- From: CCG Minutes Bot <minutes@w3c-ccg.org>
- Date: Wed, 07 Aug 2024 13:47:55 +0000
- To: public-credentials@w3.org
Thanks to Our Robot Overlords for scribing this week! The transcript for the call is now available here: https://w3c-ccg.github.io/meetings/2024-08-06/ Full text of the discussion follows for W3C archival purposes. Audio of the meeting is available at the following location: https://w3c-ccg.github.io/meetings/2024-08-06/audio.ogg A video recording is also available at: https://meet.w3c-ccg.org/archives/w3c-ccg-weekly-2024-08-06.mp4 ---------------------------------------------------------------- W3C CCG Weekly Teleconference Transcript for 2024-08-06 Agenda: https://www.w3.org/Search/Mail/Public/advanced_search?hdr-1-name=subject&hdr-1-query=%5BAGENDA&period_month=Aug&period_year=2024&index-grp=Public__FULL&index-type=t&type-index=public-credentials&resultsperpage=20&sortby=date Organizer: Harrison Tang, Kimberly Linson, Will Abramson Scribe: Our Robot Overlords Present: Harrison Tang, Benjamin Young, Gregory Natran, Sam Smith, Will Abramson, TallTed // Ted Thibodeau (he/him) (OpenLinkSw.com), Erica Connell, Jennie M, Anil John, Vanessa, Sharon Leu, Joe Andrieu, David Chadwick, Brandi Delancey, Leo, Alex H, Manu Sporny, Greg Bernstein, Hiroyuki Sano, Dave Longley, Nis Jespersen , Simone Ravaoli, David I. Lehn, Rashmi Siravara, Chandi Cumaranatunge Our Robot Overlords are scribing. Harrison_Tang: Welcome welcome everyone uh to today's w3c CG meeting uh we're very excited to have Wesley West from digital Bazaar today to present on the verifiable credentials barcodes I think that we have a threat around the launch of the uh work item verified credentials barcodes about a month ago and very glad to that West can jump on to actually talk about a little bit more. Harrison_Tang: Right so before then just want to quickly go through some uh administrative stuff uh first of all just want to a quick reminder of the Pol of ethics and professional conduct I just want to make sure that we have a constructive respectful conversations here. Harrison_Tang: A second uh a quick note on the intellectual property anyone can participate in these call calls however all substantive contributions to any ccg work items must be member of the ccg with full IPR agreements signed so if you have any questions about that or if you have troubles uh sign in to the w3c account uh please uh let any of the cultures know. Harrison_Tang: A quick uh call notes uh all the meetings are being automatically recorded and transcribed uh we'll try to uh publish the meeting minutes uh audio recording and video recording uh in the next uh 24 hours or so. Harrison_Tang: Uh we use chuchi chat to cue the speakers during the queue so you can type in Q Plus to uh add yourself to the queue or cue minus to remove or you can type into question mark to see who's in the queue and I will be moderating the queue. Harrison_Tang: All right just want to take a quick moment for the introductions and reintroduction so if you're new to the community or you haven't been active and want to re-engage uh please feel free to just unmute and uh introduce yourself. Harrison_Tang: I see mostly a familiar faces so uh. Harrison_Tang: I'll jump to the announcements and reminders so uh if anyone have any announcements or reminders uh please feel free to unmute or add yourself to the queue. Harrison_Tang: All right a quick note on the upcoming uh meeting agenda so. Harrison_Tang: Next week we will have a work item update and quarter 3 2024 review uh so will will lead that discussion uh we have already sent out emails to uh different uh leaders for the different work items so if you could actually uh take some quick time to fill out the presentation slides uh so that uh you can you know we can uh more easily go over them uh next week that would be great. Harrison_Tang: And then the week after on August 20th uh we'll have a anchor and Alex uh to talk about uh updates on the did link resources work item uh a more specific Deep dive on the did link resources work item. Harrison_Tang: And then the week after on the August 27th uh we're very happy to have Gregory and Joanie uh from ehcc to talk about pain Canadian trust framework. Harrison_Tang: So that's the quick overview of what's uh coming. Harrison_Tang: Any other announcements or reminders. Harrison_Tang: I know we're going to talk about work items uh next week but uh any uh updates on the work items or any thing that people want to bring up. Harrison_Tang: All right pretty straightforward so uh let's get to the main agenda um again we're very happy for West to uh present on the verifiable credentials barcodes uh um today and uh by the way uh if people got kicked out because sometimes when the presentation is large um GT actually will have a service interruptions if people got kicked out for just a rejoin just refresh your browser and rejoin uh that will that'll be great. Benjamin Young: Yeah I'm sorry I had 1 quick thing to say about uh the test Suite office hours it's moving from uh Wednesday mornings. Benjamin Young: Eastern Time to Thursdays at 10 am this is to accommodate the dead working group's new special topics call. Benjamin Young: Our next test Suite office hours will be this Thursday at 10:00 am and I'm sending out those details now. Harrison_Tang: thank you. Manu Sporny: Hey um uh sorry if this was already covered um