[MINUTES] W3C CCG Credentials CG Call - 2023-08-15

Thanks to Our Robot Overlords for scribing this week!

The transcript for the call is now available here:

https://w3c-ccg.github.io/meetings/2023-08-15/

Full text of the discussion follows for W3C archival purposes.
Audio of the meeting is available at the following location:

https://w3c-ccg.github.io/meetings/2023-08-15/audio.ogg

----------------------------------------------------------------
W3C CCG Weekly Teleconference Transcript for 2023-08-15

Agenda:
  https://www.w3.org/Search/Mail/Public/advanced_search?hdr-1-name=subject&hdr-1-query=%5BAGENDA&period_month=Aug&period_year=2023&index-grp=Public__FULL&index-type=t&type-index=public-credentials&resultsperpage=20&sortby=date
Organizer:
  Mike Prorock, Kimberly Linson, Harrison Tang
Scribe:
  Our Robot Overlords
Present:
  Mike Prorock, Anil John, Harrison Tang, Tim Bouma, Erica Connell, 
  Hiroyuki Sano, Japan, TallTed // Ted Thibodeau (he/him) 
  (OpenLinkSw.com), Gregory Natran, Joe Andrieu, Kerri Lemoie, Nis 
  Jespersen , Ted Thibodeau, Greg Bernstein, Paul Dietrich GS1, 
  Jeff O - HumanOS, Kaliya Young, Marty Reed, Manu Sporny, Dmitri 
  Zagidulin, Bob Wyman, Leo, Andres Uribe, Eric Sembrat, David 
  Chadwick, Wendy Seltzer, TBouma mobile, BrentZ, Benjamin Young, 
  Phil Long

Our Robot Overlords are scribing.
Mike Prorock:  And we can begin so hello all and welcome to the 
  ccg weekly meeting today is Tuesday August 15th and we are 
  getting together today to talk about notably the digital 
  credential wallet and verifier solicitation recently has gone out 
  from DHS S&T, Anil John graciously with us today to talk about 
  some of that and then answer questions for the community just a 
  quick reminder that.
Mike Prorock:   That we do abide by a code of ethics and.
Mike Prorock: https://www.w3.org/Consortium/cepc/
Mike Prorock:  Conduct I will put a link to that in the chat just 
  in case folks are not familiar with it but it's the basic rules 
  of be kind to one another right by and large this community 
  abides by that it's great the slides for today have been posted 
  to the mailing list if you don't have them they are up there a 
  note that anyone can participate in these calls however if you 
  are contributing to an actual work item like City write in code 
  or.
Mike Prorock:   Writing a report.
Mike Prorock: https://www.w3.org/community/credentials/join
Mike Prorock:  Things like that in any kind of substantive way 
  you do need to be a member of the ccg and that is free I've put a 
  link to that there that is primarily in case you are new to this 
  community for IPR reasons we don't want contributions coming in 
  that someone later tries to claim intellectual property 
  rights over and things like that because that has been 
  problematic to standards and open source more bodies past minutes 
  and meaning of this will be posted to our GitHub.
Mike Prorock:   A quick note of operations we do use the jitsi 
  chat which is also linked to the iirc.
Mike Prorock:  EG on the w3c IRC for managing the meeting so the 
  transcriber dumps all of our minutes excessively into that chat 
  unfortunately but also probably more importantly we take 
  questions and answers I will be monitoring that for folks that 
  when I ask a question so if you want to ask a question or make a 
  comment type the letter Q followed by a plus sign and add 
  yourself to the queue optionally with reminder.
Mike Prorock:   And if.
<mprorock> "type “q+” to add yourself to the queue, with an 
  optional reminder, e.g., “q+ to mention something”. The “to” is 
  required."
Mike Prorock:  Off you just reverse the plus sign to a minus and 
  I will paste those instructions right here sometimes.
Mike Prorock:  Well for the transcriber or not always the same as 
  they actually are in practice quick pause for introductions and 
  reintroduction so anyone new to this call never been here 
  before or changed affiliations recently and wants to reintroduce 
  themselves or introduce themselves to the first time in this 
  community pause.
Mike Prorock:  Get the hand raised or come off Mike whatever 
  you're comfortable with.
Mike Prorock:  Cool so we all know each other then want to take a 
  second pause and just see if there are any announcements or 
  reminders from the community.
Kaliya Young: 
  https://docs.google.com/document/d/1j_RWhWjOYevTdmMorZkEPcu0c4r7MVTBu1RRxd35NmM/edit
Kaliya Young:  The internet identity Workshop coming up October 
  10 to 12 and as I'm preparing for that I actually just posted 
  to the list yesterday a request for help if people would like to 
  contribute or working on putting together a online memorial for 
  community members who passed and.
Kaliya Young:  Of that for sort of placement at all future IIWs 
  I kind of did a makeshift for one for the last day of the last 
  IIW but it wasn't particularly beautiful so I'm seeking 
  creative talent and writing talent to help get the bios of folks 
  together I put a link to the BIOS or sort of links to information 
  about.
Kaliya Young:   Out the.
Kaliya Young:  Asked in the community let me know if I've missed 
  anybody.
Kaliya Young:  And also would love you know some this is a good 
  low hanging fruit way to help the community right kind of 
  community obituary of a few paragraphs few sentences so would 
  love help in both regards to physical.
Kaliya Young:  Helping make the physical Memorial beautiful and 
  also helping with online create web page on the IIW site.
Mike Prorock:  Awesome thanks Kaliya Erica Connell you are up.
Erica Connell:  Hello everybody this is Erica and I just wanted 
  to give you a reminder that a rebooting the web of trust is also 
  coming up September 18th to the 22nd this year will be convening 
  in Cologne Germany and I'll put a link to the Eventbrite in the 
  chat thanks.
Erica Connell: https://rwot12.eventbrite.com/
Mike Prorock:  Awesome Manu I believe you are next.
