[MINUTES] W3C CCG Credentials CG Call - 2023-03-07 from CCG Minutes Bot on 2023-03-07 (public-credentials@w3.org from March 2023)

From: CCG Minutes Bot <minutes@w3c-ccg.org>
Date: Tue, 07 Mar 2023 21:36:30 +0000
Message-ID: <E1pZeyv-007F6g-RB@titan.w3.org>

Thanks to Our Robot Overlords for scribing this week!

The transcript for the call is now available here:

https://w3c-ccg.github.io/meetings/2023-03-07/

Full text of the discussion follows for W3C archival purposes.
Audio of the meeting is available at the following location:

https://w3c-ccg.github.io/meetings/2023-03-07/audio.ogg

----------------------------------------------------------------
W3C CCG Weekly Teleconference Transcript for 2023-03-07

Agenda:
https://www.w3.org/Search/Mail/Public/advanced_search?hdr-1-name=subject&hdr-1-query=%5BAGENDA&period_month=Mar&period_year=2023&index-grp=Public__FULL&index-type=t&type-index=public-credentials&resultsperpage=20&sortby=date
Organizer:
Mike Prorock, Kimberly Linson, Harrison Tang
Scribe:
Our Robot Overlords
Present:
Harrison Tang, Bob Wyman, Nis Jespersen , Sandy Aggarwal, Line
Kofoed, James Chartrand, Neil Thomson, Jennie Meier, George Lund,
Kerri Lemoie, Greg Bernstein, Paul Dietrich GS1, Chandi
Cumaranatunge, TallTed // Ted Thibodeau (he/him)
(OpenLinkSw.com), Jeff O - HumanOS, Scott Perry, Mathieu Glaude,
Will, Isaac Patka, Erica Connell, Joe Andrieu, BrentZ, Ryan
Grant, John Kuo, Dmitri Zagidulin, Brandon Muramatsu MIT/DCC,
Manu Sporny, Ross Power, cheqd, Bryan Luisana, Stuart Freeman,
Leo, Wendy Seltzer, Steve Magennis, David Chadwick, PL/T3 ASU,
Kaliya Young, Nate Otto, David I. Lehn, John Henderson, Andres
Uribe, tomj, Andrew Whitehead, Lucy Yang, Michael Palage, Kayode
Ezike, Drummond Reed

Bob Wyman: https://www.youtube.com/@OskarPuzzle
https://www.youtube.com/@OskarPuzzle
Our Robot Overlords are scribing.
Harrison_Tang: Alright so thank you for joining today's w3c ccg
meaning today we're very glad to have like Isaac Manu line Oscar
Constantine to actually present and lead a discussion on list of
verifiable issuers and verifiers before we get to the main agenda
just want to do the admin stuff the regular admin stuff first so
first of all just want.
Harrison_Tang: to remind everyone.
Harrison_Tang: About the code of ethics and professional conduct
reminder just want to make sure that we'd be respectful to each
other obviously we have been doing that for years but just want
to remind that.
Harrison_Tang: Quick IP note anyone can participate in these
calls however all substantive contributions to any CG work items
must be members of the ccg with for IPR agreements signed make
sure you have a w3c account as well as signing the w3c's w3c
community contributor license agreement if you have any questions
on those things please reach out to any of the cultures.
Harrison_Tang: Right so these meetings are recorded and the
meeting minutes will be published within a few days I think we
have been relatively discipline about that in the last few month
but if you want to get any recordings or minutes and you don't
see them to reach out to any of the cultures.
Harrison_Tang: GT chat 2q the speakers during the call and you
can type in Q + to add yourself to the queue or q- to remove it
you can do Q question to see who's in the queue.
Harrison_Tang: All right just want to get you the introductions
and reintroductions if you're new to the community or you haven't
been active and you are re-engaging with a community please feel
free to unmute yourself.
Harrison_Tang: So Oscar I'm gon call on you a little bit do you
mind kind of introduce yourself a little bit as well as you are
cool YouTube intentional and puzzles that you are solving just
say a few words.
Oskar_van_Deventer_(TNO): Let's just introduce my professional
Persona and postcard from Dave Hunter and we didn't you know I'm
responsible for the knowledge development and standardization on
SSI Technologies so we do a lot of t n 0 by the way it should
touch Research Institute and we do a lot of how do you say this
Consortium projects or collaborative projects we are together
with groups of stakeholders.
