[MINUTES] W3C CCG Credentials CG Call - 2023-09-05

Thanks to Our Robot Overlords for scribing this week!

The transcript for the call is now available here:


Full text of the discussion follows for W3C archival purposes.
Audio of the meeting is available at the following location:


W3C CCG Weekly Teleconference Transcript for 2023-09-05

  Mike Prorock, Kimberly Linson, Harrison Tang
  Our Robot Overlords
  Harrison Tang, Bob Wyman, Erica Connell, Benjamin Collins, 
  Kimberly Linson, Chandi Cumaranatunge, Nis Jespersen , pauld gs1, 
  TallTed // Ted Thibodeau (he/him) (OpenLinkSw.com), Sharon Leu, 
  Kaliya Young, Orie Steele, Geun-Hyung, Jeff O - HumanOS, Leo, 
  David I. Lehn, Joe Andrieu, Benjamin Young, Brian Richter, 
  Vanessa , Kerri Lemoie, Sam Smith, BrentZ, David Waite, David E 
  Waite, Wendy Seltzer

<harrison_tang> We will wait for a couple minutes for other 
  people to stroll in
Our Robot Overlords are scribing.
Kimberly Linson: 
Kimberly Linson:  All right great welcome everybody we have Ori 
  joining us today to talk about traceability and one of the things 
  that I actually am going to put in the chat is that I tried to do 
  my homework today and look through the draft of the spec which 
  does give a little bit of a good context and actually that's one 
  of the things I really appreciate about Ori so in advance or a 
  before we get started.
Kimberly Linson:   Charted on I definitely hope that you'll kind 
  of looks like we have some.
Kimberly Linson:  Folks in the call today so if you kind of give 
  the background and an explanation of how this is used to that 
  would be great to take care of the housekeeping stuff real 
  quickly so that we can get over to Horry I will remind everyone 
  that we are focused on.
Kimberly Linson:  Is a Tory meeting that follows the code of 
  ethics and professional conduct if you want to refresh yourself 
  on that it's in the agenda we look forward to having everybody 
  participate in these meetings if you are planning to be a 
  substantial contributor which we would really love for you to do 
  then please make sure you have a w3c 3C account and that you have 
  signed the contributor licensure agreement both of the links to 
  those are in the agenda and we keep a record of.
Kimberly Linson:   Of these calls.
Kimberly Linson:  And so please know that please when we are we 
  use the chat to organize the queue and organized the discussion 
  that's kind of the role that I take on today so if you want to 
  add yourself to the queue you can just add q+ and that will add 
  you and I'll kind of monitor that as the conversation is going 
  and at this point I would love to invite anyone who is new to the 
  community or hasn't been here for a while or just test something.
Kimberly Linson:   Interesting that they want to say about the 
  work they've been doing.
Kimberly Linson:  Had to go ahead and do an introduction or 
Rachel_Donahue_(she/they)_-_Digital_Promise: Hi everyone I'm 
  Rachel I am part of digital promise and we are working with MIT s 
  digital credentials Consortium to come up with a full stack open 
  badging solution and I was invited to participate in the meeting 
  so it's really good like exciting to be here yeah thank you so 
  much and I'm out of Portland Oregon.
<harrison_tang> Welcome, Rachel !!
Kimberly Linson:  Thanks Rachel we do a lot of work with a 
  digital promise team so I was very excited when I when I got your 
  notification that you had joined so thank you for introducing 
  yourself and we're really glad you're here.
<rachel_donahue_(she/they)_-_digital_promise> Thanks everyone!
Kimberly Linson:  Anyone else that would like to.
Kimberly Linson:  All right how about announcements and 
Kimberly Linson:  I know we have some of those.
Kimberly Linson:  Kalia can I call on you too.
Kimberly Linson:  Give us an update on the plans for iiw.
Kaliya Young:  Hi sure the internet identity Workshop is coming 
  up October 10 through 12 in Mountain View California there is a 
  plethora of pre-event Monday There's Something there's an OB D 
  Foundation thing there's vrm day there's a diff of plugfest and 
  there's an open Wallet Foundation thing that in the planning so 
  stay tuned for those.
Kaliya Young:  Like if you can arrive Sunday night it's better 
  because you can do all the fun Monday things too but yeah it's 
  going to be great and we're committed to accessibility so if you 
  want to be there and.
Kaliya Young:  The prices are an issue you can reach out to us 
  all help work with you to help you get there.
Kaliya Young:  You know and yeah happy to answer any questions 
  I'll put a link in the chat.
Kimberly Linson:  Great it's like a month away I'm so excited.
Kaliya Young:  I know it's crazy it's really right around the 
  corner okay.
