- From: CCG Minutes Bot <minutes@w3c-ccg.org>
- Date: Wed, 07 Dec 2022 09:52:32 +0000
Thanks to Our Robot Overlords for scribing this week! The transcript for the call is now available here: https://w3c-ccg.github.io/meetings/2022-12-06/ Full text of the discussion follows for W3C archival purposes. Audio of the meeting is available at the following location: https://w3c-ccg.github.io/meetings/2022-12-06/audio.ogg ---------------------------------------------------------------- W3C CCG Weekly Teleconference Transcript for 2022-12-06 Agenda: https://www.w3.org/Search/Mail/Public/advanced_search?hdr-1-name=subject&hdr-1-query=%5BAGENDA&period_month=Dec&period_year=2022&index-grp=Public__FULL&index-type=t&type-index=public-credentials&resultsperpage=20&sortby=date Topics: 1. Introductions and Reintroductions 2. Announcements 3. Use of VCs and DIDs in Government Organizer: Mike Prorock, Kimberly Linson, Harrison Tang Scribe: Our Robot Overlords Present: Harrison Tang, Anil John, David Mason, Mike Prorock, Greg Bernstein, Jeff O - HumanOS, Adrian Gropper, TallTed // Ted Thibodeau (he/him) (OpenLinkSw.com), Phil L (P1), Marty Reed, Manu Sporny, Gilad Rosner, Will, David Chadwick, Kimberly Linson, Leo, Erica Connell, Dmitri Zagidulin, Tim Bouma, Lucy Yang, Phil Long, Jack, Joe Andrieu, Brian Richter, Mateusz Lapsa-Malawski, Drummond Reed, Steve Magennis, Andrew Whitehead, Ericko Deleon, Gerard Iervolino, John Kuo, Ben (Transmute), Orie Steele, Kaliya Young, Keith Kowal, Kerri Lemoie, Tomislav Markovski, Geun-Hyung Kim, David I. Lehn, Juan Caballero, EDeleon, Leon Acreditta, John Henderson, James Chartrand, Leon, Ted Thibodeau, . Our Robot Overlords are scribing. Mike Prorock: https://lists.w3.org/Archives/Public/public-credentials/2022Dec/0000.html Mike Prorock: https://www.w3.org/Consortium/cepc/ Mike Prorock: Hello all and welcome to the weekly Community credentials Group. It is great to have everyone today we are going to be talking about the use of verifiable credentials and decentralized identifiers in government thanks to Anil John and just a quick note first two things one is that this meeting as with all meetings at w3c is covered under the code of ethics and professiona. Mike Prorock: Professional conduct a link to which I have. Mike Prorock: https://www.w3.org/community/credentials/join Mike Prorock: Put in the chat here and while this meeting is open to the public and totally all fair game and feel free to participate all you want if you are participating on any you know actual technical work items or contributing in any significant capacity to work items you must be a member of the community credentials group and I put a link to join that as well largely for Ipr reasons just to make sure that you know we don't get saddled with something. Mike Prorock: That's copyrighted or patented so on. Mike Prorock: https://w3c-ccg.github.io/meetings/ <mprorock> In IRC type “q+” to add yourself to the queue, with an optional Mike Prorock: This meeting is being recorded and will go out to our meetings page along with all the other ones we are finally I think getting caught up on all of our transcripts and backlogs cetera and just a quick note that while we do conduct this meeting by voice we do use the jitsi chat or IRC so the chat box there to manage queuing so I think this is tied to the raise hand function as well. Mike Prorock: Now it does seem to be working that way. Mike Prorock: But you can also just type Q followed by plus into the chat and we'll add yourself to the queue and Q- cetera that and then at that point the moderator of the meeting in this case me will go ahead and call on you when there's a good break in the conversation etcetera that do be aware that we you know just be respectful of time if you see a bunch of people stacked on the Queue let's make sure everyone gets a chance to ask their questions etcetera I'm going to pause here for. Mike Prorock: Any introductions and reintroductions is there anyone new to the meeting. Mike Prorock: That has not been on before or who has changed roles that would like to let us know about their role change. Topic: Introductions and Reintroductions Gilad_Rosner: Hello my name is gilad Rosner I've been historically a researcher and consultant in the space of digital identity and privacy and information policy and recently I joined a consultancy called luminol strategy partners that focuses on digital identity and a range of related topics and I'm particularly interested in the verifiable credentials standards work and. Gilad_Rosner: use cases and applications. Mike Prorock: Awesome great to have you and feel free to join the ccg proper if you have not already otherwise just feel free to hop into these meetings and everyone here is pretty friendly and the mailing list is reasonably active so great to have you. Gilad_Rosner: Thank you thank you very much. Mike Prorock: Any other introductions or anyone new. Mateusz Lapsa-Malawski: Hi, I think I should introduce myself. I’m Mateusz Lapsa-Malawski. I work on the part of the team in on gov.uk. One log in and we do use VCs a lot. Yeah they’re awesome. Mike Prorock: Excellent any other new intros here. Topic: Announcements Mike Prorock: All right cool with that quick check for any announcements or reminders for the community. Mike Prorock: And mr. Manu. Manu Sporny: Hey Mike yeah a couple of announcements the first one is as many of you know the World Wide Web Consortium is going through the legal entity transition this month and next month and that means that it is going to be a very busy time for people in management at w3c and chartering and all that kind of stuff all that to say that we do not expect any new. Manu Sporny: T' any new. <mprorock> understatement of cenury Manu Sporny: Anything to happen at w3c in December and January other than making sure that the legal entity makes the transition successfully and and all that kind of the century stuff so that's the first kind of level setting thing that means more than likely that new work or work transitioned into verifiable credentials working group is going to be delayed that probably also means discussions around the verifiable credential api. <drummond> Will the transition have any effect on community groups like CCG? <mprorock> @drummond - CCG will be unaffected unless there is anything that needs to go back to staff Manu Sporny: And the questions around you know whether the charter allows that or whether we need to recharter or any of that stuff now is probably not a good time to pursue that because of the larger existential thing that's going on at w3c so I think we can expect to see a bit of a pause in you know work transitioning new work being picked up you know in vcwg this is just me