[MINUTES] W3C CCG Weekly Call - 2022-07-12

Thanks to Our Robot Overlords for scribing this week!

The transcript for the call is now available here:

https://w3c-ccg.github.io/meetings/2022-07-12/

Full text of the discussion follows for W3C archival purposes.
Audio of the meeting is available at the following location:

https://w3c-ccg.github.io/meetings/2022-07-12/audio.ogg

----------------------------------------------------------------
W3C CCG Weekly Teleconference Transcript for 2022-07-12

Agenda:
  https://lists.w3.org/Archives/Public/public-credentials/2022Jul/0021.html
Topics:
  1. Announcements and Reminders
  2. DHS SVIP Program Update
Organizer:
  Kimberly Linson, Mike Prorock
Scribe:
  Our Robot Overlords
Present:
  Kimberly Linson, Anil John, Orie Steele, Tim Bouma, TallTed // 
  Ted Thibodeau (he/him) (OpenLinkSw.com), Mario Bonito, Allison 
  Fromm, Paul Jackson, Kulpreet Singh, Mike Prorock, Harrison Tang, 
  Manu Sporny, Shawn Butterfield, Will Abramson, Jon St. John, Ben 
  (Transmute), Marty Reed, Sokeeffe, Chris Abernethy, Kerri Lemoie, 
  Lucy Yang, Kayode Ezike, David I. Lehn, Ted Thibodeau, Laura 
  Fowler, Brent Zundel, Phil L (P1), Jenn G, Kaliya, Annette 
  Muelller, Heather Vescent, Adrian Gropper, matt, Jeff O - 
  HumanOS, Erica Connell, Dmitri Zagidulin, Sapan Narang

Our Robot Overlords are scribing.
Video of this meeting is available here: 
  https://meet.w3c-ccg.org/archives/w3c-ccg-weekly-2022-07-12.mp4
Kimberly Linson:  Okay well quickly as you know we have a special 
  guest today and you'll John is going to be talking with us about 
  some of the tech standards that they all use to make decisions 
  and I'm going to let Mike introduce him in a little bit but first 
  of all let me just remind everyone of our code of ethics and 
  professional conduct you can find the link to that in the agenda 
  if you want to read it more thoroughly but we definitely want to 
  make sure that this is a collaborative community.
Kimberly Linson:  In one of the things I love most about it the 
  IP note anybody can participate in these calls however anyone who 
  wants to contribute substantial work that needs to be a member of 
  the ccg with full IP are agreements the links to those are also 
  in the agenda I will tell you I get an automatic notification 
  every time someone joins the ccg and it is has been really 
  interesting for me the last.
Kimberly Linson:  A couple of months how many people are joining 
  this community is really actively growing and I actually see some 
  folks who have recently joined here with us today on the call and 
  one of the things we've started doing is sending out some 
  hopefully entered some good introductory materials so if you want 
  to weigh in on those or I'm going to put the link in the chat 
  once I stop talking so that you can review those as well.
Kimberly Linson:  We minute and do audio recording of everything 
  that's said on these calls we definitely invite your 
  participation and if you want to to contribute to the 
  conversation please put Q Plus in the chat queue - if you change 
  your mind and we definitely will be keeping this in the audio 
  file so not held on IRC a few if you have comments in the chat 
  that are offline you know we.
Kimberly Linson:   We made those may be deleted.
Kimberly Linson:  We are not going to hopefully need a scribe 
  today we'll cross that bridge if we get to it and so now we are 
  at introductions and reintroductions do I have anybody who wants 
  to introduce themselves.

Topic: Announcements and Reminders

Kimberly Linson:  Okay next is announcements and reminders.
Kimberly Linson:  Any announcements and reminders yeah I know.
<manu_sporny> Call for DID Press Release testimonials: 
  https://lists.w3.org/Archives/Public/public-did-wg/2022Jul/0000.html
Manu Sporny:  Yeah I think Kimberly the there was a call so sorry 
  did core has been approved for promotion to a global standard so 
  hooray that's great there was a call for did press release 
  testimonials I'm going to put the link in here for the press 
  release test.
<mprorock> woot! dids are even more of a thing
Manu Sporny:  You do not have to be a w3c member to submit a 
  testimonial so basically there's going to be a press release that 
  goes out announcing dids to the world as a global web standard by 
  w3c at the bottom of that press release the the one that w3c kind 
  of keeps for all time there can be any number of testimonials 
  releasing members or non w3c members that liked it so if you have 
  an organization that is.
Manu Sporny:   Using dids or planes to used its in the future.
Manu Sporny:  After submitting a testimonial by the end of this 
  week There's a hard deadline by July 15th we have to have all 
  those testimonials in and approved that's it.
Kimberly Linson:  Okay thanks anyone else with an announcement a 
  reminder.
Mike Prorock:  I've got one more quick wonder if you are C at w3c 
  proper or are in touch with your AC please do make sure folks are 
  attending the actual AC calls today there are a seedings today 
  and there's a lot of interesting topics rolling around especially 
  related to governance board construction and timing that 
  genuinely every AC needs to be paying attention to as far as.
Mike Prorock:   As you know future of W3.
Mike Prorock:  Action and financial stability etcetera so please 
  do engage that as our voice right and that's why we are members 
  of w3c if you're just a community group member this doesn't apply 
  to you but didn't need to make sure to bring that up so.
Kimberly Linson:  So Mike would you explain what an AC is.
Mike Prorock:  Yeah basically member representative for w3c so 
  you know and I know Kimberly for instance I think it's your CTO 
  or CIO is the AC because I see him lists from time to time Etc 
  so.
Kimberly Linson:  Great thank you anybody else.
Kimberly Linson:  All right I am going to go ahead and turn it 
  over to you Mike to energy sodium.
