
[MINUTES] W3C Credentials CG Call - 2020-07-14 12pm ET

From: W3C CCG Chairs <w3c.ccg@gmail.com>
Date: Wed, 15 Jul 2020 12:27:29 -0700 (PDT)
Message-ID: <5f0f58a1.1c69fb81.e1ea7.c615@mx.google.com>

Thanks to Dave Longley for scribing this week! The minutes
for this week's Credentials CG telecon are now available:

https://w3c-ccg.github.io/meetings/2020-07-14

Full text of the discussion follows for W3C archival purposes.
Audio from the meeting is available as well (link provided below).

Credentials CG Telecon Minutes for 2020-07-14

Topics:
  1. Introductions and reintroductions
  2. Announcements and Reminders
  3. Progress on Action Items
  4. Round table for what's in the wallet part 2.
Organizer:
  Heather Vescent and Wayne Chang and Kim Hamilton Duffy
Scribe:
  Dave Longley
Present:
  Simone Ravaoli, Wayne Chang, Mike Prorock, Ryan Grant, Nate Otto, 
  Erica Connell, Heather Vescent, Adrian Gropper, Orie Steele, Joe 
  Andrieu, Kerri Lemoie, Daniel Hardman, Joachim Lohkamp, Chris 
  Winczewski, Kim Hamilton Duffy, Kaliya Young, Isaac Patka, 
  Jonathan Holt, Darrell Duane, Dave Longley, Phil Archer, Adam 
  Lemmon, Jantine Derksen, James Chartrand, Andy Thomas, Juan 
  Caballero, Manu Sporny, Dan Burnett, Christopher Allen, Balázs 
  Némethi, Anil John, Dmitri Zagidulin, Nader Helmy, Alen Horvat, 
  Benjamin Young, Brent Zundel, Brent Shambaugh, Dan Pape, David 
  Mason, David I. Lehn, David Ward, Ganesh Annan, Rouven Heck, Sam 
  Curren, Margo Johnson, Jeff Orgel, loveish, Phil Long, Amy Guy, 
  Steve Magennis, Tom S, Tzviya Siegman, Yancy Ribbens

Simone Ravaoli: (No audio for me today)
Heather Vescent: Agenda for today's meeting: 
Daniel Hardman: My audio says "you are currently the only person 
  in this conference" -- must have wrong dialin?
Heather Vescent: Dial in numbers are:   US phone: 
  tel:+1.540.274.1034;6306    EU phone: tel:+;6306
Daniel Hardman: I figured out my audio problem. All good.
Darrell Duane: Darrell here (and just dialed in)
Dave Longley: Scribe+
Heather Vescent: Yay Dlongley!
Dave Longley is scribing.

Topic: Introductions and reintroductions

Darrell Duane:  Darrell here, heather asked me to come do the 
  digital wallet discussion.
Tony: This is my first call.
Kim Hamilton Duffy: That's phil-T3 speaking
Phil Archer:  I've been participating in the other wallet 
  discussions and am new to the group.
Isaac Patka: Hi all, Isaac Patka from Bloom. Here to listen in on 
  wallet discussion as we're working on an interop project
Daniel Hardman:  Hello, this is Daniel Hardman.
Jantine Derksen: Hi, Jantine here from Berlin, just figuring out 
  how to join the audio

Topic: Announcements and Reminders

Juan Caballero: http://bit.ly/DIF-interop-kickoff
Juan Caballero: ^Link to interop session tomorrow
Adrian Gropper:  Next Wed 21st of July, Kantara will have a 
  Webinar about UMA in healthcare.
Wayne Chang:  Any other announcements?

