[MINUTES] W3C CCG Verifiable Credentials for Education Task Force Call - 2022-03-21

Thanks to Our Robot Overlords for scribing this week!

The transcript for the call is now available here:

https://w3c-ccg.github.io/meetings/2022-03-21-vc-education/

Full text of the discussion follows for W3C archival purposes.
Audio of the meeting is available at the following location:

https://w3c-ccg.github.io/meetings/2022-03-21-vc-education/audio.ogg

----------------------------------------------------------------
VC for Education Task Force Transcript for 2022-03-21

Agenda:
  https://lists.w3.org/Archives/Public/public-vc-edu/2022Mar/0005.html
Topics:
  1. IP Note
  2. Call Notes
  3. Introductions & Reintroductions
  4. Announcements
  5. About CCG Email Thread: "Centralization dangers of applying 
    OpenID Connect to wallets" (Dmitri Zagidulin)
Organizer:
  Kerri Lemoie
Scribe:
  Our Robot Overlords
Present:
  Kerri Lemoie, Stuart Freeman, Marty Reed, Deepak Kulkarni, 
  Kaliya, Andy Miller, Taylor, Colin, LEF, Dmitri Zagidulin, Sharon 
  Leu, Jim Kelly, Phil Barker, Tony Sheppard, Deb Everhart, 
  Matthias Gottlieb, Jim Goodell, Kimberly Linson, Kayode Ezike, 
  Phil L (P1)

<colin,_lef> gm gm
Our Robot Overlords are scribing.

Topic: IP Note

Kerri Lemoie:  Hey hello everybody Welcome to the March 21st bcig 
  task force called today our topic is going to be on identity and 
  I'm and education credentials I'm going to go through some of the 
  announcements and boilerplate stuff that we always start these 
  meetings with the first one to know is that the IP note know that 
  anyone can participate in these calls but any substitutive 
  continued contributions.
Kerri Lemoie:   You have to.
Kerri Lemoie: https://www.w3.org/community/credentials/join
Kerri Lemoie:  Member to do those have to be members of the CCG 
  with full IP are agreements and you can read more about this at 
  this link that I put in the chat now.

Topic: Call Notes

Kerri Lemoie:  Please note that all of these meetings are 
  recorded we do our best with our infrastructure to record them 
  all and then also have a transcription of the meeting minutes so 
  you will see in the chat that there's an auto transcriber that is 
  recording what I'm saying right now what you can do while we're 
  taking these notes is if you see something on a transcriber is 
  his is really flubbed up pretty badly you can do a substitution.
Kerri Lemoie:   In the chat like:
Kerri Lemoie:  That would be very helpful in publishing the 
  minutes and that would look something like this where you do an s 
  a forward slash I'm just going to make up one right now that 
  doesn't exist but the middle between the brackets is the word you 
  want to replace and then the replacement we do use cues in these 
  calls to instead of I'm just speaking out please put yourself in 
  the queue you can do this by typing q+ if you know what you're.
Kerri Lemoie:   Something about you going to say you can say.
Kerri Lemoie:  S + topic.
Kerri Lemoie:  And then you can also remove yourself from the 
  queue.

Topic: Introductions & Reintroductions

Kerri Lemoie:  Okay let's do some introductions and 
  reintroductions is there anybody in the call today that would 
  like to introduce themselves.
Kerri Lemoie:  A lot of my faces if there's someone who'd like to 
  introduce themselves or reintroduce themselves and give us an 
  update what you're working on here's an opportunity to do so.
Deepak_Kulkarni: Hi I'm Deepak Kulkarni I work for is you and 
  also work for the pocket initiative that you might be familiar 
  with.
Deepak_Kulkarni: But the chain thank you.
Kerri Lemoie:  I am yeah oh great thank you for introducing 
  yourself Deepak.

Topic: Announcements

Kerri Lemoie:  Okay our next part is announcements and reminders.
Kerri Lemoie:  So I have two on my list one is for tomorrow ccg 
  call the tldr for that is that John Gleason Dominic Marina from 
  storage will give an overview of decentralized cloud object 
  storage which is emerged from the same ethos as the decentralized 
  identity Community they will discuss their Edge access management 
  features and have a discussion around using SSI identity with the 
  centralized storage that sounds interesting to you the link to 
  the agenda and the connection.
Kerri Lemoie:   Info is going to be in the chat right now.
<kerri_lemoie> Link to agenda & connection info: 
  https://lists.w3.org/Archives/Public/public-credentials/2022Mar/0088.html
Kerri Lemoie:  Also on April 26th through April 28th is the 
  internet identity Workshop this is being held at the Computer 
  History Museum in Mountain View California.
Kerri Lemoie: https://internetidentityworkshop.com/
Kerri Lemoie:  I am actually a big leagues in the chat I'm 
  actually attending this year it's the first conference I've 
  attended and over two years in person so I'm really looking 
  forward to it if you can make it I suggest that you go because 
  you will get to spend some time with the people who have been 
  thinking about identity for a really long time and it's a great 
  opportunity to learn and then wrap your head around some of these 
  Concepts that are really challenging at times.
Kerri Lemoie:  Let me see if there's anyone in the queue right 
  now.
Kerri Lemoie:  Anyone else have any other announcements that they 
  would like to make before we get started on today's topic.
Kerri Lemoie:  You're in the queue.
Kaliya: Hi thanks for sharing about IW and people should also 
  know that if.
Kaliya: Accessibility is an issue over price you can come and 
  talk to us about.
Kaliya: That we're really committed to opening it up I have 
  another event that people might be interested in called 
  mitigating harms on 13 happening April 1 if I'm on my phone so 
  it's hard to put it into chat if you search on Eventbrite for 
  mitigating harms and web three it'll come up and it's yeah five 
  hours on April 1 depending on what time zone you're on.
Kerri Lemoie:  I think I found it I'm going to put it in the chat 
  right now.
Kerri Lemoie: 
  https://www.eventbrite.com/e/mitigating-harms-in-web3-tickets-260675526517
<deb_everhart> Open Badges Summit call for proposals is open: 
  https://docs.google.com/forms/d/e/1FAIpQLSeIGapaEFIjB5WYYB9fkc1snJicqdUdGPqSLe_RFNv2gIcAJA/viewform
Kaliya: And that's when I just have one more thing I I'm it's 
  kind of an aside I'm working with a verifiable credentials policy 
  committee on getting some legislation passed in California to 
  create a trust framework and a pilot project within higher well 
  within education so if there's anybody in this group based in 
  California interested in helping say something to your 
  legislators about this.
Kaliya: I love to connect.
Kerri Lemoie:  Basically I what's the best way for folks to reach 
  you.
Kaliya: I think email kaliya at identity woman dotnet.
<deb_everhart> deadline for proposals is April 15 and the 
  conference is Aug 1-2 f2f and Aug 9 virtual
<colin,_lef> Woot woot!
Kerri Lemoie:  Thank you and then Deb Everhart you posted the 
  open badges Summit called proposals a chat that is great that is 
  on August 1st and 2nd in Boulder Colorado this year and the 
  deadline to do your proposal is April 15th I believe that's 
  another one I will be attending.
Kerri Lemoie:  Bit of course.
Kerri Lemoie:  Okay any other announcements before we get started 
  on our education credential learner identity discussion.