speaking as an individual but that. Manu Sporny: That is kind of what I'm. <drummond> Thanks Mike Manu Sporny: I'm seeing however work on things like crypto suites works on the verifiable credential API will continue in the credentials community group so today we are starting up our meetings again on verifiable credential API we will continue to process issues in and work on that specification as many of you know we have 17 implementations. Manu Sporny: Of of. Manu Sporny: Various aspects of the verifiable credentials API thanks to the jobs for the future plugfest and so we're going to continue moving forward with that specification in crypto suites that are associated with some of the work that happened at JFF plugfest too. Manu Sporny: The last announcement is that there is going there's planning think planning is in in motion to have a face-to-face meeting for verifiable credentials working group early next year so just a heads up to those of you that might be interested in participating there that there is a plan there are plans of a US based face-to-face meeting early next year for verifiable credentials. Manu Sporny: That's it. Mike Prorock: Yeah thanks Manu I 100% concur with everything you said and I did want to note something that I did note to Drummond in the chat which is ccg should be basically unaffected so if you got new work you want to start on feel free to you know open an issue get the work item process started etcetera just be aware if there is something for some reason that has to go back to staff like things that are transitioning into working groups those are the things that will likely be delayed the other note before I call on Lucy here. Mike Prorock: Is that I with that transition there are two important. Mike Prorock: Things going on right now at w3c proper one is an election for a couple of open seats on the tags the technical architecture group as well as on The Advisory board so if you are an AC rep or if you're a member organization AC rep has not voted please do poke them and make sure that they get their votes in on that because it is an interesting time period from a transition standpoint the board has their hands full a number of the. Mike Prorock: Current members of the new board of. Mike Prorock: Directors has shifted over from ab so there are seats available on the AB and those do need to be backfilled so Lucy I see you on the queue. Lucy Yang: Thanks Michael can you hear me fine. Lucy Yang: Okay great thank you so I just want to share an update a few I think a few months ago I believe that Kaliya shared about on our project. <> mDL project open letter https://medium.com/@identitywoman-in-business/where-can-the-w3c-vcs-meet-the-iso-18013-5-mdl-b2d450bb19f8?source=friends_link&sk=8b30d2654a0692a5f471ff2da15bb0fa <drummond> It is a great paper, very nicely done. Lucy Yang: ….. Happened to protect so I want to share a link so in case you haven't read it yet so it's a friend a friend link so you know it will don't have to go through the pay wall of medium and and like the main findings from from our first phase of this community engagement projects pretty much we realize there are how Market are I can have better perspective or how Market are seeing kind of calm weather the conflicts where are the alignment between the standard to. Lucy Yang: Two standards and also we Define like the marketing in more like less. Lucy Yang: Two separate standards as we know many of us who are deep in standard world see but more like a how standards can work together to provide them a complete and end-to-end solutions so I'm coming out of that kind of like an understanding so we proposed a more kind of less standard technology-driven the more kind of Market implementation driven analysis and also related efforts in the in the letter and and the goal and also be based. Lucy Yang: On that recommendation we're also I'm gauging interest for the potential next. Lucy Yang: Phase of the project and I think want to be clear at the goal of this like does next phase where the this project is to identify how. Lucy Yang: We're still how these two things Collide but more so like in the market less so probably at this point in the standard group because at least we can’t influence too much what is going on the Standard Group and eventually to achieve and I think three things we mentioned very clearly in the latter first thing is how we can help the market to develop an understanding of where each standards can provide unique values and then second for implementers to build on these standards with ease and then lastly and very very importantly for users. Lucy Yang: Like each individual like us to manage credentials you know build on those those. Lucy Yang: Standards was very good experience so I just wanted to share this and you know we have a sign up form in the letter so if you're interested in full in keep getting updates and potentially participating in the next phase you can sign up through the form and we'll keep you updated thank you. <bumblefudge> 👏 <anil_john_[us/dhs/svip]> What I took away from that paper is that any attempt to drive the primacy of one standard over the other will result in failure for both technical and structural issues. We need a third way! Mike Prorock: Awesome thank you so much Lucy really appreciate all yours and Kaliya’s hard work on that and obviously appreciate all the support from Wayne and Spruce on that as well I mean it's a very very important topic and we are glad to see y'all putting all the hard work into it because it's not fun and it takes work so really can't give enough big cheers so for starting to work on that. Mike Prorock: Yes I see I'm sure Anil will not. <drummond> Kudos to Spruce for sponsoring the project. Mike Prorock: Comment at all about this at all when we finally let him talk I think there is one last item just to touch base on which Jack if you're on I know you got a good pull request out would you mind sharing a link to that and getting visibility and from the community as well as an ask on feedback Etc on that. Jack: Hey sure. You want me to briefly introduce it right now, right? https://blog.tonomy.foundation/verifiable-credentials-with-provable-delegated-and-multi-sig-signatures-e46ca74d7d87 Mike Prorock: Yeah that'd be great just a quick intro and then a link to the pr so that folks can comment. Jack: Sure. So at the Autonomy Foundation, me and my colleagues Rebel have been working on an implementation using one of the verification method proof types.It's currently called verifiable conditions, and this is the W3C CCG standard we have since the last meeting updated the name to conditional proof. This is to have a less less of an acronym clash with verifiable credentials of