Oskar_van_Deventer_(TNO): we build things like within the Dutch
blockchain.
Oskar_van_Deventer_(TNO): Collaborating on SSI pilot.
Oskar_van_Deventer_(TNO): Oh and I have been responsible for the
SF lab program that finished a few months ago in which many
European ship grantees were sponsored to build SSI Technologies
and also to build Solutions and demonstrate them in customer
project.
Harrison_Tang: Cool thank you thanks again for taking the time to
present it join us today any other introductions were
reintroductions.
<wendy_seltzer> /me Line Kofoed, we couldn't hear you
Harrison_Tang: Well thank you thank you Isaac thank you for
taking the time and look forward to your presentation in a few
minutes all right line do you mind please introduce yourself a
little bit thank you.
Manu Sporny: We can hear your audio in a Porsche.
Harrison_Tang: Sorry I think we cannot hear you.
Manu Sporny: Not yeah we cannot sorry Lena.
Harrison_Tang: You might want to join with a different browser.
Harrison_Tang: If Chrome shoe work.
<line_kofoed> I'm in Chrome
Harrison_Tang: Yeah I think we cannot hear you so if you don't
mind I'll call you later you can meet well yes yes perfect.
Harrison_Tang: Thank you thank you Dina thanks a lot.
Harrison_Tang: Any other introductions were reintroductions.
Harrison_Tang: All right let's get to the announcements and
reminders anyone have announcements or reminders to the
community.
Manu Sporny: Yes sorry I'm a bit unprepared for this but the
there is an email that went out last week around feature freeze
for the verifiable credentials working group so that group is
going to basically stopped accepting new proposals New York items
at the end of this month so in about three weeks there are some
things that we're trying to get.
Manu Sporny: Get in.
Manu Sporny: And we could use support from organizations in this
group one of them is the ecdsa data Integrity crypto sweet so
there was an email that went out asking if companies want
Hardware back security HSM support and they're using data
Integrity please sign the letter of support there to say that
you're interested in seeing the group standardized that there
will also be a request coming.
Manu Sporny: Nowt probably next week or the week after.
Manu Sporny: Stir to request support for BBS signatures that's
the on linkable signatures pairing based cryptography that allows
you to do things like selective disclosure and different
signatures each time you present to enhance kind of privacy when
using verifiable credential so if you're an implementer if you're
an organization that.
Manu Sporny: Needs either one of those two.
Manu Sporny: Please make sure to take the time to put your name
on the letter of support to the verifiable credentials working
group that's it.
Harrison_Tang: Man you thank you.
Harrison_Tang: Are any other announcements.
Harrison_Tang: Any comments or new work items that people want to
bring up.
<manu_sporny> Demonstration of Support for ECDSA Data Integrity
Cryptosuite here:
https://docs.google.com/document/d/1wcEg1P3AXOF0tUwzgNo_2IDLC_vBJNEGJRg_5JfprRM/edit
<manu_sporny> please sign the letter ^^^ (if you want the
feature)
Harrison_Tang: Okay all right let's get to the main agenda so
today very glad and very happy to have Isaac mon you Lena and the
Oscar and Constantine to present and be the discussion on this of
verifiable issuers and verifiers this work focus on how a party
or its agents can decide whether or not to engage with the
counterparty in the transaction answering questions like can I
trust X to do why is that.
Harrison_Tang: diploma from a recognized University or should
the.
Harrison_Tang: Authorized verifier so personally I'm quite
interesting this topic because I thought the trust framework the
governance a lot of times are actually more important than the
technology itself so I look forward to the presentation and
discussion so I take the floor is yours.
Harrison_Tang: Sorry Isaac are you okay with taking a question
right now or you want to wait till the end.
Harrison_Tang: Okay alright Andres you have a question.
Harrison_Tang: I'm drinks a few on me.
Harrison_Tang: All right we can come back to Andres later but Bob
you have a short question was just take two questions.
Bob Wyman: Yeah I'm wondering when you say that somebody is in
the list how literal.