<manu_sporny> CHAPI Playground's Latest Update - Multi-Credential 
  Verification - 
  https://lists.w3.org/Archives/Public/public-credentials/2023Aug/0017.html
Manu Sporny:  Hey Mike thanks um two announcements one of them is 
  around the Credential Handler API playground the CHAPI Playground 
  just a week ago or so we added multi credential verification to 
  the playground so this is something that's being used in the 
  Jobs for the Future plugfest number three we had multi issuer you 
  know support in there we've added.
<dmitri_zagidulin> Mars Needs Verifiers!! (seriously, vc-api or 
  OID4VP verifier implementers, you should totally add yourselves 
  to the CHAPI Playground)
Manu Sporny:  Support and now you can do multi-shot credentials 
  in a verification so I put a link to that announcement kind of 
  instructions on how you can test that out we do also have a 
  number of other kind of upcoming improvements to the playground 
  including things like support for OID4VCI so the OpenID 
  stuff so that will be the first time the playground.
Manu Sporny:   It's multiple protocols.
<mprorock> yay OIDC!
<manu_sporny> Initial test suites ready for VCDM v2.0, Data 
  Integrity, ECDSA, and EdDSA -- 
  https://lists.w3.org/Archives/Public/public-credentials/2023Jul/0056.html
Manu Sporny:  Talking with people about putting DIDComm protocol 
  support in there as well and you know there's some discussion 
  happening on the mailing list on that so that's the CHAPI 
  playground update for today the other heads up to the group is we 
  had moved over some of the test Suites that were worked on in 
  this community for.
Manu Sporny:   Verifiable credential data.
Manu Sporny:  Integrity ECDSA EdDSA those have now been fully 
  moved over to the verifiable credentials working group in have 
  been updated so they are now fully operational in the verifiable 
  credentials working group if you like integrating with bleeding 
  edge test Suites please reach out and ask to add yourself we have 
  had a couple of people from the community like Trinsic was the 
  latest one that added them.
Manu Sporny:   Selves to various tests.
Manu Sporny:  And so we will do the test Suites will be 
  increasingly locked down towards the end of September and that's 
  when we'll make the general announcement to like participate in 
  the test Suites most likely but if you want to kind of just get 
  the mechanics of integrating with the test Suites let us know we 
  are actively working with multiple different organizations to 
  integrate them in there that's it.
Manu Sporny:   I was the.
Mike Prorock:  Awesome thanks Manu and it's good to see 
  multiple protocols coming in so that's awesome and I think Anil 
  has an announcement as well.
Anil John: https://www.iab.org/mailman/listinfo/identity-discuss
Mike Prorock: +1 WHODIS <- needs eyes
Anil John:  Thank you Mike I'm just a quick note on the internet 
  architecture board has you know started a new list on for 
  identity discussions they want to discover what protocols and 
  Technologies and work that is going on in Internet identity and 
  what are the gaps out there I know that there is a tendency in a 
  variety of SDOs and Community groups to sort of stay in your own 
  Silo this may be worthwhile at.
Anil John:   A minimum to subscribe to and listen and.
Anil John:  As often there are definite blind spots for the 
  people who are sort of you know talking about the work that 
  they're not aware of other work that is going on I was amused by 
  the discussion on somebody brought up SAML and somebody was not 
  sure how prevalent it was I thought it was amusing so things like 
  that right so check it out check out the archives and you may 
  want to you know at least Monitor and make sure that.
Anil John:   The work everyone is doing at the w3c.
Anil John:  That is related to Identity are also you know broadly 
  socialized with the broader community that is that is that the 
  you know that is working through the IAB as well.
Mike Prorock:  Thank you Anil for bringing that up yeah 
  definitely it's been interesting um and I was actually very glad 
  at the last IETF when some of those initial conversations were 
  going on that Kaliya and a few others from this community were in 
  the room because there might have been a perception that identity 
  might not have been as complicated as it sometimes tends to get.
Mike Prorock:   With that.
Mike Prorock:  Um let me see if there are any other I think 
  that's it for announcements so with that Anil I'm going to pass 
  it over to you and just let me know when you want me to advance 
  slides and my screen should be up momentarily.
Anil John:  Thank you Mike good morning good afternoon good 
  evening good night whatever the time zone that everybody is in 
  thank you Carrie Mike and Harrison for the invitation to come and 
  chat with the ccg community here for whatever reason my work 
  laptop you know the ccg link is absolutely blocked or my work 
  laptop and of course.
Anil John:   As I tested.
Anil John:  Up top and it just so happens jitsi seems to have 
  problems with brave at least on sharing so so Mike was kind 
  enough to take the slides and present it so first and foremost 
  I'm hoping that this is going to be mostly you know you know 
  questions that you might have after obviously you've you know 
  read the solicitation I'm not going to go over I'm going to give 
  a very high overviews primarily because I'm going to point you to 
  this this Friday we are actually going.
Anil John:   To have a.
Mike Prorock: 
  https://sri-csl.regfox.com/svip-digital-wallet-industry-day
Dmitri Zagidulin: 
  https://sri-csl.regfox.com/svip-digital-wallet-industry-day
Anil John:  Today it is available both in person in Birmingham 
  Alabama as well as remotely over Zoom it is free to attend and 
  we are very happy with the particularly with the online 
  registration so far but you do need to register so that you can 
  get the link and things like that so by all means if you're 
  interested in this topic and what is going to be much more I 
  think relevant to you is my program.
Anil John:  And within DHS does not just work on random stuff 
  that we think is a great idea right so we actually are driven by 
  trying to shape the technology that our business unit see as 
  important to them so in this particular case the primary drivers 
  for this solicitation which we call a call it is just internal 
  terminology is US Customs and Border Protection and US 
  citizenship and Immigration Services.
Anil John:   To the old.