VCs. So the first thing is that we have a PR, it's been approved by one of the other coauthors and ready to just have that name change done in your repositories. I think it also makes sense for you guys to update the repository slug as well. That's the first thing. And the second thing is we've actually implemented this condition, verifiable conditions that allows you to present delegated and multi-signature condition types inside a did document. And we've implemented a verifiable credentials library that allows you to assign verifiable credentials with multiple or delegated signatures or combinations of the two. And it uses this verified verification method standard to prove that the condition was met. So I've just shared two links. The first is a blog article that introduces the bigger scope of work having verifiable, verifiable credentials with multi-signature and delegated signatures. So that gives an overview. I think this is a this work we've done from the Decentralized Identity Foundation repositories and we've now got the links to our work there with the pull requests to a branch to represent upstream. So you can see exactly what we've done on those repositories. We haven't got a a pull request to the upstream branches yet. I think it'd be great for the community to start understanding what this standard looks like and having a more in-depth discussion probably at a later call. The second link I have there is the link to the pull request on the Verifiable conditions W3C ccg repo which we would like approved. <kaliya_identitywoman> We are looking towards Phase 2 and open to talking to companies who want to support it. Mike Prorock: https://github.com/w3c-ccg/verifiable-conditions/pull/10 <manu_sporny> This is really interesting/exciting work -- I have concerns (of course), but really leveraging the power of what we've created here at CCG. <manu_sporny> ... and in a way that's pleasantly new -- breath of fresh air. Mike Prorock: Awesome and I move you're an editor on that work item so obviously you contributing that is good I think Marcus and or I forget who the other kind of core admin is on that looks like maybe Casper so at any point obviously just poke Marcus Etc as long as you know it's Purge I think you're fine so appreciate the hard work on this so. <bumblefudge> 💪 <kaliya_identitywoman> can whoever has the background noise mute <harrison_tang> Thanks, Jack! Jack: Thanks and looking forward to some feedback and people to get excited about multi several multi-signature VCs in the like Mike Prorock: Awesome cool sounds good well thanks so much again and with that let me just quick double check I think that is the last any any kind of final announcements or anything we missed here before we turn it over to Anil. Kaliya Young: I'll share that we are working on an event inspired by IIW happening in apac in Thailand specificaly so apac digital identity unconference and our dates for that are March 1 to 3 it's March 1 being an evening welcome reception two days of unconference in Bangkok so if you are in apac we invite you. Kaliya Young: If you have colleagues who are. <drummond> Link? Kaliya Young: Based in that region that you'd like to participate in a community event similar to IIW but centered around back and the community there I am sharing a save the date Drummond there isn't a link yet but it will be coming and as soon as it available I'll post it to the list. Mike Prorock: Thank you Kaliya cool well with that mr. Anil John I'm going to hand the ball to you to kick us off and talk about the topic for the day. Anil John: So Mike I have sort of a open-ended thing right so I will simply know that it's going to be a stream of consciousness forgive me but I'd rather you know have questions you know from the members here more than anything else and part of it is also I just got back from spending a week combination of London meeting with the the UK government folks as well as the European Commission. Anil John: As well as obviously attending along with Kaliya. Topic: Use of VCs and DIDs in Government Anil John: And some of the other members here the ease of slabs final event in Brussels as well so a little bit of pieces all over the place but I will simply start since Kaliya spoke recently I was simply felt that I had one of the strangest conversations that I have ever had in the in my government career this morning whereby it seems like one of the one of the one of the leaders of our office of biometric identity management open. Anil John: Attended the last IIw and was. Anil John: Incredibly became incredibly was enthusiastic about the you know the the conversations that they had and ended up talking to them about you know what they wanted to do in order to engage the community a whole lot more so I just found that it is rare when people who are sort of very much in the government space engage with communities like IIW and realize there is a broader. Anil John: Ecosystem that has a very interesting and diverse. Anil John: Viewpoint and it's even rarer when they recognize that there is incredible amount of value in engaging with them to understand the perspectives of not just the large technology vendors but the actual in the the people who actually end up being on the recipient and the use of the technology so I think whatever you guys did at the last iiw to engage with them please keep doing more of that because that was that was a refreshing engagement on. Anil John: My side so just want to let you know that separately. Anil John: Like I said I like I said I had a set of conversations that I had when I was in in Europe last week and what I'll do is I'll at least share the perspective that I was taking with me into those conversation even if I will defer from sharing what the response from the counterparty organizations were right I want to be respectful of their position but at least. Anil John: I’ll sort of articulate some of the conversation. <davidc> Apologies Anil Anil John: That that we brought to the table in in in doing that and I know that there are people from the European Union companies from there on the table and by the way I was hoping that I would actually run into David Chadwick in person and I did not I was I regret that in some ways because I thought that he was part of the ISA flab in Atkins group as well but hopefully one of these days we will in a meet up in person one of these days as well but. Anil John: Separately first and foremost it is. <davidc> I am currently in Spain Anil John: Interesting to engage with the startup community and the Innovative community in Europe and realize that for them blockchain is not a dirty word right so I think it was it was interesting for me in that realizing for them