[MINUTES] W3C CCG Credentials CG Call - 2023-09-05

Thanks to Our Robot Overlords for scribing this week!

The transcript for the call is now available here:

https://w3c-ccg.github.io/meetings/2023-09-05/

Full text of the discussion follows for W3C archival purposes.
Audio of the meeting is available at the following location:

https://w3c-ccg.github.io/meetings/2023-09-05/audio.ogg

----------------------------------------------------------------
W3C CCG Weekly Teleconference Transcript for 2023-09-05

Agenda:
  https://www.w3.org/Search/Mail/Public/advanced_search?hdr-1-name=subject&hdr-1-query=%5BAGENDA&period_month=Sep&period_year=2023&index-grp=Public__FULL&index-type=t&type-index=public-credentials&resultsperpage=20&sortby=date
Organizer:
  Mike Prorock, Kimberly Linson, Harrison Tang
Scribe:
  Our Robot Overlords
Present:
  Harrison Tang, Bob Wyman, Erica Connell, Benjamin Collins, 
  Kimberly Linson, Chandi Cumaranatunge, Nis Jespersen , pauld gs1, 
  TallTed // Ted Thibodeau (he/him) (OpenLinkSw.com), Sharon Leu, 
  Kaliya Young, Orie Steele, Geun-Hyung, Jeff O - HumanOS, Leo, 
  David I. Lehn, Joe Andrieu, Benjamin Young, Brian Richter, 
  Vanessa , Kerri Lemoie, Sam Smith, BrentZ, David Waite, David E 
  Waite, Wendy Seltzer

<harrison_tang> We will wait for a couple minutes for other 
  people to stroll in
Our Robot Overlords are scribing.
Kimberly Linson: 
  https://w3c-ccg.github.io/traceability-interop/draft/
Kimberly Linson:  All right great welcome everybody we have Orie 
  joining us today to talk about traceability and one of the things 
  that I actually am going to put in the chat is that I tried to do 
  my homework today and look through the draft of the spec which 
  does give a little bit of a good context and actually that's one 
  of the things I really appreciate about Orie so in advance or a 
  before we get started.
Kimberly Linson:   Charted on I definitely hope that you'll kind 
  of looks like we have some.
Kimberly Linson:  Folks in the call today so if you kind of give 
  the background and an explanation of how this is used to that 
  would be great to take care of the housekeeping stuff real 
  quickly so that we can get over to Orie I will remind everyone 
  that we are focused on.
Kimberly Linson:  Is a Tory meeting that follows the code of 
  ethics and professional conduct if you want to refresh yourself 
  on that it's in the agenda we look forward to having everybody 
  participate in these meetings if you are planning to be a 
  substantial contributor which we would really love for you to do 
  then please make sure you have a W3C account and that you have 
  signed the contributor licensure agreement both of the links to 
  those are in the agenda and we keep a record of.
Kimberly Linson:   Of these calls.
Kimberly Linson:  And so please know that please when we are we 
  use the chat to organize the queue and organized the discussion 
  that's kind of the role that I take on today so if you want to 
  add yourself to the queue you can just add q+ and that will add 
  you and I'll kind of monitor that as the conversation is going 
  and at this point I would love to invite anyone who is new to the 
  community or hasn't been here for a while or just test something.
Kimberly Linson:   Interesting that they want to say about the 
  work they've been doing.
Kimberly Linson:  Had to go ahead and do an introduction or 
  reintroduction.
Rachel_Donahue_(she/they)_-_Digital_Promise: Hi everyone I'm 
  Rachel I am part of Digital Promise and we are working with MIT's 
  Digital Credentials Consortium to come up with a full stack open 
  badging solution and I was invited to participate in the meeting 
  so it's really good like exciting to be here yeah thank you so 
  much and I'm out of Portland Oregon.
<harrison_tang> Welcome, Rachel !!
Kimberly Linson:  Thanks Rachel we do a lot of work with a 
  Digital Promise team so I was very excited when I when I got your 
  notification that you had joined so thank you for introducing 
  yourself and we're really glad you're here.
<rachel_donahue_(she/they)_-_digital_promise> Thanks everyone!
Kimberly Linson:  Anyone else that would like to.
Kimberly Linson:  All right how about announcements and 
  reminders.
Kimberly Linson:  I know we have some of those.
Kimberly Linson:  Kaliya can I call on you to.
Kimberly Linson:  Give us an update on the plans for IIW.
Kaliya Young:  Hi sure the Internet Identity Workshop is coming 
  up October 10 through 12 in Mountain View California there is a 
  plethora of pre-event Monday There's Something there's an OB D 
  Foundation thing there's VRM Day there's a diff of plugfest and 
  there's an Open Wallet Foundation thing that in the planning so 
  stay tuned for those.
Kaliya Young:  Like if you can arrive Sunday night it's better 
  because you can do all the fun Monday things too but yeah it's 
  going to be great and we're committed to accessibility so if you 
  want to be there and.
