[MINUTES] W3C Credentials CG Call - 2020-07-14 12pm ET from W3C CCG Chairs on 2020-07-15 (public-credentials@w3.org from July 2020)

From: W3C CCG Chairs <w3c.ccg@gmail.com>
Date: Wed, 15 Jul 2020 12:27:29 -0700 (PDT)
Message-ID: <5f0f58a1.1c69fb81.e1ea7.c615@mx.google.com>

Thanks to Dave Longley for scribing this week! The minutes
for this week's Credentials CG telecon are now available:

https://w3c-ccg.github.io/meetings/ 2020-07-14

Full text of the discussion follows for W3C archival purposes.
Audio from the meeting is available as well (link provided below).

----------------------------------------------------------------
Credentials CG Telecon Minutes for 2020-07-14

Agenda:
https://lists.w3.org/Archives/Public/public-credentials/2020Jul/0011.html
Topics:
1. Introductions and reintroductions
2. Announcements and Reminders
3. Progress on Action Items
4. Round table for what's in the wallet part 2.
Organizer:
Heather Vescent and Wayne Chang and Kim Hamilton Duffy
Scribe:
Dave Longley
Present:
Simone Ravaoli, Wayne Chang, Mike Prorock, Ryan Grant, Nate Otto,
Erica Connell, Heather Vescent, Adrian Gropper, Orie Steele, Joe
Andrieu, Kerri Lemoie, Daniel Hardman, Joachim Lohkamp, Chris
Winczewski, Kim Hamilton Duffy, Kaliya Young, Isaac Patka,
Jonathan Holt, Darrell Duane, Dave Longley, Phil Archer, Adam
Lemmon, Jantine Derksen, James Chartrand, Andy Thomas, Juan
Caballero, Manu Sporny, Dan Burnett, Christopher Allen, Balázs
Némethi, Anil John, Dmitri Zagidulin, Nader Helmy, Alen Horvat,
Benjamin Young, Brent Zundel, Brent Shambaugh, Dan Pape, David
Mason, David I. Lehn, David Ward, Ganesh Annan, Rouven Heck, Sam
Curren, Margo Johnson, Jeff Orgel, loveish, Phil Long, Amy Guy,
Steve Magennis, Tom S, Tzviya Siegman, Yancy Ribbens
Audio:
https://w3c-ccg.github.io/meetings/2020-07-14/audio.ogg

Simone Ravaoli: (No audio for me today)
Heather Vescent: Agenda for today's meeting:
https://lists.w3.org/Archives/Public/public-credentials/2020Jul/0011.html
Daniel Hardman: My audio says "you are currently the only person
in this conference" -- must have wrong dialin?
Heather Vescent: Dial in numbers are: US phone:
tel:+1.540.274.1034;6306 EU phone: tel:+33.9.74.59.31.06;6306
Daniel Hardman: I figured out my audio problem. All good.
Darrell Duane: Darrell here (and just dialed in)
Dave Longley: Scribe+
Heather Vescent: Yay Dlongley!
Dave Longley is scribing.

Topic: Introductions and reintroductions

Darrell Duane: Darrell here, heather asked me to come do the
digital wallet discussion.
Tony: This is my first call.
Kim Hamilton Duffy: That's phil-T3 speaking
Phil Archer: I've been participating in the other wallet
discussions and am new to the group.
Isaac Patka: Hi all, Isaac Patka from Bloom. Here to listen in on
wallet discussion as we're working on an interop project
Daniel Hardman: Hello, this is Daniel Hardman.
Jantine Derksen: Hi, Jantinehere from Berlin, just figuring out
how to join the audio

Topic: Announcements and Reminders

Juan Caballero: http://bit.ly/DIF-interop-kickoff
Juan Caballero: ^Link to interop session tomorrow
Adrian Gropper: Next Wed 21st of July, Kantara will have a
Webinar about UMA in healthcare.
Wayne Chang: Any other announcements?

