[MINUTES] W3C CCG Credentials CG Call - 2022-11-22

Thanks to Our Robot Overlords for scribing this week!

The transcript for the call is now available here:

https://w3c-ccg.github.io/meetings/2022-11-22/

Full text of the discussion follows for W3C archival purposes.
Audio of the meeting is available at the following location:

https://w3c-ccg.github.io/meetings/2022-11-22/audio.ogg

----------------------------------------------------------------
W3C CCG Weekly Teleconference Transcript for 2022-11-22

Agenda:
  https://www.w3.org/Search/Mail/Public/advanced_search?hdr-1-name=subject&hdr-1-query=%5BAGENDA&period_month=Nov&period_year=2022&index-grp=Public__FULL&index-type=t&type-index=public-credentials&resultsperpage=20&sortby=date
Organizer:
  Mike Prorock, Kimberly Linson, Harrison Tang
Scribe:
  Our Robot Overlords
Present:
  Harrison Tang, John Henderson, Mike Prorock, Leonard Rosenthol, 
  Paul Dietrich GS1, Mathieu Glaude, Razvan Braghesiu, Kimberly 
  Linson, Erica Connell, Lucy Yang, Keith Kowal, Tim Bouma, Daniela 
  Gutiérrez de P., TallTed // Ted Thibodeau (he/him) 
  (OpenLinkSw.com), Drummond Reed, Kaliya Young, Dmitri Zagidulin, 
  Natasha, Nis Jespersen , Will, Joe Andrieu, BrentZ, Mahmoud 
  Alkhraishi, Jeff Orgel, Nikos Fotiou, David Chadwick, Subhasis, 
  Marty Reed, Steve Magennis, Benjamin Collins, Hadrien (IDLab), 
  Manu Sporny, David I. Lehn, James Chartrand, Jean-Francois Blier, 
  Orie Steele, Adrian Gropper, Phil Long, kristina

Our Robot Overlords are scribing.
Harrison_Tang: So hello everyone to the November 22nd w3c ccg 
  meeting today we have a very interesting very full agenda we have 
  a amazing guest Mathieu joining the join us and talk about the 
  topic of obtaining trust and then we also have some other matters 
  to discuss as well so before we start I just want to do some 
  quick IP and call notes.
Harrison_Tang:  so first of all.
Harrison_Tang: Just want to remind everyone the code of ethics 
  and professional conduct reminder there's a link that I sent out 
  in the agenda more or less just want to make sure that we be 
  respectful and acknowledge each other's opinion don’t have to 
  don’t have to agree but just make sure that we ensure 
  psychologically safe environment all right couple IP notes anyone 
  can participate in these calls however all substantive 
  contributions.
Harrison_Tang:  to ccg work items must be a member of the.
Harrison_Tang: CCG with full IPR agreement signed so there's also 
  a link to the agenda I sent out you can click on that to to join 
  make sure you have a w3c account if you have any questions just 
  let one of the co-chairs know.
Harrison_Tang: Couple call notes that meeting minutes and audio 
  recordings are available on a w3c ccg website and we use Jitsi 
  chat and to queue speakers during the call so you have any 
  questions just typing q+ to add yourself to the queue and q- to 
  remove.
Harrison_Tang:  all right.
Harrison_Tang: Any introductions or reintroductions.
Harrison_Tang: If you're new to the community or if you are 
  rejoining the community please feel free to unmute and introduce 
  yourself.
Harrison_Tang: Alright at the end of meeting I'll call out 
  introductions and reintroduction so you're feeling shy and want 
  to prepare a little bit of a couple sentences feel free to do so.
Harrison_Tang: Announcements and reminders.
Harrison_Tang: Kaliya please. Kaliya. I think you might be on 
  mute.
Harrison_Tang: I think it might be an audio issue we cannot hear 
  you.
Harrison_Tang: We can come back to Kaliya later okay. Ted
TallTed_//_Ted_Thibodeau_(he/him)_(OpenLinkSw.com): I just wanted 
  to make a quick note of the credible web community group which 
  seems relevant to today's topic and speaker and anybody who's not 
  familiar with it yet might take a look put the link in the chat.
Mike Prorock: +1 Ted
Harrison_Tang: Thank you thank you Ted. Alright Kaliya
Harrison_Tang: Sorry I don't think I can hear you it might be is 
  it my issue or.
Mike Prorock:  No I think it's not on your side Harrison because 
  I can hear you fine and everyone else fine.
Harrison_Tang: Sounds good so Kaliya.
Harrison_Tang: We can come back to you later sorry about that.
<kaliya_identitywoman> I was going to share that we are moving 
  with an event inspired by IIW - APAC Digital Identity 
  Unconference - March 2-3 - with an opening reception on March 1 
  in the evening in Bangkok
Harrison_Tang: And also I just want to take a moment to 
  acknowledge the VC API thread the complication of the VC API note 
  thread in the community and we invited Brent the co-char of 
  verifiable credentials working group to kind of share a few words 
  so Brent do you mind share a few words with the community.
Drummond Reed: +1
BrentZ: I don't mind at all folks there's enough information in 
  that thread for anybody to read who's interested in doing so I 
  just wanted to you know make a statement as one of the chairs and 
  what it what the situation boils down to is this there's a member 
  of the VC working group who has proposed a course of action there 
  has been discussion about that course of action in the thread.
BrentZ: The chairs and our staff contact are in communication 
  with W3 management to determine what the options are for moving 
  the proposal forward within the scope of our Charter and w3c 
  process the chairs have not reached a determination where we 
  stand on that and but once we do so we will present the VC 
  working group with those options for them to discuss.
BrentZ: Happy to take questions really that's what it boils down 
  to.
Harrison_Tang: Thank you Brent.
Mike Prorock: +1 Brent - thanks
Harrison_Tang: So long story short we're on it so thanks a lot.
Harrison_Tang: Alright and then I think Kaliya has audio issue 
  earlier so I'll kind of read her comments in the chat so she was 
  going to share that we are going to have an event inspired by IIW 
  APAC digital identity unconference on the March 2nd to 3rd so 
  with the opening of reception March 1st in the in Bangkok 
  Thailand so if you're in the APAC region.
