[MINUTES] W3C CCG Verifiable Credentials for Education Task Force Call - 2020-03-23 12pm ET

Thanks to Stuart Freeman for scribing this week! The minutes
for this week's CCG Verifiable Credentials for Education Task Force telecon are now available:

https://w3c-ccg.github.io/meetings/2020-03-23/

Full text of the discussion follows for W3C archival purposes.
Audio from the meeting is available as well (link provided below).

----------------------------------------------------------------
CCG Verifiable Credentials for Education Task Force Telecon Minutes for 2020-03-23

Agenda:
  https://lists.w3.org/Archives/Public/public-credentials/2020Mar/0064.html
Topics:
  1. Introductions and Re-introductions
  2. Guest expert Orie Steele presents open source libraries and 
    VC-EDU demos
Organizer:
  Kim Hamilton Duffy and Christopher Allen and Joe Andrieu
Scribe:
  Stuart Freeman
Present:
  Leonard Rosenthal, Orie Steele, Kim Hamilton Duffy, James 
  Chartrand, Adam Lemmon, Stuart Freeman, Nate Otto, Chris 
  Winczewski, Scott Fehrman, Juan Caballero, Nick Hathaway, Laura 
  Fowler, Joshua Marks
Audio:
  https://w3c-ccg.github.io/meetings/2020-03-23/audio.ogg

Kim Hamilton Duffy: https://www.w3.org/community/credentials/join
Kim Hamilton Duffy: https://www.w3.org/accounts/request
Help
Kim Hamilton Duffy: 
  https://www.w3.org/community/about/agreements/cla/
Kim Hamilton Duffy: https://w3c-ccg.github.io/meetings/
Stuart Freeman is scribing.

Topic: Introductions and Re-introductions

Kim Hamilton Duffy: S_Gallant is Scott Gallant introducing 
  himself
Scott Fehrman:  20+ Years ed tech, heathcare interop
  ... webshield, also does privacy consulting
Kim Hamilton Duffy: Nick Hathaway introducing himself
Nick Hathaway:  Elcocker, 25+ years ed tech experience, working 
  on wallets
Kim Hamilton Duffy: Lauraj is at UWashington
Laura Fowler:  Business analyst at U washington, higher ed vc use 
  cases
Kim Hamilton Duffy: Joshua Marks PCG
Joshua Marks:  Ims global comprehensive learner spec

