[MINUTES] W3C CCG Credentials CG Call - 2023-03-02

Thanks to Our Robot Overlords for scribing this week!

The transcript for the call is now available here:

https://w3c-ccg.github.io/meetings/2023-03-02/

Full text of the discussion follows for W3C archival purposes.
Audio of the meeting is available at the following location:

https://w3c-ccg.github.io/meetings/2023-03-02/audio.ogg

----------------------------------------------------------------
W3C CCG Weekly Teleconference Transcript for 2023-03-02

Agenda:
  https://www.w3.org/Search/Mail/Public/advanced_search?hdr-1-name=subject&hdr-1-query=%5BAGENDA&period_month=Mar&period_year=2023&index-grp=Public__FULL&index-type=t&type-index=public-credentials&resultsperpage=20&sortby=date
Organizer:
  Mike Prorock, Kimberly Linson, Harrison Tang
Scribe:
  Our Robot Overlords
Present:
  Mike Prorock, Greg Bernstein, Ryan G, Les Chasen, Harrison Tang, 
  Ken Ebert, Nis Jespersen , Joe Andrieu, David Waite, David 
  Temoshok, Manu Sporny, Kerri Lemoie, kristina, ToddSnyderGS1, Tim 
  Bouma, Markus Sabadello, Wendy Seltzer, Anil John, Clare Nelson, 
  Kimberly Linson, David I. Lehn, Rita Torkzadeh, Lucy Yang, 
  econnel, Priam Varin, Dan Bachenheimer, Bree, Sandy Aggarwal, 
  stephan baur, Frederic de Vaulx, Juliana Cafik, Line Kofoed, 
  Limari (DIF), Stephen Curran, Andres Uribe, TallTed // Ted 
  Thibodeau (he/him) (OpenLinkSw.com), Drummond Reed

<kerri_lemoie> Hello!
Our Robot Overlords are scribing.
Mike Prorock:  Awesome hello all and welcome this is a special 
  topic called with the Mist folks on a wonderful draft which is sp 
  860 3-4 which has to do with digital identity guidelines 
  something which many of us here in this community work on just a 
  little bit so we really appreciate them coming in today to kind 
  of intro the work answer questions help provide clarity.
Mike Prorock:  The call-out in the draft around making sure that 
  hopefully there are some upcoming things like verifiable 
  credentials for instance can be covered by some of this stuff 
  just a quick reminder that this meeting as with all ccg and w3c 
  meetings is covered by the code of ethics and professional 
  conduct I don't think we'll have any issues there but just have 
  to put that reminder out and this is a you know public.
Mike Prorock:   Meeting we're not discussing work items here but 
  if we.
Mike Prorock:  If someone wants to contribute into a ccg work 
  item of any kind you do need to join if there's anyone like that 
  that needs that information don't hesitate to ask in the chat or 
  email directly or email the list and we can get you joining 
  information with that just being sensitive to time I am going to 
  invite the nest folks to kick it off and maybe give a good 10 10 
  minute or so overview particularly of the.
Mike Prorock:   The not just the draft itself but maybe some.
Mike Prorock:  They think there's overlap with this community and 
  then I've got a couple of questions just that the chairs and I 
  the other cultures and myself worked out ahead of time just in 
  review at the Docks and then we'll just monitor the Q the normal 
  fashion so if you're unfamiliar with this group or new to this 
  group if you hit the raise hand button it will add you to the 
  queue otherwise you can just in the chat type the letter Q 
  followed by plus and it will add you to the Q&A.
Mike Prorock:   I will Accu and call them when it is your time 
  so.
Mike Prorock:  That missed take it away.
Mike Prorock: 
  https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-4.ipd.pdf
Ryan_G: Absolutely thank you very much for inviting us today and 
  for giving us an opportunity to have a conversation with you I am 
  I'm going to make a very bold assumption that most of you all are 
  familiar with nist is and what our role is within the identity 
  space kind of sort of within the title of our organization but 
  primarily building standards and guidance 863 revision for is our 
  most current draft of our digital identity guidelines.
Ryan_G: Years there's been several revisions in the past 
  revision3 being probably one of the more notable changes in the 
  kind of scope and structure of how the digital identity 
  guidelines were functioning it expanded what had previously been 
  in revision to kind of a more monolithic document into what 
  addressed different aspects of identity in different ways so it's 
  split what was kind of a gigantic document you for documents all 
  of which are also kind of gigantic in their own right at this 
  point in time.
Ryan_G:  but really it provides a set of.
Ryan_G: Address your base identity model and risk management 
  you're in our base volume 863 a covers the identity proofing 
  enrollment process so how do you kind of validate and verify 
  identity information in order to establish an accountant and 
  Grant an individual credential for authentication the 
  authentication volume which is B which covers multi-factor 
  authentication use of different kinds of credentials and 
  establishes our authentication surance levels and then 863 see 
  which covers are.
Ryan_G: Quirements in Federation Insurance levels across the 
  board so we are attempting with the guidance to cover the full 
  lifecycle of an identity up until the point where you start 
  having authorization conversations which Falls a little bit 
  outside the scope some of the main things we're looking to do in 
  this particular Vision so we had gone through and done a pretty 
  decent amount of Engagement and discussions and release day a 
  call for comments in 2020 prior to the pandemic and so we had.
Ryan_G:  started the process of updating this and evolving this 
  to the next step.
Ryan_G: Started however as with many of these other the other 
  things that the digital world experienced when the pandemic hit 
  you know they were obviously there's always a lot of attention 
  that got turned to online benefits online programs and Rapid 
  transition to from physical and from more Legacy based programs 
  to more digital and online programs and with that the protection 
  of those through identity and digital identity Solutions so we 
  kind of continue.
Ryan_G:  and an.
Ryan_G: Back process to try and gain more feedback from 
  organizations that had shifted into this this realm and make sure 
  that we really captured a lot of the Lessons Learned there so 
  when it came down to it we were really focused on making updates 
  one to start dealing with issues of equity with 63 we did a lot 
  to kind of elevate privacy and usability into the conversation 
  that had previously been kind of the realm of just security with 
  this revision we're attempting to bring I think to a higher 
  level.
Ryan_G:  turns around equity and Equitable access to Services 
  primarily as.
Ryan_G: Actions during the pandemic and the reality that a lot of 
  these critical Services need to get to the right people at the 
  right time and identity Solutions and Technologies need to be 
  able to support that we want to make sure that agencies and 
  organizations are evaluating not just the security benefits of a 
  solution but also how implementation of that technology in those 
  Solutions May ultimately impact the ability for an individual to 
  gain access and whether they're inadvertently creating scenarios 
  where entire communities were groups or types of.
Ryan_G:  individuals aren't.
Ryan_G: I will too.