Topic: Progress on Action Items

Kim Hamilton Duffy: 
Orie Steele: +1 To merging the vc http apis.... so we can make 
Kim Hamilton Duffy:  We just have one progress report item -- 
  merging the VC issuer and verifier HTTP APIs. This was discussed 
  on a call a while back and we're just now getting to it. There 
  were work items tracking two different APIs, issuer/verifier.
Kim Hamilton Duffy:  There was support among the owners for those 
  items to merge them into a new repo. We're just following up on 
  that. I emailed the descriptions -- we're going to create a new 
  repo, combine the existing issuer/verifier APIs into that.
Kim Hamilton Duffy:  We have a new baseline spec to update the 
  content to so that will be the new basis for any subsequent 
  discussion. So the work item isn't finished, there's just a new 
  baseline to do edits on.
Manu Sporny: +1 To merging -- been waiting for that to happen for 
  a while
Kim Hamilton Duffy:  We'll update the CCG work item page to merge 
  the items.
Kim Hamilton Duffy:  This is non-controversial, owners in 
  agreement, just calling it out unless there are any objections.
Kim Hamilton Duffy:  Add yourself to the queue if you have an 

Topic: Round table for what's in the wallet part 2.

Wayne Chang: https://github.com/w3c-ccg/community/issues/140
Wayne Chang:  Setting informal rules -- so we can have more 
  effective communication. We've collected some resources at the 
  link in IRC.
Adrian Gropper: Kantara Webinar on UMA in Healthcare 
Wayne Chang:  If you've agreed to the above you will follow 
  community guidelines for behavior, social rules, etc. There are 
  no set consequences for violating these rules; they are just 
  things to keep in mind so we think about how others feel when we 
Wayne Chang:  These are typically logical/technical discussions 
  but still important to make sure we don't accidentally tear 
  people down, etc. "No actually" that corrects a minor point that 
  isn't the main point or isn't that relevant to the conversation 
Wayne Chang:  If you say "Oh, you didn't know about this thing?" 
  That's not productive either and alienating for people who are 
  trying to learn, etc.
Wayne Chang:  No back seat driving, if two people are having a 
  discussion here, we use the queue to avoid this usually, but 
  don't chime in without using the queue/don't interrupt.
Orie Steele: Can we just link directly to the code of conduct, so 
  people can read it on their own time / from the meeting minutes?
Balázs Némethi: Wayne, CCG, DIF has worked a lot on a Code of 
  Conduct that is under OS licenses to use by other orgs.
Balázs Némethi: 
Wayne Chang:  Don't say things like "windows is so easy to use, 
  your mom can use it" -- Moms are tech savvy -- Moms are people 
  too! Don't stereotype and stereotypes can be quite wrong.
Heather Vescent: @Orie_ and 
Balázs Némethi: We would be very happy if CCG would consider 
  taking a deeper look at it
Dan Burnett: W3C also has a code of conduct 
Wayne Chang: If you are not speaking, please mute! thanks
Kaliya Young:  This is primarily the work we did in the group for 
  a while. We took 27 responses and sorted them, we found a range of 
  meaning that people had in their definitions. For wallets 
  specifically, 12 of the definitions highlighted that it was about 
  key/secret storage.
Kaliya Young:  Next most common was that they stored credentials, 
  next highest was that they aided with agent control.
Juan Caballero: I believe this is the slide deck, not sure if 
  it's the newest version tho:
Juan Caballero: 
Wayne Chang: Nice
Kaliya Young:  Facilitated storing keys/secrets/vcs often 
  controlled by an agent. The meaning that folks had in between ...
Lost identitywoman's audio for a minute there.
Kaliya Young:  Agents may have wallets, agents let you work with 
  and connect to wallets and agents support delegation and back up 
Kaliya Young:  This definition that we came up with about wallets 
  feels good.
Juan Caballero: Rage-
Orie Steele: 
Orie Steele:  My summary is going to be something... I will talk 
  about things I presented here in the hyperledger identity group 
  and aries call. We proposed a universal wallet spec work item. It 
  attempts to describe what's in wallets. My five minutes will be 
  on that and what people organize and store in wallets today.
Orie Steele:  It links to existing specs in the wild, VC, DID 
  specs, etc. We've seen in the hyperledger community, schemas, 
  connections, pairwise connectors, people think about payments and 
  fiat currency or other cryptocurrency/token wallets.
Orie Steele:  Bitcoin wallets, that sort of thing. What we've 