Harrison_Tang:  or you happen to be visiting there just feel free 
  to join.
Harrison_Tang: Any other announcements or reminders. Manu
<kaliya_identitywoman> Thanks! I will share registration links 
  when they become avaliable
Manu Sporny:  Yeah hi Harrison just wanted to draw people's 
  attention towards a recent post to the mailing list around 
  Google's browser and fed CM team being interested in exploring 
  native apis in the browser for CHAPI put a link to that in the 
  chat Channel this is really exciting news it came out of the.
Manu Sporny:   The discussions that we.
<manu> Google Browser/FedCM team exploring native APIs for CHAPI: 
  https://lists.w3.org/Archives/Public/public-credentials/2022Nov/0119.html
Manu Sporny:  Had with Sam go to at the internet identity 
  workshop last week they've got any way we work through you know 
  playing there's an issue raised in the FED CM group and this is 
  really about like native open Wallet selection in the browser so 
  Google's actively exploring supporting CHAPI specifically to do 
  that through the FED cm apis.
<mprorock> that would be awesome
Manu Sporny:  I know a number of the chairs were able to kind of 
  chat with Sam at IIW but I'm just kind of formally bringing it up 
  Sam would like to come and present to this group about the FED CM 
  work and how CHAPI could be integrated into that and they have 
  asked this group to come and talk about CHAPI at the FED CM group 
  and I'm in communication with those chairs about that I'll Loop 
  the chairs in.
Manu Sporny:   This group.
Manu Sporny:  But just wanted to one you know say that's great 
  exciting development from IIW last week two shout out to Dimitri 
  who has been on this for a while now trying to make it happen and 
  three please read that issue it's got a lot of exciting 
  screenshots and a native browser demo and all that kind of stuff 
  that's it for me.
<kaliya_identitywoman> can you post a link to the issue - please
Harrison_Tang: Thank you Manu and congratulations and by the way 
  which Sam are you referring to and we can definitely invite him 
  to talk and present.
Manu Sporny:  Put you in touch with him in via email.
Harrison_Tang: Thank you thank you Manu.
Harrison_Tang: Any other announcements and reminders.
<manu> Link to issue: https://github.com/fedidcg/FedCM/issues/374
Harrison_Tang: All right updates on the work items that people 
  want to bring up. Manu please
<dmitri_zagidulin> and issue 240. same repo
Manu Sporny: https://w3c-ccg.github.io/di-eddsa-2020/
Manu Sporny:  Yeah just a quick update on the Ed and I still need 
  to chat with the VC wg chairs about this but in the ccg we have 
  this Edwards curve digital signature algorithm thing I put the 
  link in chat channel to the spec two weeks three weeks ago we got 
  a first.
Manu Sporny:   Public working draft.
Manu Sporny:  Of the data.
Manu Sporny:  Integrity specification out there this community 
  had published a crypto suite for the Edwards curve specifically 
  in July presuming it was going to be pulled into the VCWG working 
  group I have updated that specification to align with the recent 
  FPWD publication and I don't know at this point and will need to 
  chat about this.
Manu Sporny:   In VC wg.
Manu Sporny:  If we need to publish another final community group 
  specification because it's lagged so much or if we can just pull 
  that into the vcwg so just a heads up that there may need to be 
  some more communication between the chairs of VCWG and C CG about 
  this Spec in particular and how and when we can move it into VCWG 
  hopefully that made sense.
Harrison_Tang: Thank you any comments or questions.
Harrison_Tang: All right any other updates on the work items or 
  comment on the work items.
Harrison_Tang: Manu no problem.
Manu Sporny:  I'm sorry we just have a lot of we just have a lot 
  of specs in motion right now status list 2021 is work item in 
  this community group there seems to be support to move that spec 
  into VC working group I have been in touch with a couple of large 
  companies that are still not engaging with ccg but wanted changes 
  to the specification we were waiting for those.
Manu Sporny:  Changes to come in.
Manu Sporny:  Those large organization says have decided that the 
  specification is okay as is and so I think that clears us to move 
  that spec into the vcwg the only challenge they're being you know 
  when we would do that we have not done a final community group 
  specification publication for that document we would need to do 
  that so this is just putting that on the chairs radar as well as 
  something that may need some.
Manu Sporny:   Collaboration between ccg chairs vcwg.
Manu Sporny:  Chairs and the editors to make that happen in a 
  timely fashion that's it I swear that's the last announcement.
Harrison_Tang: Thank you Manu.
Harrison_Tang: Any other updates comments on the work items.
Harrison_Tang: Toward the end of the meeting I'll do a call-out 
  for the introductions reintroductions announcements just in case 
  people haven't had a chance to put that in now let's get to the 
  main agenda so we're very pleased and honored to have Mathieu 
  glaude the host of the SSI orbit podcast and the CEO of North and 
  block today to kind of share his thoughts in regards to attaining 
  digital trust you know I've been kind of an avid listener to 
  Mathieu’s.
Harrison_Tang:  SSI orbit I think a couple.
<mahmoud_alkhraishi> Hi,
Harrison_Tang: Weeks ago he actually interview Drummond in 
  regards to the difference between the agent and the wallet I 
  thought I was a very insightful episode and then also most 
  recently interview Stephen current on the anon-credit so he had 
  the opportunity to actually chat and interview multiple thought 
  leaders in the space and I thought he could actually use this 
  opportunity to share some of his thoughts.
Harrison_Tang:  in regards to how do we kind of collaborate.
Harrison_Tang: together to attain digital trust so without 
  further Ado I’ll let Mathieu take the floor thank you.
Mathieu_Glaude: Great thank you Harrison just want to make sure 
  you could hear me okay before I get into it.
Mathieu_Glaude: Okay awesome so yeah thank you very much for 
  having me here today it is my honor to be here in front of 
  everyone here talking about a subject that we've been thinking a 
  little bit about at northern block recently and decided to turn 
  it into a paper so really the purpose today is to walk you 
  through some of these thoughts this paper is not done we're still 
  working through it I think it's amazing to be able to talk 
  through it with the group here because any feedback that we’re 
  able.
Mathieu_Glaude:  To get and questions whatsoever is definitely 
  what we’re.