Ryan_G: As well as others it's really dealing with that Equity 
  piece bringing new options to the table and this is actually one 
  of the key reasons were here having conversations today is we 
  really trying to explore how to bring additional identity 
  evidence identity credentials to the table to help individuals 
  better achieve positive outcomes when it comes to interacting 
  with online services and really again this kind of goes 
  hand-in-hand with Equity but also with convenience and security 
  we'd like to be able to do.
Ryan_G:  is provide you know the the larger Community with the 
  ability to make use of.
Ryan_G: Are indifferent and evolving Technologies and options so 
  looking at things such as digital evidence whether through 
  something like mobile driving license or something like a 
  verifiable credential that may be held maintained and protected 
  by the individual but then asserted and able to be trusted by 
  something like the government agency or organization so again 
  that's part of the reason we're here to have these conversations 
  with you all today we're also looking to make sure that we're 
  addressing some of the latest threats that have emerged as in the 
  wake of the pandemic.
Ryan_G:  bviously fishing resistance is something.
Ryan_G: 53 be at this point in our authentication scheme and 
  making sure the providing options that allow organizations and 
  end-users to avoid a very very common pitfalls it's around 
  fishing as an authentication method or fishing authentication 
  methods that are vulnerable to fishing and then also looking at 
  how the identity proofing aspect of things can be compromised 
  through things like social engineering as well as the vast 
  automated enrollment attack.
Ryan_G:  that we saw at the very.
Ryan_G: Making sure that we had controls built in to address some 
  of the things that we saw very commonly as the pandemic rolled 
  out wanted to make sure we address learned and and really take 
  into account the fact that the guidance of this point or five 
  years old identity models identity technology it then only 
  solutions are evolving but also we're learning about the things 
  that you know where the words didn't necessarily equal the 
  outcomes were intending when it got transition from from standard 
  to code.
Ryan_G:  and to implementation so making sure we got good 
  feedback from the community there.
Ryan_G: Overall you know I think there's been a substantial 
  number of changes to the guidance in every one of the volumes but 
  just at a high level some of the major changes within revision 
  for the base volume we kind of updated in moved a little bit away 
  from some of the more strict interpretations of how to do risk 
  management around identity that were in the previous version and 
  focused a little bit more about it on a process-oriented approach 
  that allows for a bit more flexibility in tailoring from 
  organizer organizations and agencies.
Ryan_G:  in the selection of their insurance levels and 
  Technologies we have focused.
Ryan_G: Like digital evidence again this is one of the main 
  reasons we're here today is to understand have we gone far enough 
  and what do we still need to do within our guidance to support 
  things like verifiable credentials that meet with trust 
  expectations for the government Community as well as things like 
  mobile driving license and how those can be part of an overall 
  trust scheme for identity proofing and potentially for 
  authentication as well.
Ryan_G: You know we.
Ryan_G: We've taken an updated 163 see pretty substantially so 
  evolving away from some of the traditional Federation Insurance 
  components to be a bit more clear and concise about what we're 
  expecting it each Federation Assurance level and making that they 
  are achievable I think there was a lot of concern over some of 
  the stuff some of the language and requirements that exist around 
  FAL two in particular that made it hard to understand what was 
  the specific threats were attempting to mitigate and how to 
  really Implement an address of controls appropriately so.
Ryan_G:  I mean that's that's kind of the nutshell probably not 
  quite a full minute here but.
Ryan_G: Happy to dive into specific volume immediately.
<mprorock> "Are emerging authentication models and techniques – 
  such as FIDO passkey,
Mike Prorock:  I think that was an excellent intro and really 
  appreciate it and I'm actually going to start because there's a 
  section in the draft like the initial public draft where I think 
  it's on page a right and I'm going to paste the text in the chat 
  just so folks can reference it if they need to but it says are 
  emerging authentication models and techniques such as Fido pesky 
  verifiable credentials and mobile driver's licenses sufficiently 
  addressed accommodated as appropriate by the guidelines and then 
  what are the potentials.
Mike Prorock:  Some risks awesome statement right one thing 
  though that I thought was interesting is just kind of in doing 
  some text mining since I tend to work in the NLP side of the 
  world a lot and have a lot of background there is there's not a 
  single mention of DCs really in 863 right or potential use at 
  least in the initial public draft and the other gap that I 
  thought was really interesting was the lack of a mention of 
  decentralized identifiers and so maybe.
Mike Prorock:   B63 you know bash for could.
Mike Prorock: https://csrc.nist.gov/glossary/term/did
<sandy_aggarwal> Is there a slide deck being shared too?
Mike Prorock: https://csrc.nist.gov/glossary/term/vc
Mike Prorock:  Like I'm just going to put two links into the from 
  the glossary the Mist glossary end of the chap here in Sandy 
  there is no slide deck that's just pure discussion and Q&A you 
  know VC still pulls back to validating cash in the glossary did 
  does link to decentralized identifier does show that there are 
  some sources in the to blockchain assessments and there's no.
Mike Prorock:   Definition given and there's a TR out.
Mike Prorock:  ER that's not 11.1 working its way towards 24 
  verifiable credentials and so maybe this could be an option an 
  opportunity just to kind of improve what do we mean when we say 
  these terms right let's actually point to the specs from the 
  glossary and stuff like that as people are you know kicking into 
  stuff so that was just like an initial thing but it 
  philosophically like really want to appreciate the reach out and 
  to I think the spirit of that statement about like are we 
  covering these things it was.
Mike Prorock:   Great the fact that it's talking though about 
  digital identity and the fact that then there's.
Mike Prorock:  Up to decentralized identifiers right or dents in 
  any way shape or form seemed a little odd to me because that's 
  the identity portion no VCS will oftentimes be linked into that 
  that's more the identity portion and so it just struck me as odd 
  do you have any commentary on that or thoughts and feedback 
  because obviously there's dids that work with the Federated model 
  there's dense that work with like just pure web linkage cetera 
  right as well as kind of full on individual identifiers as well.
<dan_bachenheimer> the SP 800-63-4 suite relies on a CSP 
  enrolling and maintaining Authenticators for every subscriber - 
  this is CENTRALIZED by definition - what am I missing?
Ryan_G: Yeah I don't think I think what I would argue is that we 
  discussed the use of identifiers I don't think that we make a 
  distinction between a centralized versus a decentralized versus 
  any different form or function of identifiers we do mention 
  verifiable credentials in 863 a I don't know that we go so far as 
  to Define it per say but I think that's something that's very 
  reasonable given that the words show up in the document but from 
  an identifier perspective I don't.
Ryan_G:  think we intended to make any kind of a.
Ryan_G: A distinction between the different types of identifiers 
  that may or may not be used within a mop.
Mike Prorock:  Yeah man oh I'm going to hit you first let's just 
  Dive Right In.