Topic: Progress on Action Items

Kim Hamilton Duffy:
https://github.com/w3c-ccg/community/issues/143
Orie Steele: +1 To merging the vc http apis.... so we can make
progress...
Kim Hamilton Duffy: We just have one progress report item --
merging the VC issuer and verifier HTTP APIs. This was discussed
on a call a while back and we're just now getting to it. There
were work items tracking two different APIs, issuer/verifier.
Kim Hamilton Duffy: There was support among the owners for those
items to merge them into a new repo. We're just following up on
that. I emailed the descriptions -- we're going to create a new
repo, combine the existing issuer/verifier APIs into that.
Kim Hamilton Duffy: We have a new baseline spec to update the
content to so that will be the new basis for any subsequent
discussion. So the work item isn't finished, there's just a new
baseline to do edits on.
Manu Sporny: +1 To merging -- been waiting for that to happen for
a while
Kim Hamilton Duffy: We'll update the CCG work item page to merge
the items.
Kim Hamilton Duffy: This is non-controversial, owners in
agreement, just calling it out unless there are any objections.
Kim Hamilton Duffy: Add yourself to the queue if you have an
objection.

Topic: Round table for what's in the wallet part 2.

Wayne Chang: https://github.com/w3c-ccg/community/issues/140
Wayne Chang: Setting informal rules -- so we can have more
effective communication. We've collected some resources at the
link in IRC.
Adrian Gropper: Kantara Webinar on UMA in Healthcare
https://kantarainitiative.org/kantara-webinar-uma-health-info-interop-user-control-registration-form/
Wayne Chang: If you've agreed to the above you will follow
community guidelines for behavior, social rules, etc. There are
no set consequences for violating these rules they are just
things to keep in mind so we think about how others feel when we
communicate.
Wayne Chang: These are typically logical/technical discussions
but still important to make sure we don't accidentally tear
people down, etc. "No actually" that corrects a minor point that
isn't the main point or isn't that relevant to the conversation
...
Wayne Chang: If you say "Oh, you didn't know about this thing?"
That's not productive either and alienating for people who are
trying to learn, etc.
Wayne Chang: No back seat driving, if two people are having a
discussion here, we use the queue to avoid this usually, but
don't chime in without using the queue/don't interrupt.
Orie Steele: Can we just link directly to the code of conduct, so
people can read it on their own time / from the meeting minutes?
Balázs Némethi: Wayne, CCG, DIF has worked a lot on a Code of
Conduct that is under OS licenses to use by other orgs.
Balázs Némethi:
https://github.com/decentralized-identity/org/blob/master/code-of-conduct.md
Wayne Chang: Don't say things like "windows is so easy to use,
your mom can use it" -- Moms are tech savvy -- Moms are people
too! Don't stereotype and stereotypes can be quite wrong.
Heather Vescent: @Orie_ and
https://github.com/w3c-ccg/community/issues/140
Balázs Némethi: We would be very happy if CCG would consider
taking a deeper look at it
Dan Burnett: W3C also has a code of conduct
https://w3c.github.io/PWETF/
Wayne Chang: If you are not speaking, please mute! thanks
Kaliya Young: This is primarily the work we did in the group for
while. We took 27 responses and sorted them, we found a range of
meaning that people had in their definitions. For wallets
specifically, 12 of the definitions highlighted that it was about
key/secret storage.
Kaliya Young: Next most common was that they stored credentials,
next highest was that they aided with agent control.
Juan Caballero: I believe this is the slide deck, not sure if
it's the newest version tho:
Juan Caballero:
https://docs.google.com/presentation/d/1gIEPmbtLNVuaHxdawGBe6ZwFqP43m7iqmIEeUUm3sjI/edit#slide=id.g752184a474_0_4
Wayne Chang: Nice
Kaliya Young: Facilitated storing keys/secrets/vcs often
controlled by an agent. The meaning that folks had in between ...
Lost identitywoman's audio for a minute there.
Kaliya Young: Agents may have wallets, agents let you work with
and connect to wallets and agents support delegation and back up
wallets.
Kaliya Young: This definition that we came up with about wallets
feels good.
Juan Caballero: Rage-
Orie Steele:
https://github.com/transmute-industries/universal-wallet
Orie Steele: My summary is going to be something... I will talk
about things I presented here in the hyperledger identity group
and aries call. We proposed a universal wallet spec work item. It
attempts to describe what's in wallets. My five minutes will be
on that and what people organize and store in wallets today.
Orie Steele: It links to existing specs in the wild, VC, DID
