[MINUTES] W3C CCG Credentials CG Call - 2024-08-06

Thanks to Our Robot Overlords for scribing this week!

The transcript for the call is now available here:

https://w3c-ccg.github.io/meetings/2024-08-06/

Full text of the discussion follows for W3C archival purposes.
Audio of the meeting is available at the following location:

https://w3c-ccg.github.io/meetings/2024-08-06/audio.ogg

A video recording is also available at:

https://meet.w3c-ccg.org/archives/w3c-ccg-weekly-2024-08-06.mp4

----------------------------------------------------------------
W3C CCG Weekly Teleconference Transcript for 2024-08-06

Agenda:
  https://www.w3.org/Search/Mail/Public/advanced_search?hdr-1-name=subject&hdr-1-query=%5BAGENDA&period_month=Aug&period_year=2024&index-grp=Public__FULL&index-type=t&type-index=public-credentials&resultsperpage=20&sortby=date
Organizer:
  Harrison Tang, Kimberly Linson, Will Abramson
Scribe:
  Our Robot Overlords
Present:
  Harrison Tang, Benjamin Young, Gregory Natran, Sam Smith, Will 
  Abramson, TallTed // Ted Thibodeau (he/him) (OpenLinkSw.com), 
  Erica Connell, Jennie M, Anil John, Vanessa, Sharon Leu, Joe 
  Andrieu, David Chadwick, Brandi Delancey, Leo, Alex H, Manu 
  Sporny, Greg Bernstein, Hiroyuki Sano, Dave Longley, Nis 
  Jespersen , Simone Ravaoli, David I. Lehn, Rashmi Siravara, 
  Chandi Cumaranatunge

Our Robot Overlords are scribing.
Harrison_Tang: Welcome welcome everyone uh to today's w3c CG 
  meeting uh we're very excited to have Wesley West from digital 
  Bazaar today to present on the verifiable credentials barcodes I 
  think that we have a threat around the launch of the uh work item 
  verified credentials barcodes about a month ago and very glad to 
  that West can jump on to actually talk about a little bit more.
Harrison_Tang: Right so before then just want to quickly go 
  through some uh administrative stuff uh first of all just want to 
  a quick reminder of the Pol of ethics and professional conduct I 
  just want to make sure that we have a constructive respectful 
  conversations here.
Harrison_Tang: A second uh a quick note on the intellectual 
  property anyone can participate in these call calls however all 
  substantive contributions to any ccg work items must be member of 
  the ccg with full IPR agreements signed so if you have any 
  questions about that or if you have troubles uh sign in to the 
  w3c account uh please uh let any of the cultures know.
Harrison_Tang: A quick uh call notes uh all the meetings are 
  being automatically recorded and transcribed uh we'll try to uh 
  publish the meeting minutes uh audio recording and video 
  recording uh in the next uh 24 hours or so.
Harrison_Tang: Uh we use chuchi chat to cue the speakers during 
  the queue so you can type in Q Plus to uh add yourself to the 
  queue or cue minus to remove or you can type into question mark 
  to see who's in the queue and I will be moderating the queue.
Harrison_Tang: All right just want to take a quick moment for the 
  introductions and reintroduction so if you're new to the 
  community or you haven't been active and want to re-engage uh 
  please feel free to just unmute and uh introduce yourself.
Harrison_Tang: I see mostly a familiar faces so uh.
Harrison_Tang: I'll jump to the announcements and reminders so uh 
  if anyone have any announcements or reminders uh please feel free 
  to unmute or add yourself to the queue.
Harrison_Tang: All right a quick note on the upcoming uh meeting 
  agenda so.
Harrison_Tang: Next week we will have a work item update and 
  quarter 3 2024 review uh so will will lead that discussion uh we 
  have already sent out emails to uh different uh leaders for the 
  different work items so if you could actually uh take some quick 
  time to fill out the presentation slides uh so that uh you can 
  you know we can uh more easily go over them uh next week that 
  would be great.
Harrison_Tang: And then the week after on August 20th uh we'll 
  have a anchor and Alex uh to talk about uh updates on the did 
  link resources work item uh a more specific Deep dive on the did 
  link resources work item.
Harrison_Tang: And then the week after on the August 27th uh 
  we're very happy to have Gregory and Joanie uh from ehcc to talk 
  about pain Canadian trust framework.
