[MINUTES] W3C CCG Credentials CG Call - 2023-03-07

Thanks to Our Robot Overlords for scribing this week!

The transcript for the call is now available here:


Full text of the discussion follows for W3C archival purposes.
Audio of the meeting is available at the following location:


W3C CCG Weekly Teleconference Transcript for 2023-03-07

  Mike Prorock, Kimberly Linson, Harrison Tang
  Our Robot Overlords
  Harrison Tang, Bob Wyman, Nis Jespersen, Sandy Aggarwal, Line 
  Kofoed, James Chartrand, Neil Thomson, Jennie Meier, George Lund, 
  Kerri Lemoie, Greg Bernstein, Paul Dietrich GS1, Chandi 
  Cumaranatunge, TallTed // Ted Thibodeau (he/him) 
  (OpenLinkSw.com), Jeff O - HumanOS, Scott Perry, Mathieu Glaude, 
  Will, Isaac Patka, Erica Connell, Joe Andrieu, BrentZ, Ryan 
  Grant, John Kuo, Dmitri Zagidulin, Brandon Muramatsu MIT/DCC, 
  Manu Sporny, Ross Power, cheqd, Bryan Luisana, Stuart Freeman, 
  Leo, Wendy Seltzer, Steve Magennis, David Chadwick, PL/T3 ASU, 
  Kaliya Young, Nate Otto, David I. Lehn, John Henderson, Andres 
  Uribe, tomj, Andrew Whitehead, Lucy Yang, Michael Palage, Kayode 
  Ezike, Drummond Reed

Bob Wyman: https://www.youtube.com/@OskarPuzzle
Our Robot Overlords are scribing.
Harrison_Tang: Alright, so thank you for joining today's W3C CCG 
  meeting. Today we're very glad to have like Isaac, Manu, Line, 
  Oskar, Constantine to actually present and lead a discussion on 
  list of verifiable issuers and verifiers. Before we get to the 
  main agenda, just want to do the admin stuff, the regular admin 
  stuff, first. So first of all, just want to remind everyone about 
  the code of ethics and professional conduct reminder. Just want 
  to make sure that we'd be respectful to each other. Obviously we 
  have been doing that for years, but just want to remind that.
Harrison_Tang: Quick IP note: anyone can participate in these 
  calls, however all substantive contributors to any CG work items 
  must be members of the CCG with full IPR agreements signed. Make 
  sure you have a W3C account as well as signing the W3C 
  community contributor license agreement. If you have any questions 
  on those things, please reach out to any of the co-chairs.
Harrison_Tang: Right, so these meetings are recorded and the 
  meeting minutes will be published within a few days. I think we 
  have been relatively disciplined about that in the last few months, 
  but if you want to get any recordings or minutes and you don't 
  see them, do reach out to any of the co-chairs.
Harrison_Tang: Jitsi chat to queue the speakers during the call, 
  and you can type in q+ to add yourself to the queue or q- to 
  remove it; you can do q? to see who's in the queue.
Harrison_Tang: All right just want to get you the introductions 
  and reintroductions if you're new to the community or you haven't 
  been active and you are re-engaging with a community please feel 
  free to unmute yourself.
Harrison_Tang: So Oskar, I'm gonna call on you a little bit. Do you 
  mind kind of introduce yourself a little bit, as well as your 
  cool YouTube channel and puzzles that you are solving? Just 
  say a few words.
Oskar_van_Deventer_(TNO): Let's just introduce my professional 
  persona. I'm Oskar van Deventer, and within TNO I'm 
  responsible for the knowledge development and standardization on 
  SSI technologies, so we do a lot of... TNO, by the way, is a 
  Dutch research institute, and we do a lot of, how do you say this, 
  consortium projects or collaborative projects; we are together 
  with groups of stakeholders.
Oskar_van_Deventer_(TNO):  we build things like within the Dutch 
Oskar_van_Deventer_(TNO): Collaborating on SSI pilot.
Oskar_van_Deventer_(TNO): Oh and I have been responsible for the 
  SF lab program that finished a few months ago in which many 
  European subgrantees were sponsored to build SSI technologies 
  and also to build Solutions and demonstrate them in customer 
Harrison_Tang: Cool, thank you. Thanks again for taking the time to 
  present and join us today. Any other introductions or 
<wendy_seltzer> /me Line Kofoed, we couldn't hear you
Harrison_Tang: Well, thank you, thank you Isaac. Thank you for 
  taking the time, and look forward to your presentation in a few 
  minutes. All right, Line, do you mind please introduce yourself a 
  little bit? Thank you.
