[Minutes] Credentials CG Telecon Minutes for 2021-11-30

Thanks to Juan Caballero for scribing this week! The minutes
for this week's Credentials CG telecon are now available:

https://w3c-ccg.github.io/meetings/2021-11-30

Full text of the discussion follows for W3C archival purposes.
Audio from the meeting is available as well (link provided below).

----------------------------------------------------------------
Credentials CG Telecon Minutes for 2021-11-30

Agenda:
  https://lists.w3.org/Archives/Public/public-credentials/2021Nov/0102.html
Topics:
  1. Introductions & Reintroductions
  2. Announcements & Reminders
  3. Mobile Drivers License: Andrew Hughes
Organizer:
  Wayne Chang and Heather Vescent and Mike Prorock
Scribe:
  Juan Caballero
Present:
  Charles E. Lehner, Heather Vescent, Mike Prorock, TallTed // Ted
  Thibodeau (he/him) (OpenLinkSw.com), Kerri Lemoie, Chris
  Abernethy (mesur.io), Juan Caballero, Andrew Hughes, Manu Sporny,
  Jeff Orgel, Marty Reed, rgrant (Ryan Grant), Orie Steele, Phil L
  (P1), Steve Magennis, Ted Thibodeau, Adrian, Kaliya Young, Bob
  Wyman, Kayode Ezike, Dan, Dan Burnett, Brent Zundel, Christian
  Gribneau
Audio:
  https://w3c-ccg.github.io/meetings/2021-11-30/audio.ogg

Juan Caballero is scribing.
Juan Caballero is scribing.
Heather Vescent:  Intro, continuation of 9/28 CCG Call and IIW
  sessions led by our guest, Andrew Hughes (Ping Identity)
  ...: one set of questions we didn't have time for the last time
  this topic was discussed was the backstory of ISO WG
  decision-making and timelines
<mprorock> did jitsi break audio in latest chrome?
S/...:/.../
Heather Vescent:  Manu sent out an email about VC-mDL vocab
  recently, and i assume we will have time for that in Q&A without
  upstaging or stealing time from the main event
Andrew Hughes:  Sgtm
<manu_sporny> Sounds great, Heather... Andrew, I have some
  thunder to share, we'll make a great team :)
Heather Vescent:  IPR note
  ... call notes
  ... queuing guide for new folks
<mprorock> jitsi audio issue on chrome 96.0.4664.57 beta on linux
  and/or chromebook fyi - working on .45 on linux
<manu_sporny> /me curses.
<manu_sporny> /me will look into it.
Mike Prorock:  Bug report - chrome updates can break jitsi,
  beware!
Heather Vescent:  Intros & re

Topic: Introductions & Reintroductions

<phil_l_(p1)> Other browsers do exist ;-)
<tallted> standalone Jitsi Meet.app FTW!
<andrew_hughes> /me but that can wait :)
Heather Vescent:  Announcements and reminders

Topic: Announcements & Reminders

Manu Sporny:  Did-core formal objections: radio silence
  ... since asking for a timeline 80 days ago.  formal objection
  council met 2 weeks ago but no minutes published yet
  ... we will keep pushing for a timeline
<manu_sporny> Weekly updates:
  https://lists.w3.org/Archives/Public/public-credentials/2021Nov/0107.html
  ... other announcement: weekly updates from VCWG -- published
  1.1 of VC data model spec, from hereon in, the CCG will get
  updated any time there are major changes
  ... going forward, every monday there will be a github update
  email
  ... vc-edu and trace-vocab and other groups could also do the
  same, although it might lead to overload
<orie> you can also just subscribe to github repos... for
  notifications.
Heather Vescent:  Tooling?
Manu Sporny:  It's a W3C tool
https://github.com/w3c-ccg/did-pkh/pull/13/files#diff-b335630551682c19a781afebcf4d07bf978fb1f8ac04c6bf87428ed5106870f5R7
Juan.caballero: did-pkh meeting start this week, feel free to
  come if you're curious about blockchain PKI and
  pseudo-did-methods
Heather Vescent:  Question for manu: anything we can do to help
  with the did-core objection process?
<orie> /me this process seems to kinda not be working...
Manu Sporny:  We've met with the objectors, taken notes, written
  them detailed responses... i can't think of much more CCG members
  can do, particularly if they're not W3C members
  ... one thing that W3C members CAN do is ask as well for the
  timeline
Manu Sporny:  Definitely be polite and request timeline for the
  objection process (explaining that it's relevant to your
  organization's agenda and/or livelihood)
Heather Vescent:  Would it make sense for VCWG to come report to
  this group some time soon?
Manu Sporny:  I think probably not...
  ... unless people really want an update or have specific
  questions or issues they'd like to discuss with the whole CCG?
Heather Vescent:  Calendar for rest of year: 7dec - vc.edu update
  (and new cochairs?); 14dec - mprorock session, rest of dec-
  winter break
  ... anyone running task forces on CCG calendar, feel free to
  cancel meetings on CCG list and i'll update the calendar
  accordingly
<heather_vescent> New proposed work item:
  https://github.com/w3c-ccg/community/issues/218
Manu Sporny:  Update on mDL-VC vocab work item proposal
Manu Sporny: http://w3id.org/vdl/interop-reports
<juancaballero> manu: convergence discussion has felt a little
  unmoored so some of us (db, mattr, spruce) worked together to
  make a strawman and internal interop test to see if a 1:1 mapping
  of mdl --> VC could work as a LD vocab for VCs
Adrian: wondering about revocation convo in SMART healthcard
  discussion?
<manu_sporny> /me bites his tongue. :P
  ... lessons to be had there?
<orie> does Smart Health Cards even support revocation?
<orie> I am not sure.
<manu_sporny> /me Not because Adrian's questions wasn't good...
  but because we warned them about the problem and they chose to
  ignore it.