the uh we've just made an announcement about the verifiable credential playground uh there are a number of um new credentials out there that uh utilize the render method um to kind of display and render uh trustworthy um renderings of verifiable credentials uh there is a uh uh current discussion kind of going on in the um on the mailing list about that um this is the first of a number of different kind of announcements VC playground updates uh that will be making over the next couple of uh weeks so that's the first item uh the second item is um we uh there there have been a lot of people that have signed the letter of intent for the did method standardization so thank you all for doing that we also. Manu Sporny: Uh so. Manu Sporny: 50 Plus uh people have kind of signed the letter so far um if you haven't yet uh please do um uh there's a sign-up sheet for those that want to participate in the next set of meetings um we're going to try and find a time that works for as many people as possible as a Next Step um and then uh we will start having kind of public open meetings about what that um standardization effort is going to look like um I expect a part of those discussions are going to be about which did methods um uh which uh standards bodies and uh some discussion around like Charters and Charter uh formation uh that's it. Harrison_Tang: All right any other uh announcements or reminders. Harrison_Tang: Introductions and uh reintroductions. Harrison_Tang: All right um again just a quick reminder if you got kicked out just uh uh do a quick Refresh on the browser and it should be able to uh sign back in. Harrison_Tang: All right uh Wes the floor is yours. Sam Smith: All right thank you so much um so hello everyone my name is Wes uh I'm at digital Bazaar and I'm really excited to be talking to you guys about the verifiable credential barcodes work today uh just first things first I want to note that uh the uh presentation format here is a little bit less than ideal as Harrison referred to we were having trouble getting the slideshow presentation to properly screen share so this is what we've got. Sam Smith: All right so I'll briefly go over the agenda uh so I'll talk about what the challenge is that we're trying to solve with this work and what current approaches are I'll talk about what goals are for the technology that we're building. Sam Smith: And then I'll get into some of the technical details how do we use verifiable credentials to do this stuff um we we develop a new crypto Suite which I'll talk about how do we do status information for this stuff and how do we use core LD for vcbs as well. Sam Smith: All right so credential fraud is increasing this is fairly well understood and it's increasing for a couple reasons uh 1 reason is that traditional anti-counterfeiting Technologies uh are losing value so what I mean here are things like uh printing Holograms or special ink uh onto a physical credential to be able to differentiate reels from fakes. Sam Smith: And this kind of technology is losing value mostly because of increased public access to really high quality fake ID printing services uh more so than ever before there are you know shops set up that have professional-grade equipment and Hardware that can essentially mimic these Technologies and print extremely convincing fraudulent IDs or fairly cheap. <brandi_delancey> there's an echo Sam Smith: Uh another is generative AI so there are now deployed uh publicly accessible and extremely cheap tools uh that can sorry I'm getting quite a lot of echo is that just on my end is somebody unmuted. Harrison_Tang: No I think there is Echo actually I think it might be on your end let me mute everyone else to double check. TallTed_//_Ted_Thibodeau_(he/him)_(OpenLinkSw.com): Be fixed now it was Neil. Harrison_Tang: Oh got it okay. Sam Smith: Ah okay thank you. <anil_john_[us/dhs/svip]> Yup.. It was me! Sorry! Sam Smith: Okay um so right generative AI uh so generative AI tools are another Factor increasing credential fraud and that's because we now have these uh tools deployed that are publicly available and very cheap that can generate massive volume of very convincing images of fake IDs uh these IDs can have any information on them anybody's picture on them they can be from anywhere um and they are very very convincing. Sam Smith: And the reason that generative AI works and the reason that uh you know these anti-counterfeiting Technologies are losing value is because most physical credentials lack cryptographic security cryptographic security would obviate the need for things like Holograms and special Inc and of course current generative AI tools cannot Forge cryptographic uh information. Sam Smith: So credential fraud is increasing um the main current approach to fighting credential fraud involves third-party verification Services um but these of course are privacy invasive proprietary and often very expensive. Sam Smith: So our proposal is called verifiable credential barcodes uh and it's fairly straightforward at least at a high level what we do is we embed a digital signature into the optical barcode that is printed on a physical credential so this is anti-counterfeiting for physical credentials. Sam Smith: And verify verifiable credential barcodes is built on standard or standards track Technologies including verifiable credentials data Integrity core LD and bit