Topic: About CCG Email Thread: "Centralization dangers of applying OpenID Connect to wallets" (Dmitri Zagidulin)

Kerri Lemoie:  To a large part of why we're all working and I'm 
  verifiable credentials that we believe that individual should 
  have more control over their data and this includes deciding what 
  identity is associated with their credentials.
Kerri Lemoie:   And our.
Kerri Lemoie:  Our goal very soon hopefully the spring is to 
  publish a community report that informs the Education and 
  Training ecosystem without issue in verifying be seized and we're 
  narrowing in on this report today I would really like to hold a 
  discussion about identity and credentials to help inform the 
  community to It's A continuing ongoing conversation and it's a 
  moving Target right now but in order to get implementations going 
  we've landed somewhere and so we can talk about that and then 
  talk.
Kerri Lemoie:   About what they choose me or die.
Kerri Lemoie:  There are any questions that remain and before we 
  get started.
Kerri Lemoie:  Dimitri I was wondering if you could help us out 
  there's been this long thread going on over the weekend and the 
  ccg melas about open ID and choppy and did come centralized 
  versus decentralized and someone has been working on a while that 
  is one of our co-chairs I was wondering if you can unpack that 
  thread for us and hope to explain the issues that are going on 
  and how it affects what we're doing.
Dmitri Zagidulin:  Sure thanks thanks Gary I can I can certainly 
  give it a try it's it's a long thread and has branched out into 
  mini sub threads lots of things are being discussed their the 
  health of the ccg community the interaction with other standards 
  bodies but at the heart are a couple of things at the moment 
  there are let's say three or four.
Dmitri Zagidulin:  That can be used.
<kerri_lemoie> (ignore topic having the floor - Dmitiri has the 
  floor)
Dmitri Zagidulin:  There there three or four protocols that can 
  be used for verifiable credentials to request that they're issued 
  to transport them into the wallet to verify them to transfer them 
  between wallets right so a lot of the time in this group we've 
  started with.
<kerri_lemoie> Feel free to queue up your questions about this.
Dmitri Zagidulin:  Focusing on the data model so we have the 
  verifiable credentials working group has standardized the 
  envelope for us so what we do in this group is discuss a lot what 
  goes into the envelope so the data model of the payload itself 
  and of course in parallel with that we need to discuss how do we 
  get it into student wallets how do we exchange it between our 
  server to server systems how do we verify and all that stuff.
Dmitri Zagidulin:   So the protocol in the data model question is 
  in.
Dmitri Zagidulin:  And today there are three or four different 
  apis being formed by different standards bodies that can be used 
  to do something with verifiable credentials so.
Dmitri Zagidulin:  So that was thread one why are there competing 
  apis and what can be done to either converge their development or 
  at least make it clear to users to implementers what the 
  strengths and weaknesses of each API is why we why one would 
  choose w3c's VC API or diffs presentation exchange or open ID 
  foundations.
Dmitri Zagidulin:  Self issued open ID or the draft of openings 
  Uconnect for verifiable presentations.
Dmitri Zagidulin:  Which is the work that the openid foundation 
  is currently doing.
Dmitri Zagidulin:  In a certain sense the fact that there is.
Dmitri Zagidulin:  Four different apis is healthy right it means 
  there's a lot of communities have set up and take taken notice of 
  verifiable credentials.
Dmitri Zagidulin:  Means that they're definitely making impact in 
  the world and and all the standards bodies have their own 
  different approach to handling it so that was issue one how 
  what's the relationship between these.
Dmitri Zagidulin:   How do we.
Dmitri Zagidulin:  Standards bodies to communicate to cross 
  pollinate and all that stuff.
Dmitri Zagidulin:  Threatened number two was Manu and several 
  others including myself but what I can qualify that and answer 
  questions have stepped forward and said we understand where open 
  ID connect is coming from.
Dmitri Zagidulin:  But specifically when it comes to.
Dmitri Zagidulin:  Using opening to connect for general-purpose 
  verifiable credentials wallets for consumers.
Dmitri Zagidulin:  We feel that.
Dmitri Zagidulin:  The versions of the opening to connect 
  protocol tailored to work with verifiable credentials.
Dmitri Zagidulin:  Are in danger of.
Dmitri Zagidulin:  Exerting a market and technological pressure 
  towards Monopoly towards centralization.
Dmitri Zagidulin:  Now I know we use centralization or 
  decentralization as sort of value judgments a lot of times in the 
  space or especially in the web three space but here to to the 
  point where it becomes apocryphal so what do we mean by that.
Dmitri Zagidulin:  What do I do what do I personally mean when I 
  say that it exerts a market pressure towards Monopoly more so 
  than other protocols.
Dmitri Zagidulin:  It has to do with the issue of wallet 
  selection and the NASCAR problem which we'll get into in a 
  second.
Dmitri Zagidulin:  I also want to preface this that.
Dmitri Zagidulin:  In the education space.
Dmitri Zagidulin:  We have kind of a unique approach to this and 
  a unique set of problems here's what I mean by that so for 
  example several of the wallets that I work with example the 
  digital credentials Consortium DCC wallet very much uses OpenID 
  Connect for purposes of binding the existing student identity to 
  the decentralized identifier that the student brings which is the 
  other topic of this call.
Dmitri Zagidulin:   Ahmed Gary.
Dmitri Zagidulin:  Like to talk about right so we have in our 
  typical University or other school setups we have existing 