Manu Sporny:  Okay hi Ryan and thank you for taking the time to 
  come here and present the work I know many of us have read 863 in 
  a variety of other you know nist documents I'm one of the editors 
  of the verifiable credentials standard as well as the 
  decentralized identifier one in there's a desire in that working 
  group so I'm talking about the World Wide Web Consortium work.
Manu Sporny:   And group that works on verifiable credentials 
  there's a.
Manu Sporny:  To use portions of 860 863 to it's in fields like 
  evidence so we so when we create a verifiable credential we have 
  these fields that we could use a number of 863 kind of terms in 
  like evidence you know what documentation did you provide to 
  generate this credential that's one way of looking at it more 
  recently we have had.
<mprorock> @Dan - i see you on the queue, you'll be up next
Manu Sporny:  Is around basically like identifier proofing or 
  identity proofing you know if someone is presenting this 
  verifiable credential to you you know as a verifier how can you 
  bind this digital credential to the individual if you don't have 
  a cryptographic identifiers for example so there's this real deep 
  desire to reuse 863 and in the same way that you know the 
  document ask the question are we talking about verified.
Manu Sporny:   Will prudential's appropriately here in 1863.
<kristina> tl;dr. verifiable credential data model is general, so 
  it can be usd to create a VC that is used for proofing, for 
  authentication, for authorization, etc.
Manu Sporny:  I will credentials group has the same ask are we 
  talking about 863 in a way that that you intended it to be used 
  right one of the concerns is that the language in in the news 
  publication is can be interpreted fairly broadly and so we think 
  it would be really useful if you are a number of people that are 
  working on this document can help us with some concrete.
Manu Sporny:   Examples of how.
<kristina> whether a certain use-case is a good idea is a 
  separate question, but matter of fact it can be used.
Manu Sporny:  Inch 863 in the verifiable credentials 
  specification so I think the concrete a skier is would it be 
  possible to come and present some of the of to the verifiable 
  credentials group so that we can better integrate it with the 
  work that's happening in that group.
Ryan_G: Yeah absolutely we'd love to come present I think one of 
  the things we want to at least be able to do hopefully in some 
  kind of concrete ways be able to illustrate where all these 
  different emerging standards and profiles and specifications and 
  guidance actually fit together to create a nice consistent 
  picture of how to use identity versus continuing to have a bit of 
  a fractured view of the world when it comes to these things so 
  yeah we'd be more than happy to join.
Mike Prorock:  Yeah you just got volunteered to be able to spot 
  at the moment it's you enjoyed it all.
Ryan_G: As well as you know how we see it potentially fitting 
  into the VC kind of universe as well and I think you and by the 
  way I'm not the only one here from this I just happen to be the 
  only one who's come off of off of the yeah up of the circle Andy 
  I saw you come off mute there so I'm going to throw you under the 
  bus here and see if you have something you want to say.
Andy_Regenscheid_(NIST): Yeah and I think that question and 
  comment I mean I think it brought up a lot of very good points I 
  mean one piece of context is you know we you know we we try to 
  write 863 to cover a broad range of Technologies we're trying to 
  have it be sort of implementation agnostic so the idea that it 
  could be interpreted quite broadly is often often a.
Andy_Regenscheid_(NIST):  feature although I know that.
Andy_Regenscheid_(NIST): You know creates a you know sometimes a 
  lack of clarity on how things fit in but I think you you know you 
  raised some good points about like where things like verifiable 
  credentials can fit in and as we were working on 863 I think we 
  had a lot of similar discussions about the kind of different 
  models and use cases and I think that's ultimately why you you 
  don't see these Seas specifically used throughout the documents 
  because we sort of saw it potentially fitting.
Andy_Regenscheid_(NIST):  in in multiple places for instance I 
  think you made a very good point.
Andy_Regenscheid_(NIST): Chills could be used as say is as 
  digital evidence that's presented during a proofing process so 
  that an applicant could you know provide you know 
  cryptographically secured proof that they have certain attributes 
  a verifiable credential could with through a verifiable 
  presentation could also be effectively used as an authenticator 
  as a cryptographic authenticator and 863 depending on what type 
  of protocol that's used with and I think they're you know in some 
  cases.
Andy_Regenscheid_(NIST):  cases the presentation of a verifiable 
  credential.
Andy_Regenscheid_(NIST): An awful lot.
Andy_Regenscheid_(NIST): Like Federation and present Dina you 
  know an assertion and so we thought that you know this was you 
  know depending on the both the use case and the specific 
  implementation things like verifiable credentials could fit in a 
  number of places within 863 and I don't know how well that you 
  know you know if that matches kind of your.
Andy_Regenscheid_(NIST):  oh thinking of.
Andy_Regenscheid_(NIST): Potentially how it could fit in.
<anil_john_[us/dhs/svip]> SP 800-63D
Mike Prorock:  Yeah Maynard you have a clarification there or do 
  we want to let Dan go.
Manu Sporny:  I do I that's that's great I think the the biggest 
  challenge that we've had in attempting to use 863 in the group is 
  you know some of us will say oh well you know we believe that you 
  can use it in this way and we provide kind of like a concrete 
  mechanism like an identity proofing event or you know evidence or 
  something like that and usually the counter-argument is like 
  that's not how 863 supposed to be used right and so it becomes.
Manu Sporny:   Challenging to cite the document and utilize it.
Manu Sporny:  Disagreement on what some of the language may or 
  may not mean in you know I hate the I hate to say we need someone 
  to referee the conversation but having input into you know what 
  was expected you know to come out of the language that's in 863 
  would help us make you some of the statements there that are 
  general which I agree with you it's supposed to be you know 
  that's that's a that's a feature but what we're trying to do is 
  we're trying to make it.
Manu Sporny:   Really Concrete in.
Manu Sporny:  Can group or work around it because as as you know 
  many of us are working with nation states around the world on 
  digital identity you know digital digital permanent resident card 
  additional drivers licenses things of that nature where we are 
  trying to we're trying to use the guidance and 863 and make it 
  concrete but we're we're we're challenged in that we don't have 
  some of the.
Manu Sporny:   The people that wrote it.
Manu Sporny:  To to sanity check what we're doing it so I think 
  the general asked here is that you know would it be possible to 
  pull each of you in from time to time to let us know whether or 
  not we're on the right track or not when we're doing these 
  concrete implementations.
Ryan_G: Yeah I mean I think we'd be happy to advise on the intent 
  of the guidance I think just to make sure that we're clear on 
  where that line would exist is we can't really be running around 
  saying that we have certified or validated or proved anything but 
  I think where there's questions of interpretation where there's 
  questions of what exactly did you mean here number one I think 
  we'd be happy to participate and help help make sure that you all 
  understand what we were trying to do so that you can harmonize 
  and leverage it within your own specifications and standards but 
  also be immensely valuable for us to understand.
