- From: CCG Minutes Bot <minutes@w3c-ccg.org>
- Date: Fri, 18 Aug 2023 17:47:56 +0000
Thanks to Our Robot Overlords for scribing this week!

The transcript for the call is now available here:

https://w3c-ccg.github.io/meetings/2023-08-15/

Full text of the discussion follows for W3C archival purposes. Audio of the meeting is available at the following location:

https://w3c-ccg.github.io/meetings/2023-08-15/audio.ogg

----------------------------------------------------------------

W3C CCG Weekly Teleconference Transcript for 2023-08-15

Agenda: https://www.w3.org/Search/Mail/Public/advanced_search?hdr-1-name=subject&hdr-1-query=%5BAGENDA&period_month=Aug&period_year=2023&index-grp=Public__FULL&index-type=t&type-index=public-credentials&resultsperpage=20&sortby=date

Organizer: Mike Prorock, Kimberly Linson, Harrison Tang

Scribe: Our Robot Overlords

Present: Mike Prorock, Anil John, Harrison Tang, Tim Bouma, Erica Connell, Hiroyuki Sano, Japan, TallTed // Ted Thibodeau (he/him) (OpenLinkSw.com), Gregory Natran, Joe Andrieu, Kerri Lemoie, Nis Jespersen, Ted Thibodeau, Greg Bernstein, Paul Dietrich GS1, Jeff O - HumanOS, Kaliya Young, Marty Reed, Manu Sporny, Dmitri Zagidulin, Bob Wyman, Leo, Andres Uribe, Eric Sembrat, David Chadwick, Wendy Seltzer, TBouma mobile, BrentZ, Benjamin Young, Phil Long

Our Robot Overlords are scribing.

Mike Prorock: And we can begin, so hello all and welcome to the CCG weekly meeting. Today is Tuesday, August 15th, and we are getting together today to talk about, notably, the digital credential wallet and verifier solicitation that recently has gone out from DHS S&T. Anil John is graciously with us today to talk about some of that and then answer questions for the community. Just a quick reminder that.

Mike Prorock: That we do abide by a code of ethics and.
Mike Prorock: https://www.w3.org/Consortium/cepc/

Mike Prorock: Conduct. I will put a link to that in the chat, just in case folks are not familiar with it, but it's the basic rules of be kind to one another, right? By and large this community abides by that; it's great. The slides for today have been posted to the mailing list; if you don't have them, they are up there. A note that anyone can participate in these calls; however, if you are contributing to an actual work item, like writing code or.

Mike Prorock: Writing a report.

Mike Prorock: https://www.w3.org/community/credentials/join

Mike Prorock: Things like that, in any kind of substantive way, you do need to be a member of the CCG, and that is free. I've put a link to that there. That is primarily, in case you are new to this community, for IPR reasons: we don't want contributions coming in that someone later tries to claim intellectual property rights over, and things like that, because that has been problematic to standards and open source bodies in the past. Minutes and recording of this will be posted to our GitHub.

Mike Prorock: A quick note on operations: we do use the Jitsi chat, which is also linked to the IRC.

Mike Prorock: EG on the W3C IRC for managing the meeting, so the transcriber dumps all of our minutes excessively into that chat, unfortunately. But also, probably more importantly, we take questions and answers; I will be monitoring that for folks that want to ask a question. So if you want to ask a question or make a comment, type the letter Q followed by a plus sign and add yourself to the queue, optionally with a reminder.

Mike Prorock: And if.

<mprorock> "type “q+” to add yourself to the queue, with an optional reminder, e.g., “q+ to mention something”. The “to” is required."

Mike Prorock: Off, you just reverse the plus sign to a minus, and I will paste those instructions right here. Sometimes.
Mike Prorock: Well for the transcriber are not always the same as they actually are in practice. Quick pause for introductions and reintroductions: so anyone new to this call, never been here before, or changed affiliations recently and wants to reintroduce themselves or introduce themselves for the first time in this community, pause.

Mike Prorock: Get the hand raised or come off mic, whatever you're comfortable with.

Mike Prorock: Cool, so we all know each other then. Want to take a second pause and just see if there are any announcements or reminders from the community.

Kaliya Young: https://docs.google.com/document/d/1j_RWhWjOYevTdmMorZkEPcu0c4r7MVTBu1RRxd35NmM/edit

Kaliya Young: The Internet Identity Workshop is coming up October 10 to 12, and as I'm preparing for that, I actually just posted to the list yesterday a request for help, if people would like to contribute. We're working on putting together an online memorial for community members who passed and.

Kaliya Young: Of that for sort of placement at all future IIWs. I kind of did a makeshift one for the last day of the last IIW, but it wasn't particularly beautiful, so I'm seeking creative talent and writing talent to help get the bios of folks together. I put a link to the bios, or sort of links to information about.

Kaliya Young: Out the.

Kaliya Young: Asked in the community; let me know if I've missed anybody.

Kaliya Young: And also would love, you know, some, this is a good low-hanging-fruit way to help the community: write kind of a community obituary of a few paragraphs, a few sentences. So would love help in both regards, to physical.

Kaliya Young: Helping make the physical memorial beautiful and also helping with online, create a web page on the IIW site.