Anil John:  The US government that have been around as long as 
  America has been around dealing with cross-border trade tourism 
  travel and immigration as well as a DHS privacy office they are 
  the primary drivers and customers for this work so you're going 
  to be hearing directly from them during the industry day so by 
  all means you know come and join us next slide please.
Anil John:  We have this this this is not my first rodeo with the 
  ccg so you know that we've been doing work in this area for a 
  long while everything from you know funding what eventually 
  became decentralised identifiers standard at the w3c to helping 
  to you know bring our use cases and our needs to the work that is 
  going on and that went into you know.
Anil John:   No verifiable credentials one point.
Anil John:  One and hopefully 2.0 as well so this is not new for 
  us so back into you know 2018 you know we are asking you rob a 
  happy with this sort of situation that we had back in the day we 
  have seven companies that are in our portfolio that was selected 
  very competitively from a global global cohort you know many of 
  them so I won't repeat repeat any of that in general though we 
  are comfortable with the.
Anil John:   The in particular with the issuance infrastructures.
Anil John:  That those companies have built out that are 
  completely standards based using w3c standards and things like 
  that and you know this if you heard me speak previously right my 
  comment always when people ask me about digital wallets and 
  things like that has always been hey we don't have a digital 
  wallets Play We want you to bring your own wallet to the table we 
  want to make sure there is a way to sort of understand the 
  security.
Anil John:   30 Privacy.
Anil John:  Interoperability aspects of those wallets and we you 
  know we don't see ourselves being in the digital wallet you know 
  playing field in a lot of ways other than being a consumer of it 
  fast forward to now and that has actually changed for a couple of 
  reasons right one of them is we are seeing what you know our Hope 
  was that obviously the all pieces of the.
Anil John:   You know.
<mprorock> link to slides if you need them (this is also on the 
  list)
Anil John:  Party identity model whether it is the issuer the 
  holder and the wallet and the verifier would sort of mature along 
  and move along in a consistent way and what we are seeing is that 
  it is not right so there's a whole bunch of work that is 
  obviously going on on defining what the data model to represent 
  the payload that is moved around is and given that we are the 
  identity community and we specialize in Reinventing.
Anil John:   Eating ways.
Anil John:  Things from point A to point B that is a whole slew 
  of protocols that are coming on board and being matured in order 
  to move things from point A to point B we consider ourselves a 
  from both as an issuer and as a verifier there is a significant 
  Gap that's going on here where there's a lot of hand waving 
  that's going on what our if a wallet comes to a front door how do 
  we as an issuer verify and have confidence.
Anil John:   Evidence in the capabilities that that wallet has.
Anil John:  In how they are protecting the information how they 
  are you know making sure that the in that information that is 
  there is indeed something that is managing the Privacy respecting 
  manner it is it is fully under the control of that person that is 
  as you the holder of that wallet and things like that and we are 
  really we are actually frankly disappointed in the the.
Anil John:   The amount of work.
Anil John:  What is going on in that area compared to all of you 
  obviously all of the excitement the drama and the politics around 
  the protocols and the payloads so we spoke internally 
  particularly now that the people side of Customs and Border 
  Protection have come on board so what I what I mean by that is in 
  this solicitation back into a DAT I had Customs and Border 
  Protection is one of our primary customers but that was the US.
Anil John:  Global trade facilitation side of it right so these 
  are the people who are interested in digitizing cross-border 
  trade documents they were not in the these are not though they 
  are not the people that you encounter when you land in a port of 
  entry whether it is air land or Sea and the blue uniform person 
  who greets you is not the Customs people they are actually 
  another part of US Customs and Border Protection what we call 
  Office of field operations they are the law.
Anil John:   And offices that.
Anil John:  Out of the business of ensuring and checking your 
  identity and your credentials and your attestations at the 
  border as part of trade facilitation excuse me travel 
  facilitation and tourism facilitation they're finally on board 
  they are continuing the partnership that they have with the US 
  citizenship immigration service so the focus for us tended to be 
  in this call very much a people Centric how do we help.
Anil John:   Help move the wallet ecosystem forward.
Anil John:  So that's sort of the the rationale for why the call 
  and the focus on you know wallets and verifiers came into play 
  here so next slide Mike thank you I would also note that one of 
  the things that we sort of internalised over experiences since 28 
  in in this ecosystem and what we seeing in the ecosystem is to be 
  blunt vendors build.
Anil John:  Systems actually really need building blocks that 
  everybody can use and vendors typically are not interested or 
  motivated in order to contribute or build those building blocks 
  Because unless it is sdks that point to their own infrastructure 
  right so we wanted to make sure that while we are putting out a 
  solicitation that is obviously going to solve our needs but we 
  also wanted to make sure.
Anil John:   Sure that the things that sort of.
Anil John:  Building blocks that could help solve this what also 
  of use to the broader ecosystem and the community so we 
  structured our solicitation very specifically in order to enable 
  both you know products and capabilities that we actually need as 
  well as building blocks that are you know important and hopefully 
  relevant to the broader Community as well so next slide and what 
  you will see when you you know.
Anil John:  Ocean tends to be that you will see you know this is 
  government speak so forgive me as I go into technical topic Area 
  1 and Technical topic area 2 that basically means that these are 
  the fundamental core capabilities that we are actually going to 
  be paying money for and we are actually seeking and there are two, a 
  digital wallet.
Anil John:   And a mobile verifier.
Anil John:  Stink and you know obviously there are that are 
  components that are common between them and we'll talk about that 
  but those are the two products that we are asking for in the 
  solicitation and a company that is actually applying to that sort 
  of situation can choose to apply to solving in the build-out of 
  just the digital wallet build our table just the mobile verifier 
  or both it is up to them depending on what their interests are 
  what their.
Anil John:   These are and what their capabilities are and.