Manu Sporny:  We can hear your audio in a Porsche.
Harrison_Tang: Sorry I think we cannot hear you.
Manu Sporny:  Not, yeah, we cannot, sorry, Line.
Harrison_Tang: You might want to join with a different browser.
Harrison_Tang: Chrome should work.
<line_kofoed> I'm in Chrome
Harrison_Tang: Yeah I think we cannot hear you so if you don't 
  mind I'll call you later you can meet well yes yes perfect.
Harrison_Tang: Thank you, thank you, Line, thanks a lot.
Harrison_Tang: Any other introductions or reintroductions?
Harrison_Tang: All right let's get to the announcements and 
  reminders anyone have announcements or reminders to the 
Manu Sporny:  Yes, sorry, I'm a bit unprepared for this, but 
  there is an email that went out last week around feature freeze 
  for the Verifiable Credentials Working Group. So that group is 
  going to basically stop accepting new proposals, new work items, 
  at the end of this month, so in about three weeks. There are some 
  things that we're trying to get in, and we could use support from 
  organizations in this group. One of them is the ECDSA Data 
  Integrity cryptosuite. So there was an email that went out asking 
  if companies want hardware-backed security, HSM support, and 
  they're using Data Integrity, please sign the letter of support 
  there to say that you're interested in seeing the group 
  standardize that. There will also be a request coming out, 
  probably next week or the week after, to request support for BBS 
  signatures. That's the unlinkable signatures, pairing-based 
  cryptography, that allows you to do things like selective 
  disclosure and different signatures each time you present, to 
  enhance kind of privacy when using verifiable credentials. So if 
  you're an implementer, if you're an organization that needs 
  either one of those two, please make sure to take the time to 
  put your name on the letter of support to the Verifiable 
  Credentials Working Group. That's it.
Harrison_Tang: Manu, thank you.
Harrison_Tang: Are any other announcements.
Harrison_Tang: Any comments or new work items that people want to 
  bring up.
<manu_sporny> Demonstration of Support for ECDSA Data Integrity 
  Cryptosuite here: 
<manu_sporny> please sign the letter ^^^ (if you want the 
Harrison_Tang: Okay, all right, let's get to the main agenda. So 
  today very glad and very happy to have Isaac, Manu, Line, 
  Oskar and Constantine to present and lead the discussion on list 
  of verifiable issuers and verifiers. This work focuses on how a 
  party or its agents can decide whether or not to engage with the 
  counterparty in the transaction, answering questions like: can I 
  trust X to do Y, is that
Harrison_Tang:  diploma from a recognized university, or should 
Harrison_Tang: Authorized verifier. So personally I'm quite 
  interested in this topic, because I thought the trust framework, 
  the governance, a lot of times are actually more important than 
  the technology itself. So I look forward to the presentation and 
  discussion. So Isaac, the floor is yours.
Harrison_Tang: Sorry Isaac are you okay with taking a question 
  right now or you want to wait till the end.
Harrison_Tang: Okay alright Andres you have a question.
Harrison_Tang: I'm drinks a few on me.
Harrison_Tang: All right we can come back to Andres later but Bob 
  you have a short question was just take two questions.
Bob Wyman:  Yeah I'm wondering when you say that somebody is in 
  the list how literal.
<andres_uribe> Sorry that was accidental
<harrison_tang> no worries
Bob Wyman:  Should we interpret that? Is it that there is 
  actually a list, or can it be simply that somebody has, for 
  instance, a VC that indicates that they are, that they have an 
  attribute, that attribute being that they are a member of the 
Bob Wyman:  I guess the question is does anybody actually need to 
  look to know to see the list or do they just look on the look or 
  they just look at the VC that says that one is in the list.
Bob Wyman:  Okay, be great if at some point you could explain 
  why it's necessary to have anyone look at the list instead of 
  just relying on a VC that says that someone is in the list, okay 
Oskar_van_Deventer_(TNO): That's later in the presentation.
<manu_sporny> bobwyman -- the list IS a VC :)
<manu_sporny> (though that's not clear at this point in the 
<manu_sporny> So, "look in the list" means "look in the list, 
  which is contained in a VC".