Harrison_Tang: So that's the quick overview of what's uh coming.
Harrison_Tang: Any other announcements or reminders.
Harrison_Tang: I know we're going to talk about work items uh 
  next week but uh any uh updates on the work items or any thing 
  that people want to bring up.
Harrison_Tang: All right pretty straightforward so uh let's get 
  to the main agenda um again we're very happy for West to uh 
  present on the verifiable credentials barcodes uh um today and uh 
  by the way uh if people got kicked out because sometimes when the 
  presentation is large um GT actually will have a service 
  interruptions if people got kicked out for just a rejoin just 
  refresh your browser and rejoin uh that will that'll be great.
Benjamin Young:  Yeah I'm sorry I had 1 quick thing to say about 
  uh the test Suite office hours it's moving from uh Wednesday 
  mornings.
Benjamin Young:  Eastern Time to Thursdays at 10 am this is to 
  accommodate the dead working group's new special topics call.
Benjamin Young:  Our next test Suite office hours will be this 
  Thursday at 10:00 am and I'm sending out those details now.
Harrison_Tang:  thank you.
Manu Sporny:  Hey um uh sorry if this was already covered um the 
  uh we've just made an announcement about the verifiable 
  credential playground uh there are a number of um new credentials 
  out there that uh utilize the render method um to kind of display 
  and render uh trustworthy um renderings of verifiable credentials 
  uh there is a uh uh current discussion kind of going on in the um 
  on the mailing list about that um this is the first of a number 
  of different kind of announcements VC playground updates uh that 
  will be making over the next couple of uh weeks so that's the 
  first item uh the second item is um we uh there there have been a 
  lot of people that have signed the letter of intent for the did 
  method standardization so thank you all for doing that we also.
Manu Sporny:   Uh so.
Manu Sporny:  50 Plus uh people have kind of signed the letter so 
  far um if you haven't yet uh please do um uh there's a sign-up 
  sheet for those that want to participate in the next set of 
  meetings um we're going to try and find a time that works for as 
  many people as possible as a Next Step um and then uh we will 
  start having kind of public open meetings about what that um 
  standardization effort is going to look like um I expect a part 
  of those discussions are going to be about which did methods um 
  uh which uh standards bodies and uh some discussion around like 
  Charters and Charter uh formation uh that's it.
Harrison_Tang: All right any other uh announcements or reminders.
Harrison_Tang: Introductions and uh reintroductions.
Harrison_Tang: All right um again just a quick reminder if you 
  got kicked out just uh uh do a quick Refresh on the browser and 
  it should be able to uh sign back in.
Harrison_Tang: All right uh Wes the floor is yours.
Sam Smith:  All right thank you so much um so hello everyone my 
  name is Wes uh I'm at digital Bazaar and I'm really excited to be 
  talking to you guys about the verifiable credential barcodes work 
  today uh just first things first I want to note that uh the uh 
  presentation format here is a little bit less than ideal as 
  Harrison referred to we were having trouble getting the slideshow 
  presentation to properly screen share so this is what we've got.
Sam Smith:  All right so I'll briefly go over the agenda uh so 
  I'll talk about what the challenge is that we're trying to solve 
  with this work and what current approaches are I'll talk about 
  what goals are for the technology that we're building.
Sam Smith:  And then I'll get into some of the technical details 
  how do we use verifiable credentials to do this stuff um we we 
  develop a new crypto Suite which I'll talk about how do we do 
  status information for this stuff and how do we use core LD for 
  vcbs as well.
Sam Smith:  All right so credential fraud is increasing this is 
  fairly well understood and it's increasing for a couple reasons 
  uh 1 reason is that traditional anti-counterfeiting Technologies 
  uh are losing value so what I mean here are things like uh 
  printing Holograms or special ink uh onto a physical credential 
  to be able to differentiate reels from fakes.
Sam Smith:  And this kind of technology is losing value mostly 
  because of increased public access to really high quality fake ID 
  printing services uh more so than ever before there are you know 
  shops set up that have professional-grade equipment and Hardware 
  that can essentially mimic these Technologies and print extremely 
  convincing fraudulent IDs or fairly cheap.
<brandi_delancey> there's an echo
Sam Smith:  Uh another is generative AI so there are now deployed 
  uh publicly accessible and extremely cheap tools uh that can 
  sorry I'm getting quite a lot of echo is that just on my end is 
  somebody unmuted.