Anil John:  Their path to Market is right so but we also 
  structured it such that again we are fully expecting this to be 
  you know fully commercial you know to be blunt whether you know 
  it depends on the business model of the company whether their 
  model is to produce an open source or a closed Source product we 
  are perfectly fine with either but the digital wallet and the 
  mobile verifier can be you know can be.
Anil John:   In Source completely.
Anil John:  Or it can be in a closed Source product that the 
  company is bringing it to Market close doesn't mean that you does 
  not mean that we are ignoring Open Standards and the need for 
  interoperability there but we wanted to make sure that you know 
  it is we are fully expecting as part of a solicitation to pay for 
  the build-out of you know digital wallets and mobile verifiers 
  but we are also.
Anil John:   So expecting that.
Anil John:  We sort of step back and thought to ourselves what 
  are some of the core components that were not seeing investment 
  in the marketplace that we believe should be paid attention to 
  when you are building a digital wallet or a verifier and we sort 
  of group them into you know for lack of a better word for 
  libraries and and at a high level you know there are libraries 
  are.
Anil John:   A library an SDK.
Anil John:  Basically just does cryptographic operations these 
  are everything from you know encryption digital signatures are 
  selective disclosure crypto in again you can read a lot more 
  details in the call itself but the intent is that this SDK this 
  Library should be something that somebody can take off the shelf 
  basically baked into an existing wallet or a verifier and get the 
  ability to actually.
Anil John:  All the cryptographic operations that I needed in 
  order to issue store and verify and validate in w3c VC and 
  database credentials right and I think and we are also we have a 
  pointer in there and all too often there is a whole bunch of 
  excitement at particularly within government around privacy 
  enhancing Technologies and there's a whole bunch of magical you 
  know white papers.
Anil John:   That are coming that are that come out there.
Anil John:  Of the challenge is that obviously as a government 
  agency that all government agencies within the US have is that we 
  are very interested in implementing those Technologies but we are 
  also constrained by something that is a law called FISMA that 
  requires that the cryptography that basically is deployed on US 
  Government networks has to meet specific.
Anil John:  Action standards and to date lot of the you know the 
  the the fascinating crypto that goes into what takes in order to 
  do an uncorrelatable DID in a selective disclosure a lot of the 
  other things like zero knowledge proof and things like that are 
  not approved crypto those are not you know they have not gone to 
  the FIPS validation and things like as things like that so we 
  are.
Anil John:   Obviously having conversation internally in order 
  to.
Anil John:  Change that but at the same time we are also seeking 
  to make sure that the libraries particularly particularly the the 
  cryptographic tools library is something that is set up such 
  that you can go through the CMVP and the cryptographic module 
  validation program that is a program that is jointly run by the 
  NIST as well as the equivalent on the Canadian government side 
  right so these are.
Anil John:   Proved cryptographic modules they don't have to be.
Anil John:  Where they can very well be software and we are 
  hoping to line up these cryptographic modules and tools SDK such 
  that they can go through that particular approval process as well 
  right and the other piece of it tends to be you know we obviously 
  want to make sure in a wallet.
Anil John:  How do you.
Anil John:  I need storage is the storage remotely within the 
  wallet itself or is it similar to the model that we have in the 
  host card emulation in the payment space where the actual storage 
  becomes HSM in the cloud where what is on the local wallet is 
  basically a shim that's pointing to it I think there is a there 
  are some lessons learned from that space that can also apply to 
  our credentialed world space as well third one is obviously 
  metadata management what I mean by that.
Anil John:   That is if your issuer or if you are of a credential 
  so.
Anil John:  Ability to retrieve metadata about your issuance 
  process how do I retrieve the DID document that allows me to 
  obtain the in the public keys that are used in order to validate 
  at the digital signature on a verifiable credential how do I 
  retrieve the status list that allows us to retrieve you know the 
  current status of the credential in a privacy respecting manner 
  so those are types of metadata management that I think that are 
  really.
Anil John:   Really important and I think that is worthwhile in 
  a.
Anil John:  In a nice little SDK as well and last but not least 
  you know everybody talks about you know security at rest 
  Security in transit but nobody seems to talk about security while 
  in operation and I think the combination of things like 
  confidential Computing a confidential Computing the remote 
  attestation work that is being standardized at the ietf there is 
  a play here where you can have confidence.
Anil John:   And that the incredibly important.
Anil John:  Like in a cryptographic keys and you know sensitive 
  data are actually stowed are not just in transit and in you know 
  translated in story but also in operations and at scale so we 
  believe that there is a play here for encouraging a component and 
  a capability that you know brings you know the confidentiality 
  Integrity protected Computing into the digital.
Anil John:   Of wallet.
Anil John:  Right so so this is this is sort of this is sort of 
  the the way that are you know the are the the call is actually 
  structured the expectation is that if you are responding and 
  saying that you want to build a digital wallet for us there is a 
  there is a clear requirement that you will at least have at a 
  minimum one of those cryptographic modules.
Anil John:  Contributing to building out and you will be 
  providing under an open-source license that allows both the 
  development of both open source and closed Source on top of it 
  because people will have both so think something like Apache 2 
  license or something like that right so the expectation is that 
  if you're building out a proposal for in a building a digital 
  wallet or a mobile verifier we are expecting that the sum of the 
  function.
Anil John:   Foundational pieces.
Anil John:  And there are going to be open source that is going 
  to be incredibly useful and hopefully you know broadly applicable 
  to the broader Community as well so the it is I would reiterate I 
  think a lot of the people who have heard me and know about SVIP 
  know this but in general we have one of the few programs within 
  the US government that does not believe that that believes that 
  talent doesn't stop at Borders so.
Anil John:   So our solicitation tends to be Global so we are.
Mike Prorock: 
  https://sam.gov/opp/33b3b247777c4912b08c23ba97dc8af4/view
Anil John:  We have companies that are from all across the world 
  in our portfolio and we look forward to applications from 
  companies from all across the world click on that sam.gov 
  link it will take is take you to the actual fully fleshed-out 
  government URL that is not going to that is not conducive for you 
  know human consumption you will be taken there where you can 
  download the application and the full call and things like that and 
  the application.