Kaliya Young:  The prices are an issue you can reach out to us 
  all help work with you to help you get there.
Kaliya Young:  You know and yeah happy to answer any questions 
  I'll put a link in the chat.
Kimberly Linson:  Great it's like a month away I'm so excited.
Kaliya Young:  I know it's crazy it's really right around the 
  corner okay.
Kimberly Linson:  It is amazing how quickly time is going 
  Harrison.
Kaliya Young: https://internetidentityworkshop.com/
Harrison_Tang: Yo it's just like to add that on that Tuesday the 
  CCG will hold a hybrid open house at IIW but it's at 12 p.m. noon 
  3 p.m. eastern time because IIW has the circle right Circle 
  discussions at 9:00 9:00 a.m. so yeah so Kimberly will be there 
  unfortunately I won't be there physically because I'm about to 
  have a new baby my fourth one so.
Harrison_Tang:  so so I won't be there but I will join the.
<ben_-_transmute> congrats!
<rachel_donahue_(she/they)_-_digital_promise> :angel:
Harrison_Tang: And and everyone is no there at IIW or can join 
  virtually just so feel free to join I'll send out the agenda a 
  week in advance thanks.
Kimberly Linson:  I hope that you'll be joining with the little 
  little swaddled up infant that would be happy really fun we'll 
  have to show have to share video though if we do that anyone else 
  with an announcement reminder.
<harrison_tang> thanks everyone
Erica Connell:  I have one Kimberly this is a Erica hi everybody 
  happy Tuesday friendly reminder about Rebooting the Web of Trust 
  is coming up just in a couple weeks September 18th to the 22nd in 
  Cologne there are scholarships available I will put the 
  Eventbrite link in the chat thank you that's it.
Erica Connell: https://rwot12.eventbrite.com/
Kimberly Linson:  There is definitely a lot going on this fall 
  anyone else who'd like to.
Kimberly Linson:  Let us know about anything.
Kimberly Linson:  All right well then I am going to go ahead and 
  turn it over to Orie who can talk to us about traceability and I 
  will moderate the queue for you and it's all yours.
Orie Steele:  Awesome hi everyone I'm Orie Steele I'm CTO and 
  co-founder of Transmute my background's in cybersecurity and I'm 
  author of the Decentralized Identifier specification at W3C one 
  of many authors I'm editor of various specifications in the 
  Verifiable Credentials Working Group and today I'm here to talk 
  to you about two Credentials Community.
Orie Steele:  Items which is really one work item with two 
  repos which we call traceability or just traceability of 
  vocabulary traceability API interoperability however in typical 
  fashion I'm actually going to have one of our team members Ben 
  present this work and I'll be here to answer any questions you 
  might have as we go through the deck Ben is one of our most.
Orie Steele:   Active contributors to this.
Orie Steele:  He does a lot of the pull requests from our team 
  you know with basically Ben and Nis who are doing a lot of the 
  contribution to the work and I'll pass the ball to Ben you can 
  give a quick intro and then do screen share and let's kick it 
  off.
Benjamin Collins:  Okay all right I guess I'll go ahead and pick 
  up the ball here hello my name is Ben I am the technical product 
  owner over at Transmute and I am an author on the traceability 
  vocab and interop projects I guess you would call them and so 
  yeah I guess I can go we can go ahead and get started with the 
  presentation.
Benjamin Collins:  It's okay so just confirmation is my screen 
  shared.
Orie Steele:  Yes and I can see the chat as well although they'll 
  probably interrupt in case there's anything to discuss do you 
  want to take questions as we go through or do you want to try and 
  hold questions for the end.
Orie Steele:  I'll probably cut Ben off if I see you have a 
  question let's get started.
Benjamin Collins:  I think it's perfectly fine to go ahead and 
  interject is as you come up with something something so go ahead 
  and hit q+ in the chat and I'll let the moderator interject 
  okay so let's go we're going to go Theo traceability vocab and 
  traceability interop and so to start out we kind of want to frame 
  the higher level business vertical that we're working with and 
  that's specifically supply chains and so supply chain.
Benjamin Collins:   Is are working with old platforms.
Benjamin Collins:  Lot of old technology as we see with the 
  screenshot that notepad here has in this is word XML would be a 
  huge upgrade over what's currently happening but you have a lot 
  of small jurisdictions you have a lot of companies yell a lot of 
  countries it's very fragmented and there's a lot of very narrow 
  use cases and so what we're trying to do is you know build up the 
  scalability build up the security built up the trust and one of 
  the biggest reasons that we've added traceability.
Benjamin Collins:   Leti on to the front of it is you know 
  include that.
Benjamin Collins:  You know where the supplier is coming from 
  who's responsible for what you know there are some term ties or 
  you don't want to be completely transparent but you want to know 
  that someone's responsible you want to have at least some amount 
  of what country are they from you know who's responsible is it 
  the same person as a different person in that's coming through 
  the supply chain.