that is probably in some way shape or the EU perspective on you know ensuring a you know a competitive ecosystem and probably the you know. Anil John: The alignment of the philosophy around. Anil John: The blockchain technology more than anything else but as it relates to the verifiable credential and the decentralised identity Community are one recommendation that I would absolutely have regarding that is to engage actually with the EU’s EBCI initiative which is the European blockchain something in I forget the last two words that goes with the acronym primarily because they what. Anil John: I took away from the conversations with them in some of the questions. Anil John: I had with them is they are suffering from the same branding challenge that I have on the Silicon Valley Innovation program like my program is called the Silicon Valley Innovation program but majority of our companies from outside the valley and we fund companies you know globally as well so Silicon Valley tends to be a branding for us and for them I think when they started obviously blockchain technology was the globally visible bright and shiny objects so they basically use that but when you talk to. Anil John: To them what you realize is that. Anil John: They sort of evolved with the times and they're very much champions of using verifiable credentials and decentralised identifiers in the broader ecosystem and when they think about quote-unquote blockchain they sort of look at it as a resilient content distribution Network for metadata and not for anything else so I think there is value in this community sort of putting aside there you know in some ways they are instinctive aversion to. Anil John: The term blockchain and engaging with them because there are actually doing some. Anil John: Interesting work there that's worth while to sort of understand and I think you will find you know them to be receptive to what we are doing in this ecosystem as well right so separately the from the from the government perspective there were a couple of things that I sort of in it took as on behalf of my partners and the work that we're doing whether it is. Anil John: Is USCI or OCB. Anil John: Our office of privacy there right and one of them was very simple right I think I think there was a public announcement just recently that the European Union has actually awarded the contract the European commission has awarded the contract for the development of the EU d i European digital identity wallet to a to a combination of companies hang on for just one second. Anil John: And you know not. Anil John: Somebody that I. Anil John: I normally interact with a net company intro self-intro soft and get Tails ab I'm sure I'm angle the pronunciation of the last one the last one is important because they are a company that is that obviously spends a lot of work in the mobile driver's license space in fact an old friend of mine Jeff Schlegel who used to be the head of identity management at AAMVA is actually works for them there as well so. Anil John: You know they are they are obviously in a remarkably competent company. Anil John: It's going to be interesting in that where they sort of take it and will be obviously given their background and mdl in the support for the iso mdl standard is going to be I'm sure something that they're going to be putting into place my sense in the variety of conversations that I had was there is a significant amount of EU member states who are also interested in verifiable credentials and dids as well so I would not be surprised if there is a broader acceptance for the standards more than anything else there. Anil John: From from the from the messages and the conversation that I was conveying. Anil John: In this was something along this line right so I think as a sovereign talking to another Sovereign we fully recognize that the European Union and the member states have actually have full remedy over how they want to conduct their business when it comes to the identity and the digital wallet piece of it and obviously the policies that they're putting into place regarding you know who is authoritative how they determine whose authoritative and things like that. Anil John: That are obviously. Anil John: That is fully under their remit and in at their decision to do I think the question that I sort of asked them was two layers down at the end of the road one of the work streams that we have is with US citizenship and immigration service that we are in the business of issuing high-value digital immigration credentials to people who are citizens of other countries and one of the questions. Anil John: That and. Anil John: One of the things. Anil John: That we sort of opened the door for is twofold one of them is I think USCIs I think they felt about this publicly so I'm not sharing anything magical secret they are absolutely interested in working with other jurisdictions in order to consume their digital credentials as part of the adjudication process of granting somebody a benefit you know a benefit being a permanent resident card or a you know immigration other types of immigration document of things like that so there was. Anil John: A question that I asked on behalf of my partner's about. Anil John: We believe this is a value to your citizens in order to make their life easier would there be any opportunity to work together on that there was also a separate question that we asked as well and that was very simple we are going down the path with the USCIS in for lack of a better word bring your own did bring your own wallet to our front door approach right that basically means that we are not going to basically you know push. Anil John: You know USCIS or DHS or the US government as of right now. Anil John: Have no. Anil John: Plans to basically build a wallet for government that will be deployed to the community in general our desire is to basically Leverage The broader ecosystem in order to do that having said that the European Union has obviously made very clear that they are give me just one second. Anil John: That they are going down the path of obviously ensuring that every EU citizen would have a digital wallet of their own so one of the questions that we asked was we would love a future where a European citizen with the EU member state issued digital wallet has the ability to come to a USCIS infrastructure and be able to actually receive a digital immigration credentials form. Anil John: Us rather than them having to find some other approved wallet. Anil John: In order to get to that point obviously that has to be some conversation about you know is there a common equivalency between the security privacy and interoperability aspects of the wallet on a so that