Anil John:   Deadline itself is 15th of September.
Anil John:  At that time right so I'm going to stop there and 
  happy to answer any questions that that you might have and if I'm 
  not able to provide an answer right now I hope I will be better 
  prepared with an answer during our industry day this Friday you 
  are you know you are you don't have to come to Birmingham but if 
  you join online you'll be able to hear everything and also ask 
  questions as well I don't.
Anil John:   At note.
Anil John:  I'm going to turn to go with you folks to ask any 
  questions you might have.
Mike Prorock:  Awesome thanks Anil I really appreciate the 
  overview here you piqued my interest with OSL item D there the 
  confidentiality and integrity side of compute are you expecting 
  that to cover like fully homomorphic encryption and some of the 
  other things we're seeing finally kind of get some not just 
  adoption but broad usage because that is one of those fascinating 
  areas that lets you keep data protected while still performing.
Mike Prorock:   Things like machine learning or verification on 
  top of.
Mike Prorock:  For decrypting it I mean is that an area that you 
  think the program is interested in or.
Anil John:  I think I'm sort of forgive me as I can't I answer it 
  it may very well be my ignorance and my lack of understanding as 
  well I think when you talk about the fundamental cryptographic 
  Primitives that are needed in order to enable homomorphic 
  encryption or zero knowledge proof so selective disclosure or 
  FIPS compliance and things like that we sort of expect that to 
  sort of live in the cryptographic tools SDK right so.
Anil John:   The the 0s.
Anil John:  Confidentiality and integrity protected Computing in 
  a lot of ways for us it turns out to be as we all know you know 
  chipset manufacturers these days are building in enclaves that 
  basically allow for computation to you know occur within the 
  secure enclave and and the standards like RATS and others and 
  ietf give you confidence around the attestations about the 
  things of being.
Anil John:   Being done in.
Anil John:  So we sort of see so how does that apply to our world 
  you know I think a lot of people sort of see that is that 
  somebody else's thing we don't we think that there is a play here 
  where you know if cloud-based vendors are basically deploying 
  technology that allows for confidential Computing and supporting 
  standards that allow us to verify using Hardware level at the 
  state.
Anil John:   Stations about how they are doing.
Anil John:  It it means that we can offload a set of processing 
  and storage to those enclaves for example key in a cryptographic 
  key management cryptographic encryption or a cryptographic 
  operations today so we sort of see that as the OSL D I also 
  think that you know I would simply note that there is there is a 
  ways to go here so we're not expecting magic to fully Bloom but 
  we also think.
Anil John:   That it is it is important enough in order.
Anil John:  Simply put a wedge in there and to put some funding 
  behind it in order to move it forward so that it is useful 
  broadly and becomes part and parcel of how we provide end-to-end 
  security in the digital credentialing ecosystem.
Mike Prorock:  Yeah that makes total sense and I definitely see 
  how that stuff kind of rides together awesome cool Harrison.
Harrison_Tang: That's all to clarify like digital wallet is about 
  presenting presentation of credentials and mobile verifiers is 
  about verification of credentials is that correct and if so far 
  the product more kind of detail prior requirements for the 
  digital wallet and mobile verifiers.
Anil John:  So you're asking a good question and this is my I am 
  going to flip that right back on the community right so for the 
  last two to three years every single time that you've heard me 
  talk I have been talking about the fact that we need to as a 
  community agree on what are the things that make a wallet secure 
  what are the foundational security properties what are the 
  foundational privacy.
Anil John:   But he's.
<mprorock> a revisit to the what's in a wallet series way back is 
  helpful in this area
<mprorock> and the universal wallet work item
Manu Sporny: +1 ^
Anil John:  Interoperable properties that that are core to what 
  makes a wallet secure because in the absence of that you will 
  default to picking a vendor's wallet rather than making a 
  capability assessment and I think what I am saying and what we 
  are trying to motivate through this call is that bootstrap the 
  work or energize the work or highlight the work that is.
Anil John:   Needed in that space.
Anil John:  Not happening right now in my world could we come up 
  with a set of criteria on wallets that are you know that are 
  sufficient to meet the Department of Homeland Security needs yes 
  could we come up with their bespoke way of figuring that whether 
  a wallet that is coming to us could could meet those criteria yes 
  is that a.
Anil John:   Actually going to help the broader ecosystem.
Anil John:  System I would argue no I think this is something 
  that across both the public and the private sector we need to 
  Define that criteria so that we actually have a common 
  understanding of what is what is out there so to the answer to 
  the question Artisan excuse me Harrison is very simple we have a 
  sense of what it is because of some of the work that we have done 
  internally but we also think much more work needs to be done and.
Anil John:   And we.
Anil John:  That work around the digital wallet to be part of 
  that to be very much focused on that is that helpful I know it 
  was I may have wandered in the wilderness to your question 
  Harrison.
Harrison_Tang: No no helpful thanks and then sorry one more 
  clarification question so earlier you mentioned that this to 
  functionalities or these two areas can be in one application or 
  service and then you also mentioned that you can be separates 
  okay.
Anil John:  No and I don't know what I meant by that is basically 
  if you know when somebody applies to our solicitation they have 
  to tell us what they are working on are you working on a digital 
  wallet are you working on a mobile verifier are you working on 
  both right so what I mean so there is no we do not want a 
  combined verifier wallet at this point in time in fact I don't.
Anil John:   Don't think that makes.
<mprorock> the ARM folks hang out at IETF if you want to meet HW 
  folks
Anil John:  Sense it particularly since we actually are hoping 
  and expecting that the digital wallets responses will not purely 
  be software-based digital wallet but also be you know 
  hardware-based digital wallets as well I'm a big fan of the work 
  that Mudge did back in the day with Project Vault at Google ATAP 
  so I'm hoping some a new generation of that will come along as 
  well so so so what I'm.