Harrison_Tang: No I think there is Echo actually I think it might 
  be on your end let me mute everyone else to double check.
TallTed_//_Ted_Thibodeau_(he/him)_(OpenLinkSw.com): Be fixed now 
  it was Neil.
Harrison_Tang: Oh got it okay.
Sam Smith:  Ah okay thank you.
<anil_john_[us/dhs/svip]> Yup.. It was me! Sorry!
Sam Smith:  Okay um so right generative AI uh so generative AI 
  tools are another Factor increasing credential fraud and that's 
  because we now have these uh tools deployed that are publicly 
  available and very cheap that can generate massive volume of very 
  convincing images of fake IDs uh these IDs can have any 
  information on them anybody's picture on them they can be from 
  anywhere um and they are very very convincing.
Sam Smith:  And the reason that generative AI works and the 
  reason that uh you know these anti-counterfeiting Technologies 
  are losing value is because most physical credentials lack 
  cryptographic security cryptographic security would obviate the 
  need for things like Holograms and special Inc and of course 
  current generative AI tools cannot Forge cryptographic uh 
  information.
Sam Smith:  So credential fraud is increasing um the main current 
  approach to fighting credential fraud involves third-party 
  verification Services um but these of course are privacy invasive 
  proprietary and often very expensive.
Sam Smith:  So our proposal is called verifiable credential 
  barcodes uh and it's fairly straightforward at least at a high 
  level what we do is we embed a digital signature into the optical 
  barcode that is printed on a physical credential so this is 
  anti-counterfeiting for physical credentials.
Sam Smith:  And verify verifiable credential barcodes is built on 
  standard or standards track Technologies including verifiable 
  credentials data Integrity core LD and bit string status list.
Sam Smith:  So I want to talk a little bit about what our goals 
  are for this technology for vcbs 1 of course is authenticity we 
  want verification of ACB to prove that that VCB came from the 
  issuing authority.
Sam Smith:  Of course we also want Integrity we want verification 
  to prove that the data on the credential has not been tampered 
  with.
Sam Smith:  We want real-time status we want verification to 
  prove that the credential has not been revoked or suspended and 
  importantly we want to do this in a privacy preserving way we 
  want to do it without things like phoning home to a source of 
  Truth database to get that information.
Sam Smith:  Uh we want simplicity so we've designed vcbs such 
  that they either reuse the existing barcode that exists on a 
  physical credential this could be something like a pdf417 barcode 
  on a driver's license um or if there is no barcode they add an 
  easily consumable barcode format to a credential for example a QR 
  code.
Sam Smith:  And lastly uh we want conformance and the VCB 
  technology stack as I'll present it is aligned with both Global 
  standards as well as Department of Homeland Security identity 
  requirements.
Sam Smith:  So I also want to touch briefly on some non goals so 
  what is this technology not fixing 1 of course is document theft 
  having a digital signature cryptographically securing a physical 
  credential is not a defense against the theft of that physical 
  documents.
Sam Smith:  Another is document duplication so we're doing this 
  stuff with Optical barcodes and Optical barcodes are images and 
  you can copy and paste images.
Sam Smith:  And lastly tampering of non-machine readable data so 
  some data on a document uh for example an image a picture of a 
  person uh may not be digitally signed and if it's not digitally 
  signed then of course verification does not secure that data.
Sam Smith:  All right so with that high level stuff out of the 
  way we can go into some of the technical information now so first 
  I'll go over again very high level uh how.
Sam Smith:  Are used for verifiable credential barcodes so here 
  on the right we have an example Json LD verifiable credential and 
  its color-coded with the sort of building blocks it's composed of 
  listed on the left so we have context in pink we have type 
  information in purple credential subject in yellow issuer 
  information in red status information in green and proof in blue.
Sam Smith:  And uh something that I want to note here is that 
  this is a very compact VC and that's a really critical design 
  goal for us when we're building these verifiable credentials and 
  that's because we have size constraints given the physical size 
  and density requirements for the barcodes that we're generating 
  so we're generating barcodes that get put on something that's you 
  know physically credit card sized and of course we're limited to 
  how dense we can make these barcodes uh because we need commodity 
  scanners and things to be able to read them so we have some 
  pretty serious uh data size constraints on how big these 
  credentials can be uh and a result we work to make them very 
  compact.