Kimberly Linson:  It is amazing how quickly time is going 
Kaliya Young: https://internetidentityworkshop.com/
Harrison_Tang: Yo it's just like to add that on that Tuesday the 
  ccg will hold a hybrid open house at iiw but it's at 12 p.m. noon 
  3 p.m. eastern time because I W has the circle right Circle 
  discussions at 9:00 9:00 a.m. so yeah so Kimberly will be there 
  unfortunately I won't be there physically because I'm about to 
  have a new baby my fourth one so.
Harrison_Tang:  so so I won't be there but I will join the.
<ben_-_transmute> congrats!
<rachel_donahue_(she/they)_-_digital_promise> :angel:
Harrison_Tang: And and everyone is no there at IW or can join 
  virtually just so feel free to join I'll send out the agenda a 
  week in the vest thanks.
Kimberly Linson:  I hope that you'll be joining with the little 
  little swaddled up infant that would be happy really fun we'll 
  have to show have to share video though if we do that anyone else 
  with an announcement reminder.
<harrison_tang> thanks everyone
Erica Connell:  I have one Kimberly this is a Erica hi everybody 
  happy Tuesday friendly reminder about rebooting the web of trust 
  is coming up just in a couple weeks September 18th to the 22nd in 
  Cologne there are scholarships available I will put the 
  Eventbrite Link in the chat thank you that's it.
Erica Connell: https://rwot12.eventbrite.com/
Kimberly Linson:  There is definitely a lot going on this fall 
  anyone else who'd like to.
Kimberly Linson:  Let us know about anything.
Kimberly Linson:  All right well then I am going to go ahead and 
  turn it over to Horry who can talk to us about traceability and I 
  will moderate the cue for you and it's all yours.
Orie Steele:  Awesome hi everyone I'm worried steel I'm CTO and 
  co-founder transmute my backgrounds in cybersecurity and I'm 
  author of The decentralized identifier specification at w3c one 
  of many authors I'm editor of various specifications in the 
  verifiable credentials working group and today I'm here to talk 
  to you about to credentials community.
Orie Steele:  Items which is really one work item with two to 
  Repose which we call traceability or just traceability of 
  vocabulary traceability API interoperability however in typical 
  fashion I'm actually going to have one of our team members been 
  present this work and I'll be here to answer any questions you 
  might have as we go through the deck then is one of our most.
Orie Steele:   Active contributors to this.
Orie Steele:  He does a lot of the pull requests from our team 
  you know with basically then and Miss who are doing a lot of the 
  contribution to the work and I'll pass the ball to ban you can 
  give a quick intro and then do screen share and let's kick it 
Benjamin Collins:  Okay all right I guess I'll go ahead and pick 
  up the ball here hello my name is Ben I am the technical product 
  owner over at Trends new and I am an author on the traceability 
  vocab and interrupt projects I guess you would call them and so 
  yeah I guess I can go we can go ahead and get started with the 
Benjamin Collins:  It's okay so just confirmation is my screen 
Orie Steele:  Yes and I can see the chat as well although they'll 
  probably interrupt in case there's anything to discuss do you 
  want to take questions as we go through or do you want to try and 
  hold questions for the end.
Orie Steele:  I'll probably cut been off if I see you have a 
  question let's get started.
Benjamin Collins:  I think it's perfectly fine to go ahead and 
  interject is as you come up with something something so go ahead 
  and hit Q Plus in the chat and I'll let the moderator interject 
  okay so let's go we're going to go Theo traceability vocab and 
  traceability intro and so to start out we kind of want to frame 
  the higher level business vertical that we're working with and 
  that's specifically Supply chains and so supply chain.
Benjamin Collins:   Is are working with old platforms.
Benjamin Collins:  Lot of old technology as we see with the 
  screenshot that notepad here has in this is word XML would be a 
  huge upgrade over what's currently happening but you have a lot 
  of small jurisdictions you have a lot of companies yell a lot of 
  countries it's very fragmented and there's a lot of very narrow 
  use cases and so what we're trying to do is you know build up the 
  scalability build up the security built up the trust and one of 
  the biggest reasons that we've added traceability.
Benjamin Collins:   Leti on to the front of it is you know 
  include that.
Benjamin Collins:  You know where the supplier is coming from 
  who's responsible for what you know there are some term ties or 
  you don't want to be completely transparent but you want to know 
  that someone's responsible you want to have at least some amount 
  of what country are they from you know who's responsible is it 
  the same person as a different person in that's coming through 
  the supply chain.
Benjamin Collins:  And so the two aspects of this which we have 
  to building off of that are traceability interrupt and 
  traceability and drop is defining the API that we have a common 
  language we have a common understanding of a lot of these are 
  going to be exchanged from machine to machine so we have a way 
  that to say hey I'm going to send you these documents or the 
  Sunday sign documents as the specific data type are you ready to 
  receive it those kind of interactions is what we do on the.
Benjamin Collins:   Trump side of things.
