Re: [MINUTES] W3C CCG Credentials CG Call - 2023-08-29

So… are the robot overlords taking over and Harrison’s first message is the
first warning or are the minutes a bit messed up? Its been awhile since
I’ve been on a CCG call but I would hope things haven’t gotten that hostile
😅.

On Tue, 29 Aug 2023 at 10:16 AM CCG Minutes Bot <minutes@w3c-ccg.org> wrote:

> Thanks to Our Robot Overlords for scribing this week!
>
> The transcript for the call is now available here:
>
> https://w3c-ccg.github.io/meetings/2023-08-29/
>
> Full text of the discussion follows for W3C archival purposes.
> Audio of the meeting is available at the following location:
>
> https://w3c-ccg.github.io/meetings/2023-08-29/audio.ogg
>
> ----------------------------------------------------------------
> W3C CCG Weekly Teleconference Transcript for 2023-08-29
>
> Agenda:
>
> https://www.w3.org/Search/Mail/Public/advanced_search?hdr-1-name=subject&hdr-1-query=%5BAGENDA&period_month=Aug&period_year=2023&index-grp=Public__FULL&index-type=t&type-index=public-credentials&resultsperpage=20&sortby=date
> Organizer:
>   Mike Prorock, Kimberly Linson, Harrison Tang
> Scribe:
>   Our Robot Overlords
> Present:
>   Harrison Tang, Xavi Aracil, Greg Bernstein, Erica Connell, Oliver
>   Terbu, pauld gs1, Hiroyuki Sano, Japan, Jeff O - HumanOS, Mike
>   Xu, Gregory Natran, Benjamin Collins, Joe Andrieu, Phil L (P1),
>   Orie Steele, Kaliya Young, James Chartrand, Kimberly Linson, Leo,
>   kristina, Chandi Cumaranatunge, TimG, Dirk Balfanz,
>   ToddSnyderGS1, Benjamin Young, Henry Story, TallTed // Ted
>   Thibodeau (he/him) (OpenLinkSw.com), Dmitri Zagidulin, Kristina,
>   David I. Lehn, Denver, Phil Long, Adrian Gropper,
>   ToddSnyderGS1US, Kayode Ezike, Kerri Lemoie, Brian Richter, Manu
>   Sporny
>
> Our Robot Overlords are scribing.
> Harrison_Tang: Watching Oliver I'll do the quick intro first and
>   then I'll kill you.
> Harrison_Tang: Sounds good right so hello and welcome to this
>   week's w3c ccg meeting so this week we are very glad to have
>   Oliver here to present and lead a discussion on open ID for
>   verifiable credentials and verifiable presentations so before we
>   get to them in agenda just want to do a quick reminder on code of
>   ethics and professional conduct just want to make sure that you
>   know we acknowledge and respect each other's privacy.
> Harrison_Tang:  perspectives feel free to make any comments and
>   things like that.
> Harrison_Tang: Silence you know you keep in mind of the code of
>   ethics all right quick I denote anyone can participate in these
>   calls however all substantive contributions to atcg work items
>   must be members of the ccg with full IP our agreement sign I make
>   sure you have that w3c account and you have any problems or
>   encounter any issues in regards to sign up to a w3c account or
>   the mailing list just let it.
> Harrison_Tang:  any of the cultures know.
> Harrison_Tang:  these meetings.
> Harrison_Tang: Corded and it's automatically transcribed we do
>   try to publish these meeting minutes within a day or two but if
>   you need it a little bit sooner just that any of us know.
> Harrison_Tang: We used to teach at to Q speakers during the call
>   so you can type in Q Plus to add yourself to the Q where Q minus
>   2 to remove.
> Harrison_Tang: All right any introductions or reintroductions if
>   you are new to the community or if you are if you haven't been
>   active and want to rename engage with the community please feel
>   free to just unmute and introduce yourself.
> Benjamin Collins:  Okay I'll do a quick introduction my name is
>   Ben I'm from transmute and glad to be on the call today.
> Harrison_Tang: Anyone else feel free to mute I'll mute.
> Xavi_Aracil: Yes and let me introduce myself and tell me that you
>   like from one attack and curly based on in Barcelona Spain very
>   happy to be here.
> Harrison_Tang: All right announcements or reminders you have any
>   announcements or any reminders feel free to just allow yourself
>   to the qy me.
> Erica Connell:  Hi everyone yes it's Erica I just wanted to give
>   a friendly reminder that we're building the web of trust is
>   coming up September 18th through the 22nd in Cologne Germany I
>   will put a link to the Eventbrite in the chat all are welcome and
>   their scholarships and sponsorships available as well thanks
>   that's all.