Ryan_G:  where you're seeing challenges in the interpretation as 
  well to I mean we're in a comment period we're going to draft. 
  Here so the.
Ryan_G: If there are things that are not.
<rita_torkzadeh> Has 800-63 been used in ways you wouldn’t 
  expect/anticipate?
Ryan_G: Clear as we think they are and the applicability and 
  viability of the guidance is not as concise as it could be I 
  think that would be also extremely helpful for us to understand 
  both from like a conversational perspective as well as if you're 
  able to provide us some some written kind of documentation where 
  you see some of those issues it would be extremely valuable for 
  us to know where other parts of the community aren't necessarily 
  clear on what we're trying to get to.
Mike Prorock:  Yeah and I think a lot of that and I know we had 
  some pre conversation around this just in prepping to make sure 
  we got everything out on the table it was the highest priority 
  items is that there's a big gap in terminology across the 
  identity space today and and so when we look at 860 3-4 right 
  it's it's still kind of caring over a lot of the old school 
  terminology from the Enterprise and government side that might 
  have moved on in The Last 5 Years in some ways right there there 
  are.
Mike Prorock:   Current models and different language in use so 
  it's I think this is an area.
Mike Prorock:  So it's extremely timely and it and you know in 
  this comment periods of great way to help clarify and refine that 
  stuff Dan I see you on the Queue here.
Dan_Bachenheimer: There it goes yeah thanks yeah thank you for 
  this opportunity let's see oh okay I don't know if we see these 
  cameras as well but happy to yet and I did put it in the chat but 
  it did you know when we talk about verifiable credentials and 
  things like that we typically yes they can be used kind of stand 
  alone but we typically think of it in a decentralized identity 
  sort of fashion but.
Dan_Bachenheimer:  unless I didn't read it.
Dan_Bachenheimer: The sweet correctly after going through the few 
  times everything in it is centralized to the point where if you 
  know quote throughout the digital identity lifecycle csps shall 
  maintain a record of all authenticators that are or have been 
  associated with each subscriber account to me there's yeah no 
  room for decentralization at all I do appreciate the inclusion 
  of.
Dan_Bachenheimer:  switching topics somewhat.
Dan_Bachenheimer: Metric things in there but only one to one 
  biometric comparison is mentioned nothing about one too many and 
  we use the term identity proofing which you say the you know 
  includes in the first bullet is identity resolution determining 
  that the claimed identity corresponds to a single unique avenge 
  individual within the context of the.
Dan_Bachenheimer: This way to do that is through Biometrics 
  that's not even mentioned identity proofing seems to be in my 
  read of this sweet identity verification there's no mention that 
  I've read of how do we resolve an identity to a single unique 
  identity within the context of the population everything that I 
  read relies on somebody else doing that.
Dan_Bachenheimer:  are you talk about.
Dan_Bachenheimer: Using a passport or driver's license or social 
  security number anyhow I've documented dozens of questions in 
  things but those are the two that kind of bubble up to the 
  surface.
<kristina> the first step should probably be make sure the latest 
  NIST document does not preclude issuer-holder-verifier model, 
  credential format/data model conversation can only come after 
  that. at least in my opinion
Mike Prorock: +1 Kristina
Ryan_G: So I think that's so I'm going to attempt to parse 
  through this and and I'll let you jump in as well to I think 
  Connie and David around as well so you'll have feedback as soon 
  ever won one of the things were attempting to do with this 
  documentation is yes we allow for Biometrics but also we want to 
  account for the fact that there's a lot of folks that are very 
  uncomfortable with Biometrics very uncomfortable with 
  Technologies like face recognition and also acknowledging that 
  there's not really standard common.
Ryan_G:  you know repositories that could be gone to in many 
  cases to be able to.
Ryan_G: Is a biometric.
Ryan_G: He for resolution resolution when you have a large 
  population to deal with like the entire us government's 
  population to deal with so what we look at at the starting point 
  is primarily resolution through the use of attributes and unique 
  attributes that can resolve not necessarily to unique individual 
  cross the entire planet but potentially even within just a subset 
  of Records or things to deal with so that's kind of what we're 
  talking about resolution there's certainly the possibility to use 
  Biometrics for that however.
<dan_bachenheimer> government => PIV requires biometric 
  enrollment
Ryan_G: Scope of what federal agencies do need to deal with it's 
  not necessarily the easiest thing to turn to right away 
  particularly when we're talking about the challenges around 
  biometric performance for one too many type use cases so so again 
  we're looking to try and allow for a broad range in spectrum of 
  potential Technologies to be applied and that includes Biometrics 
  where appropriate and with the right controls but also making use 
  of things like data validation and data matching where we can.
Ryan_G:  for the moment on the centralized versus decentralized.
Ryan_G: I think it's a very fair.
Ryan_G: Comment that the current context and discussion that 
  exists around the the content is that it is very kind of heavy in 
  the traditional CSP centralization Focus I think there's ways 
  that you could look at it to imply that you know if you look more 
  at functionality rather than purely the kind of traditional view 
  of a CSP you can make an argument that a CSP could be something 
  that doesn't necessarily have to be run by an entity and 
  organization but it certainly is heavily implied so we'd be very.
Ryan_G:  interested in feedback directly on how to make sure that 
  our model.
Ryan_G: Of additional deployment modes Beyond kind of the 
  traditional agency runs a CSP CSP operates on behalf of an agency 
  or an organization as well as you know how something like 
  individually on credentials again assuming that there are ways to 
  place rules and expectations around those verifiable credentials 
  or whatever that individuals using to represent themselves so 
  we'd be interested in direct feedback on how to potentially fit 
  that into the model.
Ryan_G:  Andy Connie David any additional.
Ryan_G: Anybody have any advice on how to get these pop-ups from 
  chatting to stuff lying around.
Connie_LaSalle_(NIST): I know I have to look away from the 
  screen.
Ryan_G: Then hopefully that was that was helpful not sure if 
  anyone else from the team does one away in there.
Mike Prorock:  Yeah I think definitely helped light you know the 
  CSP thinking of the CSP is non-traditional ways that was not 
  clear to me from the text so that's like an immediate feedback 
  area right that area and maybe 80 I saw you come off mic might 
  have some thoughts on that.
<tallted_//_ted_thibodeau_(he/him)_(openlinksw.com)> ryif you 
  "open chat", you'll have a column on the side of the jitsi window 
  ... and the pop ups will stop
Andy_Regenscheid_(NIST): Yeah and I do think that it's it's a 
  fair reading to look at what we have today and say it certainly 
  expects a you know I think you know the csb particularly in 
  improving process to be going through a full resolution process 
  it really only kind of an explicitly envisions the case of a 
  essentially use of a that the user is using a single CSP but I.