string status list. Sam Smith: So I want to talk a little bit about what our goals are for this technology for vcbs 1 of course is authenticity we want verification of ACB to prove that that VCB came from the issuing authority. Sam Smith: Of course we also want Integrity we want verification to prove that the data on the credential has not been tampered with. Sam Smith: We want real-time status we want verification to prove that the credential has not been revoked or suspended and importantly we want to do this in a privacy preserving way we want to do it without things like phoning home to a source of Truth database to get that information. Sam Smith: Uh we want simplicity so we've designed vcbs such that they either reuse the existing barcode that exists on a physical credential this could be something like a pdf417 barcode on a driver's license um or if there is no barcode they add an easily consumable barcode format to a credential for example a QR code. Sam Smith: And lastly uh we want conformance and the VCB technology stack as I'll present it is aligned with both Global standards as well as Department of Homeland Security identity requirements. Sam Smith: So I also want to touch briefly on some non goals so what is this technology not fixing 1 of course is document theft having a digital signature cryptographically securing a physical credential is not a defense against the theft of that physical documents. Sam Smith: Another is document duplication so we're doing this stuff with Optical barcodes and Optical barcodes are images and you can copy and paste images. Sam Smith: And lastly tampering of non-machine readable data so some data on a document uh for example an image a picture of a person uh may not be digitally signed and if it's not digitally signed then of course verification does not secure that data. Sam Smith: All right so with that high level stuff out of the way we can go into some of the technical information now so first I'll go over again very high level uh how. Sam Smith: Are used for verifiable credential barcodes so here on the right we have an example Json LD verifiable credential and its color-coded with the sort of building blocks it's composed of listed on the left so we have context in pink we have type information in purple credential subject in yellow issuer information in red status information in green and proof in blue. Sam Smith: And uh something that I want to note here is that this is a very compact VC and that's a really critical design goal for us when we're building these verifiable credentials and that's because we have size constraints given the physical size and density requirements for the barcodes that we're generating so we're generating barcodes that get put on something that's you know physically credit card sized and of course we're limited to how dense we can make these barcodes uh because we need commodity scanners and things to be able to read them so we have some pretty serious uh data size constraints on how big these credentials can be uh and a result we work to make them very compact. Sam Smith: So uh talk a little bit about some of the type information or some rather some of the values you might see in credential subject DOT type for a verifiable credential barcodes. Sam Smith: 1 Is Amba driver's license scannable information so this communicates that uh this is a VC that's securing a document that uses a pdf417 that's compliant with the Amba spec so like a US driver's license and another is machine readable Zone this indicates that we're securing a document that has a mrz for example a United States employment authorization document. Sam Smith: So people who are familiar with verifiable credentials might you know look at the previous example and say okay well well where is the actual data right so credential subject is often where much of the data that a VC signs over goes uh and in the previous example credential subject only contains 2 things type and something called protected component index but none of the actual information that would be in something like a driver's license name driver's license number expiration date whatever is actually in this VC so where is the data. Sam Smith: So the reason that the data is not in the VC itself is because the data that we want to secure to cryptographically sign is the data that's already on the card it's not just this additional external data structure right so we're adding this VC but we don't want just this VC to be cryptographically secured we want the data that's already on the card to be secured. Sam Smith: Uh and to that end we've developed a new crypto suite for this effort uh ecds ecds axi 2023 which is of course a new data Integrity crypto Suite. Sam Smith: So what is ecdsa Xi 2023 well it's a variant of the rdsc 2019 crypto Suite uh it follows the same general process where you canonicalize a document with rdf data set canonicalization and then add an ecdsa signature over the canonicalize document. Sam Smith: Uh the. Sam Smith: Is that here some data that's not in the VC is digitally signed as well. Sam Smith: So the letters x i in the crypto Suite name stand for extra information and here in this use case that extra information is data from the card itself it's the data that's already on the card that we want to digitally sign so that could be something like a canonicalization of data that's in the pdf417 