  tried to do with this universal wallet spec is to describe the 
  way people are using wallets.
Orie Steele:  You can think of it by analogy with what's in your 
  physical wallet today. Maybe a few dollars or none or some other 
  currency. Identity documents, coupons, maybe specific types of 
  credentials like healthcare/insurance cards.
Orie Steele:  Other things related to your family might be in 
Orie Steele:  I learned this from SICPA, hopefully they can share 
  on a future call. People share sensitive things in their wallets 
  that aren't necessarily credential stuff.
Orie Steele: 
Orie Steele:  But here, it's relationships with crypto keys, 
  secrets, VCs, so on.
Orie Steele:  We have a blog post about our work with the Tangem 
Orie Steele:  It's about transferring VCs with hardware backed 
  cards over NFC, etc. Sometimes the key material doesn't exist in 
  the wallet itself.
Orie Steele:  Tangem provides a hardware based key -- sometimes 
  you can port keys from one wallet to another and still issue VCs 
  by using those cards. PIV cards, etc. physical cards people store 
  in their wallet and you can move meta data about key materials 
  without having to move the key material itself.
Orie Steele:  There are also Yubikeys, other key/web mechanisms, 
  Amazon key management software, there are ways to manage keys 
  where the key material isn't in the wallet itself.
Orie Steele:  The point of this spec is to describe what people 
  are doing and to provide data models for portability.
Orie Steele:  And to describe a set of interfaces for questions 
  like: If I move from Wallet A to Wallet B, will I still be able 
  to use these things in my Wallet A?
Orie Steele:  I yield back the remainder of my time.
Wayne Chang:  We're working on a better infrastructure for 
  meetings this summer.
Daniel Hardman: Here are the slides that I'm going to talk to: 
Wayne Chang:  Daniel Hardman is up next.
Daniel Hardman:  Slide link is in IRC, 5 slides.
Daniel Hardman:  The basic message is that I feel like a wallet 
  is an intersection of design tension. Physical wallets aren't a 
  great multipurpose container, can put some things in it, not 
Daniel Hardman:  You can put a physical key in there, but lots 
  isn't great. We don't expect a wallet to contain all of our 
  assets, or our transaction history, or our bank account. It's 
  still not uncommon to see wallets that are stuffed.
Daniel Hardman:  I think that's because wallets are super 
  convenient and it's tempting to use them.
Daniel Hardman:  I'm here to admit the fuzziness, not to provide 
  a definition.
Daniel Hardman:  There are two graphs ... about sensitivity of 
  data. Different degrees of sensitivity for the data and the 
  stakes for exposing the data are different.
Daniel Hardman:  Other graphic is about data size and richness.
Daniel Hardman:  Two axes, two dimensional view, I'm claiming 
  data that is highly rich and very large, a genome is an extreme 
  example there. On the other extreme there is super small and not 
  very rich like a cryptographic key.
Daniel Hardman:  There are also all types of data related to SSI. 
  There's more than 14 obviously, but these are interesting for 
  test cases.
Orie Steele: Great question regarding presentations
Daniel Hardman:  Would we put a biometric template in a wallet, I 
  don't know, would presentations from others go in wallet, I don't 
  know. Maybe things at the bottom of the list don't go in a 
  wallet, it's debatable.
Anil John: Given all the good discussions & materials on Digital 
  Wallets that is happening at the CCG, it would be good if there 
  was landing page off https://www.w3.org/community/credentials/ 
  that aggregates and provides pointers to all of this goodness!
Nader Helmy: Feels like health records would fall under “held 
Daniel Hardman:  The next slide is making the point that wallets 
  and remoteness is interesting ... some secrets can be remote and 
  others can't. You must have a secret that unlocks the remoteness.
Orie Steele: These slides are really great... this is excellent
Daniel Hardman:  One of these characteristics is that the wallet 
  is local. It could be in a database off of the current machine, 
  that's not what I mean by local, you can access it without extra 
  work is more like what I mean.
Daniel Hardman:  A wallet is not just a mobile app, there could 
  be paper versions of wallets. A wallet is a locus of control in 
  the "DID controller" sense. There's a complicated relationship in 
  that sense, there's an interesting nexus there.
Daniel Hardman:  Please wrap up, thank you! [scribe assist by 
  Wayne Chang]
Daniel Hardman:  Backup and replication are there. Replicating 