Sam Smith:  So uh talk a little bit about some of the type 
  information or some rather some of the values you might see in 
  credential subject DOT type for a verifiable credential barcodes.
Sam Smith:  1 Is Amba driver's license scannable information so 
  this communicates that uh this is a VC that's securing a document 
  that uses a pdf417 that's compliant with the Amba spec so like a 
  US driver's license and another is machine readable Zone this 
  indicates that we're securing a document that has a mrz for 
  example a United States employment authorization document.
Sam Smith:  So people who are familiar with verifiable 
  credentials might you know look at the previous example and say 
  okay well well where is the actual data right so credential 
  subject is often where much of the data that a VC signs over goes 
  uh and in the previous example credential subject only contains 2 
  things type and something called protected component index but 
  none of the actual information that would be in something like a 
  driver's license name driver's license number expiration date 
  whatever is actually in this VC so where is the data.
Sam Smith:  So the reason that the data is not in the VC itself 
  is because the data that we want to secure to cryptographically 
  sign is the data that's already on the card it's not just this 
  additional external data structure right so we're adding this VC 
  but we don't want just this VC to be cryptographically secured we 
  want the data that's already on the card to be secured.
Sam Smith:  Uh and to that end we've developed a new crypto suite 
  for this effort uh ecds ecds axi 2023 which is of course a new 
  data Integrity crypto Suite.
Sam Smith:  So what is ecdsa Xi 2023 well it's a variant of the 
  rdsc 2019 crypto Suite uh it follows the same general process 
  where you canonicalize a document with rdf data set 
  canonicalization and then add an ecdsa signature over the 
  canonicalize document.
Sam Smith:   Uh the.
Sam Smith:  Is that here some data that's not in the VC is 
  digitally signed as well.
Sam Smith:  So the letters x i in the crypto Suite name stand for 
  extra information and here in this use case that extra 
  information is data from the card itself it's the data that's 
  already on the card that we want to digitally sign so that could 
  be something like a canonicalization of data that's in the pdf417 
  that already exists on a driver's license or it could be a 
  canonicalization of the data that exists in a machine readable 
  Zone on something like an employment authorization document.
Sam Smith:  So verification for the XI crypto Suite involves 
  reconstructing this extra information from the machine readable 
  data that's on the on the credential.
Sam Smith:  Then that extra information is passed to the 
  verification algorithm alongside the verifiable credential.
Sam Smith:  And uh if you're successful what that tells you is 
  that not only is the VC valid but the data in the car on the card 
  has not been tampered with.
Sam Smith:  Um so I'll briefly talk about status now uh so here 
  we see what the the status piece of the example that I showed 
  before um and this has Type terse bit string status list entry 
  and then just a URL and an index.
Sam Smith:  Uh essentially tur bit string status list entry is a 
  compact way to use bit string status list so we developed it as 
  part of this verifiable credential barcodes effort because as I 
  mentioned before um you know compactness and size efficiency is 
  is really important in our use cases.
Sam Smith:  So we have this tur bit string status list entry 
  thing it's a compact way to use bitching status list and during 
  verification what happens is a tourist bit strings status list 
  entry is converted to a full bit string status list entry uh and 
  this allows us to do real-time status checking uh for statuses 
  like revocation and suspension and of course as I mentioned 
  before it's really important that this stuff is privacy 
  preserving we have to do this in a way where there's no uh you 
  know trackable phone home behavior and things along those lines.
Sam Smith:  Okay uh so next I'll talk about core LD so the XI 
  crypto Suite serves 2 purposes the first is that the data on the 
  card is made tamper resistant because it's part of the digital 
  signature.
Sam Smith:  The second is that payload size is small that's 
  because using the XI crypto Suite signed data doesn't need to be 
  in the VC itself it can live where it already lives and then the 
  VC knows how to sign over it without including that data.
Sam Smith:  But even with the XI crypto Suite uh our payloads are 
  still not small enough.
Sam Smith:  The constraints that we have for physical card design 
  um and and uh barcode density to be compatible with standard 
  tools RVC needs to be around 150 bites.
Sam Smith:  And uh the solution there is to use core LD to encode 
  the Json LD in a compact form so core LD is a Json LD compaction 
  tool essentially um.
Sam Smith:   Where what.