<pl/t3_asu> Does "look" mean that the org on the list's status is 
  checked to verify it's current (not revoked or expired)?
<manu_sporny> yes
<pl/t3_asu> I think that might have been the confusion previously 
  expressed ;-)
<manu_sporny> (in that the list has validFrom/validUntil data, 
  revocation data... and the list is expected to be kept up to 
<pl/t3_asu> :+1:
<pl/t3_asu> This is a form of trust registry.
<smagennis> The list 'owner' then is the certifying body that 
  states both that an individual entity in the list is correctly 
  represented AND that the totality of the list is correctly 
<bobwyman> I'm concerned about having access to information that 
  is not relevant to my query. When looking at the list, do I 
  discover anything about members of the list who are not the 
  subject of my immediate interest?
<manu_sporny> @smagennis -- yes, correct (IIUC)
<smagennis> thanks!
<manu_sporny> @bobwyman -- you get a list of all issuers for that 
  assurance community -- so "A list of all entities that issue 
  driver's licenses for your locality" or "A list of all physicians 
  in your locality" and so on.
<pl/t3_asu> @manu - why would you need the whole list and not 
  simply the answer to is the verifier I'm using valid or not? (on 
  the list and of good standing)
<manu_sporny> if you want to ask questions like that, you'll be 
  asking them of a centralized system, which will then track you :)
<pl/t3_asu> No, it's analogous to a ZKP - is this statement true? 
  Or am I missing something?
<george_lund_(gds)> For parties identified by DIDs, it's clear 
  how the key material will be retrieved. For parties identified by 
  HTTP URIs (or I suppose UUIDs) does anyone know of standards for 
  publishing keys? (We are leaning towards did:web but wondering 
  about prior art, that doesn't eg clash with OIDC key material in 
<manu_sporny> You /could/ have the assurance community issue 
  those VCs, but think about how you'd try to deploy something like 
  that... where each issuer has to issue 2 VCs... 1) whether 
  they're a "valid issuer", and 2) how many authorities have to 
  issue those, and 3) that every Holder will have to carry every 
  variation from each assurance community.
<manu_sporny> @PL/T3_ASU you might be presuming ONE centralized 
  assurance community... vs. the more decentralized (there might be 
  multiple assurance communities).
<smagennis> But you still need to know in advance which assurance 
  community(s) to trust
Manu Sporny:  Isaac could you zoom in it's really hard to see any 
  of that text if you don't mind if it's possible.
Manu Sporny:  There we go.
Harrison_Tang: That was perfect.
<pl/t3_asu> @manu - yes I was assuming that you'd be primarily 
  interested in a community relevant to your domain focus. Not that 
  you'd be interested in several.
<manu_sporny> @smagennis yes, you do.
<manu_sporny> @PL/T3_ASU the position we're going from is "there 
  might be multiple assurance communities you care about"
<pl/t3_asu> @manu - critical distinction. Thanks.
<manu_sporny> that is, it's easy to design for ONE centralized 
  assurance body... harder to design for multiple assurance bodies.
<drummond_reed> I think we have to assume thousands or millions 
  of assurance communities.
<manu_sporny> yes, +1 to Drummond. "You and your friends" could 
  be viewed as an "assurance community"
<smagennis> @PL/T3_ASU,  but you would need to know about them in 
  advance, correct?
<bobwyman> Is it assumed that these lists are "small?" (for some 
  value of small...)
<pl/t3_asu> Is there a link to this preso?
<harrison_tang> it's attached to the email sent to the community 
  about this event
<manu_sporny> @PL/T3_ASU @smagennis yes, kinda... in general, you 
  probably need to know about them in advance... OR, you can have 
  them delivered to you as VCs and then decide (though, that's a 
  fairly advanced use case)
<pl/t3_asu> Thanks @Harrison
<lucy_yang> @smagennis, TRAIN can support the discovery of trust 
  lists too.
<manu_sporny> Link to presentation went out to CCG mailing list: 
Harrison_Tang: Thank you Isaac Paul I think you're on the list on 
  the queue.
<smagennis> @Lucy, discovery yes, trust - ...maybe
Paul_Dietrich_GS1: Yeah yeah thanks I'll take about two or three 
  slides back where you had the json-ld example of bottom of that 
  there's a your some background noise at the bottom of that list 
  you kind of the language there it looks like where you're trying 
  to restrict the contents of that scheme of further okay oops Yeah 
  it's right there in the authorized to issue data element you've 
  got a credential schema but then there's something down there.
