[MINUTES] W3C CCG Credentials CG Call - 2022-12-06

Thanks to Our Robot Overlords for scribing this week!

The transcript for the call is now available here:


Full text of the discussion follows for W3C archival purposes.
Audio of the meeting is available at the following location:


W3C CCG Weekly Teleconference Transcript for 2022-12-06

Topics:
  1. Introductions and Reintroductions
  2. Announcements
  3. Use of VCs and DIDs in Government
Organizer:
  Mike Prorock, Kimberly Linson, Harrison Tang
Scribe:
  Our Robot Overlords
Present:
  Harrison Tang, Anil John, David Mason, Mike Prorock, Greg 
  Bernstein, Jeff O - HumanOS, Adrian Gropper, TallTed // Ted 
  Thibodeau (he/him) (OpenLinkSw.com), Phil L (P1), Marty Reed, 
  Manu Sporny, Gilad Rosner, Will, David Chadwick, Kimberly Linson, 
  Leo, Erica Connell, Dmitri Zagidulin, Tim Bouma, Lucy Yang, Phil 
  Long, Jack, Joe Andrieu, Brian Richter, Mateusz Lapsa-Malawski, 
  Drummond Reed, Steve Magennis, Andrew Whitehead, Ericko Deleon, 
  Gerard Iervolino, John Kuo, Ben (Transmute), Orie Steele, Kaliya 
  Young, Keith Kowal, Kerri Lemoie, Tomislav Markovski, Geun-Hyung 
  Kim, David I. Lehn, Juan Caballero, EDeleon, Leon Acreditta, John 
  Henderson, James Chartrand, Leon, Ted Thibodeau

Our Robot Overlords are scribing.
Mike Prorock: https://www.w3.org/Consortium/cepc/
Mike Prorock:  Hello all and welcome to the weekly Community 
  credentials Group. It is great to have everyone today we are 
  going to be talking about the use of verifiable credentials and 
  decentralized identifiers in government thanks to Anil John and 
  just a quick note first two things one is that this meeting as 
  with all meetings at W3C is covered under the Code of Ethics and 
Mike Prorock:   Professional Conduct a link to which I have.
Mike Prorock: https://www.w3.org/community/credentials/join
Mike Prorock:  Put in the chat here and while this meeting is 
  open to the public and totally all fair game and feel free to 
  participate all you want if you are participating on any you know 
  actual technical work items or contributing in any significant 
  capacity to work items you must be a member of the community 
  credentials group and I put a link to join that as well largely 
  for IPR reasons just to make sure that you know we don't get 
  saddled with something.
Mike Prorock:   That's copyrighted or patented so on.
Mike Prorock: https://w3c-ccg.github.io/meetings/
<mprorock> In IRC type “q+” to add yourself to the queue, with an 
Mike Prorock:  This meeting is being recorded and will go out to 
  our meetings page along with all the other ones we are finally I 
  think getting caught up on all of our transcripts and backlogs 
  cetera and just a quick note that while we do conduct this 
  meeting by voice we do use the jitsi chat or IRC so the chat box 
  there to manage queuing so I think this is tied to the raise hand 
  function as well.
Mike Prorock:   Now it does seem to be working that way.
Mike Prorock:  But you can also just type Q followed by plus into 
  the chat and we'll add yourself to the queue and Q- cetera that 
  and then at that point the moderator of the meeting in this case 
  me will go ahead and call on you when there's a good break in the 
  conversation etcetera that do be aware that we you know just be 
  respectful of time if you see a bunch of people stacked on the 
  Queue let's make sure everyone gets a chance to ask their 
  questions etcetera I'm going to pause here for.
Mike Prorock:   Any introductions and reintroductions is there 
  anyone new to the meeting.
Mike Prorock:  That has not been on before or who has changed 
  roles that would like to let us know about their role change.

Topic: Introductions and Reintroductions

Gilad_Rosner: Hello my name is Gilad Rosner I've been 
  historically a researcher and consultant in the space of digital 
  identity and privacy and information policy and recently I joined 
  a consultancy called luminol strategy partners that focuses on 
  digital identity and a range of related topics and I'm 
  particularly interested in the verifiable credentials standards 
  work and.
Gilad_Rosner:  use cases and applications.
Mike Prorock:  Awesome great to have you and feel free to join 
  the ccg proper if you have not already otherwise just feel free 
  to hop into these meetings and everyone here is pretty friendly 
  and the mailing list is reasonably active so great to have you.
Gilad_Rosner: Thank you thank you very much.
Mike Prorock:  Any other introductions or anyone new.
Mateusz Lapsa-Malawski: Hi, I think I should introduce myself. 
  I’m Mateusz Lapsa-Malawski. I work as part of the team on 
  GOV.UK One Login and we do use VCs a lot. Yeah they’re awesome.
Mike Prorock:  Excellent any other new intros here.

Topic: Announcements

Mike Prorock:  All right cool with that quick check for any 
  announcements or reminders for the community.
Mike Prorock:  And mr. Manu.
Manu Sporny:  Hey Mike yeah a couple of announcements the first 
  one is as many of you know the World Wide Web Consortium is going 
  through the legal entity transition this month and next month and 
  that means that it is going to be a very busy time for people in 
  management at w3c and chartering and all that kind of stuff all 
  that to say that we do not expect any new.
Manu Sporny:   T' any new.
<mprorock> understatement of century
Manu Sporny:  Anything to happen at w3c in December and January 
  other than making sure that the legal entity makes the transition 
  successfully and and all that kind of the century stuff so that's 
  the first kind of level setting thing that means more than likely 
  that new work or work transitioned into verifiable credentials 
  working group is going to be delayed that probably also means 
  discussions around the verifiable credential api.
<drummond> Will the transition have any effect on community 
  groups like CCG?