<kimberly_wilson_linson> Welcome to CCG link: 
  https://docs.google.com/presentation/d/15BfjGKHEski3k1uFh88gNQcSYV0Laemx/edit#slide=id.gc5cf0950c6_0_3
Mike Prorock:  Sure so I'll make this brief because I want to 
  make sure Neil has plenty of time to talk but I've had the 
  pleasure of engaging with a nail in this community and you know 
  kind of kind of broadly in the conversations around decentralized 
  identifiers and security and how do we make good verifiable 
  claims about data and all sorts of different use cases and one 
  thing that I genuinely liked about an ill is the fact that he is 
  deeply committed to doing the right thing.
Mike Prorock:  Next one in attack it's always easy to get pulled 
  away down solving fun problem versus necessarily things that 
  scale and actually be practical and then solve the world problems 
  around privacy and that stuff is very top of my no to him and 
  it's always a pleasure to have him in to speak so with that nail 
  going to pass over to you and your wonderfully high res screen 
  share here.
Anil John:  I just wanted to make sure that you are getting The 
  Full Experience Mike both on the video and the audio.
Mike Prorock:  Absolutely everything is coming through well.
<tallted> "AC" = "Advisory Committee" ... often used as shorthand 
  for "W3C AC Member", which is 1 individual from each W3C member 
  organization/company.  Also see 
  https://www.w3.org/wiki/AdvisoryCommittee

Topic: DHS SVIP Program Update

Anil John:  All right that obviously means that we are completely 
  jinxed everything so we'll just go with that so you know thank 
  you very much the projects of the w3c ccg core for inviting me to 
  just give an update on our program agenda quick agenda for what 
  I'll go through I've already sent these slides to the listserv 
  and happy to answer you know questions at the end simply because 
  I presented enough to the ccg to know.
Anil John:   Know that.
Anil John:  If I take one of you incredibly interesting questions 
  in the middle we will immediately go down in a multiple Avenues 
  and tangents and we will not get to you know everything that we 
  need to go to so I'm happy to take the questions but let me let 
  me make sure that I take it at the end so I know as Kimberly 
  noted there's a lot of people who are who have joined the ccg and 
  for those of you.
Anil John:   Who do not know.
Anil John:  I'm from and what we do I'm with the US Department of 
  Homeland Security I'm with the science and technology directorate 
  which is the part of the department that works with all of our 
  operational and business units think you know FEMA think US 
  citizenship and immigration service thing Customs and Border 
  Protection we are the science advisor as well as the are di maama 
  the department and in particular I look within a program called 
  the Silicon Valley.
Anil John:   The Innovation program that is designed to bring.
Anil John:  Innovative technology from across the globe from 
  small to small organizations that are truly Innovative typically 
  do not work with government and bring those Technologies into use 
  by the department itself right so regarding you know did some VCS 
  which is what we're here to talk about we've been since our 2018 
  solicitation we've been contractually committed.
Anil John:   It too.
Anil John:  Open on all the work that we do this actually is part 
  and parcel of the solicitation that went out that required that 
  any companies that we basically awarded are required to actively 
  work out in the open and do it in a manner to bring in the 
  feedback from the global Community because we believe that it was 
  really important with these standards and Technologies to 
  actually get it done right and get it done openly at to get 
  global.
Anil John:   Feedback you know 28.
Anil John:  More than 200 companies applied we ended up working 
  with and selecting ultimately seven companies that are currently 
  in the portfolio you will recognize many of them because they 
  have act in fact you should recognize all of them because all of 
  them are active members of this particular Community what you 
  will also note is that we are one of the few programs within the 
  US government that have the ability to you know fund and work 
  with innovative.
Anil John:   Companies not just in the US but globally.
Anil John:  You have found that could be remarkably powerful for 
  one particular reason it is often very very easy for a government 
  organization that puts a contract into place with a specific 
  vendor to sort of get caught up in the Echo chamber of that 
  vendor's perspective we are fortunate in that we have a global 
  cohort of companies that are bringing perspectives not just from 
  the Americas you know not just from the US.
Anil John:   In Canada but also from EU.
Anil John:  Of the Pacific side as well right so and that has 
  been really important because that diverse perspectives and 
  diverse opinions gives us a way to ensure that we're not sort of 
  you know being biased to one perspective of one ecosystem or one 
  technology stack or a 1-1 something right so this is being 
  mentally important for us and we also in order to reduce bias on 
  the government side itself.
Anil John:   We multitrack we fund.
Anil John:  Companies simultaneously to solve the same problems 
  again to make sure that we're not sort of got getting caught up 
  in the you know ecosystem and the echo chamber of one companies 
  or one platform providers or one technology providers perspective 
  so DHS and w3c I'll keep it short we've been with you with our on 
  the journey with this community.
Anil John:   Since the beginning.
Anil John:  Not lately not recently not when things were going 
  right but from the beginning.
Anil John:  So why are we interested in verify the credentials 
  and decentralized identifies we have actually three separate work 
  streams one of them is led by our US citizenship and immigration 
  service so this is the part of the DHS that is as old as America 
  right so you know if you are looking at the US federal government 
  and you're looking at the type of credentials that we issue other 
  than the.
Anil John:   A sport which is issued by our Department of State.
Anil John:  Truly high value credentials think certificates of 
  naturalization a u.s. permanent resident card that allows you to 
  do to share information that you are eligible to live and work in 
  the United States a certificate of citizenship a certificate of 
  as I mentioned naturalization already employment authorization 
  documents these are.
Anil John:   Are all credentials.
Anil John:  You to by the US citizenship and immigration service 
  and they have a global footprint as you might well imagine so 
  they're very interested in using Open Standards open Technologies 
  as a way to digitally issue credentials that we currently already 
  issue in a paper base for right so so from that perspective you 
  know our implementation pattern is something that you're all very 
  familiar with and this is you know sort of in a very much lined 
  up with the combination of the use of.