Mathieu_Glaude: Seeking and will help us make this a stronger 
  paper and I hope some of the topics that I discussed today kind 
  of resonate with the group here and so as Harrison mentioned I am 
  the CEO of Northern block so we're a company based in Canada and 
  I should be sharing my screen now if I'm not just let me know you 
  should be seeing the PowerPoint slides.
Mathieu_Glaude: Awesome so we're a company that I founded in 
  Toronto in 2017 at the time really doing a lot of software 
  development in the blockchain crypto space we pivoted towards 
  digital Identity or decentralized identity in 2019 because all 
  the solutions that we were really building had a gap in them we 
  were trying to build these decentrally governed systems but there 
  was never a really elegant way to.
Mathieu_Glaude:  to onboard users to.
Mathieu_Glaude: The ecosystem or to the network and if you had 
  compliance needs or you had access management needs or whatever 
  your needs were there wasn't a really good way of doing it 
  without adding some Federation and it was kind of taking away 
  from what we were trying to do and so that got us really going 
  down the rabbit hole of decentralized ID and we got quite excited 
  about where the standards were at across the board where the 
  architecture was heading I think when I first got into the.
Mathieu_Glaude:  blockchain space everyone was trying to stuff 
  everything onto a blockchain and so it was kind of refreshing.
Mathieu_Glaude: To see the movement away from blockchain and just 
  really talking about a different problem that we're trying to 
  solve and then discussing whether or not blockchains make sense 
  at all for specific use cases and yeah so since since 2019 we've 
  been focused on decentralized ID we mainly operate in Canada so 
  we're doing some work with both public and private sector in 
  Canada building digital trust infrastructure and yeah just wanted 
  to shoutout.
Mathieu_Glaude:  there's a bunch of folks on.
Mathieu_Glaude: Here that either were part of organizing IIW or 
  pushing sessions for last week or just folks that were there so 
  that was an amazing event it was actually the first IIW that I 
  got to go to in person beforehand I had only attended the online 
  ones and to be honest it makes me not want to miss another one 
  again so I was really appreciative of all the thought leadership 
  that was pushed forward there and I left every day with a 
  headache trying to rest up for the next day to absorb.
Mathieu_Glaude:  as much as I could so a lot of interesting 
  topics from DIDComm.
Mathieu_Glaude: to open ID for VC to trust over IP to Kaliya and 
  Lucy talking about mdl here and as Harrison mentioned on my 
  podcast SSI orbit I tried to talk to folks like yourselves just 
  to push the conversation forward towards adoption in the space 
  and so actually one person that I knew of but hadn't spoken to 
  Andrew Hughes at that conference he's one of the next guests that 
  will come on the podcast to talk about mdl so I’m quite.
Mathieu_Glaude:  excited about that and if any of you.
<daniela_gutiérrez_de_p.> mathieu@northernblock.io
Mathieu_Glaude: Want to be on or have any topics of Interest or 
  whatsoever please reach out to me after I could leave my email 
  here after actually Daniela you're on the call maybe you could 
  post my email in the chat and then feel free to reach out to me 
  on Twitter or LinkedIn okay so getting to the presentation here 
  let me jump into it so attaining digital Trust.
Mathieu_Glaude:  and so.
Mathieu_Glaude: I'll be talking a lot about public sector or 
  government ID here it's just it's a lens that we’re familiar with 
  based on the work that we're doing and I just want to make sure 
  that if sometimes it comes across that this is the only way 
  forward and the only thing that's needed for the success of 
  digital credentials and privacy-preserving interactions and 
  relationships online that's not what I'm saying here still trying 
  to brush up on some of the language that we’re using here but.
Mathieu_Glaude:  I start off by talking.
Mathieu_Glaude: About kind of gaining National sovereignty in the 
  digital world so we often talk about self Sovereign and take it 
  from the perspective of individuals but it's not only for people 
  right sovereignty is also quite important for nation-states and 
  so as Democratic nation states maintain or one increase their 
  sovereignty it definitely could result in positive Downstream 
  implications on the sovereignty as of us individuals inside of 
  these states so the big first question is.
Mathieu_Glaude:  how does a sovereign nation.
Mathieu_Glaude: Ensure their sovereignty remains in a digital 
  world.
Mathieu_Glaude: And so I think it's clear that tech companies 
  have sovereignty over their digital space I mean they architect 
  the rules the algorithms the data versus in the physical spaces 
  where governments are mostly in charge.
Mathieu_Glaude: If we take an example and go back to that January 
  6th event at the US Capitol in Washington 2021 the response 
  mainly went to tech companies and not the governments right the 
  tech companies were empowered to deplatform the president of the 
  US and there were other platforms that were kind of taken off of 
  their infrastructure like Amazon took off parlor Etc and however 
  you feel about these tech companies or call them social.
Mathieu_Glaude:  media companies then are today.
Mathieu_Glaude: There’s a lot of divisiveness on this and Twitter 
  is a good example of this today but Twitter has digital 
  sovereignty and we've seen this just in the past few days and as 
  they've been reinstating previously banned accounts so whatever 
  opinion you have about their policies no one really voted for 
  these rules they just were able to exert sovereignty themselves 
  and so nation state sovereignty in the digital world remains a 
  pressing topic.
Mathieu_Glaude:  and so in the digital space.
Mathieu_Glaude: Today I'll make the claim that the private sector 
  has moved far ahead of government and again generally speaking 
  and we've seen a lot of activity recently so in early 2021 the 
  prime minister's of Estonia Finland Denmark and Germany called on 
  the EU to speed up digital sovereignty and the creation of a 
  digital single market and so they wrote a letter the four Prime 
  Ministers of these countries wrote a letter that said digital 
  sovereignty means increasing Europe's technology technological.
Mathieu_Glaude: capacity and its ability to establish values and 
  rules.
Mathieu_Glaude: And a technology censored world that's becoming 
  dominated by other countries and they call them European Union to 
  get ahead of the curve in this digital transformation so they 
  talked about putting effectively effectively Safeguard 
  competition and Market access in the Digital Data driven world 
  and that critical infrastructure and Technologies need to be put 
  in place and need to become resilient and secure and so since 
  then we've seen many EU nation states first prioritized.