Benjamin Collins:  And so the two aspects of this which we have 
  to building off of that are traceability interop and 
  traceability interop is defining the API that we have a common 
  language we have a common understanding of a lot of these are 
  going to be exchanged from machine to machine so we have a way 
  that to say hey I'm going to send you these documents or the 
  Sunday sign documents as the specific data type are you ready to 
  receive it those kind of interactions is what we do on the.
Benjamin Collins:   Interop side of things.
Benjamin Collins:  Then on the traceability vocab side of things 
  is more the data model of we're building the JSON we're building 
  the schema there's the specific commercial invoice there's a 
  specific purchase order their documents and what are the 
  documents how are they framed what shape do they need to be in 
  and all these come in with json-ld out of the box so the schema 
  enforces json-ld in order to have semantics in order to get be able 
  to query over the graph and have.
Benjamin Collins:   Them all.
Benjamin Collins:  For people to pick up and be able to use.
Orie Steele:  So I would just add one comment on this piece the 
  traceability vocabulary it can be seen as a as a kind of profile 
  of the verifiable credential specification so it builds on the 
  openness of the verifiable credential specification but it also 
  adds additional requirements that enable interoperability so you 
  know these different RDF classes that define the types are.
Orie Steele:   Bible credentials in the.
Orie Steele:  This working group you might see an RDF 
  class for a JSON Schema credential or credentials a status list 
  credential those are types of verifiable credential but there are 
  kind of generic types right anyone could use JSON Schema anyone 
  can use status list these credential types are supply chain 
  specific credential types and you know their purpose is is to 
  communicate supply chain information.
Orie Steele:  Yeah so just anchoring some some of these RDF like 
  specific details in the context of the active work within the W3C 
  Verifiable Credentials Working Group go ahead Ben.
Benjamin Collins:  Okay thanks for jumping in and this kind of 
  covers the top high level business aspect of it are there any 
  questions or you wouldn't just want to go.
Orie Steele:  I'll stop you if I see any.
Benjamin Collins:  Okay let's keep going so one of the specific 
  mechanics we have for exchanging credentials is the traceable 
  presentation so the shape of pretzels traceable presentations is 
  defined in Trace vocab and one of the things we've done is extend 
  verifiable presentations to added a new profile on top of that 
  and the specific things that we've changed are with respect or 
  the specific things that we've defined are specific to the.
Benjamin Collins:   Supply chain.
Benjamin Collins:  Scenario so what we have is workflows and 
  workflows have a definition so if I want to import steel or if I 
  want to import an item into the United States there's a specific 
  flow that the government expects of hey there are these 
  credentials that we expect in this order pull not always in this 
  order but they are these credentials that we expect in order for 
  you to complete this process please send them to us and that can 
  be done by either government or that can be done between 
  businesses with businesses to say hey I'm sending you these lists 
  of.
Benjamin Collins:  It into this specific purpose and that's what 
  the definition is and you can go to that link and find what the 
  definition is what is the policy what is needed how can you be 
  compliant with respect to that workflow for that party and then 
  an instance is the specific case of what's being done for that 
  workflow so I'm importing steel what is this specific shipment 
  what is the specific product and so you can have multiple parties 
  working with the same instance of okay you can have the carrier 
  handing up.
Benjamin Collins:   To the broker who's.
Benjamin Collins:  To the men.
Benjamin Collins:  Actor and they're all talking about one 
  specific instance of Steel that's understood between these three 
  parties.
Orie Steele:  Yep that's that's excellent I mean just to add 
  another analogy here that's not supply chain oriented you can 
  think of a definition is a kind of recipe you know you might have 
  a cookbook with many different recipes and the the recipe will 
  say you know these are the ingredients this is how you combine 
  them this is how long you bake these then you recombine so it's a 
  it's the definition is a description of some work that's going to 
  be completed you can think of.
Orie Steele:   It as a recipe and the instances are particular 
  attempts at the recipe.
Orie Steele:  Is there going to be successful sometimes you know 
  you present a credential that's required for the recipe but 
  there's problems with it or you need to make Corrections and it's 
  in the context of that particular attempt that you need some kind 
  of common correlation identifier so you can say oh you know I was 
  trying to bake a chocolate cake but I mix the dry ingredients 
  incorrectly so I'm going to redo that.
Orie Steele:   Part and then I'm going to give the dry 
  ingredients.
Orie Steele:  Next you know person that I'm baking my cake with 
  so they can try again with the correct mixture and so there's a 
  need to communicate this you know credentials over time in 
  relationship to previous credentials that have been communicated 
  over time and that's the purpose of why instances exist and you 
  can see here the traceable presentation RDF class that's 
  an example of an extension to verifiable presentation which is.
Orie Steele:   Sort of like in the previous.
Orie Steele:  Time we talked about extensions to verifiable 
  credentials but this is an extension to verifiable presentations 
  and if you're wondering you know where other where else have 
  verifiable presentations been extended the DIF Presentation 
  Exchange specification also extends verifiable presentations as 
  part of its definition.