Benjamin Collins:  Then on the traceability vocab side of things 
  is more the data model of we're building the Jason we're building 
  the schema there's the specific commercial invoice there's a 
  specific purchase order their documents and what are the 
  documents how are they framed what shape do they need to be in 
  and all these come in with json-ld out of the box so the scheming 
  forces json-ld in order to have semantics in order to get be able 
  to query over the grass and have.
Benjamin Collins:   Them all.
Benjamin Collins:  For people to pick up and be able to use.
Orie Steele:  So I would just add one comment on this piece the 
  traceability vocabulary it can be seen as a as a kind of profile 
  of the verifiable credential specification so it builds on the 
  openness of the verifiable credential specification but it also 
  adds additional requirements that enable interoperability so you 
  know these different rdf classes that Define the types are.
Orie Steele:   Bible credentials in the.
Orie Steele:  This working group you might see an already have 
  class for a Json schema credential or credentials a status list 
  credential those are types of verifiable credential but there are 
  kind of generic types right anyone could use Json schema anyone 
  can use status list these credential types our supply chain 
  specific credential types and you know their purpose is is to 
  communicate supply chain information.
Orie Steele:  Yeah so just anchoring some some of these rdf like 
  specific details in the context of the active work within the w3c 
  verifiable credentials working group go ahead then.
Benjamin Collins:  Okay thanks for jumping in and this kind of 
  covers the top high level business aspect of it are there any 
  questions or you wouldn't just want to go.
Orie Steele:  I'll stop you if I see any.
Benjamin Collins:  Okay let's keep going so one of the specific 
  mechanics we have for exchanging credentials is the traceable 
  presentation so the shape of pretzels traceable presentations is 
  defined in Trace vocab and one of the things we've done is extend 
  verifiable presentations to added a new profile on top of that 
  and the specific things that we've changed our with respect or 
  the specific things that we've defined our specific to the.
Benjamin Collins:   Supply chain.
Benjamin Collins:  Scenario so what we have is workflows and 
  workflows have a definition so if I want to import steel or if I 
  want to import an item into the United States there's a specific 
  flow that the government expects of hey there are these 
  credentials that we expect in this order pull not always in this 
  order but they are these credentials that we expect in order for 
  you to complete this process please send them to us and that can 
  be done by either government or that can be done between 
  businesses with businesses to say hey I'm sending you these lists 
Benjamin Collins:  It into this specific purpose and that's what 
  the definition is and you can go to that link and find what the 
  definition is what is the policy what is needed how can you be 
  compliant with respect to that workflow for that party and then 
  an instance is the specific case of what's being done for that 
  workflow so I'm importing steel what is this specific shipment 
  what is the specific product and so you can have multiple parties 
  working with the same instance of okay you can have the carrier 
  handing up.
Benjamin Collins:   To the broker who's.
Benjamin Collins:  To the men.
Benjamin Collins:  Actor and they're all talking about one 
  specific instance of Steel that's understood between these three 
Orie Steele:  Yep that's that's excellent I mean just to add 
  another analogy here that's not supply chain oriented you can 
  think of a definition is a kind of recipe you know you might have 
  a cookbook with many different recipes and the the recipe will 
  say you know these are the ingredients this is how you combine 
  them this is how long you bake these then you recombine so it's a 
  it's the definition is a description of some work that's going to 
  be completed you can think of.
Orie Steele:   It as a recipe and the instances are particular 
  attempts at the recipe.
Orie Steele:  Is there going to be successful sometimes you know 
  you present a credential that's required for the recipe but 
  there's problems with it or you need to make Corrections and it's 
  in the context of that particular attempt that you need some kind 
  of common correlation identifier so you can say oh you know I was 
  trying to bake a chocolate cake but I mix the dry ingredients and 
  correctly so I'm going to redo that.
Orie Steele:   Part and then I'm going to give the dry 
Orie Steele:  Next you know person that I'm baking my cake with 
  so they can try again with the correct mixture and so there's a 
  need to communicate this you know credentials over time in 
  relationship to previous credentials that have been communicated 
  over time and that's the purpose of why instances exist and you 
  can see here the traceable presentation already have class that's 
  an example of an extension to verifiable presentation which is.
Orie Steele:   Sort of like in the previous.
Orie Steele:  Time we talked about extensions to verifiable 
  credentials but this is an extension to verifiable presentations 
  and if you're wondering you know where other where else have 
  verifiable presentations been extended the diff presentation 
  exchange specification also extends verifiable presentations as 
  part of its definition.
Orie Steele:  Doesn't look like there's any questions so keep 
  going then.
Benjamin Collins:  Okay and that was one aspect that I think I 
  skipped over is we have a replace of if he sent the wrong invoice 
  with to the wrong instance to say hey I accidentally sent the 
  wrong invoice here's the correct one please replaces in this 
Benjamin Collins:  And so here's with workflows so this is 
  probably covering a lot of or you jumped in and said ad hoc is 
  that we're close our policy requirements that describe desired 
  outcome which parties and which varifocal lenses are needed and 
  workflow definitions are additive so if you're importing steel 
  into the United States you might indicate both a generic entry 
  form which is applied to everything and then you can add the 
  specific definition for your Steel on top of that to say.