<mprorock> @drummond - CCG will be unaffected unless there is 
  anything that needs to go back to staff
Manu Sporny:  And the questions around you know whether the 
  charter allows that or whether we need to recharter or any of 
  that stuff now is probably not a good time to pursue that because 
  of the larger existential thing that's going on at w3c so I think 
  we can expect to see a bit of a pause in you know work 
  transitioning new work being picked up you know in vcwg this is 
  just me speaking as an individual but that.
Manu Sporny:   That is kind of what I'm.
<drummond> Thanks Mike
Manu Sporny:  I'm seeing however work on things like crypto 
  suites works on the verifiable credential API will continue in 
  the credentials community group so today we are starting up our 
  meetings again on verifiable credential API we will continue to 
  process issues in and work on that specification as many of you 
  know we have 17 implementations.
Manu Sporny:   Of of.
Manu Sporny:  Various aspects of the verifiable credentials API 
  thanks to the jobs for the future plugfest and so we're going to 
  continue moving forward with that specification in crypto suites 
  that are associated with some of the work that happened at JFF 
  plugfest too.
Manu Sporny:  The last announcement is that there is going 
  there's planning think planning is in in motion to have a 
  face-to-face meeting for verifiable credentials working group 
  early next year so just a heads up to those of you that might be 
  interested in participating there that there is a plan there are 
  plans of a US based face-to-face meeting early next year for 
  verifiable credentials.
Manu Sporny:   That's it.
Mike Prorock:  Yeah thanks Manu I 100% concur with everything you 
  said and I did want to note something that I did note to Drummond 
  in the chat which is ccg should be basically unaffected so if you 
  got new work you want to start on feel free to you know open an 
  issue get the work item process started etcetera just be aware if 
  there is something for some reason that has to go back to staff 
  like things that are transitioning into working groups those are 
  the things that will likely be delayed the other note before I 
  call on Lucy here.
Mike Prorock:   Is that I with that transition there are two 
Mike Prorock:  Things going on right now at W3C proper one is an 
  election for a couple of open seats on the TAG, the Technical 
  Architecture Group, as well as on the Advisory Board so if you are 
  an AC rep or if you're a member organization AC rep has not voted 
  please do poke them and make sure that they get their votes in on 
  that because it is an interesting time period from a transition 
  standpoint the board has their hands full a number of the.
Mike Prorock:   Current members of the new board of.
Mike Prorock:  Directors has shifted over from AB so there are 
  seats available on the AB and those do need to be backfilled so 
  Lucy I see you on the queue.
Lucy Yang:  Thanks Michael can you hear me fine.
Lucy Yang:  Okay great thank you so I just want to share an 
  update a few I think a few months ago I believe that Kaliya 
  shared about on our project.
<> mDL project open letter 
<drummond> It is a great paper, very nicely done.
Lucy Yang:  ….. Happened to protect so I want to share a link so 
  in case you haven't read it yet so it's a friend a friend link so 
  you know it will don't have to go through the pay wall of medium 
  and and like the main findings from from our first phase of this 
  community engagement projects pretty much we realize there are 
  how Market are I can have better perspective or how Market are 
  seeing kind of calm weather the conflicts where are the alignment 
  between the standard to.
Lucy Yang:   Two standards and also we Define like the marketing 
  in more like less.
Lucy Yang:  Two separate standards as we know many of us who are 
  deep in standard world see but more like a how standards can work 
  together to provide them a complete and end-to-end solutions so 
  I'm coming out of that kind of like an understanding so we 
  proposed a more kind of less standard technology-driven the more 
  kind of Market implementation driven analysis and also related 
  efforts in the in the letter and and the goal and also be based.
Lucy Yang:   On that recommendation we're also I'm gauging 
  interest for the potential next.
Lucy Yang:  Phase of the project and I think want to be clear at 
  the goal of this like does next phase where the this project is 
  to identify how.
Lucy Yang:  We're still how these two things Collide but more so 
  like in the market less so probably at this point in the standard 
  group because at least we can’t influence too much what is going 
  on the Standard Group and eventually to achieve and I think three 
  things we mentioned very clearly in the letter first thing is how 
  we can help the market to develop an understanding of where each 
  standards can provide unique values and then second for 
  implementers to build on these standards with ease and then 
  lastly and very very importantly for users.
Lucy Yang:   Like each individual like us to manage credentials 
  you know build on those those.
Lucy Yang:  Standards was very good experience so I just wanted 
  to share this and you know we have a sign up form in the letter 
  so if you're interested in full in keep getting updates and 
  potentially participating in the next phase you can sign up 
  through the form and we'll keep you updated thank you.
<bumblefudge> 👏
<anil_john_[us/dhs/svip]> What I took away from that paper is 
  that any attempt to drive the primacy of one standard over the 
  other will result in failure for both technical and structural 
  issues. We need a third way!
Mike Prorock:  Awesome thank you so much Lucy really appreciate 
  all yours and Kaliya’s hard work on that and obviously appreciate 
  all the support from Wayne and Spruce on that as well I mean it's 
  a very very important topic and we are glad to see y'all putting 
  all the hard work into it because it's not fun and it takes work 
  so really can't give enough big cheers so for starting to work on 
Mike Prorock:   Yes I see I'm sure Anil will not.
<drummond> Kudos to Spruce for sponsoring the project.
Mike Prorock:  Comment at all about this at all when we finally 
  let him talk I think there is one last item just to touch base on 
  which Jack if you're on I know you got a good pull request out 
  would you mind sharing a link to that and getting visibility and 
  from the community as well as an ask on feedback Etc on that.
Jack: Hey sure. You want me to briefly introduce it right now, 
Mike Prorock:  Yeah that'd be great just a quick intro and then a 
  link to the pr so that folks can comment.