we can all you know build on the same common foundation and the question that was being that that we asked was is that an interest in doing so right so that's like I said I want to be transparent from at least from our perspective on what the questions that we were asking were so that. Anil John: Is one the second one obviously we saw on the other trade side obviously global trade is a. Anil John: Big deal for us and one of the other work streams that we have is the digitization of trade documents whether it is for agriculture or oil and natural gas steel e-commerce Imports into the us and we are also going down the path for our trusted Trader program potentially to be issuing credentials to our exporters with mutual recognition by other counterparties as well so the question is you know we are interested in this. Anil John: Global trade is obviously a mutual interest to all of it is there interesting on working together. Anil John: On this and so those are some of the questions that we were asking and last but not least separately on the svip side we are actually a currently you know having discussions with our you know DHS office of privacy potentially around a future time frame to be determined specifics to be determined around a. Anil John: A open solicitation around privacy. Anil John: Enhancing Technologies which is I think a something of great interest to a variety of communities are both on the private sector side and on the public sector side in general I want to be very clear that when we talk about privacy and talented Technologies we often run into what some of my colleagues called the Privacy industrial complex which is a way of describing people who would love to. Anil John: To look at a problem admire it from. Anil John: 15 Different directions articulate how wonderful and beautiful the problem is then ask for funding to admire it some more which is not what we want for a sort of cetacean to SVIP we're looking for something that is very very near term and useful across a broader community and is there an opportunity to sort of ensure that any type of solution obviously is interoperable on a global basis so that's. Anil John: That's my one thing to the community in general Anil John: I'm really interested in getting your perspective on on the Privacy side of the house what are some perhaps tractable problems that you see that people are not addressing in any way shape or form and not you know magical you know homomorphic encryption zero knowledge proof-y kind of thing is where there's a whole bunch of other things that come along for the ride as well really I'm happy to you know happy to get the feedback from the community again. Anil John: Mike I think that's like sort of the the random bit of conversations. Anil John: On the government perspective both in the public and the private sector I'd rather take questions and sort of answer everything else. Mike Prorock: You know that was awesome and on the Privacy side I mean I'll just chip in something that you know we're dealing with obviously which is privacy around machine learning data especially as we're looking at things like you know debts passage retrieval and sparse indexing and things like well it's powering chechi BT and a whole bunch of other systems we've been layering in models to try to. Mike Prorock: To intersect and prevent that. Mike Prorock: Data that could be identifying an individual before it even gets into the system but there's no standardized way of approaching this or way of dealing with those that might be the web ml group over here at w3c it might be somewhere else I don't know but that's an area that's very that you do is very nebulous and is very problematic across the industry and all I see is a bunch of hand waving around and saying bias bad privacy data you know you know pii bad but no real practical like well let's all agree on a way to go. Mike Prorock: Take some concrete steps to solve it. Mike Prorock: But I mean do you have any thoughts on that side of it. Mike Prorock: Yeah I know great yeah. Anil John: I do and I agree with you in a from that perspective also again that is not really my swim Lane more than anything else so anything that I say can be is either going to be incomplete or misconstrued so I'd rather provide you the feedback directly rather than publicly because I know I will get wrong and I'd rather be corrected more than anything else I would also note that one of the things that I've. Anil John: I've spent in my. Anil John: Rd days was around the fact that it is very hard for a government organization in order to provide training data to somebody that we're working with it simply you know it's not a path to success right so I spend a lot of time in basically trying to generate synthetic data that is actually really modeled to the greatest extent on how real data looks and I'm not sure how much work is being done in order to sort of understand the Fidelity of the. Anil John: Data because fundamentally. Anil John: I do not believe in Deanonymizing Technologies. Right so so so I believe that they are you know they're snake oil and so we need a better approach to you know it training that training information and things like that the the other piece that I think that you know I'm sort of struggling with this basically we selective disclosure is something that is incredibly important. Anil John: To the people that I'm working with. Anil John: And the technology that we're looking at whether it is BBS signatures or some other scheme and what I don't see is a path to ensuring that selective disclosure capabilities can be implemented using Quantum safe cryptography so really really interested in that aspect of it and if people have have a sense of where who is thinking about it what they're doing with it I would love to learn a little bit more and pick their brains and things like that. Anil John: And it. Mike Prorock: Yeah and and and Tobias and I have been having that conversation a lot the only folks I know who are looking at that in any serious way right now is IBM research I've been yeah so and I can obviously make some intros over there but to date that's the only folks that are seriously hammering that side of selective disclosure and potential approaches but it's early right it's moved I mean it's like 2-3 years into like hard testing on some stuff but that's. Mike Prorock: Early in cryptography right so Manu. Manu Sporny: Yeah thanks Mike and good to good to hear your voice Anil so I've got a question it's on the selective disclosure thing right because this was a question that was raised by a number of people that are operating out of the EU and hoping to discuss you know deploy verifiable credentials and they basically