Topic: Guest expert Orie Steele presents open source libraries and VC-EDU demos

Joshua Marks: Is there we screen share for this call?
Kim Hamilton Duffy:  There are a few libraries that orie called 
  attention to, signature suite, and vc demo
Joshua Marks: Is there a screen share for this call?
  ... repo of vc examples, we might consider adding our stuff to
Orie Steele: 
  https://gist.github.com/OR13/0b8be9d8c43c2acd2d7cf09f6887a8a0
Orie Steele:  Transmute, works on decentralized identifiers
  ... demo regarding working with dhs
  ... open source interop with credentials
Kim Hamilton Duffy: Reminder, links are here: 
  https://gist.github.com/OR13/0b8be9d8c43c2acd2d7cf09f6887a8a0
Kim Hamilton Duffy: Note: if you're using Brave browser, you may 
  have to "lower your shields" for these sites
Kim Hamilton Duffy: Verifier repo: 
  https://github.com/w3c-ccg/vc-verifier-http-api
Kim Hamilton Duffy: Issuer repo: 
  https://github.com/w3c-ccg/vc-issuer-http-api
Kim Hamilton Duffy: Ach kimhd
Kim Hamilton Duffy:  Credential handler api?
Orie Steele:  Api for interacting with creds on websites
Kim Hamilton Duffy: Chapi: 
  https://w3c-ccg.github.io/credential-handler-api/
I may not be the best scribe choice, voip keeps hanging up on me
Orie/kim: other apis are being developed such as did-com and 
  badge connect
Nate Otto: I am getting phone calls, could add to queue to talk 
  about Badge connect in 5min
Leonard Rosenthal:  Looking at chapi, appears to be tied to 
  browser implementations
Kim Hamilton Duffy: Stuartf I'll see if we can get another 
  volunteer
Orie Steele:  This is addressing long standing issues in the 
  browser space, very browser oriented
Leonard Rosenthal:  Server-to-server in the future>
Kim Hamilton Duffy: Stuartf -- one other thought, you can dial in 
  by phone. I can scribe for you while that's happening
Kim Hamilton Duffy: Let me know
Orie Steele:  Chapi requests could be put over other media, but 
  hasn't been done yet
Nate Otto:  Re server-to-server transmission [scribe assist by 
  Kim Hamilton Duffy]
Kim Hamilton Duffy: ...Spec that operates over OBs called 
  BadgeConnect, part of OB 2.1
Kim Hamilton Duffy: ...Will be publicly available soon
Kim Hamilton Duffy: ...Oauth2 + auth grants to enable users to 
  provide permissions to transfer creds from service to service
Kim Hamilton Duffy: ...Badgeconnect is s2s
Kim Hamilton Duffy: ...Id provider can also be resource for 
  credentials
Kim Hamilton Duffy: ...Need to know domain name of badgeconnect 
  host
Kim Hamilton Duffy: ...Once it has permission it can send creds
Kim Hamilton Duffy: ...Api is fairly extensible
Error: (IRC nickname 'andy_' not 
  recognized)[2020-03-23T15:39:15.678Z] <andy_> Badge Connect API 
  (aka OB 2.1) is public (still Candidate Final) at 
  https://www.imsglobal.org/activity/digital-badges
Kim Hamilton Duffy: ...Content can be flexible
Kim Hamilton Duffy: ...Interested in broader conversation about 
  compatibility, and IMS is interested in VC alignment
Kim Hamilton Duffy: ...If compatible, we should talk about how 
  this would work
I'm back
Still a slow typist\
But yes
Orie Steele:  Spec about badge connect is interesting, would like 
  to check out reference impl and examples
  ... could be dropped into the demo we just saw on issuer side
  ... possibly a direct integration
Nate Otto: Badge Connect (Open Badges 2.1) is now in "Candidate 
  Final (Public)" status available here: 
  https://www.imsglobal.org/spec/ob/v2p1/ more links here 
  https://www.imsglobal.org/activity/digital-badges
  ... vc signature suites being worked on by transmute
  ... same key to issue multiple types of credential with json 
  web token
  ... or linked data
  ... gpg signature suite does the same but using gpg keys
Leonard Rosenthal:  Any consideration or plan for ??? standard
  ... etsi standard
  ... EU standards must comply
Nate Otto:  Discussion about selecting suites and how we can 
  avoid confusing users about what can communicate with what
  ... what do we need in terms of agreements to assure that 
  compatibility happens
Leonard Rosenthal: ETSI_ESI - 
  https://portal.etsi.org/TB-SiteMap/esi/esi-activities
Leonard Rosenthal: JAdES - 
  https://portal.etsi.org/webapp/WorkProgram/Report_WorkItem.asp?WKI_ID=52897
Orie Steele:  There's a risk that diff companies go off and do 
  similar looking things that don't interop
  ... agree to a key representation
  ... number of reasons for everyone to use jwk
  ... works with JOSE, many things already work with this
Kim Hamilton Duffy: Thanks Leonard!
  ... agree on signature representation
  ... reccommend jose
  ... as a community identify software that is aleready 
  widespread and adapt it instead of building whole new stacks
Leonard Rosenthal:  Badge connect considereing signed software 
  statement signed with jwk in jose
  ... key question "what should we do to select did methods and 
  sig suites to ensure compatibility"
Kim Hamilton Duffy:  Already it was unclear what the best choice
Orie Steele: For example: 
  https://w3c-ccg.github.io/ld-cryptosuite-registry/
  ... ccg is acting as a gatekeeper where it shouldn't, we're not 
  crypto experts
  ... vc data model spec complicated if using jots
Orie Steele: See the (harmful) optionality here: 
  https://www.w3.org/TR/vc-data-model/#jwt-encoding
  ... we're green field so can save effort by choosing existing 
  standards
Orie Steele: (Harmful is my opinion)
  ... what is the context of vc examples?
Orie Steele:  Starting point is spec, look for examples
  ... make things that look like the example
  ... problem when the example is very hypothetical
  ... try to prepare examples with real sigs that really verify
  ... pick did method that you can actually implement, did:web is 
  good for this
  ... anything that uses a browser can use it, no need for lots 
  of blockchain signatures
  ... a few things you have to do, define the context and host it
Orie Steele: 
  https://github.com/w3c-ccg/vc-examples/tree/master/docs/cmtr/examples/v0.1
  ... markdown file in link defines the format
Orie Steele: https://w3c-ccg.github.io/vc-examples/
  ... links have to be resolvable for the example to make sense
Orie Steele: 
  https://w3c-ccg.github.io/vc-examples/cmtr/examples/v0.1/cmtr-verifiable-credential-v0.1.json
Orie Steele: 
  https://w3c-ccg.github.io/vc-examples/cmtr/examples/v0.1/cmtr-v0.1
  ... context definition for this defines cmtr property
  ... can contain anything because this spec is in flux, as we 
  become more confident in the structure become more specific
Orie Steele: https://www.w3.org/TR/vc-data-model/#contexts
Leonard Rosenthal:  Disagree, it's not required that the 
  documents be available and resolvable
Orie Steele: @Context is REQUIRED :)
Leonard Rosenthal: Must be present but need not be resolvable
  ... curious about harmful nature of jwt optionality
Orie Steele:  Jwt has reserved terms that come from jose, want to 
  have short names and make sure no one overrides them
  ... when extended for vc having things always map resulted in 
  having the data end up in various optional places
  ... makes implementation complex
  ... trying to verify means figuring out which options the 
  issuer chose
Leonard Rosenthal: Ah - I see what you mean.  I misread that part 
  of the spec.  I read it as requirement to use the JOSE/JWT naming 
  and *not* the VC ones
Orie Steele: "For backward compatibility with JWT processors, the 
  following JWT-registered claim names MUST be used instead of, or 
  in addition to, their respective standard verifiable credential 
  counterparts:"
Leonard Rosenthal: Yeah, missed that "or" - we should get that 
  fixed :)
Kim Hamilton Duffy:  If uris are missing and terms are defined, 
  there may be security problems, or problems invalidating
Orie Steele: Yes :)
  ... longer discussion will follow up
Anybody here?

Received on Tuesday, 24 March 2020 03:21:03 UTC