Anil John:   VCS and did.
Anil John:  I would simply note that we make some nuances in how 
  we articulate the role of what the VC data model called and 
  verifiable data registry in our parlance we call that a metadata 
  resolved or simply for one very simple reason right saying when 
  you are an issue of a credential as you publish metadata about 
  what you wish you and how you issue it that could be a document 
  that basically contains the endpoints the.
Anil John:   Loki's and the like but it could also be 
  information.
Anil John:  How we can check for the credential status of what we 
  do so we sort of you know blend it into a conceptual unit called 
  the metadata resolver that is analogous and is representation of 
  what the VC data model calls a verifiable data registry and in 
  our issuance infrastructure itself we are also very very much 
  focused on the fact that we are requiring and implementing a 
  bring your own did too.
Anil John:   The table implementation we are not.
Anil John:  You can identify it to are immigrants or our 
  customers we are expecting them to come to the table with a with 
  the identifier that we can ensure that we do approval possession 
  of then we you know you bind that a fire to a verifiable 
  credential now as I mentioned the we have multiple Works game the 
  second work stream with is with the other part of the American 
  government that is as old as America US Customs.
Anil John:  If you're familiar with them and if you even if 
  you're not I know just in general if you are shipping Goods into 
  the u.s. you need to provide data to the US Customs and such that 
  they can basically evaluate yes no we want to talk to you more 
  about what goods are moving into the US and Supply chains are 
  complex beasts they have multiple hops that are owned by multiple 
  entities and you know it is really really important for you as 
  customers.
Anil John:   Alms in order to ensure that they have visibility.
<mprorock> this is ultimately EDI replacement FYI for those 
  coming in form more of a supply chain background
Anil John:  To the entities in the supply chain and what they are 
  bringing into the u.s. so this is sort of a and our Focus tends 
  to be currently with the VCS and dates our focus is on 
  digitization digitizing the documentation that are related to the 
  import of Steel e-commerce agriculture oil and gas products into 
  the US that's our starting point and then we will expand from 
  there you will note that the implementation pattern.
Anil John:   Here is actually going to be a little bit different.
Anil John:  These are about organizations talking to each other 
  each organization are individually could be a issue of an 
  attestation of a or a credential but it could also be a verifier 
  of it and because we wanted to make a distinction between you 
  know a personal digital work that is controlled by an individual 
  and the organizational storage mechanism or whatever we are 
  calling that organizational storage mechanism.
Anil John:   It did storyboard obviously a lot of these 
  companies.
Anil John:  Stations are also using the encrypted data wall 
  standards and others as a way to store that information but in 
  general you know this is sort of the you know the implementation 
  pattern that we see in our you know US Customs and important in a 
  use cases and our work stream and it is really really important 
  to note that both of these things are active for us and last but 
  not least our third Works between.
Anil John:   Has to be a little bit big.
Anil John:  This is actually driven by some laws and policies 
  within the US government about the minimization of the collection 
  and use of the social security number for those folks from 
  outside the US who do not know our challenges with this a social 
  security number was a number that was created in the 1930s around 
  the 1930s to identify a social benefit that has over time became.
Anil John:   Plated with an authenticator so people are.
Anil John:  The in a lot of cases using just the knowledge of 
  ssin as an authenticator to identify people on the remote end of 
  the wire which is obviously a really bad idea and as resulted in 
  a significant amount of challenges with identity fraud within the 
  u.s. context itself so our privacy officer Chief privacy officer 
  officer and our privacy office is championing and looking at is.
Anil John:   There a way to sort of a used decent.
Anil John:  Identify is internally within the department as a 
  mechanism for the to replace the day-to-day usage and storage of 
  the SSN and we have a couple of use cases there that are that you 
  can read I don't have a pretty diagram to talk about it but this 
  tends to be a little bit bespoke to us and and and instead 
  interesting you know case for us to move forward on this right so 
  those are the three work streams that we currently have.
Anil John:   Have right so.
<mprorock> /me sees Phil
Anil John:  It's really really important that as a government 
  public entity we sort of ensure that we anchor our implementation 
  on a set of principles and Open Standards that are truly 
  traceable castable and ultimately can be used not just by us but 
  by anybody who wants leverages because obviously we are a public 
  entity that is using taxpayer funded money in order to do this 
  work and we want to make sure that the work that we're doing is 
  using.
Anil John:   Table by anybody who wants to use.
Anil John:  Restrictions so it is so let me walk you through some 
  of the choices that we are making first and foremost right and 
  one of the basic things whether we're talking about our personal 
  credential work stream or all organizational cadastral workstream 
  is we are absolutely committed to implement and encourage and 
  support multiple independent interoperable and standard based 
  implementation see here we've been in the past being walked into 
  a corner by vendors with.
Anil John:   I agree ati's proprietary implementations.
Anil John:  Lock us into that particular platform or a standard 
  or a technology we're not planning on doing that this time and we 
  are absolutely not interested in in you know in a situation where 
  you know technology providers and vendors become Gatekeepers 
  between the relationship between government and our customers 
  right so that is really important and some of the choices that 
  we're making in order to.
Anil John:   To ensure.
Anil John:  That principle is supported obviously is working out 
  in the open in the in areas such as the credential community 
  group to build the calories test Suites and apis under your 
  umbrella under the standards umbrella not under the DHS umbrella 
  so that it is something that we can get feedback on other people 
  can participate and provide input into and it is something that 
  is a that is something that is usable by the broader community 
  and not just us and again.
Anil John:   I'm absolutely.
Anil John:  All of the work that we're doing here to be something 
  that is in a global visibility Global feedback require 
  interoperability plugfest not just let me throw a profile out 
  there and let me say that if I've organization implemented yeah 
  that's not a path to success for it and I'll talk about how we're 
  doing it in concretely as well right and the other piece of it is 
  in a in this ecosystem in a lot of ways the locus of control and.