Mathieu_Glaude:  nationwide digital ID programs stuff coming out 
  of the EU.
Mathieu_Glaude: And stuff coming out of the nation states 
  themselves as kind of a first order of action to increase their 
  sovereignty and so if the first thing kind of the working on is 
  digital ID to gain digital trust that's kind of the hypothesis is 
  that leads to sovereignty from them for them I talked a bit about 
  this on a podcast I see Tim is on the call here did a podcast 
  with Tim and Darryl Donnell God I can't remember when maybe a 
  year ago but.
Mathieu_Glaude:  but just talking about this a little bit.
Mathieu_Glaude: And so with what our economies that are 
  continuing to undergo a shift and a rising share of growth and 
  prosperity is being driven by intangible assets which is kind of 
  non physical assets but ones that have the possibility to 
  generate significant economic value through examples or like data 
  Digital Services brand Equity marketing Etc it's really important 
  to start looking at how digital ID needs to.
Mathieu_Glaude:  to kind of have its place in there.
Mathieu_Glaude: Governments do provide digital ID not digital id 
  the governments provide ID infrastructure and root of trust in 
  the physical world today right like if you want to register a new 
  company you do so on a corporate registry they Define naics codes 
  which basically authorizes your boundaries of how to operate as a 
  business everything's kind of tied to the legal system of the 
  nation state and the same for individuals right we get birth 
  certificates if you emigrate to a country you get an immigrant.
Mathieu_Glaude:  and immigration ID so these are foundational 
  building blocks to enable access to services and.
Mathieu_Glaude: Goods and since we spend most of our time in the 
  digital world at least I know I do and if I had to make a bet I'm 
  sure a lot of the folks on this call do as well and I think 
  there's an expectations that government provide the same level of 
  Trust online that they're able to do in the physical world and so 
  if digital trust will bring sovereignty to States and citizens 
  how do we attain digital trust so I wrote an introduction last 
  year to digital.
Mathieu_Glaude:  trust I shorten the URL here kind of saw this a.
Mathieu_Glaude: Few times at IIW I thought it was pretty cool 
  it's a little bit easier to grab it if you're looking at it but I 
  wrote an introduction to digital trust just explaining it from a 
  very high level and trying to simplify it but now I try to move 
  this discussion forward and really answer the question like what 
  does it mean to ensure trust is baked into these digital 
  interactions and so when we talk about the trust triangle which 
  was covered in this initial post we use.
Mathieu_Glaude:  use jargon called issuers holders verifiers and 
  that's.
Mathieu_Glaude: mapped to the world we have today and we often 
  played these three roles in our day-to-day lives and again I 
  don't think I'm teaching anything new to the folks on this call 
  today.
Mathieu_Glaude: So right an issuer sends a credential to a holder 
  holder could accept or decline it and a holder could then present 
  that credential to whomever they wish with whatever levels of 
  privacy they wish but Within These interactions there's further 
  questions that need to be asked that kind of weren't asked in 
  that original post and for every type of interaction right issuer 
  to holder the reverse holder to issuer or in the same thing on 
  this side so from an issuer standpoint if.
Mathieu_Glaude:  my issuing the credential to the right holder.
Mathieu_Glaude: Is the holder authorized to receive the 
  credential than I’m issuing to them from a holder standpoint 
  there's all sorts of questions like is the issuer who they claim 
  to be is the issuer authorized to issue what they're issuing same 
  thing as the verifier who they claim to be is the verifier 
  authorized to verify and all the way to the verifier standpoint 
  which you could ask questions like the issuer issue the 
  credential to the rights holder is the holder authorized to 
  receive that credential is the issuer who they claim to be is the 
  issuer authorized to issue what they issued.
Mathieu_Glaude:  and these aren't the full lists of questions 
  that should be asked as could imagine we.
Mathieu_Glaude: Want to know other details about credential types 
  or credential schemas wallets used there's all sorts of other 
  questions that you may want to be asking in these interactions 
  but for the purpose of this just trying to take that initial 
  paper on digital trust a step further as it comes to the claims 
  being made by answering these three questions here so one how 
  could I trust any type of claim that is made digitally 
  independent of my role within the trust triangle.
Mathieu_Glaude:  second question is what infrastructure is needed 
  to support this.
Mathieu_Glaude: And the third question is who should build deploy 
  and maintain this infrastructure so we're going to go through 
  these three questions and talk about hopefully I can provide some 
  answers or steps forward in the next few slides and again not all 
  of this is concrete from the thinking still working through a lot 
  of this so this is where again as I'm walking through and if 
  anyone has feedback at the end that would be very valuable.
Mathieu_Glaude: So the first question is what infrastructure is 
  needed so I can trust any type of claim made digitally so when an 
  entity is provided with a claim there's a few things of three 
  other things now that they want to ensure one that the claim 
  hasn't been altered or falsified at any point in time so that 
  could be at presentation or at any other point in time second 
  that the claim has accurate representation and three that the 
  claim is authoritative.
Mathieu_Glaude:  that it has authoritativeness.
Mathieu_Glaude: And so I'm not suggesting that you need to follow 
  these three steps and I think on everything there is needs to be 
  a disclaimer that decisions on digital trust architectures need 
  to always be risk-based and there's no absolute trust that you're 
  ever going to gain simply just a level of assurance that's good 
  enough for your risk profile and so these are suggestions and 
  based on certain risk profiles perhaps you want to ensure these 
  these three things.
Mathieu_Glaude: As I'm going through I'm really only seeing today 
  that the claim hasn't been altered falsified at any point in time 
  I think there's a lot of discussions happening and we saw a lot 
  of them at IIW about these other things here which is great that 
  we're asking these further questions right now I think coming 
  back to nation state sovereignty and infrastructure that's being 
  built really only seeing this happening today.
Mathieu_Glaude: So ensuring a claim hasn't been altered falsified 
  so I'm going to go through these three bullets here so as you all 
  well know through cryptographic proofs we are today able to 
  guarantee to a verifier or to any really person in that trust 
  triangle that the claim being presented is based on unchanged 
  data so we're ensuring that the if it's a credential in this case 
  in the claim being presented to a verifier is the same as the 
  one.