Andy_Regenscheid_(NIST):  think Ryan's right.
<tallted_//_ted_thibodeau_(he/him)_(openlinksw.com)> ryan -- ^^^
Andy_Regenscheid_(NIST): I mean I think there's room in the model 
  for say you know any entity that might be issuing say a 
  verifiable credential can be considered a sort of CSP and you 
  know likely we may have to make some adjustments to the model to 
  be able to accommodate that and make us a be really you know 
  interested as you're reading through the documents where you 
  think there is a need for those kinds of adjustments.
Connie_LaSalle_(NIST): Can y'all hear me now.
Mike Prorock:  Yeah and I'm yeah I was going to say just a quick 
  note you know it was typed in the chat but if you actually click 
  the little chat icon on the toolbar and open the chat dialogue 
  it'll open up on the left hand side and then pop-ups will go away 
  because they can be aggravating with the transcriber so and yes 
  Connie we can hear you now so sorry yep.
Connie_LaSalle_(NIST): Oh okay okay I was just talking to myself 
  there for a couple of seconds it's fine I like my own company but 
  I think I think both Ryan and Andy have have covered it I mean 
  one of the challenges of the 800 series special Publications from 
  this is that they're there for feds based on the policy 
  requirements in the federal space required so.
Connie_LaSalle_(NIST):  part of the.
Connie_LaSalle_(NIST): We look to is one we want to be flexible 
  and inclusive but we also recognize that despite our guidelines 
  being voluntary and other contexts they are required so what does 
  the market look like can feds Implement what's what we're guiding 
  them towards so you know we try to be aspirational and 
  forward-looking but we also know that when you are an entitlement 
  program whose dream it is the entire United States.
Connie_LaSalle_(NIST):  like potentially.
Connie_LaSalle_(NIST): Context than the flexibility that a 
  smaller entity might be able to have in making decisions so I 
  just said that context because I think it's important and it can 
  get lost in these conversations that tend toward the art of the 
  possible and the theoretical but just know that that's you know 
  that's a reality that we live in every day and I think we can 
  only update the guidance with your help so I'll just Echo what 
  Ryan and Andy have already said which is if you have ideas about 
  how to make the.
Connie_LaSalle_(NIST):  text more reflective of the.
Connie_LaSalle_(NIST): You're trying to do that's that is one of 
  our goals so I just thank you for looking at it and considering 
  some specific inline updates for us.
Mike Prorock:  Awesome yeah I think there's two folks on the Q I 
  did want to call out a comment and/or question from the queue 
  from Christina who I know is one of the chairs over at the VC 
  working group one of the things in this this I think also jumped 
  out at me and some others I talked to in advance of this meeting 
  is that there's not a clear mapping to the notion of like issue 
  or holder verifier type roles in this and when we are thinking 
  about these.
Mike Prorock:   Large organizational things and I'm sure some 
  folks may or may not.
Manu Sporny: +1 To MikeP -- yes, showing alternate deployment 
  architectures, such as the VC 3-party model, would be helpful.
Mike Prorock:  Like there are some really big rollout going right 
  and and test going including with you know God of so if we can 
  find a way that this text allows us to discuss those roles and 
  how they map that's a very helpful starting place to then talk 
  about how these integrate right and that's something that's just 
  not really present and in that three-party model I think there 
  are ways you could very broadly.
Mike Prorock:   We interpret it that way but it's.
Mike Prorock:  Have to go really.
<kristina> maybe a third table is needed in addition to current 
  table 1 and 2 :)
Mike Prorock:  But which then gets highly highly problematic 
  right when stepping through and trying to say well yeah but I'm 
  using this but that's not really what the text says etcetera 
  right and yeah Christina just noted maybe a third table is needed 
  in addition to table 1 and 2 and you know or an independent right 
  that says look here's Part D or E right that says this is how you 
  know feces or the VC model Maps over right in the first here for 
  evidence and Cetera.
Ryan_G: Yeah I think that's really valuable feedback and and and 
  I actually I don't remember where I saw it excuse me but I have 
  seen someone who did this mapping.
Ryan_G: It was a couple years ago I need to remember where it was 
  and go annoy whoever it was that did it but I think that's really 
  valuable and helpful and I think from our perspective it will 
  also probably help us as well to as we start to think about where 
  we might have some inadvertent gaps or challenges to how this can 
  be interpreted I mean we I was having a call with some folks on 
  the mdl side not too long ago we were kind of joking about how we 
  needed to just create like a glossary that translates 60.
Ryan_G:  322 mdl to verifiable credentials.
<kristina> i mean even terminology in 18013-5 and vc-data-model 
  is not harmonized exactly :)
<kristina> but we are getting there
<mprorock> :)
Ryan_G: What language were speaking and make sure we're speaking 
  the sand and other International standards like you know the some 
  of the stuff around to 91 15 and 29 2003 coming at I so there 
  aren't quite the same as what we say I mean There Are we almost 
  need like kind of a translator for all the various different 
  forms and functions of identity conversations going on but I 
  think from a mapping perspective that's probably a good place for 
  us to at least start as an exercise and hopefully to to kind of 
  support what you've got as well too.
Ryan_G:  two yeah exactly and but but I think that's helpful for 
  us.
Ryan_G: Those things in provide some understanding from how the 
  models fit or don't fit and how we might need to make some 
  adjustments or where they would need to be and that is very 
  helpful recommendation.
Mike Prorock:  Yes Stephen I see you on the Q There.
Stephan_baur: Yeah thanks and thanks for the opening you have 
  this call I think there is perhaps and unintended consequences 
  out of the fact basically only have two models and one instead of 
  a silo or the other one instead of Federated identity and the 
  unintended consequence is that of that idps will know where 
  people log in and I'm I'm here from the US Healthcare perspective 
  and while it might not be a problem that idps and over people are 
  logging as far as which agency.
Stephan_baur:  you know their.
Stephan_baur: In the health care of course as polarized as the 
  opinions are it does matter right like then the witch which 
  Specialty Clinic you see and you have interactions with is 
  actually almost you know health information right and so what I 
  mean you want to just see if I can get some initial kind of you 
  know responses from you is on the fact that maybe needs a third 
  model that's maybe not calling decentralized identifier but 
  decentralized identity as opposed to Federated identity.
Stephan_baur:  and important part There is almost like in the 
  model instead of grouping the.
Stephan_baur: To the Sea.
Stephan_baur: SP in our world if we group The verifier to the RP 
  and that the cfpb ew it's then I'll do one thing that of being an 
  issuer of a verifiable credential right so my point is at the 
  moment where the identifier becomes the authenticator 
  cryptographic authenticator the model just significantly shift 
  and I think we have a very important aspect as I mentioned before 
  our privacy that that really needs to be mapped into the model 
  even though it may not apply for the agencies.
