- From: CCG Minutes Bot <minutes@w3c-ccg.org>
- Date: Wed, 20 Jul 2022 17:34:28 +0000
Thanks to Our Robot Overlords for scribing this week! The transcript for the call is now available here: https://w3c-ccg.github.io/meetings/2022-07-12/ Full text of the discussion follows for W3C archival purposes. Audio of the meeting is available at the following location: https://w3c-ccg.github.io/meetings/2022-07-12/audio.ogg ---------------------------------------------------------------- W3C CCG Weekly Teleconference Transcript for 2022-07-12 Agenda: https://lists.w3.org/Archives/Public/public-credentials/2022Jul/0021.html Topics: 1. Announcements and Reminders 2. DHS SVIP Program Update Organizer: Kimberly Linson, Mike Prorock Scribe: Our Robot Overlords Present: Kimberly Linson, Anil John, Orie Steele, Tim Bouma, TallTed // Ted Thibodeau (he/him) (OpenLinkSw.com), Mario Bonito, Allison Fromm, Paul Jackson, Kulpreet Singh, Mike Prorock, Harrison Tang, Manu Sporny, Shawn Butterfield, Will Abramson, Jon St. John, Ben (Transmute), Marty Reed, Sokeeffe, Chris Abernethy, Kerri Lemoie, Lucy Yang, Kayode Ezike, David I. Lehn, Ted Thibodeau, Laura Fowler, Brent Zundel, Phil L (P1), Jenn G, Kaliya, Annette Muelller, Heather Vescent, Adrian Gropper, matt, Jeff O - HumanOS, Erica Connell, Dmitri Zagidulin, Sapan Narang Our Robot Overlords are scribing. Video of this meeting is available here: https://meet.w3c-ccg.org/archives/w3c-ccg-weekly-2022-07-12.mp4 Kimberly Linson: Okay well quickly as you know we have a special guest today and you'll John is going to be talking with us about some of the tech standards that they all use to make decisions and I'm going to let Mike introduce him in a little bit but first of all let me just remind everyone of our code of ethics and professional conduct you can find the link to that in the agenda if you want to read it more thoroughly but we definitely want to make sure that this is a collaborative community. Kimberly Linson: In one of the things I love most about it the IP note anybody can participate in these calls however anyone who wants to contribute substantial work that needs to be a member of the ccg with full IP are agreements the links to those are also in the agenda I will tell you I get an automatic notification every time someone joins the ccg and it is has been really interesting for me the last. Kimberly Linson: A couple of months how many people are joining this community is really actively growing and I actually see some folks who have recently joined here with us today on the call and one of the things we've started doing is sending out some hopefully entered some good introductory materials so if you want to weigh in on those or I'm going to put the link in the chat once I stop talking so that you can review those as well. Kimberly Linson: We minute and do audio recording of everything that's said on these calls we definitely invite your participation and if you want to to contribute to the conversation please put Q Plus in the chat queue - if you change your mind and we definitely will be keeping this in the audio file so not held on IRC a few if you have comments in the chat that are offline you know we. Kimberly Linson: We made those may be deleted. Kimberly Linson: We are not going to hopefully need a scribe today we'll cross that bridge if we get to it and so now we are at introductions and reintroductions do I have anybody who wants to introduce themselves. Topic: Announcements and Reminders Kimberly Linson: Okay next is announcements and reminders. Kimberly Linson: Any announcements and reminders yeah I know. <manu_sporny> Call for DID Press Release testimonials: https://lists.w3.org/Archives/Public/public-did-wg/2022Jul/0000.html Manu Sporny: Yeah I think Kimberly the there was a call so sorry did core has been approved for promotion to a global standard so hooray that's great there was a call for did press release testimonials I'm going to put the link in here for the press release test. <mprorock> woot! dids are even more of a thing Manu Sporny: You do not have to be a w3c member to submit a testimonial so basically there's going to be a press release that goes out announcing dids to the world as a global web standard by w3c at the bottom of that press release the the one that w3c kind of keeps for all time there can be any number of testimonials releasing members or non w3c members that liked it so if you have an organization that is. Manu Sporny: Using dids or planes to used its in the future. Manu Sporny: After submitting a testimonial by the end of this week There's a hard deadline by July 15th we have to have all those testimonials in and approved that's it. Kimberly Linson: Okay thanks anyone else with an announcement a reminder. Mike Prorock: I've got one more quick wonder if you are C at w3c proper or are in touch with your AC please do make sure folks are attending the actual AC calls today there are a seedings today and there's a lot of interesting topics rolling around especially related to governance board construction and timing that genuinely every AC needs to be paying attention to as far as. Mike Prorock: As you know future of W3. Mike Prorock: Action and financial stability etcetera so please do engage that as our voice right and that's why we are members of w3c if you're just a community group member this doesn't apply to you but didn't need to make sure to bring that up so. Kimberly Linson: So Mike would you explain what an AC is. Mike Prorock: Yeah basically member representative for w3c so you know and I know Kimberly for instance I think it's your CTO or CIO is the AC because I see him lists from time to time Etc so. Kimberly Linson: Great thank you anybody else. Kimberly Linson: All right I am going to go ahead and turn it over to you Mike to energy sodium. <kimberly_wilson_linson> Welcome to CCG link: https://docs.google.com/presentation/d/15BfjGKHEski3k1uFh88gNQcSYV0Laemx/edit#slide=id.gc5cf0950c6_0_3 Mike Prorock: Sure so I'll make this brief because I want to make sure Neil has plenty of time to talk but I've had the pleasure of engaging with a nail in this community and you know kind of kind of broadly in the conversations around decentralized identifiers and security and how do we make good verifiable claims about data and all sorts of different use cases and one thing that I genuinely liked about an ill is the fact that he is deeply committed to doing the right thing. Mike Prorock: Next one in attack it's always easy to get pulled away down solving fun problem versus necessarily things that scale and actually be practical and then solve the world problems around privacy and that stuff is very top of my no to him and it's always a pleasure