Anil John:  He's moving from as from what used to be identity 
  providers that you're relying parties now to the digital wallet 
  ecosystem so it is really really important for us to encourage 
  choice in that area we support you know a lot of the the thinking 
  that the the Canadian Mike our colleagues from Canada are you 
  know doing in the space as well as the colleagues from the 
  European commission are doing in the space regarding the 
  importance of.
Anil John:   Of digital wallets.
<mprorock> @ted Anil sent the deck to the list
<mprorock> let me know if it did not come through
Anil John:  The ensuring that they are truly open and 
  interoperable so you know we are very much committed to ensuring 
  that you know we're not you know a focused on encouraging wallets 
  that require proprietary implementations and ultimately I already 
  talked about the fact that we multitrack our implementation to 
  make sure that we ensure that multiple Innovative companies are 
  able to bring technology.
Anil John:   Ecology and.
<manu_sporny> Slide deck is attached here: 
  https://lists.w3.org/Archives/Public/public-credentials/2022Jul/0026.html
Anil John:  A table given up that a lot of the work that is of 
  interest to a lot of the people here are in the personal 
  cadential and the individual digital identity piece I want to 
  highlight something from the part of the work that is focused on 
  that for my US citizen fit ship and immigration services that are 
  truly principles that they are focused on right so for us for us 
  and for them for individual.
Anil John:   Has it is a it is a it.
<manu_sporny> Direct link to this slide deck: 
  https://lists.w3.org/Archives/Public/public-credentials/2022Jul/att-0026/DHS.SVIP-Scaling.W3C.VC.DID.Interoperability-SHARE.pdf
<phil_l_(p1)> Thanks Manu!
Anil John:  Whether you want a digital credential or not you are 
  able to do all the businesses that you need to do with our 
  physical credentials we continue to support them we will continue 
  to support them for a variety of you are very good reason digital 
  inclusion ensuring that people who either choose to or or cannot 
  have access to digital credentials also have the same access to 
  the services is.
Anil John:   Is really important so for us digital.
<annette_muelller> thanks Manu!
Anil John:  Choice that have to be requested by a person before 
  we issue something to them and at the paper-based credentials 
  will continue to exist we are absolutely in a focused on ensuring 
  and eliminating any type of phone home architecture and 
  technology implementations and you can see the choices that we're 
  making their in order to make sure that we are doing so in order 
  to limitation we also want to make sure that back-channel 
  interactions between better.
Anil John:   Fires of the credentials and issuers.
<tallted> thanks mike, manu
Anil John:  Not visible to the holder or our customers are 
  absolutely not something that we support as you all know the 
  verifiable credentials data model standards actually does support 
  the ability for a for example for a verified ask for a potential 
  to be refreshed by from a issuer we saw that and we thought that 
  that was while it is supported by the standard it is not.
Anil John:   T it is not something that we will see.
Anil John:  On the personal credential side as a implementation 
  choice because we believe that that takes away visibility of that 
  request and it establishes a back-channel interaction outside of 
  the knowledge of the holder of the credentials of so that's not 
  something that we will support we are absolutely committed to 
  selective disclosure capabilities that did not have any lock into 
  any platform or technology and we are currently in a very much 
  supporting DB.
Anil John:   AS Plus signatures as the way forward on that.
Anil John:  And as I mentioned you know.
Anil John:  We've been consistent from the beginning that just 
  because you're using standards does not mean that you are 
  interoperable so we require in all the work that we do that we 
  verify standards compliance using conformance test Suites of that 
  are developed within this community and this is definitely 
  something that our companies that we are funding are obviously 
  contributing to such that it is usable and you know broadly 
  available to.
Anil John:   Everybody but we go.
Anil John:  No and given all the politics around it this is this 
  should be you know embedded within all of our psyche and 
  displaying right point in time standards are created by people 
  people make compromises people make choices in order to get a 
  standard out the door which often means that there are multiple 
  ways of implemented the same thing that is offered in the 
  standard and to vendors could implement the standard and be fully 
  standards-compliant.
Anil John:   And but completely.
Anil John:  Are operable because they've made different choices 
  so for us interoperability that is standard Space is really 
  important so we require contractually require that we have 
  multi-party interoperability plugfest that ensure that multiple 
  platforms multiple implementations multiple technology Stacks 
  have the ability to truly interoperate in a mix and match manner 
  let me be very clear I do not consider everybody choosing the.
Anil John:   The same platform with different use cases to be at.
<mprorock> like in agriculture, monoculture is not ideal
Anil John:  Separation of interoperability it's not that is 
  software monoculture and we've gone down that path before to not 
  good places so I prune multi multi vendor interoperability that 
  is demonstrated and testable is really important for us and for 
  those who know me from before my DHS time you know that in a 
  previous life I used to be the technical lead for the u.s..
Anil John:   US federal government.
Anil John:  Ready grunts oh and access management program this is 
  the program that ran the first famous Solutions program that 
  certified and accredited private sector identity services that 
  could be bought find the government and I learned some 
  significant amount of lessons from that experience like one of 
  them is you know I have had the pain and I have owned the you 
  know the profiles of.
Anil John:   Sam'l and attribute Exchange.
Anil John:  It's for the.
Anil John:  Little government and you know this is typically 
  where a whole bunch of really smart people get together and 
  Define a profile then try to get people to implement that 
  profiles we were successful to some degree but it is a very heavy 
  lift so when we started this work on the DHS I'd we flipped the 
  script and said what we will start from is truly demonstrated 
  interoperability first and foremost so we will use the.
Anil John:   The interoperability.