  wallets is interesting because never copying private keys may 
  cause some differences. Wallets may be subdivided by work vs. 
  personal or by identities like parents vs. children.
Daniel Hardman:  A wallet is certainly a hacking target.
Daniel Hardman:  The last observation on this slide is that a 
  wallet is not necessarily in a containment relationship with all 
  the things it's associated with -- it may just reference data 
  that it doesn't contain in the most literal sense.
Daniel Hardman:  "What's *in* a wallet" the word "in" is worth 
  thinking about.
Daniel Hardman:  My sixth slide is where I wanted to end up so go 
  look at it.
Darrell Duane: Darrell's deck - 
Orie Steele: Yes, the last slide is critical... its about how 
  wallets relate to other ecosystem components like hubs and 
Darrell Duane:  I'm going to be talking about a report we pushed 
  out last year. Created for two reasons, address concerns over 
  ambiguity of what a digital wallet is. One report is a public 
  report -- link in the chat. Another is a business strategy 
Darrell Duane:  There was a lot of handwaving that wallets mean a 
  lot of different things to different people. "Oh the wallet will 
  do that" is too much handwaving.
Darrell Duane:  We went over ~300 projects, lots of discussion. 
  Deep dived, we covered "what are the capabilities of a wallet", 
  from a user/enterprise perspective not a dev one.
Darrell Duane:  What stuff do we put in a wallet, enterprise 
  specific concerns, multiperson/organization concerns. 
  Cryptocurrencies vs. layman's term for a wallet. We covered the 
  state of tech as of March 2019.
Darrell Duane:  Lots of progress in some areas and not so much in 
Darrell Duane:  We identified immediately the user experience is 
  the biggest problem.
Darrell Duane:  Update on what we've learned since. The wallets 
  in the wild and being used by non-techies -- people just using 
  apps to do their work. These are single credential/single 
  connection types of apps. I've been in an advising role at 
  CULedger -- most apps have been single credential, etc. These 
  have been dead simple use cases.
Darrell Duane:  Other key thing that Daniel hit on -- 
  backup/recovery is terrifying on a mere mortal basis. It's an 
  attack vector. It's a surprise to credit unions and banks, can 
  people operate on two phones, can someone else take my phone and 
  bank on my behalf and rip me off, etc.
Darrell Duane:  Lots of crypto/tech centric...
Darrell Duane:  If you want to get access to report, hit me up on 
  twitter and I'll link in the chat. Doc is almost 90 pages long.
Darrell Duane:  One of the funders wanted a summary but that 
  would be 3x-4x the actual doc.
Wayne Chang:  On to Katryna.
Darrell Duane: Direct link to the wallet report: 
Wayne Chang:  On to Charles, Katryna has audio trouble.
Charles_cunningham: I work for an SSI company in Berlin Germany.
Charles_cunningham: I work for Jolocom.
Joachim Lohkamp: 
Charles_cunningham: We have looked extensively at what goes in a 
  wallet for some time. We offer a wallet as an app on iOS, etc. We 
  have a wallet for enterprise use cases but slightly less 
Charles_cunningham: We have some simple graphics for what we 
  think goes in a wallet.
Charles_cunningham: Key material. Everyone knows key material is 
  the foundation for all wallets -- the simplest definition is a 
  wallet manages that key material for you.
Charles_cunningham: Managing keys is fine for a cryptocurrency 
  wallet. Obviously credentials go right into a wallet. The analogy 
  is right there with physical wallets like driver's licenses.
Charles_cunningham: Capabilities, similar to credentials. They 
  can present signed data. In the UI for our wallets, we've 
  separated the representations.
Charles_cunningham: More in particular it's about authorization. 
  Credentials are more about presenting information about yourself.
Charles_cunningham: History and metadata. They are closely 
  related and represented in our wallets. If I'm being issued a 
  credential our issuance protocol finds a way to indicate how to 
  display the credential in the wallet.
Charles_cunningham: This metadata and the history includes all of 
  the interactions with other identities. This includes pairwise 
  identities, IDs for the credentials exchanged, so on.
Charles_cunningham: In a functional sense, wallets can be defined 
  as stores of sensitive information. But they can also be modeled 
  as agents. Presenting a credential to someone or participating in 
  some kind of interaction.
Charles_cunningham: We've included non-credential based 
  interactions, using the keys in your wallet ... looking for ways 