Jack: Sure. So at the Autonomy Foundation, me and my colleagues 
  Rebel have been working on an implementation using one of the 
  verification method proof types. It's currently called verifiable 
  conditions, and this is the W3C CCG standard we have since the 
  last meeting updated the name to conditional proof. This is to 
  have a less less of an acronym clash with verifiable credentials 
  of VCs. So the first thing is that we have a PR, it's been 
  approved by one of the other coauthors and ready to just have 
  that name change done in your repositories. I think it also makes 
  sense for you guys to update the repository slug as well. That's 
  the first thing. And the second thing is we've actually 
  implemented this condition, verifiable conditions that allows you 
  to present delegated and multi-signature condition types inside a 
  DID document. And we've implemented a verifiable credentials 
  library that allows you to assign verifiable credentials with 
  multiple or delegated signatures or combinations of the two. And 
  it uses this verified verification method standard to prove that 
  the condition was met. So I've just shared two links. The first 
  is a blog article that introduces the bigger scope of work having 
  verifiable, verifiable credentials with multi-signature and 
  delegated signatures. So that gives an overview. I think this is 
  a this work we've done from the Decentralized Identity Foundation 
  repositories and we've now got the links to our work there with 
  the pull requests to a branch to represent upstream. So you can 
  see exactly what we've done on those repositories. We haven't got 
  a a pull request to the upstream branches yet. I think it'd be 
  great for the community to start understanding what this standard 
  looks like and having a more in-depth discussion probably at a 
  later call. The second link I have there is the link to the pull 
  request on the Verifiable conditions W3C ccg repo which we would 
  like approved.
<kaliya_identitywoman> We are looking towards Phase 2 and open to 
  talking to companies who want to support it.
<manu_sporny> This is really interesting/exciting work -- I have 
  concerns (of course), but really leveraging the power of what 
  we've created here at CCG.
<manu_sporny> ... and in a way that's pleasantly new -- breath of 
  fresh air.
Mike Prorock:  Awesome and I move you're an editor on that work 
  item so obviously you contributing that is good I think Marcus 
  and or I forget who the other kind of core admin is on that looks 
  like maybe Casper so at any point obviously just poke Marcus Etc 
  as long as you know it's Purge I think you're fine so appreciate 
  the hard work on this so.
<bumblefudge> 💪
<kaliya_identitywoman> can whoever has the background noise mute
<harrison_tang> Thanks, Jack!
Jack: Thanks and looking forward to some feedback and people to 
  get excited about multi several multi-signature VCs in the like 
Mike Prorock:  Awesome cool sounds good well thanks so much again 
  and with that let me just quick double check I think that is the 
  last any any kind of final announcements or anything we missed 
  here before we turn it over to Anil.
Kaliya Young:  I'll share that we are working on an event 
  inspired by IIW happening in APAC in Thailand specifically so APAC 
  digital identity unconference and our dates for that are March 1 
  to 3 it's March 1 being an evening welcome reception two days of 
  unconference in Bangkok so if you are in APAC we invite you.
Kaliya Young:   If you have colleagues who are.
<drummond> Link?
Kaliya Young:  Based in that region that you'd like to 
  participate in a community event similar to IIW but centered 
  around back and the community there I am sharing a save the date 
  Drummond there isn't a link yet but it will be coming and as soon 
  as it available I'll post it to the list.
Mike Prorock:  Thank you Kaliya cool well with that mr. Anil John 
  I'm going to hand the ball to you to kick us off and talk about 
  the topic for the day.
Anil John:  So Mike I have sort of a open-ended thing right so I 
  will simply know that it's going to be a stream of consciousness 
  forgive me but I'd rather you know have questions you know from 
  the members here more than anything else and part of it is also I 
  just got back from spending a week combination of London meeting 
  with the the UK government folks as well as the European 
Anil John:   As well as obviously attending along with Kaliya.

Topic: Use of VCs and DIDs in Government

Anil John:  And some of the other members here the ease of slabs 
  final event in Brussels as well so a little bit of pieces all 
  over the place but I will simply start since Kaliya spoke 
  recently I was simply felt that I had one of the strangest 
  conversations that I have ever had in the in my government career 
  this morning whereby it seems like one of the one of the one of 
  the leaders of our office of biometric identity management open.
Anil John:   Attended the last IIw and was.
Anil John:  Incredibly became incredibly was enthusiastic about 
  the you know the the conversations that they had and ended up 
  talking to them about you know what they wanted to do in order to 
  engage the community a whole lot more so I just found that it is 
  rare when people who are sort of very much in the government 
  space engage with communities like IIW and realize there is a 
Anil John:   Ecosystem that has a very interesting and diverse.
Anil John:  Viewpoint and it's even rarer when they recognize 
  that there is incredible amount of value in engaging with them to 
  understand the perspectives of not just the large technology 
  vendors but the actual in the the people who actually end up 
  being on the recipient and the use of the technology so I think 
  whatever you guys did at the last iiw to engage with them please 
  keep doing more of that because that was that was a refreshing 
  engagement on.
Anil John:   My side so just want to let you know that 
Anil John:  Like I said I like I said I had a set of 
  conversations that I had when I was in in Europe last week and 
  what I'll do is I'll at least share the perspective that I was 
  taking with me into those conversation even if I will defer from 
  sharing what the response from the counterparty organizations 
  were right I want to be respectful of their position but at 
Anil John:  I’ll sort of articulate some of the conversation.
<davidc> Apologies Anil
Anil John:  That that we brought to the table in in in doing that 
  and I know that there are people from the European Union 
  companies from there on the table and by the way I was hoping 
  that I would actually run into David Chadwick in person and I did 
  not I was I regret that in some ways because I thought that he 
  was part of the ISA flab in Atkins group as well but hopefully 
  one of these days we will in a meet up in person one of these 
  days as well but.
Anil John:   Separately first and foremost it is.