  student Information Management Systems particularly we have a 
  database with a student ID in it somewhere and we're trying to 
  introduce these dids these decentralised identifiers.
Dmitri Zagidulin:  And one of our challenges as technologists is 
  how do we how do we bridge that Gap how do we on-ramp how do we 
  bind the new decentralized identifiers which are controlled by 
  the students or by the individual person how do we find those to 
  that user ID in the database that exists on the learning 
  institution server somewhere.
Dmitri Zagidulin:  And so that the reason DCC wallet uses open 
  and to connect is for that binding it is an excellent mechanism 
  to when asking for a learner credential to be issued openid 
  connect provides an excellent mechanism to say okay we're going 
  to bind the openid connect user ID Dimitri one two three.
Dmitri Zagidulin:  And their email to this decentralized 
  identifier.
Dmitri Zagidulin:  Here's why I bring this up in the context of 
  the discussion of centralizing pressure or monopolizing pressure 
  OpenID connect.
Dmitri Zagidulin:  This that I believe exists in the 
  general-purpose world but less so in our field of Education it 
  has to do with.
Dmitri Zagidulin:  Use expectation and basically it has to do 
  with students are already a captured audience with a.
Dmitri Zagidulin:  Going to count on the University's our school 
  system so usual.
Dmitri Zagidulin:  So hold on one second help me close the door 
  dogs are very excited over here and I don't have a good view of 
  the chats Carrie please feel free to interrupt if there's a 
  questions in chat.
Kerri Lemoie:  Nothing yet thank you.
Dmitri Zagidulin:  Let me describe the the general situation and 
  then we can qualify of what we think is different in the 
  education space so one of the terms that's thrown about in 
  discussions in the dissent as identity space is a term called the 
  NASCAR problem.
Dmitri Zagidulin:  For those of you not in the US or just not 
  familiar with NASCAR NASCAR is a United States car racing 
  associations and one of the iconic things of NASCAR is these 
  racing cars are plastered with logos of sponsors.
Dmitri Zagidulin:  Regardless of the teams all the big companies 
  sponsor the teams and plaster the logo on the car so the cars are 
  just you know very colorful banner ads essentially with with 
  dozens if not hundreds of different logos.
Dmitri Zagidulin:  And so the NASCAR problem is.
Dmitri Zagidulin:  The rise of social login which has brought a 
  lot of a lot of benefits in a lot of was intended to bring a lot 
  of decentralisation to cross domain login but instead you see 
  insights that supported a preponderance of logos so if a side 
  support social login you usually presented with an array of 
  buttons that says log in with Google login with Facebook login 
  with LinkedIn.
Dmitri Zagidulin:   With GitHub and.
Dmitri Zagidulin:  Long or short a list.
Dmitri Zagidulin:  As that particular website decides its users 
  are going to use so.
Dmitri Zagidulin:  Closer related to that is the wallet selection 
  problem so with.
Dmitri Zagidulin:  I am sort of Web 2.0 social login which 
  incidentally is based on open ID connect.
Dmitri Zagidulin:  We have this problem of in order to use social 
  login the user has to select their identity provider or 
  essentially the user has to select their wallet that where they 
  have an account that manages cryptographic keys for them so in 
  looking at the list of login with Facebook log in with Google Etc 
  that right there is the wallet selection step that is the 
  identity provider selection stop.
Dmitri Zagidulin:   And then f.
Dmitri Zagidulin:  The long list of different logos different 
  brands with which they can log-in which is reminiscent of the 
  logo plastered racing cars at NASCAR.
Dmitri Zagidulin:  So why does this happen.
Dmitri Zagidulin:  OpenID Connect is the third iteration of the 
  opening D protocol is prefaced by open ID 1 and open ID 2.
Dmitri Zagidulin:  And both OpenID 1 and OpenID 2 as part of the 
  input required the user to paste in the URL of their identity 
  provider there's literally a text box and the user logging in was 
  literally required to cut and paste or type in the URL of so 
  google.com or facebook.com or their universities webpage or if 
  they were running.
Dmitri Zagidulin:   WordPress or.
Dmitri Zagidulin:  General something like that that URL and as 
  you can probably imagine but this was actually confirmed by 
  scientific studies paid by Yahoo and others this is incredibly 
  bad usability so openID sites ran usability studies and and and 
  discovered that users hate this this is really confusing nobody 
  wants to type in urls.
Dmitri Zagidulin:  So what's interesting about open ID connect 
  the third iteration of this protocol it did learn from this 
  Achilles heel of open ID that asking people to type in.
Dmitri Zagidulin:  Asking people to perform wallet selection step 
  the IDP selection step incredibly cumbersome.
Dmitri Zagidulin:  And open if you connect at its Inception had 
  had an answer to this.
Dmitri Zagidulin:  It was called webfinger thank you protocol 
  neighbors and it allowed the user to type in their email address 
  and through the email address.
Dmitri Zagidulin:  Discover the URL of their preferred open ID 
  connect provider so the original design of the open Internet 
  Protocol had a solution to the NASCAR problem it said okay we 
  don't want people to type in the URL of their wallet.
Dmitri Zagidulin:  Users a used to typing in the email so it's 
  fine that that's that's an okay ask and through this other piece 
  of infrastructure that we have.
Dmitri Zagidulin:  By typing in the email we're going to let 
  machines discover their preferred wallet provider great this is a 
  fantastic system.
Dmitri Zagidulin:  Here's the only problem here's why instead we 
  have this list of logos this list of social ID buttons.
Dmitri Zagidulin:  Webfinger required that email providers 