<andres_uribe> Sorry that was accidental
<harrison_tang> no worries
Bob Wyman: Should we interpret that is that that there is
actually a list or can it be simply that somebody has for
instance Avicii that indicates that they are that they have an
attribute that attribute being that they are a member of the
list.
Bob Wyman: I guess the question is does anybody actually need to
look to know to see the list or do they just look on the look or
they just look at the VC that says that one is in the list.
Bob Wyman: Okay be great if it's some point you could explain
why it's necessary to have anyone look at the list instead of
just relying on a VC that says that someone is in the list okay
that's.
Oskar_van_Deventer_(TNO): That's later in the presentation.
<manu_sporny> bobwyman -- the list IS a VC :)
<manu_sporny> (though that's not clear at this point in the
presentation)
<manu_sporny> So, "look in the list" means "look in the list,
which is contained in a VC".
<pl/t3_asu> Does "look" mean that the org on the list's status is
checked to verfiy it's current (not revoked or expired)?
<manu_sporny> yes
<pl/t3_asu> I think that might have been the confusion previously
expressed ;-)
<manu_sporny> (in that the list has validFrom/validUntil data,
revocation data... and the list is expected to be kept up to
date)
<pl/t3_asu> :+1:
<pl/t3_asu> This is a form of trust registry.
<smagennis> The list 'owner' then is the certifying body that
states both that an individual entity in the list is correctly
represented AND that the totality of the list is correctly
represented?
<bobwyman> I'm concerned about having access to information that
is not relevant to my query. When looking at the list, do I
discover anything about members of the list who are not the
subject of my immediate interest?
<manu_sporny> @smagennis -- yes, correct (IIUC)
<smagennis> thanks!
<manu_sporny> @bobwyman -- you get a list of all issuers for that
assurance community -- so "A list of all entities that issue
driver's licenses for your locality" or "A list of all physicians
in your locality" and so on.
<pl/t3_asu> @manu - why would you need the whole list and no
simply the answer to is the verifier I'm using valid or not? (on
the list and of good standing)
<manu_sporny> if you want to ask questions like that, you'll be
asking them of a centralized system, which will then track you :)
<pl/t3_asu> No, it's analogous to a ZKP - is this statement true?
Or am I missing something?
<george_lund_(gds)> For parties identified by DIDs, it's clear
how the key material will be retrieved. For parties identified by
HTTP URIs (or I suppose UUIDs) does anyone know of standards for
publishing keys? (We are leaning towards did:web but wondering
about prior art, that doesn't eg clash with OIDC key material in
JWKS)
<manu_sporny> You /could/ have the assurance community issue
those VCs, but think about how you'd try to deploy something like
that... where each issuer has to issue 2 VCs... 1) whether
they're a "valid issuer", and 2) how many authorities have to
issue those, and 3) that every Holder will have to carry every
variation from each assurance community.
<manu_sporny> @PL/T3_ASU you might be presuming ONE centralized
assurance community... vs. the more decentralized (there might be
multiple assurance communities).
<smagennis> But you still need to know in advance which assurance
community(s) to trust
Manu Sporny: Isaac could you zoom in it's really hard to see any
of that text if you don't mind if it's possible.
Manu Sporny: There we go.
Harrison_Tang: That was perfect.
<pl/t3_asu> @manu - yes I was assuming that you'd be primarily
interested in a community relevant to your domain focus. Not that
you'd be interested in several.
<manu_sporny> @smagennis yes, you do.
<manu_sporny> @PL/T3_ASU the position we're going from is "there
might be multiple assurance communities you care about"
<pl/t3_asu> @manu - critical distinction. Thanks.
<manu_sporny> that is, it's easy to design for ONE centralized
assurance body... harder to design for multiple assurance bodies.
<drummond_reed> I think we have to assume thousands or millions
of assurance communities.
<manu_sporny> yes, +1 to Drummond. "You and your friends" could
be viewed as an "assurance community"
<smagennis> @PL/T3_ASU, but you would need to know about them in
advance, correct?
<bobwyman> Is it assumed that these lists are "small?" (for some
value of small...)
<pl/t3_asu> Is there a link to this preso?