Paul_Dietrich_GS1:  they're below.
Paul_Dietrich_GS1: Schema property inside the credential schema 
  can you describe what that is.
<lucy_yang> You need to discover them and then get to the trust 
  building part...
Steve Magennis: :+1:
Manu Sporny:  Yeah basically that's schema is a more fine-grained 
  matching thing the idea here is that in this you know this is the 
  this is a University registrar and it's basically talking about 
  like all of the colleges that are allowed to issue you know a 
  degree understanding that not every some organizations don't 
  operate like that right but this authorized to issue field is 
  basically saying the.
Manu Sporny:  Defies this entity as authorized to issue this 
  University degree credential in this credential once you match on 
  University degree credential you have to make sure that that 
  credential also matches this state the you a state so this is the 
  this is the University of Utopia so you a is the state in which 
  the University of utopia.
Manu Sporny:   Yeah you know exist so the.
Manu Sporny:  As a matching mechanism so you can in a broad sense 
  a this entity is authorized to issue this credential this type of 
  credential and more specifically that credential has to have 
  these fields in it for this list to apply to it.
Paul_Dietrich_GS1: Yeah, fantastic, thanks, Manu. So that schema 
  property there is actually a schema, like the thing has to be a 
  JSON schema, and it's any JSON schema?
Manu Sporny:  Yeah, that's right. Yeah, in theory. I mean, you know, 
  this is a bit of a hand wave right now, right? We're very 
  early in the process, but yes, the expectation is that you'd 
  put a JSON schema in there and that would match against the 
  credential to determine if, you know, this list covers that 
  type of degree.
Paul_Dietrich_GS1: Yeah, I like that flexibility, Manu, and it might 
  be worth putting a link to a schema as well, not just the embedded 
  schema, to support either.
<pl/t3_asu> That's a great way to designate who within a larger 
  org has registrar approved authority for the credential being 
  checked.  Nice!
Harrison_Tang: But I have a question. This looks like a whitelist 
  approach. Sometimes, like, verifiers like to approach it with 
  a blacklist approach, right? So can this proposal be 
  modified to kind of enable a blacklist approach to this, I guess 
  the - of verifiable issuers and presenters?
Harrison_Tang: Thank you, and Manu, you have a comment about 
  the deny list.
Manu Sporny:  Yeah, so, you know, allow lists and deny lists. 
  One of the arguments against deny lists is that listing all the 
  people that are not supposed to do something is a really 
  difficult thing to do when you're dealing with, like, criminal 
  organizations, right? Because the second they're on the list they 
  figure out a different way. And remember that these are, like, 
  lists of decentralized identifiers, which are, like, very, in 
  general, incredibly easy to get and generate a new one for. So 
Manu Sporny:   a deny list is a constant game of whack-a-mole, 
  right? The only.
Manu Sporny:  You're able to do that is when you're potentially, 
  you know, dealing with the nation state that doesn't see 
  any reason they need to change, you know, their ID. So 
  one of the arguments here is: focus on allow lists and 
  just state the entities that you trust to deal with these types 
  of credentials, and by default everybody else is not on that 
  allow list, right? And that's the way you deal with kind of bad.
Manu Sporny:   Actors in the system so it's more of kind of like 
Manu Sporny:  Data than a stick based approach because if you 
  take the stick based approach with like an identifier that is 
  massively cheap to Mint a new one you're probably never going to 
  be able to list all the Bad actors or all the bad identifiers for 
  all the Bad actors that's.
Harrison_Tang: Thank you, and Kerri, you are next on the queue.
Kerri Lemoie:  Thanks. Two questions, if you don't mind; I'll be 
  quick. The one is: how do you handle updates to this list, which 
  are certain to happen pretty frequently? And then the second one 
  would come from the Open Badges community, because I've heard it 
  quite a bit: will there be a consideration to add things like this 
  issuer is allowed to issue this very specific credential, not a 
  schema type but actual you description of a credential.
Kerri Lemoie:   Which they have that concept of an open badges.
Kerri Lemoie:  Familiar with that.
Kerri Lemoie:  Yeah I wish her well let's do one question at a 
  time I'm sorry the first one was how does this system handle 
  updates to this list.
