- From: W3C CCG Chairs <w3c.ccg@gmail.com>
- Date: Wed, 15 Jul 2020 12:27:29 -0700 (PDT)
Thanks to Dave Longley for scribing this week! The minutes for this week's Credentials CG telecon are now available: https://w3c-ccg.github.io/meetings/ 2020-07-14 Full text of the discussion follows for W3C archival purposes. Audio from the meeting is available as well (link provided below). ---------------------------------------------------------------- Credentials CG Telecon Minutes for 2020-07-14 Agenda: https://lists.w3.org/Archives/Public/public-credentials/2020Jul/0011.html Topics: 1. Introductions and reintroductions 2. Announcements and Reminders 3. Progress on Action Items 4. Round table for what's in the wallet part 2. Organizer: Heather Vescent and Wayne Chang and Kim Hamilton Duffy Scribe: Dave Longley Present: Simone Ravaoli, Wayne Chang, Mike Prorock, Ryan Grant, Nate Otto, Erica Connell, Heather Vescent, Adrian Gropper, Orie Steele, Joe Andrieu, Kerri Lemoie, Daniel Hardman, Joachim Lohkamp, Chris Winczewski, Kim Hamilton Duffy, Kaliya Young, Isaac Patka, Jonathan Holt, Darrell Duane, Dave Longley, Phil Archer, Adam Lemmon, Jantine Derksen, James Chartrand, Andy Thomas, Juan Caballero, Manu Sporny, Dan Burnett, Christopher Allen, Balázs Némethi, Anil John, Dmitri Zagidulin, Nader Helmy, Alen Horvat, Benjamin Young, Brent Zundel, Brent Shambaugh, Dan Pape, David Mason, David I. Lehn, David Ward, Ganesh Annan, Rouven Heck, Sam Curren, Margo Johnson, Jeff Orgel, loveish, Phil Long, Amy Guy, Steve Magennis, Tom S, Tzviya Siegman, Yancy Ribbens Audio: https://w3c-ccg.github.io/meetings/2020-07-14/audio.ogg Simone Ravaoli: (No audio for me today) Heather Vescent: Agenda for today's meeting: https://lists.w3.org/Archives/Public/public-credentials/2020Jul/0011.html Daniel Hardman: My audio says "you are currently the only person in this conference" -- must have wrong dialin? Heather Vescent: Dial in numbers are: US phone: tel:+1.540.274.1034;6306 EU phone: tel:+33.9.74.59.31.06;6306 Daniel Hardman: I figured out my audio problem. All good. Darrell Duane: Darrell here (and just dialed in) Dave Longley: Scribe+ Heather Vescent: Yay Dlongley! Dave Longley is scribing. Topic: Introductions and reintroductions Darrell Duane: Darrell here, heather asked me to come do the digital wallet discussion. Tony: This is my first call. Kim Hamilton Duffy: That's phil-T3 speaking Phil Archer: I've been participating in the other wallet discussions and am new to the group. Isaac Patka: Hi all, Isaac Patka from Bloom. Here to listen in on wallet discussion as we're working on an interop project Daniel Hardman: Hello, this is Daniel Hardman. Jantine Derksen: Hi, Jantinehere from Berlin, just figuring out how to join the audio Topic: Announcements and Reminders Juan Caballero: http://bit.ly/DIF-interop-kickoff Juan Caballero: ^Link to interop session tomorrow Adrian Gropper: Next Wed 21st of July, Kantara will have a Webinar about UMA in healthcare. Wayne Chang: Any other announcements? Topic: Progress on Action Items Kim Hamilton Duffy: https://github.com/w3c-ccg/community/issues/143 Orie Steele: +1 To merging the vc http apis.... so we can make progress... Kim Hamilton Duffy: We just have one progress report item -- merging the VC issuer and verifier HTTP APIs. This was discussed on a call a while back and we're just now getting to it. There were work items tracking two different APIs, issuer/verifier. Kim Hamilton Duffy: There was support among the owners for those items to merge them into a new repo. We're just following up on that. I emailed the descriptions -- we're going to create a new repo, combine the existing issuer/verifier APIs into that. Kim Hamilton Duffy: We have a new baseline spec to update the content to so that will be the new basis for any subsequent discussion. So the work item isn't finished, there's just a new baseline to do edits on. Manu Sporny: +1 To merging -- been waiting for that to happen for a while Kim Hamilton Duffy: We'll update the CCG work item page to merge the items. Kim Hamilton Duffy: This is non-controversial, owners in agreement, just calling it out unless there are any objections. Kim Hamilton Duffy: Add yourself to the queue if you have an objection. Topic: Round table for what's in the wallet part 2. Wayne Chang: https://github.com/w3c-ccg/community/issues/140 Wayne Chang: Setting informal rules -- so we can have more effective communication. We've collected some resources at