to have him in to speak so with that nail going to pass over to you and your wonderfully high res screen share here. Anil John: I just wanted to make sure that you are getting The Full Experience Mike both on the video and the audio. Mike Prorock: Absolutely everything is coming through well. <tallted> "AC" = "Advisory Committee" ... often used as shorthand for "W3C AC Member", which is 1 individual from each W3C member organization/company. Also see https://www.w3.org/wiki/AdvisoryCommittee Topic: DHS SVIP Program Update Anil John: All right that obviously means that we are completely jinxed everything so we'll just go with that so you know thank you very much the projects of the w3c ccg core for inviting me to just give an update on our program agenda quick agenda for what I'll go through I've already sent these slides to the listserv and happy to answer you know questions at the end simply because I presented enough to the ccg to know. Anil John: Know that. Anil John: If I take one of you incredibly interesting questions in the middle we will immediately go down in a multiple Avenues and tangents and we will not get to you know everything that we need to go to so I'm happy to take the questions but let me let me make sure that I take it at the end so I know as Kimberly noted there's a lot of people who are who have joined the ccg and for those of you. Anil John: Who do not know. Anil John: I'm from and what we do I'm with the US Department of Homeland Security I'm with the science and technology directorate which is the part of the department that works with all of our operational and business units think you know FEMA think US citizenship and immigration service thing Customs and Border Protection we are the science advisor as well as the are di maama the department and in particular I look within a program called the Silicon Valley. Anil John: The Innovation program that is designed to bring. Anil John: Innovative technology from across the globe from small to small organizations that are truly Innovative typically do not work with government and bring those Technologies into use by the department itself right so regarding you know did some VCS which is what we're here to talk about we've been since our 2018 solicitation we've been contractually committed. Anil John: It too. Anil John: Open on all the work that we do this actually is part and parcel of the solicitation that went out that required that any companies that we basically awarded are required to actively work out in the open and do it in a manner to bring in the feedback from the global Community because we believe that it was really important with these standards and Technologies to actually get it done right and get it done openly at to get global. Anil John: Feedback you know 28. Anil John: More than 200 companies applied we ended up working with and selecting ultimately seven companies that are currently in the portfolio you will recognize many of them because they have act in fact you should recognize all of them because all of them are active members of this particular Community what you will also note is that we are one of the few programs within the US government that have the ability to you know fund and work with innovative. Anil John: Companies not just in the US but globally. Anil John: You have found that could be remarkably powerful for one particular reason it is often very very easy for a government organization that puts a contract into place with a specific vendor to sort of get caught up in the Echo chamber of that vendor's perspective we are fortunate in that we have a global cohort of companies that are bringing perspectives not just from the Americas you know not just from the US. Anil John: In Canada but also from EU. Anil John: Of the Pacific side as well right so and that has been really important because that diverse perspectives and diverse opinions gives us a way to ensure that we're not sort of you know being biased to one perspective of one ecosystem or one technology stack or a 1-1 something right so this is being mentally important for us and we also in order to reduce bias on the government side itself. Anil John: We multitrack we fund. Anil John: Companies simultaneously to solve the same problems again to make sure that we're not sort of got getting caught up in the you know ecosystem and the echo chamber of one companies or one platform providers or one technology providers perspective so DHS and w3c I'll keep it short we've been with you with our on the journey with this community. Anil John: Since the beginning. Anil John: Not lately not recently not when things were going right but from the beginning. Anil John: So why are we interested in verify the credentials and decentralized identifies we have actually three separate work streams one of them is led by our US citizenship and immigration service so this is the part of the DHS that is as old as America right so you know if you are looking at the US federal government and you're looking at the type of credentials that we issue other than the. Anil John: A sport which is issued by our Department of State. Anil John: Truly high value credentials think certificates of naturalization a u.s. permanent resident card that allows you to do to share information that you are eligible to live and work in the United States a certificate of citizenship a certificate of as I mentioned naturalization already employment authorization documents these are. Anil John: Are all credentials. Anil John: You to by the US citizenship and immigration service and they have a global footprint as you might well imagine so they're very interested in using Open Standards open Technologies as a way to digitally issue credentials that we currently already issue in a paper base for right so so from that perspective you know our implementation pattern is something that you're all very familiar with and this is you know sort of in a very much lined up with the combination of the use of. Anil John: VCS and did. Anil John: I would simply note that we make some nuances in how we articulate the role of what the VC data model called and verifiable data registry in our parlance we call that a metadata resolved or simply for one very simple reason right saying when you are an issue of a credential as you publish metadata about what you wish you and how you issue it that could be a document that basically contains the endpoints the. Anil John: Loki's and the like but it could also be information. Anil John: How we can check for the credential status of what we do so we sort of you know blend it into a conceptual unit called the metadata resolver that is analogous and is representation of what the VC