Benjamin Collins:  Here's one workflow definition that applies to 
  any and all products and this in this use case and then 
  specifically with respect to steal here are the additive 
  requirements for this specific particle and then switching back 
  over to traceability interrupt so traceability interrupt is a 
  business and business business to government HTTP protocol so the 
  idea is we have an organization.
Benjamin Collins:   Ocean Discovery where we include the.
Benjamin Collins:  And the decentralized identifier we have a 
  security model for API protection based around Scopes and it's an 
  all-out to 2.0 based presentations so that you share credentials 
  ahead of time it's business trusted business parties exchanging 
  information with each other we have a profile test hardness of 
  HCG level implementation for Postman collections so what we do is 
  we have a lot of Postman collections specific around 
  interoperability and around conformance that you can.
Benjamin Collins:   Go to the repository get the postman 
  collections test them against your implementation.
Benjamin Collins:  Check to see if your Conformity or check to 
  see if your interoperable and with the parties and we have 
  involved in in Trace interrupt we're running nightly performance 
  and interrupt test to make sure we can constantly send 
  presentations to each other and it works between parties and that 
  we're conform it to all the underlying nitty-gritty aspects of 
  the suspect.
Benjamin Collins:  We're giving you a chance to jump in you.
Orie Steele:  I think we should probably go to the end and maybe 
  they'll be questions once we get to some of the other pieces I 
  could say more about this but I'll hold it until we have other 
  material to look at.
Benjamin Collins:  Okay and then this is a screenshot of the test 
  Suites so the idea is that it's document user-friendly tutorials 
  you can go to the link you can get the postman collection so you 
  can run them against an implementation and you can be able to see 
  what the expected result is for anything and then these are 
  screenshots of cross Fender interoperability so our vendors able 
  to send presentations to each other are they able to interrupt 
  what parts are they able to send what parts are still.
Benjamin Collins:   Missing what parts need to be upgraded and 
  working and so we're working on.
Benjamin Collins:  They painted green and then conformance report 
  you know this is specifically you know are you passing all 
  aspects of the test what needs to change and where is needed to 
  upgrade and then our implementation which is our product platform 
  that transmute that Industries we are have a suite of tools built 
  around implementing these standards to be interoperable.
Orie Steele:  These are Community drafts but they are profiles of 
  standards that w3c.
Benjamin Collins:  And I think that is the last slide so or if 
  you have anything to.
Orie Steele:  Sure so I guess one comment I wanted to make about 
  the presentation sort of experience I don't know if you can go 
  back to the traceable this this this will work so in a lot of the 
  protocols that you hear about communicating credentials.
Orie Steele:  Usually some human being that's in the loop so if 
  you for example if you're reading the open ID connect for 
  verifiable credential issue and specification which we saw 
  presentations on like last week that specification has a section 
  where there's the pre-authorized and then there's also a case 
  where you want to get consent from the human user to receive a 
  credential so in the case where you're presenting to a party 
  there is a.
Orie Steele:   I'm of Arif.
Orie Steele:  Tatian that's interactive and in that flow you will 
  get a challenge from the verifier and then you'll sign over that 
  challenge when you construct your presentation and that'll prove 
  that you're in possession of a key as the holder and that you can 
  sign over the challenge the verifier has chosen as the holder and 
  that prevents a kind of presentation replay attack but that 
  process is sort of expensive because the holder.
Orie Steele:   Needs to communicate with the verifier to get the 
Orie Steele:  Then the holder needs to sign with some keys that 
  are attributed to the holder and then the holder needs to present 
  to the verifier and in each of those like.
Orie Steele:  Shannon Scott you know could be a whole network 
  request which would mean you know DNS TLS HTTP there's a lot of 
  overhead there and there's lots of cases in supply chain or 
  business Communications where you don't want to get a push 
  notification to approve every transaction business makes so you 
  might want to have some automated policy that says you know when 
  I get a document from a party that.
Orie Steele:   I when I.
Orie Steele:  A party that I already have a business relationship 
  with I just review the document and if it's acceptable I forward 
  it to our legal department or to another supply chain partner and 
  so that kind of process you have a pre-existing of a established 
  Communication channel and you might be securing that Channel with 
  HTTP and you might be authenticating that Channel with something 
  like client credentials or private key JWT these are parameters.
Orie Steele:   Ant types that are created for the purpose of 
  authenticating service.
Orie Steele:  Not human individual users and so I want to make 
  this point sort of clear because it's often a point of confusion 
  regarding the traceability work items like we're not trying to 
  build a system where a supply chain actor has to constantly hold 
  their mobile phone and press buttons in order for credentials and 
  presentations to flow we want to build a system that you can set 
  up secure industry standards compliant.