Mathieu_Glaude:  that the issuer issued to the holder and there’s 
  different.
Mathieu_Glaude: implementations of this at Northern block we’re 
  quite familiar with the the hyper Ledger and the Ares anon creds 
  World we've started to do more work in json-ld but just using it 
  within an Ares context just based on kind of where our Market is 
  today and what the demand is for this stuff but I think as I will 
  repeat later in the presentation I think as Manu you said that in 
  one of the sessions at.
Mathieu_Glaude:  IIW I think we could all agree that we’re.
Mathieu_Glaude: Going to be in a.
Mathieu_Glaude: World with different protocols and different 
  technologies that are all kind of playing together based on the 
  use case but so here really we're all we're doing is verifying 
  that the claim or that the data hasn't been altered not really 
  the legitimacy of the data attributes themselves and so the next 
  question really is how do I know the other entity in question in 
  a claim is accurately represented and again from any of the three 
  roles in the trust triangle.
Mathieu_Glaude:  so here I am claiming.
Mathieu_Glaude: For example that the credential that I'm 
  presenting has been issued by XYZ so you may say it's been issued 
  by the government of Ontario so let me verify that it was 
  actually the government of Ontario that issued it to you and 
  again same for any other role in the trust triangle so we're now 
  starting to verify that the data beneath the claim was issued to 
  the holder by an accurately represented identity and that the 
  holder was accurately represented as well so both issuing and 
  accepting parties were duly authenticated.
Mathieu_Glaude:  and so this is a problem that exists in the 
  physical world today as well so if any of the folks here.
Mathieu_Glaude: Have ever had a.
Mathieu_Glaude: Fake ID fake driver's license who falsely 
  represented who issued a document to you and having a did 
  anywhere on Ledger however your implementation doesn't magically 
  solve the issue in the digital world so how do I know that an 
  issuing organization actually owns and remains in control of that 
  did and this is an authentication Challenge and so at the time of 
  issuance as a recipient as a holder of the credential I may have 
  followed different governance models to.
Mathieu_Glaude:  authenticate the identity of the issuer.
Mathieu_Glaude: There's different methods for authenticating for 
  accurate representation again depends on the use case on what's 
  available we're starting to do more work in DNS security right 
  now it's a very good implementation for government credentials 
  because you're able to kind of get a guarantee through the root 
  of trust and the DNS certificates that the ownership of a 
  specific domain such as ontario.ca is actually under the current 
  ownership and control of the province of Ontario and if ever 
  there's a takeover and someone takes over the.
Mathieu_Glaude:  website you'll find out about it in.
Mathieu_Glaude: The DNS security and ever that causes a problem 
  and credentials were issued during that time you could always go 
  back and revoke the credentials that were issued during that 
  period of time but there's other use cases where this DNS 
  security is maybe not the way you want to go and so you can use 
  different authentications Fido authentications you could use 
  Google accounts to authenticate their really depends again you're 
  playing Legos here but we're talking about an authentication 
  problem to ensure a claim as accurate representation so we've 
  kind of taken this.
Mathieu_Glaude:  a step forward and now actually.
Mathieu_Glaude: Have the confidence here that not only is the 
  claim that the claim data hasn't been untouched but the entity 
  they're claiming issued that data to them and.
Mathieu_Glaude: This example is that an entity in real life so I 
  could prove that they actually own the did or I could have 
  assurance that complete proof but Assurance to a certain level 
  that they are in control and own the did and so that moves us 
  then to kind of that third level now I want to see an implicit 
  claim that I have the authority or the other party has the 
  authority to do something so this is the claim that we're trying 
  to resolve now and so for example that the accurately represented 
  issuing.
Mathieu_Glaude:  entity has authoritativeness to.
Mathieu_Glaude: Issue such data to such holder there was a lot of 
  conversations at IIW about how you would go about that a lot of 
  discussions about lists and the type of information that would be 
  in lists and we're starting to think a little bit more how this 
  works for certain interactions but not for others how lists could 
  be useful or trust Registries which is a popular yet that drives 
  confusion term to describe what this does maybe as a good 
  solution for the issuing.
Mathieu_Glaude:  side of things but maybe not.
Mathieu_Glaude: For getting authoritativeness on the verifier 
  side of things or even the holder side of things but that's a 
  whole other discussion but until you get to this third level you 
  can't reach complete and I'll put brackets complete relative 
  digital trust in a transaction and again there's another podcast 
  I did with Daryl O’Donell on this recently that you could listen 
  to if you're interested in trust Registries but it's definitely a 
  concept that seems to be growing in popularity.
Mathieu_Glaude: But I Envision the user experience of trust.
Mathieu_Glaude: Registries are however we want to call this being 
  similar to your browser telling you that the website maybe is not 
  secure because it doesn't recognize the certificate so it's going 
  to have to be a little bit of ux built in here and yeah there's 
  obviously different conversations about governance as code and 
  other implementations as well so again not not pushing an agenda 
  on any specific implementation here and so these three.
Mathieu_Glaude:  questions come back here.
Mathieu_Glaude: So if we have confidence that the claim hasn't 
  been altered falsified that the claim has accurate representation 
  the claim has authoritativeness it should give us the relative 
  trust to say that yeah this is enough infrastructure that I need 
  to put into place so that I could trust any type of claim that is 
  made digitally which leads me to the second question is what ramp 
  is needed to maximize or what on-ramp is needed to maximize the 
  benefits of this infrastructure.
Mathieu_Glaude:  these three layers that we just talked about so 
  how could we bootstrap.
Mathieu_Glaude: This thing if we have the infrastructure but no 
  digital ids or no foundational digital IDs it's kind of like you 
  build a road give a bit of an analogy to the roads here I like to 
  use that example because roads our infrastructure kind of leads 
  into digital identity should be infrastructure but it's like you 
  build a road but with no ramps like how will cars or trucks get 
  onto the road without the ramps so the first question that we 
  talked about about the infrastructure here this is kind of more 
  about the roads.
Mathieu_Glaude:  and this question here is more about the ramps 
  to get onto the road so I hope.
Mathieu_Glaude: That's a decent enough analogy but the question 
  becomes what ramp or what ramps are needed to maximize the 
  benefits of that infrastructure.