data model calls a verifiable data registry and in our issuance infrastructure itself we are also very very much focused on the fact that we are requiring and implementing a bring your own did too. Anil John: The table implementation we are not. Anil John: You can identify it to are immigrants or our customers we are expecting them to come to the table with a with the identifier that we can ensure that we do approval possession of then we you know you bind that a fire to a verifiable credential now as I mentioned the we have multiple Works game the second work stream with is with the other part of the American government that is as old as America US Customs. Anil John: If you're familiar with them and if you even if you're not I know just in general if you are shipping Goods into the u.s. you need to provide data to the US Customs and such that they can basically evaluate yes no we want to talk to you more about what goods are moving into the US and Supply chains are complex beasts they have multiple hops that are owned by multiple entities and you know it is really really important for you as customers. Anil John: Alms in order to ensure that they have visibility. <mprorock> this is ultimately EDI replacement FYI for those coming in form more of a supply chain background Anil John: To the entities in the supply chain and what they are bringing into the u.s. so this is sort of a and our Focus tends to be currently with the VCS and dates our focus is on digitization digitizing the documentation that are related to the import of Steel e-commerce agriculture oil and gas products into the US that's our starting point and then we will expand from there you will note that the implementation pattern. Anil John: Here is actually going to be a little bit different. Anil John: These are about organizations talking to each other each organization are individually could be a issue of an attestation of a or a credential but it could also be a verifier of it and because we wanted to make a distinction between you know a personal digital work that is controlled by an individual and the organizational storage mechanism or whatever we are calling that organizational storage mechanism. Anil John: It did storyboard obviously a lot of these companies. Anil John: Stations are also using the encrypted data wall standards and others as a way to store that information but in general you know this is sort of the you know the implementation pattern that we see in our you know US Customs and important in a use cases and our work stream and it is really really important to note that both of these things are active for us and last but not least our third Works between. Anil John: Has to be a little bit big. Anil John: This is actually driven by some laws and policies within the US government about the minimization of the collection and use of the social security number for those folks from outside the US who do not know our challenges with this a social security number was a number that was created in the 1930s around the 1930s to identify a social benefit that has over time became. Anil John: Plated with an authenticator so people are. Anil John: The in a lot of cases using just the knowledge of ssin as an authenticator to identify people on the remote end of the wire which is obviously a really bad idea and as resulted in a significant amount of challenges with identity fraud within the u.s. context itself so our privacy officer Chief privacy officer officer and our privacy office is championing and looking at is. Anil John: There a way to sort of a used decent. Anil John: Identify is internally within the department as a mechanism for the to replace the day-to-day usage and storage of the SSN and we have a couple of use cases there that are that you can read I don't have a pretty diagram to talk about it but this tends to be a little bit bespoke to us and and and instead interesting you know case for us to move forward on this right so those are the three work streams that we currently have. Anil John: Have right so. <mprorock> /me sees Phil Anil John: It's really really important that as a government public entity we sort of ensure that we anchor our implementation on a set of principles and Open Standards that are truly traceable castable and ultimately can be used not just by us but by anybody who wants leverages because obviously we are a public entity that is using taxpayer funded money in order to do this work and we want to make sure that the work that we're doing is using. Anil John: Table by anybody who wants to use. Anil John: Restrictions so it is so let me walk you through some of the choices that we are making first and foremost right and one of the basic things whether we're talking about our personal credential work stream or all organizational cadastral workstream is we are absolutely committed to implement and encourage and support multiple independent interoperable and standard based implementation see here we've been in the past being walked into a corner by vendors with. Anil John: I agree ati's proprietary implementations. Anil John: Lock us into that particular platform or a standard or a technology we're not planning on doing that this time and we are absolutely not interested in in you know in a situation where you know technology providers and vendors become Gatekeepers between the relationship between government and our customers right so that is really important and some of the choices that we're making in order to. Anil John: To ensure. Anil John: That principle is supported obviously is working out in the open in the in areas such as the credential community group to build the calories test Suites and apis under your umbrella under the standards umbrella not under the DHS umbrella so that it is something that we can get feedback on other people can participate and provide input into and it is something that is a that is something that is usable by the broader community and not just us and again. Anil John: I'm absolutely. Anil John: All of the work that we're doing here to be something that is in a global visibility Global feedback require interoperability plugfest not just let me throw a profile out there and let me say that if I've organization implemented yeah that's not a path to success for it and I'll talk about how we're doing it in concretely as well right and the other piece of it is in a in this ecosystem in a lot of ways the locus of control and. Anil John: He's moving from as from what used to be identity providers that you're relying parties now to the digital wallet ecosystem so it is really really important for us to encourage choice in that area we support you know a lot of the the thinking that