<dave_longley> aka "semantic compression"
Sam Smith:  Is it processes the contexts that appear in a 
  verifiable credential uh and it uses those contexts to build maps 
  from strings that might appear in the credential to integers and 
  importantly it does this in a fully deterministic and invertible 
  way such that if I encode my Json LD VC I get you know an object 
  that contains a bunch of integers essentially uh and then when I 
  receive that object if I know what the contexts were that were 
  used to create it I can process those contexts to myself and 
  create the same map that was used to uh encode and then and then 
  decode so it's invertible right we can shrink it down but we need 
  to do it in such a way that we know that the person receiving it 
  can you know decompress it back up.
Sam Smith:  So here's an example of applying core LD to our 
  example credential so on the left of course we have the Json LD 
  VC and on the right we have core LD.
Sam Smith:   So I'm not.
Sam Smith:  Going to get into the details of of you know where 
  exactly these numbers come from and things like that but at a 
  high level the color coding will show you what's happening here 
  so the contexts are being compressed down into integers type 
  information integers and so on and so forth um some of the data 
  that exists in here is not compressed for example proof value 
  I've kind of elided it here for you know a compact example but 
  this is you know 64 65 bytes uh and that of course remains bites 
  in the core LD because that's not known to be an that value is 
  not in any of the contexts and as such cannot be compressed.
Sam Smith:  All right so after we do core LD encoding now the 
  credentials are small enough that we can actually encode them 
  into barcodes.
Sam Smith:  So we have 2 examples here we have a Utopia driver's 
  license with a pdf417 on the back and we have a Utopia employment 
  authorization document with a QR code on the front.
Sam Smith:  What's happened here well driver's licenses already 
  contain a pdf417 so what we've actually done is we've constructed 
  a VC that digitally signs over the pdf417 that was already here 
  and then we've just stuck that that sort of VC on the end so 
  we've added to the pdf417 a verifiable credential bark or a 
  verifiable credential that is a VCB that digitally signed the 
  rest of the PDF for a 17.
Sam Smith:  For the employment authorization document it's a 
  little bit different uh so there are no barcode there was no 
  barcode on this before we added the VCB but there was machine 
  readable data in the form of an mrz uh so what we've done is 
  we've added a QR code to the front of the document that contains 
  a verifiable credential that digitally signs the mrz data on the 
  back of the credential.
Sam Smith:  All right so let's summarize that process what have 
  we done so we're adding VCS to physical cards for a layer of 
  cryptographic security against counterfeiting that that is the 
  you know 1 sentence summary of what verifiable credential 
  barcodes is about.
Sam Smith:  Uh and to do this we needed to do a few things uh 
  We've created the ecds ecdsa XI 2023 crypto Suite that lets us 
  digitally sign data that's on the cards but it's not in the VCS.
Sam Smith:  We created the tourist bit string status list entry 
  mechanism to use bitstring status lists in a space efficient way.
Sam Smith:  And then we used core LD to further compact VCS down 
  to fit within barcode size constraints.
Sam Smith:  So what are some next steps here well the first is 
  pretty standardization and standards track work for the 
  verifiable credentials barcode spec.
Sam Smith:  The second is interoperability testing with 
  verifiable credential verifiers the third is deployment with 
  California DMV to add a verifiable credential barcodes to 
  California driver's licenses uh the fourth is deployment with DHS 
  to add vcbs to employment authorization documents and permanent 
  resident cards.
Sam Smith:  Okay so for anyone who's interested in uh taking a 
  look at some of the you know the nitty-gritty details of how this 
  stuff works or maybe even implementing it yourself uh We've 
  provided a list of both the specifications that this technology 
  is built on as well as some implementations of those 
  specifications that you can either look at or use so for 
  specifications of course we care about the VC's spec the DI spec 
  core LD bit string status list and of course the verifiable 
  credential barcode spec.
Sam Smith:  And for implementations we have multiple core LD 
  implementations as well as a pretty cool new linked data CLI tool 
  that supports core LD.
Sam Smith:  Uh as well as verifiable credentials implementation 
  as well as the XI crypto suite and a tool for converting 
  verifiable presentations into QR codes.
Sam Smith:  Uh last thing I just want to note that the verifiable 
  credential barcode spec can now contains test vectors and these 
  test vectors include step-by-step instructions for both creating 
  and consuming verifiable credential barcodes and of course we 
  welcome anybody who's interested in implementing this stuff um 
  for guidance or to report issues please use the spec GitHub repo 
  and uh feel free to reach out to me by email if you have any 
  other questions.