specs, etc. We've seen in the hyperledger community, schemas,
connections, pairwise connectors, people think about payments and
fiat currency or other cryptocurrency/token wallets.
Orie Steele: Bitcoin wallets, that sort of thing. What we've
tried to do with this universal wallet spec is to describe the
way people are using wallets.
Orie Steele: You can think of it by analogy with what's in your
physical wallet today. Maybe a few dollars or none or some other
currency. Identity documents, coupons, maybe specific types of
credentials like healthcare/insurance cards.
Orie Steele: Other things related to your family might be in
there.
Orie Steele: I learned this from SICPA, hopefully they can share
on a future call. People share sensitive things in their wallets
that aren't necessarily credential stuff.
Orie Steele:
https://medium.com/transmute-techtalk/nfc-dids-6d56fda45831
Orie Steele: But here, it's relationships with crypto keys,
secrets, VCs, so on.
Orie Steele: We have a blog post about our work with the Tangem
cards.
Orie Steele: It's about transferring VCs with hardware backed
cards over NFC, etc. Sometimes the key material doesn't exist in
the wallet itself.
Orie Steele: Tangem provides a hardware based key -- sometimes
you can port keys from one wallet to another and still issue VCs
by using those cards. PIV cards, etc. physical cards people store
in their wallet and you can move meta data about key materials
without having to move the key material itself.
Orie Steele: There are also Yubikeys, other key/web mechanisms,
Amazon key management software, there are ways to manage keys
where the key material isn't in the wallet itself.
Orie Steele: The point of this spec is to describe what people
are doing and to provide data models for portability.
Orie Steele: And to describe a set of interfaces for questions
like: If I move from Wallet A to Wallet B, will I still be able
to use these things in my Wallet A?
Orie Steele: I yield back the remainder of my time.
Wayne Chang: We're working on a better infrastructure for
meetings this summer.
Daniel Hardman: Here are the slides that I'm going to talk to:
https://j.mp/3e4HuAw
Wayne Chang: Daniel Hardman is up next.
Daniel Hardman: Slide link is in IRC, 5 slides.
Daniel Hardman: The basic message is that I feel like a wallet
is an intersection of design tension. Physical wallets aren't a
great multipurpose container, can put some things in it, not
others.
Daniel Hardman: You can put a physical key in there, but lots
isn't great. We don't expect a wallet to contain all of our
assets, or our transaction history, or our bank account. It's
still not uncommon to see wallets that are stuffed.
Daniel Hardman: I think that's because wallets are super
convenient and it's tempting to use them.
Daniel Hardman: I'm here to admit the fuzziness, not to provide
a definition.
Daniel Hardman: There are two graphs ... about sensitivity of
data. Different degrees of sensitivity for the data and the
stakes for exposing the data is different.
Daniel Hardman: Other graphic is about data size and richness.
Daniel Hardman: Two axes, two dimensional view, I'm claiming
data that is highly rich and very large, a genome is an extreme
example there. On the other extreme there is super small and not
very rich like a cryptographic key.
Daniel Hardman: There are also all types of data related to SSI.
There's more than 14 obviously, but these are interesting for
test cases.
Orie Steele: Great question regarding presentations
Daniel Hardman: Would we put a biometric template in a wallet, I
don't know, would presentations from others go in wallet, I don't
know. Maybe things at the bottom of the list don't go in a
wallet, it's debatable.
Anil John: Given all the good discussions & materials on Digital
Wallets that is happening at the CCG, it would be good if there
was landing page off https://www.w3.org/community/credentials/
that aggregates and provides pointers to all of this goodness!
Nader Helmy: Feels like health records would fall under “held
credentials”
Daniel Hardman: The next slide is making the point that wallets
and remoteness is interesting ... some secrets can be remote and
others can't. You must have a secret that unlocks the remoteness.
Orie Steele: These slides are really great... this is excellent
Daniel Hardman: One of these characteristics is that the wallet
is local. It could be in a database off of the current machine,
that's not what I mean by local, you can access it without extra
work is more like what I mean.
Daniel Hardman: A wallet is not just a mobile app, there could
be paper versions of wallets. A wallet is a locus of control in
the "DID controller" sense. There's a complicated relationship in
that sense, there's an interesting nexus there.
