a similar concept? I'm going to interact with a number of people
Manu Sporny: Yes and no, use cases where you might
  ... that's a sideline thing
  ... the main thing I was wondering is that there are a set of dhs videos showing testing of all these wallets
  ... that video is good to look at because it flips the paradigm, it shows you the other paradigm
  ... I get that what you did was individual centric
  ... the other is organisation centric
  ... both legitimate
  ... if we're going to do a good job we need to understand both and when you use one over the other
Alex Jackl: I didn't see the other videos, thanks
<phil> Can someone (Anil) post the link to the wallet videos that Manu referred to?
  ... from our perspective we went with the concept of providing the optimal control for the holder
  ... I think what we're learning is from a ui/ux we have to provide the capability or guidance to support not only the holder creating the package but the issuer/verifiers having that ability
<heathervescent> This is an opportunity to have clear, explicit use cases.
  ... from the ui/ux perspective we can create designs to support both
  ... this could be an opportunity for us in the community to have explicit use cases
Adrian Gropper: Thank you very much for tackling these things
  ... the fact that your demonstration is so thorough in addressing different components moves us to the point manu made
  ... I struggled with building wireframes
  ... from the subject's perspective
  ... a question I have in seeing your demo is I expect that people will not be familiar with this duality that manu has mentioned
  ... specifically they will not understand when qr codes are used other than in an airline boarding situation
  ... using the qr codes in any other way is going to have to be presumably explained
  ... this is a question.. how we deal with this duality
  ... sometimes the qr code is a request and sometimes a presentation
  ... this overlaps with manu's point
  ... then the related point has to do with the form that you showed
  ... again, very good that you put it in there because it shows the reality of the situation
  ... in that case the user needs to be clear as to whether the information on the form is going directly to the issuer or the verifier
  ... in the oauth sense you kind of know when you look who you are talking to, what domain you are entering the information to
  ... whether you had this problem or understand it as a privacy issue when it comes to introducing these forms into the app
Jeff Stephens: It's true that a lot of these concepts are new and strange to common users
<tallted> Verifier -- needs ability to request collection ; Holder -- needs ability to request (from issuer or other holders) or assemble (for verifier or other holders) collection ; Issuer -- needs ability to assemble collection ; where "collection" is "package" or "verifiable presentation"
  ... more instructions might need to be put into the UI
  ... to provide guidance on what they're looking at or what the ramifications are
<mprorock> have to jump for another call, but wanted to call out to Jeff and company that this is awesome and the work is much appreciated
Phil Long: Great presentation
  ... seeing the wireframes allows us to ask better questions
  ... manu was getting at the question of being able to use selective disclosure
  ... so you can create a presentation containing only the things you want disclosed
Ted Thibodeau: +1 Selective disclosure
<nate_otto_(@ottonomy)_badgr/csky> * though make sure to disambiguate selective disclosure of claims from a single credential vs selecting which credentials form a presentation.
  ... so I was sort of expecting to see mechanisms in the UI to take that complex activity and make it easy for the individual to pick the stuff they'd like to convey
  ... I didn't see that, want to emphasise that seems like an important dimension
  ... The data models we have to choose from, there was no reference to the different sorts of packages that these credentials were being conveyed in
  ... these things are useful because they have richer ability to convey information about what a person has learned and can do
  ... which is a tremendous benefit other than I got a degree or not
  ... one of the benefits we hope for is to enable the individual to have that expressive ability to describe elements of their assertion
  ... I didn't see any reference into I got a degree, just an image of a diploma
<tallted> random related concern -- university VC about degree may include year of attainment -- which hints at subject's *age* which can feed into discrimination issues, so may not be desired as inclusion in disclosure...
  ... was curious to know whether that's in a second phase of consideration or just wasn't the choice of the data model that the different VCs may have, wasn't anywhere referenced in the choice of what i had as a user
Jeff Stephens: We tried to show selective disclosure with the degree
  ... you can choose just the degree or add in the transcripts
  ... you can select which part of the data to release
  ... that was our interpretation, don't know if that was enough
Phil Long: The data models are typically much richer than that
  ... like evidence of work
  ... that was a hint of the first level of adding
  ... additional work could expand that
Jeff Stephens: If we get a degree, there's a set in the data model with attributes you could select from
Alex Jackl: We have seen cases where down to the attribute level giving the holder control, part of the assumption here is from the user's perspective the challenge becomes what can you present that makes sense to the user
  ... although you saw the picture of the diploma doesn't mean the information sent was a picture
  ... the qr code can represent information that allows the verifier to go to the issuer and retrieve the diploma and related information
  ... it's a delicate balance with what we show to a user
  ... if you show a user a ton of information and checkboxes and have to ask what to select, it becomes a challenge for the user
  ... but very much an important part
  ... this is where we love to get input from the ccg - what kind of things do we have to present to the user with regards to selective disclosure/ do we have to get down to the attribute level?
Heather Vescent: This was a great discussion and we have a vibrant q
  ... I was so impressed by this work and the user perspective
<phil> Interesting - one of the design goals of the VC model is disintermediation of the issuer and the need to go back to them for verification of assertions.
  ... it reminded me of some work that some of us worked in with swift, eu banking consortium, 8 years ago
  ... one of the main concepts of that back then was that users have data all over the web
  ... even though it's data about ourselves, it's not necessarily stuff we control
  ... the digital asset grid was the concept of a wallet where you could go out and make connections to all our data
  ... your wallet was a control panel and you could choose how to share data about yourself
  ... i'd forgotten about this project, but here it is, the UI, the concept
  ... all of us in this community are working on the technology
Wayne Chang: Want to highlight two work item opportunities
  ... how we use out of band comms such as qr codes - what's a standard way to include connection information, what should a wallet support
  ... there has been some work in the aries community
  ... great potential work item
  ... and also being able to take a page out of the accessibility guidelines from w3c which have been adopted worldwide in terms of how to have accessible access to the web
  ... can we tailor some notions of that to users working with credentials
  ... having some guidelines like that could help a lot to help the standard experience, allowing more interop and for users to have choice
Nate Otto: When we talk about selective disclosure we should not confuse selective disclosure within a single credential vs allowing a user to select which credentials go into a presentation, ux for those concepts might be different
Jeff Stephens: Thank you for the great questions, just what we needed
  ... what we'd like to do is send you a link to the youtube video so people can visit later
  ... and send the presentation over and some questions and let the community tear at it offline
Heather Vescent: That's great, we can discuss on the mailing list
  ... thank you jeff, lusine and alex for presenting
<cel> thank you
Received on Thursday, 3 December 2020 19:51:39 UTC