[MINUTES] W3C Credentials CG Call - 2020-05-19 12pm ET

Thanks to Kaliya Young for scribing this week! The minutes
for this week's Credentials CG telecon are now available:


Full text of the discussion follows for W3C archival purposes.
Audio from the meeting is available as well (link provided below).

Credentials CG Telecon Minutes for 2020-05-19

Topics:
  1. Introductions & Reintroductions
  2. Announcements & Reminders
Organizer:
  Christopher Allen and Joe Andrieu and Kim Hamilton Duffy
Scribe:
  Kaliya Young
Present:
  Jonathan Holt, Moses Ma, Orie Steele, Chris Winczewski, Joe 
  Andrieu, Jeff Orgel, Dave Longley, Kim Hamilton Duffy, Erica 
  Connell, Dmitri Zagidulin, Adrian Gropper, Kaliya Young, 
  Christopher Allen, Adam Lemmon, Manu Sporny, Dan Burnett, Juan 
  Caballero, Adrian Hope-Bailie, Chris Webber, Ganesh Annan

Kaliya Young is scribing.
Kaliya Young: Introduction & Reintroductions
I'm Alan from Accredible

Topic: Introductions & Reintroductions

Manu Sporny: Welcome Alan! Glad to see you here! :)
Thanks for the warm welcome
Manu Sporny: Welcome Adam, thanks for joining us! :)
Christopher Allen:  Introducing himself from Credible - digital 
  credentialing company [scribe assist by Kaliya Young]
Kaliya Young: Sorry that was Adam talking
Adam Lemmon: Thanks Manu!
Kaliya Young: @Kimhd: head of the digital identity consortium 
  rebuilding educational credentials based on VCs and DIDs - many 
  folks from educational call are joining this call too.
Joe Andrieu: https://w3c-ccg.github.io/announcements/
Kim Hamilton Duffy: VC-EDU task force 