Orie Steele:  Doesn't look like there's any questions so keep 
  going Ben.
Benjamin Collins:  Okay and that was one aspect that I think I 
  skipped over is we have a replace of if he sent the wrong invoice 
  with to the wrong instance to say hey I accidentally sent the 
  wrong invoice here's the correct one please replaces in this 
  instance.
Benjamin Collins:  And so here's with workflows so this is 
  probably covering a lot of Orie jumped in and said ad hoc is 
  that workflows are policy requirements that describe desired 
  outcome which parties and which verifiable credentials are needed and 
  workflow definitions are additive so if you're importing steel 
  into the United States you might indicate both a generic entry 
  form which is applied to everything and then you can add the 
  specific definition for your steel on top of that to say.
Benjamin Collins:  Here's one workflow definition that applies to 
  any and all products and this in this use case and then 
  specifically with respect to steel here are the additive 
  requirements for this specific particle and then switching back 
  over to traceability interop so traceability interop is a 
  business and business business to government HTTP protocol so the 
  idea is we have an organization.
Benjamin Collins:   Ocean Discovery where we include the.
Benjamin Collins:  And the decentralized identifier we have a 
  security model for API protection based around scopes and it's an 
  OAuth 2.0 based presentations so that you share credentials 
  ahead of time it's business trusted business parties exchanging 
  information with each other we have a profile test harness of 
  HCG level implementation for Postman collections so what we do is 
  we have a lot of Postman collections specific around 
  interoperability and around conformance that you can.
Benjamin Collins:   Go to the repository get the Postman 
  collections test them against your implementation.
Benjamin Collins:  Check to see if you're conformant or check to 
  see if you're interoperable and with the parties and we have 
  involved in in Trace interop we're running nightly performance 
  and interop test to make sure we can constantly send 
  presentations to each other and it works between parties and that 
  we're conformant to all the underlying nitty-gritty aspects of 
  the spec.
Benjamin Collins:  We're giving you a chance to jump in you.
Orie Steele:  I think we should probably go to the end and maybe 
  they'll be questions once we get to some of the other pieces I 
  could say more about this but I'll hold it until we have other 
  material to look at.
Benjamin Collins:  Okay and then this is a screenshot of the test 
  suites so the idea is that it's document user-friendly tutorials 
  you can go to the link you can get the Postman collection so you 
  can run them against an implementation and you can be able to see 
  what the expected result is for anything and then these are 
  screenshots of cross-vendor interoperability so are vendors able 
  to send presentations to each other are they able to interop 
  what parts are they able to send what parts are still.
Benjamin Collins:   Missing what parts need to be upgraded and 
  working and so we're working on.
Benjamin Collins:  They painted green and then conformance report 
  you know this is specifically you know are you passing all 
  aspects of the test what needs to change and where is needed to 
  upgrade and then our implementation which is our product platform 
  that transmute that Industries we are have a suite of tools built 
  around implementing these standards to be interoperable.
Orie Steele:  These are Community drafts but they are profiles of 
  standards that W3C.
Benjamin Collins:  And I think that is the last slide so Orie if 
  you have anything to.
Orie Steele:  Sure so I guess one comment I wanted to make about 
  the presentation sort of experience I don't know if you can go 
  back to the traceable this this this will work so in a lot of the 
  protocols that you hear about communicating credentials.
Orie Steele:  Usually some human being that's in the loop so if 
  you for example if you're reading the open ID connect for 
  verifiable credential issue and specification which we saw 
  presentations on like last week that specification has a section 
  where there's the pre-authorized and then there's also a case 
  where you want to get consent from the human user to receive a 
  credential so in the case where you're presenting to a party 
  there is a.
Orie Steele:   I'm of Arif.
Orie Steele:  Tatian that's interactive and in that flow you will 
  get a challenge from the verifier and then you'll sign over that 
  challenge when you construct your presentation and that'll prove 
  that you're in possession of a key as the holder and that you can 
  sign over the challenge the verifier has chosen as the holder and 
  that prevents a kind of presentation replay attack but that 
  process is sort of expensive because the holder.
Orie Steele:   Needs to communicate with the verifier to get the 
  challenge.
Orie Steele:  Then the holder needs to sign with some keys that 
  are attributed to the holder and then the holder needs to present 
  to the verifier and in each of those like.
Orie Steele:  Shannon Scott you know could be a whole network 
  request which would mean you know DNS TLS HTTP there's a lot of 
  overhead there and there's lots of cases in supply chain or 
  business Communications where you don't want to get a push 
  notification to approve every transaction business makes so you 
  might want to have some automated policy that says you know when 
  I get a document from a party that.
Orie Steele:   I when I.
Orie Steele:  A party that I already have a business relationship 
  with I just review the document and if it's acceptable I forward 
  it to our legal department or to another supply chain partner and 
  so that kind of process you have a pre-existing of a established 
  Communication channel and you might be securing that Channel with 
  HTTP and you might be authenticating that Channel with something 
  like client credentials or private key JWT these are parameters.