Ryan_G: Yeah I mean I think that's reasonable feedback I would 
  say that some of this will help as we start to go through and 
  evaluate I would also note that for example the way you can 
  deploy and do the functions of a CSP as a federal agency or as an 
  individual organization doesn't necessarily mandate that you 
  would always track beyond your agency but I think it's a very 
  fair point that the csps would most likely know where individuals 
  are going so I think it's reasonable to make that.
Ryan_G:  suggestion I also think from just kind of a general 
  perspective we don't really.
Ryan_G: Break apart the CSP capabilities within the model as it 
  says it's depicted so things like providing attributes and stuff 
  like that or verifiable credentials and easily recognizable and I 
  think it's again fair fair criticism and very open to 
  recommendations on how to adjust for that I think Andy just came 
  off me too.
Andy_Regenscheid_(NIST): Yeah and I mean truth be told we've been 
  talking about something kind of similar to this quite a bit 
  actually recently around you know like the model of federation 
  that we cover in 863 see is you know it's it's limited to the 
  scope of you know Federated identity in the sense of you know 
  passing assertions from you know from an IDP it doesn't cover 
  perhaps the you know broader.
<mprorock> there is kindof an implied phone home to verifiers / 
  csps in the doc the way it is written now, especially in regards 
  to revocation checks - definitely something i would love more 
  details on at some point
Andy_Regenscheid_(NIST): You know how you might trust you know 
  inter-organizational trust that would also come up and context 
  like pki so I think this idea you know whether you want to say 
  that it's you know breaking apart the the functions of the of the 
  csb is Ryan was saying or you know attaching identity attributes 
  to authenticators like there is that model that I do understand 
  doesn't really quite.
Andy_Regenscheid_(NIST):  fit into a single place and.
Andy_Regenscheid_(NIST): Sure of 863 and I you know speaking for 
  myself I guess I'm not really sure where you know if we wanted to 
  cover that explicitly where it would best fed you know is to what 
  extent is this is this authentication is this some broader notion 
  of federation or is it as you think we're perhaps suggesting as 
  it kind of a third you know a third model that could be addressed 
  separately.
Stephan_baur: Yeah that's great I mean again the subtlety is that 
  the identifier becomes the authenticator right so the 
  authentication flows this gives us a change to do the 
  authentication flows without having the need for the IDP right so 
  it can be calm don't come back to be directly down with sort of 
  like still having the benefit of the verified attributes be 
  communicated through VCS right so yeah I will.
Stephan_baur:  thinking about sort of.
Stephan_baur: Meaning you know.
Stephan_baur: That model would look like and how these flows 
  would look like but maybe this community here might actually you 
  know be willing as well to kind of maybe think about it more as a 
  third model rather than just you know individual components like 
  verifiable credentials and I and decentralized identify yours 
  right it's just again I think it's the top indication flow that's 
  the biggest privacy concern.
Mike Prorock:  Yeah that was definitely awesome in it and we 
  could Circle back after we process the key around some of the 
  implied like you know privacy implications and things like that 
  that VCS I think explicitly might have some answers for that the 
  traditional model doesn't Dan I see you on the queue.
Dan_Bachenheimer: Yeah thanks yeah and then yeah that's exactly 
  what was the point I was trying to make it in the beginning if 
  you know where the csps maintain the authenticators and they have 
  to be yeah the relying parties always have to go back to the csb 
  well then there's that is definitely not privacy enhancing but I 
  raised my hand again because you know when Connie was talking 
  about you this guidance being you know for federal for entities.
Dan_Bachenheimer:  he's and things like that you know.
<mprorock> and CBP, and USCIS
Dan_Bachenheimer: The point here and I hear you talk about 
  talking to drivers letting you know motor vehicle authorities I 
  hope to that you talk with Department of State and this goes back 
  to you know the point you made we don't have foundational 
  identity in the u.s. broadly we don't have a national ID but 
  where you say that the the CSP validates the authenticity 
  accuracy and currency of presented evidence.
Dan_Bachenheimer:  well you know Department of State we.
Dan_Bachenheimer: To this date and a few other countries allow 
  folks to take our own photographs manipulate them maybe more for 
  them and it's been proven that some people have and send those 
  into Department of State where they cryptographically signed them 
  but how how are they authentic how how is how our folks looking 
  at the authenticity of a passport photo yes they could see that 
  Department of State cryptographically signed it but I'm gonna.
Dan_Bachenheimer:  people ate it.
Dan_Bachenheimer: Accuracy goes to I would say that accuracy goes 
  through quality and we're not really assessing the quality saying 
  so bottom line is if missed 860 3-4 is saying centralized staying 
  as a Bible for government organizations to create digital 
  identity that citizens could use then why is Department of State 
  still allowing us and not listening to miss the biometrics.
Dan_Bachenheimer:  looks at Miss and making them comply to 29.
Dan_Bachenheimer: I've and why are we still allowed to take our 
  own photos and manipulate them and allowing that to be a 
  foundational document similar for driver's license but they at 
  least those are taken live.
Ryan_G: So we can't let me let me put it let me put it this way 
  we write guidance and we write standards the implant 
  implementation of those is not is not unfortunately our 
  responsibility right that is a responsibility of agencies and 
  organizations and particularly when you start getting into the 
  sphere of things like passport policy and mold dryer and driver's 
  license policy those begin to start get into real rulemaking 
  organizations like DHS and stay.
Ryan_G:  Department that have the responsibility to those so we 
  can provide guidance.
Dan_Bachenheimer: Pick me up.
Ryan_G: Indications what agencies do with that is beyond our 
  scope of responsibility so again we continue to provide the best 
  recommendations that we can obviously wrap Biometrics team is 
  deeply involved with a lot of the testing and evaluation of 
  biometric algorithms but at the end of the day there's not much 
  that we can do with what state department decides to do with 
  their passport policy there.
Dan_Bachenheimer: Very fair and I see in dashboard there's a lot 
  on demographic differentials in the risk of getting it right as 
  was said in the in the introduction about Equity but I think 
  unless they really understand the risk associated this in your 
  risk management that and where we talked about yeah the risk of 
  using a passport photo is it really known that that is risky.
Connie_LaSalle_(NIST): It's almost like you joined our risk 
  management webinar just before this this conversation I mean 
  you're preaching to the choir right and I think that's why it's 
  important for us to work together to figure out the right 
  language on 63 and look I know we're scoping the conversation 263 
  but you know it sounds like in general there's a lot of common 
  research and research questions that we have where we could be 
  partnering so I won't.
Connie_LaSalle_(NIST):  I won't volunteer Ryan's time or the rest 
  of the identity.
Connie_LaSalle_(NIST): I think that's off the table if that's 
  something that is helpful and gets us to a point where we're 
  seeing emerging models like the Cs reflected and guidance like 
  this.