Anil John:  And the choices that are being made within their as a 
  way to document what needs to go into the going to the profile 
  rather than starting from the profile and trying to work our way 
  down and trying to get people implemented we wanted to start from 
  cold that was working that was truly interoperability across 
  multiple implementation and document that into a profile that 
  bakes in the security privacy and interoperability expectations 
  that are needed by all of us.
Anil John:   In our implementation.
Anil John:  So that profile piece really becomes really really 
  important and it is built from the ground up rather than top-down 
  and so so I think that might be a in a good segue into giving you 
  an outline of what are the things that we are truly profiling and 
  how are we thinking about the profiles that we are envisioning 
  and how we expect that to operate right because I've seen enough 
  profiles to.
Anil John:  About the amount of hand waving that sort of goes 
  into and I also know there are things that are completely moving 
  on a regular basis right now so I'm I'm very concerned about the 
  fact that there is there are things that people are talking about 
  and there are paintings that are people are not talking about so 
  you know profile and when we talk about profile these are some of 
  the things that we are talking about you know a profiling the the 
  identifiers.
Anil John:   Is that.
Anil John:  Are used to identify entities whether they are people 
  but that they are organizations and for us at a very granular 
  level we will for each of these things we intend to provide 
  information you know informative information that is on tutorial 
  guidance on why we chosen to do what we chose to do very 
  normative text about what it requires in order to be combined 
  with the profile and truly important.
<mprorock> also products, things, etc broadly as note (think a 
  product as identified by a GS1 GTIN)
Anil John:  Automated conformance tests that you can use in order 
  to ensure that you are indeed you know walking the talk here it 
  is not enough to basically put a profile out there and say hey 
  five different companies implemented that is really not that 
  helpful because there is a whole bunch of trust us we know what 
  we're doing that goes on into those type of work right we 
  actually wanted to be in the in the in the position that the 
  profiles.
Anil John:   It'd be testable.
Anil John:  Be conformance tests that people can run on a regular 
  basis in order to verify the the conformance against the things 
  that we profile so you know profiling identifiers metadata about 
  what we what an identifier is you know is sharing you know these 
  are things like you know what goes on in it in a did Json file 
  how do we profile status list 2021.
Anil John:   For in a credential verification.
Anil John:  In checking how do we resolve it you know one of the 
  things that they resolve and needs to take care of what are the 
  things that you need to check how do you know what are the 
  questions that you can answer for us and what are the questions 
  that it cannot answer for us and it's also really really 
  important it in a and one of the reasons I sort of articulated a 
  multiple work streams is to very clearly note that in some cases 
  we have divers and in.
Anil John:   Some are almost competing.
Anil John:  Parties within what the different parts of the ages 
  wants to do for example in the personal credential issuance a 
  piece by USCIS and proof unlink ability and privacy and choice of 
  the identifiers used how things are structured is really really 
  really important providing selective disclosure providing.
Anil John:  Nobody can basically track you across space and time 
  in how these credentials are used when you are an individual with 
  these type of credentials that is that is a really important 
  principle and the choices that we're making there are driving us 
  towards that so we will have how we are implementing unlink 
  ability and the profiling of the choices that we're making very 
  clearly articulated their that is unlike ability is not a desired 
  outcome for.
Anil John:   For our supply chain use cases I will.
<tallted> ( @mprorock @manu -- the deck hit my inbox at 12:30, 
  with sent time of 11:48 ... for future reference, best if such 
  decks can be sent earlier, or just provided via persistent link )
Anil John:  That supply chain use cases for US Customs requires 
  visibility into the actors in the supply chain requires 
  understanding of if those entities are using forced labor 
  practices or child labor which are not allowed by US law whether 
  they are sanctioned entities that are trying to pretend to be 
  somebody that they're not in the supply chain so the ability to 
  use technology and standards to hide.
Anil John:   Yourself from.
Mike Prorock: +1 - Thanks ted
<mprorock> that is helpful
Anil John:  Information is not a desired outcome for our 
  organizational credential use cases that come into play in the 
  supply chain so we are going to be talking about how the 
  traceability aspects of the supply chain pieces are also going to 
  be implemented in the profile as well and again what is what is 
  real right now is also with all of the discussions that we are.
Anil John:   Talking about.
Anil John:  Around Quantum resistant cryptography and the 
  cryptographic choice is fundamentally a lot of the choices within 
  our standards are obviously enabled by the use of cryptography 
  the US government has very hard requirements on the type of 
  cryptography that can be used in systems that connect to and are 
  used by them so for us fips-compliant cryptography is first and 
  foremost a hard requirement in the choices that we're making.
Anil John:   But we are also.
Anil John:  Looking at is there an opportunity to you know 
  profile that for example a json-ld base verifiable credential 
  with a linked data proved can actually have multiple different 
  types of probes attached to it one proof could be a using a 
  cryptographic primitive that is fully fips-compliant the second 
  one could be something that is more experimental using a Quantum 
  resistant cryptography you know for example I think the three big 
  choices.
Anil John:   Nist announced recently dilithium falcon.
Anil John:  Pause our Autumn play right now so can you have one 
  of those that is appropriate in addition to the fips-compliant 
  topography that obviously the BBS for Signature is moving through 
  the ietf and CC FRG going forward I've been talking to this day 
  are actively tracking that work as well so is there a way to sort 
  of provide that as an option as well so we are trying to figure 
  out how best we make choices that give us cryptographic 
  flexibility now.
Anil John:   Now and.
Anil John:  Would without impacting the user experience and those 
  are things that we are going to be profiling with in there as 
  well and obviously within the you know the credential itself you 
  know how what are the data models that we support I will be very 
  clear on noting that a required at Charles here will be json-ld 
  with linked data proves right now the question becomes are there 
  others that could be a should.