said you know why is BBS plus the only selective disclosure mechanism that's being looked at you know why are. Manu Sporny: There not other mechanisms. <mprorock> SD_JWT with dilithium? <orie> There are a few lattice based systems for ZKP being developed, but I am not aware of any that have made their way to IETF CFRG yet. Manu Sporny: Being looked at now there is work and in SD jot but I would I would say that you know the community in general seems to be targeting BBS plus as the selective disclosure plus unlinkable signature mechanism and it seems that the E some of the folks in the EU are saying no that's not good enough because what we what we actually need is we need. Manu Sporny: Need nist approved cryptography. Manu Sporny: So the plain old vanilla stuff that's been used for 20 plus years but we need a Selective disclosure mechanism there and what I've noticed is that the second we start hinting that we're going to work on something like that something like SD jot you get people that push back and say oh no no no you shouldn't do that because you you get traceability with that type of selective disclosure and so you should be doing something more akin to CL signatures. Manu Sporny: Or BBS + so I think one of. Manu Sporny: The traps we're in right now is we're stuck between a rock and a hard place where we have the EU saying you will do selective disclosure but not being very specific about what they mean as far as I know and you've got you know people that are really pushing the unlinkability stuff going you should not do selective disclosure unless you also do unlinkability and if you work on something that's not that expect to be attacked. Manu Sporny: Right I mean it. Manu Sporny: Expect to have the Privacy you know quote-unquote Defenders of privacy come after you because you're providing a mechanism that allows you know tracking of individuals so what I'm wanting Anil I'm wondering if you found out anything about kind of this this line of thinking out of the EU and your meetings last week with them and I'm wondering if there's anyone you know from the EU that's been looking at those regulations a bit more closely. Manu Sporny: That is reading something different. Manu Sporny: Out of that requirement that's it. Anil John: So Manu I'll be blind in saying that I don't think we got into that level of looking under In The Weeds on this one right I would simply note The Selective disclosure is important capability for us simply because in the predicate proofs and implementations of it I've learned you know pretty painfully in past lives that unless there is a liability model around when things go wrong wrapped around it and no technology vendor. Anil John: Seems to be want to be hold themselves liable for that beautiful map. Anil John: You know and no line party will actually believe that so for us selective disclosure is important you know the there was a receptiveness to ensuring that the quantum safe signature Quantum safe implementation of selective disclosure is something that is worthwhile you know you know got positive reception to that in a particular conversational thread but I have I didn't really go down to that level of detail on nuance. Anil John: In the policy so couldn’t. Anil John: Give you a good answer there. Mike Prorock: Anil kind of following on to that I mean would you have any opposition to use of like SD JWT now that it's been getting significantly streamlined and improved with like dilithium and or P 256 or something like that as mechanisms to provide that in a hypnotist compliant manner. <orie> Nice dodge :) Mike Prorock: https://github.com/OR13/draft-osteele-vc-jose Anil John: Mr. Prorock are you trying to like walk me into a corner at this point so show me how they can work with semantically aware Json linked data structure json-ld based credential format so I would simply note that you know it is it is it is going to be so so I got asked this question publicly by I think Paul knows I know that he he participates here as well. Anil John: Also about the. <mprorock> rather, https://or13.github.io/draft-osteele-vc-jose/ <orie> Thats an older link, here are the newer ones Anil John: The current shall we say interesting discussions around add contacts and things like that which I basically said that I would not engage on in general I would simply note that some of the arguments from as a end user and a of a technology what I will convey from from from the usage of this technology within the context of both. Anil John: USCIS and US customs. <mprorock> and from orie - more up to date https://transmute-industries.github.io/vc-jws/ Anil John: Is that you know verifiable credentials and digitally signed at the stations are a piece of the puzzle and piece of the business process that they look at on the CBP side in order to determine whether Goods coming into the country are something that they can allow in whether they will stop or they want to learn more about and for us the semantic overlay to Json a a json-ld. Anil John: Is basically something that is. <drummond> CBP essentially has no need for selective disclosure. Anil John: Important to us to do the analysis on the data that is coming in so it is not about making life easier for developers or harder for developers or the like it is about actually solving a business problem on our send and we need that data to actually be commonly understood on both sides of the wire so from my perspective you know feel free to have the conversations that you guys need to have. Anil John: Have from a technical implementation perspective but. <mprorock> @drummond - i think that is incorrect Anil John: Do make sure that your conversations are also going down the path of actually solving the problems of end customers and not making it easy just for selling product right so. Mike Prorock: Yeah no fully agree and I think you're getting in something important which is those semantics are really important for machine learning side Orie I see you on the queue. Orie Steele: Yeah I was just queued to to comment on some of what's there's a lot of topics coming here which it's their frustratingly all tangled together the comment that I'm queued to make is that post Quantum resiliency is something that benefits all higher order schemes and envelope formats and so I think it is a mistake to conflate benefits of a new. Orie Steele: New system with fundamental. Mike Prorock: +1 Orie Orie Steele: New cryptography and I like to have nice clean layers where I can add Quantum resilience to Json web signature and cozy sign 1 and then layer on top of Json Web signature and cozy sign one other higher order pieces and if you have to sort of buy into an entirely new envelope format to get a