that already exists on a driver's license or it could be a canonicalization of the data that exists in a machine readable Zone on something like an employment authorization document. Sam Smith: So verification for the XI crypto Suite involves reconstructing this extra information from the machine readable data that's on the on the credential. Sam Smith: Then that extra information is passed to the verification algorithm alongside the verifiable credential. Sam Smith: And uh if you're successful what that tells you is that not only is the VC valid but the data in the car on the card has not been tampered with. Sam Smith: Um so I'll briefly talk about status now uh so here we see what the the status piece of the example that I showed before um and this has Type terse bit string status list entry and then just a URL and an index. Sam Smith: Uh essentially tur bit string status list entry is a compact way to use bit string status list so we developed it as part of this verifiable credential barcodes effort because as I mentioned before um you know compactness and size efficiency is is really important in our use cases. Sam Smith: So we have this tur bit string status list entry thing it's a compact way to use bitching status list and during verification what happens is a tourist bit strings status list entry is converted to a full bit string status list entry uh and this allows us to do real-time status checking uh for statuses like revocation and suspension and of course as I mentioned before it's really important that this stuff is privacy preserving we have to do this in a way where there's no uh you know trackable phone home behavior and things along those lines. Sam Smith: Okay uh so next I'll talk about core LD so the XI crypto Suite serves 2 purposes the first is that the data on the card is made tamper resistant because it's part of the digital signature. Sam Smith: The second is that payload size is small that's because using the XI crypto Suite signed data doesn't need to be in the VC itself it can live where it already lives and then the VC knows how to sign over it without including that data. Sam Smith: But even with the XI crypto Suite uh our payloads are still not small enough. Sam Smith: The constraints that we have for physical card design um and and uh barcode density to be compatible with standard tools RVC needs to be around 150 bites. Sam Smith: And uh the solution there is to use core LD to encode the Json LD in a compact form so core LD is a Json LD compaction tool essentially um. Sam Smith: Where what. <dave_longley> aka "semantic compression" Sam Smith: Is it processes the contexts that appear in a verifiable credential uh and it uses those contexts to build maps from strings that might appear in the credential to integers and importantly it does this in a fully deterministic and invertible way such that if I encode my Json LD VC I get you know an object that contains a bunch of integers essentially uh and then when I receive that object if I know what the contexts were that were used to create it I can process those contexts to myself and create the same map that was used to uh encode and then and then decode so it's invertible right we can shrink it down but we need to do it in such a way that we know that the person receiving it can you know decompress it back up. Sam Smith: So here's an example of applying core LD to our example credential so on the left of course we have the Json LD VC and on the right we have core LD. Sam Smith: So I'm not. Sam Smith: Going to get into the details of of you know where exactly these numbers come from and things like that but at a high level the color coding will show you what's happening here so the contexts are being compressed down into integers type information integers and so on and so forth um some of the data that exists in here is not compressed for example proof value I've kind of elided it here for you know a compact example but this is you know 64 65 bytes uh and that of course remains bites in the core LD because that's not known to be an that value is not in any of the contexts and as such cannot be compressed. Sam Smith: All right so after we do core LD encoding now the credentials are small enough that we can actually encode them into barcodes. Sam Smith: So we have 2 examples here we have a Utopia driver's license with a pdf417 on the back and we have a Utopia employment authorization document with a QR code on the front. Sam Smith: What's happened here well driver's licenses already contain a pdf417 so what we've actually done is we've constructed a VC that digitally signs over the pdf417 that was already here and then we've just stuck that that sort of VC on the end so we've added to the pdf417 a verifiable credential bark or a verifiable credential that is a VCB that digitally signed the rest of the PDF for a 17. Sam Smith: For the employment authorization document it's a little bit different uh so there are no barcode there was no barcode on this before we added the VCB but there was machine readable data in the form of an mrz uh so what we've done is we've added a QR code to the front of the document that contains a verifiable credential that digitally signs the mrz data on the back of the credential. Sam Smith: All right so let's summarize that process what have we done so we're adding VCS to physical cards for a layer of cryptographic