Topic: Announcements & Reminders

Dmitri Zagidulin: Wait, that was 1pm Eastern
Kaliya Young: @Identitywoman: presenting tomorrow at Festival of 
  identity about book Domains of identity - 
Manu Sporny: Secure Data Storage WG calls: 
Manu Sporny: SDS WG calls happen 4pm ET on Thursdays
Joe Andrieu: 
Manu Sporny: (And may be rescheduled soon)
Joe Andrieu: https://github.com/w3c-ccg/community/issues/105
Kaliya Young: Here is a link to the session tomorrow about 
  Domains of identity- 
Kaliya Young: @Orie: as far as I understand the only thing that 
  is remaining is to announce on the website it is closed - and 
  then following W3C procedures.
Kaliya Young: @Orie: the GitHub Pages preview is the last thing 
  to be shut down.
Orie Steele: Repo has notice that the group is closed: 
Joe Andrieu: https://github.com/w3c-ccg/community/issues/94
Orie Steele: Website has notice: https://w3c-dvcg.github.io/
Kaliya Young: @Dan: Manu and I talked about an outline of a 
  proposal. Main question is where do you want that process to 
Orie Steele: Remaining item is just to formally close the wg with 
Kaliya Young: @Joe: where do we put it?
Kaliya Young: @Chris: fine with it being in regular registration 
  part of the document
Kaliya Young: @Joe: we invited Jonathan Holt to give us a report 
Kaliya Young: @Jonathan: CMIO - chief medical informatics 
  officer. Started the company March 1. On stage. HIMS..before 
Kaliya Young: @Jonathan: the hackathon was my idea of an 
  alternative because well we couldn't go to HIMS... I love 
Juan Caballero: This was from a hackathon! 
Kaliya Young: @Jonathan: we have 400 participants from 70 
  countries we had 60+ mentors 40+ projects finalized and announced 
  winners yesterday. Wanted the mindset of digging in to solve 
  problem (vs passive bystanders).
Joe Andrieu: https://consensyshealth.com/covid-19/
Kaliya Young: @Jonathan: we had 3rd place winner - pandemic 
  reserves for pandemics. They used smart contracts.
Kaliya Young: @Jonathan: we didn't limit folks to Ethereum and 
  wanted to show interoperability
Kaliya Young: @Jonathan: 3D supply chain management - modeled 
  the roles of all the players in the system, and get a system 
Kaliya Young: @Jonathan: Dplazma one - they used verifiable 
  credentials around plasma in the crisis. You can donate your 
  plasma. Blood typing and privacy preserving.
Kaliya Young: @Jonathan: deep in the weeds on VCs and maybe was 
  hard on the projects that used them because of that.
Kaliya Young: @Jonathan: information - validated and secure,
Kaliya Young: Jonathan: ears on the ground
Kaliya Young: @Jonathan: data is the medicine we need
Kaliya Young: So many buzzwords.
Kaliya Young: @Jonathan: Resilience in the crisis.
Kaliya Young: @Jonathan: reimagine new normal
Kaliya Young: @Jonathan: Vitalik and Joe Lubin. HHS head. Brian 
Kaliya Young: Jonathan: very successful.
Kaliya Young: @Kimhd: mentioned one aspect was privacy preserving 
  can you share details.
Kaliya Young: @Jonathan - ZKPs in the plasma - offer and accept 
  in the smart contract - including blood type - just pointer to 
  DID on chain. What was in the contract was the DID.
Kaliya Young: @Joe: main event today update on CHAPI
Kaliya Young: @Joe: and newly VP request spec.
Kaliya Young: @Chris: next week will be a town hall to talk to 
  any of the candidates.
Kaliya Young: @Joe: there are three seats available. 2,3 years.
Juan Caballero: Very cool @Jonathan_holt! Not seeing a writeup of 
  the prize-winning teams on the website, is that forthcoming? V 
  curious about the plasma project (having recently watched that 
Kaliya Young: @Manu: will start and along with Dmitri & Dave 
Manu Sporny: 
Kaliya Young: @Manu there is a slide deck
Kaliya Young: @Manu: CHAPI became a work item several years ago 
  and then VCrequest just became a work item.
Dave Longley: S/VCrequest/VP Request/
Kaliya Young: @Manu: we were going to do a demo today might not 
  have time - may schedule another time.
Kaliya Young: @Manu: basics of credential handler API.
Kaliya Young: @Manu: slide 2 what we are talking about here how 
  it fits into the ecosystem.
Kaliya Young: @Manu: this should look familiar - issuer, holder, 
Kaliya Young: @Manu: Verifiers request VCs as presentations.
Kaliya Young: @Manu: CHAPI and DIDComm are about how to get data 
  from point a to b it is about getting data around between 
  different roles in the ecosystem.
Kaliya Young: Slide 3: expand those arrows and show what is going 
  on inside those arrows - these are really request response cycles 
  - send request to the other role. CHAPI is a dumb pipe between 
  these roles - communication challenges that these request and 
  responses flow over. Fundamentally this is all it is.
Manu Sporny:  Way to get the data between these roles. [scribe 
  assist by Kaliya Young]
Kaliya Young: @Manu: next is more of the details. In slide 4. 
  Highlights how CHAPI really works and why we need it as a 
  transport mechanism. They think in terms of the web browser and 
  HTTP. That is one way of getting data around the web. That is not 
  the only way. CHAPI does use HTTP. It uses another mechanism that 
  not a lot of people know about that exists in web browsers. It is 
  important to understand the security model for web browser - 
  every tab has a s[CUT]
Manu Sporny:  One tab can't talk to the other. By default the tab 
  open to Yelp can talk to the tab you have open in Gmail this is 
  how to keep data safe in web browser. The red dotted lines - 
  think of those as the firewall around your browser tabs. They can 
  talk to apps on your desktop or mobile phones. There is a link 
  that is a mailto link - when you click that you will open it in 
  an e-mail application (other examples, map app, Uber app - deep 
  linking). [scribe assist by Kaliya Young]
Manu Sporny:  Can ping an app and ask it to open. The big problem 
  that needs to be solved - how do you get an issuer to talk to a 
  digital wallet OR how do you get a digital wallet to talk to a 
  verifier. That is where CHAPI comes in - it uses tricks in the 
  browser. [scribe assist by Kaliya Young]
Juan Caballero: Illusions, Michael!