Topic: Mobile Drivers License: Andrew Hughes

<cel> Refresh
< Screensharing hiccup >
Andrew Hughes:

https://docs.google.com/presentation/d/1xDoDIIQbmbGPjMj_xAFHsT1_RhRigs129hg7CygR8e4/edit?usp=sharing
<mprorock> permissions issue
<heather_vescent> Thanks Andrew and Manu!
Andrew Hughes:  Shareable version of slides forthcoming for the
  minutes
  ... and apologies for technical difficulties
  ... Long time since CCG, lead of identity standards team at
  Ping Identity; before that was identity standards lead at Idemia,
  which specializes in many identity products and flows
  ... I am trying to be a clear channel for information on the
  mDL
  ... (within bounds-- I can't share the specification itself,
  for example)
  ... i won't go through each slide 1 by 1 (this a longer
  slidedeck from IIW)
  ... and important disclaimer: I am presenting on my own
  behalf, not that of my employer
  ... Sept 2021 - 128013-5 (part 5) published, which covers
  connect, exchange, verify flow over specific set of transports
  (QR, NFC, BLE, Wifi aware)
  ... related standards: ISO 23220 pts 1-5 ->building blocks for
  mobile eID apps (which 18013-5 relies on... "backfill" order of
  operations is hard)
  ... 18013-6 test methods
  ... 18013-7 "day 2" topics - holder/prover authN, "verification
  without the verifier" (??), verification over the internet
<heather_vescent> Adrian, can we take your question at the end
  when we have others on the queue?
Andrew Hughes:  Requests and responses (protocol work)
<adrian> sure
  ... sidenote: uL presented on this to CCG in detail
  ... multiple documents and namespaces allowed in a single
  request/response
  ... but mDL (18013-5) is one such document type and namespace
  ... (for the international DLs); AMVA has added an additional
  namespace for state-level data models/overlays
<heather_vescent> Adrian, can you mute yourself please?
  ... s/AMVA/AAMVA/*
Andrew Hughes:  Although there are many private and state-level
  stakeholders, decision process has largely focused on NATIONAL
  scale
  ... motivations (IMHO and not my employers')
  ... issuer-centric (i.e. state drivers' bureaus); issuance
  definition deferred
  ... identification document was a secondary consideration,
  which happened in a later stage of the design after core drivers'
  licensing use-cases were fleshed out
Andrew Hughes:  Contextualizing the adoption path and likely
  future of the spec: too issuer-centric to get widespread private
  sector uptake; not web-native enough to get widespread web
  uptake; co-existence with more web-native standards like VC seems
  a realistic hope to hold, imho
Andrew Hughes:  Random addenda: android working on "identity
  credential API"; apple actively working on native mDL/mDocs
  support in Apple Wallet; AAMVA and international corollaries are
  making swift progress specifying trust frameworks (modelled on
  ICAO master CA list) for production-ready issuance infra a few
  years down the road
Andrew Hughes:  MDL app scope: data model/data shape sketch
Andrew Hughes:  Layering diagram
Andrew Hughes:  Flow overview: 1 device engagement (handshake), 2
  data retrieval (verifier scans holder's QR code with authorized
  reader hardware)
  ... "reverse engagement" still being discussed in ISO WG
Andrew Hughes:  MDL flow chart schematic
Andrew Hughes:  Security goals
Andrew Hughes:  Data elements: not ideal, there's some awkward
  stuff made to keep verifier from having to trust ANY compution on
  device (nothing like predicates-- data queries flattened into
  static values)
Andrew Hughes:  Session data is all in CBOR
  ... it keeps me up at night
Andrew Hughes:  Data integrity - a very hard problem, i hope the
  vocab work item group can make some progress on this
  ... namely, the Mobile Security Object sent as a whole in all
  protocols
Andrew Hughes:  Certificates - ICAO
Andrew Hughes:  What is not in 18013-5
  ... scope was limited so that a "day1" could be published, lots
  of this stuff was left out for this tactic
Adrian: My question goes back to the very beginning: wallet focus
  for in-person, but everything else is in day2? could someone like