Anil John:  We'll come down to the cryptographic flexibility and 
  things like that that are possible and we are working through 
  that right now you know again profiling how we deliver a 
  credential to a digital wallet in the personal credential use 
  case how we deliver it to a digital wallet in an organization to 
  organization use case credential verification revocation refresh 
  aggregation selective disclosure these are all you know 
  ingredients that go into.
Anil John:   Into a recipe.
<mprorock> note that "shall comment" - JSON-LD with Linked Data 
  Proofs is a key note that implementer should be considering
Anil John:  Right so so we consider this to be you need to 
  basically profile at the ingredient level and each of them will 
  have informative normative and conformance tests associated with 
  that and again this is where you know I keep saying that 
  basically there's a lot of things that need to be considered in 
  order to get to a full implementation some of the feedback that 
  we got when we engage with the advocacy community.
Anil John:   OT and the privacy.
Anil John:  Liberty Community you know something about a couple 
  of months ago we got some really good feedback from them about 
  information and implementation things that we need to consider 
  from a technical perspective in Atkins it's not just about 
  consent to share data with the verifier it is also is there a way 
  to notify in credential holders about the verify is intended use 
  of that share data so that they.
Anil John:   Can such that a person can make an informed.
Anil John:  Should about what to share and what not to share I 
  talked about the fact that basically digital wallets are becoming 
  more of a locus of control in this ecosystem as can be seen by 
  all the work that is going on both in our ecosystem as well as in 
  the European Union as well as in our Canadian colleagues 
  ecosystems as well right not to mention in a much more globally 
  as well so how do we come up with a mechanism that provides a you 
  know wallet selector.
Anil John:   ISM that is truly interoperable I also consider 
  that.
Anil John:  A lot of these things also have mechanism that allows 
  us to you know signal intent I am an issue or that basically is 
  in a signal into a digital wallet that basically tells them these 
  are my capabilities that I have what can you support and this is 
  a I'm a digital wallet that is signaling to a verifier hey these 
  are the things that I can support you know how do I do that and 
  how I'm a verify that is signaling to a digital wallet that 
  shows.
Anil John:   Shows up at the at my front door saying that these 
  are the things that I.
<mprorock> @Tim Bouma - would love a similar presentation from 
  your side with thoughts if you are open to it
Anil John:  You know and you know it sort of comes Under The 
  Limited umbrella of query language but I think it is broader than 
  that and we are looking at what are the ways that we sort of need 
  to Signal intent in each of these places and also have the 
  ability to technically Implement that and I'm a I'm a big 
  believer in feature detection rather than product detection I 
  think when it comes to digital.
Anil John:   Wallet and digital wall.
Anil John:  Just I think it is very easy when you go down the 
  product detection thing in order to get yourself siloed into the 
  implementations that are out there but if you're truly about 
  ensuring choice in that new locus of control which is the wallet 
  you need to basically have the ability to sort of detect the 
  features that are supported by the word so that you can basically 
  interact with it in a truly open Manner and that.
Anil John:   Are different ways of doing.
Anil John:  You could do it in a boob Force manner using 
  independent testing of the warrant itself but is there a way to 
  sort of do some sort of a cryptographic challenge or response in 
  the long term I fully think that there needs to be there has to 
  be some matter of a certification accreditation by truly 
  competent third parties around the features that are in a wallet 
  that we consume as cross marks of that allow us to know that yeah 
  barely these wallets have these features.
Anil John:   Features of because these have been verified by 
  entity and they.
Anil John:  Give It Up.
Anil John:  Cross mark So as such they are good for us to use 
  within our ecosystem so so the intent about you know with all 
  these what I call ingredients is to you know basically have a 
  combination of recipes so our intent here when the profile is you 
  should be using each of the things that I just talked about as 
  ingredients that go into building a recipe a recipe for a 
  personal credential issuance.
Anil John:   Workflow organizational credential.
Anil John:  Flow and the important thing they all are not going 
  to be identical they are all actually going to be very different 
  the way that our supply chain issuance flow works is very much 
  going to be different from a personal cadential you know issuance 
  flow and that is perfectly fine so one of the things is really 
  that's why the granularity of these ingredients become.
Anil John:   Becomes really important.
Anil John:  Open because then what we are able to do is obviously 
  mix-and-match them even in these workflows and Journeys in order 
  to enable capabilities using the vocabularies that are out there 
  right so this is sort of this is not this is sort of this is the 
  way that we are looking at this profile this is a profile that is 
  a work in progress we it will be have all this Define out of the 
  gate absolutely not will we are these things that we.
Anil John:   Need to keep in mind so that the choices that we 
  make.
Anil John:  Do not close off other choices that are articulated 
  here absolutely so you know again I know that for some of you who 
  are new to the ccg you can find obviously you know where to find 
  the link to the standards but a lot of the things that we've 
  contributed to that are available to all of you the citizenship 
  vocabulary which is something that we are using in our 
  immigration.
Anil John:   Ation credential peace.
Mike Prorock: https://github.com/w3c-ccg/citizenship-vocab/
Mike Prorock: https://github.com/w3c-ccg/traceability-vocab
Mike Prorock: https://github.com/w3c-ccg/traceability-interop
Anil John:  To increase ability vocabulary that is being used 
  within our supply chain use case the traceability 
  interoperability work that is being part done by the supply chain 
  piece as I mentioned one of the things that we are very much into 
  is demonstrating how interoperability will work then using that 
  to document what goes in the profile so you can see that ongoing 
  work going on our supply chain side in the you know traceability 
  interoperability.
Anil John:   We work link that is there and you can see that.
Anil John:  The open API that is a profile of the VC API that is 
  actually using that using that concretely right so again walking 
  the talk here publicly with full feedback and you know input from 
  all of you in the global Community we've done in cryptography and 
  Analysis of both the in a VC and the did standards that is using 
  allowing us to you know Drive our implementation on our choices.
Anil John:   BBS plus signatures are the.