  support this protocol this webfinger protocol and essentially it 
  all rested on Google was one of the participants in the working 
  group that was coming up with open a g connect protocol and put 
  forward to support towards web finger.
Dmitri Zagidulin:   And the.
Dmitri Zagidulin:  Sort of figured that okay if we land Gmail if 
  Gmail supports this right that's a lot of users and then that'll 
  that'll exerted Market pressure for all the other email providers 
  to.
Dmitri Zagidulin:  Support this as well and so hey we've solved 
  one of the thorniest problems and identity which is while it's 
  selection problem great.
Dmitri Zagidulin:  Partway through the process may be at the last 
  moment I wasn't really there but the Google leadership cut 
  support for web finger so pulled the plug.
Dmitri Zagidulin:  And because Gmail didn't support it none of 
  the other major email provider supported and essentially 
  webfinger was Dead on Arrival so open it you connect protocol 
  which is a fantastic protocol has lots of lots of innovation and 
  specifically learned from the mistakes of its predecessors in a 
  lot of ways plugged a lot of security issues in open a d 1 and 2 
  and also in oauth 2 to which it open into connected.
Dmitri Zagidulin:   A successor it builds on a costume so great.
Dmitri Zagidulin:  Unfortunately at launch.
Dmitri Zagidulin:  A major major part of it was killed the 
  webfinger part of the wallet selection part and so that leads us 
  to the world where we are right now that obviously we don't want 
  to present a text box to the user to type in the URL.
Dmitri Zagidulin:   Typing in.
Dmitri Zagidulin:  Email doesn't work because webfinger I never 
  caught on due to Market pressures and political pressure.
Dmitri Zagidulin:  So instead we present the user with a bunch of 
  buttons.
Dmitri Zagidulin:  That contain the URL and contain yeah so the 
  buttons replace the text box.
Dmitri Zagidulin:  All right so all that digression how does that 
  how does that relate to what we're here for how does that relate 
  to decentralize Identity and our student wallets are learner 
  wallets.
Dmitri Zagidulin:  It relates directly.
Dmitri Zagidulin:  Most of the things that we want to do login 
  with your did ask for a credential to be issued into your wallet.
Dmitri Zagidulin:  All have to do with step 1.
Dmitri Zagidulin:  So we in the VC world have the exact same 
  problem of of wallet selection that the openid connect world have 
  had and we have almost the exact same set of fundamental tools to 
  do it with which is a text box or a list of buttons.
Dmitri Zagidulin:  Much like they're going to do a world where 
  okay yeah so let's talk about why that led to centralization you 
  can.
Dmitri Zagidulin:  You can see it intuitively.
Dmitri Zagidulin:  He long list of logos long list of social 
  login buttons is annoying to users and so each website that 
  presents social login.
<phil_l_(p1)> Isn't step 1 actually choose your identifier, and 
  then choose your wallet?
Dmitri Zagidulin:  Usability pressure to present as few buttons 
  as possible which means everybody picks the top most recognizable 
  wallets identity providers everybody picks.
Dmitri Zagidulin:  Gmail Facebook LinkedIn whatever their 
  particular Niche is.
Dmitri Zagidulin:  So the dream of.
Dmitri Zagidulin:  The recording room did not like.
Kerri Lemoie:  Like they were talking about open ID we're still 
  getting the transcription to the Head.
Dmitri Zagidulin:  Okay fantastic all right so we'll do our best 
  here.
Dmitri Zagidulin:  So OpenID Connect which is the decentralized 
  protocol.
Dmitri Zagidulin:  Was at its heart meant to to provide genuine 
  consumer level choice in wallets.
Dmitri Zagidulin:  Instead because it was missing the solution to 
  all its selection problem.
Dmitri Zagidulin:  Presented the NASCAR problem and the only 
  solution to the NASCAR problem that the world has come up with so 
  far.
Dmitri Zagidulin:  Is trying to reduce the number of logos by 
  only presenting the most well-known wallets which is where we are 
  right now right small handful of the the big main companies and 
  their wallets Google LinkedIn and so on.
Dmitri Zagidulin:  In the VC World we're in the exact same bind 
  when the exact same situation we have the same we have the same 
  tool set that are going to be had.
Dmitri Zagidulin:  Means it's the same usability problem that 
  wallet selection step and now there's asterisks all this will get 
  into the details of do we exactly have the same tool set or do we 
  have any other kind of techniques what can we do about this we'll 
  get into all of that so right now we're just trying to paint a 
  picture of what that email thread was about so but if you connect 
  has this wall selection problem we have the exact same old 
  selection problem and just as open as you connects NASCAR problem 
  led to.
Dmitri Zagidulin:   The only.
Dmitri Zagidulin:  Most websites are able to find is.
Dmitri Zagidulin:  Small handful of winner-take-all wallets 
  because we were an exact same situation exact same Market 
  pressure and Technologies if we're not careful in the DC World 
  we're going to end up in that same situation we're going to end 
  up with here are the two to three most well-known wallets and 
  everybody else is out of luck we certainly don't want to put in a 
  text box for the user to type in the name of their wallet or 
  whatever.
Dmitri Zagidulin:   Now why haven't we seen that yet.
Dmitri Zagidulin:  Because there's just not that many VC wallets 
  yet and especially here's the important part at the moment 
  there's almost no no.
Dmitri Zagidulin:  More than one interoperable VC wallets which 
  is where this problem starts to be seen right so with social 
  login all social logins are theoretically interoperable because 
  they theoretically use open it you connect although in practice 
  what's unfortunate they're not so Google uses a subtly different 