Orie Steele:   Ant types that are created for the purpose of 
  authenticating service.
Orie Steele:  Not human individual users and so I want to make 
  this point sort of clear because it's often a point of confusion 
  regarding the traceability work items like we're not trying to 
  build a system where a supply chain actor has to constantly hold 
  their mobile phone and press buttons in order for credentials and 
  presentations to flow we want to build a system that you can set 
  up secure industry standards compliant.
Orie Steele:  Trusted channels and then data can move in really 
  high volume across those channels as quickly as possible we want 
  the data to reflect the standard but the channel itself that 
  might not look like something you see from oh author from open 
  iae you know foundation in the future because those are more 
  oriented towards like getting consent from Human individuals and 
  the kinds of APIs that we're thinking about.
Orie Steele:   Out for supply chain.
Orie Steele:  No transactions are like things that are kind of 
  closer to Kafka or gRPC high-volume really compact binary you 
  you authentic you set up the trusted Channel and then it is a 
  really really high falling in pipe that operates until you know 
  you take the ends of the pipe apart.
Orie Steele:  I think that's that's basically the main thing I 
  wanted to say on the presentations piece and then I have some 
  other commentary on sort of what what's been happening in 
  recently and what are the key challenges the work items facing 
  but I see Harrison's on the Q Harrison go ahead.
Harrison_Tang: Now just to clarify so when there's multiple 
  layers in the supply chain so every supply chain actors will just 
  add when they're doing additive information basically basically 
  they're just adding on to a verifiable presentations that is my 
  understanding correct or what.
Orie Steele:  Yes it's close so first there's the three party 
  model so the issuer the holder and the verifier and those get 
  identifiers and then they make credentials and they make 
  presentations and that creates these graph structures you know if 
  I have the issuer signed some statement about this presentation 
  today that's a credential if I make another presentation to the 
  CCG.
Orie Steele:   Be in a.
Orie Steele:  And I'm the issuer of that credential as well if 
  you receive both of those presentations you would see that I've 
  made two presentations about the CCG so you're building this 
  knowledge graph of things that I've done and you only have 
  visibility into that Knowledge Graph if you're the recipient of a 
  presentation which contains fragments of this knowledge graph 
  which are secured as verifiable credentials.
Harrison_Tang: Got it why if if if I'm an intermediary and then I 
  got several issued credentials and then I want to ask several 
  informations and then and then we used to it well I be am I just 
  a presenter or can I change my role in to issuer.
Orie Steele:  So in a three-party model an actor can play all 
  three roles and in workflow setting it's actually pretty common 
  that a party will be a verifier first they will receive some 
  credentials from some other party they'll verify those 
  credentials and then they'll be an issuer to issue a new 
  credential so an example of that would be the Cima license flow 
  the verifier is Seema which is a.
Orie Steele:   See that issues steel import licenses.
Orie Steele:  And they verify an application signed by a steel 
  company and then they issue a license and there's lots of 
  scenarios like that in supply chains today where first you sign a 
  document and you send it to some party and then a party reviews 
  that document and other information they have about you and if 
  it's acceptable they will then issue you a credential so it's 
  very common that you know there might be a verify first and then 
  be an issuer second flow it's.
Orie Steele:   Also possible that.
Orie Steele:  I d the only party that can make these claims about 
  your product so maybe you're the manufacturer and you have to 
  self attest to the quality of your product so that case you'll be 
  the producer of the artifact and the first issuer of statements 
  about that artifact you might hire a third party to become a 
  reviewer of your artifact and then you would be communicating 
  information to that third party they would be verifying that.
Orie Steele:   And they would issue you.
Orie Steele:  A third party issue credential you know and you can 
  think about site inspections you know facility inspections 
  scenarios where we prefer to see a neutral third-party evaluate 
  whether a particular facility has met certain compliance 
  requirements.
Harrison_Tang: Thank you so in what situations would the scenario 
  described here in which like the presenters I guess the 
  presenters will add additional information on top of verifiable 
  presentations and pretend again like.
Orie Steele:  Yeah so I might get a credential and I might 
  present that credential with some other credentials to a new 
  party if I can't tamper with credentials I may be that I should 
  have said that I should have assumed it but if you change the 
  information in a credential you break the signature and so I can 
  add new credentials but I can't tamper with the credentials so I 
  have to decide am I going to just forward the credential as it 
  exists am I going to do some.
Orie Steele:  Redaction and then forward it and and those are the 
  kinds of or am I going to add new credentials and do some 
  redaction forward it so those are the kinds of operations that 
  the holder can perform prior to submitting to the verifier but 
  one thing to keep in mind is with respect to selective disclosure 
  sometimes there's keybinding that happens there and then you 
  can't keep you can't forward redacted document in the case that.
Orie Steele:   That there was some form of.