Mike Prorock: Awesome, thanks Kaliya. Erica Connell, you are up.
Erica Connell: Hello everybody, this is Erica, and I just wanted to give you a reminder that Rebooting the Web of Trust is also coming up September 18th to the 22nd this year. We'll be convening in Cologne, Germany, and I'll put a link to the Eventbrite in the chat. Thanks.

Erica Connell: https://rwot12.eventbrite.com/

Mike Prorock: Awesome. Manu, I believe you are next.

<manu_sporny> CHAPI Playground's Latest Update - Multi-Credential Verification - https://lists.w3.org/Archives/Public/public-credentials/2023Aug/0017.html

Manu Sporny: Hey Mike, thanks. Um, two announcements. One of them is around the Credential Handler API playground, the CHAPI Playground. Just a week ago or so we added multi-credential verification to the playground, so this is something that's being used in the Jobs for the Future plugfest number three. We had multi-issuer, you know, support in there; we've added.

<dmitri_zagidulin> Mars Needs Verifiers!! (seriously, vc-api or OID4VP verifier implementers, you should totally add yourselves to the CHAPI Playground)

Manu Sporny: Support, and now you can do multi-shot credentials in a verification. So I put a link to that announcement, kind of instructions on how you can test that out. We do also have a number of other kind of upcoming improvements to the playground, including things like support for OID4VCI, so the OpenID stuff, so that will be the first time the playground.

Manu Sporny: It's multiple protocols.

<mprorock> yay OIDC!

<manu_sporny> Initial test suites ready for VCDM v2.0, Data Integrity, ECDSA, and EdDSA -- https://lists.w3.org/Archives/Public/public-credentials/2023Jul/0056.html

Manu Sporny: Talking with people about putting DIDComm protocol support in there as well, and, you know, there's some discussion happening on the mailing list on that. So that's the CHAPI Playground update for today. The other heads up to the group is we had moved over some of the test suites that were worked on in this community for.
Manu Sporny: Verifiable credential data.

Manu Sporny: Data Integrity, ECDSA, EdDSA. Those have now been fully moved over to the Verifiable Credentials Working Group and have been updated, so they are now fully operational in the Verifiable Credentials Working Group. If you like integrating with bleeding-edge test suites, please reach out and ask to add yourself. We have had a couple of people from the community, like Trinsic was the latest one that added them.

Manu Sporny: Selves to various tests.

Manu Sporny: And so we will do, the test suites will be increasingly locked down towards the end of September, and that's when we'll make the general announcement to, like, participate in the test suites, most likely. But if you want to kind of just get the mechanics of integrating with the test suites, let us know; we are actively working with multiple different organizations to integrate them in there. That's it.

Manu Sporny: I was the.

Mike Prorock: Awesome, thanks Manu, and it's good to see multiple protocols coming in, so that's awesome. And I think Anil has an announcement as well.

Anil John: https://www.iab.org/mailman/listinfo/identity-discuss

Mike Prorock: +1 WHODIS <- needs eyes

Anil John: Thank you, Mike. Just a quick note: the Internet Architecture Board has, you know, started a new list for identity discussions. They want to discover what protocols and technologies and work is going on in internet identity and what are the gaps out there. I know that there is a tendency in a variety of SDOs and community groups to sort of stay in your own silo. This may be worthwhile at.

Anil John: A minimum to subscribe to and listen and.
Anil John: As often there are definite blind spots for the people who are sort of, you know, talking about the work, that they're not aware of other work that is going on. I was amused by the discussion on, somebody brought up SAML and somebody was not sure how prevalent it was; I thought it was amusing. So things like that, right? So check it out, check out the archives, and you may want to, you know, at least monitor and make sure that.

Anil John: The work everyone is doing at the W3C.

Anil John: That is related to identity is also, you know, broadly socialized with the broader community that is, you know, that is working through the IAB as well.

Mike Prorock: Thank you, Anil, for bringing that up. Yeah, definitely it's been interesting, um, and I was actually very glad at the last IETF, when some of those initial conversations were going on, that Kali and a few others from this community were in the room, because there might have been a perception that identity might not have been as complicated as it sometimes tends to get.

Mike Prorock: With that.

Mike Prorock: Um, let me see if there are any other. I think that's it for announcements, so with that, Anil, I'm going to pass it over to you, and just let me know when you want me to advance slides. My screen should be up momentarily.

Anil John: Thank you, Mike. Good morning, good afternoon, good evening, good night, whatever the time zone that everybody is in. Thank you Carrie, Mike and Harrison for the invitation to come and chat with the CCG community here. For whatever reason, my work laptop, you know, the CCG link is absolutely blocked on my work laptop, and of course.

Anil John: As I tested.
Anil John: Up top, and it just so happens Jitsi seems to have problems with Brave, at least on sharing, so Mike was kind enough to take the slides and present it. So first and foremost, I'm hoping that this is going to be mostly, you know, questions that you might have after, obviously, you've, you know, read the solicitation. I'm not going to go over, I'm going to give a very high overview, primarily because I'm going to point you to this: this Friday we are actually going.

Anil John: To have a.

Mike Prorock: https://sri-csl.regfox.com/svip-digital-wallet-industry-day

Dmitri Zagidulin: https://sri-csl.regfox.com/svip-digital-wallet-industry-day

Anil John: Today it is available both in person in Birmingham, Alabama, as well as remotely over Zoom. It is free to attend, and we are very happy, particularly with the online registration so far, but you do need to register so that you can get the link and things like that. So by all means, if you're interested in this topic. And what is going to be much more, I think, relevant to you is my program.