  identity protocol than Facebook that's not the point point is 
  open as you connector interoperable and so we have the problem 
  in.
Dmitri Zagidulin:   The wallet world.
Dmitri Zagidulin:  Have more than one wallet that is 
  interoperable with each other we have this world selection 
  problem and on all of the all of the solutions so the circle back 
  around what the thread that Manu started was pointing out that.
Dmitri Zagidulin:  Said I have concerns.
Dmitri Zagidulin:  About this this very successful standards body 
  open 85 Foundation working on a version of openID connect for 
  verifiable credentials - I have concerns that the very same 
  Market pressures apply.
Dmitri Zagidulin:  The unsolved problem of wallet selection is 
  going to lead us to the same centralizing place to the same 
  Monopoly Monopoly winner-take-all place.
Dmitri Zagidulin:  That the previous iteration led to nothing has 
  fundamentally changed and so a lot of the lot of the argument 
  that you that you saw in the thread if you read it was bickering 
  over the details was trying to clarify is a true the nothing has 
  changed what about this technique and what about this technique 
  and also in parallel.
Dmitri Zagidulin:  Especially coming from.
Dmitri Zagidulin:  Companies that are that are that small handful 
  of winner-take-all wallets.
Dmitri Zagidulin:  You'll see some argument that oh it's not so 
  bad this this pressure towards centralization towards you know 
  very small amount of logos it's not so bad you shouldn't worry 
  about it and we'll let you make your own judgments there now what 
  about our corner of the world what about education so for 
  instance with the DC wallet.
Dmitri Zagidulin:  It's not as cute of a problem because if I'm a 
  student of I don't know Georgia Tech University and I'm trying to 
  pick up a credential from my University while selection is not so 
  bad I know I'm going to be logging in to Georgia Tech and I'm 
  doing it at not at some third party relying party site it's not 
  at a random website I'm picking up my credentials add Georgia 
  Texas website in the first place right so the.
Dmitri Zagidulin:  Focus of the use case.
Dmitri Zagidulin:  Already takes in a lot of cases or at least in 
  the case that the wallet deals with right now has already 
  performed while its election unlike social login where it's on 
  some website and needs to I'm just picking it up at my University 
  so the wall selection has essentially has already been performed 
  I've gotten to that URL of the University side I didn't have to 
  type it in its we're already there.
Dmitri Zagidulin:  The in a particular case while selection and 
  identity provider selection is taken care of and we can use the 
  power of open and you connect protocol to bind existing student 
  account existing student identity with the decentralized 
  identifier it's great.
Dmitri Zagidulin:  Oh also however however again it's not a 
  problem because in the DC context it's a pilot that just involves 
  one wallet the moment we have more than one wallet that's 
  participating in this pilot the moment that happens even though 
  on the student login side.
Dmitri Zagidulin:  I DP selection is solved because the student 
  is already at the University's website the wallet selection 
  problem is not solved.
<jim_goodell> Locking a wallet to an institution sounds 
  problematic to me. Could it be select from market leader listed 
  but also have an "other" option to enter the domain of another 
  wallet provider?
Dmitri Zagidulin:  We now have to essentially either somehow 
  guide the user to open up their preferred Wallet app and perform 
  the operations from within it which is in itself has usability 
  problems or.
<kayode_ezike> Maybe for a broader group, but any thoughts around 
  specificying wallet selection via DID services?
Dmitri Zagidulin:  Need to come up with some sort of mechanism in 
  the notification email.
Dmitri Zagidulin:  That says hey students you have a credential 
  waiting please go pick it up over here.
Dmitri Zagidulin:  And now now we have the NASCAR problem now we 
  have we need to present two buttons pick it up with the DC wallet 
  or pick it up pick it up with pocket or pick it up with so-and-so 
  wallet and now we're in the nightmare of preponderance of buttons 
  now where NASCAR land.
Dmitri Zagidulin:  And again as a community we have a couple of 
  nascent solutions to this and a lot of heated discussion but it 
  is a it is a real problem that even though it might not be as bad 
  or might not be as Tangled in our neck of the woods it is still 
  Tangled in that we do need to perform wallet selection to get the 
  user inside of the wallet out.
Dmitri Zagidulin:   Or somehow guide the.
Dmitri Zagidulin:  The protocol toll roads.
<marty_reed> as an example, we allow the user to create their own 
  e-mail VC to a SOVRIN based wallet, IDRamp, Trinsic, Evernym and 
  then allow them to authenticate via OIDC in the Open Credential 
  Publisher wallet and Teacher Wallet
Dmitri Zagidulin:  Selection okay so I've spoken enough let's 
  let's take questions hopefully this helps shed some light.
Kerri Lemoie:  I did see we have a full yeah I mean this is great 
  I know I will have some questions to a filled long is like you 
  right now.
Dmitri Zagidulin:  We'll go ahead.
Phil_L_(P1): Hi Dmitry couple of things first of all is it 
  actually the case at the first problem is the wallet selection 
  and not the identifier selection that is to say if we are 
  encouraging dids and and of course one can have multiple bids is 
  that is the first question that has to be dealt with what's the 
  identify I'm going to match my University ID to.
Phil_L_(P1): Is that actually in preceding the problem of the the 
  NASCAR wallet selection that's my question.
Dmitri Zagidulin:  Fantastic problem fantasy or floor sorry 
  fantastic question very insightful and the answer is no in in the 