Anil John:  Envision for Selective disclosure going forward water 
  could point to the Fine work that is being done by you know 
  transmute measure I/O Google IBM and I believe one more company 
  who name who's name just thank you thank you that are you know on 
  in the ietf around Json encoding for the post-mortem signatures 
  which becomes a building block for how to incorporate that within 
  the.
Anil John:   Linked data.
<mprorock> NXP on PQC as well
Anil John:  You know proof ecosystem going forward as well again 
  and I think you're aware of from the emails in the list about the 
  wallet selector playground that is using choppy as well so that's 
  sort of you know my you know mock my bitch and an update here I 
  am happy to sort of let me let me kill the sharing here if I if 
  you don't mind so that you're not seeing this.
Anil John:  Hopefully at that stop the sharing Mike.
Mike Prorock:  I did indeed and I know I had seen Phil On Cue 
  earlier Phil did you have a question or was that just in regard 
  to getting a copy of the deck because I know that lag.
Phil_L_(P1): That was just that was just getting powerchute 
  hello.
Mike Prorock:  Yep you're good.
Phil_L_(P1): Okay good that was just in copy for getting a copy 
  the deck which I have now thank you.
Anil John:  No worries again I'm happy to answer any questions 
  wanted to make sure I sort of articulated at least where we are 
  going and obviously happy to answer questions point you to the 
  test Suites and things like that that are on there and Adrian 
  would love to speak and I would love to hear from you Adrian.
<phil_l_(p1)> A bit thanks though to Anil for the update.
Adrian_Gropper_: I am I I really appreciated towards the end when 
  you mentioned that you reached out to the privacy and advocacy 
  Community for their input and that slide labeled three or four 
  that listed the basically the requirement that are coming up at 
  least that's the way I treat them.
Anil John:  It is I can send you up in there were three things 
  that actually we got back as feedback I'll simply note Adrian 
  that our Chief privacy officer link pocket debris is pretty damn 
  awesome and she basically reached out on our behalf to the civil 
  liberty and privacy advocacy community and it was a pretty pretty 
  intense you know four to five hour pretty much an entire day you 
  know session with them too.
Anil John:   To articulate them in the choices that we're making 
  getting their.
Anil John:  And you know taking their feedback and trying to 
  figure out how to bake it into the engineering on the things that 
  we are not thought of.
Adrian_Gropper_: Right so I just have one question of you like I 
  say that that was a great slide and I'm glad to see you're doing 
  this what I don't understand yet in your in your roadmap is where 
  delegation comes in into the protocol picture that obviously 
  threats through both where we are now and where we're going I did 
  not see.
Adrian_Gropper_:  see that.
Adrian_Gropper_: And I'm curious because it also impacts the 
  interaction between ccg and ITF for example that I've been you 
  know focusing on in the last couple of months so is the creation 
  go up.
Anil John:  No no this is a new dropping the ball on you 
  delegation should have been one of the things that we profile in 
  there so I will make sure that it's corrected and added as part 
  of what the end game for us is but having said that I think I've 
  responded on this back to you but I will reiterate by three 
  private responses on this as well right so.
Anil John:  You know one of the things that is really important 
  for us is to ensure that we are bootstrapping off of our existing 
  physical credentials and there is existing processes around 
  delegation of authority in how a immigration credential is used 
  that currently exists and is used by that ecosystem so there is 
  an option for that within the physical credential ecosystem so 
  which is why it is.
Anil John:   Is it.
Anil John:  Something that we want to have as a capability in the 
  digital side eventually but it is also not something that we're 
  going to tackle first and foremost out of the gate no worries now 
  I thank you for I knew you work out as soon as eight you got on 
  the call you know that I knew that you are and I think I was 
  thinking to myself oh God I forgot that yeah.
Mike Prorock:  Ha ha ha awesome yeah thanks for the call that a 
  nail because it is an important topic Allison I say you want to 
  queue.
Anil John:  So as the person who seven years ago basically when 
  the bottles spun around the table around the applicability of 
  blockchain Technologies to DHS the person who ended up holding 
  the bag was me I you know the I own the R&D program around 
  blockchain and and DLT Technologies are there is a separate set 
  of you know Genesis documents for lack of a better.
Anil John:  Word yes I am overly.
Anil John:  That comes into how we ended up putting our support 
  behind did Cindy sees that are coming from the blocks in Arena 
  the long and the short of it is we learned very quickly that 80 
  to 90 90 to 95% of the use cases that are being articulated for 
  blockchain Technologies does not require any type of blockchain 
  at also at the same time we also realize that our counter parties 
  in the.
Anil John:   Good community in the other communities were also.
Anil John:  Very enthusiastic about blockchain technology so we 
  needed a mechanism that allowed our Enterprise systems to work 
  with both blockchain Technologies and non blockchain Technologies 
  and across blockchain Technologies and the choice that we made 
  was to ensure that if you are bringing a blockchain to DHS you 
  need to ensure that there is a interoperability layer that is 
  built on top of that block.
Anil John:   Chain that consists of verifiable.
<mprorock> case note did:ion interop with did:web as part of did 
  resolution
Anil John:  As the data model decentralized identifiers as the as 
  the identifier mechanism and a set of standard ABI so my job over 
  the last three or four years within DHS has been to make 
  blockchain go away by ensuring that we have a layer of 
  interoperability around it which is why we are we are using these 
  standards which are applicable and have no dependency on 
  blockchain but also.
Anil John:   So can be used with the Block Chain as well.
Anil John:  Come back to your question originally that was a 
  long-winded answer sorry about that come back coming back your 
  question we are not anchoring anything within a block chain at 
  this point out for example though that way that we identify 
  ourselves as an entity USCIS and CBP will identify ourselves as 
  issuers and verify is in the ecosystem is using did web as a 
  mechanism the.gov top-level domain is owned and operated by the.