Orie Steele:  Trusted channels and then data can move in really 
  high volume across those channels as quickly as possible we want 
  the data to reflect the standard but the channel itself that 
  might not look like something you see from oh author from open 
  iae you know foundation in the future because those are more 
  oriented towards like getting consent from Human individuals and 
  the kinds of apis that were thinking about.
Orie Steele:   Out for supply chain.
Orie Steele:  No transactions are like things that are kind of 
  closer to Kafka or grp see high-volume really compact binary you 
  you authentic you set up the trusted Channel and then it is a 
  really really high falling in pipe that operates until you know 
  you take the ends of the pipe apart.
Orie Steele:  I think that's that's basically the main thing I 
  wanted to say on the presentations piece and then I have some 
  other commentary on sort of what what's been happening in 
  recently and what are the key challenges the work items facing 
  but I see Harrison's on the Q Harrison go ahead.
Harrison_Tang: Now just to clarify so when there's multiple 
  layers in the supply chain so every supply chain actors will just 
  add when they're doing addictive information basically basically 
  they're just adding on to a verifiable presentations that is my 
  understanding correct or what.
Orie Steele:  Yes it's closed so first there's the three party 
  model so the issue or the holder and the verifier and those get 
  identifiers and then they make credentials and they make 
  presentations and that creates these graph structures you know if 
  I have the issue or signed some statement about this presentation 
  today that's a credential if I make another presentation to the 
Orie Steele:   Be in a.
Orie Steele:  And I'm the issuer of that credential as well if 
  you receive both of those presentations you would see that I've 
  made two presentations about the ccg so you're building is 
  knowledge graph of things that I've done and you only have 
  visibility into that Knowledge Graph if you're the recipient of a 
  presentation which contains fragments of this knowledge graph 
  which are secured as verifiable credentials.
Harrison_Tang: Got it why if if if I'm an intermediary and then I 
  got several issued credentials and then I want to ask several 
  informations and then and then we used to it well I be am I just 
  a presenter or can I change my role in to issuer.
Orie Steele:  So in a three-party model and actor can play all 
  three roles and in workflow setting it's actually pretty common 
  that a party will be a verifier first they will receive some 
  credentials from some other party they'll verify those 
  credentials and then they'll be an issuer to issue a new 
  credential so an example of that would be the Cima license flow 
  the verifier is Seema which is a.
Orie Steele:   See that issues steel import licenses.
Orie Steele:  And they verify an application signed by a steel 
  company and then they issue a license and there's lots of 
  scenarios like that in Supply chains today where first you sign a 
  document and you send it to some party and then a party reviews 
  that document and other information they have about you and if 
  it's acceptable they will then issue you a credential so it's 
  very common that you know there might be a verify first and then 
  be an issue or second flow it's.
Orie Steele:   Also possible that.
Orie Steele:  I d the only party that can make these claims about 
  your product so maybe you're the manufacturer and you have to 
  self attest to the quality of your product so that case you'll be 
  the producer of the artifact and the first issue of statements 
  about that artifact you might hire a third party to become a 
  reviewer of your artifact and then you would be communicating 
  information to that third party they would be verifying that.
Orie Steele:   And they would issue you.
Orie Steele:  A third party issue credential you know and you can 
  think about site inspections you know facility inspections 
  scenarios where we prefer to see a neutral third-party evaluate 
  whether a particular facility has met certain compliance 
Harrison_Tang: Thank you so in what situations would the scenario 
  described here in which like the presenters I guess the 
  presenters will add additional information on top of verifiable 
  presentations and pretend again like.
Orie Steele:  Yeah so I might get a credential and I might 
  present that credential with some other credentials to a new 
  party if I can't tamper with credentials I may be that I should 
  have said that I should have assumed it but if you change the 
  information in a credential you break the signature and so I can 
  add new credentials but I can't tamper with the credentials so I 
  have to decide am I going to just forward the credential as it 
  exists am I going to do some.
Orie Steele:  Redaction and then forward it and and those are the 
  kinds of or am I going to add new credentials and do some 
  redaction forward it so those are the kinds of operations that 
  the holder can perform prior to submitting to the verifier but 
  one thing to keep in mind is with respect to selective disclosure 
  sometimes there's keybinding that happens there and then you 
  can't keep you can't forward redacted document in the case that.
Orie Steele:   That there was some form of.
Orie Steele:  Levi because you won't be able to produce a 
  signature from the key that the document was bound to and that's 
  an important feature in supply chain security sometimes you want 
  a document that anyone who's in possession of it can further 
  redact in forwarded along and other times you want a document 
  that only the intended holder or subject of that document can 
  make presentations of.
Harrison_Tang: Thank you thanks for the clarification.