Anil John: And within DHS does not just work on random stuff that we think is a great idea, right? So we actually are driven by trying to shape the technology that our business units see as important to them. So in this particular case, the primary drivers for this solicitation, which we call a call, it is just internal terminology, are US Customs and Border Protection and US Citizenship and Immigration Services.

Anil John: To the old.

Anil John: The US government that have been around as long as America has been around, dealing with cross-border trade, tourism, travel and immigration, as well as the DHS Privacy Office. They are the primary drivers and customers for this work, so you're going to be hearing directly from them during the industry day. So by all means, you know, come and join us. Next slide, please.
Anil John: We have this, this is not my first rodeo with the CCG, so you know that we've been doing work in this area for a long while, everything from, you know, funding what eventually became the Decentralized Identifiers standard at the W3C to helping to, you know, bring our use cases and our needs to the work that is going on and that went into, you know.

Anil John: No, Verifiable Credentials one point.

Anil John: One and hopefully 2.0 as well, so this is not new for us. So back into, you know, 2018, you know, we are asking you rob a happy with this solicitation that we had back in the day. We have seven companies that are in our portfolio that were selected very competitively from a global cohort; you know many of them, so I won't repeat any of that. In general, though, we are comfortable with the.

Anil John: The in particular with the issuance infrastructures.

Anil John: That those companies have built out, that are completely standards-based, using W3C standards and things like that. And you know this if you heard me speak previously, right? My comment always, when people ask me about digital wallets and things like that, has always been: hey, we don't have a digital wallets play. We want you to bring your own wallet to the table; we want to make sure there is a way to sort of understand the security.

Anil John: 30 Privacy.

Anil John: Interoperability aspects of those wallets, and we, you know, we don't see ourselves being in the digital wallet, you know, playing field in a lot of ways, other than being a consumer of it. Fast forward to now, and that has actually changed for a couple of reasons, right? One of them is we are seeing what, you know, our hope was that obviously all pieces of the.

Anil John: You know.

<mprorock> link to slides if you need them (this is also on the list)

Anil John: Party identity model, whether it is the issuer, the holder and the wallet, and the verifier, would sort of mature along and move along in a consistent way, and what we are seeing is that it is not, right? So there's a whole bunch of work that is obviously going on on defining what the data model to represent the payload that is moved around is, and given that we are the identity community and we specialize in reinventing.

Anil John: Eating ways.

Anil John: Things from point A to point B, there is a whole slew of protocols that are coming on board and being matured in order to move things from point A to point B. We consider ourselves, both as an issuer and as a verifier, there is a significant gap that's going on here where there's a lot of hand waving that's going on: what, if a wallet comes to a front door, how do we as an issuer verify and have confidence.

Anil John: Evidence in the capabilities that that wallet has.

Anil John: In how they are protecting the information, how they are, you know, making sure that the information that is there is indeed something that is managed in a privacy-respecting manner, it is fully under the control of that person that is, as you, the holder of that wallet, and things like that. And we are really, we are actually, frankly, disappointed in the.

Anil John: The amount of work.

Anil John: What is going on in that area compared to all of, you, obviously, all of the excitement, the drama and the politics around the protocols and the payloads. So we spoke internally, particularly now that the people side of Customs and Border Protection have come on board. So what I mean by that is, in this solicitation back into a DAT I had Customs and Border Protection as one of our primary customers, but that was the US.
Anil John: Global trade facilitation side of it, right? So these are the people who are interested in digitizing cross-border trade documents. They were not in the, these are not, though, they are not the people that you encounter when you land in a port of entry, whether it is air, land or sea. And the blue-uniform person who greets you is not the Customs people; they are actually another part of US Customs and Border Protection, what we call Office of Field Operations. They are the law.

Anil John: And offices that.

Anil John: Out of the business of ensuring and checking your identity and your credentials and your attestations at the border as part of trade facilitation, excuse me, travel facilitation and tourism facilitation. They're finally on board; they are continuing the partnership that they have with the US Citizenship and Immigration Services. So the focus for us tended to be, in this call, very much people-centric: how do we help.

Anil John: Help move the wallet ecosystem forward.

Anil John: So that's sort of the rationale for why the call and the focus on, you know, wallets and verifiers came into play here. So next slide, Mike, thank you. I would also note that one of the things that we sort of internalised over experiences since 28 in this ecosystem, and what we are seeing in the ecosystem, is, to be blunt, vendors build.

Anil John: Systems actually really need building blocks that everybody can use, and vendors typically are not interested or motivated in order to contribute or build those building blocks, because, unless it is SDKs that point to their own infrastructure, right? So we wanted to make sure that while we are putting out a solicitation that is obviously going to solve our needs, but we also wanted to make sure.

Anil John: Sure that the things that sort of.
Anil John: Building blocks that could help solve this were also of use to the broader ecosystem and the community. So we structured our solicitation very specifically in order to enable both, you know, products and capabilities that we actually need as well as building blocks that are, you know, important and hopefully relevant to the broader community as well. So next slide, and what you will see when you, you know.