Anil John:   U.s. government we have a significant amount of.
Anil John:  In that domain infrastructure we have a significant 
  amount of confidence in our web infrastructure so it makes sense 
  for us to use that we are not on the personal credential side 
  actually issuing any decentralised identifiers to an immigrant of 
  for a variety of reasons the simplest and most expedient being we 
  do not want to have any question whatsoever that we are issuing 
  some.
Anil John:   A manner of an identifier that.
Anil John:  Using to track people's usage across space and time 
  and the easiest way to not sort of go down that idiotic rabbit 
  hole is to Simply ensure that we don't issue a did to that person 
  right so so when are anchoring them in that type of thing on the 
  trade side obviously you know there might be entities within the 
  broader trade Community who might be bringing decentralised 
  identifiers that are.
Anil John:   Are anchored in dlts or.
Anil John:  Blockchains so that is perfectly fine for us it is 
  not something that we are issuing or you know implementing it is 
  something that we need to verify we just need to ensure that the 
  security privacy and interoperable properties of that 
  implementation are something that we find acceptable or not does 
  that help Alison.
Mike Prorock:  Awesome and I'm looking at time here we've got 
  about three and a half minutes or so less are there any final 
  questions in or any kind of closing thoughts I if not I'd love to 
  put Tim Boma on the spot just for his feedback and thoughts since 
  I see him on the line unless he dropped off he may have.
Mike Prorock:  You did that yeah.
Anil John:  If he hasn't up you know I'm going to basically so 
  the Tim as you know if Tim is on the line by all means would love 
  to hear from me he's moved on to a new role within the Canadian 
  government into the standards and verifications I would love to 
  know what he's doing but I'd also put I hate to put you on the 
  spot here but the person who's actually currently within the US.
Anil John:  Who is who's taken over the identity file in the 
  treasury board secretary is actually purchasing I noticed that he 
  is present I am hoping that he will would love to I'm sorry my 
  friend to put you on the spot I hope that you you can pretend 
  that you are you're completely dropped off by the way if you 
  don't want to answer it anyway.
Kulpreet Singh:  No no thanks no no I'm right here I'm listening 
  and yeah great great presentation lots of other questions were 
  very very interested in actually some of the conformance sort of 
  the criteria that is coming out of the work that you guys are 
  doing I think that will help us a lot to sort of you know 
  leverage that approach and maybe build on it I think it would be 
  very very interesting.
Anil John:  Thank you sir my back to you Tim are you still on by 
  any chance or are you have you have you love for fighter 
  pastures.
Anil John:  Okay never mind.
<heather_vescent> Always great to get an update from Anil!
Mike Prorock:  Am I still on did Tim Ali I believe Tim left so 
  yeah the but yeah no I um yeah I think any I would just kind of I 
  guess open it up for any kind of final closing thoughts you know 
  this is a great session is very helpful to just kind of look at 
  this stuff I appreciate the openness around this initiative 
  because I think it's important right for the reasons that 
  Adrian's noted etcetera.
Mike Prorock:  This is stuff that definitely concerns.
Mike Prorock:  Some concerns as.
Mike Prorock:  Right in and this approach is unique in government 
  and is something that I am a huge fan of so any closing thoughts 
  as we wrap up here.
Anil John:  Do we closing thought is basically if we're.
Anil John:  Even though there are many competitors in this space 
  and in the vendor Community here there is a foundation that is 
  useful and important for all of us to work together on but we 
  want to make sure that the foundation is as you truly 
  interoperable and that interoperability is actually testable 
  right so so please you know I would encourage anybody in a 
  globally to take a look at the work that is being done.
Anil John:   Done in the ccg.
Anil John:  You the test Suites that are being developed and 
  implemented and to provide feedback you know open pull request 
  against it you know contribute to it and integrate with them on a 
  regular basis so that we are all sort of moving in the general 
  direction it is going to be a real that different jurisdictions 
  will have different priorities in what they are doing but I also 
  think that there is an opportunity for us to have a set of in a 
  common foundational ingredients that we can all share that we put 
  together.
Anil John:   Together in different in two different drop is press 
  the PS that are up.
Anil John:  So let's work on those ingredients together and let's 
  make sure that they are testable through the interoperable and so 
  then we can mix and match them into what makes sense for all of 
  you within your different verticals different use cases and 
  different jurisdictions.
Mike Prorock:  Now that's it's awesome and yeah obviously I think 
  we've gotten to the point where a lot of these test Suites are 
  now you know moving forward in a pretty good way and you know 
  what so would it be fair to say you know if you've got 
  implementations or you're working with generally speaking please 
  register with those test Suites and start showing that 
  interoperability or what your final comment there.
Mike Prorock:  Or did I lose in the hell now now.
Anil John:  No you did not use and I see that Adrienne has his 
  hand up by the way just in case.
Adrian_Gropper_: Just a quick question if you can how do how 
  should we or you react to the initiatives on the mobile driver's 
  license ISO standards and on the passkey wallet announcements as 
  they relate to the work that we're promoting here.
Anil John:  Can I use the time has run out in order to run away 
  from that question a dream.
Mike Prorock:  You make because I think that's going to Meredith 
  actually I it's an important question I think that's going to be 
  eating itself.
<phil_l_(p1)> Next time then!
Anil John:  It's an important person I'm happy to answer but I 
  it's also a nuanced answer so I don't want I don't want to be in 
  a position where a half-assed answer is weaponized by people for 
  other things.
Mike Prorock:  Adrian that's an important enough topic will make 
  sure that that gets a full dedicated meeting by the way.
<harrison_tang> Thank you, Anil, for a great presentation !!
Kimberly Linson:  Got it yep.
Kimberly Linson:  Recording has stopped.

Received on Wednesday, 20 July 2022 17:34:28 UTC