  did world we have sworn a sacred vow in which we said the user 
  will never have to see or type in there did so we will never give 
  the user.
Dmitri Zagidulin:  Down of these big long opaque did identifiers 
  we're never going to ask the user to select which did their 
  logging in instead we're going to Outsource that problem to 
  wallets that's why that's why the wallet selection step is the 
  first step it you write conceptually it should be select the did 
  but because dids are big long opaque identifiers we don't expose 
  the user to them so instead it's select the wallet and then the 
  wallet will.
Dmitri Zagidulin:   Do their best in saying you know so.
Dmitri Zagidulin:  Profile select your persona select are you 
  logging in with your school dead or your work did right.
Dmitri Zagidulin:  That's the wallet responsibility.
Phil_L_(P1): So that's a while its responsibility okay so in that 
  in that the second question was related to that if I can continue 
  that is I get the NASCAR problem and the sort of neat the 
  pressure that that imposes to have as few stickers as possible 
  but the question that emerges is if there were a central registry 
  of wallets and you had just simply a drop-down what you start 
  typing.
Phil_L_(P1):  your wallet and it finds you and that's that.
Dmitri Zagidulin:  Okay great question so that is one of the 
  solution one of the attempted solutions to the NASCAR problem to 
  wallet selection identified selection that search ahead drop box 
  that you described it works better in certain verticals such as 
  banking or universities right the lid there's a couple of 
  specifically education.
Dmitri Zagidulin:  Non projects that do just that what you're 
  describing.
<deb_everhart> like shibboleth
Dmitri Zagidulin:  So that is a potential it's not a perfect 
  solution but that is a potential solution but again picture what 
  that's going to entail hey learner go pick up your credential 
  okay I go to the site to pick up now let's find what while you're 
  using and from a central registry which again is its own kind of 
  gatekeeping but me ultimately be needed.
Dmitri Zagidulin:  Behead and select your wallet not perfect 
  little bit awkward but it is one of the possible solutions yes.
Phil_L_(P1): If the last question is the one of the things you 
  didn't mention is isn't part of the concern about the 
  centralization or at least the way in which ODI see connected is 
  designed is at it it's certainly alerts to the to the 
  authenticating provider a request that you've made.
Dmitri Zagidulin:  Yes that's also a problem I didn't even 
  mention it because.
Dmitri Zagidulin:  Right now it is definitely also a problem in 
  my mind the wall selection problem is so awkward and so 
  fundamental that it outshines everything else but you're 
  absolutely right that there is very much a privacy perspective 
  that Google or Facebook or your University will know every time 
  you're logging in using their social login yes you're absolutely 
  right now.
Dmitri Zagidulin:   It's less of a problem.
Dmitri Zagidulin:  In with open and he connects because Google is 
  managing your keys they're going to know it's less of a problem 
  in wallet selection that my wallet is going to know that I logged 
  in with them because they're a local app on my phone like I'm 
  okay with that so less of a problem because of that.
Dmitri Zagidulin:   Thanks Phil.
Dmitri Zagidulin:  Questions anybody else.
Kerri Lemoie:  There's nobody else but I'm going to keep myself 
  up for a question have you what I'm hearing in the short-term 
  right now is that platforms are familiar with open ID when using 
  it for a long time and in the short term this works right and an 
  education this works pretty well right now but that there might 
  be other options in the future that we will consider as the 
  system matures.
Kerri Lemoie:   System matures.
Dmitri Zagidulin:  Great so let's be very specific.
Dmitri Zagidulin:  D the Fantastic solution for The Binding of 
  existing student identity to the new dids so for that it works 
  great hardly a problem even what we what is a problem and we 
  don't have solution for is still wallet selection.
Dmitri Zagidulin:  Of interoperable wallets and that's all that 
  we're working for right like that's what we're working here here 
  in this group in the jff interop effort we want a world where 
  students can export and transfer their credentials with multiple 
  wallets that are hopefully on Open Standards but if we achieve 
  that world.
Dmitri Zagidulin:   We will have the wall problem.
Dmitri Zagidulin:  Either in order to achieve that world we will 
  need to solve W election which openid connect does not solve is 
  the whole problem.
<phil_l_(p1)> Another concern is that the centralized registry of 
  wallets must require demonstrated interop among the wallets added 
  into the list. Dmitri referred to the gatekeeping issue at the 
  registry level, of which this is a part.
Kerri Lemoie:  Right and before I hand this over to Tamara dhia 
  he's also in the queue I think it also another complicating 
  aspect to this is that issuers are typically issuing these 
  credentials directly very typically using platforms so in between 
  the issuer and the wallet we have platforms that are also 
  handling the identity.
Kerri Lemoie:  And this has been the case with open badges for a 
  long time you know I work for a badging platform but there are 
  several out there and they'll be some of the first ones to start 
  doing this to that is also something to consider if I think.
Dmitri Zagidulin:  Yep good point good point.
Marty Reed:  So I don't necessarily have a question as much as I 
  just wanted to share a few approaches that we've taken in the 
  open credential publisher project with North Dakota and the other 
  participants there but in North Dakota is actually created a demo 
  piece of this we are using basically an email credential so as 
  long as your wallet for.