<davidc> I am currently in Spain
Anil John:  Interesting to engage with the startup community and 
  the Innovative community in Europe and realize that for them 
  blockchain is not a dirty word right so I think it was it was 
  interesting for me in that realizing for them that is probably in 
  some way shape or the EU perspective on you know ensuring a you 
  know a competitive ecosystem and probably the you know.
Anil John:   The alignment of the philosophy around.
Anil John:  The blockchain technology more than anything else but 
  as it relates to the verifiable credential and the decentralised 
  identity Community are one recommendation that I would absolutely 
  have regarding that is to engage actually with the EU’s EBCI 
  initiative which is the European blockchain something in I forget 
  the last two words that goes with the acronym primarily because 
  they what.
Anil John:   I took away from the conversations with them in some 
  of the questions.
Anil John:  I had with them is they are suffering from the same 
  branding challenge that I have on the Silicon Valley Innovation 
  program like my program is called the Silicon Valley Innovation 
  program but majority of our companies from outside the valley and 
  we fund companies you know globally as well so Silicon Valley 
  tends to be a branding for us and for them I think when they 
  started obviously blockchain technology was the globally visible 
  bright and shiny objects so they basically use that but when you 
  talk to.
Anil John:   To them what you realize is that.
Anil John:  They sort of evolved with the times and they're very 
  much champions of using verifiable credentials and decentralised 
  identifiers in the broader ecosystem and when they think about 
  quote-unquote blockchain they sort of look at it as a resilient 
  content distribution Network for metadata and not for anything 
  else so I think there is value in this community sort of putting 
  aside there you know in some ways they are instinctive aversion 
Anil John:   The term blockchain and engaging with them because 
  there are actually doing some.
Anil John:  Interesting work there that's worth while to sort of 
  understand and I think you will find you know them to be 
  receptive to what we are doing in this ecosystem as well right so 
  separately the from the from the government perspective there 
  were a couple of things that I sort of in it took as on behalf of 
  my partners and the work that we're doing whether it is.
Anil John:   Is USCI or OCB.
Anil John:  Our office of privacy there right and one of them was 
  very simple right I think I think there was a public announcement 
  just recently that the European Union has actually awarded the 
  contract the European commission has awarded the contract for the 
  development of the EUDI European digital identity wallet to a 
  to a combination of companies hang on for just one second.
Anil John:   And you know not.
Anil John:  Somebody that I.
Anil John:  I normally interact with a net company intro 
  self-intro soft and get Tails ab I'm sure I'm angle the 
  pronunciation of the last one the last one is important because 
  they are a company that is that obviously spends a lot of work in 
  the mobile driver's license space in fact an old friend of mine 
  Jeff Schlegel who used to be the head of identity management at 
  AAMVA is actually works for them there as well so.
Anil John:   You know they are they are obviously in a remarkably 
  competent company.
Anil John:  It's going to be interesting in that where they sort 
  of take it and will be obviously given their background and mDL 
  in the support for the ISO mDL standard is going to be I'm sure 
  something that they're going to be putting into place my sense in 
  the variety of conversations that I had was there is a 
  significant amount of EU member states who are also interested in 
  verifiable credentials and DIDs as well so I would not be 
  surprised if there is a broader acceptance for the standards more 
  than anything else there.
Anil John:   From from the from the messages and the conversation 
  that I was conveying.
Anil John:  In this was something along this line right so I 
  think as a sovereign talking to another Sovereign we fully 
  recognize that the European Union and the member states have 
  actually have full remit over how they want to conduct their 
  business when it comes to the identity and the digital wallet 
  piece of it and obviously the policies that they're putting into 
  place regarding you know who is authoritative how they determine 
  whose authoritative and things like that.
Anil John:   That are obviously.
Anil John:  That is fully under their remit and in at their 
  decision to do I think the question that I sort of asked them was 
  two layers down at the end of the road one of the work streams 
  that we have is with US citizenship and immigration service that 
  we are in the business of issuing high-value digital immigration 
  credentials to people who are citizens of other countries and one 
  of the questions.
Anil John:   That and.
Anil John:  One of the things.
Anil John:  That we sort of opened the door for is twofold one of 
  them is I think USCIS I think they felt about this publicly so 
  I'm not sharing anything magical secret they are absolutely 
  interested in working with other jurisdictions in order to 
  consume their digital credentials as part of the adjudication 
  process of granting somebody a benefit you know a benefit being a 
  permanent resident card or a you know immigration other types of 
  immigration document of things like that so there was.
Anil John:   A question that I asked on behalf of my partner's 
Anil John:  We believe this is a value to your citizens in order 
  to make their life easier would there be any opportunity to work 
  together on that there was also a separate question that we asked 
  as well and that was very simple we are going down the path with 
  the USCIS in for lack of a better word bring your own DID bring 
  your own wallet to our front door approach right that basically 
  means that we are not going to basically you know push.
Anil John:   You know USCIS or DHS or the US government as of 
  right now.
Anil John:  Have no.
Anil John:  Plans to basically build a wallet for government that 
  will be deployed to the community in general our desire is to 
  basically Leverage The broader ecosystem in order to do that 
  having said that the European Union has obviously made very clear 
  that they are give me just one second.
Anil John:  That they are going down the path of obviously 
  ensuring that every EU citizen would have a digital wallet of 
  their own so one of the questions that we asked was we would love 
  a future where a European citizen with the EU member state issued 
  digital wallet has the ability to come to a USCIS infrastructure 
  and be able to actually receive a digital immigration credentials 
Anil John:   Us rather than them having to find some other 
  approved wallet.
Anil John:  In order to get to that point obviously that has to 
  be some conversation about you know is there a common equivalency 
  between the security privacy and interoperability aspects of the 
  wallet on a so that we can all you know build on the same common 
  foundation and the question that was being that that we asked was 
  is that an interest in doing so right so that's like I said I 
  want to be transparent from at least from our perspective on what 
  the questions that we were asking were so that.