Anil John: Ocean tends to be that you will see, you know, this is government speak, so forgive me as I go into Technical Topic Area 1 and Technical Topic Area 2. That basically means that these are the fundamental core capabilities that we are actually going to be paying money for and we are actually seeking, and there are two: a digital wallet.

Anil John: And a mobile verifier.

Anil John: Stink and, you know, obviously there are components that are common between them, and we'll talk about that, but those are the two products that we are asking for in the solicitation. And a company that is actually applying to that solicitation can choose to apply to solving in the build-out of just the digital wallet, the build-out of just the mobile verifier, or both; it is up to them, depending on what their interests are, what their.

Anil John: These are and what their capabilities are and.

Anil John: Their path to market is, right? So, but we also structured it such that, again, we are fully expecting this to be, you know, fully commercial. You know, to be blunt, whether, you know, it depends on the business model of the company, whether their model is to produce an open source or a closed source product; we are perfectly fine with either. But the digital wallet and the mobile verifier can be, you know, can be.

Anil John: Open source completely.
Anil John: Or it can be in a closed source product that the company is bringing to market. Closed doesn't mean that, you, does not mean that we are ignoring open standards and the need for interoperability there, but we wanted to make sure that, you know, we are fully expecting as part of the solicitation to pay for the build-out of, you know, digital wallets and mobile verifiers, but we are also.

Anil John: So expecting that.

Anil John: We sort of stepped back and thought to ourselves: what are some of the core components that we're not seeing investment in in the marketplace, that we believe should be paid attention to when you are building a digital wallet or a verifier? And we sort of grouped them into, you know, for lack of a better word, four libraries, and at a high level, you know, there are libraries are.

Anil John: A library, an SDK.

Anil John: Basically just does cryptographic operations. These are everything from, you know, encryption, digital signatures, selective disclosure crypto. Again, you can read a lot more details in the call itself, but the intent is that this SDK, this library, should be something that somebody can take off the shelf, basically bake it into an existing wallet or a verifier, and get the ability to actually.

Anil John: All the cryptographic operations that are needed in order to issue, store, and verify and validate W3C VC and database credentials, right? And I think, and we also have a pointer in there, and all too often there is a whole bunch of excitement, particularly within government, around privacy-enhancing technologies, and there's a whole bunch of magical, you know, white papers.

Anil John: That are coming, that come out there.
Anil John: Of the challenge that, obviously, as a government agency, that all government agencies within the US have, is that we are very interested in implementing those technologies, but we are also constrained by something that is a law called FISMA that requires that the cryptography that basically is deployed on US government networks has to meet specific.

Anil John: Action standards, and to date a lot of the, you know, the fascinating crypto that goes into what it takes in order to do an uncorrelatable DID, selective disclosure, a lot of the other things like zero-knowledge proofs and things like that, are not approved crypto. Those are not, you know, they have not gone through the FIPS validation and things like that, so we are.

Anil John: Obviously having conversations internally in order to.

Anil John: Change that, but at the same time we are also seeking to make sure that the libraries, particularly the cryptographic tools library, is something that is set up such that you can go through the CMVP, the Cryptographic Module Validation Program. That is a program that is jointly run by NIST as well as the equivalent on the Canadian government side, right? So these are.

Anil John: Proved cryptographic modules; they don't have to be.

Anil John: Hardware, they can very well be software, and we are hoping to line up these cryptographic modules and tools SDK such that they can go through that particular approval process as well, right? And the other piece of it tends to be, you know, we obviously want to make sure, in a wallet.

Anil John: How do you.
Anil John: I need storage: is the storage remotely within the wallet itself, or is it similar to the model that we have in host card emulation in the payment space, where the actual storage becomes an HSM in the cloud, where what is on the local wallet is basically a shim that's pointing to it? I think there are some lessons learned from that space that can also apply to our credential wallet space as well. The third one is obviously metadata management. What I mean by that.

Anil John: That is, if you're an issuer, or if you are of a credential, so.

Anil John: Ability to retrieve metadata about your issuance process: how do I retrieve the DID document that allows me to obtain the public keys that are used in order to validate the digital signature on a verifiable credential? How do I retrieve the status list that allows us to retrieve, you know, the current status of the credential in a privacy-respecting manner? So those are types of metadata management that I think are really.

Anil John: Really important, and I think that is worthwhile in a.

Anil John: In a nice little SDK as well. And last but not least, you know, everybody talks about, you know, security at rest, security in transit, but nobody seems to talk about security while in operation. And I think the combination of things like confidential computing, the remote attestation work that is being standardized at the IETF, there is a play here where you can have confidence.

Anil John: And that the incredibly important.

Anil John: Like, in a, cryptographic keys and, you know, sensitive data are actually stowed are not just in transit and in, you know, translated in story, but also in operations and at scale. So we believe that there is a play here for encouraging a component and a capability that, you know, brings, you know, confidentiality- and integrity-protected computing into the digital.

Anil John: Of wallet.
Anil John: Right, so this is sort of the way that the call is actually structured. The expectation is that if you are responding and saying that you want to build a digital wallet for us, there is a clear requirement that you will at least have, at a minimum, one of those cryptographic modules.

Anil John: Contributing to building out, and you will be providing it under an open-source license that allows the development of both open source and closed source on top of it, because people will have both, so think something like the Apache 2 license or something like that, right? So the expectation is that if you're building out a proposal for, in a, building a digital wallet or a mobile verifier, we are expecting that some of the function.