Mathieu_Glaude: So if you look back at a moment in history where 
  after Eisenhower became the president of the u.s. in 53 and he 
  had gotten this idea from looking at Germany's Reich Autobahn 
  system the highway system he pushed forward an investigation and 
  then an investment to build an interstate highway system and this 
  is a quote from the appointed.
Mathieu_Glaude:  General.
Mathieu_Glaude: General Lucius d clay who has put in this 
  investigation for the highway system whose and I think there's a 
  lot of parallels to digital ID here is that he said “it was 
  evident we needed better highways we needed them for safety to 
  accommodate more automobiles you needed them for defense purposes 
  if that should ever be necessary and we needed them for the 
  economy not just as Public Works measure but for future growth” 
  and so they started building this interstate highway system in 56 
  and this is responsible.
Mathieu_Glaude:  for today's Trucking industry for suburbs today 
  for gas stations.
Mathieu_Glaude: Motels the the road trips so this national 
  network this highway system was built to move goods and people 
  around and so just like roads are public good digital identity 
  needs to be a public good as well the Reliance in our everyday 
  lives on proof of presence proof of age proof of address proof of 
  Eligibility which eligibility to drive or to get Healthcare 
  Services these are all driven by government.
Mathieu_Glaude:  differently in different.
Mathieu_Glaude: Nation States but they're all driven by 
  government so there these are basically the outcomes of being 
  able to access the road through a ramp right and so to access the 
  this interstate highway system or to access this infrastructure 
  we need foundational digital identity which is the ramp and so 
  who is providing the infrastructure and the ramps to the 
  infrastructure so I’d argue and again pulling it back to the 
  start of the conversation about digital sovereignty.
Mathieu_Glaude:  for a nation I would claim its more important.
Mathieu_Glaude: Or it’s the same level as the highway system and 
  you need it for safety you need it for defense you need it for 
  the economy it kind of fits perfectly here one model that I found 
  very useful in the past and there's there's some folks here from 
  the trust over IP Foundation but it's been helpful in the past to 
  kind of walk people through how you would build digital trust 
  infrastructure through this it's basically a framework that adds 
  a governance layer across the technology side of things.
Mathieu_Glaude:  so the governance and policy questions are the 
  ones that need to be.
Mathieu_Glaude: Answered in order to drive business legal social 
  acceptance again it really depends on the governance and the 
  ecosystem you're seeking but for ecosystems that require legal 
  business social governance it's been it's been a good model and 
  recently there's been an enhancement to this model or I don't 
  know if I'd call it enhancements but a new kind of way or 
  framework of looking at digital trust and it was documented in.
Mathieu_Glaude:  in the new technology.
Mathieu_Glaude: Architectural specifications I know Drummond on 
  this call was one of the key folks behind that but we look at 
  this hourglass model and so it's based on The Hourglass model 
  that is used for the internet and much of the success of the 
  internet today is attributed to this design which in which the 
  spanning layer protocol here maximizes interoperability by 
  providing a common way for the higher levels to communicate with 
  the lower levels.
Mathieu_Glaude:  so this would be.
<drummond_reed> First public review draft of the ToIP Technology 
  Architecture V1.0 Specification: 
  https://trustoverip.org/news/2022/11/14/toip-tech-arch-first-public-review/
<harrison_tang> thanks!!
Mathieu_Glaude: IPV4 in the internet today and the design of the 
  trust binding protocol should be very thin very simple not get in 
  the way of anything else that could be functions on top of it and 
  what I again what I really like about this model is it makes it 
  more use case and Technology agnostic like for example it's 
  removed the need for public utilities which was kind of a base 
  layer here where we would.
Mathieu_Glaude:  often talk about blockchains or.
Mathieu_Glaude: It even removes the focus on use cases where we 
  know that trust tasks protocols don't have to be credential 
  exchange they could be all sorts of things but this model kind of 
  just makes it a little bit more vanilla and you could kind of 
  apply what you're trying to do what you're trying to achieve into 
  it and this was another discussion that was quite interesting at 
  IIW to see how open ID for verifiable credentials and psyop in 
  these types of things could fit into this model and it seems like 
  there is.
Mathieu_Glaude:  it's a nice fit so it’s a nice.
<drummond_reed> The ToIP conceptual diagram needs to be updated 
  now that that the ToIP Technology Architecture V1.0 Specification 
  is out.
Mathieu_Glaude: Model okay we could get into this might run out 
  of time but could get into this in a future conversation so if I 
  go back to my claim about foundational IDs being the ramp to the 
  infrastructure needed for digital trust and I map it against this 
  model I could see that two out of the three supporting systems 
  are not really at started to support foundational ids or at least 
  from our vantage point we're not seeing them right and these were 
  the three.
Mathieu_Glaude:  things that we're trying to answer.
Mathieu_Glaude: Of getting cryptographic proofs accurate 
  representation and then authoritativeness there's some good 
  Traction in different places in the world around having utilities 
  that allow us to verify cryptographically the dids of issuers 
  that's why I put a yellow like in Canada there's the candy 
  Network that is implemented across different provinces and in 
  Europe there's different networks as well so.
Mathieu_Glaude:  we are seeing traction here but not really 
  seeing much.
Mathieu_Glaude: Traction or standardization across these two 
  other ones there's a lot of conversations about it but not really 
  seeing this if this is truly needed to support foundational IDs 
  and I think the support like the hardware certain infrastructure 
  I put this green like this could be different communication 
  protocols like didcomm is a good example and maybe isn't fully 
  green yet because it maybe doesn't meet all the criteria but the 
  point I'm trying to make is this is all pretty.
Mathieu_Glaude:  defined mature done it's not like a big problem 
  we.
Mathieu_Glaude: Have to solve for to issue foundational ideas the 
  foundational IDs here in yellow are kind of in progress and 
  really without these three things it's going to be a little 
  difficult to achieve digital trust in the exchange of 
  foundational ids which I will claim will be foundational to a lot 
  of our interactions online so I'm not saying that every did or 
  identity that exists needs to have a foundational id behind it 
  I'm also not saying that like.
Mathieu_Glaude:  non goverment people can't just issue ids.