Anil John:   Is one the second one obviously we saw on the other 
  trade side obviously global trade is a.
Anil John:  Big deal for us and one of the other work streams 
  that we have is the digitization of trade documents whether it is 
  for agriculture or oil and natural gas steel e-commerce Imports 
  into the us and we are also going down the path for our trusted 
  Trader program potentially to be issuing credentials to our 
  exporters with mutual recognition by other counterparties as well 
  so the question is you know we are interested in this.
Anil John:   Global trade is obviously a mutual interest to all 
  of it is there interesting on working together.
Anil John:  On this and so those are some of the questions that 
  we were asking and last but not least separately on the SVIP side 
  we are actually a currently you know having discussions with our 
  you know DHS office of privacy potentially around a future time 
  frame to be determined specifics to be determined around a.
Anil John:   A open solicitation around privacy.
Anil John:  Enhancing Technologies which is I think a something 
  of great interest to a variety of communities are both on the 
  private sector side and on the public sector side in general I 
  want to be very clear that when we talk about privacy 
  enhancing Technologies we often run into what some of my 
  colleagues called the Privacy industrial complex which is a way 
  of describing people who would love to.
Anil John:   To look at a problem admire it from.
Anil John:  15 Different directions articulate how wonderful and 
  beautiful the problem is then ask for funding to admire it some 
  more which is not what we want for a sort of solicitation to SVIP 
  we're looking for something that is very very near term and 
  useful across a broader community and is there an opportunity to 
  sort of ensure that any type of solution obviously is 
  interoperable on a global basis so that's.
Anil John:   That's my one thing to the community in general
Anil John:  I'm really interested in getting your perspective on 
  on the Privacy side of the house what are some perhaps tractable 
  problems that you see that people are not addressing in any way 
  shape or form and not you know magical you know homomorphic 
  encryption zero knowledge proof-y kind of thing is where there's 
  a whole bunch of other things that come along for the ride as 
  well really I'm happy to you know happy to get the feedback from 
  the community again.
Anil John:   Mike I think that's like sort of the the random bit 
  of conversations.
Anil John:  On the government perspective both in the public and 
  the private sector I'd rather take questions and sort of answer 
  everything else.
Mike Prorock:  You know that was awesome and on the Privacy side 
  I mean I'll just chip in something that you know we're dealing 
  with obviously which is privacy around machine learning data 
  especially as we're looking at things like you know dense passage 
  retrieval and sparse indexing and things like well it's powering 
  ChatGPT and a whole bunch of other systems we've been layering 
  in models to try to.
Mike Prorock:   To intersect and prevent that.
Mike Prorock:  Data that could be identifying an individual 
  before it even gets into the system but there's no standardized 
  way of approaching this or way of dealing with those that might 
  be the web ml group over here at w3c it might be somewhere else I 
  don't know but that's an area that's very that you do is very 
  nebulous and is very problematic across the industry and all I 
  see is a bunch of hand waving around and saying bias bad privacy 
  data you know you know pii bad but no real practical like well 
  let's all agree on a way to go.
Mike Prorock:   Take some concrete steps to solve it.
Mike Prorock:  But I mean do you have any thoughts on that side 
  of it.
Mike Prorock:  Yeah I know great yeah.
Anil John:  I do and I agree with you in a from that perspective 
  also again that is not really my swim Lane more than anything 
  else so anything that I say can be is either going to be 
  incomplete or misconstrued so I'd rather provide you the feedback 
  directly rather than publicly because I know I will get wrong and 
  I'd rather be corrected more than anything else I would also note 
  that one of the things that I've.
Anil John:   I've spent in my.
Anil John:  R&D days was around the fact that it is very hard for 
  a government organization in order to provide training data to 
  somebody that we're working with it simply you know it's not a 
  path to success right so I spend a lot of time in basically 
  trying to generate synthetic data that is actually really modeled 
  to the greatest extent on how real data looks and I'm not sure 
  how much work is being done in order to sort of understand the 
  fidelity of the.
Anil John:   Data because fundamentally.
Anil John:  I do not believe in deanonymizing technologies. Right 
  so so so I believe that they are you know they're snake oil and 
  so we need a better approach to you know it training that 
  training information and things like that the the other piece 
  that I think that you know I'm sort of struggling with this 
  basically we selective disclosure is something that is incredibly 
Anil John:   To the people that I'm working with.
Anil John:  And the technology that we're looking at whether it 
  is BBS signatures or some other scheme and what I don't see is a 
  path to ensuring that selective disclosure capabilities can be 
  implemented using quantum-safe cryptography so really really 
  interested in that aspect of it and if people have have a sense 
  of where who is thinking about it what they're doing with it I 
  would love to learn a little bit more and pick their brains and 
  things like that.
Anil John:   And it.
Mike Prorock:  Yeah and and and Tobias and I have been having 
  that conversation a lot the only folks I know who are looking at 
  that in any serious way right now is IBM research I've been yeah 
  so and I can obviously make some intros over there but to date 
  that's the only folks that are seriously hammering that side of 
  selective disclosure and potential approaches but it's early 
  right it's moved I mean it's like 2-3 years into like hard 
  testing on some stuff but that's.
Mike Prorock:   Early in cryptography right so Manu.
Manu Sporny:  Yeah thanks Mike and good to good to hear your 
  voice Anil so I've got a question it's on the selective 
  disclosure thing right because this was a question that was 
  raised by a number of people that are operating out of the EU and 
  hoping to discuss you know deploy verifiable credentials and they 
  basically said you know why is BBS+ the only selective 
  disclosure mechanism that's being looked at you know why are.
Manu Sporny:   There not other mechanisms.