> Erica Connell: https://rwot12.eventbrite.com/
> Harrison_Tang: Thank you Erica Clea.
> Kaliya Young:  Hi all so friendly I'm Commander that we've got
>   the internet identity Workshop coming up October 10 through 12 in
>   Mountain View California and we also have sponsorships available
>   I'm going to put a link in the chat so folks who have don't know
>   about a how affordable sponsorship is can.
> Kaliya Young:   To learn more about it.
> Kaliya Young:  I have quite a few slots available and it's a key
>   component of helping the event run so I'll put a link to the main
>   website and also that sponsorship document for folks to look at
>   thanks so much.
> Harrison_Tang: Any other announcements were reminders.
> <kaliya_identitywoman> Event Website coming up October 10-12.
>   https://internetidentityworkshop.com/
> Harrison_Tang: All right a quick preview of what's coming so next
>   week I will have already Mike Barack and others to kind of give a
>   update on the traceability and then after that we have machine
>   identity in Federated system so Justin Reacher will talk about
>   that and then after that we'll talk about Fido to and wipe all
>   thin and then the seconder September 26th will have selected
>   disclosures 48.
> Harrison_Tang:  equities of value will be the discussion on that.
> Harrison_Tang: Any other announcements were reminders.
> Orie Steele:  Paris and just confirming that traceability status
>   updates happening next week.
> Orie Steele:  Okay I think I have my dates wrong thank you.
> Harrison_Tang: Thank you no thank you again sorry for the
>   confusion to regards to the scheduling and things like that so
>   thanks thanks Lori.
> Harrison_Tang: All right any updates or comments on the work
>   items.
> Harrison_Tang: Okay well let's get to the main agenda so this
>   week as mentioned earlier we're very glad to have Oliver taking
>   the time to present and be the discussions on open ID for
>   verifiable credentials and verifiable quick presentation so I
>   thank you Oliver for taking the time to present here and the
>   floor is yours.
> Harrison_Tang: All-American go on me.
> <kaliya_identitywoman> Link to learn more about our sponsorships
>   for IIW. It costs as much to sponsor IIW as it does to attend an
>   event like Identiverse ;)
>
> https://docs.google.com/document/d/1DgVYUJQLgnguFOicm91TjnrUIHyuiaWXhnZ36gvyamM/edit
> Harrison_Tang: If you don't mind like if you don't mind can you
>   introduce yourself a little bit and then we can get right into
>   the presentation thanks.
> <kristina> announcement! a new WG dedicated to OID4VC is starting
>   this thursday in OIDF!
>
> https://openid.net/announcing-the-digital-credentials-protocols-working-group/
> Kristina: Sorry Oliver if you can go back to the previous late
>   just a nod to confuse people open ID for credential Asians and
>   presentations or based on OS so we are talking about existing all
>   of us relying parties and OSS authorization servers being able to
>   leverage right all those of course backs so those two are
>   completely based on all us like you do not need to understand up
>   that you connect to be able to do that right so only.
> Kristina: Of the provider which is synonymous with syndication
>   piece is still based on connect just being really clear because
>   you know that's why it's called open idea for a fabric with an
>   shows and not of midi connector profiled for credentials to
>   because it's fundamentally based on all of us who I deliver.
> <orie> Does the new working group mean that all new verifiable
>   credentials protocol work should happen at OIDF, or is the OAuth
>   WG at IETF planning to do protocol work for VCs ?
> <dmitri_zagidulin> ooh great question Orie
> <orie> afaik, IETF OAuth will need a new charter to do that kind
>   of thing, so maybe OIDF willl absorb all the related work.
> Harrison_Tang: Sorry sorry I'll live it like do you mind taking
>   like a couple questions right now or you want to do it again.
> Harrison_Tang: I'm on it to the queue so Dimitri.
> Dmitri Zagidulin:  Thanks I wanted to ask question before we got
>   too much from from the previous slides I wanted to ask about the
>   you mentioned that people can use existing open ID issuers also
>   open ID Lupe's identity providers for issuing credentials like
>   having having having tried to do that at least in the JavaScript
>   and the node ecosystem I find that.
> Dmitri Zagidulin:   That they're not able to write the like.
> Dmitri Zagidulin:  The VCI specs introduced new parameters new
>   API endpoints that the existing issuers don't have what am I
>   doing wrong.