Kaliya Young: @Manu: this slide is really important (4) so I want 
  to spend time on it. And things not obvious to the non-browser 
  literate. Website A and application A - the website gives you 
  HTML and JavaScript. It executes as a 'web app' within your web 
  browser - it is executing ON your machine. Two things to take 
  away from this. The web apps themselves are firewalled from each 
  other. The website gives software to your web browser to run. The 
  website is [CUT]
Manu Sporny:  Dave did I cover everything you wanted me to cover? 
  [scribe assist by Kaliya Young]
Kaliya Young: @Dave: to run a web application you download HTML & 
  JavaScript to run in your browser - CHAPI is a feature you add 
  to your browser to handle requests for VCs and other types of 
  data. Instead of having the web servers between you and your 
  digital wallet - this helps them maintain state in those 
  applications. You don't lose the state of the site; this also 
  enables the browser to present multiple choices for multiple 
Kaliya Young: @Dave: CHAPI mediator piece lets you pick the 
  digital wallet you want to mediate that request. CHAPI just 
  passes through the request to the digital wallet to parse that 
Manu Sporny: Video of what CHAPI looks like in practice: 
Dan Burnett: I think Jonathan is asking where CHAPI info is 
  stored in the browser between sites/apps
Manu Sporny:  Without a demo this feels pretty abstract [scribe 
  assist by Kaliya Young]
Manu Sporny:  Video is almost three years old - things have come 
  a long way. [scribe assist by Kaliya Young]
Jonathan Holt: Yeah, how do you pass "state"?
Manu Sporny:  The CHAPI mediator on slide 4 new thing happens - 
  works across every major browser. [scribe assist by Kaliya Young]
Dmitri Zagidulin: Jonathan - I can address the question about 
  state when we talk about the VP Request spec
Manu Sporny:  Just available to 2.4 billion people - they don't 
  have to install a digital wallet - raw diffusion into populace. 
  It forwards requests on - presentation request response router. 
  [scribe assist by Kaliya Young]
Kaliya Young: @Manu: so that is the architecture.
Kaliya Young: @Manu: CHAPI is a dumb pipe that is QR code - 
  multiple other things can move along CHAPI - VC request and 
  response. DIDComm messages could move over CHAPI. It is a low 
  transport layer thing, something that is really important for us 
  to deploy for everyone to have web-based wallets.
Kaliya Young: @Manu: question about privacy - CHAPI doesn't have 
  an opinion - other people do have an opinion - this is why we 
  have secure data stores - key value store is on your machine that 
  you decrypt on your device - privacy implications on the layers 
  above CHAPI.
Kaliya Young: @Manu: VC request spec on slide 6
Kaliya Young: @Dmitri: if CHAPI is a dumb pipe and only has two 
  function calls. To get a store. CHAPI is that protocol - what are 
  you getting and what do you store - when an app is requesting..
Kaliya Young: @Dmitri: slide 7 this is just the data model
Kaliya Young: @Dmitri: can be serialized to a URL so pass around 
  to mobile applications any number of transport mechanisms. In the 
Kaliya Young: @Dmitri: we are going to talk about in - what is 
  the thing in bold -
Kaliya Young: @Dmitri: on slide 9
Kaliya Young: @Dmitri: what do these queries actually look like - 
  query property (Slide 10)
Kaliya Young: @Dmitri: passing one or more queries - + recipient 
  view - specifying key agreements to encrypt queries and results 
  coming back.
Dmitri Zagidulin:  The only thing that these queries are 
  requesting are verifiable presentation in response to some kind 
  of challenge from the web application. One more queries [scribe 
  assist by Kaliya Young]
Adrian Hope-Bailie:  What is the relationship between this format 
  and the transactional authorization data model [scribe assist by 
  Kaliya Young]
Juan Caballero: +1
Kaliya Young: @Dmitri: - nothing yet - cause in dialogue with 
  Justin Richer
Dave Longley: Note: When a digital wallet responds to a VP query, 
  it does so with a VerifiablePresentation, and that VP will 
  include the requested information (e.g., VCs) and an 
  authentication proof to demonstrate control, for example, over a 
  DID -- this authentication proof must include the challenge sent 
  by the requester.
Kaliya Young: @Dmitri: slide 11 on one of those queries on that 
  list of queries. One of the common types of query is a query by 
  example. MongoDB or CouchDB or one of those types of 
  mechanisms. Pass a template in the database. Query by example 
Kaliya Young: @Dmitri: stating why you are requesting the 
  Verifiable presentation.
Kaliya Young: @Dmitri: you can specify all sorts of things - 
  issuer, particular fields, the wallet does the processing - and 
  returns to you the verifiable presentation that contains the 
Chris Webber:  Special version of the Firefox browser that allows 
  for the use of FIDO keys that allow for use with this? [scribe 
  assist by Kaliya Young]
Dmitri Zagidulin:  That was a modified browser to work with web 
  authentication protocol. [scribe assist by Kaliya Young]
Kaliya Young: @Manu: fundamentally waiting for the WebAuthn to 
  interact within the browser - doesn't mean we can't do FIDO2 to 
  login to digital wallet.
Manu Sporny:  What that showed was a modified version of 
  Chromium. We were using a digital key to sign it - we can't do 
  that yet. Visa, Mastercard, PayPal need same functionality from 
  WebAuthn for that. [scribe assist by Kaliya Young]
Kaliya Young: @Dave: agreement to add support we need - browsers 
  just have to implement
Dmitri Zagidulin:  So, storage API in service workers? [scribe 
  assist by Jonathan Holt]
Kaliya Young: @Chris: where are the keys being generated? how 
  does someone protect:
Kaliya Young: ?
Kaliya Young: @Dmitri: keys are only handed by the server side 
  wallet providers.
Kaliya Young: @Dmitri: you would be using CHAPI and 
  VCpresentation request can you sign this or
Kaliya Young: @Chris: always going to ask where the key is 
Thanks all
Kaliya Young: @Joe: that is it for this week. next week is town 
  hall June 2 report out on the SVIP interop plug fest.