<harrison_tang> it's attached to the email sent to the community
about this event
<manu_sporny> @PL/T3_ASU @smagennis yes, kinda... in general, you
probably need to know about them in advance... OR, you can have
them delivered to you as VCs and then decide (though, that's a
fairly advanced use case)
<pl/t3_asu> Thanks @Harrison
<lucy_yang> @smagennis, TRAIN can support the discovery of trust
lists too.
<manu_sporny> Link to presentation went out to CCG mailing list:
https://lists.w3.org/Archives/Public/public-credentials/2023Mar/att-0025/Verifiable_Issuers_and_Verifiers_v0.1__1_.pdf
Harrison_Tang: Thank you Isaac Paul I think you're on the list on
the queue.
<smagennis> @Lucy, discovery yes, trust - ...maybe
Paul_Dietrich_GS1: Yeah yeah thanks I'll take about two or three
slides back where you had the json-ld example of bottom of that
there's a your some background noise at the bottom of that list
you kind of the language there it looks like where you're trying
to restrict the contents of that scheme of further okay oops Yeah
it's right there in the authorized to issue data element you've
got a credential schema but then there's something down there.
Paul_Dietrich_GS1: they're below.
Paul_Dietrich_GS1: Schema property inside the credential schema
can you describe what that is.
<lucy_yang> You need to discover them and then get to the trust
building part...
Steve Magennis: :+1:
Manu Sporny: Yeah basically that's schema is a more fine-grained
matching thing the idea here is that in this you know this is the
this is a University registrar and it's basically talking about
like all of the colleges that are allowed to issue you know a
degree understanding that not every some organizations don't
operate like that right but this authorized to issue field is
basically saying the.
Manu Sporny: Defies this entity as authorized to issue this
University degree credential in this credential once you match on
University degree credential you have to make sure that that
credential also matches this state the you a state so this is the
this is the University of Utopia so you a is the state in which
the University of utopia.
Manu Sporny: Yeah you know exist so the.
Manu Sporny: As a matching mechanism so you can in a broad sense
a this entity is authorized to issue this credential this type of
credential and more specifically that credential has to have
these fields in it for this list to apply to it.
Paul_Dietrich_GS1: Yeah fantastic thanks Monty so that schema
property there is actually a schema like the thing has to be a
Json schema and it's any Json schema.
Manu Sporny: Yeah that's right yeah in theory I mean you know
with this is a bit of a hand wave right now right we're very
early in the process but yes the the expectation is that you'd
put a Json schema in there in that would match against the
credential the determine if you know this list covers that that
that type of degree.
Paul_Dietrich_GS1: Yeah I like that flexibility mono and it might
be worth putting a link to a scheme as well not just the embedded
schema to support either.
<pl/t3_asu> That's a great way to designate who within a larger
org has registrar approved authority for the credential being
checked. Nice!
Harrison_Tang: But I have a question like this looks like a white
list of protein sometimes like verifies like to approach it with
a blacklist approach right so can this can this proposal be
modified to to kind of enable Blackness approach to this I guess
the - of verifiable issuers and presenters.
Harrison_Tang: Thank you and Mom you you have a comment about
that he nihilist.
Manu Sporny: Yeah so you know allow listen to deny list the one
of the arguments against deny lists is that listing all the
people that are not supposed to do something is a really
difficult thing to do when you're dealing with like criminal
organizations right because the second they're on the list they
figure out a different way and remember that these are like lists
of decentralized identifiers which are like very in general
incredibly easy to get in generate a new one for so.
Manu Sporny: My list is a constant game of whack-a-mole right
the only.
Manu Sporny: You're able to do that is when you're potentially
leading you know dealing with the nation state that doesn't see
any reason they need to change you know they're their ID so we
one of the one of the arguments here is focus on allow lists and
just State the entities that you trust to deal with these types
of credentials in by default everybody else is not on that allow
list right and that's the way you deal with kind of bad.
Manu Sporny: Actors in the system so it's more of kind of like
a.
Manu Sporny: Data than a stick based approach because if you
take the stick based approach with like an identifier that is
massively cheap to Mint a new one you're probably never going to
be able to list all the Bad actors or all the bad identifiers for
all the Bad actors that's.
Harrison_Tang: Thank you and carry you are next on the key.
Kerri Lemoie: Thanks if two questions you don't mind I'll be
quick the one is how do you handle updates to this list which are
are certain to happen pretty frequently and then the second one
would come from City open badges Community because I've heard it
quite a bit will there be a consideration to add things like this
issuer is allowed to issue this very specific credential not a
schema type but actual you description of a credential.