  me who participates in W3C or IETF participate in the ISO?
  ... perhaps this is leverage for us to intervene in day 2?
<mprorock> that is honestly totally unrealistic - ISO is where
  this will stay, and from a US standpoint NIST is the path
Andrew Hughes:  TBH it's quite unlikely that the ISO group would
  take substantial feedback from CCG, or W3C, or anywhere else;
  front door is ISO via ANSI or your national body
  ... I have no good answer; it is what it is, all I can do is
  volunteer to relay some signals from outside
<mprorock> Join ISO, or work through NIST - open comms and
  practical implementable examples, etc
Heather Vescent:  Is there a vice-versa? Any way we can send
  someone to the ISO WG?
Andrew Hughes:  Invited guests can come to meetings and speak
  ... there are people in the decentralized id/VC world at the
  table already, i'm hardly the only one
  ... I personally look forward to seeing the work put together
  by DB, Mattr and Spruce, and I think implementable, tested code
  is the strongest inticement to invite guests
  ... The conversation is ongoing with many stakeholders, and all
  of the member orgs are contributing to expanding the scope and
  bringing in input from the market and the communities we know
Manu Sporny:  Thank you so much for taking the initiative and
  donating your time here. you mentioned the "MSO" object and how
  it fits-- i have no easy answer
  ... there are ways to make it work, but it would require
  cooperation/dialogue with the mDocs implementers
  ... which can be quite hard to have from outside the ISO WG and
  its IPR perimeter
Andrew Hughes:  Anyone who wants to talk about implementation
  details, feel free to reach out, those implementers aren't
  completely closed off to dialogue, although it might need to be
  indirect and definitely wouldn't happen at WG meetings proper
Manu Sporny:  What is the best way for us to engage? What we've
  been doing doesn't seem to be working
  ... the WG was listed as an official liaison in the VCWG
  chartering process, and there was essentially no interaction
  until very recently
  ... I would imagine we're going to continue that activity as
  much as we can
  ... and of course we'll continue this VC vocab work in the open
  so that people can engage at least on our side of the
  conversation
  ... and the work-item team, all W3C members, could take the
  conversation via W3C liaison channels?
Andrew Hughes:  ISO works on "paper, in-person meetings, and
  formality" - liaison officers are the formal channel for these
  kinds of inputs.  I am such a liaison and there are others as
  well, I will look into seeing if anyone else wants to be
  designated for this
<mprorock> @andrew - would love to have that discussion re
  liaison - can you fire an email to the chairs on that topic?
Heather Vescent: +1 Mprorock
  ... a test suite and interop artefacts are always a welcome
  conversation-starter
<heather_vescent> "we all win together when the specs work
  together" Love it!
  ... when the specs work as broadly as possible and as
  designed/imagined, this convo is easier to have
  ... and if there are use-cases or formats or transports needed
  for the mDL to be useful in the world, that's another good inroad
  to conversation
<juan_caballero_(spruce)> thanks andrew! great stuff
<kerri_lemoie> Thank you!
<cel> thanks

-- 
Heather Vescent <http://www.heathervescent.com/>
Co-Chair, Credentials Community Group @W3C
<https://www.w3.org/community/credentials/>
President, The Purple Tornado, Inc <https://thepurpletornado.com/>
Author, The Secret of Spies <https://amzn.to/2GfJpXH>
Author, The Cyber Attack Survival Manual
<https://www.amazon.com/Cyber-Attack-Survival-Manual-Apocalypse/dp/1681886545/>
Author, A Comprehensive Guide to Self Sovereign Identity
<https://ssiscoop.com/>

@heathervescent <https://twitter.com/heathervescent> | Film Futures
<https://vimeo.com/heathervescent> | Medium
<https://medium.com/@heathervescent/> | LinkedIn
<https://www.linkedin.com/in/heathervescent/> | Future of Security Updates
<https://app.convertkit.com/landing_pages/325779/>

Received on Monday, 20 December 2021 19:21:06 UTC