fundamentally new cryptographic benefit or primitive I think there's risks associated with that kind of. Orie Steele: Approach and it also it's less sort of helpful. Orie Steele: To the broader community that might already have built dependencies on Json Webb signature cozy sign one and so you know I think in terms of the post Quantum side I think we should be focused on making sure post Quantum is solved for in a generic Manner and in terms of the selective disclosure versus unlinkability comments I think there are problems with the approach when. Orie Steele: Adding those two. Orie Steele: Constraints together limits you essentially to you know one or two schemes and I think that the industry needs to solve for those problems with the appropriate layering so that there's enough cryptographic agility around unlinkability or Progressive or selective disclosure so that you're not committed to one cryptographic hardness problem in the unlikely event that that hardness problem ends up being not. Orie Steele: Not so hard that’s it. Anil John: Thank you Orie I actually wanted to answer the comment that actually Drummond made that CBP does not have a need for for Selective disclosure I would simply note that in an internal conversation that we were having with CBP I made the exact same comment Drummond and I was basically yelled at out of the room right and their comment very simply. Anil John: Was you know they. Anil John: It was this right so for the I will contrast the perspectives right USCIS considers selective disclosure for the credentials that issues to be incredibly important from a privacy and giving control to individuals in what they discussed your counterparty CBP on the others hand does not look at selective disclosure from a quote unquote in a privacy perspective they look at it. Anil John: Actually from a. <mprorock> "Need to Know" Anil John: Selective disclosure of business information that is relevant to CBP from the private sector so there's a whole bunch of information that are that is presented by trade to CBP that may or may not be relevant to the CBP from a from a business perspective and what they are asking for and giving the in a trade counterparties who interact with CBP using verifiable credentials based and decentralised identifier. Anil John: Based you know digital documents. Anil John: And giving them the ability to selectively share only portions of that information with CBP is something that is really really of value to both the trading counterparties and to CBP so for them they don't look at it from the Privacy perspective but they do not look at it from The Selective disclosure of business perspective to CBP as as a use case there hopefully that was helpful. <drummond> Anil, that makes lots of sense. I stand corrected. Mike Prorock: Yeah and I'll add in an agricultural case that I'm just like very intimately familiar with like when you think about and this I think extends Beyond government right this is more just in general right if you think about like a health and safety inspection at a facility well the inspecting body may not may wish to reveal to someone purchasing from you know say a food processing facility you know Jam right so they I want to buy the strawberry jam well did they pass the health and safety inspections sure. Mike Prorock: Sure that party. Mike Prorock: Does not necessarily need to know all of the details or other suppliers that that you know sellers working from etcetera so there are a lot of selective disclosure use cases in trade Drummond so hey. Anil John: So I also want to move Beyond selective disclosure some of the other privacy pieces as well the one thing that I'll note and one of the things that we are very concerned about is basically informed consent and the implications to the Mosaic effect right so I think one of the challenges that I think that we Face particularly when you're actually providing a lot of agency and control to an individual. Anil John: And what they can basically selective diclose. Anil John: To a counterparty with consent is that over time cognitively you lose track of the amount of consent that you've given to a counterparty and over time that counterparty could actually build up a very good profile of you that you are based on the data that you shared with consent because you've actually lost track of the amount of consent that you given so you know consent management at scale revocation of. Anil John: Consent both from a UI from a larger cognitive. Anil John: Perspective feels like a problem space that we are not adequately addressing so I'm so it feels as though that is an area that we need to put some emphasis on and at that we need some Clear Solutions that are actually potentially you know integrated into whether it is a digital wallet or whether it is a issuer infrastructure or whether it is a verifier infrastructure I don't know I'm not sure where the right places are but that's also one of the other things that we are sort of thinking. Anil John: Over as being something that is very near-term and very real. <greg_bernstein> CDP? Manu Sporny: Yeah I wholeheartedly agree with that have no clear answers on the best way to approach that I do agree that it's probably a big area that this community as well as its you know Sister communities need to need to focus on I was going to ask a slightly different question or a concern right voice a concern and then ask a question of kind of. Manu Sporny: You as a. <mprorock> @Greg CBP - US Customs <tallted> CBP = U.S. Customs and Border Protection Manu Sporny: As someone that works for government Anil So as everyone has probably seen there's like this big rush to make wallets make digital wallets a thing right there's all this talk about digital wallet standardization and open source versus Open Standards and they all seem like they're on a collision course in 2023 there are various groups and companies that are saying that. Manu Sporny: They know what the Next Generation protocol is going to be or it’s going to be. <greg_bernstein> Thanks. My sister works for CBP... Manu Sporny: X and wallets are going to work exactly like Y and you know personally I think this is just all premature and grandstanding right but that is going to be what one of the big things that happens in 2023 you've got EU pushing out with this I mean they've allocated money to someone to build an open digital wallet there are as we saw in the jobs for the future plugfest. Manu Sporny: Multiple speaking wallets multiple different protocols with multiple different kind of wire level data formats that does not seem like it's going to be reconciled anytime soon some people are claiming that there will be one winner others are saying no we're looking