Anil John: Foundational pieces.

Anil John: And there are going to be open source that is going to be incredibly useful and hopefully, you know, broadly applicable to the broader community as well. So I would reiterate, I think a lot of the people who have heard me and know about SVIP know this, but in general we have one of the few programs within the US government that does not believe that, that believes that talent doesn't stop at borders, so.

Anil John: So our solicitation tends to be global, so we are.

Mike Prorock: https://sam.gov/opp/33b3b247777c4912b08c23ba97dc8af4/view

Anil John: We have companies that are from all across the world in our portfolio, and we look forward to applications from companies from all across the world. Click on that sam.gov link; it will take you to the actual fully fleshed-out government URL that is not conducive for, you know, human consumption. You will be taken there, where you can download the application and the full call and things like that, and the application.

Anil John: Deadline itself is 15th of September.
Anil John: At that time, right? So I'm going to stop there and happy to answer any questions that you might have, and if I'm not able to provide an answer right now, I hope I will be better prepared with an answer during our industry day this Friday. You are, you know, you don't have to come to Birmingham, but if you join online you'll be able to hear everything and also ask questions as well. I don't.

Anil John: At note.

Anil John: I'm going to turn to go with you folks to ask any questions you might have.

Mike Prorock: Awesome, thanks Anil, I really appreciate the overview here. You piqued my interest with OSL item D there, the confidentiality and integrity side of compute. Are you expecting that to cover, like, fully homomorphic encryption and some of the other things we're seeing finally kind of get some, not just adoption, but broad usage? Because that is one of those fascinating areas that lets you keep data protected while still performing.

Mike Prorock: Things like machine learning or verification on top of.

Mike Prorock: For decrypting it. I mean, is that an area that you think the program is interested in, or.

Anil John: I think I'm sort of, forgive me as I answer it, it may very well be my ignorance and my lack of understanding as well. I think when you talk about the fundamental cryptographic primitives that are needed in order to enable homomorphic encryption or zero-knowledge proofs or selective disclosure or FIPS compliance and things like that, we sort of expect that to sort of live in the cryptographic tools SDK, right? So.

Anil John: The the 0s.

Anil John: Confidentiality- and integrity-protected computing, in a lot of ways, for us it turns out to be, as we all know, you know, chipset manufacturers these days are building in enclaves that basically allow for computation to, you know, occur within the secure enclave, and the standards like RATS and others at IETF give you confidence around the attestations about the things being.
Anil John: Being done in.

Anil John: So we sort of see, so how does that apply to our world? You know, I think a lot of people sort of see that as, that's somebody else's thing. We don't; we think that there is a play here where, you know, if cloud-based vendors are basically deploying technology that allows for confidential computing and supporting standards that allow us to verify using hardware-level attestation.

Anil John: Attestations about how they are doing.

Anil John: It, it means that we can offload a set of processing and storage to those enclaves, for example, in a, cryptographic key management, cryptographic encryption or cryptographic operations today. So we sort of see that as the OSL D. I also think that, you know, I would simply note that there is a ways to go here, so we're not expecting magic to fully bloom, but we also think.

Anil John: That it is important enough in order.

Anil John: Simply put a wedge in there and to put some funding behind it in order to move it forward, so that it is useful broadly and becomes part and parcel of how we provide end-to-end security in the digital credentialing ecosystem.

Mike Prorock: Yeah, that makes total sense, and I definitely see how that stuff kind of rides together. Awesome, cool. Harrison.

Harrison_Tang: That's all to clarify: like, digital wallet is about presenting, presentation of credentials, and mobile verifiers is about verification of credentials, is that correct? And if so far the product more kind of detail prior requirements for the digital wallet and mobile verifiers.

Anil John: So you're asking a good question, and I am going to flip that right back on the community, right? So for the last two to three years, every single time that you've heard me talk, I have been talking about the fact that we need to, as a community, agree on what are the things that make a wallet secure: what are the foundational security properties, what are the foundational privacy.

Anil John: But he's.

<mprorock> a revisit to the what's in a wallet series way back is helpful in this area

<mprorock> and the universal wallet work item

Manu Sporny: +1 ^

Anil John: Interoperable properties that are core to what makes a wallet secure, because in the absence of that you will default to picking a vendor's wallet rather than making a capability assessment. And I think what I am saying, and what we are trying to motivate through this call, is to bootstrap the work or energize the work or highlight the work that is.

Anil John: Needed in that space.

Anil John: Not happening right now. In my world, could we come up with a set of criteria on wallets that are, you know, sufficient to meet the Department of Homeland Security needs? Yes. Could we come up with a bespoke way of figuring out whether a wallet that is coming to us could meet those criteria? Yes. Is that a.

Anil John: Actually going to help the broader ecosystem.

Anil John: System? I would argue no. I think this is something that across both the public and the private sector we need to define that criteria, so that we actually have a common understanding of what is out there. So the answer to the question, Artisan, excuse me, Harrison, is very simple: we have a sense of what it is because of some of the work that we have done internally, but we also think much more work needs to be done and.

Anil John: And we.

Anil John: That work around the digital wallet to be part of that, to be very much focused on that. Is that helpful? I know I may have wandered in the wilderness to your question, Harrison.