  to mix personal version vs. enterprise version. We've been 
  exploring this through a capabilities model.
Charles_cunningham: How an individual might interact with a 
  larger entity through capabilities.
Charles_cunningham: Through key operations.
Darrell Duane: Dang - I've lost my phone connection here.
Juan Caballero: @Joachim was there a second link/page?
Charles_cunningham: We have an image on our SDK ... we use a 
  wallet for both mobile and server side ... simple interfaces to 
  give it the full functionality.
Wayne Chang:  Katryna is up next.
Wayne Chang:  We welcome you to give a brief intro and answer 
  what's in a wallet.
Katryna: My name is Katryna Dow, founder of Meeco.
Katryna: This is all valid and interesting, but taking a slightly 
  different direction.
Katryna: Starting in this space over a decade ago. Data and 
  information that was important... working backwards from that 
  over the last few years. It's really interesting the way language 
  shapes tech.
Katryna: From the evolution of our products and services, we've 
  moved from something ... we've moved from saying all the things 
  about yourself over your life to categorizing it, to having a 
  consent layer, to having an API to connect.
Katryna: The evolution of that comes down to portability. How 
  things become light weight. The thing that's emerging in 
  listening to everyone. The idea of portable, reusability. Real 
  digital transformation vs. digitization. We've been through a 
  decade or so with taking data and information and digitizing it.
Katryna: The wallet can focus on things that are really critical 
  and light weight that you want with you in an everyday sense. And 
  then move to the digitally connected world vs. just mirroring the 
  physical world.
Katryna: Wallets also allow ecosystems to develop quickly without 
  a need for tight integration.
Katryna: The standards group that many of us are part of ... 
  interop and portability mean that ecosystems can develop quickly 
  with the individual, service provider, and trust anchor that can 
  be universally recognized.
Katryna: From our perspective, all the things we've been 
  building, uni transcript, health provider, etc. -- these things 
  are becoming more important anchor points around things that are 
  more light weight and used every day.
Katryna: The language and evolution from data storage to 
  connectivity and integration ... now down to the use of the term 
  "wallet" ... it helps give people an understanding around how 
  those things might fit into everyday life.
Katryna: Also, how do you bring this lightweight decentralized 
  human solution into the enterprise world. We've been doing 
  interesting work around OIDC around infrastructure and emerging 
Katryna: To allow people to be free and independent but also come 
  into an ecosystem and help with B2B value.
Katryna: The evolution is interesting to me and how the language 
  has helped shape the tech and create the clarity that Kaliya 
  talked about earlier on.
Orie Steele: What organization is Katryna with again?
Wayne Chang:  Feel free to email the admins as needed if you have 
  any concerns.
Wayne Chang:  Nathan, thanks for stepping in at the last minute, 
  please give a brief intro and your answer to what's in a wallet.
Nathan-lef: Nathan with Learning Economy Foundation.
Nathan-lef: We have been collaborating with gov't for running 
Nathan-lef: Digital wallets, enabling true ownership of education 
Nathan-lef: Working on an initiative ... the open wallet 
Nathan-lef: We're in the initial stages of this. Working on 
  defining it and collecting data.
Nathan-lef: What's a wallet: Very high level. A wallet is an 
  abstraction that represents everything that's important enough 
  for things to be stored in it.
Nathan-lef: Focusing on how digital data is stored, not 
  specifically what -- so working with arbitrary storage.
Nathan-lef: We want to leverage the existing ecosystem and 
  looking at current solutions and requirements so as not to 
  preclude anything.
Nathan-lef: We are calling on these use cases for the wallet 
Nathan-lef: We want to ensure that the value of the wallet 
  appreciates over time. Tremendous value -- in interop and 
Nathan-lef: Discussions have been there and we want to build on 
  top of that. We want to see that through setting standards for 
  more mass adoption from customer perspective.
Nathan-lef: Application and hardware agnostic -- not tied to any 
  particular user experience. Perhaps counter to some -- we want to 
  imagine the wallet being everywhere at once. Supporting remote 
  storage, hierarchies, supporting offline too with balance.