Daniel Hardman: Please wrap up, thank you! [scribe assist by
Wayne Chang]
Daniel Hardman: Backup and replication are there. Replicating
wallets is interesting because never copying private keys may
cause some differences. Wallets may be subdivided by work vs.
personal or by identities like parents vs. children.
Daniel Hardman: A wallet is certainly a hacking target.
Daniel Hardman: The last observation on this slide is that a
wallet is not necessarily in a containment relationship with all
the things it's associated with -- it may just reference data
that it doesn't contain in the most literal sense.
Daniel Hardman: "What's *in* a wallet" the word "in" is worth
thinking about.
Daniel Hardman: My sixth slide is where I wanted to end up so go
look at it.
Darrell Duane: Darrell's deck -
https://docs.google.com/presentation/d/1shW4GzjG0HE2uxLCcYdSkaG-nCRBVZrwRFpa8Gs709U/edit?usp=sharing
Orie Steele: Yes, the last slide is critical... its about how
wallets relate to other ecosystem components like hubs and
vaults.
Darrell Duane: I'm going to be talking about a report we pushed
out last year. Created for two reasons, address concerns over
ambiguity of what a digital wallet is. One report is a public
report -- link in the chat. Another is a business strategy
report.
Darrell Duane: There was a lot of handwaving that wallets mean a
lot of different things to different people. "Oh the wallet will
do that" is too much handwaving.
Darrell Duane: We went over ~300 projects, lots of discussion.
Deep dived, we covered "what are the capabilities of a wallet",
from a user/enterprise perspective not a dev one.
Darrell Duane: What stuff do we put in a wallet, enterprise
specific concerns, multiperson/organization concerns.
Cryptocurrencies vs. layman's term for a wallet. We covered the
state of tech as of March 2019.
Darrell Duane: Lots of progress in some areas and not so much in
others.
Darrell Duane: We identified immediately the user experience is
the biggest problem.
Darrell Duane: Update on what we've learned since. The wallets
in the wild and being used by non-techies -- people just using
apps to do their work. These are single credential/single
connection types of apps. I've been at an advising role at
CULedger -- most apps have been single credential, etc. These
have been dead simple use cases.
Darrell Duane: Other key thing that Daniel hit on --
backup/recovery is terrifying on a mere mortal basis. It's an
attack vector. It's a surprise to credit unions and banks, can
people operate on two phones, can someone else take my phone and
bank on my behalf and rip me off, etc.
Darrell Duane: Lots of crypto/tech centric...
Darrell Duane: If you want to get access to report, hit me up on
twitter and I'll link in the chat. Doc is almost 90 pages long.
Darrell Duane: One of the funders wanted a summary but that
would be 3x-4x the actual doc.
Wayne Chang: On to Katryna.
Darrell Duane: Direct link to the wallet report:
https://thewalletwars.s3.amazonaws.com/The-Current-and-Future-State-of-Digital-Wallets-v1.0-FINAL.pdf
Wayne Chang: On to Charles, Katryna has audio trouble.
Charles_cunningham: I work for an SSI company in Berlin Germany.
Charles_cunningham: I work for Jolocom.
Joachim Lohkamp:
https://jolocom.io/wp-content/uploads/2020/05/Jolocom-WhatisinaWallet-CCG-W3C.pdf
Charles_cunningham: We have looked extensively at what goes in a
wallet for sometime. We offer a wallet as an app on iOS, etc. We
have a wallet for enterprise use cases but slightly less
sophisticated.
Charles_cunningham: We have some simple graphics for what we
think goes in a wallet.
Charles_cunningham: Key material. Everyone knows key material is
the foundation for all wallets -- the simplest definition is a
wallet manages that key material for you.
Charles_cunningham: Managing keys is fine for a cryptocurrency
wallet. Obviously credentials go right into a wallet. The analogy
is right there with physical wallets like driver's licenses.
Charles_cunningham: Capabilities, similar to credentials. They
can present signed data. In the UI for our wallets, we've
separated the representations.
Charles_cunningham: More in particular it's about authorization.
Credentials are more about presenting information about yourself.
Charles_cunningham: History and metadata. They are closely
related and represented in our wallets. If I'm being issued a
credential our issuance protocol finds a way to indicate how to
display the credential in the wallet.
Charles_cunningham: This metadata and the history includes all of
the interactions with other identities. This includes pairwise
identities, IDs for the credentials exchanged, so on.
Charles_cunningham: In a functional sense, wallets can be defined
as stores of sensitive information. But they can also be modeled