<mprorock> SD_JWT with dilithium?
<orie> There are a few lattice based systems for ZKP being 
  developed, but I am not aware of any that have made their way to 
  IETF CFRG yet.
Manu Sporny:  Being looked at now there is work and in SD-JWT but 
  I would I would say that you know the community in general seems 
  to be targeting BBS+ as the selective disclosure plus 
  unlinkable signature mechanism and it seems that the E some of 
  the folks in the EU are saying no that's not good enough because 
  what we what we actually need is we need.
Manu Sporny:   Need NIST-approved cryptography.
Manu Sporny:  So the plain old vanilla stuff that's been used for 
  20 plus years but we need a selective disclosure mechanism there 
  and what I've noticed is that the second we start hinting that 
  we're going to work on something like that something like SD-JWT 
  you get people that push back and say oh no no no you shouldn't 
  do that because you you get traceability with that type of 
  selective disclosure and so you should be doing something more 
  akin to CL signatures.
Manu Sporny:   Or BBS+ so I think one of.
Manu Sporny:  The traps we're in right now is we're stuck between 
  a rock and a hard place where we have the EU saying you will do 
  selective disclosure but not being very specific about what they 
  mean as far as I know and you've got you know people that are 
  really pushing the unlinkability stuff going you should not do 
  selective disclosure unless you also do unlinkability and if you 
  work on something that's not that expect to be attacked.
Manu Sporny:   Right I mean it.
Manu Sporny:  Expect to have the privacy you know quote-unquote 
  defenders of privacy come after you because you're providing a 
  mechanism that allows you know tracking of individuals so what 
  I'm wanting Anil I'm wondering if you found out anything about 
  kind of this this line of thinking out of the EU and your 
  meetings last week with them and I'm wondering if there's anyone 
  you know from the EU that's been looking at those regulations a 
  bit more closely.
Manu Sporny:   That is reading something different.
Manu Sporny:  Out of that requirement that's it.
Anil John:  So Manu I'll be blunt in saying that I don't think we 
  got into that level of looking under in the weeds on this one 
  right I would simply note the selective disclosure is important 
  capability for us simply because in the predicate proofs and 
  implementations of it I've learned you know pretty painfully in 
  past lives that unless there is a liability model around when 
  things go wrong wrapped around it and no technology vendor.
Anil John:   Seems to be want to be hold themselves liable for 
  that beautiful math.
Anil John:  You know and no relying party will actually believe that 
  so for us selective disclosure is important you know the there 
  was a receptiveness to ensuring that the quantum-safe signature 
  quantum-safe implementation of selective disclosure is something 
  that is worthwhile you know you know got positive reception to 
  that in a particular conversational thread but I have I didn't 
  really go down to that level of detail on nuance.
Anil John:   In the policy so couldn’t.
Anil John:  Give you a good answer there.
Mike Prorock:  Anil kind of following on to that I mean would you 
  have any opposition to use of like SD-JWT now that it's been 
  getting significantly streamlined and improved with like 
  Dilithium and or P-256 or something like that as mechanisms to 
  provide that in a NIST-compliant manner.
<orie> Nice dodge :)
Mike Prorock: https://github.com/OR13/draft-osteele-vc-jose
Anil John:  Mr. Prorock are you trying to like walk me into a 
  corner at this point so show me how they can work with 
  semantically aware JSON linked data structure JSON-LD based 
  credential format so I would simply note that you know it is it 
  is it is going to be so so I got asked this question publicly by 
  I think Paul knows I know that he he participates here as well.
Anil John:   Also about the.
<mprorock> rather, https://or13.github.io/draft-osteele-vc-jose/
<orie> That's an older link, here are the newer ones
Anil John:  The current shall we say interesting discussions 
  around @context and things like that which I basically said 
  that I would not engage on in general I would simply note that 
  some of the arguments from as a end user and a of a technology 
  what I will convey from from from the usage of this technology 
  within the context of both.
Anil John:   USCIS and US customs.
<mprorock> and from orie - more up to date 
Anil John:  Is that you know verifiable credentials and digitally 
  signed attestations are a piece of the puzzle and piece of the 
  business process that they look at on the CBP side in order to 
  determine whether goods coming into the country are something 
  that they can allow in whether they will stop or they want to 
  learn more about and for us the semantic overlay to JSON a a 
Anil John:   Is basically something that is.
<drummond> CBP essentially has no need for selective disclosure.
Anil John:  Important to us to do the analysis on the data that 
  is coming in so it is not about making life easier for developers 
  or harder for developers or the like it is about actually solving 
  a business problem on our end and we need that data to actually 
  be commonly understood on both sides of the wire so from my 
  perspective you know feel free to have the conversations that you 
  guys need to have.
Anil John:   Have from a technical implementation perspective 
<mprorock> @drummond - i think that is incorrect
Anil John:  Do make sure that your conversations are also going 
  down the path of actually solving the problems of end customers 
  and not making it easy just for selling product right so.
Mike Prorock:  Yeah no fully agree and I think you're getting in 
  something important which is those semantics are really important 
  for machine learning side Orie I see you on the queue.
Orie Steele:  Yeah I was just queued to to comment on some of 
  what's there's a lot of topics coming here which it's their 
  frustratingly all tangled together the comment that I'm queued to 
  make is that post-quantum resiliency is something that benefits 
  all higher order schemes and envelope formats and so I think it 
  is a mistake to conflate benefits of a new.
Orie Steele:   New system with fundamental.
Mike Prorock: +1 Orie
Orie Steele:  New cryptography and I like to have nice clean 
  layers where I can add quantum resilience to JSON Web Signature 
  and COSE Sign1 and then layer on top of JSON Web Signature and 
  COSE Sign1 other higher order pieces and if you have to sort 
  of buy into an entirely new envelope format to get a 
  fundamentally new cryptographic benefit or primitive I think 
  there's risks associated with that kind of.