Orie Steele:  Levi because you won't be able to produce a 
  signature from the key that the document was bound to and that's 
  an important feature in supply chain security sometimes you want 
  a document that anyone who's in possession of it can further 
  redact and forward it along and other times you want a document 
  that only the intended holder or subject of that document can 
  make presentations of.
Harrison_Tang: Thank you thanks for the clarification.
Orie Steele:  Okay so if there aren't any other questions that I 
  guess I'll talk briefly about some of the challenges we've had 
  with the work items so the first challenge has been working with 
  json-ld we actually built tooling to make it so that you could 
  assemble json-ld context from collections of annotated JSON 
  Schema and with the reason we invested in that tooling was we 
  found it difficult to get folks to think.
Orie Steele:   Think about credentials.
Orie Steele:  I'm while looking at a single large json-ld context 
  so a designer can think about just the type that they're trying 
  to build fairly easily but they don't want to have to think about 
  all of the you know for example all of the properties and 
  schema.org when they're building a credential maybe they just 
  want the organization type from schema.org so we tried 
  experimenting with like fragmenting.
Orie Steele:   JSON-LD.
Orie Steele:  And merging json-ld and JSON Schema together and we 
  still rely on that tooling to build a core V2 context where the 
  V1 context for this item but it over time we've kind of moved 
  away from that pattern for credential design and the thing that I 
  would share about that is when you have.
Orie Steele:  A single credential type that has a lot of 
  references to other subtypes so for example you might have 
  agriculture inspection report and a steel inspection report and 
  they both depend on organization and they both depend on 
  inspection and inspection depends on chemical analysis and 
  chemical analysis depends on certain out periodic table elements 
  and quantitative value measurements and quantitative value 
  measurements.
Orie Steele:  On some unit type information and like you can see 
  this dependency tree starts to get like really complicated and if 
  you keep it all with references then you have to navigate all of 
  those references in order to make sense of the top-level 
  credential type and what this looks like as a designer is you'll 
  go to the top level credential type and you'll see references and 
  you'll have to kind of trace the references in order to make 
  sense of what's going on and.
Orie Steele:   This is a.
Orie Steele:  Lead to a.
Orie Steele:  Errors and it leads to potentially making mistakes 
  in how you implement it and so what we've done is we've kind of 
  tended to produce inlined JSON Schemas for credential types 
  instead of having all of these references we kind of collapse the 
  definition into a single file that the describes the credential 
  type and so that making those changes has been a substantial part 
  of the work over the last.
Orie Steele:   Last couple months we've been in line and.
Orie Steele:  Updating the json-ld definitions and improving the 
  quality of the credential types based on the lessons we've 
  learned from deploying so many different credential types in a 
  verifiable credentials ecosystem the other lesson that we've kind 
  of learned along the way here has been that.
Orie Steele:  Don't actually ever process this data as rdf so if 
  you are processing supply chain information as rdf and when I 
  say as rdf I mean as application/n-quads or as a content type 
  that isn't Json or json-ld we don't find a lot of people 
  who are processing or consuming credential information in that 
  format but we are.
Orie Steele:  Types in that format specifically to Aid with some 
  of these graph analysis and supply chain analytics pieces so one 
  area that we're looking for sort of feedback from the community 
  on is you know are you an implementer of verifiable credentials 
  that's actually processing them as rdf or as json-ld 
  because if you are taking advantage of json-ld or rdf any benefit 
  from this vocabulary but if you are processing.
Orie Steele:   Credentials as just Json this vocabulary is very much 
  overkill.
Orie Steele:  In a lot of ways we spent a lot of time defining 
  term definitions and URLs for you know json-ld structure that if 
  you're not going to use any of that then you know there's a lot 
  of work that's going into this work item that you know no 
  one's benefiting from unless they're doing some transformation on 
  the data to benefit from all the work that goes into the json-ld 
  context and.
Orie Steele:   Yeah I would say.
Orie Steele:  That has been a general area of contention in the 
  work you could you could very quickly create a verifiable 
  credential that has very poor definitions for all its terms and 
  then at what point do you stop trying to improve those term 
  definitions when is a verifiable credentials definitions good 
  enough it creates sometimes it creates a lot of work for very 
  little value gain at a certain point and so what that's another 
  thing we've learned from this process.
Orie Steele:   Process is especially when you have so many 
  different credential.
Orie Steele:  It's very hard to make each of them really high 
  quality to review all of the term definitions to make sure they 
  all have the right rdf types Etc and that has also consumed a lot 
  of work here you know as we've as we've made those improvements 
  to json-ld it's improved the usability of the supply chain graph 
  but.
Orie Steele:  Bottleneck moves very quickly to other areas where 
  like you just aren't getting the field you don't really care what 
  its term definition is so we've also learned that Json schema is 
  probably more valuable upfront than json-ld and then after the 
  Json schema sort of working well then we come back we add the 
  json-ld annotation and the Json structure looks the same but the 
  term definitions are getting better over time.