the link in IRC. Adrian Gropper: Kantara Webinar on UMA in Healthcare https://kantarainitiative.org/kantara-webinar-uma-health-info-interop-user-control-registration-form/ Wayne Chang: If you've agreed to the above you will follow community guidelines for behavior, social rules, etc. There are no set consequences for violating these rules they are just things to keep in mind so we think about how others feel when we communicate. Wayne Chang: These are typically logical/technical discussions but still important to make sure we don't accidentally tear people down, etc. "No actually" that corrects a minor point that isn't the main point or isn't that relevant to the conversation ... Wayne Chang: If you say "Oh, you didn't know about this thing?" That's not productive either and alienating for people who are trying to learn, etc. Wayne Chang: No back seat driving, if two people are having a discussion here, we use the queue to avoid this usually, but don't chime in without using the queue/don't interrupt. Orie Steele: Can we just link directly to the code of conduct, so people can read it on their own time / from the meeting minutes? Balázs Némethi: Wayne, CCG, DIF has worked a lot on a Code of Conduct that is under OS licenses to use by other orgs. Balázs Némethi: https://github.com/decentralized-identity/org/blob/master/code-of-conduct.md Wayne Chang: Don't say things like "windows is so easy to use, your mom can use it" -- Moms are tech savvy -- Moms are people too! Don't stereotype and stereotypes can be quite wrong. Heather Vescent: @Orie_ and https://github.com/w3c-ccg/community/issues/140 Balázs Némethi: We would be very happy if CCG would consider taking a deeper look at it Dan Burnett: W3C also has a code of conduct https://w3c.github.io/PWETF/ Wayne Chang: If you are not speaking, please mute! thanks Kaliya Young: This is primarily the work we did in the group for while. We took 27 responses and sorted them, we found a range of meaning that people had in their definitions. For wallets specifically, 12 of the definitions highlighted that it was about key/secret storage. Kaliya Young: Next most common was that they stored credentials, next highest was that they aided with agent control. Juan Caballero: I believe this is the slide deck, not sure if it's the newest version tho: Juan Caballero: https://docs.google.com/presentation/d/1gIEPmbtLNVuaHxdawGBe6ZwFqP43m7iqmIEeUUm3sjI/edit#slide=id.g752184a474_0_4 Wayne Chang: Nice Kaliya Young: Facilitated storing keys/secrets/vcs often controlled by an agent. The meaning that folks had in between ... Lost identitywoman's audio for a minute there. Kaliya Young: Agents may have wallets, agents let you work with and connect to wallets and agents support delegation and back up wallets. Kaliya Young: This definition that we came up with about wallets feels good. Juan Caballero: Rage- Orie Steele: https://github.com/transmute-industries/universal-wallet Orie Steele: My summary is going to be something... I will talk about things I presented here in the hyperledger identity group and aries call. We proposed a universal wallet spec work item. It attempts to describe what's in wallets. My five minutes will be on that and what people organize and store in wallets today. Orie Steele: It links to existing specs in the wild, VC, DID specs, etc. We've seen in the hyperledger community, schemas, connections, pairwise connectors, people think about payments and fiat currency or other cryptocurrency/token wallets. Orie Steele: Bitcoin wallets, that sort of thing. What we've tried to do with this universal wallet spec is to describe the way people are using wallets. Orie Steele: You can think of it by analogy with what's in your physical wallet today. Maybe a few dollars or none or some other currency. Identity documents, coupons, maybe specific types of credentials like healthcare/insurance cards. Orie Steele: Other things related to your family might be in there. Orie Steele: I learned this from SICPA, hopefully they can share on a future call. People share sensitive things in their wallets that aren't necessarily credential stuff. Orie Steele: https://medium.com/transmute-techtalk/nfc-dids-6d56fda45831 Orie Steele: But here, it's relationships with crypto keys, secrets, VCs, so on. Orie Steele: We have a blog post about our work with the Tangem cards. Orie Steele: It's about transferring VCs with hardware backed cards over NFC, etc. Sometimes the key material doesn't