> <orie> might be a good question for stack overflow... how to add
>   custom claims to `id_token` from AS
> Kristina: Seriously I don't think anything is wrong right so
>   again they are reusing all of us authorization servers and when
>   you'll get to the issuance part it will be clear but what issues
>   spec does it introduces a new resource server which you can
>   leverage using your existing authorization server and for
>   existing authorization server you can actually use it without
>   modifications if you're using a scope parameter to identify
>   which.
> Kristina:  attention seeker requesting like for example.
> Kristina: Shouldn't we are reusing Azure active directory which
>   is an existing authorization server which does not take any
>   modifications because it takes billion transactions a day to
>   issue credentials so you add eraser which is a new component
>   which you need to add from a scratch that's true you need to work
>   that but from the authorization server perspective you can reuse
>   up.
> Dmitri Zagidulin:  I see I see I think I was blocked by the
>   server I was using doesn't understand the credential definition
>   property and some of the other properties in the request.
> Kristina: Yeah so that's our our that's translation details so if
>   you instead try to use scope but that would need you know the
>   wallet and the a sure knows that this scope stands for this
>   credential so you can map it back to format type whatever you
>   need once you define that that should be more straightforward.
> <orie> we removed scope requirements from the trace-api to
>   support these cases recently.
> <orie> (we had conflicting scope requirements, that we removed).
> <orie> everytime I see presentation exchange, json pointers, I
>   imagine doctor strange searching for possible futures where the
>   avengers don't loose.
> <dmitri_zagidulin> lol
> <orie> would really love to see this working over SMS based
>   phones.
> <dmitri_zagidulin> how does the web-based issuer open the wallet
>   app?
> <orie> protocol handlers and deep links I assume.
> Harrison_Tang: Yes Ori please.
> Orie Steele:  So this EP working group at open ID Foundation I
>   think in the previous slide you mentioned you know some of these
>   open ID Foundation protocols already support see bore and compact
>   credential format so they're not attached to just Jason and
>   base64 URL encoded credential formats is that correct.
> Dmitri Zagidulin:
>   https://openid.net/wg/digital-credentials-protocols/charter/
> Orie Steele:  But my question specific to the DCP working group
>   meaning that there will be protocol work on non Json represented
>   credential formats at that working group all right.
> Kristina: I mean we will be sorry and this would be working with
>   we will be working on opening day for a fabric credentials
>   protocols that is three that Oliver talked about and also we have
>   additional strayed documents being contributed security analysis
>   userinfo profile for dma act and they ble part they are all
>   agnostic for credential format and yes they will support the
>   Seaboard based binary Pro formats as well.
> Orie Steele:  In terms of the protocols that are being built
>   there are they limited to mobile wallets only or is there room in
>   there for cloud identity service agent workload identity you know
>   cases where you have a credential holder that isn't a human and
>   doesn't have a mobile phone.
> Kristina: Yeah so as Oliver mentioned nothing from prodigal
>   perspective limits the wallet to be a native app work the mobile
>   wallet so yeah we do support all the protocol itself does support
>   the words with the back in the cloud component or browser-based
>   words I think that's slightly different from where you're going
>   at which is kind of more server-to-server organization Awards
>   organization server kind of presentation so.
> Kristina:  well technically because.
> <orie> like wimse, etc...
> Kristina: And all of us granted that's up you can already do that
>   but we have received recently increasing number of enquiries how
>   can people do this organization to organization kind of scenario
>   so we will be looking into that more.
> <orie> "workfload and service identity"
> <kristina> i need to catch up on wimse..
> Kristina: What's patreon the cube do they send me three.
> Kristina: Thank you - the sorry Oliver.
> Dmitri Zagidulin:  Yeah I took myself off the queue although
>   could you drop them URL to The Whimsy spec.
> Orie Steele: https://www.ietf.org/mailman/listinfo/wimse
> Dmitri Zagidulin:  X if anybody has the URL to The Whimsy spec
>   handy the one that Oreos mentioning and thank you.
> Orie Steele: https://mailarchive.ietf.org/arch/browse/wimse/
> <orie> i wil join when you switch to github
> <orie> and not before
> Harrison_Tang: Thank you Oliver Christian.
> <orie> <3 !!!!
> Kristina: Or we are changing to GitHub this Thursday so you'll be
>   able to have no more excuses not to drink.
> Kristina: But yeah no you you don't have to be an opening the
>   foundation member to join the working of actually as long as you
>   sign an IPR agreement you can join the the coals right away yeah
>   so if anyone's interested they barrier to just call in and listen
>   in to the call is there was a really low you need to be a member
>   if you once we go to implementers draft and you want to vote on
>   specification that's when you need a membership.