Marty Reed:   For this.
Marty Reed:  On Sovereign but we have another pilot started with 
  with Microsoft and their did I own project but the email 
  credential can be generated via the web interface issued to 
  whichever wallet on Sovereign Network so you know trinsic I need 
  ramp evernham and once you've issue this email credential then 
  you can the oid C implementation on the open credential publisher 
  and on the teacher wallet allows the user to.
Marty Reed:   Authenticate with that VC.
Marty Reed:  So it's actually connected to the did in that the 
  did is the wallet but the credential you know is validated the 
  kind of to factor with the email address and so on the other side 
  of things with the North Dakota infrastructure internally they 
  they also connect with a PowerSchool login via this VC.
Marty Reed:  Um credential and so that VC credential connects to 
  the iadc account via the email map and then and then allows them 
  to authenticate so that's one way that we've approached it to 
  kind of solve for you know the NASCAR problem IE we don't really 
  care what wallet you have as long as it has the right credential 
  to authenticate with so just as an example and then and then.
Marty Reed:   In addition to that on.
Marty Reed:  Issue inside issuing to a wallet we actually don't 
  connect the login from North Dakota's infrastructure to the wall 
  at we just handle it in session which has its own challenges but 
  but they're that way the user then selects where the wall and so 
  I just wanted to share those couple of examples.
Marty Reed:  That we've tried to solve for some of these problems 
  and will you know continue to think about that but any thoughts 
  on that approach to me tree.
Dmitri Zagidulin:  Thank you so much Marty and this is exactly 
  why calls like this are so valuable because we get to hear from.
Dmitri Zagidulin:  Real deployments out in the field and learn 
  from them so let's let's zoom in you have so you have this use 
  case and you have multiple wallets that are in our operating.
Dmitri Zagidulin:  Hot let's let's ask how do you select the 
  right sorry how do you solve the wallet selection problem while 
  getting the credential into their wallet in the first place right 
  so when they're first picking up that email credential VC how do 
  you solve the wall section problem how does the user choose which 
  wallet to save it in.
Marty Reed:  So the user from the wallet application scans the QR 
  code to to import that BC so that's how that's how it's not up 
  front this is they just they opened the wallet they scanned and 
  and so you can have multiple Wallets on your phone whichever 
  wallet you scan with is the wallet that that BC goes into.
Dmitri Zagidulin:  Right okay got it and what happens if you want 
  to pick it up what if you don't have a second device right but if 
  you or rather yeah so what if you're picking up your credential 
  on your phone you can't really scan this your phone screen with 
  your phone.
Marty Reed:  Right yeah yeah and so then the link kind of uses a 
  last in model so the last the last wall that you opened is where 
  the BC Coast.
Dmitri Zagidulin:  Right our ends and I suspect that it's it's 
  slightly more complicated than that just because of the just 
  because of the affordances that unfortunately the mobile 
  operating system vendors are provide us so this is a great 
  example we and was one of the things that was argued about on the 
  ccg thread that carry the Carrie brought up which is so one of 
  the one of the one of the techniques that the.
Dmitri Zagidulin:   Both the open ID.
Dmitri Zagidulin:  The Wider SSI wallet world has come up with is 
  if the user has two devices and we can present a QR code on one 
  of the screens then we can ask the user to go manually pick the 
  wallet that they're going to be using meaning open that up on 
  their phone.
Dmitri Zagidulin:  QR code of that other device and so perform 
  while its election using that technique it is an absolutely valid 
  technique and 11 that we use as well in d.c..
Dmitri Zagidulin:  But it is but it has the fundamental 
  limitation of you need two devices with screens in order to do it 
  there's no there's no way to pick up the credential on your phone 
  or to pick up the credential just on your desktop so thank you so 
  much party like there is there is a handful of techniques that 
  people are using and that's one of them they are unfortunately 
  limited and maybe as we as a community.
Dmitri Zagidulin:  The lack of better options we can say okay we 
  can learn to live with these limitations one of the things that 
  was argued about in the email thread this is to go back to there 
  are four different protocols right now to deal with VCS.
<kerri_lemoie> Thread in case you haven't seen it: 
  https://lists.w3.org/Archives/Public/public-credentials/2022Mar/0101.html
Dmitri Zagidulin:  Several of the protocols don't have that 
  limitation they're able to pick up the verifiable credentials on 
  the same device they don't need the the to scan the to screen 
  scan although they can work with that as well but others like 
  opening to connect do have that limitation.
Dmitri Zagidulin:  Anybody else like I'm curious example to hear 
  from the pocket team I'm so glad we have member from.
Dmitri Zagidulin:  Harley's had at the start of.
Dmitri Zagidulin:  Call I'm not sure if we still have them.
Kerri Lemoie:  You think he's still here.
Dmitri Zagidulin:  Okay yes I'm.
Dmitri Zagidulin:  As always really great to hear from you.
<kayode_ezike> In a native mobile setting, is there a design that 
  resembles “share via”?
<marty_reed> great discussion Dmitri, well explained!
Kerri Lemoie:  I prayed I think maybe as a you know one of the 
  things you want to do is get more Wallets on this call so I think 
  we can this is something we could ask about let me do that thank 
  you Dimitri I really appreciate I really appreciate you walking 