at a multi-protocol multi-format future I'm wondering how you Anil and if you've had a chance to talk with anyone in the EU are going to navigate that kind of. Manu Sporny: Tumult in the in the ecosystem thoughts. Anil John: Always have a lot of thoughts on this in a primarily because I think the reality is that I think I think I think first of all let me just back up as a you know a two-lane constrained that I saw you know regarding the ongoing in a fascinating conversation around mdl versus and and it's very easy to say versus VC when the reality. Anil John: Of our identity ecosystem is we still. Anil John: Work with systems that use that dreaded wstr protocols we still work with systems that use some oh and we use obviously things like open ID connect and or as well so I do fully anticipate that going forward we absolutely will live in a multi-protocol multi credential format world the question and any desire by one community in order to sort of make the other community bend. Anil John: The knee is going to result in. <drummond> On the topic of W3C VC and ISO mDL, I know it was shared once, but I'm sharing the link to Kaliya and Lucy's excellent article again because it's advice is really spot on: https://medium.com/@identitywoman-in-business/where-can-the-w3c-vcs-meet-the-iso-18013-5-mdl-b2d450bb19f8 Anil John: Basically allergic reaction and a lack of a path to success right so I do think that we do need a better approach that recognizes the fact that basically the starting point for the mdl and the VCS were actually very different VCs were focused on presentation of credentials over the web mdl was focused on presentation of credentials in person and that specific choices were. Anil John: Made in order to enable that and now you sort. Anil John: Trying to you know conquer the world and we sort of need to find a way to sort of make sure that we have a path forward I do not know what the path forward is but I definitely resonated with Kaliya’s and and Lucy's in-depth research on a given that they actually spend the time to do the research and talk to a variety of people on that I do think that I want to be very clear at least my perspective of the. Anil John: The award that they everything. Anil John: Made is not for building a wallet for the EU it was for building for lack of a better word a reference implementation of a wallet that actually they're going to use to inform you know their policy on what standards to support what the scalability of that implementation are so if you actually look at the award and I'll actually you know try to put a link to the actual tender award piece. Anil John: You know somebody sent me a link to that actually. Anil John: You will notice that it is very much about a reference implementation so it's not a done deal it's a my sense of that is there's they're using that to make sure that the rubber actually meets the road on their policy right so and not trying to make sure that you have a policy without actually closing the loop with the technology implementation and they're using this tender as a mechanism to build and sort of figure out what is real what can be. Anil John: Supported so I think it is important for the. Anil John: Community in general to sort of ensure that feedback is provided to that effort so that it actually informs what the ultimate end state is beyond that obviously you know we're very interested in the work that we're doing in making sure that the at the end of the road we want to make it easy for our customers the citizens the immigrants are the people who actually consumed our credentials and to whom we issue our credentials. Anil John: Such that they can actually manage own and control. Anil John: Their interactions whether it is a private sector the public sector in a manner that is not that does that makes their life easier and they have confidence in the integrity and the privacy of the data that that is theirs to to begin with I don't have magical answers for you Manu other than I think it is really important for us to continue the conversation make sure that we bring the diversity of perspectives whether it is you know on. Anil John: Across jurisdictional level. Anil John: Or if it is from different communities together and any desire to play a zero-sum game is is fundamentally a bad strategy in the current ecosystem because it's not going to get you what you think you're going to get that's the best I can offer you at this point in time Manu. <manu_sporny> Very helpful, thank you! :) <drummond> Many thanks, Anil. <kimberly_wilson_linson> Thank you Anil! Mike Prorock: Awesome that was super helpful well I think we're kind of at time here unfortunately it's a great conversation Anil I really appreciate your time today as I'm sure many others do the and then just keep us posted obviously on the chair side if you have any other updates around things like profiles and other things that can be shared broader with the community to help provide implementation guidance etcetera so that we can all work with government systems and. Mike Prorock: Vice versa better and make our whole. Anil John: Yeah yeah I just want to be very clear right you know absolutely happy to do that for the primary reason from a self preservation perspective which is we do not want government bespoke only systems that work we work at scale globally and so anything that we can do in order to make sure that we do it but we are also going to be very mindful of desires to. Anil John: Sort of you know. Anil John: In order to create the rails that sort of limit competition and limit choice so that's something that we're going to be watching as we obviously ensure that whatever we are we're supporting is moving down the the very visible and open ecosystem in a side of the house here. <bumblefudge> 💖 <bumblefudge> 💪 <drummond> Thanks much, Mike. Mike Prorock: Well it is much much appreciated as always in a big breath of fresh air compared to a lot of behind closed doors locked up stuff so once again thank you as always for the broad support with that I'm going to say thank you everyone really appreciate your time questions comments in the chat Etc feel free to continue conversation on the list and obviously feedback into the chairs if we need to add remove topics change topics Etc as always but we've been. Mike Prorock: Been so far hearing great feedback thanks especially to my co-chairs Harrison. Phil Long: :Clap: Mike Prorock: And Kimberly for really working together on this stuff so it's been great to kind of see everything coming together here with that we can go ahead and stop recording and happy Tuesday and on to the next meetings so thank you again all.
Received on Wednesday, 7 December 2022 09:52:33 UTC