<manu_sporny> Kerri, the "technical" answer to your question is: 
  Just publish an updated VC. It works just like publishing a 
  revocation list.
<lucy_yang> If anyone is interested in the pilot work Issac is 
  referring to, you can find more info here: 
<manu_sporny> (which is a type of VC)
Kerri Lemoie:  Okay yeah I was I was curious about that because 
  you can imagine that maybe multiple listings of each issue or 
  might be needed to represent historical context or something like 
  the last one was we often get these copyright questions where we 
  say okay this issuer is allowed to issue this very specific 
  credential I see schema in here and I was wondering if there was 
  a consideration to do something like that.
Kerri Lemoie:  Okay thanks Isaac.
Harrison_Tang: All right, PL/T3, you're next in the queue.
PL/T3_ASU: Yes you hear me okay.
PL/T3_ASU: Thank you. First of all, I was, Kerri's comment in the 
  latter question that I don't want you just ask is relevant to 
  what I was interested in following up on. I'll start by just 
  saying how valuable I think this is going to be, because as Kerri 
  implied, particularly at institutions that are somewhat larger, 
  complex, the registrars typically have a binary choice of either 
  having something go through a particular process.
PL/T3_ASU:  that typically is academic senate or something like 
PL/T3_ASU: Forever and the likelihood of getting things like that 
  through is low or giving her another or he or she another 
  opportunity to have a list of those departments that have or 
  schools or whatever the unit maybe that have permission to issue 
  a particular kind of credential relevant to their their program 
  or what have you and giving that kind of flexibilities is a 
  hugely valuable opportunity and let that let the process of how.
PL/T3_ASU:  it goes through the internal governance of the 
  institution be a separate one so that's.
PL/T3_ASU: Huge plus 1 that, and secondly, the fidelity, or the 
  granularity I should say, of the credential type will 
  become a hugely valuable add-on, because there are, what, 29 
  different types of credentials for just the OBv3 type of 
  single assertion verifiable credential, and, you know, 
  institutions of that sort are notable for their in.
PL/T3_ASU:  in in.
PL/T3_ASU: Channel complexity shall we say thanks.
Harrison_Tang: Cool next we have Bob.
Bob Wyman:  Yeah thanks is interesting presentation I wonder 
  though if you could say anything about the your your assumptions 
  concerning the size of these lists you know clearly a list with.
Bob Wyman:  A presents a different processing problem than a list 
  with maybe 100 million members.
Bob Wyman:  Um you know what can you just say something about you 
  know what where do you what do you think is a reasonable size 
  list what size list are you targeting does list size matter what 
  should we do when lists become very large Etc.
Bob Wyman:  Okay I guess an application I'd be think of is 
  imagine you have millions of self Sovereign Social Web users each 
  of whom is able to issue certificates describing essentially The 
  credibility of other people so there you would have potentially 
  millions of of of issuers right.
<pl/t3_asu> s./in in/ /
<smagennis> @bobwyman, who would be the 'owner' of such large 
<dmitri_zagidulin> @bobwyman - although I don't think list size 
  matters, the spec should have a pagination mechanism
<dmitri_zagidulin> because you're essentially asking "what's the 
  size of a database?". well, how much memory/disk space you got?
<george_lund_(gds)> it sounds like a thing you could bolt on to 
  ActivityPub :-)
<manu_sporny> @bobwyman -- there doesn't have to be a single 
  owner since the data model allows the data to be 
  combined/composed together... so, what we're probably talking 
  about is merging LOTS of little lists.
Harrison_Tang: Thank you Lucy you're next.
Lucy Yang:  Yeah, thank you. I have a clarification I'm a success. 
  So this format you're trying to standardize is implementation 
  agnostic, right? Like TRAIN can implement this, or 
  something else that's using different technology can also 
  implement this. Is that the idea for this work?
<sandy_aggarwal> Coming from a bank tech side, I heavily use  
  "Effective Date" and "Expiration Date" logic. Are you planning to 
  include such attributes?
Lucy Yang:  And the credential you're talking about is particular 
  you're trying to standardize here is the credential for issuers 
  and verifiers which certified kind of certify that they are on a 
  trusted list that's the scope is that it.
<manu_sporny> @dmitri -- remember that pagination might be 
  difficult since these are VCs... so if you have aggregated lots 
  of VCs (lists of issuers), you could paginate those... but 
  pagination among items might be more difficult.