security against counterfeiting that that is the you know 1 sentence summary of what verifiable credential barcodes is about. Sam Smith: Uh and to do this we needed to do a few things uh We've created the ecds ecdsa XI 2023 crypto Suite that lets us digitally sign data that's on the cards but it's not in the VCS. Sam Smith: We created the tourist bit string status list entry mechanism to use bitstring status lists in a space efficient way. Sam Smith: And then we used core LD to further compact VCS down to fit within barcode size constraints. Sam Smith: So what are some next steps here well the first is pretty standardization and standards track work for the verifiable credentials barcode spec. Sam Smith: The second is interoperability testing with verifiable credential verifiers the third is deployment with California DMV to add a verifiable credential barcodes to California driver's licenses uh the fourth is deployment with DHS to add vcbs to employment authorization documents and permanent resident cards. Sam Smith: Okay so for anyone who's interested in uh taking a look at some of the you know the nitty-gritty details of how this stuff works or maybe even implementing it yourself uh We've provided a list of both the specifications that this technology is built on as well as some implementations of those specifications that you can either look at or use so for specifications of course we care about the VC's spec the DI spec core LD bit string status list and of course the verifiable credential barcode spec. Sam Smith: And for implementations we have multiple core LD implementations as well as a pretty cool new linked data CLI tool that supports core LD. Sam Smith: Uh as well as verifiable credentials implementation as well as the XI crypto suite and a tool for converting verifiable presentations into QR codes. Sam Smith: Uh last thing I just want to note that the verifiable credential barcode spec can now contains test vectors and these test vectors include step-by-step instructions for both creating and consuming verifiable credential barcodes and of course we welcome anybody who's interested in implementing this stuff um for guidance or to report issues please use the spec GitHub repo and uh feel free to reach out to me by email if you have any other questions. Sam Smith: Thanks and I can take any questions now. Harrison_Tang: Questions just type in Q Plus to add yourself to the Q. Harrison_Tang: A a quick uh clarification question so um. Harrison_Tang: So the verifiable credential of EC barcode in some ways is a digital signature uh. Harrison_Tang: For the data in the in the physical card uh is that correct. Sam Smith: That's correct yeah. Harrison_Tang: Got it and but if the data is uh not in the. Harrison_Tang: Self like what if. Harrison_Tang: If someone just changed the data on the physical card will the signature Still Still verify to be true or like how do you. Sam Smith: No so sorry. Harrison_Tang: No please yes I can if you could if you could you could uh clarify how that works yeah. Sam Smith: Absolutely yeah so that's the really that gets to the core of the design of the XI crypto Suite um so how the XI crypto Suite works is that 1 of the inputs uh to validating the to verifying the signature 1 of the inputs is a hash of a canonicalization of the data that's not in the VC but that still needed to uh to verify the the verifiable credential so for example. Sam Smith: I could create a verifiable credential barcode for a driver's license where verification tells me not only is the VC portion good but to verify successfully I need to have pulled out of some optically readable data on the driver's license name is Wes first name is Wes last name is Smith and my driver's license number is this so if any of those 3 things change then verification will fail. Sam Smith: Um so. Sam Smith: Cept of the XI crypto Suite is that extra information cannot change and you know for the the examples that we've given extra information is. Sam Smith: Machine readable information on the physical card itself does that make sense. Harrison_Tang: Oh got it okay so it has to be machine readable right it cannot be like a non machine readable okay got it okay. Harrison_Tang: Thank you money please. Manu Sporny: Yeah just to follow follow up on that I mean think of the way like regular driver's licenses work today like if somebody hands you or shows you their driver's license. Manu Sporny: And you. Manu Sporny: Look at it you have no idea if it's valid or not and and the barcode itself on that driver's license today you can just go online and use free tools to generate whatever data you want to go on the back of that card which means that it's pretty trivial to like. Manu Sporny: Create a fake barcode and put it on the back of a fake driver's license um the the thing that this changes is the ability for anyone right that has this verify and the verifiers are just like kind of free and open open technology it allows anybody to take a driver's license and check to see if that is a legitimate driver's license meaning it you know people can still copy the driver's license entirely but it it gives you some understanding of like. Manu Sporny: In whatever state you're in uh this is a valid driver's license you can't tell that today like it that is not a that is not a thing that you can universally do at least in the in the United States and