Sam Smith:  Thanks and I can take any questions now.
Harrison_Tang: Questions just type in Q Plus to add yourself to 
  the Q.
Harrison_Tang: A a quick uh clarification question so um.
Harrison_Tang: So the verifiable credential of EC barcode in some 
  ways is a digital signature uh.
Harrison_Tang: For the data in the in the physical card uh is 
  that correct.
Sam Smith:  That's correct yeah.
Harrison_Tang: Got it and but if the data is uh not in the.
Harrison_Tang: Self like what if.
Harrison_Tang: If someone just changed the data on the physical 
  card will the signature Still Still verify to be true or like how 
  do you.
Sam Smith:  No so sorry.
Harrison_Tang: No please yes I can if you could if you could you 
  could uh clarify how that works yeah.
Sam Smith:  Absolutely yeah so that's the really that gets to the 
  core of the design of the XI crypto Suite um so how the XI crypto 
  Suite works is that 1 of the inputs uh to validating the to 
  verifying the signature 1 of the inputs is a hash of a 
  canonicalization of the data that's not in the VC but that still 
  needed to uh to verify the the verifiable credential so for 
  example.
Sam Smith:  I could create a verifiable credential barcode for a 
  driver's license where verification tells me not only is the VC 
  portion good but to verify successfully I need to have pulled out 
  of some optically readable data on the driver's license name is 
  Wes first name is Wes last name is Smith and my driver's license 
  number is this so if any of those 3 things change then 
  verification will fail.
Sam Smith:   Um so.
Sam Smith:  Cept of the XI crypto Suite is that extra information 
  cannot change and you know for the the examples that we've given 
  extra information is.
Sam Smith:  Machine readable information on the physical card 
  itself does that make sense.
Harrison_Tang: Oh got it okay so it has to be machine readable 
  right it cannot be like a non machine readable okay got it okay.
Harrison_Tang: Thank you money please.
Manu Sporny:  Yeah just to follow follow up on that I mean think 
  of the way like regular driver's licenses work today like if 
  somebody hands you or shows you their driver's license.
Manu Sporny:   And you.
Manu Sporny:  Look at it you have no idea if it's valid or not 
  and and the barcode itself on that driver's license today you can 
  just go online and use free tools to generate whatever data you 
  want to go on the back of that card which means that it's pretty 
  trivial to like.
Manu Sporny:  Create a fake barcode and put it on the back of a 
  fake driver's license um the the thing that this changes is the 
  ability for anyone right that has this verify and the verifiers 
  are just like kind of free and open open technology it allows 
  anybody to take a driver's license and check to see if that is a 
  legitimate driver's license meaning it you know people can still 
  copy the driver's license entirely but it it gives you some 
  understanding of like.
Manu Sporny:  In whatever state you're in uh this is a valid 
  driver's license you can't tell that today like it that is not a 
  that is not a thing that you can universally do at least in the 
  in the United States and in most countries today um so that's the 
  big deal here is that before if someone handed you a driver's 
  license you're like I have no idea if this thing is real or not I 
  don't even know if this is you know the data on here.
Manu Sporny:  It you know is is is is is is real or not whereas 
  in the future with this stuff on it you can at least check to 
  make sure that that barcode on the back.
Manu Sporny:  Data that is.
Manu Sporny:  Was issued by the state driver's license Authority 
  um so that gives you like before you had no idea now you can 
  actually check it to see if it's lines up uh to a legitimate ID.
Harrison_Tang: Got it thank you.
Harrison_Tang: Uh any other questions.
Manu Sporny:  Yeah I do have a question for Wes so uh a fantastic 
  work Wes this is you know this is awesome stuff um uh as you were 
  putting all of this together what what do you feel is the most 
  difficult thing uh for um uh kind of a developer to implement 
  here like you know how what what is the most challenging aspect 
  of getting a verifiable barcode uh working.
Sam Smith:  That's a good question so let's go to the sort of 
  breakdown of the pieces here um I would say that if you are 
  planning to implement a SeaWorld Library yourself that would be 
  the most challenging piece of the puzzle here um if you're 
  planning on using an off-the-shelf SeaWorld library then great 
  that's not such such a big deal uh but sibur LD can take some 
  time to get right and you have to get it completely right because 
  if you encode or excuse me if you decode a credential with a 
  slightly different version of core LD then the other person 
  encoded the credential with everything breaks.