the the Canadian Mike our colleagues from Canada are you know doing in the space as well as the colleagues from the European commission are doing in the space regarding the importance of. Anil John: Of digital wallets. <mprorock> @ted Anil sent the deck to the list <mprorock> let me know if it did not come through Anil John: The ensuring that they are truly open and interoperable so you know we are very much committed to ensuring that you know we're not you know a focused on encouraging wallets that require proprietary implementations and ultimately I already talked about the fact that we multitrack our implementation to make sure that we ensure that multiple Innovative companies are able to bring technology. Anil John: Ecology and. <manu_sporny> Slide deck is attached here: https://lists.w3.org/Archives/Public/public-credentials/2022Jul/0026.html Anil John: A table given up that a lot of the work that is of interest to a lot of the people here are in the personal cadential and the individual digital identity piece I want to highlight something from the part of the work that is focused on that for my US citizen fit ship and immigration services that are truly principles that they are focused on right so for us for us and for them for individual. Anil John: Has it is a it is a it. <manu_sporny> Direct link to this slide deck: https://lists.w3.org/Archives/Public/public-credentials/2022Jul/att-0026/DHS.SVIP-Scaling.W3C.VC.DID.Interoperability-SHARE.pdf <phil_l_(p1)> Thanks Manu! Anil John: Whether you want a digital credential or not you are able to do all the businesses that you need to do with our physical credentials we continue to support them we will continue to support them for a variety of you are very good reason digital inclusion ensuring that people who either choose to or or cannot have access to digital credentials also have the same access to the services is. Anil John: Is really important so for us digital. <annette_muelller> thanks Manu! Anil John: Choice that have to be requested by a person before we issue something to them and at the paper-based credentials will continue to exist we are absolutely in a focused on ensuring and eliminating any type of phone home architecture and technology implementations and you can see the choices that we're making their in order to make sure that we are doing so in order to limitation we also want to make sure that back-channel interactions between better. Anil John: Fires of the credentials and issuers. <tallted> thanks mike, manu Anil John: Not visible to the holder or our customers are absolutely not something that we support as you all know the verifiable credentials data model standards actually does support the ability for a for example for a verified ask for a potential to be refreshed by from a issuer we saw that and we thought that that was while it is supported by the standard it is not. Anil John: T it is not something that we will see. Anil John: On the personal credential side as a implementation choice because we believe that that takes away visibility of that request and it establishes a back-channel interaction outside of the knowledge of the holder of the credentials of so that's not something that we will support we are absolutely committed to selective disclosure capabilities that did not have any lock into any platform or technology and we are currently in a very much supporting DB. Anil John: AS Plus signatures as the way forward on that. Anil John: And as I mentioned you know. Anil John: We've been consistent from the beginning that just because you're using standards does not mean that you are interoperable so we require in all the work that we do that we verify standards compliance using conformance test Suites of that are developed within this community and this is definitely something that our companies that we are funding are obviously contributing to such that it is usable and you know broadly available to. Anil John: Everybody but we go. Anil John: No and given all the politics around it this is this should be you know embedded within all of our psyche and displaying right point in time standards are created by people people make compromises people make choices in order to get a standard out the door which often means that there are multiple ways of implemented the same thing that is offered in the standard and to vendors could implement the standard and be fully standards-compliant. Anil John: And but completely. Anil John: Are operable because they've made different choices so for us interoperability that is standard Space is really important so we require contractually require that we have multi-party interoperability plugfest that ensure that multiple platforms multiple implementations multiple technology Stacks have the ability to truly interoperate in a mix and match manner let me be very clear I do not consider everybody choosing the. Anil John: The same platform with different use cases to be at. <mprorock> like in agriculture, monoculture is not ideal Anil John: Separation of interoperability it's not that is software monoculture and we've gone down that path before to not good places so I prune multi multi vendor interoperability that is demonstrated and testable is really important for us and for those who know me from before my DHS time you know that in a previous life I used to be the technical lead for the u.s.. Anil John: US federal government. Anil John: Ready grunts oh and access management program this is the program that ran the first famous Solutions program that certified and accredited private sector identity services that could be bought find the government and I learned some significant amount of lessons from that experience like one of them is you know I have had the pain and I have owned the you know the profiles of. Anil John: Sam'l and attribute Exchange. Anil John: It's for the. Anil John: Little government and you know this is typically where a whole bunch of really smart people get together and Define a profile then try to get people to implement that profiles we were successful to some degree but it is a very heavy lift so when we started this work on the DHS I'd we flipped the script and said what we will start from is truly demonstrated interoperability first and foremost so we will use the. Anil John: The interoperability. Anil John: And the choices that are being made within their as a way to document what needs to go into the going to the profile rather than starting from the profile and trying to work our way down and trying to get people implemented we wanted to start from cold that was working that was truly interoperability across multiple implementation and document that into a profile that bakes