Anil John:   That's exactly what we meant so pick one.
Anil John:  They'll be separate products Harrison.
Mike Prorock:  Yeah and just a quick before I move to Manu if you 
  are not familiar with the hardware folks that work in this space 
  the ARM folks and the Intel folks are probably the two that I 
  would talk to first if you wanted someone amenable to open 
  standards they tend to hang out at IETF so that's just throwing 
  that out there Manu.
Manu Sporny:  Thanks Mike this is great Anil really good 
  information for folks that you know want to apply in to 
  understand kind of where some of the future development Works 
  going to be focused so I'm trying to think about how 
  organizations might game this to make it seem like they're 
  providing something useful when they're not really so things like 
  sure we've got a proprietary wallet and.
Manu Sporny:   We are.
Manu Sporny:  Adding this open source Library SDK but it's 
  written in such a way that it's only really useful in their 
  proprietary wallet it's so deeply ingrained that nobody else can 
  really reuse it are there any kind of nudges that the 
  organization's applying or going to get that where they need to 
  demonstrate that one they haven't just taken somebody else's work 
  and done a minor amount of work on it.
Manu Sporny:   In produce that.
Manu Sporny:  The open source thing they're working on or do they 
  have to demonstrate you know the open source library that they've 
  created is actually getting Traction in the ecosystem thoughts on 
  that.
Anil John:  Yeah it's a valid question and a couple of one of the 
  reasons that we we've done this you know Dance Before in fact we 
  did this previously with RS found work as well in order to sort 
  of healthy ecosystem while actually building our products T to 
  your point though the expectation of anybody who responds to it 
  is first and foremost it that cryptogram those sdks.
Anil John:   Will truly be open source.
Anil John:  Means that they will indeed be public accessible to 
  all it will not be behind a you know a closed GitHub repo we will 
  we will work with them to find a proper home such that they are 
  actually you know encouraged and expected to have you know folks 
  outside of the people that we fund contribute to those.
Anil John:  Case as well and separately we're we're big in being 
  very encouraging and supporting in the early phases of our work 
  but when we when we get to the phase three pieces of it right so 
  one of the things that we will do in particular with this we will 
  go beyond the standard independent red team that we will actually 
  have.
Anil John:   In place.
Anil John:  We already have in place for our programs down to the 
  code level reviews and use those reviews as a mechanism to 
  actually get input and feedback from the broader Community to 
  ensure that it is indeed you know broadly usable and not just in 
  a constructed in a way just to tick the box and useful only for 
  the one company that is working on it.
Anil John:   On that note.
Anil John:  Open open request to the community you all know how 
  to work this and to game this the any suggestions that you have 
  to us in order to in order to watch to make sure what are the 
  things that we should be looking at to make sure it is not being 
  gamed because our hope and our intent and our desire.
Anil John:   Are here.
Anil John:  This becomes something that is truly useful for the 
  community and the reason that we will have a fully independent 
  code review of these open source codes you know code is to make 
  sure that you all have confidence in that code so that you are 
  free to use them so it I would make an argument that this work is 
  going to be useful to you so help us to make sure that the output 
  that is coming out.
Anil John:  Useful to you and not proprietary beyond that we will 
  play it as it comes Manu.
Mike Prorock:  Awesome maybe a little bit of a technical question 
  here Anil because I know there's some back-channel stuff flying 
  around to in or not really back Channel but IETF stuff flying 
  around that doesn't always get on the radar here but one of the 
  areas that I think is really interesting is thinking about how do 
  we combine u.s. gov requirements with global requirements right 
  because Jeff different jurisdictions are going to have different 
  sets of things that.
Mike Prorock:   Are you.
Mike Prorock:  Helpful pride and so one of the things I've been 
  working on for a while now has a couple areas of those Quantum 
  cryptography side of things in the applications of those things 
  right and so Japan for instance as well as some others and 
  Commercial entities here in the US have a high interest in 
  NTRU as a KEM even though NIST is rolling with Kyber and when I 
  think about KEMs in particular they seem like.
Mike Prorock:   They have a hole.
<manu_sporny> kem ==> Key Encapsulation Mechanisms
<manu_sporny> hpke ==> Hybrid Public Key Encryption
Mike Prorock:  Autumn application here in terms of the digital 
  wallet spacewar could write than what we're seeing with changes 
  and updates in terms of HPKE and ways of exchanging this stuff and 
  you know what more common ways could be really really important 
  at this and it's not an area that I've seen the VC or the wallet 
  space really start to jump on heavily possibly because it's 
  earlier but or possibly just because it's sitting more at that 
  TLS layer and stuff like that now.
Mike Prorock:   And before it expands out later is that an area.
Mike Prorock:  Think could or should be explored as part of this 
  stuff what are your thoughts on the kind of that interop between 
  obviously meeting NIST and FIPS requirements here in the States 
  but also making sure that interoperability is possible with say 
  the EU or you know you know trusted parties like Canada right 
  that we have a lot of exchange back and forth with Etc any 
  thoughts on that.
Anil John:  So I'll start off with noting that you know SVIP 
  is not an R&D program right so there are other parts of my 
  organization that absolutely you know fund R&D and in a 
  prior role that I had as the identity management and data privacy 
  R&D program manager I was at you doing that I'm not doing that 
  anymore so so what you will see in the call itself.
Anil John:   Is things that.
Anil John:  The business units that are in play who are 
  interested in deploying these Technologies really need to have in 
  order to actually enables Technologies now there could be 
  somebody who comes to the table and said yep we will we will 
  provide that but we are also going to you know work on these 
  additional things you know beyond that and our answer is you are 
  absolutely free to do so we're not going to constraint of the 
  things for example there might be.
Anil John:   You know there is a community out here obviously 
  that is.