Harrison_Tang: No, no, helpful, thanks. And then, sorry, one more clarification question. So earlier you mentioned that these two functionalities, or these two areas, can be in one application or service, and then you also mentioned that they can be separate, okay.
Anil John: No and I don't know what I meant by that is basically if you know when somebody applies to our solicitation they have to tell us what they are working on are you working on a digital wallet are you working on a mobile verifier are you working on both right so what I mean so there is no we do not want a combined verifier wallet at this point in time in fact I don't. Anil John: Don't think that makes. <mprorock> the ARM folks hang out at IETF if you want to meet HW folks Anil John: Sense it particularly since we actually are hoping and expecting that the digital wallets responses will not purely be software-based digital wallet but also be you know hardware-based digital wallets as well I'm a big fan of the work that Mudge did back in the day with Project Vault at Google ATAP so I'm hoping some a new generation of that will come along as well so so so what I'm. Anil John: That's exactly what we meant so pick one. Anil John: They'll be separate products Harrison. Mike Prorock: Yeah and just a quick before I move to Manu if you are not familiar with the hardware folks that work in this space the ARM folks and the Intel folks are probably the two that I would talk to first if you wanted someone amenable to Open Standards they tend to hang out at IETF so that's just throwing that out there man. Manu Sporny: Thanks Mike this is great Anil really good information for folks that you know want to apply in to understand kind of where some of the future development work's going to be focused so I'm trying to think about how organizations might game this to make it seem like they're providing something useful when they're not really so things like sure we've got a proprietary wallet and. Manu Sporny: We are. 
Manu Sporny: Adding this open source library SDK but it's written in such a way that it's only really useful in their proprietary wallet it's so deeply ingrained that nobody else can really reuse it are there any kind of nudges that the organization's applying or going to get that where they need to demonstrate that one they haven't just taken somebody else's work and done a minor amount of work on it. Manu Sporny: In produce that. Manu Sporny: The open source thing they're working on or do they have to demonstrate you know the open source library that they've created is actually getting traction in the ecosystem thoughts on that. Anil John: Yeah it's a valid question and a couple of one of the reasons that we we've done this you know Dance Before in fact we did this previously with RS found work as well in order to sort of healthy ecosystem while actually building our products T to your point though the expectation of anybody who responds to it is first and foremost it that cryptogram those SDKs. Anil John: Will truly be open source. Anil John: Means that they will indeed be public accessible to all it will not be behind a you know a closed GitHub repo we will we will work with them to find a proper home such that they are actually you know encouraged and expected to have you know folks outside of the people that we fund contribute to those. Anil John: Case as well and separately we're we're big in being very encouraging and supporting in the early phases of our work but when we when we get to the phase three pieces of it right so one of the things that we will do in particular with this we will go beyond the standard independent red team that we will actually have. Anil John: In place. 
Anil John: We already have in place for our programs down to the code level reviews and use those reviews as a mechanism to actually get input and feedback from the broader community to ensure that it is indeed you know broadly usable and not just in a constructed in a way just to tick the box and useful only for the one company that is working on it. Anil John: On that note. Anil John: Open open request to the community you all know how to work this and to game this the any suggestions that you have to us in order to in order to watch to make sure what are the things that we should be looking at to make sure it is not being gamed because our hope and our intent and our desire. Anil John: Are here. Anil John: This becomes something that is truly useful for the community and the reason that we will have a fully independent code review of these open source codes you know code is to make sure that you all have confidence in that code so that you are free to use them so it I would make an argument that this work is going to be useful to you so help us to make sure that the output that is coming out. Anil John: Useful to you and not proprietary beyond that we will play it as it comes Manu. Mike Prorock: Awesome maybe a little bit of a technical question here Anil because I know there's some back-channel stuff flying around to in or not really back channel but IETF stuff flying around that doesn't always get on the radar here but one of the areas that I think is really interesting is thinking about how do we combine U.S. gov requirements with global requirements right because Jeff different jurisdictions are going to have different sets of things that. Mike Prorock: Are you. 
Mike Prorock: Helpful pride and so one of the things I've been working on for a while now has a couple areas of post-quantum cryptography side of things in the applications of those things right and so Japan for instance as well as some others and commercial entities here in the US have a high interest in NTRU as a KEM even though NIST is rolling with Kyber and when I think about KEMs in particular they seem like. Mike Prorock: They have a hole. <manu_sporny> kem ==> Key Encapsulation Mechanisms <manu_sporny> hpke ==> Hybrid Public Key Encryption Mike Prorock: Autumn application here in terms of the digital wallet spacewar could write than what we're seeing with changes and updates in terms of HPKE and ways of exchanging this stuff and you know what more common ways could be really really important at this and it's not an area that I've seen the VC or the wallet space really start to jump on heavily possibly because it's earlier but or possibly just because it's sitting more at that TLS layer and stuff like that now. Mike Prorock: And before it expands out later is that an area. Mike Prorock: Think could or should be explored as part of this stuff what are your thoughts on the kind of that interop between obviously meeting NIST and FIPS requirements here in the States but also making sure that interoperability is possible with say the EU or you know you know trusted parties like Canada right that we have a lot of exchange back and forth with Etc any thoughts on that. Anil John: So I'll start off with noting that you know SVIP is not an R&D program right so there are other parts of my organization that absolutely you know fund R&D and in a prior role that I had as the identity management and data privacy R&D program manager I was at you doing that I'm not doing that anymore so so what you will see in the call itself. Anil John: Is things that. 