Sam Smith:   So I.
Sam Smith:  Say SeaWorld is the is the most challenging piece in 
  this stack if you're going to build it yourself uh and and that's 
  assuming you know a baseline level of familiarity with verifiable 
  credentials and and the like and data Integrity um I would say 
  that the ecdsa XY crypto Suite is pretty trivial it's really not 
  hard I mean assuming if you know how the rdfc uh kind of basic 
  EDSA rdsc 2019 crypto Suite works it's that with like 1 more step 
  um turn bit string status list entry is not a difficult 
  modification to make to regular admit string status list entry.
Sam Smith:  Um so really I would say it's core LD if you're going 
  to implement it yourself assuming you have a baseline level of 
  familiarity with the the core Technologies and the rest of the 
  stack.
Harrison_Tang: Uh sorry I have a kind of a different question 
  this is more on the kind of verifier experience can you kind of 
  quickly walk through what uh a verifiers experience look like 
  maybe the uh their user experience in UI when they actually scan 
  the barcode what is like their uh the UI on their phone look like 
  okay.
Sam Smith:  Well I can't speak to what the UI on on a phone would 
  look like because I mean that started to verify level decision 
  what I could do is walk through the process in the verifiable 
  credential barcode Speck of actually verifying 1 of these things 
  would that be helpful.
Harrison_Tang: Yes that would be good thanks.
Sam Smith:  Okay so this is a little bit removed from the UI 
  level but at least we can see exactly what the steps are here.
Sam Smith:  All right um so if you are going to consume a 
  verifiable credential barcode that's on a driver's license the 
  first thing you're going to do is you're going to scan the pdf417 
  and get some bites all right so here what we see is a kind of a 
  standard driver's license this is messy but this is what driver's 
  licenses look like if you pull the bites out of the pdf417 and 
  then at the end here we see this is essentially a verifiable 
  credential right this is the this is the VCB component.
Sam Smith:  So if we pull that out that's what extract the data 
  in this whatever means if we pull that out uh and undo the way 
  it's encoded we then get some core LD data.
Sam Smith:  Uh and the next step is to construct the map that was 
  used when making that core LD data so this is the tough step that 
  I was talking about before because you have to get this map 
  exactly right so the map is between strings and integers right 
  what we've received is a payload that just contains integers and 
  we need to invert that to get it back to containing strings so 
  that it's a you know compliant Json LD VC that we can process as 
  normal.
Sam Smith:  So we have to construct this map which we have to do 
  exactly right.
Sam Smith:   And then.
Sam Smith:  Once we have that map it's very simple you just go 
  through your core LD payload which looks like this and you turn 
  integers back into Strings.
Sam Smith:  At this point now we have a Json LD verifiable 
  credential and it looks exactly like the examples that I gave 
  earlier in the presentation.
Sam Smith:  Once we have this Json LTE VC uh we can canonicalize 
  the data in the rest of the pdf417 so what does that mean it 
  means that we've taken all the rest of the driver's license so 
  before we just pulled out the VC that we needed but now we take 
  all the rest of this and we canonicalize it and we turn it into 
  extra information so for this specific example the 3 pieces of 
  data that we care about are first name or excuse me first name 
  the AC last name and DCS DCS and driver's license number which is 
  daq whatever that is um.
Sam Smith:  Here it is.
Sam Smith:  So verification of this verifiable credential barcode 
  says the the data in this in these 3 Fields must be exactly what 
  it was at at credential creation time.
Sam Smith:  So what do we do we canonicalize we see DAC daq DCS 
  we hash it we do some more under the hood stuff uh and then we 
  can verify the credential the last thing to do is to check status 
  so as I mentioned before this is a Turf bit string status list 
  entry which gets expanded into full bit string status list 
  entries uh during verification um the algorithm by which to do 
  that exists in this specification and then those can be verified 
  as well and that's it that's the full flow so pull out your 
  credential uh you know undo some encoding to get several LD 
  construct your core LD map.
Sam Smith:  Decode the credential now you have Json LD.
Sam Smith:  Get the extra information.
Sam Smith:   And then.
Sam Smith:  Verify and that's it.