> Harrison_Tang: And Christina just to clarify earlier you
>   mentioned that there's a new working group form is that the
>   digital credentials protocol working group or is it something
>   else.
> <orie> and its a paid membership like W3C? or free to participate
>   like IETF ?
> Oliver Terbu:
>   https://openid.net/wg/digital-credentials-protocols/
> <denver> is it possible to share slides?
> Kristina: Correct yeah so we were doing all this work under the
>   ability connect working group in a paint Foundation until this
>   point but as you can see it's not connect really it's based on
>   all of us but still about identity so yeah we have a dedicated
>   working group to this and that will be using GitHub which we are
>   all really excited about.
> Harrison_Tang: And I think already has a question is is that pay
>   membership like w3c or free to participate for the open ID
>   working group.
> <tallted_//_ted_thibodeau_(he/him)_(openlinksw.com)> WIMSE ==
>   "Workload Identity in Multi-Service Environment" (not "Women in
>   Math, Science & Engineering" which is first suggestion from some
>   search engines...)
> <orie> my goal is to not pay another SDO, I'm happy to sign IPR
>   agreements.
> Kristina: Yeah so if your goal is to be able to comment on the
>   issues to the PRS approve your took be ours based on you know and
>   I pr protect with matter like obey Foundation does not require
>   they membership so you can do that you know as long as you sign
>   the IPR and you tell us that there no you know know I pr concerns
>   basically that's what we most care about the obviously
>   organizational membership is appreciated but that's.
> Kristina:  more if you want to get voters.
> <harrison_tang> ;(
> Kristina: And where's our organization is going like how budget
>   is being spent what not like for a spec writing you don't need
>   membership.
> <orie> awesome!
> <kaliya_identitywoman> and individual memberhsip at OpenID is $50
> Kristina: You're right it's 50.
> Harrison_Tang: Any other questions.
> <orie> just like an Apple developer license : )
> Harrison_Tang: So this is a roughly a newbie question but I know
>   that there are multiple different kind of protocols were
>   competing standards right like open i0 open ID right we see like
>   we're seeing here and there's the date calm and there's no VC
>   apis and things like that I know the open ID my impression is I
>   hope ID is the most most popular it has the most options right
>   now but I'm just curious why.
> Harrison_Tang:  what are the kind of pros and cons and question.
> Harrison_Tang: We're which standards or protocols makes more
>   sense what the kind of the trade-offs.
> Harrison_Tang: All right you want to go next.
> <kaliya_identitywoman> <3 thanks Orie :)
> Orie Steele:  I'm gonna duck the defend your favorite protocol
>   War bait but I wanted to ask regarding presentation exchange as a
>   component in open ID connect family specifications what is the
>   sort of open ID Foundation view of presentation exchange from
>   diff is that specification stable enough to build on.
> <dmitri_zagidulin> @Orie - thanks, I had that same question
> Orie Steele:  Ietf should it grow up more at diff should it move
>   to open ID Foundation just because as far as I'm aware this is
>   the first time anything in the open ID ecosystem has taken a
>   dependency on a specification that wasn't developed at ietf or
>   you know another reputable standards organization so I'm
>   interested in open ID foundations view of presentation exchange
>   as a dependency mandatory to support sort of sub.
> Orie Steele:   Asian that's it.
> Kristina: Or decided to substitute one tricky question with
>   another one yeah.
> Kristina: But okay so.
> Kristina: Everything you say is correct but right now.
> <orie> yes, its true, thats called a backflip kick : )
> Kristina: We are we appreciate the so we we have resumed closely
>   working with c-diff PE editors we had a couple of calls so we had
>   couple of remaining concerns so one was security so reg ex Json
>   schema and allowing anything pretty much like around that so they
>   are.
> Kristina:  are good.
> <orie> regex / redoss is a real thing.
> Kristina: Happening around you know maybe you know prohibiting
>   the usage of reg ex and Jason pass for example so that
>   conversation is ongoing another part is.
> Kristina: Yeah so I think right now the plan is to get a try to
>   work with the presentation exchange editors working group to get
>   the specification to a really stable reliable state which gives
>   those minimum functionalities and what we do observe is so
>   because the open the deeper VC protocols allow you know instance.
> Kristina:  ability points you need a pro.
> Kristina: For example the ice mdl like they have a clear-cut
>   profile to say this is sequential format this or identifier
>   sister kept of sweets what not right but people do is that they
>   tend to add requirements and of a presentation exchange like for
>   example the Mbox folks did at certain like Okay so this
>   identifier has to be a doctype or like this you know should be
>   this so that's what we observe realistically.