in the security privacy and interoperability expectations that are needed by all of us. Anil John: In our implementation. Anil John: So that profile piece really becomes really really important and it is built from the ground up rather than top-down and so so I think that might be a in a good segue into giving you an outline of what are the things that we are truly profiling and how are we thinking about the profiles that we are envisioning and how we expect that to operate right because I've seen enough profiles to. Anil John: About the amount of hand waving that sort of goes into and I also know there are things that are completely moving on a regular basis right now so I'm I'm very concerned about the fact that there is there are things that people are talking about and there are paintings that are people are not talking about so you know profile and when we talk about profile these are some of the things that we are talking about you know a profiling the the identifiers. Anil John: Is that. Anil John: Are used to identify entities whether they are people but that they are organizations and for us at a very granular level we will for each of these things we intend to provide information you know informative information that is on tutorial guidance on why we chosen to do what we chose to do very normative text about what it requires in order to be combined with the profile and truly important. <mprorock> also products, things, etc broadly as note (think a product as identified by a GS1 GTIN) Anil John: Automated conformance tests that you can use in order to ensure that you are indeed you know walking the talk here it is not enough to basically put a profile out there and say hey five different companies implemented that is really not that helpful because there is a whole bunch of trust us we know what we're doing that goes on into those type of work right we actually wanted to be in the in the in the position that the profiles. Anil John: It'd be testable. Anil John: Be conformance tests that people can run on a regular basis in order to verify the the conformance against the things that we profile so you know profiling identifiers metadata about what we what an identifier is you know is sharing you know these are things like you know what goes on in it in a did Json file how do we profile status list 2021. Anil John: For in a credential verification. Anil John: In checking how do we resolve it you know one of the things that they resolve and needs to take care of what are the things that you need to check how do you know what are the questions that you can answer for us and what are the questions that it cannot answer for us and it's also really really important it in a and one of the reasons I sort of articulated a multiple work streams is to very clearly note that in some cases we have divers and in. Anil John: Some are almost competing. Anil John: Parties within what the different parts of the ages wants to do for example in the personal credential issuance a piece by USCIS and proof unlink ability and privacy and choice of the identifiers used how things are structured is really really really important providing selective disclosure providing. Anil John: Nobody can basically track you across space and time in how these credentials are used when you are an individual with these type of credentials that is that is a really important principle and the choices that we're making there are driving us towards that so we will have how we are implementing unlink ability and the profiling of the choices that we're making very clearly articulated their that is unlike ability is not a desired outcome for. Anil John: For our supply chain use cases I will. <tallted> ( @mprorock @manu -- the deck hit my inbox at 12:30, with sent time of 11:48 ... for future reference, best if such decks can be sent earlier, or just provided via persistent link ) Anil John: That supply chain use cases for US Customs requires visibility into the actors in the supply chain requires understanding of if those entities are using forced labor practices or child labor which are not allowed by US law whether they are sanctioned entities that are trying to pretend to be somebody that they're not in the supply chain so the ability to use technology and standards to hide. Anil John: Yourself from. Mike Prorock: +1 - Thanks ted <mprorock> that is helpful Anil John: Information is not a desired outcome for our organizational credential use cases that come into play in the supply chain so we are going to be talking about how the traceability aspects of the supply chain pieces are also going to be implemented in the profile as well and again what is what is real right now is also with all of the discussions that we are. Anil John: Talking about. Anil John: Around Quantum resistant cryptography and the cryptographic choice is fundamentally a lot of the choices within our standards are obviously enabled by the use of cryptography the US government has very hard requirements on the type of cryptography that can be used in systems that connect to and are used by them so for us fips-compliant cryptography is first and foremost a hard requirement in the choices that we're making. Anil John: But we are also. Anil John: Looking at is there an opportunity to you know profile that for example a json-ld base verifiable credential with a linked data proved can actually have multiple different types of probes attached to it one proof could be a using a cryptographic primitive that is fully fips-compliant the second one could be something that is more experimental using a Quantum resistant cryptography you know for example I think the three big choices. Anil John: Nist announced recently dilithium falcon. Anil John: Pause our Autumn play right now so can you have one of those that is appropriate in addition to the fips-compliant topography that obviously the BBS for Signature is moving through the ietf and CC FRG going forward I've been talking to this day are actively tracking that work as well so is there a way to sort of provide that as an option as well so we are trying to figure out how best we make choices that give us cryptographic flexibility now. Anil John: Now and. Anil John: Would without impacting the user experience and those are things that we are going to be profiling with in there as well and obviously within the you know the credential itself you know how what are the data models that we support I will be very clear on noting that a required at Charles here will be json-ld with linked data proves right now the question becomes are there others that could be a should. Anil John: We'll come down to the cryptographic flexibility and things like that