Lucy Yang:  Okay and these are different from what credentials 
  issuers are issuing right in a particular kind of context.
<manu_sporny> @Sandy VCs have "validFrom" and "validUntil", and 
  these lists can be represented as VCs... so the answer to your 
  banktech questions is: "Yes, they have expiry information."
<drummond_reed> BC Gov's OrgBook already is a fully indexed, 
  scalable registry of VCs. https://bcgov.github.io/TheOrgBook/
Lucy Yang:  Okay, okay, cuz I was a little bit confused by 
  the question Kerri asked earlier. I saw she was asking about 
  the issuers' issued credentials instead of the credentials for 
  the issuers, but anyway, thank you.
Harrison_Tang: All right, Paul, you're next on the queue.
Paul_Dietrich_GS1: Yeah I think I like the flexibility in this 
  data model so plus 1 I think it might be valuable to look at use 
  cases within the development of this that aren't just lists 
  meaning that are also doing issuers where this is passed down in 
  a distributed way so for example all we have millions of members 
  and creating a list for them would be possible but using this 
  data model the issue them certificates that show their verifiable 
  and having them present those I think would be.
Paul_Dietrich_GS1:  be a valuable model.
Paul_Dietrich_GS1: If the group could come to consensus on the 
  data it contains.
Harrison_Tang: All right, Sandy, you're next. Thank you.
<kerri_lemoie> @lucy - I was asking about the approved credentials 
  that issuers are allowed to issue. In Open Badges there's a 
  concept of an achievement that may be described by one 
  organization and issued by someone else but many are concerned 
  about knowing if issuers have permission to issue credentials 
  containing that content.
Sandy_Aggarwal: Yeah, hi, thanks. I think Manu already answered my 
  question, so I think the validFrom and validUntil, I think, kind 
  of address the effective date logic, so essentially anything we're 
  coming in I think I can talk to take discussion offline with 
  somebody but I'm wondering how the actual Logistics behind this 
  is actually gonna work if you have like a huge list of users that 
  they are all or issuers and they all have their effective dates 
Sandy_Aggarwal:  dates keep changing like the how do we manage 
  the auditing part of that so let's.
<pl/t3_asu> @Drummond - BC Gov's Org Book scales to how large 
  approximately?  I'm guessing tens of thousands but I may be an 
  order of magnitude off
Sandy_Aggarwal: You have an existing issuer and the effective to 
  date have rules from the end of this quarter to the next quarter 
  or the next year so do we just try cut the existing where I could 
  do a new one so I guess I have some questions about that maybe we 
  can come back that later on given that it's almost 1:00.
Sandy_Aggarwal: If you think as I can I'll probably try to read 
  more the South Point a we'll see if I can try to find some 
  specific answer I think I think just living off with 10 second 
  thing is in my opinion what happens that a city like ongoing at 
  it's like especially if you have a huge massive scale like that 
  becomes a challenge because then like how do we really go to 
  single source of Truth in that cases like if things getting 
  constantly added in.
Sandy_Aggarwal:  in that key for web special with the with the 
  dates in there.
Sandy_Aggarwal: So you have a dead you know it's on top of that 
  like you know you always got to check all the other way to beat 
  with that you know with the with dates everything and obviously 
  day Scott all correlate to a standard date like whether this UTC 
  or something not just Regional date.
Sandy_Aggarwal: I think I'll lead the full thanks.
<smagennis> @Sandy, yes large lists == large liability
Harrison_Tang: Thanks, Sandy, thanks, Isaac. I think we're right at 
  time, so thanks a lot. Thanks again Isaac, Manu, Line, Oskar and 
  Constantine for a great discussion. I think today is one 
  of the most active discussions we had, and so thank you.
<kerri_lemoie> Thanks for introducing this! Looking forward to 
  more discussions about it.
<drummond_reed> Most excellent presentation and discussion. 
<pl/t3_asu> Great work
Harrison_Tang: All right, that concludes 
  this week's W3C CCG meeting. I will publish the meeting notes 
  by tomorrow, and you can look at upcoming agenda in the link in 
  the email tab set up right. Thanks, thanks a lot, have a good one 
<bobwyman> Also, is there any way for  a member of the list to 
  restrict the list of those authorized to see if they are on the 

Received on Tuesday, 7 March 2023 21:36:30 UTC