exist in the wallet itself. Orie Steele: Tangem provides a hardware based key -- sometimes you can port keys from one wallet to another and still issue VCs by using those cards. PIV cards, etc. physical cards people store in their wallet and you can move meta data about key materials without having to move the key material itself. Orie Steele: There are also Yubikeys, other key/web mechanisms, Amazon key management software, there are ways to manage keys where the key material isn't in the wallet itself. Orie Steele: The point of this spec is to describe what people are doing and to provide data models for portability. Orie Steele: And to describe a set of interfaces for questions like: If I move from Wallet A to Wallet B, will I still be able to use these things in my Wallet A? Orie Steele: I yield back the remainder of my time. Wayne Chang: We're working on a better infrastructure for meetings this summer. Daniel Hardman: Here are the slides that I'm going to talk to: https://j.mp/3e4HuAw Wayne Chang: Daniel Hardman is up next. Daniel Hardman: Slide link is in IRC, 5 slides. Daniel Hardman: The basic message is that I feel like a wallet is an intersection of design tension. Physical wallets aren't a great multipurpose container, can put some things in it, not others. Daniel Hardman: You can put a physical key in there, but lots isn't great. We don't expect a wallet to contain all of our assets, or our transaction history, or our bank account. It's still not uncommon to see wallets that are stuffed. Daniel Hardman: I think that's because wallets are super convenient and it's tempting to use them. Daniel Hardman: I'm here to admit the fuzziness, not to provide a definition. Daniel Hardman: There are two graphs ... about sensitivity of data. Different degrees of sensitivity for the data and the stakes for exposing the data is different. Daniel Hardman: Other graphic is about data size and richness. Daniel Hardman: Two axes, two dimensional view, I'm claiming data that is highly rich and very large, a genome is an extreme example there. On the other extreme there is super small and not very rich like a cryptographic key. Daniel Hardman: There are also all types of data related to SSI. There's more than 14 obviously, but these are interesting for test cases. Orie Steele: Great question regarding presentations Daniel Hardman: Would we put a biometric template in a wallet, I don't know, would presentations from others go in wallet, I don't know. Maybe things at the bottom of the list don't go in a wallet, it's debatable. Anil John: Given all the good discussions & materials on Digital Wallets that is happening at the CCG, it would be good if there was landing page off https://www.w3.org/community/credentials/ that aggregates and provides pointers to all of this goodness! Nader Helmy: Feels like health records would fall under “held credentials” Daniel Hardman: The next slide is making the point that wallets and remoteness is interesting ... some secrets can be remote and others can't. You must have a secret that unlocks the remoteness. Orie Steele: These slides are really great... this is excellent Daniel Hardman: One of these characteristics is that the wallet is local. It could be in a database off of the current machine, that's not what I mean by local, you can access it without extra work is more like what I mean. Daniel Hardman: A wallet is not just a mobile app, there could be paper versions of wallets. A wallet is a locus of control in the "DID controller" sense. There's a complicated relationship in that sense, there's an interesting nexus there. Daniel Hardman: Please wrap up, thank you! [scribe assist by Wayne Chang] Daniel Hardman: Backup and replication are there. Replicating wallets is interesting because never copying private keys may cause some differences. Wallets may be subdivided by work vs. personal or by identities like parents vs. children. Daniel Hardman: A wallet is certainly a hacking target. Daniel Hardman: The last observation on this slide is that a wallet is not necessarily in a containment relationship with all the things it's associated with -- it may just reference data that it doesn't contain in the most literal sense. Daniel Hardman: "What's *in* a wallet" the word "in" is worth thinking about. Daniel Hardman: My sixth slide is where I wanted to end up so go look at it. Darrell Duane: Darrell's deck - https://docs.google.com/presentation/d/1shW4GzjG0HE2uxLCcYdSkaG-nCRBVZrwRFpa8Gs709U/edit?usp=sharing