that are possible and we are working through that right now you know again profiling how we deliver a credential to a digital wallet in the personal credential use case how we deliver it to a digital wallet in an organization to organization use case credential verification revocation refresh aggregation selective disclosure these are all you know ingredients that go into. Anil John: Into a recipe. <mprorock> note that "shall comment" - JSON-LD with Linked Data Proofs is a key note that implementer should be considering Anil John: Right so so we consider this to be you need to basically profile at the ingredient level and each of them will have informative normative and conformance tests associated with that and again this is where you know I keep saying that basically there's a lot of things that need to be considered in order to get to a full implementation some of the feedback that we got when we engage with the advocacy community. Anil John: OT and the privacy. Anil John: Liberty Community you know something about a couple of months ago we got some really good feedback from them about information and implementation things that we need to consider from a technical perspective in Atkins it's not just about consent to share data with the verifier it is also is there a way to notify in credential holders about the verify is intended use of that share data so that they. Anil John: Can such that a person can make an informed. Anil John: Should about what to share and what not to share I talked about the fact that basically digital wallets are becoming more of a locus of control in this ecosystem as can be seen by all the work that is going on both in our ecosystem as well as in the European Union as well as in our Canadian colleagues ecosystems as well right not to mention in a much more globally as well so how do we come up with a mechanism that provides a you know wallet selector. Anil John: ISM that is truly interoperable I also consider that. Anil John: A lot of these things also have mechanism that allows us to you know signal intent I am an issue or that basically is in a signal into a digital wallet that basically tells them these are my capabilities that I have what can you support and this is a I'm a digital wallet that is signaling to a verifier hey these are the things that I can support you know how do I do that and how I'm a verify that is signaling to a digital wallet that shows. Anil John: Shows up at the at my front door saying that these are the things that I. <mprorock> @Tim Bouma - would love a similar presentation from your side with thoughts if you are open to it Anil John: You know and you know it sort of comes Under The Limited umbrella of query language but I think it is broader than that and we are looking at what are the ways that we sort of need to Signal intent in each of these places and also have the ability to technically Implement that and I'm a I'm a big believer in feature detection rather than product detection I think when it comes to digital. Anil John: Wallet and digital wall. Anil John: Just I think it is very easy when you go down the product detection thing in order to get yourself siloed into the implementations that are out there but if you're truly about ensuring choice in that new locus of control which is the wallet you need to basically have the ability to sort of detect the features that are supported by the word so that you can basically interact with it in a truly open Manner and that. Anil John: Are different ways of doing. Anil John: You could do it in a boob Force manner using independent testing of the warrant itself but is there a way to sort of do some sort of a cryptographic challenge or response in the long term I fully think that there needs to be there has to be some matter of a certification accreditation by truly competent third parties around the features that are in a wallet that we consume as cross marks of that allow us to know that yeah barely these wallets have these features. Anil John: Features of because these have been verified by entity and they. Anil John: Give It Up. Anil John: Cross mark So as such they are good for us to use within our ecosystem so so the intent about you know with all these what I call ingredients is to you know basically have a combination of recipes so our intent here when the profile is you should be using each of the things that I just talked about as ingredients that go into building a recipe a recipe for a personal credential issuance. Anil John: Workflow organizational credential. Anil John: Flow and the important thing they all are not going to be identical they are all actually going to be very different the way that our supply chain issuance flow works is very much going to be different from a personal cadential you know issuance flow and that is perfectly fine so one of the things is really that's why the granularity of these ingredients become. Anil John: Becomes really important. Anil John: Open because then what we are able to do is obviously mix-and-match them even in these workflows and Journeys in order to enable capabilities using the vocabularies that are out there right so this is sort of this is not this is sort of this is the way that we are looking at this profile this is a profile that is a work in progress we it will be have all this Define out of the gate absolutely not will we are these things that we. Anil John: Need to keep in mind so that the choices that we make. Anil John: Do not close off other choices that are articulated here absolutely so you know again I know that for some of you who are new to the ccg you can find obviously you know where to find the link to the standards but a lot of the things that we've contributed to that are available to all of you the citizenship vocabulary which is something that we are using in our immigration. Anil John: Ation credential peace. Mike Prorock: https://github.com/w3c-ccg/citizenship-vocab/ Mike Prorock: https://github.com/w3c-ccg/traceability-vocab Mike Prorock: https://github.com/w3c-ccg/traceability-interop Anil John: To increase ability vocabulary that is being used within our supply chain use case the traceability interoperability work that is being part done by the supply chain piece as I mentioned one of the things that we are very much into is demonstrating how interoperability will work then using that to document what goes in the profile so you can see that ongoing work going on our supply chain side in the you know traceability interoperability. Anil John: We work link that is there and you can see that. Anil John: The open API that is a profile of the VC API that is actually using that using that concretely right so again walking the