Orie Steele:  I'm not sure what other comment oh I guess one 
  other comment is regarding verifiable credentials version 2 so 
  version two is underway at the W3C and we've already tried 
  upgrading and there was a lot of pain in trying to do that so 
  one thing that we've learned is that you know the version 2 
  upgrade is probably going to be.
Orie Steele:  It's going to be substantial and we're probably not 
  going to try and support both version 1 and version 2 so we 
  probably will just.
Orie Steele:  Ship a version of this or just not we kind of we 
  release these versions regularly so we probably will at some 
  point upgrade to version 2 and at the same time we will address 
  several other areas that our interoperability and conformance 
  testing has sort of discovered issues with so and I'm happy to 
  talk more about like those particular issues but when we upgrade 
  to version 2 we're going to add support for status list.
Orie Steele:  Version of the credential status mechanism we're 
  also going to add support for JWT selective disclosure which 
  gives it important a selective disclosure capability while also 
  meeting the government crypto regulatory environment space in 
  other words not using fancy brand new not approved crypto and the 
  other place where we will probably make you know some changes 
  will be around.
Orie Steele:  Or protocol so right now it's you know a lot of 
  OAuth 2 client credentials and you would love for that to be 
  something that's higher volume than HTTP we just don't think the 
  HTTP model is going to address the scale problem that we see in 
  the supply chain space and I should also mention the scale issue 
  is also a factor in choosing a selective disclosure Json web 
  tokens when.
Orie Steele:   You promise.
Orie Steele:  Models is already F if it's a presentation of 
  several mill test reports that is a very expensive rdf processing 
  operation because there's lots of arrays lots of term definitions 
  potentially many different contexts URLs that have to be loaded 
  and you're ordering and canonicalizing all of this data and they 
  can take like you know without any optimization it can take 
  minutes to finish successfully.
Orie Steele:  Using several mill test reports and so we know that 
  that operation isn't even actually necessary to transmit the data 
  so the Json web token selective disclosure approach will happily 
  give us a selective disclosure verifiable presentation without 
  doing any of that processing and all of the intermediaries won't 
  have to do any of that processing to verify it but some of them 
  that are interested in the supply chain analysis or graph 
  analysis or threat intelligence work.
Orie Steele:   Can still do that work.
Orie Steele:  To and we'll take some amount of time in order to 
  import that information graph with all of its json-ld terms fully 
  defined so we want to preserve that capability but we don't want 
  it to be a limiting factor on the transport protocol or 
  presentation exchange flows we don't think that canonicalizing is 
  a requirement for making supply chain or in the presentations you 
  think it's a requirement for getting a consistent view over data 
  that you've already verified.
Orie Steele:  You want to do graph analysis that relies on it.
Orie Steele:  So that's a lot of technical rambling happy to 
  answer any further questions folks might have.
Harrison_Tang: Hi Orie, I have a question can you go a little bit 
  deeper into why you need link graph like json-ld in supply chain 
  for the use cases like how do people use like graph analysis on 
  supply chain because I know json-ld is popular in SEO search 
  engine optimization because Google actually want websites to do 
  it right so for example our website support json-ld in our 
  pages because that's.
Harrison_Tang: And score but I'm just curious like what are the 
  benefits and the original intention of using json-ld as opposed 
  to just simple Json like you just mentioned in the supply chain 
  use cases.
Orie Steele:  Sure so first I'll give a plug for a future pull 
  request that Manu is on the hook for which is the value of the 
  json-ld data model and verifiable credentials version 2 so there 
  is the working group intends to answer that question in the next 
  version of the technical recommendation and if you review the 
  pull requests or issues related to that or you see that you know 
  Manu hasn't captured what you think the value of json-ld is 
  accurately please.
Orie Steele:   Contribute to that.
Orie Steele:  I'm discussion that's going to happen you know in 
  the VC data model repo so in the context of supply chain 
  scenarios I guess I will just back up for a second and talk about 
  what.
Orie Steele:  What's the mission objective for the from the 
  business side you're consuming supply chain information and 
  you're trying to either do a values based optimization on it so 
  for example I want to buy from suppliers that reduce their 
  environmental impact or that Source ingredients locally whatever 
  values I might have as a supplier who depends on other suppliers 
  I need to evaluate the products that they're giving me and the.
Orie Steele:   Assess that.
Orie Steele:  Sing them to see if they meet you know my 
  expectations or that we have alignment and I might want to find a 
  supplier who supports local farmers better or uses less wheat in 
  their product or whatever it might be so I need to understand 
  what I'm consuming and what went into producing it in order to do 
  that values based optimization and then the other side is risk 
  assessment like there's a lot of.
Orie Steele:  A lot of this sugar ingredient here like I don't 
  feel comfortable with that much sugar going into my chocolate 
  cake you know and so if you're doing that kind of analysis you 
  have kind of two options option number one is you can take the 
  data and whatever quality you can get and you're going to 
  normalize it and process it and try and make sense of it and 
  you're probably going to apply a lot of hardcore statistics you 
  know machine learning you're going to build.
Orie Steele:   Old model for.