Orie Steele: Yes, the last slide is critical... its about how wallets relate to other ecosystem components like hubs and vaults. Darrell Duane: I'm going to be talking about a report we pushed out last year. Created for two reasons, address concerns over ambiguity of what a digital wallet is. One report is a public report -- link in the chat. Another is a business strategy report. Darrell Duane: There was a lot of handwaving that wallets mean a lot of different things to different people. "Oh the wallet will do that" is too much handwaving. Darrell Duane: We went over ~300 projects, lots of discussion. Deep dived, we covered "what are the capabilities of a wallet", from a user/enterprise perspective not a dev one. Darrell Duane: What stuff do we put in a wallet, enterprise specific concerns, multiperson/organization concerns. Cryptocurrencies vs. layman's term for a wallet. We covered the state of tech as of March 2019. Darrell Duane: Lots of progress in some areas and not so much in others. Darrell Duane: We identified immediately the user experience is the biggest problem. Darrell Duane: Update on what we've learned since. The wallets in the wild and being used by non-techies -- people just using apps to do their work. These are single credential/single connection types of apps. I've been at an advising role at CULedger -- most apps have been single credential, etc. These have been dead simple use cases. Darrell Duane: Other key thing that Daniel hit on -- backup/recovery is terrifying on a mere mortal basis. It's an attack vector. It's a surprise to credit unions and banks, can people operate on two phones, can someone else take my phone and bank on my behalf and rip me off, etc. Darrell Duane: Lots of crypto/tech centric... Darrell Duane: If you want to get access to report, hit me up on twitter and I'll link in the chat. Doc is almost 90 pages long. Darrell Duane: One of the funders wanted a summary but that would be 3x-4x the actual doc. Wayne Chang: On to Katryna. Darrell Duane: Direct link to the wallet report: https://thewalletwars.s3.amazonaws.com/The-Current-and-Future-State-of-Digital-Wallets-v1.0-FINAL.pdf Wayne Chang: On to Charles, Katryna has audio trouble. Charles_cunningham: I work for an SSI company in Berlin Germany. Charles_cunningham: I work for Jolocom. Joachim Lohkamp: https://jolocom.io/wp-content/uploads/2020/05/Jolocom-WhatisinaWallet-CCG-W3C.pdf Charles_cunningham: We have looked extensively at what goes in a wallet for sometime. We offer a wallet as an app on iOS, etc. We have a wallet for enterprise use cases but slightly less sophisticated. Charles_cunningham: We have some simple graphics for what we think goes in a wallet. Charles_cunningham: Key material. Everyone knows key material is the foundation for all wallets -- the simplest definition is a wallet manages that key material for you. Charles_cunningham: Managing keys is fine for a cryptocurrency wallet. Obviously credentials go right into a wallet. The analogy is right there with physical wallets like driver's licenses. Charles_cunningham: Capabilities, similar to credentials. They can present signed data. In the UI for our wallets, we've separated the representations. Charles_cunningham: More in particular it's about authorization. Credentials are more about presenting information about yourself. Charles_cunningham: History and metadata. They are closely related and represented in our wallets. If I'm being issued a credential our issuance protocol finds a way to indicate how to display the credential in the wallet. Charles_cunningham: This metadata and the history includes all of the interactions with other identities. This includes pairwise identities, IDs for the credentials exchanged, so on. Charles_cunningham: In a functional sense, wallets can be defined as stores of sensitive information. But they can also be modeled as agents. Presenting a credential to someone or participating in some kind of interaction. Charles_cunningham: We've included non-credential based interactions, using the keys in your wallet ... looking for ways to mix personal version vs. enterprise version. We've been exploring this through a capabilities model. Charles_cunningham: How an individual might interact with a larger entity through capabilities. Charles_cunningham: Through key operations. Darrell Duane: Dang - I've lost my phone connection here. Juan Caballero: @Joachim was there a second