  us through that because the whole lot of the backstory there I 
  had no idea even working on the web for so long to thank you very 
  much for explaining that so well.
Dmitri Zagidulin:  Thanks Gary so I noticed that coyote is asked 
  a good question in chat which is in in the context of mobile 
  devices in the context of picking up picking up a credential on 
  my phone without having another screen for example to deal with 
  is there an interface that.
Dmitri Zagidulin:  That uses the mobile operating system share 
  sheet we're all familiar with the share via right both on Android 
  and on iOS we have the icons that encourage you to if you like 
  this image share it via this messenger or share it via Twitter 
  and so on right so we the native operating systems have all of 
  them one in one way or another have this notion of a share sheet 
  and are any of the current.
Dmitri Zagidulin:  Using it great question that was one of the 
  things being argued about on that thread is the.
Dmitri Zagidulin:  Credential Handler API protocol short CHAPI.
Dmitri Zagidulin:  Use the native mobile system or that rather 
  the next iteration of chappie and we have demos out there that I 
  can link to.
Kerri Lemoie: CHAPI: 
  https://w3c-ccg.github.io/credential-handler-api/
Dmitri Zagidulin:  Does use the iOS or Android share sheet so the 
  way it works is you click the link up Pops The Familiar share 
  screen that where there were familiar with and you select the 
  apps that are registered to receive the share event for that 
  particular data type so yes we that is an option we can we can 
  absolutely do that.
<kayode_ezike> Awesome, thanks Dmitri!
Kerri Lemoie: OpenID: https://openid.net/connect/faq/
Dmitri Zagidulin:  In in this one particular family of protocols 
  not others though hopefully others will pick up that technology 
  as well the reason the reason we can do that and not because 
  we're particularly clever is because w3c has another Speck called 
  Web share API.
Kerri Lemoie: DIDComm: 
  https://identity.foundation/didcomm-messaging/spec/
Dmitri Zagidulin:  And web share EPA is supported by the majority 
  of Mobile and other browsers so now it's tricky to because it's 
  designed to work with just raw text or hyperlinks It's tricky to 
  get it to work with verifiable credentials in an interoperable 
  way but it's definitely possible and and we do encourage doing 
  that.
Phil_L_(P1): Yeah I remember the reading through that that thread 
  and I thought there was a comment there that said that web share 
  was not from a security perspective sufficiently robust because 
  of the potential phishing that is available.
Dmitri Zagidulin:  Ah good good good question no the opposite 
  custom protocol handling is not sufficiently robust because of 
  security so.
Phil_L_(P1): So Webster has protections that are encrypted in the 
  way in which it's shared okay.
Dmitri Zagidulin:  That's correct or rather let's let's zoom in 
  real quick.
Dmitri Zagidulin:  It's not that it has encryption it's more that 
  so one of the family of open it you connect protocols is called 
  psyop which stands for self issued open Education Act so that is 
  one of one of the two main directions that they open it you 
  connect Foundation is focusing on science is a great protocol.
Dmitri Zagidulin:   But here's the thing.
Dmitri Zagidulin:  He'll hear this main limitation.
Kerri Lemoie: SIOP: 
  https://openid.net/specs/openid-connect-self-issued-v2-1_0.html
Dmitri Zagidulin:  It only works via the custom URL protocol 
  Handler so it doesn't use HTTP https URLs it uses open ID colon 
  URLs and that's where the the security limitation comes comes in 
  which the siop working group is very much aware of and points to 
  in their specification they said there's a section in the psyops 
  back that says we're really unhappy about this that this approach 
  can lead to fish.
Dmitri Zagidulin:   Fishing can be tuned.
Dmitri Zagidulin:  Here's why unfortunately on this is the fault 
  of Google end and apple mostly Apple.
Dmitri Zagidulin:  When you have more than one application that 
  registers to handle open ID links meaning when you have more than 
  one wallet again.
Dmitri Zagidulin:  The behavior of what happens on when you click 
  to that link is undefined meaning you'd you're not presented with 
  a list of hair pick which wallet to do know it just picks one 
  which means that if some app and any app in the app store can 
  register to handle open ID links so.
Dmitri Zagidulin:  I want to pick up a credential using psyop and 
  I'm expecting that it will end up in my wallet you can instead be 
  intercepted by some random game that I picked up the other day 
  that registered a Handler for open ID and intercepted that call 
  that's the problem and the share she does not have that because 
  on the share sheet you explicitly pick the app that you're 
  sharing it to does that make sense.
<kerri_lemoie> We didn't get to the credential identity topic 
  today but here's a link to the 
  slides:https://docs.google.com/presentation/d/1gL5b59jMjCFIDnyjruIZgZD9ZQVCFuvMp60mMbodUic/edit#slide=id.g11d7d1204ed_0_15
Phil_L_(P1): Yes that makes perfect sense.
Dmitri Zagidulin:  All right so I see yeah I see where the top of 
  the hour didn't get to talk about identity good go ahead Carrie.
Kerri Lemoie:  Yeah and that's that's perfectly fine thank you 
  for watching us through this I think we need this discussion and 
  I hope we come back to it I'm in the chat I put links to the 
  slide so about identity that we will Circle back to so feel free 
  to read those over and preparation and you will get back to it 
  like next month or so and I believe next week actually my looking 
  from this way I think we the DC while I will be presenting the 
  learn to wallet so stay tuned for that okay thank you so much 
  everybody have a great week.
Kerri Lemoie:   Thank you.
<taylor> Thanks Kerri, Dmitri and all :)

Received on Monday, 21 March 2022 21:44:11 UTC