Anil John: The business units that are in play who are interested in deploying these technologies really need to have in order to actually enables technologies now there could be somebody who comes to the table and said yep we will we will provide that but we are also going to you know work on these additional things you know beyond that and our answer is you are absolutely free to do so we're not going to constrain of the things for example there might be. Anil John: You know there is a community out here obviously that is. Anil John: Focused on things like AnonCreds and ACDC and things of that nature right so those are not things that we have an interest in currently I know I think are you know articulation in the profile you know shows what our interests are but if a company that was really had an expertise in that what did you do the work that is needed in order to meet our requirements but as part of that work also incorporated. Anil John: Those into those cryptographic modules we would have no issues. Anil John: Actually you know be very happy because it actually provides in a broader hope to the community more than anything else separately Mike I think you know one of the one of the interesting conversations one of the interesting perspectives that a business side of my organization brings to the table that I may not bring as a technologist is more from the perspective. Anil John: Spective that. Anil John: When it comes to you know interoperability particularly across jurisdictions and and borders I would make a point that it is really really important that one needs to have a common understanding of the security privacy and interoperability as a foundation but there is a layer above that that basically talks to mutual recognition agreements between countries. 
Anil John: He is for example the US Customs side of our organization and what we call the CTPAT program right which is our trusted trader program so if you're familiar with Global Entry and NEXUS and SENTRI and things like that think about that for traders so and the foundation of it is very simple is that there is a cybersecurity criteria that was developed that basically countries. Anil John: Sort of assess themselves against. Anil John: Assure that they are meeting them both on the US side and on a counterparty and if they do that there is a formal mutual recognition agreement that is put into place that between those two countries that basically says that hey you know goods coming from your country with this type of accreditation associated with that will be allowed for fast-track import into the country and and if. Anil John: Because it is a mutual recognition program. Anil John: We send to that country is also recognized as there as well there is a lot of energy and excitement around all of the work that is going on and the EU digital wallet and obviously the wallet work that we are doing and I'm sure the wallet work that is happening globally as well and the foundation of all of that is those technical pieces but I would also say is that we're not blindly going to you know there is a policy layer on top of the technology. Anil John: Be there as well. Anil John: When we talked to our Canadian colleagues we are going to make sure that there is a you know an understanding of our common security perspective that we are all comfortable with and we do this we will do the same with the EU as well and go from there so it is not a matter of we will blindly incorporate or incorporate into our tooling that's what somebody else has developed it is based on that. Anil John: Foundational security expectations. 
Anil John: Actually agree upon and and that is what I what I don't see happening within the broader community that that that public private discussion around what makes a good wallet and how do you assess a good wallet as being Gordon good good and what are the things that make it good and what are the things that make it not so good everybody wants to talk about moving things from point A to point. Anil John: Edie that's great. Mike Prorock: No that was that was awesome yeah. Anil John: There are other pieces that need to be true as well sorry bit rambling there Mike but authorities of bit of frustration and a one of the rationale for why we are why this call is out. Mike Prorock: Now I hundred in awesome and I fully agree right that it's really easy in the tech world to get really buried in the weeds as opposed to thinking about how are we going to actually practically get stuff done in a way that can be communicated to human beings Manu and then I think Kerri and I'm going to close the queue at this point just because where you're going to run up on time so they don't fire take away. Manu Sporny: Great thanks Mike Anil you you covered one of my questions which was what do we you know meaning the community think about the what's happening in the EU with the ARF in the digital wallet stuff so I think that was clear you know it's it's their multiple entities that are in the ecosystem and at some point we're going to all have to read each other's credentials and interface with each others. Manu Sporny: You know it going back to the question that you raised the community about you know what what can be done to ensure that the right outcomes happen so with the with the open source libraries you know I think one of the dangers here is that there are multiple people that work on like item a the cryptographic tools SDK and you don't get any takers for B C or D right so it's one of these things is a bit easier to do than. Manu Sporny: The other things. 
Manu Sporny: And so I'm wondering if there has been kind of thought put into how do you make sure that there's even coverage of you know implementations and then of course you know how do you ensure that people are actually going to use this there almost needs to be some kind of measurable you know component to there's actually uptake of these open source libraries because you know the last thing I think any of us want is the creation of an open source library at. Manu Sporny: That you know great. Manu Sporny: Us to the the US federal government which then does not have any uptake whatsoever so just some just some thoughts there I don't know if I'm wondering if those kinds of things are going to be kind of a constant conversation with the various communities and if so you know how did the people that apply to this initiative you know have a concrete target to shoot. Manu Sporny: At the other the other thing I. Manu Sporny: Is nowhere have I seen the dollar figure that's attached to this initiative in the fact that it's non-dilutive funding is it there are a number of companies here that are building you know these things that are somewhat new to the ecosystem that probably need to hear that this is a potentially multi you know million dollar investment in their technology that's that's non-dilutive I think it's a really powerful. Manu Sporny: That I haven't seen hit on at least recently anyway just just some thoughts there. Anil John: Yeah I'll stop them on you I will go back to our 2018 solicitation as I mentioned we had 200 plus applicants we at that we started with I think making around 10 selections you know we over time it became you know seven for a variety of different reasons what I will say is that we. Anil John: We multitrack we fund. Anil John: Multiple companies simultaneously to solve the same problem and each company has the potential of getting up to 1.7 U.S. million dollar you are 1.7 million U.S. 