> Kristina: If both of us are going sorry.
> Kristina: Yeah into sorry quickly build up on a previous question
>   right.
> Kristina: Yeah as much as yes you probably need some additional
>   work on top of your existing reservation servers they.
> Kristina: There is a variable formed ecosystem so I think that
>   kind of people willing to leverage existing knowledge existing
>   infrastructure has been kind of a good pushing force so far.
> <orie> nothing says confidence, like moving a spec to a tougher
>   arena of combat... I would like to see DIF specs make it to IETF
>   or ISO, and not stay stuck at DIF.... personally.
> Harrison_Tang: All right any other questions.
> Dmitri Zagidulin:  Iif I've got a question what's the what's the
>   current state of the art thinking in the open ID for VC + VP
>   groups in terms of wallet selection like what's the I remember
>   there was some talk about may be working on a while it's selector
>   or yeah it's like what's the what's the latest thinking.
> <kaliya_identitywoman> Wallet INVOCATION!!!! :)
> <dmitri_zagidulin> nice
> <orie> mDoc Request API supports wallet selection?
> Kristina: Yeah so Dimitri I we haven't invented a voiceover actor
>   yet I think to thing that's happening is one is kind of
>   negotiations with the browser vendors and I think there'd be some
>   conversation that tpack in few weeks where we are trying to make
>   sure that if there is a wallet selector provided by you know
>   browser vendors what not it should you know work for like
>   different protocols and not just.
> Kristina:  just the you know API so that.
> Dmitri Zagidulin:  Thank you that's huge.
> Kristina: To have a nice wallet so action does not lock you into
>   the API provided by the browser's I think that's one side of
>   conversations ya know like we need all your help like to do that
>   because right now is the direction is oh you want the wallet
>   selector now you're forced to use this API so we don't want that
>   Ray so I think that's kind of where all your help us appreciate
>   it another side of conversation is the wallet at the station
>   recent conversation so I think that's the different ecosystem at
>   yours are starting to think about how do they.
> Kristina:  you know make sure that the reliable trust about good
>   wallet so I think.
> <kaliya_identitywoman> Where is the work going on re: wallet
>   invocation capabilities - like this is really key and can't just
>   be pushed off "into the future"
> Kristina: You're starting to see is or these direction we're
>   thinking of is they wallet may be registered as a general kind of
>   custom URL scheme but the wallet you'll have to send the word at
>   the station to get the actual request objects that are very far
>   for example so the malicious wallet might be able to you know
>   start the flow but they won't be able to get the actual request
>   and continue so those kind of kind of mechanisms.
> Dmitri Zagidulin:  Thanks I know we're almost at the top of the
>   hour but Orie is asking in chat if you could say a few more words
>   about doc request API Oliver mentioned that there's some sort of
>   custom UI could you say a little more about that how does MDOC
>   deal with while its election / invocation.
> Kristina: It's an existing yet right so what's and ISO standard
>   right now is basically profile of open 84 BC re so what we have
>   been talking about is true at the same time like browsers are
>   trying to leverage that Forum to you know give like look here's
>   an API so the I think there is some first versions of those apis
>   for you know different companies or building but they are not
>   standardized yet that work to standardize those is hot.
> Kristina:  how is about to be happenin.
> Kristina: If ever sing like you know goes.
> <kristina> openid4vp-mdoc:// :D
> <dmitri_zagidulin> thank you Oliver, thank you Kristina!!
> https://openid.net/wg/digital-credentials-protocols/
> Harrison_Tang: All right thank you I think we're at time just
>   want to say thank you Oliver thank you Christina for coming here
>   and answering our spicy and tough questions was Oliver and
>   Christina has mentioned earlier there's a new working Group Forum
>   on digital credentials protocols we send the link right here the
>   meeting is that every third every other Thursday at 2:00 2:00 UTC
>   is that correct or.
> Kristina: It's every Thursday sorry yeah it's every Thursday yeah
>   it just they Time Changes by our but we don't know how I think at
>   least one of the new DCP working of course will be Thursday
>   thanks for p.m. German time 8:00 a.m. or 7:00 a.m. Pacific but we
>   do have requests for a pack folks sitting might do something like
>   a rotating Coast like they say working with us so you'll see.
> Harrison_Tang: All right thank you thanks a lot alright this
>   concludes today's call you have any last.
> Harrison_Tang: Maybe in this click right this concludes this
>   week's meeting so thanks thanks a lot.
>
>
>