Anil John:  Focused on things like AnonCreds and ACDC and 
  things of that nature right so those are not things that we have 
  an interest in currently I know I think are you know articulation 
  in the profile you know shows what our interests are but if a 
  company that was really had an expertise in that what did you do 
  the work that is needed in order to meet our requirements but as 
  part of that work also Incorporated.
Anil John:   Those into those cryptographic modules we would have 
  no issues.
Anil John:  Actually you know be very happy because it actually 
  provides in a broader hope to the community more than anything 
  else separately Mike I think you know one of the one of the 
  interesting conversations one of the interesting perspectives 
  that a business side of my organization brings to the table that 
  I may not bring as a technologist is more from the perspective.
Anil John:   Spective that.
Anil John:  When it comes to you know interoperability 
  particularly across jurisdictions and and borders I would make a 
  point that it is really really important that one needs to have a 
  common understanding of the security privacy and interoperability 
  as a foundation but there is a layer above that that basically 
  talks to Mutual recognition agreements between countries.
Anil John:  He is for example the US Customs side of 
  our organization and what we call the CTPAT program right which 
  is our trusted trader program so if you're familiar with Global 
  Entry and NEXUS and SENTRI and things like that think about that 
  for Traders so and the foundation of it is very simple is that 
  there is a cybersecurity criteria that was developed that 
  basically countries.
Anil John:   Sort of assess themselves against.
Anil John:  Assure that they are meeting them both on the US side 
  and on a counterparty and if they do that there is a formal 
  Mutual recognition agreement that is put into place that between 
  those two countries that basically says that hey you know Goods 
  coming from your country with this type of accreditation 
  associated with that will be allowed for fast-track import into 
  the country and and if.
Anil John:   Because it is a mutual recognition program.
Anil John:  We send to that country is also recognized as there 
  as well there is a lot of energy and excitement around all of the 
  work that is going on and the EU digital wallet and obviously 
  the wallet work that we are doing and I'm sure the wallet work 
  that is happening globally as well and the foundation of all of 
  that is those technical pieces but I would also say is that we're 
  not blindly going to you know there is a policy layer on top of 
  the technology.
Anil John:   Be there as well.
Anil John:  When we talked to our Canadian colleagues we are 
  going to make sure that there is a you know an understanding of 
  our common security perspective that we are all comfortable with 
  and we do this we will do the same with the EU as well and go 
  from there so it is not a matter of we will blindly incorporate 
  or incorporate into our tooling that's what somebody else has 
  developed it is based on that.
Anil John:   Foundational security expectations.
Anil John:  Actually agree upon and and that is what I what I 
  don't see happening within the broader community that that that 
  public private discussion around what makes a good wallet and how 
  do you assess a good wallet as being good and what 
  are the things that make it good and what are the things that 
  make it not so good everybody wants to talk about moving things 
  from point A to point.
Anil John:   B that's great.
Mike Prorock:  No that was that was awesome yeah.
Anil John:  There are other pieces that need to be true as well 
  sorry bit rambling there Mike but authorities of bit of 
  frustration and a one of the rationale for why we are why this 
  call is out.
Mike Prorock:  Now I hundred in awesome and I fully agree right 
  that it's really easy in the tech world to get really buried in 
  the weeds as opposed to thinking about how are we going to 
  actually practically get stuff done in a way that can be 
  communicated to human beings Manu and then I think Kerri and I'm 
  going to close the Queue at this point just because where you're 
  going to run up on time so they don't fire take away.
Manu Sporny:  Great thanks Mike Anil you you covered one of my 
  questions which was what do we you know meaning the community 
  think about the what's happening in the EU with the ARF in the 
  digital wallet stuff so I think that was clear you know it's it's 
  there are multiple entities that are in the ecosystem and at some 
  point we're going to all have to read each other's credentials 
  and interface with each others.
Manu Sporny:  You know it going back to the question that you 
  raised the community about you know what what can be done to 
  ensure that the right outcomes happen so with the with the open 
  source libraries you know I think one of the dangers here is that 
  there are multiple people that work on like item a the 
  cryptographic tools SDK and you don't get any takers for B C or D 
  right so it's one of these things is a bit easier to do than.
Manu Sporny:   The other things.
Manu Sporny:  And so I'm wondering if there has been kind of 
  thought put into how do you make sure that there's even coverage 
  of you know implementations and then of course you know how do 
  you ensure that people are actually going to use this there 
  almost needs to be some kind of measurable you know component to 
  there's actually uptake of these open source libraries because 
  you know the last thing I think any of us want is the creation of 
  an open source library at.
Manu Sporny:   That you know great.
Manu Sporny:  Us to the the US federal government which then does 
  not have any uptake whatsoever so just some just some thoughts 
  there I don't know if I'm wondering if those kinds of things are 
  going to be kind of a constant conversation with the various 
  communities and if so you know how did the people that apply to 
  this initiative you know have a concrete Target to shoot.
Manu Sporny:   At the other the other thing I.
Manu Sporny:  Is nowhere have I seen the dollar figure that's 
  attached to this initiative in the fact that it's non-dilutive 
  funding is it there are a number of companies here that are 
  building you know these things that are somewhat new to the 
  ecosystem that probably need to hear that this is a potentially 
  multi you know million dollar investment in their technology 
  that's that's non-dilutive I think it's a really powerful.
Manu Sporny:  That I haven't seen hit on at least recently anyway 
  just just some thoughts there.
Anil John:  Yeah I'll stop them on you I will go back to our 2018 
  solicitation as I mentioned we had 200 plus applicants we at that 
  we started with I think making around 10 selections you know we 
  over time it became you know seven for a variety of different 
  reasons what I will say is that we.
Anil John:   We multitrack we fund.