in most countries today um so that's the big deal here is that before if someone handed you a driver's license you're like I have no idea if this thing is real or not I don't even know if this is you know the data on here. Manu Sporny: It you know is is is is is is real or not whereas in the future with this stuff on it you can at least check to make sure that that barcode on the back. Manu Sporny: Data that is. Manu Sporny: Was issued by the state driver's license Authority um so that gives you like before you had no idea now you can actually check it to see if it's lines up uh to a legitimate ID. Harrison_Tang: Got it thank you. Harrison_Tang: Uh any other questions. Manu Sporny: Yeah I do have a question for Wes so uh a fantastic work Wes this is you know this is awesome stuff um uh as you were putting all of this together what what do you feel is the most difficult thing uh for um uh kind of a developer to implement here like you know how what what is the most challenging aspect of getting a verifiable barcode uh working. Sam Smith: That's a good question so let's go to the sort of breakdown of the pieces here um I would say that if you are planning to implement a SeaWorld Library yourself that would be the most challenging piece of the puzzle here um if you're planning on using an off-the-shelf SeaWorld library then great that's not such such a big deal uh but sibur LD can take some time to get right and you have to get it completely right because if you encode or excuse me if you decode a credential with a slightly different version of core LD then the other person encoded the credential with everything breaks. Sam Smith: So I. Sam Smith: Say SeaWorld is the is the most challenging piece in this stack if you're going to build it yourself uh and and that's assuming you know a baseline level of familiarity with verifiable credentials and and the like and data Integrity um I would say that the ecdsa XY crypto Suite is pretty trivial it's really not hard I mean assuming if you know how the rdfc uh kind of basic EDSA rdsc 2019 crypto Suite works it's that with like 1 more step um turn bit string status list entry is not a difficult modification to make to regular admit string status list entry. Sam Smith: Um so really I would say it's core LD if you're going to implement it yourself assuming you have a baseline level of familiarity with the the core Technologies and the rest of the stack. Harrison_Tang: Uh sorry I have a kind of a different question this is more on the kind of verifier experience can you kind of quickly walk through what uh a verifiers experience look like maybe the uh their user experience in UI when they actually scan the barcode what is like their uh the UI on their phone look like okay. Sam Smith: Well I can't speak to what the UI on on a phone would look like because I mean that started to verify level decision what I could do is walk through the process in the verifiable credential barcode Speck of actually verifying 1 of these things would that be helpful. Harrison_Tang: Yes that would be good thanks. Sam Smith: Okay so this is a little bit removed from the UI level but at least we can see exactly what the steps are here. Sam Smith: All right um so if you are going to consume a verifiable credential barcode that's on a driver's license the first thing you're going to do is you're going to scan the pdf417 and get some bites all right so here what we see is a kind of a standard driver's license this is messy but this is what driver's licenses look like if you pull the bites out of the pdf417 and then at the end here we see this is essentially a verifiable credential right this is the this is the VCB component. Sam Smith: So if we pull that out that's what extract the data in this whatever means if we pull that out uh and undo the way it's encoded we then get some core LD data. Sam Smith: Uh and the next step is to construct the map that was used when making that core LD data so this is the tough step that I was talking about before because you have to get this map exactly right so the map is between strings and integers right what we've received is a payload that just contains integers and we need to invert that to get it back to containing strings so that it's a you know compliant Json LD VC that we can process as normal. Sam Smith: So we have to construct this map which we have to do exactly right. Sam Smith: And then. Sam Smith: Once we have that map it's very simple you just go through your core LD payload which looks like this and you turn integers back into Strings. Sam Smith: At this point now we have a Json LD verifiable credential and it looks exactly like the examples that I gave earlier in the presentation. Sam Smith: Once we have this Json LTE VC uh we can canonicalize the data in the rest of the pdf417 so what does that mean it means that we've taken all the rest of the driver's license so before we just pulled out the VC that we needed but now we take all the rest of this and we canonicalize it and we turn it into extra information so for this specific example the 3 pieces of data that we care about are first name or excuse me first name the AC last name and DCS DCS and driver's license number which is daq whatever that is um. Sam Smith: Here it is. Sam Smith: So verification of this verifiable credential barcode says the the data in this in these 3 Fields must be exactly what it