talk here publicly with full feedback and you know input from all of you in the global Community we've done in cryptography and Analysis of both the in a VC and the did standards that is using allowing us to you know Drive our implementation on our choices. Anil John: BBS plus signatures are the. Anil John: Envision for Selective disclosure going forward water could point to the Fine work that is being done by you know transmute measure I/O Google IBM and I believe one more company who name who's name just thank you thank you that are you know on in the ietf around Json encoding for the post-mortem signatures which becomes a building block for how to incorporate that within the. Anil John: Linked data. <mprorock> NXP on PQC as well Anil John: You know proof ecosystem going forward as well again and I think you're aware of from the emails in the list about the wallet selector playground that is using choppy as well so that's sort of you know my you know mock my bitch and an update here I am happy to sort of let me let me kill the sharing here if I if you don't mind so that you're not seeing this. Anil John: Hopefully at that stop the sharing Mike. Mike Prorock: I did indeed and I know I had seen Phil On Cue earlier Phil did you have a question or was that just in regard to getting a copy of the deck because I know that lag. Phil_L_(P1): That was just that was just getting powerchute hello. Mike Prorock: Yep you're good. Phil_L_(P1): Okay good that was just in copy for getting a copy the deck which I have now thank you. Anil John: No worries again I'm happy to answer any questions wanted to make sure I sort of articulated at least where we are going and obviously happy to answer questions point you to the test Suites and things like that that are on there and Adrian would love to speak and I would love to hear from you Adrian. <phil_l_(p1)> A bit thanks though to Anil for the update. Adrian_Gropper_: I am I I really appreciated towards the end when you mentioned that you reached out to the privacy and advocacy Community for their input and that slide labeled three or four that listed the basically the requirement that are coming up at least that's the way I treat them. Anil John: It is I can send you up in there were three things that actually we got back as feedback I'll simply note Adrian that our Chief privacy officer link pocket debris is pretty damn awesome and she basically reached out on our behalf to the civil liberty and privacy advocacy community and it was a pretty pretty intense you know four to five hour pretty much an entire day you know session with them too. Anil John: To articulate them in the choices that we're making getting their. Anil John: And you know taking their feedback and trying to figure out how to bake it into the engineering on the things that we are not thought of. Adrian_Gropper_: Right so I just have one question of you like I say that that was a great slide and I'm glad to see you're doing this what I don't understand yet in your in your roadmap is where delegation comes in into the protocol picture that obviously threats through both where we are now and where we're going I did not see. Adrian_Gropper_: see that. Adrian_Gropper_: And I'm curious because it also impacts the interaction between ccg and ITF for example that I've been you know focusing on in the last couple of months so is the creation go up. Anil John: No no this is a new dropping the ball on you delegation should have been one of the things that we profile in there so I will make sure that it's corrected and added as part of what the end game for us is but having said that I think I've responded on this back to you but I will reiterate by three private responses on this as well right so. Anil John: You know one of the things that is really important for us is to ensure that we are bootstrapping off of our existing physical credentials and there is existing processes around delegation of authority in how a immigration credential is used that currently exists and is used by that ecosystem so there is an option for that within the physical credential ecosystem so which is why it is. Anil John: Is it. Anil John: Something that we want to have as a capability in the digital side eventually but it is also not something that we're going to tackle first and foremost out of the gate no worries now I thank you for I knew you work out as soon as eight you got on the call you know that I knew that you are and I think I was thinking to myself oh God I forgot that yeah. Mike Prorock: Ha ha ha awesome yeah thanks for the call that a nail because it is an important topic Allison I say you want to queue. Anil John: So as the person who seven years ago basically when the bottles spun around the table around the applicability of blockchain Technologies to DHS the person who ended up holding the bag was me I you know the I own the R&D program around blockchain and and DLT Technologies are there is a separate set of you know Genesis documents for lack of a better. Anil John: Word yes I am overly. Anil John: That comes into how we ended up putting our support behind did Cindy sees that are coming from the blocks in Arena the long and the short of it is we learned very quickly that 80 to 90 90 to 95% of the use cases that are being articulated for blockchain Technologies does not require any type of blockchain at also at the same time we also realize that our counter parties in the. Anil John: Good community in the other communities were also. Anil John: Very enthusiastic about blockchain technology so we needed a mechanism that allowed our Enterprise systems to work with both blockchain Technologies and non blockchain Technologies and across blockchain Technologies and the choice that we made was to ensure that if you are bringing a blockchain to DHS you need to ensure that there is a interoperability layer that is built on top of that block. Anil John: Chain that consists of verifiable. <mprorock> case note did:ion interop with did:web as part of did resolution Anil John: As the data model decentralized identifiers as the as the identifier mechanism and a set of standard ABI so my job over the last three or four years within DHS has been to make blockchain go away by ensuring that we have a layer of interoperability around it which is why we are we are using these standards which are applicable and have no dependency on blockchain but also. Anil John: So can be used with the Block Chain as well. Anil John: Come back to your question originally that was a long-winded answer sorry about that come back coming back your question we are not anchoring anything within a block chain at this point out for example though that way that we identify