Orie Steele:   Approach and it also it's less sort of helpful.
Orie Steele:  To the broader community that might already have 
  built dependencies on JSON Web Signature COSE Sign1 and so 
  you know I think in terms of the post-quantum side I think we 
  should be focused on making sure post-quantum is solved for in a 
  generic manner and in terms of the selective disclosure versus 
  unlinkability comments I think there are problems with the 
  approach when.
Orie Steele:   Adding those two.
Orie Steele:  Constraints together limits you essentially to you 
  know one or two schemes and I think that the industry needs to 
  solve for those problems with the appropriate layering so that 
  there's enough cryptographic agility around unlinkability or 
  progressive or selective disclosure so that you're not committed 
  to one cryptographic hardness problem in the unlikely event that 
  that hardness problem ends up being not.
Orie Steele:   Not so hard that’s it.
Anil John:  Thank you Orie I actually wanted to answer the 
  comment that actually Drummond made that CBP does not have a need 
  for selective disclosure I would simply note that in an 
  internal conversation that we were having with CBP I made the 
  exact same comment Drummond and I was basically yelled at out of 
  the room right and their comment very simply.
Anil John:   Was you know they.
Anil John:  It was this right so for the I will contrast the 
  perspectives right USCIS considers selective disclosure for the 
  credentials that it issues to be incredibly important from a privacy 
  and giving control to individuals in what they discussed your 
  counterparty CBP on the other hand does not look at selective 
  disclosure from a quote unquote in a privacy perspective they 
  look at it.
Anil John:   Actually from a.
<mprorock> "Need to Know"
Anil John:  Selective disclosure of business information that is 
  relevant to CBP from the private sector so there's a whole bunch 
  of information that are that is presented by trade to CBP that 
  may or may not be relevant to the CBP from a from a business 
  perspective and what they are asking for and giving the in a 
  trade counterparties who interact with CBP using verifiable 
  credentials based and decentralised identifier.
Anil John:   Based you know digital documents.
Anil John:  And giving them the ability to selectively share only 
  portions of that information with CBP is something that is really 
  really of value to both the trading counterparties and to CBP so 
  for them they don't look at it from the privacy perspective but 
  they do not look at it from the selective disclosure of business 
  perspective to CBP as as a use case there hopefully that was 
<drummond> Anil, that makes lots of sense. I stand corrected.
Mike Prorock:  Yeah and I'll add in an agricultural case that I'm 
  just like very intimately familiar with like when you think about 
  and this I think extends beyond government right this is more 
  just in general right if you think about like a health and safety 
  inspection at a facility well the inspecting body may not may 
  wish to reveal to someone purchasing from you know say a food 
  processing facility you know jam right so they I want to buy the 
  strawberry jam well did they pass the health and safety 
  inspections sure.
Mike Prorock:   Sure that party.
Mike Prorock:  Does not necessarily need to know all of the 
  details or other suppliers that that you know sellers working 
  from etcetera so there are a lot of selective disclosure use 
  cases in trade Drummond so hey.
Anil John:  So I also want to move beyond selective disclosure 
  some of the other privacy pieces as well the one thing that I'll 
  note and one of the things that we are very concerned about is 
  basically informed consent and the implications to the mosaic 
  effect right so I think one of the challenges that I think that 
  we face particularly when you're actually providing a lot of 
  agency and control to an individual.
Anil John:   And what they can basically selectively disclose.
Anil John:  To a counterparty with consent is that over time 
  cognitively you lose track of the amount of consent that you've 
  given to a counterparty and over time that counterparty could 
  actually build up a very good profile of you that you are based 
  on the data that you shared with consent because you've actually 
  lost track of the amount of consent that you given so you know 
  consent management at scale revocation of.
Anil John:   Consent both from a UI from a larger cognitive.
Anil John:  Perspective feels like a problem space that we are 
  not adequately addressing so I'm so it feels as though that is an 
  area that we need to put some emphasis on and at that we need 
  some clear solutions that are actually potentially you know 
  integrated into whether it is a digital wallet or whether it is a 
  issuer infrastructure or whether it is a verifier infrastructure 
  I don't know I'm not sure where the right places are but that's 
  also one of the other things that we are sort of thinking.
Anil John:   Over as being something that is very near-term and 
  very real.
<greg_bernstein> CDP?
Manu Sporny:  Yeah I wholeheartedly agree with that have no clear 
  answers on the best way to approach that I do agree that it's 
  probably a big area that this community as well as its you know 
  sister communities need to need to focus on I was going to ask a 
  slightly different question or a concern right voice a concern 
  and then ask a question of kind of.
Manu Sporny:   You as a.
<mprorock> @Greg CBP - US Customs
<tallted> CBP = U.S. Customs and Border Protection
Manu Sporny:  As someone that works for government Anil So as 
  everyone has probably seen there's like this big rush to make 
  wallets make digital wallets a thing right there's all this talk 
  about digital wallet standardization and open source versus open 
  standards and they all seem like they're on a collision course in 
  2023 there are various groups and companies that are saying that.
Manu Sporny:   They know what the next-generation protocol is 
  going to be or it’s going to be.
<greg_bernstein> Thanks. My sister works for CBP...
Manu Sporny:  X and wallets are going to work exactly like Y and 
  you know personally I think this is just all premature and 
  grandstanding right but that is going to be what one of the big 
  things that happens in 2023 you've got EU pushing out with this I 
  mean they've allocated money to someone to build an open digital 
  wallet there are as we saw in the Jobs for the Future plugfest.
Manu Sporny:  Multiple speaking wallets multiple different 
  protocols with multiple different kind of wire level data formats 
  that does not seem like it's going to be reconciled anytime soon 
  some people are claiming that there will be one winner others are 
  saying no we're looking at a multi-protocol multi-format future 
  I'm wondering how you Anil and if you've had a chance to talk 
  with anyone in the EU are going to navigate that kind of.