as agents. Presenting a credential to someone or participating in
some kind of interaction.
Charles_cunningham: We've included non-credential based
interactions, using the keys in your wallet ... looking for ways
to mix personal version vs. enterprise version. We've been
exploring this through a capabilities model.
Charles_cunningham: How an individual might interact with a
larger entity through capabilities.
Charles_cunningham: Through key operations.
Darrell Duane: Dang - I've lost my phone connection here.
Juan Caballero: @Joachim was there a second link/page?
Charles_cunningham: We have an image on our SDK ... we use a
wallet for both mobile and server side ... simple interfaces to
give it the full functionality.
Wayne Chang: Katryna is up next.
Wayne Chang: We welcome you to give a brief intro and answer
what's in a wallet.
Katryna: My name is Katryna Dow, founder of Meeco.
Katryna: This is all valid and interesting, but taking a slightly
different direction.
Katryna: Starting in this space over a decade ago. Data and
information that was important... working backwards from that
over the last few years. It's really interesting the way language
shapes tech.
Katryna: From the evolution of our products and services, we've
moved from something ... we've moved from saying all the things
about yourself over your life to categorizing it, to having a
consent layer, to having an API to connect.
Katryna: The evolution of that comes down to portability. How
things become light weight. The thing that's emerging in
listening to everyone. The idea of portable, reusability. Real
digital transformation vs. digitization. We've been through a
decade or so with taking data and information and digitizing it.
Katryna: The wallet can focus on things that are really critical
and light weight that you want with you in an everyday sense. And
then move to the digitally connected world vs. just mirroring the
physical world.
Katryna: Wallets also allow ecosystems to develop quickly without
a need for tight integration.
Katryna: The standards group that many of us are part of ...
interop and portability mean that ecosystems can develop quickly
with the individual, service provider, and trust anchor that can
be universally recognized.
Katryna: From our perspective, all the things we've been
building, uni transcript, health provider, etc. -- these things
are becoming more important anchor points around things that are
more light weight and used every day.
Katryna: The language and evolution from data storage to
connectivity and integration ... now down to the use of the term
"wallet" ... it helps give people an understanding around how
those things might fit into everyday life.
Katryna: Also, how do you bring this lightweight decentralized
human solution into the enterprise world. We've been doing
interesting work around OIDC around infrastructure and emerging
infrastructure.
Katryna: To allow people to be free and independent but also come
into an ecosystem and help with B2B value.
Katryna: The evolution is interesting to me and how the language
has helped shape the tech and create the clarity that Kaliya
talked about earlier on.
Orie Steele: What organization is Katryna with again?
Wayne Chang: Feel free to email the admins as needed if you have
any concerns.
Wayne Chang: Nathan, thanks for stepping in at the last minute,
please give a brief intro and your answer to what's in a wallet.
Nathan-lef: Nathan with Learning Economy Foundation.
Nathan-lef: We have been collaborating with gov't for running
pilots.
Nathan-lef: Digital wallets, enabling true ownership of education
credentials.
Nathan-lef: Working on an initiative ... the open wallet
architecture.
https://docs.google.com/document/u/4/d/e/2PACX-1vR6GMNrBzDuMvhHGlVeENEMZjijHTVKUueG5f6KshFlsIfcqt1QjsTGNgB8vjEGfDVFRB-dWhe5-Hxc/pub
Nathan-lef: We're in the initial stages of this. Working on
defining it and collecting data.
Nathan-lef: What's a wallet: Very high level. A wallet is an
abstraction that represents everything that's important enough
for things to be stored in it.
Nathan-lef: Focusing on how digital data is stored, not
specifically what -- so working with arbitrary storage.
Nathan-lef: We want to leverage the existing ecosystem and
looking at current solutions and requirements so as not to
preclude anything.
Nathan-lef: We are calling on these use cases for the wallet
domains.
Nathan-lef: We want to ensure that the value of the wallet
appreciates over time. Tremendous value -- in interop and
portability.
Nathan-lef: Discussions have been there and we want to build on
top of that. We want to see that through setting standards for
more mass adoption from customer perspective.
Nathan-lef: Application and hardware agnostic -- not tied to any