Nathan-lef: We are in agreement with most everything we've seen 
  through these presenters today and last week. We want to 
  emphasize things that might not have been before. The wallet is 
  not tied to an application.
Nathan-lef: That lets apps get some view into the wallet but the 
  customer is dealing with one wallet.
Nathan-lef: The wallet itself does not define data boundaries, 
  but has pluggable functional components for all use cases whether 
  that's local or remote storage.
Nathan-lef: Focus on VCs, etc.
Nathan-lef: From the existing ecosystem from hyperledger to 
  universal wallet, we see what's needed right now. I want to 
  encourage anyone who wants to help with this initiative to reach 
  out. We are trying to be as open and inclusive as possible and 
  want to synthesize all these efforts.
Wayne Chang:  Thanks for your contribution.
Wayne Chang:  We will move to Q&A now -- please keep things to 
  about 30 seconds.
Wayne Chang:  Up to two of the people would have 30 seconds to 
  queue and answer or comment.
Christopher Allen: Wyoming Private Key Disclosure Bill "No person 
  shall be compelled to produce a private key or make a private key 
  known to any other person in any civil, administrative, 
  legislative or other proceeding in this state that only relates 
  to a digital security or virtual currency to which the private 
  key provides access.  This paragraph shall not be interpreted to 
  prohibit any lawful proceeding that compels a person to produce 
  or disclose a
Christopher Allen: Digital security or virtual currency to which 
  a private key provides access, or to disclose information about 
  the digital security or virtual currency, provided that the 
  proceeding does not require production or disclosure of the 
  private key." https://wyoleg.gov/Legislation/2020/HB0041
Christopher Allen:  One lens -- focus/direction -- that seems to 
  be missing from our models is from a legal perspective.
Christopher Allen:  I'll share a link in IRC, it's a bill that I 
  helped propose in Wyoming to help protect your private keys. 
  There's an assumption that they are yours, they can't be 
  compelled from you.
Christopher Allen:  I'd like to ask the wallet arch people -- 
  have you looked at the line where it's "yours" and where other 
  things are maybe not totally "yours".
Christopher Allen:  It stops being a wallet perhaps when people 
  can pull from it.
Manu Sporny:  https://github.com/w3c-ccg/community/issues/144 
  [scribe assist by Wayne Chang]
Wayne Chang: Just opened this
Daniel Hardman:  I think that's fascinating and important. And 
  where you put the presentations you receive from others -- you 
  may be receiving a moral/legal responsibility to safeguard the 
Daniel Hardman:  Other entanglements there, I agree.
Adrian Gropper:  I want to say that I ascribe closest to Daniel 
  Hardman's presentation and say that we've been lax in what's an 
  agent and what's a wallet since the beginning. My definition of 
  what's a wallet is what can't be done by an agent. 
  Non-repudiation tied to biometrics and what's useful offline.
Juan Caballero: +100
Heather Vescent: Already planning to do that Manu. :-)
Juan Caballero: Rage-
Manu Sporny:  I just wanted to highlight a comment that Anil John 
  made earlier. It would be great if we could curate these 
  conversations and we have great perspectives on what a wallet is. 
  Next step could be driving towards consensus in the community on 
  what these things are and being able to link to them from the 
  landing page of the CG would be great.
Wayne Chang:  Great. I just opened a github issue towards exactly 
  this. It's a wonderful idea, people drop a note in that github 
  issue to help contribute.
Daniel Hardman: Which repo is the github issue in?
Wayne Chang: github.com/w3c-ccg/community
Wayne Chang: https://github.com/w3c-ccg/community/issues/144
Ryan Grant:  Thanks for all these presentations. What I want from 
  a wallet standard is a way to understand if my wallet 
  successfully accepts all the things it needs to and can generate 
  all the things that your wallet may need to accept so we can 
  complete whatever our thing is.
Jonathan Holt:  There is a difference perhaps between what is my 
  wallet that I use and what is a commercial wallet that is being 
Juan Caballero: +1
Wayne Chang:  Thanks for our great speakers!
Juan Caballero: Huge thanks to all the great presenters!
Dave Longley:  You did an amazing job with the notes, we are 
  eternally grateful [scribe assist by Wayne Chang]
Wayne Chang: Sorry I ran out of time to give a thanks
Heather Vescent: +1 Dlongley!
Received on Wednesday, 15 July 2020 19:27:45 UTC