Manu Sporny:  Tumult in the in the ecosystem thoughts.
Anil John:  Always have a lot of thoughts on this in a primarily 
  because I think the reality is that I think I think I think first 
  of all let me just back up as a you know a two-lane constrained 
  that I saw you know regarding the ongoing in a fascinating 
  conversation around mDL versus and and it's very easy to say 
  versus VC when the reality.
Anil John:   Of our identity ecosystem is we still.
Anil John:  Work with systems that use that dreaded WS-* 
  protocols we still work with systems that use SAML and we use 
  obviously things like OpenID Connect and or as well so I do 
  fully anticipate that going forward we absolutely will live in a 
  multi-protocol multi credential format world the question and any 
  desire by one community in order to sort of make the other 
  community bend.
Anil John:   The knee is going to result in.
<drummond> On the topic of W3C VC and ISO mDL, I know it was 
  shared once, but I'm sharing the link to Kaliya and Lucy's 
  excellent article again because its advice is really spot on: 
Anil John:  Basically allergic reaction and a lack of a path to 
  success right so I do think that we do need a better approach 
  that recognizes the fact that basically the starting point for 
  the mDL and the VCs were actually very different VCs were focused 
  on presentation of credentials over the web mDL was focused on 
  presentation of credentials in person and that specific choices 
Anil John:   Made in order to enable that and now you sort.
Anil John:  Trying to you know conquer the world and we sort of 
  need to find a way to sort of make sure that we have a path 
  forward I do not know what the path forward is but I definitely 
  resonated with Kaliya’s and and Lucy's in-depth research on a 
  given that they actually spend the time to do the research and 
  talk to a variety of people on that I do think that I want to be 
  very clear at least my perspective of the.
Anil John:   The award that they everything.
Anil John:  Made is not for building a wallet for the EU it was 
  for building for lack of a better word a reference implementation 
  of a wallet that actually they're going to use to inform you know 
  their policy on what standards to support what the scalability of 
  that implementation are so if you actually look at the award and 
  I'll actually you know try to put a link to the actual tender 
  award piece.
Anil John:   You know somebody sent me a link to that actually.
Anil John:  You will notice that it is very much about a 
  reference implementation so it's not a done deal it's a my sense 
  of that is there's they're using that to make sure that the 
  rubber actually meets the road on their policy right so and not 
  trying to make sure that you have a policy without actually 
  closing the loop with the technology implementation and they're 
  using this tender as a mechanism to build and sort of figure out 
  what is real what can be.
Anil John:   Supported so I think it is important for the.
Anil John:  Community in general to sort of ensure that feedback 
  is provided to that effort so that it actually informs what the 
  ultimate end state is beyond that obviously you know we're very 
  interested in the work that we're doing in making sure that the 
  at the end of the road we want to make it easy for our customers 
  the citizens the immigrants are the people who actually consumed 
  our credentials and to whom we issue our credentials.
Anil John:   Such that they can actually manage own and control.
Anil John:  Their interactions whether it is a private sector the 
  public sector in a manner that is not that does that makes their 
  life easier and they have confidence in the integrity and the 
  privacy of the data that that is theirs to to begin with I don't 
  have magical answers for you Manu other than I think it is really 
  important for us to continue the conversation make sure that we 
  bring the diversity of perspectives whether it is you know on.
Anil John:   Across jurisdictional level.
Anil John:  Or if it is from different communities together and 
  any desire to play a zero-sum game is is fundamentally a bad 
  strategy in the current ecosystem because it's not going to get 
  you what you think you're going to get that's the best I can 
  offer you at this point in time Manu.
<manu_sporny> Very helpful, thank you! :)
<drummond> Many thanks, Anil.
<kimberly_wilson_linson> Thank you Anil!
Mike Prorock:  Awesome that was super helpful well I think we're 
  kind of at time here unfortunately it's a great conversation Anil 
  I really appreciate your time today as I'm sure many others do 
  the and then just keep us posted obviously on the chair side if 
  you have any other updates around things like profiles and other 
  things that can be shared broader with the community to help 
  provide implementation guidance etcetera so that we can all work 
  with government systems and.
Mike Prorock:   Vice versa better and make our whole.
Anil John:  Yeah yeah I just want to be very clear right you know 
  absolutely happy to do that for the primary reason from a self 
  preservation perspective which is we do not want government 
  bespoke only systems that work we work at scale globally and so 
  anything that we can do in order to make sure that we do it but 
  we are also going to be very mindful of desires to.
Anil John:   Sort of you know.
Anil John:  In order to create the rails that sort of limit 
  competition and limit choice so that's something that we're going 
  to be watching as we obviously ensure that whatever we are we're 
  supporting is moving down the the very visible and open ecosystem 
  in a side of the house here.
<bumblefudge> 💖
<bumblefudge> 💪
<drummond> Thanks much, Mike.
Mike Prorock:  Well it is much much appreciated as always in a 
  big breath of fresh air compared to a lot of behind closed doors 
  locked up stuff so once again thank you as always for the broad 
  support with that I'm going to say thank you everyone really 
  appreciate your time questions comments in the chat Etc feel free 
  to continue conversation on the list and obviously feedback into 
  the chairs if we need to add remove topics change topics Etc as 
  always but we've been.
Mike Prorock:   Been so far hearing great feedback thanks 
  especially to my co-chairs Harrison.
Phil Long: :Clap:
Mike Prorock:  And Kimberly for really working together on this 
  stuff so it's been great to kind of see everything coming 
  together here with that we can go ahead and stop recording and 
  happy Tuesday and on to the next meetings so thank you again all.

Received on Wednesday, 7 December 2022 09:52:33 UTC