Kerri Lemoie: Which they have that concept of an open badges.
Kerri Lemoie: Familiar with that.
Kerri Lemoie: Yeah I wish her well let's do one question at a
time I'm sorry the first one was how does this system handle
updates to this list.
<manu_sporny> Kerri, the "technical" answer to your question is:
Just publish an updated VC. It works just like publishing a
revocation list.
<lucy_yang> If anyone is interested in the pilot work Issac is
referring to, you can find more info here:
https://www.sparkblue.org/Regi-TRUST
<manu_sporny> (which is a type of VC)
Kerri Lemoie: Okay yeah I was I was curious about that because
you can imagine that maybe multiple listings of each issue or
might be needed to represent historical context or something like
the last one was we often get these copyright questions where we
say okay this issuer is allowed to issue this very specific
credential I see schema in here and I was wondering if there was
a consideration to do something like that.
Kerri Lemoie: Okay thanks Isaac.
Harrison_Tang: All right happy lt3 you're next in the queue.
PL/T3_ASU: Yes you hear me okay.
PL/T3_ASU: Thank you first of all I was carries comment in the
latter question that I don't want you just ask is relevant to
what I was interested in following up on I'll start by just
saying how valuable I think this is going to be because as scary
implied at particularly at institutions that are somewhat larger
complex the registrar's typically have a binary choice of either
having something go through a particular process.
PL/T3_ASU: that typically is academic senate or something like
that.
PL/T3_ASU: Forever and the likelihood of getting things like that
through is low or giving her another or he or she another
opportunity to have a list of those departments that have or
schools or whatever the unit maybe that have permission to issue
a particular kind of credential relevant to their their program
or what have you and giving that kind of flexibilities is a
hugely valuable opportunity and let that let the process of how.
PL/T3_ASU: it goes through the internal governance of the
institution be a separate one so that's.
PL/T3_ASU: Huge plus 1 that and and secondly the Fidelity or the
or the granularity I should say of the credential type will
become a hugely valuable at add-on because there are what 29
different types of credentials for just the obv three type of
single assertion verifiable credential and in those in you know
institutions of that sort are notable for their in.
PL/T3_ASU: in in.
PL/T3_ASU: Channel complexity shall we say thanks.
Harrison_Tang: Cool next we have Bob.
Bob Wyman: Yeah thanks is interesting presentation I wonder
though if you could say anything about the your your assumptions
concerning the size of these lists you know clearly a list with.
Bob Wyman: A presents a different processing problem than a list
with maybe 100 million members.
Bob Wyman: Um you know what can you just say something about you
know what where do you what do you think is a reasonable size
list what size list are you targeting does list size matter what
should we do when lists become very large Etc.
Bob Wyman: Okay I guess an application I'd be think of is
imagine you have millions of self Sovereign Social Web users each
of whom is able to issue certificates describing essentially The
credibility of other people so there you would have potentially
millions of of of issuers right.
<pl/t3_asu> s./in in/ /
<smagennis> @bobwyman, who would be the 'owner' of such large
lists?
<dmitri_zagidulin> @bobwyman - although I don't think list size
matters, the spec should have a pagination mechanism
<dmitri_zagidulin> because you're essentially asking "what's the
size of a database?". well, how much memory/disk space you got?
<george_lund_(gds)> it sounds like a thing you could bolt on to
ActivityPub :-)
<manu_sporny> @bobwyman -- there doesn't have to be a single
owner since the data model allows the data to be
combined/composed together... so, what we're probably talking
about is merging LOTS of little lists.
Harrison_Tang: Thank you Lucy you're next.
Lucy Yang: Yeah thank you I have a clarification I'm a success
so this format you're trying to standardize is its implementation
agnostic right I could like the train can implement this or
something else that using different technology you can also
implement this is that the idea for for for this work.
<sandy_aggarwal> Coming from a bank tech side, I heavily use
"Effective Date" and "Expiration Date" logic. Are you planning to
include such attributes?
Lucy Yang: And the credential you're talking about is particular
you're trying to standardize here is the credential for issuers
and verifiers which certified kind of certify that they are on a
trusted list that's the scope is that it.