was at at credential creation time. Sam Smith: So what do we do we canonicalize we see DAC daq DCS we hash it we do some more under the hood stuff uh and then we can verify the credential the last thing to do is to check status so as I mentioned before this is a Turf bit string status list entry which gets expanded into full bit string status list entries uh during verification um the algorithm by which to do that exists in this specification and then those can be verified as well and that's it that's the full flow so pull out your credential uh you know undo some encoding to get several LD construct your core LD map. Sam Smith: Decode the credential now you have Json LD. Sam Smith: Get the extra information. Sam Smith: And then. Sam Smith: Verify and that's it. Harrison_Tang: Cool thank you this is a very very helpful actually thanks. Anil John: FYI: DHS and U.S. Citizenship and Immigration Services is looking to implement VCB's in combination with DIDs (as the issuer identifier) on digital immigration and citizenship based credentials to enable in-person digital verification of physical credentials while preserving the same privacy usage characteristics as the current generation of physical credentials. Manu Sporny: Yeah from a from a ux standpoint um just like a customer experience standpoint um you take your mobile phone you open the verifier app you point it at the back of the driver's license and you get a green check mark. Manu Sporny: So it's literally you just kind of Point your commodity mobile phone. Manu Sporny: At the back. Manu Sporny: The driver's license and and that's it it'll give you a green check mark or it'll say you know x mark this is you know uh this this driver's license has been revoked this driver's license has been suspended um or somebody's tampered with the data um on the driver's license you can't trust it. Sam Smith: Yeah oh sorry. Manu Sporny: Well that that that's it oh oh sorry 1 1 more thing um we did ask at some point if people wanted like test cards um we have physical cards uh so if you want some mail to you we can do that and then there's a website uh that you can go to with your just regular mobile phone and um. Manu Sporny: And and use that so that's up today you can use this using a standard mobile phone um and a web browser so the verifier apps just a website that you go to uh you click scan you point it at the card and it tells you whether or not it's a valid card or not and we have test cards for like. <anil_john_[us/dhs/svip]> We are also funding the development and enhancement of verification capabilities integrated into both mobile and in-person verifiers for VCBs. Manu Sporny: Uh valid cards and we have like invalid cards that you can test as well ones where they've been tampered with so that you can see what you know a verification failure uh looks like that's it. Harrison_Tang: Right any other questions. Manu Sporny: Sorry not not a question but I would I would be uh I think it's important to note who's funding this work um so um DHS has been uh funding uh a good chunk of this work uh along with uh California DMV uh and the National Association convenience stores so all of those organizations have uh kind of a deep interest in um ensuring that fraudulent IDs aren't used uh in the market so uh huge thank you to each 1 of those organizations for making this this uh sort of work possible. Harrison_Tang: But I I have 1 last question uh this is uh Wes this is more on your comment about C4 LD where um you know the canonicalization needs to be like very exact right so like um it sounds a little bit uh finicky where things had to be exact it feels like 1 little mistake like things doesn't work so can you kind of uh comment on the robustness or for example if things change like uh how do you actually make sure that the system is robust over time. Sam Smith: Yeah so when I say that you have to be very precise what I essentially mean is that. Sam Smith: So there are 2 steps for cable LTE there's compression which is going to be done by you know say an issuer and there's decompression that's going to be done by say a verifier and in both of those steps the exact same map from strings to integers. Sam Smith: Has to be. Sam Smith: And that map is constructed by processing the contexts that are that exist in the verifiable credential. Sam Smith: So when I say that it's very precise what I really mean is that the algorithms that the issuer and the verifier in this example have you are using to compress and decompress the credential. Sam Smith: This exact same map. Sam Smith: So I mean. Sam Smith: If they. Sam Smith: Both versions of core LD that are used are correct implementations there's no I mean it's fully robust right it's just that um you need to make sure that you are using a fully conformed version of core LD and then it's the same version that was used by the issuer and so on and so forth um otherwise otherwise you won't be able to consume a VCB as a verifier does that make sense. Harrison_Tang: Got it got it thank you. Harrison_Tang: All right so if no further questions um I think this concludes uh today's w3c ccg meeting uh does anybody have any last uh comments or thoughts or agenda. Harrison_Tang: All right well thank you thank you Wes uh thank you Manu thanks a lot thanks everyone. Sam Smith: Thank you it's a pleasure.
Received on Wednesday, 7 August 2024 13:48:02 UTC