ourselves as an entity USCIS and CBP will identify ourselves as issuers and verify is in the ecosystem is using did web as a mechanism the.gov top-level domain is owned and operated by the. Anil John: U.s. government we have a significant amount of. Anil John: In that domain infrastructure we have a significant amount of confidence in our web infrastructure so it makes sense for us to use that we are not on the personal credential side actually issuing any decentralised identifiers to an immigrant of for a variety of reasons the simplest and most expedient being we do not want to have any question whatsoever that we are issuing some. Anil John: A manner of an identifier that. Anil John: Using to track people's usage across space and time and the easiest way to not sort of go down that idiotic rabbit hole is to Simply ensure that we don't issue a did to that person right so so when are anchoring them in that type of thing on the trade side obviously you know there might be entities within the broader trade Community who might be bringing decentralised identifiers that are. Anil John: Are anchored in dlts or. Anil John: Blockchains so that is perfectly fine for us it is not something that we are issuing or you know implementing it is something that we need to verify we just need to ensure that the security privacy and interoperable properties of that implementation are something that we find acceptable or not does that help Alison. Mike Prorock: Awesome and I'm looking at time here we've got about three and a half minutes or so less are there any final questions in or any kind of closing thoughts I if not I'd love to put Tim Boma on the spot just for his feedback and thoughts since I see him on the line unless he dropped off he may have. Mike Prorock: You did that yeah. Anil John: If he hasn't up you know I'm going to basically so the Tim as you know if Tim is on the line by all means would love to hear from me he's moved on to a new role within the Canadian government into the standards and verifications I would love to know what he's doing but I'd also put I hate to put you on the spot here but the person who's actually currently within the US. Anil John: Who is who's taken over the identity file in the treasury board secretary is actually purchasing I noticed that he is present I am hoping that he will would love to I'm sorry my friend to put you on the spot I hope that you you can pretend that you are you're completely dropped off by the way if you don't want to answer it anyway. Kulpreet Singh: No no thanks no no I'm right here I'm listening and yeah great great presentation lots of other questions were very very interested in actually some of the conformance sort of the criteria that is coming out of the work that you guys are doing I think that will help us a lot to sort of you know leverage that approach and maybe build on it I think it would be very very interesting. Anil John: Thank you sir my back to you Tim are you still on by any chance or are you have you have you love for fighter pastures. Anil John: Okay never mind. <heather_vescent> Always great to get an update from Anil! Mike Prorock: Am I still on did Tim Ali I believe Tim left so yeah the but yeah no I um yeah I think any I would just kind of I guess open it up for any kind of final closing thoughts you know this is a great session is very helpful to just kind of look at this stuff I appreciate the openness around this initiative because I think it's important right for the reasons that Adrian's noted etcetera. Mike Prorock: This is stuff that definitely concerns. Mike Prorock: Some concerns as. Mike Prorock: Right in and this approach is unique in government and is something that I am a huge fan of so any closing thoughts as we wrap up here. Anil John: Do we closing thought is basically if we're. Anil John: Even though there are many competitors in this space and in the vendor Community here there is a foundation that is useful and important for all of us to work together on but we want to make sure that the foundation is as you truly interoperable and that interoperability is actually testable right so so please you know I would encourage anybody in a globally to take a look at the work that is being done. Anil John: Done in the ccg. Anil John: You the test Suites that are being developed and implemented and to provide feedback you know open pull request against it you know contribute to it and integrate with them on a regular basis so that we are all sort of moving in the general direction it is going to be a real that different jurisdictions will have different priorities in what they are doing but I also think that there is an opportunity for us to have a set of in a common foundational ingredients that we can all share that we put together. Anil John: Together in different in two different drop is press the PS that are up. Anil John: So let's work on those ingredients together and let's make sure that they are testable through the interoperable and so then we can mix and match them into what makes sense for all of you within your different verticals different use cases and different jurisdictions. Mike Prorock: Now that's it's awesome and yeah obviously I think we've gotten to the point where a lot of these test Suites are now you know moving forward in a pretty good way and you know what so would it be fair to say you know if you've got implementations or you're working with generally speaking please register with those test Suites and start showing that interoperability or what your final comment there. Mike Prorock: Or did I lose in the hell now now. Anil John: No you did not use and I see that Adrienne has his hand up by the way just in case. Adrian_Gropper_: Just a quick question if you can how do how should we or you react to the initiatives on the mobile driver's license ISO standards and on the passkey wallet announcements as they relate to the work that we're promoting here. Anil John: Can I use the time has run out in order to run away from that question a dream. Mike Prorock: You make because I think that's going to Meredith actually I it's an important question I think that's going to be eating itself. <phil_l_(p1)> Next time then! Anil John: It's an important person I'm happy to answer but I it's also a nuanced answer so I don't want I don't want to be in a position where a half-assed answer is weaponized by people for other things. Mike Prorock: Adrian that's an important enough topic will make sure that that gets a full dedicated meeting by the way. <harrison_tang> Thank you, Anil, for a great presentation !! Kimberly Linson: Got it yep. Kimberly Linson: Recording has stopped.
Received on Wednesday, 20 July 2022 17:34:28 UTC