Orie Steele:  Okay so if there aren't any other questions that I 
  guess I'll talk briefly about some of the challenges we've had 
  with the work items so the first challenge has been working with 
  json-ld we actually built tooling to make it so that you could 
  assemble json-ld context from collections of annotated Json 
  schema and with the reason we invested in that tooling was we 
  found it difficult to get folks to think.
Orie Steele:   Think about credentials.
Orie Steele:  I'm while looking at a single large json-ld context 
  so a designer can think about just the type that they're trying 
  to build fairly easily but they don't want to have to think about 
  all of the you know for example all of the properties and 
  schema.org when they're building a credential maybe they just 
  want the organization type from schema.org so we tried 
  experimenting with like fragmenting.
Orie Steele:   Jason Aldean.
Orie Steele:  And merging json-ld and Json schema together and we 
  still rely on that tooling to build a core V2 context where the 
  V1 context for this item but it over time we've kind of moved 
  away from that pattern for credential design and the thing that I 
  would share about that is when you have.
Orie Steele:  A single credential type that has a lot of 
  references to other subtypes so for example you might have 
  agriculture inspection report and a steel inspection report and 
  they both depend on organization and they both depend on 
  inspection and inspection depends on chemical analysis and 
  chemical analysis depends on certain out periodic table elements 
  and quantitative value measurements and quantitative value 
Orie Steele:  On some unit type information and like you can see 
  this dependency Tree starts to get like really complicated and if 
  you keep it all with references then you have to navigate all of 
  those references in order to make sense of the top-level 
  credential type and what this looks like as a designer is you'll 
  go to the top level credential type and you'll see references and 
  you'll have to kind of trace the references in order to make 
  sense of what's going on and.
Orie Steele:   This is a.
Orie Steele:  Lead to a.
Orie Steele:  Errors and it leads to potentially making mistakes 
  in how you implement it and so what we've done is we've kind of 
  tended to produce inlined Jason schemas for credential types 
  instead of having all of these references we kind of collapse the 
  definition into a single file that the describes the credential 
  type and so that making those changes has been a substantial part 
  of the work over the last.
Orie Steele:   Last couple months we've been in line and.
Orie Steele:  Updating the json-ld definitions and improving the 
  quality of the credential types based on the lessons we've 
  learned from deploying so many different credential pipes in a 
  verifiable credentials ecosystem the other lesson that we've kind 
  of learned along the way here has been that.
Orie Steele:  Don't actually ever process this data as rdf so if 
  you are a processing supply chain information as rdf and when I 
  say as rdf I mean as application and quads or as a content type 
  that isn't Jason we're json-ld we we don't find a lot of people 
  who are processing or consuming credential information in that 
  format but we are.
Orie Steele:  Types in that format specifically to Aid with some 
  of these graph analysis and supply chain analytics pieces so one 
  area that we're looking for sort of feedback from the community 
  on is you know are you a implementer verifiable credentials 
  that's actually processing them as rdf for as jason'll date 
  because if you are taking advantage of json-ld or rdf any benefit 
  from this vocabulary but if you are processing.
Orie Steele:   Charles is just Jason this vocabulary is very much 
Orie Steele:  In a lot of ways we spent a lot of time defining 
  term definitions and URLs for you know json-ld structure that if 
  you're not going to use any of that then you know there's a lot 
  of work that's going into this work item that you know not no 
  ones benefiting from unless they're doing some transformation on 
  the data to benefit from all the work that goes into the json-ld 
  context and.
Orie Steele:   Yeah I would say.
Orie Steele:  That has been a general area of contention in the 
  work you could you could very quickly create a verifiable 
  credential that has very poor definitions for all its terms and 
  then at what point do you stop trying to improve those term 
  definitions when is a verifiable credentials definitions good 
  enough it creates sometimes it creates a lot of work for very 
  little value game at a certain point and so what that's another 
  thing we've learned from this process.
Orie Steele:   Process is especially when you have so many 
  different credential.
Orie Steele:  It's very hard to make each of them really high 
  quality to review all of the term definitions to make sure they 
  all have the right rdf types Etc and that has also consumed a lot 
  of work here you know as we've as we've made those improvements 
  to json-ld it's improve the usability of the supply chain graph 
Orie Steele:  Bottleneck moves very quickly to other areas where 
  like you just aren't getting the field you don't really care what 
  it's term definition is so we've also learned that Json schema is 
  probably more valuable upfront than json-ld and then after the 
  Json schema sort of working well then we come back we add The 
  json-ld annotation and the Json structure looks the same but the 
  term definitions are getting better over time.
Orie Steele:  I'm not sure what other comment oh I guess one 
  other comment is regarding verifiable credentials version 2 so 
  version two is underway at the w3c and we're we've already tried 
  upgrading and it there was a lot of pain and trying to do that so 
  one thing that we've learned is that you know the version to 
  upgrade is probably going to be.