Mike Prorock:  Yeah it will and speaking as a ccg co-chair like 
  we do have the ability to you know publish you know effectively 
  little notes from like here's community's assessment and working 
  back and forth with so and so we'd be happy to go through and 
  like work on some of that terminology side and like how do we 
  handle like the three you know three-party side because that that 
  feels like such a critical thing that is not eat it it may be 
  possible but it's not clear in the docks and that that's such a 
  fundamental piece I met new.
Mike Prorock:   Quick question I know you're up next on the Queue 
  but I felt like.
Mike Prorock:  Call out to like DHS and the folks setting the 
  policy and seeing someone for BHS on the line would you mind if I 
  called on them to ask some questions there so Anil I'm going to 
  put you on the spot.
<drummond_reed> Nothing like having Anil on the spot! ;-)
Anil John:  Oh thank you Mike I appreciate that good morning good 
  evening good afternoon good night and he'll John technical 
  director Department of Homeland Security hello date tamasheq good 
  to see you again as well so it was interesting to hear obviously 
  very familiar with Nest particularly in my formal role as ficam 
  technically.
Anil John:   Lead at GSA.
Anil John:  Yes and in this particular context as it regards a 
  verifiable credentials than these are the lies identifiers I am 
  speaking obviously for the needs of couple of my components of 
  DHS in particular US citizenship and immigration services and US 
  Customs and Border Protection that are actively moving out on 
  implementing verifiable credentials and decent lies are in the 
  fires in our operational use right now in within the context of 
  use.
Anil John:   He is it is about digitizing currently paid.
Anil John:  But are focused on immigration the permanent resident 
  card employment authorization documents and the like and 
  obviously on the u.s. custom side digitizing cross-border trade 
  documents using the same Technologies so there are agencies 
  within the US federal government to whom this technology is 
  obviously highly relevant to whom 863 absolutely matters a lot 
  and separately as.
Anil John:   Somebody who was involved.
Anil John:  Helping what became 860 3-3 where we actually broke 
  out the monolithic aspect of authenticators and identity proofing 
  entirely separately I think there is a path forward in order to 
  sort of baking what is needed with the decentralized identify 
  ecosystem into 863 as well so I am not going to put - colleagues 
  on the spot spot here and that is not my intention.
Anil John:   But I do.
Anil John:  What is it.
Anil John:  The station that need that we need to have regarding 
  perhaps to use a phrase earlier I represent the interests of a 
  one particular organization that is in the benefits granting 
  business on a population scale on a global scale US citizenship 
  and immigration services that is using this technology and plans 
  to use this technology so we do need to find a way to make sure 
  that the approaches of this technology.
Anil John:   Neurology are indeed something that is sort of.
Anil John:  In the structure of 863 so that we can all you know 
  solute and move forward and actually do right from the security 
  and privacy so the long and short of it guys is that we are I 
  think we are at a stage where we need to have a conversation and 
  I'll be reaching out to you.
Ryan_G: Absolutely look forward to also that's one of the reasons 
  were here right now is we see that this is kind of you know we 
  want to make sure that the guidance is not 5 years behind the day 
  it comes out and so I think making sure that we are taking into 
  account what's emerging what's evolving and being as clear as 
  possible about how to fit different in new emerging models within 
  the context of 63 I think is important going forward.
Anil John:  So I also want to be very clear right I think you 
  know there is a there is a there is a framing that often goes on 
  in this context particularly in a lot of the government circles 
  where this is emerging this is very early this is whatever as the 
  you know agency that actually originally funded some of the work 
  around this 7 to 8 years ago we've been involved in it from that 
  beginning so we.
Anil John:   We consider this to be emerging but we do consider 
  to be.
Anil John:  A long painful process in order to ensure that there 
  is global acceptance with these standards in all the things that 
  we're doing and particularly from the USCIS and CBP side we are 
  also looking at counterparties you know in both of those contexts 
  that are you know moving out on the digital wallet use cases with 
  the European Union's European identity digital wallet we are 
  envisioning use cases where a you know EU member states.
Anil John:   Citizen with the digital.
Anil John:  To the front door of a USCIS and we would like to be 
  in a position where our credentials can be issued into them and 
  they're at the station's about things that are coming in verify 
  the credentials for Max and the light can be acceptable for us so 
  there is a desire to make sure that this is not just fit for 
  purpose for government but also on the global global 
  interoperability side of you know jurisdictions and solvents 
  talking to each other as well.
<drummond_reed> The European Digital Identity Wallets initiative 
  is a fantastic example of why VCs should be fully recognized by 
  this next edition of 800-63.
Ryan_G: Yeah and apologize for huge emerging but I think we share 
  the same vision there particularly in the ability to establish 
  broad interoperability Global interoperability and making sure 
  that we're staying aligned and connected both internally as well 
  as International.
Mike Prorock:  Awesome cool looking forward to many continued 
  interesting improvements to the spec man who I see you on the cue 
  and you might be the last one up depending on how long the 
  answers are to your question so.
Manu Sporny:  Thanks Mike I guess this is in in a similar vein 
  there are a number of technologies that the verifiable 
  credentials in decentralized identifiers groups are I don't want 
  to say they're incubating I don't want to say they're emerging 
  but you know these are privacy-preserving Technologies right in 
  we've been trying for a very long time to try and push this work.
Manu Sporny:   Forward so I noticed that you know.
<kristina> why are we shy saying it is "emerging"? it's not like 
  there are billion of verifiable credentials or mDL, ye.
<kristina> *yet. is there potential? absolutely.
Manu Sporny:  3C mentions you know privacy enhancing techniques 
  and I know that it's mentioned several times throughout the 
  document I think it would be helpful to call some of these 
  Technologies out more directly things like selective disclosure 
  things like on linkable digital signatures basically help 
  individuals only expose the information that they need right I 
  mean there.
Manu Sporny:   There are things like General.
Manu Sporny:  Sharon in the EU and I know in the u.s. they're 
  different privacy regimes that are being talked about and one of 
  the challenges that we've had as a group is every time we start 
  talking about selective disclosure or unlikable signatures or 
  things like that almost immediately you know it's like Miss 
  doesn't that's not a proven this crypto it's not even talked 
  about at nist good luck you're going to it's going to take 
  another 10 years to get there which you know kind of feels 
  self-defeating.
Manu Sporny:   I'm wondering if there has been.
<mprorock> @kristina - i think it is a fine line, definitely 
  rapidly heading towards billions, but more on the health and 
  trade side
Manu Sporny:  Discussion about adding you know potential 
  beneficial future directions into these documents without 
  necessarily blessing them as you know appropriate at this point 
  in time like you know there's given the how long it takes these 
  documents to kind of rev it would be nice to to have language in 
  each the each of these documents that show.