Orie Steele:  We handling how messy the real world data is and 
  then the other approach is sort of the old school way I approach 
  where you ask your supplier to like invest in fully describing 
  what it is they're making so you can process it in an automated 
  fashion without a complicated statistical model and that second 
  category kind of aligns with the verifiable credentials as 
  json-ld World it says I'm going to convince you to do all of this 
  upfront work to make.
Orie Steele:  Data of the highest quality and then I'm going to 
  consume it without running it through you know so many heavy 
  machine learning models so that I can like make sense of it you 
  can blend these two approaches together I think the market has 
  generally rewarded the messy data plus expensive machine learning 
  approach and that is definitely a factor in sort of thinking 
  about future versions of verifiable credentials.
Orie Steele:   But I.
Orie Steele:  You in premium brands doing the work up front to 
  create credentials that represent statements about their product 
  or statements that third-party made about their product that are 
  of the highest quality data inputs and then being able to do 
  machine processing on top of them so I saw Brian raised his hand 
  Brian ask your question.
Brian Richter:  Yeah I was wondering if you could talk a little 
  bit more about like the workflows and their definitions and stuff 
  I see the stuff on the left there and right there I'm just 
  wondering kind of what on a more technical level how does that 
  work.
Orie Steele:  Sure so you know if you think about the three party 
  model there's the issuer to holder flow and that's the OpenID 
  Connect for a verifiable credential issuance protocol and then 
  there's the holder to verifier flow and that's OpenID Connect 
  for verifiable presentations and you know generally speaking when 
  you're doing secured information exchange it's kind of a it's a.
Orie Steele:   It's a.
Orie Steele:  Teaching graph basically where you have a party 
  presenting information to another party for some business purpose 
  or you know they're not just disclosing this information that's 
  been cryptographically signed for no reason they're hoping to get 
  some benefit at the end of it either an ability to do that values 
  based optimization where that works management and so workflows 
  are a way of.
Orie Steele:   And you know we.
Orie Steele:  Here but like we didn't invent the concept of 
  workflow like there's several specifications that inspire our 
  concept of workflow definitions and workflow instances the most 
  relevant one to this work is called BPMN which stands for 
  business process modeling notation from the OMG which is the 
  standards organization that created BPMN but they also created 
  like CORBA like some older XML.
Orie Steele:   Wanted data transfer object.
Orie Steele:  It hurts but those if you've seen business process 
  modeling notation diagrams they have a start they have a series 
  of tasks they have decision points they emit data or they consume 
  other workflows and then they have an end and you've probably 
  seen versions of them where you have like three or four actors 
  and there's a channel where you know this guy starts he makes 
  this thing he hands it to this other guy over here he evaluates 
  it if it's yes.
Orie Steele:   Yes he goes.
Orie Steele:  If it's no he sends it you know back to the first 
  guy and then at the very end the whole thing completes with the 
  sort of success or failure status that visual diagram is a 
  workflow definition it's actually called definition in BPMN so 
  we really borrowed from their concept and then 
  instances of that definition are executions of it and in BPMN you 
  can actually execute workflows you.
Orie Steele:   There with a human in the loop or just as a purely 
  automated workflow.
Orie Steele:  Of them gets an instance ID and that's where 
  instance ID concept came from the challenging part for workflows 
  is composability so how can I take a workflow that's really 
  complicated and split it into three or four smaller workflows 
  that are really simple and if I'm looking just at the smaller 
  workflow that's really simple it's probably easier for me to 
  optimize it.
Orie Steele:   But if I'm looking at a really.
Orie Steele:  Complicated supply chain workflow is just one giant 
  definition it's going to be really easy for there to be mistakes 
  in there and so this idea of workflow composability you have to 
  have a way of relating the two presentations or related to to 
  workflow definitions or a presentation is related to multiple 
  instances like maybe I started a presentation and then the 
  customer called and their requirements change and I had to start 
  anew.
Orie Steele:   Another instance for the new changed presentation 
  but already.
Orie Steele:  And data along the way so how do I relate that I 
  started this process requirements changed not have to start a new 
  process and that's why you see workflow definitions and instances 
  in the traceable presentation as a raise of identifiers because 
  you can group like multiple definitions together by making a 
  presentation that contains both of them and you can do the same 
  thing for instances.
Orie Steele:  Gives some additional detail we've got two minutes 
  left before the five-minute warning so I can take maybe one more 
  question but I'll leave it to the chairs.
Kimberly Linson:  Any final thoughts.
Kimberly Linson:  Alright well thank you Orie and Ben, Ben you did 
  a great job this was a really helpful presentation to 
  understanding traceability for me as I plugged through the 
  spec this morning so thank you both and thank you everyone for 
  today and we will talk to you next week.
<ben_-_transmute> thank you
<harrison_tang> Thank you, Orie and Ben
<rachel_donahue_(she/they)_-_digital_promise> Thank you!

Received on Tuesday, 5 September 2023 22:28:39 UTC