<manu_sporny> @dmitri -- remember that pagination might be
difficult since these are VCs... so if you have aggregated lots
of VCs (lists of issuers), you could paginate those... but
pagination among items might be more difficult.
Lucy Yang: Okay and these are different from what credentials
issuers are issuing right in a particular kind of context.
<manu_sporny> @Sandy VCs have "validFrom" and "validUntil", and
these lists can be represented as VCs... so the answer to your
banktech questions is: "Yes, they have expiry information."
<drummond_reed> BC Gov's OrgBook already is a fully indexed,
scalable registry of VCs. https://bcgov.github.io/TheOrgBook/
Lucy Yang: Okay okay cuz I cuz I was a little bit confused by
the question and Carrie asked earlier I saw she was asking about
the issuer's issue and credentials instead of the credentials for
the issuer's but anyway thank you.
Harrison_Tang: All right Paul your next on the queue.
Paul_Dietrich_GS1: Yeah I think I like the flexibility in this
data model so plus 1 I think it might be valuable to look at use
cases within the development of this that aren't just lists
meaning that are also doing issuers where this is passed down in
a distributed way so for example all we have millions of members
and creating a list for them would be possible but using this
data model the issue them certificates that show their verifiable
and having them present those I think would be.
Paul_Dietrich_GS1: be a valuable model.
Paul_Dietrich_GS1: If the group could come to consensus on the
data it contains.
Harrison_Tang: All right Sandy your next time thank you.
<kerri_lemoie> @lucy - I was king about the approved credentials
that issuers are allowed to issue. In Open Badges there's a
concept of an achievement that may be described by one
organization and issued by someone else but many are concerned
about knowing if issuers have permission to issue credentials
contaning that content.
Sandy_Aggarwal: Yeah hi thanks I think manual already answered my
question so I thank the developed from invalid to I think kind of
dress the effective date logic so essentially anything we're
coming in I think I can talk to take discussion offline with
somebody but I'm wondering how the actual Logistics behind this
is actually gonna work if you have like a huge list of users that
they are all or issuers and they all have their effective dates
and.
Sandy_Aggarwal: dates keep changing like the how do we manage
the auditing part of that so let's.
<pl/t3_asu> @Drummond - BC Gov's Org Book scales to how large
approximately? I'm guessing tens of thousands but I may be an
order of magnitude off
Sandy_Aggarwal: You have an existing issuer and the effective to
date have rules from the end of this quarter to the next quarter
or the next year so do we just try cut the existing where I could
do a new one so I guess I have some questions about that maybe we
can come back that later on given that it's almost 1:00.
Sandy_Aggarwal: If you think as I can I'll probably try to read
more the South Point a we'll see if I can try to find some
specific answer I think I think just living off with 10 second
thing is in my opinion what happens that a city like ongoing at
it's like especially if you have a huge massive scale like that
becomes a challenge because then like how do we really go to
single source of Truth in that cases like if things getting
constantly added in.
Sandy_Aggarwal: in that key for web special with the with the
dates in there.
Sandy_Aggarwal: So you have a dead you know it's on top of that
like you know you always got to check all the other way to beat
with that you know with the with dates everything and obviously
day Scott all correlate to a standard date like whether this UTC
or something not just Regional date.
Sandy_Aggarwal: I think I'll lead the full thanks.
<smagennis> @Sandy, yes large lists == large liability
Harrison_Tang: Thanks Andy thanks Isaac I think where I write
time so thanks a lot thanks again Isaac on you Lena Oscar and
Constantine for a great discussion I think today's today is one
of the most active discussions we had and so thank you.
<kerri_lemoie> Thanks for introducing this! Looking forward to
more discussions about it.
<drummond_reed> Most excellent presentation and discussion.
Thanks!
<pl/t3_asu> Great work
Harrison_Tang: All right that concludes our that concludes that
this week's at w3c ccg meaning I will publish the meeting notes
in by tomorrow and you can look at upcoming agenda in the link in
the email tab set up right thanks thanks a lot have a good one
bye.
<bobwyman> Also, is there any way for a member of the list to
restrict the list of those authorized to see if they are on the
list?

Received on Tuesday, 7 March 2023 21:36:30 UTC