Anil John:  Multiple companies simultaneously to solve the same 
  problem and each company has the potential of getting up to 1.7 
  u.s. million dollar you are 1.7 million u.s. dollars each company 
  and that's not you know across all of them that's up to 1.7 for 
  each each company so phase one is a maximum of 200 K because 
  phase one is when we determine.
Anil John:   That you can walk the talk or not or whether you 
  just have a.
Anil John:  Phase 2 phase 3 and phase 4 tends to be up to a 500 
  K maximum and you know so up to 1.7 million dollars and I'm not 
  going to basically share how many companies that we award what I 
  will give you is point you to what happened in our prior call you 
  know it is not one it is not two it is many you know and like I 
  said I think.
Anil John:   It was close to 10 the last time.
Anil John:  The other piece to your point Manu is yeah so so we 
  we do we are very aware that it could very well be everybody 
  could basically focus on one SDK and nobody could come for the 
  other three I think that is part of our you know how we manage 
  our selection process as well right I think we are interested in 
  moving all of that forward.
Anil John:   We are hopeful.
Anil John:  That basically multiple companies will apply to all 
  of them at least you know one or more of them and we're not going 
  to be that desperate enough that basically we're going to 
  actually award a crappy application just because they were the 
  only supplier in that particular case you know we have in the 
  past actually close the call then if we did not get the type of 
  talent that we.
Anil John:   I'm looking for have in in the.
Anil John:  Open the call again as well we are more interested in 
  doing a right job here than basically you know checking the box 
  here on this I think there was one more question that you asked 
  me that I am missing I'm I'm happy to answer that separately and 
  if I don't I'll definitely answer it during our industry day on 
  Friday and.
Anil John:   Separately we.
Anil John:  We definitely you know we will encourage the 
  companies that that are working on the same open source SDK to 
  actually work on them together and out in the open because it 
  reduces the amount of work that they need to do and it also it 
  allows them to focus on their product roadmap while getting help 
  for those type of components as well right so yep so.
Anil John:  Multi-tracking and you know making sure there are 
  multiple awards that hopefully cover all of them and up to 1.7 
  million dollars per company that is selected.
Mike Prorock:  Awesome Kerri I think you're going to get the last 
  question in the last 30 seconds or so and hopefully we get a good 
  quick answer so.
Kerri Lemoie:  All right yeah I'll try to be really quick here hi 
  Anil I think I just as in relation to what you're saying 
  about policy in the validation layer that is over all of this 
  Tech and what I would like love to hear more about someday when 
  we have an opportunity to talk about is is that layer because in 
  education and Workforce as we start bringing issuers employers 
  verifiers on board it's actually that layer that is where they 
  have all the questions and it's where we don't have a lot of 
  answers yet so yeah.
Kerri Lemoie:   I just sort of want to make a comment or 
  question about that I don't think you're trying to get into it 
  but.
Kerri Lemoie:  Love to talk to you about it.
<kerri_lemoie> Also - edu would lean on governments for this.
Phil Long: +1 Kerri
Anil John:  I would love to love to have that conversation at a 
  fundamental of a particularly when it comes to digital wallets I 
  I believe there is a set of things that we can check for using 
  some sort of a cryptographic challenge response but there is a 
  set of things that we cannot check for in that manner that 
  requires some manner of a you know assessment independent 
  assessment into the weeds and that results in some manner of 
  hopefully a trust Mark that can be consumed.
Anil John:   And now in order to do all of that assessment you 
  need.
Anil John:  Years and what I don't see any work is basically 
  those criteria being fleshed out in a manner that is broadly 
  usable and we are hoping to so encourage that through this call 
  so happy to chat particularly regarding your education vertical 
  because we do consume your credentials particularly on the USCIS 
  side so on that note Mike I appreciate all the questions thank you 
  for taking the time.
Anil John:   I'm to invite me.
Kerri Lemoie: +1 Anil - will be in touch. :) Thanks!
Anil John:  Back over to you sir and Barry and Erica.
<harrison_tang> Thank you, Anil
Mike Prorock:  Yeah no thank you for going in a minute over here 
  and I really appreciate the time as always this is a great call I 
  think it hopefully Spurs a lot of thoughts from the community 
  about engagement with existing work items things like Universal 
  wallet etcetera and revisiting some things that may have fault.
Mike Prorock:  I keep it.
Mike Prorock:  Unless that would accidental cute.
Mike Prorock:  If you all.
Harrison_Tang: All right thanks Mike thanks for hosting today.
Mike Prorock:  Yeah no worries the to move up move a meeting to 
  get this one confirmed because some silly customers keep bugging 
  me it's worked out well.
Harrison_Tang: If you if you got something that you cannot move 
  just let me know I.
Mike Prorock:  Oh yeah no I well this one they hit me like 
  yesterday afternoon I was like I'm two weeks out here on 
  calendaring so let's I know this is important let's find a time 
  but that is not the time.
Harrison_Tang: All right well thanks well let me know I think 
  next week we if you could do it just let me know please host but 
  if not I can be a backup.
Mike Prorock:  Yeah next week I should be fine I believe let me 
  just double I'll tell you right now actually because that'll be 
  the 22nd.
Mike Prorock:  Oh yeah yeah.
Harrison_Tang: Yeah it's the open Agenda and I thought that since 
  most technical of the group you can you park in the group area 
  okay.
Mike Prorock:  Actually have oh no I am good for that one I can't 
  do the VC working group call that day so yep good to go.
Harrison_Tang: Well I mean if you cannot do it I can do it too so 
  either way is fine.
Mike Prorock:  Yeah no I'm good for next week so Count Me In and 
  obviously be great if you're on but because that's just open 
  Agenda let's touch on you know some work items and you know yes 
  if you want to send the note out and that way people can come 
  with topics they may want to discuss with the group so yeah.
Harrison_Tang: All right well what do you I'll be on next week as 
  well so I'll see you next all right like.
Mike Prorock:  Awesome cool will see you.

Received on Friday, 18 August 2023 17:47:56 UTC