Harrison_Tang: Cool thank you this is a very very helpful 
  actually thanks.
Anil John: FYI: DHS and U.S. Citizenship and Immigration Services 
  is looking to implement VCB's in combination with DIDs (as the 
  issuer identifier) on digital immigration and citizenship based 
  credentials to enable in-person digital verification of physical 
  credentials while preserving the same privacy usage 
  characteristics as the current generation of physical 
  credentials.
Manu Sporny:  Yeah from a from a ux standpoint um just like a 
  customer experience standpoint um you take your mobile phone you 
  open the verifier app you point it at the back of the driver's 
  license and you get a green check mark.
Manu Sporny:  So it's literally you just kind of Point your 
  commodity mobile phone.
Manu Sporny:   At the back.
Manu Sporny:  The driver's license and and that's it it'll give 
  you a green check mark or it'll say you know x mark this is you 
  know uh this this driver's license has been revoked this driver's 
  license has been suspended um or somebody's tampered with the 
  data um on the driver's license you can't trust it.
Sam Smith:  Yeah oh sorry.
Manu Sporny:  Well that that that's it oh oh sorry 1 1 more thing 
  um we did ask at some point if people wanted like test cards um 
  we have physical cards uh so if you want some mail to you we can 
  do that and then there's a website uh that you can go to with 
  your just regular mobile phone and um.
Manu Sporny:  And and use that so that's up today you can use 
  this using a standard mobile phone um and a web browser so the 
  verifier apps just a website that you go to uh you click scan you 
  point it at the card and it tells you whether or not it's a valid 
  card or not and we have test cards for like.
<anil_john_[us/dhs/svip]> We are also funding the development and 
  enhancement of verification capabilities integrated into both 
  mobile and in-person verifiers for VCBs.
Manu Sporny:  Uh valid cards and we have like invalid cards that 
  you can test as well ones where they've been tampered with so 
  that you can see what you know a verification failure uh looks 
  like that's it.
Harrison_Tang: Right any other questions.
Manu Sporny:  Sorry not not a question but I would I would be uh 
  I think it's important to note who's funding this work um so um 
  DHS has been uh funding uh a good chunk of this work uh along 
  with uh California DMV uh and the National Association 
  convenience stores so all of those organizations have uh kind of 
  a deep interest in um ensuring that fraudulent IDs aren't used uh 
  in the market so uh huge thank you to each 1 of those 
  organizations for making this this uh sort of work possible.
Harrison_Tang: But I I have 1 last question uh this is uh Wes 
  this is more on your comment about C4 LD where um you know the 
  canonicalization needs to be like very exact right so like um it 
  sounds a little bit uh finicky where things had to be exact it 
  feels like 1 little mistake like things doesn't work so can you 
  kind of uh comment on the robustness or for example if things 
  change like uh how do you actually make sure that the system is 
  robust over time.
Sam Smith:  Yeah so when I say that you have to be very precise 
  what I essentially mean is that.
Sam Smith:  So there are 2 steps for cable LTE there's 
  compression which is going to be done by you know say an issuer 
  and there's decompression that's going to be done by say a 
  verifier and in both of those steps the exact same map from 
  strings to integers.
Sam Smith:   Has to be.
Sam Smith:  And that map is constructed by processing the 
  contexts that are that exist in the verifiable credential.
Sam Smith:  So when I say that it's very precise what I really 
  mean is that the algorithms that the issuer and the verifier in 
  this example have you are using to compress and decompress the 
  credential.
Sam Smith:  This exact same map.
Sam Smith:  So I mean.
Sam Smith:   If they.
Sam Smith:  Both versions of core LD that are used are correct 
  implementations there's no I mean it's fully robust right it's 
  just that um you need to make sure that you are using a fully 
  conformed version of core LD and then it's the same version that 
  was used by the issuer and so on and so forth um otherwise 
  otherwise you won't be able to consume a VCB as a verifier does 
  that make sense.
Harrison_Tang: Got it got it thank you.
Harrison_Tang: All right so if no further questions um I think 
  this concludes uh today's w3c ccg meeting uh does anybody have 
  any last uh comments or thoughts or agenda.
Harrison_Tang: All right well thank you thank you Wes uh thank 
  you Manu thanks a lot thanks everyone.
Sam Smith:  Thank you it's a pleasure.

Received on Wednesday, 7 August 2024 13:48:02 UTC