Mathieu_Glaude: But for certain levels of trust to be there you 
  need a foundational identity so it's almost like with your other 
  verify my Google account or my that verified that I have a valid 
  SIN number in a specific country so this kind of answer is what 
  ramp is needed to maximize the benefits of the infrastructure 
  which takes me to the last question here will be wrapping up 
  shortly I'll try to leave about 10 minutes for a conversation and 
  questions and.
Mathieu_Glaude:  we'll definitely value anyone.
Mathieu_Glaude: Reaching out afterwards but the question of who 
  should build deploy and maintain this infrastructure so similarly 
  I think the reason government has to create the digital 
  equivalent of what they have in the physical world is they need 
  to create the infrastructure and the ramps that we talked about 
  and the infrastructure being this and then the ramp so that you 
  could access foundational ID governments the source of Truth for 
  these things they offer today like I said as a.
Mathieu_Glaude:  public good in the physical world now they need 
  to do it digitally.
Mathieu_Glaude: It will allow them to protect their sovereignty 
  and enhance the sovereignty of their citizens will should if 
  built right give that agency to their citizens and many of their 
  interactions will protect them from frauds identity take over as 
  phishing attacks all of these things that happen way too 
  frequently today so every time I kind of go to a cyber security 
  conference and see all of the vendors that are selling Solutions 
  there and that whole Space is growing like crazy although there's 
  more and more money being.
Mathieu_Glaude:  poured into that space it’s just.
Mathieu_Glaude: Foundationally not solving the problem it's like 
  we're trying to stick Band-Aids on a cut that is way too big.
Mathieu_Glaude: So digital ids created today by the private 
  sector I mean there's different you could think of different 
  types of IDs like my emails and ID my bank account could be an ID 
  my operating system perhaps gives me an ID but I don't have a 
  government digital ID and so if we’re talking about you know 
  digital interactions and digital transformation we don't have a 
  foundational ID from the government I don't see how that makes 
  sense and so there needs to be a carved out place in the digital 
  world that.
Mathieu_Glaude:  governments own again in the physical space 
  there are things.
Mathieu_Glaude: They own and so it's about doing it in the 
  digital space and the questions here why won't the private sector 
  build the foundational ID it's just not in the interest of the 
  private sector to build it or not in the business of public good 
  or communities good for everyone they do build some 
  infrastructure like here in Toronto where I live there is a 
  highway system 407 that is a toll road I know there's a lot of 
  toll roads in the US and in other countries throughout the world 
  but they have a commercial trust.
Mathieu_Glaude:  right they keep the roads nice for profit to 
  continue making money not for public.
<kaliya_identitywoman> NSTIC in the US there was an attempt to 
  make this happen - getting the private sector to issue digital 
  IDs that could be "trusted" but it got mostly no-where
Mathieu_Glaude: And if I'm going to use like lists or 
  infrastructure as a way to create digital trust that can't be 
  defined by the private sector they just have different incentives 
  in there could be biases and I'm not saying the private sector 
  needs to sit and wait I mean knowing how wide to build a road 
  lane can only be known if you kind of know the width of the cars 
  that you need to support so definitely not saying this is just 
  sit and wait just think there needs to be more collaboration but 
  the.
Mathieu_Glaude:  really the infrastructure that I'm talking about 
  today should be driven.
Mathieu_Glaude: By the public sector and then why Big Tech 
  shouldn’t build it well this is where I mentioned Andrew Hughes 
  on the mdl side I'm just curious to go a little bit deeper into 
  some of maybe Lucy and Kaliya with your work on mdl would be 
  interested to just know a bit more kind of about some of the the 
  context and the walled Gardens that apple is able to apply and 
  apple basically telling government's what to do because 
  government doesn't own it and this really definitely impacts 
  their sovereignty which is.
Mathieu_Glaude:  the whole reason why governments are investing 
  in digital id programs.
Mathieu_Glaude: So Big Tech shouldn’t be doing it and then why 
  kind of non for profits or communities I don't think open 
  communities are driven towards consensus for specific country and 
  like they’re Global which is positive in many aspects they’re 
  principle driven which is amazing and different aspects but 
  sometimes it's also tough to have timelines and specific mandates 
  it's more more general not for not for a specific nation state 
  and so because and that's where I get to the end here.
Mathieu_Glaude:  which is still being worked on but why does it 
  make sense for government to buid this.
Mathieu_Glaude: Infrastructure well because it's infrastructure 
  it can it can not monetize itself independently it's an 
  investment which only the government can make and because it's 
  not a use case it enables the use cases to be driven by the 
  private sector mostly in a an unbiased decentralized environment 
  where there's not any proprietary biases so this is where we 
  think and governments are building this and working towards it 
  we're just trying to.
Mathieu_Glaude:  to paint kind of what else needs to happen and 
  who.
Mathieu_Glaude: Needs to build deploy and kind of maintain this 
  infrastructure that we're defining here and again I think 
  everything is about adoption business use cases and we really 
  feel like this is a crucial crucial piece to build and why the 
  government should build it and once they do we feel like adoption 
  will just automatically happen like like it has on the highway 
  systems and so with the taxpayer money we pay and.
Mathieu_Glaude:  I don't know 90% of the time.
Mathieu_Glaude: During the day that is.
Mathieu_Glaude: Spent in the digital space I think there's more 
  value we could we could get for that so there you go I'm at the 
  end of this presentation there's nine minutes left I'm going to 
  stop here I hope this was interesting or enjoyable or both and I 
  welcome questions and feedback and thank you.
Harrison_Tang: Thank you Mathieu Adrian.
Adrian Gropper:  Yes yeah this was interesting and enjoyable 
  foundational ID typically in the non digital space involves 
  Biometrics but you did not mention Biometrics at all in this 
  presentation at least not that I heard and I'm sort of curious as 
  you envisioned this digital public good which I completely agree 
  with you.
Adrian Gropper:  What do we as a Tech Community have to do 
  relative to biometrics in order to promote your vision.
Mathieu_Glaude: I I will say that I'm not the right person to 
  answer this I would love to work with folks that are more 
  familiar with the space because I'm not in we don't spend much 
  time there but I think it's an area that was missed and should be 
  touched on but I don't have any answers right now.