link/page? Charles_cunningham: We have an image on our SDK ... we use a wallet for both mobile and server side ... simple interfaces to give it the full functionality. Wayne Chang: Katryna is up next. Wayne Chang: We welcome you to give a brief intro and answer what's in a wallet. Katryna: My name is Katryna Dow, founder of Meeco. Katryna: This is all valid and interesting, but taking a slightly different direction. Katryna: Starting in this space over a decade ago. Data and information that was important... working backwards from that over the last few years. It's really interesting the way language shapes tech. Katryna: From the evolution of our products and services, we've moved from something ... we've moved from saying all the things about yourself over your life to categorizing it, to having a consent layer, to having an API to connect. Katryna: The evolution of that comes down to portability. How things become light weight. The thing that's emerging in listening to everyone. The idea of portable, reusability. Real digital transformation vs. digitization. We've been through a decade or so with taking data and information and digitizing it. Katryna: The wallet can focus on things that are really critical and light weight that you want with you in an everyday sense. And then move to the digitally connected world vs. just mirroring the physical world. Katryna: Wallets also allow ecosystems to develop quickly without a need for tight integration. Katryna: The standards group that many of us are part of ... interop and portability mean that ecosystems can develop quickly with the individual, service provider, and trust anchor that can be universally recognized. Katryna: From our perspective, all the things we've been building, uni transcript, health provider, etc. -- these things are becoming more important anchor points around things that are more light weight and used every day. Katryna: The language and evolution from data storage to connectivity and integration ... now down to the use of the term "wallet" ... it helps give people an understanding around how those things might fit into everyday life. Katryna: Also, how do you bring this lightweight decentralized human solution into the enterprise world. We've been doing interesting work around OIDC around infrastructure and emerging infrastructure. Katryna: To allow people to be free and independent but also come into an ecosystem and help with B2B value. Katryna: The evolution is interesting to me and how the language has helped shape the tech and create the clarity that Kaliya talked about earlier on. Orie Steele: What organization is Katryna with again? Wayne Chang: Feel free to email the admins as needed if you have any concerns. Wayne Chang: Nathan, thanks for stepping in at the last minute, please give a brief intro and your answer to what's in a wallet. Nathan-lef: Nathan with Learning Economy Foundation. Nathan-lef: We have been collaborating with gov't for running pilots. Nathan-lef: Digital wallets, enabling true ownership of education credentials. Nathan-lef: Working on an initiative ... the open wallet architecture. https://docs.google.com/document/u/4/d/e/2PACX-1vR6GMNrBzDuMvhHGlVeENEMZjijHTVKUueG5f6KshFlsIfcqt1QjsTGNgB8vjEGfDVFRB-dWhe5-Hxc/pub Nathan-lef: We're in the initial stages of this. Working on defining it and collecting data. Nathan-lef: What's a wallet: Very high level. A wallet is an abstraction that represents everything that's important enough for things to be stored in it. Nathan-lef: Focusing on how digital data is stored, not specifically what -- so working with arbitrary storage. Nathan-lef: We want to leverage the existing ecosystem and looking at current solutions and requirements so as not to preclude anything. Nathan-lef: We are calling on these use cases for the wallet domains. Nathan-lef: We want to ensure that the value of the wallet appreciates over time. Tremendous value -- in interop and portability. Nathan-lef: Discussions have been there and we want to build on top of that. We want to see that through setting standards for more mass adoption from customer perspective. Nathan-lef: Application and hardware agnostic -- not tied to any particular user experience. Perhaps counter to some -- we want to imagine the wallet being everywhere at once. Supporting remote storage, hierarchies, supporting offline too with balance. Nathan-lef: We are in agreement with most everything we've seen through these presenters today and