particular user experience. Perhaps counter to some -- we want to
imagine the wallet being everywhere at once. Supporting remote
storage, hierarchies, supporting offline too with balance.
Nathan-lef: We are in agreement with most everything we've seen
through these presenters today and last week. We want to
emphasize things that might not have been before. The wallet is
not tied to an application.
Nathan-lef: That lets apps get some view into the wallet but the
customer is dealing with one wallet.
Nathan-lef: The wallet itself does not define data boundaries,
but has pluggable functional components for all use cases whether
that's local or remote storage.
Nathan-lef: Focus on VCs, etc.
Nathan-lef: From the existing ecosystem from hyperledger to
universal wallet, we see what's needed right now. I want to
encourage anyone who wants to help with this initiative to reach
out. We are trying to be as open and inclusive as possible and
want to synthesize all these efforts.
Nathan@learningeconomy.io
Wayne Chang: Thanks for your contribution.
Wayne Chang: We will move to Q&A now -- please keep things to
about 30 seconds.
Wayne Chang: Up to two of the people would have 30 seconds to
queue and answer or comment.
Christopher Allen: Wyoming Private Key Disclosure Bill "No person
shall be compelled to produce a private key or make a private key
known to any other person in any civil, administrative,
legislative or other proceeding in this state that only relates
to a digital security or virtual currency to which the private
key provides access. This paragraph shall not be interpreted to
prohibit any lawful proceeding that compels a person to produce
or disclose a
Christopher Allen: Digital security or virtual currency to which
a private key provides access, or to disclose information about
the digital security or virtual currency, provided that the
proceeding does not require production or disclosure of the
private key." https://wyoleg.gov/Legislation/2020/HB0041
Christopher Allen: One lense -- focus/direction -- that seems to
be missing from our models is from a legal perspective.
Christopher Allen: I'll share a link in IRC, it's a bill that I
helped propose in Wyoming to help protect your private keys.
There's an assumption that they are yours, they can't be
compelled from you.
Christopher Allen: I'd like to ask the wallet arch people --
have you looked at the line where it's "yours" and where other
things are maybe not totally "yours".
Christopher Allen: It stops being a wallet perhaps when people
can pull from it.
Manu Sporny: https://github.com/w3c-ccg/community/issues/144
[scribe assist by Wayne Chang]
Wayne Chang: Just opened this
Daniel Hardman: I think that's fascinating and important. And
where you put the presentations you receive from others -- you
may be receiving a moral/legal responsibility to safeguard the
data.
Daniel Hardman: Other entanglements there, I agree.
Adrian Gropper: I want to say that I ascribe closest to Daniel
Hardman's presentation and say that we've been lax in what's an
agent and what's a wallet since the beginning. My definition of
what's a wallet is what can't be done by an agent.
Non-repudiation tied to biometrics and what's useful offline.
Juan Caballero: +100
Heather Vescent: Already planning to do that Manu. :-)
Curate+++
Juan Caballero: Rage-
Manu Sporny: I just wanted to highlight a comment that Anil John
made earlier. It would be great if we could curate these
conversations and we have great perspectives on what a wallet is.
Next step could be driving towards consensus in the community on
what these things are and being able to link to them from the
landing page of the CG would be great.
Wayne Chang: Great. I just opened a github issue towards exactly
this. It's wonderful idea, people drop a note in that github
issue to help contribute.
Daniel Hardman: Which repo is the github issue in?
Wayne Chang: Github.com/w3c-ccg/community
Wayne Chang: https://github.com/w3c-ccg/community/issues/144
Ryan Grant: Thanks for all these presentations. What I want from
a wallet standard is a way to understand if my wallet
successfully accepts all the things it needs to and can generate
all the things that your wallet may need to accept so we can
complete whatever our thing is.
Jonathan Holt: There is a difference perhaps between what is my
wallet that I use and what is a commercial wallet that is being
vendored.
Juan Caballero: +1
Wayne Chang: Thanks for our great speakers!
Juan Caballero: Huge thanks to all the great presenters!
Dave Longley: You did an amazing job with the notes, we are
eternally grateful [scribe assist by Wayne Chang]
Wayne Chang: Sorry i ran out of time to give a thanks
Heather Vescent: +1 Dlongley!

Received on Wednesday, 15 July 2020 19:27:45 UTC