dollars each company and that's not you know across all of them that's up to 1.7 for each each company so phase one is a maximum of 200K because phase one is when we determine. Anil John: That you can walk the talk or not or whether you just have a. Anil John: Phase 2 phase 3 and phase 4 tends to be up to a 500K maximum and you know so up to 1.7 million dollars and I'm not going to basically share how many companies that we award what I will give you is point you to what happened in our prior call you know it is not one it is not two it is many you know and like I said I think. Anil John: It was close to 10 the last time. Anil John: The other piece to your point Manu is yeah so so we we do we are very aware that it could very well be everybody could basically focus on one SDK and nobody could come for the other three I think that is part of our you know how we manage our selection process as well right I think we are interested in moving all of that forward. Anil John: We are hopeful. Anil John: That basically multiple companies will apply to all of them at least you know one or more of them and we're not going to be that desperate enough that basically we're going to actually award a crappy application just because they were the only supplier in that particular case you know we have in the past actually closed the call then if we did not get the type of talent that we. Anil John: I'm looking for have in in the. Anil John: Open the call again as well we are more interested in doing a right job here than basically you know checking the box here on this I think there was one more question that you asked me that I am missing I'm I'm happy to answer that separately and if I don't I'll definitely answer it during our industry day on Friday and. Anil John: Separately we. 
Anil John: We definitely you know we will encourage the companies that that are working on the same open source SDK to actually work on them together and out in the open because it reduces the amount of work that they need to do and it also it allows them to focus on their product roadmap while getting help for those type of components as well right so yep so. Anil John: Multi-tracking and you know making sure there are multiple awards that hopefully cover all of them and up to 1.7 million dollars per company that is selected. Mike Prorock: Awesome Kerri I think you're going to get the last question in the last 30 seconds or so and hopefully we get a good quick answer so. Kerri Lemoie: All right yeah I'll try to be really quick here hi Anil I think I just as in relation to what you're saying about policy in the validation layer that is over all of this tech and what I would like love to hear more about someday when we have an opportunity to talk about is is that layer because in education and workforce as we start bringing issuers employers verifiers on board it's actually that layer that is where they have all the questions and it's where we don't have a lot of answers yet so yeah. Kerri Lemoie: I just sort of want to make a comments or question about that I don't think you're trying to get into it but. Kerri Lemoie: Love to talk to you about it. <kerri_lemoie> Also - edu would lean on governments for this. Phil Long: +1 Kerri Anil John: I would love to love to have that conversation at a fundamental of a particularly when it comes to digital wallets I I believe there is a set of things that we can check for using some sort of a cryptographic challenge response but there is a set of things that we cannot check for in that manner that requires some manner of a you know assessment independent assessment into the weeds and that results in some manner of hopefully a trust mark that can be consumed. 
Anil John: And now in order to do all of that assessment you need. Anil John: Years and what I don't see any work is basically those criteria being fleshed out in a manner that is broadly usable and we are hoping to so encourage that through the Scott so happy to chat particularly regarding your education vertical because we do consume your credentials particularly on the USCIS side so on that note Mike I appreciate all the questions thank you for taking the time. Anil John: I'm to invite me. Kerri Lemoie: +1 Anil - will be in touch. :) Thanks! Anil John: Back over to you sir and Barry and Erica. <harrison_tang> Thank you, Anil Mike Prorock: Yeah no thank you for going in a minute over here and I really appreciate the time as always this is a great call I think it hopefully spurs a lot of thoughts from the community about engagement with existing work items things like Universal wallet etcetera and revisiting some things that may have fault. Mike Prorock: I keep it. Mike Prorock: Unless that would accidental cute. Mike Prorock: If you all. Harrison_Tang: All right thanks Mike thanks for hosting today. Mike Prorock: Yeah no worries the to move up move a meeting to get this one confirmed because some silly customers keep bugging me it's worked out well. Harrison_Tang: If you if you got something that you cannot move just let me know I. Mike Prorock: Oh yeah no I well this one they hit me like yesterday afternoon I was like I'm two weeks out here on calendaring so let's I know this is important let's find a time but that is not the time. Harrison_Tang: All right well thanks well let me know I think next week we if you could do it just let me know please host but if not I can be a backup. Mike Prorock: Yeah next week I should be fine I believe let me just double I'll tell you right now actually because that'll be the 22nd. Mike Prorock: Oh yeah yeah. 
Harrison_Tang: Yeah it's the open agenda and I thought that since most technical of the group you can you park in the group area okay. Mike Prorock: Actually have oh no I am good for that one I can't do the VC working group call that day so yep good to go. Harrison_Tang: Well I mean if you cannot do it I can do it too so either way is fine. Mike Prorock: Yeah no I'm good for next week so count me in and obviously be great if you're on but because that's just open agenda let's touch on you know some work items and you know yes if you want to send the note out and that way people can come with topics they may want to discuss with the group so yeah. Harrison_Tang: All right well what do you I'll be on next week as well so I'll see you next all right like. Mike Prorock: Awesome cool will see you.
Received on Friday, 18 August 2023 17:47:56 UTC