Orie Steele:  It's going to be substantial and we're probably not 
  going to try and support both version 1 and version 2 so we 
  probably will just.
Orie Steele:  Ship a version of this or just not we kind of we 
  release these versions regularly so we probably will at some 
  point upgrade to version 2 and at the same time we will address 
  several other areas that are interoperability and conformance 
  testing has sort of discovered issues with so and I'm happy to 
  talk more about like those particular issues but when we upgrade 
  to version 2 we're going to add support for status list.
Orie Steele:  Version of the credential status mechanism we're 
  also going to add support for JWT selective disclosure which 
  gives it important a selective disclosure capability while also 
  meeting the government crypto regulatory environment space in 
  other words not using fancy brand new not approved crypto and the 
  other place where we will probably make you know some changes 
  will be around.
Orie Steele:  Or protocol so right now it's you know a lot of 
  oauth 2 client credentials and you would love for that to be 
  something that's higher volume than HTTP we just don't think the 
  HTTP model is going to address the scale problem that we see in 
  the supply chain space and I should also mention the scale issue 
  is also a factor in choosing a selective disclosure Json web 
  tokens when.
Orie Steele:   You promise.
Orie Steele:  Models is already F if it's a presentation of 
  several Mill test reports that is a very expensive rdf processing 
  operation because there's lots of arrays lots of term definitions 
  potentially many different contexts URLs that have to be loaded 
  and you're ordering and canonicalizing all of this data and they 
  can take like you know without any optimization it can take 
  minutes to finish successfully.
Orie Steele:  Using several Mill test reports and so we know that 
  that operation isn't even actually necessary to transmit the data 
  so the Json web token selective disclosure approach will happily 
  give us a selective disclosure verifiable presentation without 
  doing any of that processing and all of the intermediaries won't 
  have to do any of that processing to verify it but some of them 
  that are interested in the supply chain analysis or graph 
  analysis or threat intelligence work.
Orie Steele:   Can still do that work.
Orie Steele:  To and we'll take some amount of time in order to 
  import that information graph with all of its json-ld terms fully 
  defined so we want to preserve that capability but we don't want 
  it to be a limiting factor on the transport protocol or 
  presentation exchange flows we don't think that canonicalizing is 
  a requirement for making supply chain or in the presentations you 
  think it's a requirement for getting a consistent view over data 
  that you've already verified.
Orie Steele:  You want to do graph analysis that relies on it.
Orie Steele:  So that's a lot of technical rambling happy to 
  answer any further questions folks might have.
Harrison_Tang: Hiyori I have a question can you go a little bit 
  deeper into why you need link graph like json-ld in supply chain 
  for the use cases like how do people use like graph analysis on 
  supply chain because I know json-ld is popular in SEO search 
  engine optimization because Google actually want websites to do 
  it right so for example our website support json-ld in in our 
  Pages because that's that's.
Harrison_Tang: And score but I'm just curious like why are the 
  benefits and the original intention of using json-ld as opposed 
  to just simple Json like you just mentioned in the supply chain 
  use cases.
Orie Steele:  Sure so first I'll give a plug for a future pull 
  request that man is on the hook for which is the value of the 
  json-ld data model and verifiable credentials version 2 so there 
  is the working group intends to answer that question in the next 
  version of the technical recommendation and if you review the 
  pull requests or issues related to that or you see that you know 
  man who hasn't captured what you think the value of json-ld is 
  accurately please.
Orie Steele:   Contribute to that.
Orie Steele:  I'm discussion that's going to happen you know in 
  the VC data model repo so in the context of supply chain 
  scenarios I guess I will just back up for a second and talk about 
Orie Steele:  What's the mission objective for the from the 
  business side you're consuming supply chain information and 
  you're trying to either do a values based optimization on it so 
  for example I want to buy from suppliers that reduce their 
  environmental impact or that Source ingredients locally whatever 
  values I might have as a supplier who depends on other suppliers 
  I need to evaluate the products that they're giving me and the.
Orie Steele:   Assess that.
Orie Steele:  Sing them to see if they meet you know my 
  expectations or that we have alignment and I might want to find a 
  supplier who supports local farmers better or uses less wheat in 
  their product or whatever it might be so I need to understand 
  what I'm consuming and what went into producing it in order to do 
  that values based optimization and then the other side is risk 
  assessment like there's a lot of.
Orie Steele:  A lot of this sugar ingredient here like I don't 
  feel comfortable with that much sugar going into my chocolate 
  cake you know and so if you're doing that kind of analysis you 
  have kind of two options option number one is you can take the 
  data and whatever quality you can get and you're going to 
  normalize it and process it and try and make sense of it and 
  you're probably going to apply a lot of Hardcore statistics you 
  know machine learning you're going to build.
Orie Steele:   Old model for.