Jeff Orgel: +1 Great perspective on the political optics. Well 
  brought to this community. Very nicely portrayed.
Harrison_Tang: Thank you David.
Mathieu_Glaude: Yeah I guess same comments I’m not familiar with 
  that only to go look and see if it conflicts with what I said 
  here that this is something that we’ll definitely have to go look 
  at I think an there's one of the I think Tim bomaye shared that 
  on Twitter yesterday like that just a list of resources and stuff 
  I think we often just struggle to line everything altogether and 
  incorporate everything but that's something.
Mathieu_Glaude:  that we’ll definitely look at it as well on top 
  of the biometrics.
Phil Long:  Thank you yes thank you can you hear me okay thank 
  you Mathieu this was a really interesting presentation I'm 
  curious though about your analogy to the highway system is so far 
  as the parallel to that digitally of course is the internet not 
  necessarily the web but the internet and it was funded largely by 
  federal funding.
Phil Long:   With support from Federal agencies.
Phil Long:  But in collaboration with private sector and to this 
  day it is principally run by the private sector and so I'm 
  curious how the analogy stays together or whether there is 
  something distinct in the digital world which opens opportunities 
  for other players to have an ongoing role.
Mathieu_Glaude: That’s an interesting comment I’ll have to think 
  about that one as well I don't have trying to form the right 
  analogy probably not perfect so far but we'll have to include 
  that as well.
Harrison_Tang: And Mathieu I have a clarification questions 
  earlier you mentioned that government should be building the 
  identity infrastructure because it's a public good now just to 
  clarify are you referring to a government building the issuance 
  infrastructure as the issuer and or trust Registries or 
  verifiable data Registries and or wallet and or like no verifier 
  infrastructure why are you referring to the entire infrastructure 
  or.
Harrison_Tang:  were just talking about a certain parts of it.
Mathieu_Glaude: I'm not necessarily talking about the solutions 
  that are used to execute the trust tasks whether it's the 
  issuance of the foundational id or whatever it is I think it's 
  just the governance around these things and part of the 
  governance that I was like having a verifiable data registry to 
  manage governance around who could issue what type of thing on 
  this network that's kind.
Mathieu_Glaude:  of one of those supporting.
<phil_t3> @Kaliya your hand is up but you're not in the queue.
Mathieu_Glaude: Pieces that there are other other supporting 
  pieces of how authentication should be done based on different 
  risk profiles and the same thing with how Authority should be 
  established these are the types of governance pieces that when I 
  say they need to own not necessarily own the end implementation 
  of it but own the architecture and the design of it and then the 
  rules around it.
Mathieu_Glaude: I know there's push and different jurisdictions 
  like the EU for example that nation-states will each push their 
  wallet forward I'm not convinced that that is the the the 
  approach that is going to be a long-term approach for the growth 
  of this stuff I think that we're seeing a lot of nation-states 
  push their own wallets forward just because they're trying to 
  figure out where their boundaries are and what they want to 
  control and what they don't want to control I’m.
Mathieu_Glaude:  not saying in this presentation that governments 
  need to own the wallets need to own.
Mathieu_Glaude: Issuer services and stuff like that again it's 
  contextual to what the government wants to do but I don't think 
  that that is the crucial piece in establishing digital trust with 
  a foundational ID.
Harrison_Tang: Thank you any other question.
Harrison_Tang: Yeah I just I just want to make a comment I think 
  Mathieu you bring up good points and raise good questions like 
  especially the questions around accuracy like hit a chord with me 
  because you know at Spokeo we are trying to determine data truth 
  and accuracy and the truth is you cannot actually depend on one 
  single issuer like even government agencies like for example 
  birth information government agencies has different.
Harrison_Tang:  accuracy levels and.
Harrison_Tang: Historically it's been established that the DMV is 
  the best source right now not SSN and things like that so so I 
  thought the accuracy question is quite important and very very 
  thoughtful for this entire Community to think about because if 
  accuracy and Truth is just what the majority says like blockchain 
  then the Earth will always be flat because at some point human 
  history the majority of human race believe that Earth is flat 
  right so I so I think it is a very very good question.
Harrison_Tang:  and I think a very thoughtful provoking question 
  for myself.
Harrison_Tang: And I think for a lot of us.
Mathieu_Glaude: I appreciate the questions I think this still 
  trying to figure out I feel like there's good things being talked 
  about in this paper just there's some things that need to gel 
  better together but I really appreciate we're going to consider 
  how Biometrics thanks Adrian for that how that fits in and then 
  the Kim Cameron laws of identity fits and even the road analogy 
  of maybe at times it was rightly used or wrongly used but just.
Mathieu_Glaude:  to make sure if we’re using.
Mathieu_Glaude: That analogy that it's it fits tightly to what 
  we're trying to say.
Harrison_Tang: Cool thank you so we only have about two minutes 
  so I just want to say thank you again Mathieu for sharing your 
  insights and your upcoming paper you raise a very good questions 
  and I just want to take a moment to thank you for taking the time 
  to preset at w3c ccg.
Mathieu_Glaude: My pleasure thank you very much for for having me 
  here it was I was lucky to present to the group here so thank you 
  very much.
Harrison_Tang: All right so any last introductions announcements 
  reintroductions or reminders.
Harrison_Tang: Okay so I think a quick preview of what's coming 
  so next week we'll have open discussions around decentralized 
  social media I'll send out the agenda there's a little change in 
  the agenda will have a plugfest recap in the beginning of January 
  and then next week we'll have a decentralized social media 
  discussions and then the week after that we'll have ….  to talk 
  about use of VC's and dids in the government.
<kaliya_identitywoman> Thoughtful Biometrics Workshop! 
  https://www.thoughtfulbiometrics.org Feb 13-17
Harrison_Tang:  all right thank you.
Harrison_Tang: Have a good one.
<daniela_gutiérrez_de_p.> Please don't hesitate to reach out to 
  Mathieu at mathieu@northernblock.io. Thank you for having us!
Harrison_Tang: And Happy Thanksgiving to to those in the States 
  thanks.
<phil_t3> Good discussion.

Received on Wednesday, 30 November 2022 11:36:46 UTC