last week. We want to emphasize things that might not have been before. The wallet is not tied to an application. Nathan-lef: That lets apps get some view into the wallet but the customer is dealing with one wallet. Nathan-lef: The wallet itself does not define data boundaries, but has pluggable functional components for all use cases whether that's local or remote storage. Nathan-lef: Focus on VCs, etc. Nathan-lef: From the existing ecosystem from hyperledger to universal wallet, we see what's needed right now. I want to encourage anyone who wants to help with this initiative to reach out. We are trying to be as open and inclusive as possible and want to synthesize all these efforts. Nathan@learningeconomy.io Wayne Chang: Thanks for your contribution. Wayne Chang: We will move to Q&A now -- please keep things to about 30 seconds. Wayne Chang: Up to two of the people would have 30 seconds to queue and answer or comment. Christopher Allen: Wyoming Private Key Disclosure Bill "No person shall be compelled to produce a private key or make a private key known to any other person in any civil, administrative, legislative or other proceeding in this state that only relates to a digital security or virtual currency to which the private key provides access. This paragraph shall not be interpreted to prohibit any lawful proceeding that compels a person to produce or disclose a Christopher Allen: Digital security or virtual currency to which a private key provides access, or to disclose information about the digital security or virtual currency, provided that the proceeding does not require production or disclosure of the private key." https://wyoleg.gov/Legislation/2020/HB0041 Christopher Allen: One lense -- focus/direction -- that seems to be missing from our models is from a legal perspective. Christopher Allen: I'll share a link in IRC, it's a bill that I helped propose in Wyoming to help protect your private keys. There's an assumption that they are yours, they can't be compelled from you. Christopher Allen: I'd like to ask the wallet arch people -- have you looked at the line where it's "yours" and where other things are maybe not totally "yours". Christopher Allen: It stops being a wallet perhaps when people can pull from it. Manu Sporny: https://github.com/w3c-ccg/community/issues/144 [scribe assist by Wayne Chang] Wayne Chang: Just opened this Daniel Hardman: I think that's fascinating and important. And where you put the presentations you receive from others -- you may be receiving a moral/legal responsibility to safeguard the data. Daniel Hardman: Other entanglements there, I agree. Adrian Gropper: I want to say that I ascribe closest to Daniel Hardman's presentation and say that we've been lax in what's an agent and what's a wallet since the beginning. My definition of what's a wallet is what can't be done by an agent. Non-repudiation tied to biometrics and what's useful offline. Juan Caballero: +100 Heather Vescent: Already planning to do that Manu. :-) Curate+++ Juan Caballero: Rage- Manu Sporny: I just wanted to highlight a comment that Anil John made earlier. It would be great if we could curate these conversations and we have great perspectives on what a wallet is. Next step could be driving towards consensus in the community on what these things are and being able to link to them from the landing page of the CG would be great. Wayne Chang: Great. I just opened a github issue towards exactly this. It's wonderful idea, people drop a note in that github issue to help contribute. Daniel Hardman: Which repo is the github issue in? Wayne Chang: Github.com/w3c-ccg/community Wayne Chang: https://github.com/w3c-ccg/community/issues/144 Ryan Grant: Thanks for all these presentations. What I want from a wallet standard is a way to understand if my wallet successfully accepts all the things it needs to and can generate all the things that your wallet may need to accept so we can complete whatever our thing is. Jonathan Holt: There is a difference perhaps between what is my wallet that I use and what is a commercial wallet that is being vendored. Juan Caballero: +1 Wayne Chang: Thanks for our great speakers! Juan Caballero: Huge thanks to all the great presenters! Dave Longley: You did an amazing job with the notes, we are eternally grateful [scribe assist by Wayne Chang] Wayne Chang: Sorry i ran out of time to give a thanks Heather Vescent: +1 Dlongley!
Received on Wednesday, 15 July 2020 19:27:45 UTC