Manu Sporny:   Oh that you know.
Manu Sporny:  Like a pairing friendly curve you know BBS 
  signature on something is of interest from a privacy perspective 
  doing a selective disclosure using you know SD jot or some other 
  mechanism is something that is viewed as a viable a reasonable 
  goal to move towards so that you know effectively we stop having 
  these nice pecs being used as kind of hammers to stop that or.
Manu Sporny:   Work right.
Manu Sporny:  Again I think as you said and as is stated in the 
  document we're all trying to do the right thing and minimize 
  information that's being shared and make sure that people's 
  privacy or being being protected but one of the ways that some of 
  the nist Publications are being used are too you know halt or 
  slow some of that work certainly not by nist by you know other 
  other entities in the in the ecosystem have have you.
Manu Sporny:   Consider door.
Manu Sporny:  Language already exist specifically language that 
  calls out selective disclosure and why it's beneficial to use 
  that in detail or unlink Bill signatures like BBS in why it would 
  be a useful attribute of a system to have that.
Andy_Regenscheid_(NIST): And we're certainly not trying to put a 
  stop or slow down that work at all I mean I am based out of the 
  the cryptographic Technology Group at nist the one that puts out 
  the cryptographic algorithm standards and guidelines I mean we've 
  been very interested in you know a variety of approaches for 
  privacy enhancing cryptography and privacy enhancing Technologies 
  you know so when we you know when mist is engaged in places like 
  ISO on the.
Andy_Regenscheid_(NIST):  you know mdl standard those are things 
  you know features that we're looking for.
Andy_Regenscheid_(NIST): Okay first of all I mean II think it 
  would be good to get your feedback you know it's good to get 
  feedback here but also good to get your feedback during the 
  comment period on you know what could be some of those you know 
  those properties to that could be you know referenced you know we 
  do talk about related properties in the context of say Federation 
  protocols you know but they don't necessarily have a.
Andy_Regenscheid_(NIST):  we don't really.
<mprorock> "Derived Attribute Value" which is defined in the 
  draft is definitely an area where these concepts apply
Andy_Regenscheid_(NIST): A separate place that talks about those 
  things in the context of things closer to verifiable credentials 
  so I think there's a mean I think there's interesting work to go 
  on and I think that's also interesting work for you know 
  basically I think that's interesting feedback both you know also 
  for the you know in this cryptographic technology group as we you 
  know look at where where you know looking to you know Target are 
  you know efforts I mean we.
Andy_Regenscheid_(NIST):  we have a lot of discussions about some 
  of these things I mean we had.
Mike Prorock: +1 Andy
Andy_Regenscheid_(NIST): Active program on privacy Nancy 
  cryptography for you know close to you know 10 years now longer 
  depending on what you count you know I will acknowledge it part 
  of the challenge that we have right now is is that we're very 
  interested in in post Quantum cryptography and some of the 
  techniques that have been historically pointed to like pairings 
  you know would be vulnerable so you know we are also now looking 
  at you know what new lattice base.
Andy_Regenscheid_(NIST):  schemes you know could be.
Andy_Regenscheid_(NIST): You know are out there in order to 
  provide similar properties that would you know resisted X by 
  quantum computers anyways I think you brought up a lot of very 
  interesting points I mean I think those are things that we'll 
  have to connect it to dig into more.
Ryan_G: And I think some of this might also have some opportunity 
  to be a bit more precise and in translatable and some of the 
  language I mean we we've got data minimization is a very 
  important concept to us and selective disclosure is a way to 
  achieve that more directly we've got Concepts like I think we 
  call derived attribute values but essentially not providing all 
  of the attributes so much as providing just kind of you know 
  critical responses but I think in particular be very valuable to 
  get that.
Ryan_G:  very specific feedback and the other thing I will add is 
  we do work pretty closely with our privacy engineering team.
Ryan_G: Well to who works.
Ryan_G: On privacy enhancing technology not just crypto based off 
  but you know other IAI machine learning and kind of privacy 
  enhancing models so I do think the if there are areas where you 
  can point out very specific hey you know you talk about this 
  concept that's kind of sort of like the concept that we have over 
  here being more concise and being more specific about how this 
  would look and what it might look like would be helpful to us as 
  we as we start to again I think account for the broader range of.
Ryan_G: Entity and credential models that are starting to emerge 
  or.
Mike Prorock:  Yeah and then and I think that's a great note to 
  get you know kind of clothes on as far as like a lot of this is 
  terminology some of it is there is a gap right the role cons like 
  this three-party role section is not really covered or explicitly 
  allowed and they mean there's good call-outs and do a TC and 
  things like that and the in the draft but not really back in like 
  well how does this map in on the PC side that's very I think we 
  can help but the that notion of derived.
Mike Prorock:   You know I think I called out the exact size.
Mike Prorock:  Mentioned it right that derived attribute values 
  right that's a one-to-one effectively with this notion of a 
  derived predicate right in in the VC data model and there are a 
  number of items like that that I'm sure as folks are going 
  through and prepping responses hopefully they will call out 
  because those are the things that are very actionable and they 
  just a big plus one on the post Quantum stuff so just as always 
  liked working on some of those things over at ietf.
Mike Prorock:   Find glad glad to know that that is on your mind 
  as well as the.
Mike Prorock:  So with that I know we're about a minute and 40 
  seconds or so over time I'm going to give missed the big thanks 
  really appreciate the time today from everyone if there's any 
  kind of final Last Words thoughts call to action etcetera let's 
  please do it now and then I'll stop the recording and hopefully 
  this is the first of many helpful you know productive pack.
Ryan_G: Yeah and we again we are more than happy to continue to 
  have these conversations I think it's really important and if you 
  would like us to connect on how we can present to some of your 
  other working groups to make sure they understand the intent of 
  63 and Guy fits just let us know and we'll figure out how to get 
  some folks there.
Mike Prorock:  Awesome yeah absolutely and I'm sure I know 
  Christine is one of the editors the VC working group she's on 
  this call Manu myself at a number of items along some other folks 
  on here so I am sure there will be some reach outs drumming 
  diagnose on the Queue and I think he's over at the did you know 
  with more of the did side so I am sure there will be some reach 
  outs for very specific working group and terminology and like how 
  does this apply can we clarify type items so awesome well thank 
  you so much all again.
<drummond_reed> Sorry, I meant to hit the "clap" button ;-)
Mike Prorock:   Really appreciate it really appreciate the great 
  questions and.
Mike Prorock:  Looks and just looking forward to practical 
  actionable stuff and loving loving the fact that hopefully we can 
  get some great comments back in and make the stock better for all 
  of us so thanks again.
<harrison_tang> Thanks, everyon!

Received on Friday, 3 March 2023 01:38:27 UTC