Orie Steele:  We handling how messy the real world data is and 
  then the other approach is sort of the old school way I approach 
  where you ask your supplier to like invest in fully describing 
  what it is they're making so you can process it in an automated 
  fashion without a complicated statistical model and that second 
  category kind of aligns with the verifiable credentials as 
  json-ld World it says I'm going to convince you to do all of this 
  upfront work to make.
Orie Steele:  Data of the highest quality and then I'm going to 
  consume it without running it through you know so many heavy 
  machine learning models so that I can like make sense of it you 
  can blend these two approaches together I think the market has 
  generally rewarded the messy data plus expensive machine learning 
  approach and that is definitely a factor in sort of thinking 
  about future versions of verifiable credentials.
Orie Steele:   But I.
Orie Steele:  You in premium Brands doing the work up front to 
  create credentials that represent statements about their product 
  or statements that third-party made about their product that are 
  of the highest quality data inputs and then being able to do 
  machine processing on top of them so I saw Brian raised his hand 
  Brian ask your question.
Brian Richter:  Yeah I was wondering if you could talk a little 
  bit more about like the workflows and their definitions and stuff 
  I see the stuff on the left there and right there I'm just 
  wondering kind of what on a more technical level how does that 
Orie Steele:  Sure so you know if you think about the three party 
  model there's the issue or to holder flow and that's the open ID 
  connect for a verifiable credential issuance protocol and then 
  there's the holder to verify our flow and that's open ID connect 
  for verifiable presentations and you know generally speaking when 
  you're doing secured information exchange it's kind of a it's a.
Orie Steele:   It's a.
Orie Steele:  Teaching graph basically where you have a party 
  presenting information to another party for some business purpose 
  or you know they're not just disclosing this information that's 
  been cryptographically signed for no reason they're hoping to get 
  some benefit at the end of it either an ability to do that values 
  based optimization where that works management and so workflows 
  are away of.
Orie Steele:   And you know we.
Orie Steele:  Here but like we didn't invent the concept of 
  workflow like there's several specifications that Inspire our 
  concept of workflow definitions and workflow instances the most 
  relevant one to this work is called bpmn which is stands for 
  business process modeling notation from the OMG which is the 
  standards organization that created bpmn but they also created 
  like korba like some some older XML.
Orie Steele:   Wanted data transfer object.
Orie Steele:  It hurts but those if you've seen business process 
  modeling notation diagrams they have a start they have a series 
  of tasks they have decision points they emit data or they consume 
  other workflows and then they have an end and you've probably 
  seen versions of them where you have like three or four actors 
  and there's a channel where you know this guy starts he makes 
  this thing he hands it to this other guy over here he evaluates 
  it if it's yes.
Orie Steele:   Yes he goes.
Orie Steele:  If it's no he sends it you know back to the first 
  guy and then at the very end the whole thing completes with the 
  sort of success or failure status that visual diagram is a 
  workflow definition it's actually called definition and bpmn so 
  we really we really borrowed from their concept and then 
  instances of that definition are executions of it and in bpmn you 
  can actually can actually execute workflows you.
Orie Steele:   There with a human in the loop or just as a purely 
  automated workflow.
Orie Steele:  Of them gets an instance ID and that's where 
  instance ID concept came from the challenging part for workflows 
  is composability so how can I take a workflow it's really 
  complicated and split it into three or four smaller workflows 
  that are really simple and if I'm looking just at the smaller 
  workflow that's really simple it's probably easier for me to 
  optimize it.
Orie Steele:   But if I'm looking at a really.
Orie Steele:  Complicated supply chain workflow is just one giant 
  definition it's going to be really easy for there to be mistakes 
  in there and so this idea of workflow composability you have to 
  have a way of relating the two presentations or related to to 
  workflow definitions or a presentation is related to multiple 
  instances like maybe I started a presentation and then the 
  customer called and their requirements change and I had to start 
Orie Steele:   Another instance for the new changed presentation 
  but already.
Orie Steele:  And data along the way so how do I relate that I 
  started this process requirements changed not have to start a new 
  process and that's why you see workflow definitions and instances 
  in the traceable presentation as a raise of identifiers because 
  you can group like multiple definitions together by making a 
  presentation that contains both of them and you can do the same 
  thing for instances.
Orie Steele:  Gives some additional detail we've got two minutes 
  left before the five-minute warning so I can take maybe one more 
  question but I'll leave it to the chairs.
Kimberly Linson:  Any final thoughts.
Kimberly Linson:  Alright well thank you Lori and Ben Ben you did 
  a great job this is this was really helpful presentation to 
  understanding traceability for me as I as I plugged through the 
  spec this morning so thank you both and thank you everyone for 
  today and we will talk to you next week.
<ben_-_transmute> thank you
<harrison_tang> Thank you, Orie and Ben
<rachel_donahue_(she/they)_-_digital_promise> Thank you!

Received on Tuesday, 5 September 2023 22:28:39 UTC