[MINUTES] W3C CCG Credentials CG Call - 2024-08-27

Thanks to Our Robot Overlords and Our Robot Overlords for scribing this week!

The transcript for the call is now available here:

https://w3c-ccg.github.io/meetings/2024-08-27/

Full text of the discussion follows for W3C archival purposes.
Audio of the meeting is available at the following location:

https://w3c-ccg.github.io/meetings/2024-08-27/audio.ogg

A video recording is also available at:

https://meet.w3c-ccg.org/archives/w3c-ccg-weekly-2024-08-27.mp4

----------------------------------------------------------------
W3C CCG Weekly Teleconference Transcript for 2024-08-27

Agenda:
  https://www.w3.org/Search/Mail/Public/advanced_search?hdr-1-name=subject&hdr-1-query=%5BAGENDA&period_month=Aug&period_year=2024&index-grp=Public__FULL&index-type=t&type-index=public-credentials&resultsperpage=20&sortby=date
Organizer:
  Harrison Tang, Kimberly Linson, Will Abramson
Scribe:
  Our Robot Overlords and Our Robot Overlords
Present:
  Harrison Tang, Yvonne Nwogu, Rashmi Siravara, Gregory Natran, 
  Joni Brennan, Dave Roberts, Sam Smith, Jennie M, Mike Xu, TallTed 
  // Ted Thibodeau (he/him) (OpenLinkSw.com), Kerri Lemoie, PL/T3, 
  Kimberly Linson, Will Abramson, Divad Strebor, Paul Jackson, Nis 
  Jespersen , James Chartrand, Leo, Sylvain Martel(MCN), Joe 
  Andrieu, Dmitri Zagidulin, Ricky Ng-Adam (MCN, Philippe Allard, 
  Hiroyuki Sano, Japan, Kaliya Young, Tim Cappalli, Greg Bernstein, 
  Brandi Delancey, Alex H

Our Robot Overlords are scribing.
Harrison_Tang: Let me try to start the recording.
Our Robot Overlords are scribing.
Harrison_Tang: Great hopefully this works.
Harrison_Tang: All right I think the chance uh transcribe also 
  works great all right so um welcome to this week's w3c cgg 
  meeting um welcome everybody um so today we are very pleased to 
  have uh Joanie and Gregory from the dayak digital identity and 
  authentication Council uh from Canada uh to present 10 Canadian 
  trust Frameworks.
Harrison_Tang:  uh but.
Harrison_Tang: Just want to quickly go through a couple 
  administrative uh agendas first of all just a quick reminder on 
  the code of ethics and professional conduct uh just want to make 
  sure that we have Khan conversations and discussions I think 
  we've been doing that uh please continue to do that.
Harrison_Tang: Second um just want to uh make a quick note on the 
  intellectual property anyone can participate in these calls 
  however all substantive contributions to any ccg work items must 
  be member of the ccg with full IPR agreement signed so if you 
  have any questions in regards to the agreement or the w3c account 
  please feel free to reach out to any of the cultures.
Harrison_Tang: Uh couple quick call notes uh these meetings are 
  being automatically recorded and transcribed uh we will publish 
  the meeting minutes the transcriptions the audio and video 
  recordings in the next 1 to 2 days.
Harrison_Tang: Uh we use GT chat to do the speakers you can type 
  in Q Plus to add yourself to the queue or cue minus to remove and 
  you can type in Q question mark uh to see who is in the queue.
Harrison_Tang: All right um I think it's time for the 
  introductions and reintroductions so if you're new to the 
  community or you haven't been active and want to re-engage uh 
  please feel free to just unmute you don't have to type in Q Plus 
  you can just unmute and introduce yourself.
Harrison_Tang: Don't be shy it's okay I'm not going to call on 
  people though but uh if you are if you feel you know Brave and 
  just uh unmute and uh introduce uh you to the uh introduce 
  yourself to the community.
Harrison_Tang: All right any announcements or reminders.
Harrison_Tang: Anyone have a come in the events uh they want to 
  announce or remind the community about.
Kaliya Young:  Yeah we've got the internet identity Workshop 
  coming up October 29 to 31st.
Kaliya Young:   We have.
Kaliya Young:  Have a bunch of sponsorship opportunities still 
  available.
Kaliya Young:  Um and they are very affordable let's just say 
  sponsoring iiw can cost you as much as going to another 
  conference so.
Kaliya Young:  I'll just put that out there folks want to.
Kaliya Young:  Connect um and early bird pricing ends I think.
Kaliya Young:  At the end of this week so.
Kaliya Young:  Please um get registered if you want that um price 
  and then we also have the did unconference Africa happening in 
  Cape Town.
Kaliya Young:  September 25th to 27th.
Harrison_Tang: Great thanks Gia.
Harrison_Tang: Any other announcements or reminders.
Kaliya Young: https://internetidentityworkshop.com/.  + my e-mail 
  if you want to learn about sponsorship. kaliya@identitywoman.net
Kaliya Young: https://didunconf.africa/
Harrison_Tang: So a quick preview of what's coming uh so next 
  week we'll have a great comeback again to follow up and wrap up 
  on the conversation regards to Anonymous holder binding and then 
  the week after that uh we actually invited um uh people from the 
  uh nonprofit open mind to talk about uh they are a nonprofit 
  around AI governance uh so change a little bit topic uh to talk 
  about their work there and then the week after that uh we have 
  Wayne to talk about proof uh proofly forgotten signatures.
Harrison_Tang: So that's what's coming.
Harrison_Tang: Right last calls for announcements and reminders.
Harrison_Tang: All right uh any uh notes on the work items.
Harrison_Tang: So we've scheduled a couple sessions in regards to 
  the different work item updates in the next few weeks uh so 
  please stay tuned and we'll have another open discussion on the 
  work items uh in quarter 4 of this year.
Harrison_Tang: So let's get to the main agenda so uh as I stated 
  uh earlier in the call very excited to have this conversation 
  very excited to have Joanie and Gregory from the IAC to talk 
  about pain Canadian trust Frameworks uh this topic uh is dear to 
  my heart I think a lot of times uh most of the time we talk about 
  digital signatures we talk about cryptography we talk about 
  selected disclosures but I think 1 of the key things in regards 
  to uh ensuring the uh identity self identity can be realized is 
  trust Frameworks and governance so uh this is a a very 
  interesting topic and I really look forward to uh Joanie and 
  Gregory's uh presentation.
Harrison_Tang: Johnny Gregory the 4 Shores thank you.
Gregory_Natran: All right so I'll take over the first bit and 
  I'll share my screen can everybody hear me okay there's a lot of 
  background noise here.
Gregory_Natran: Hopefully you're looking at a PowerPoint 
  presentation.
Gregory_Natran: There you go.
Gregory_Natran: Up on screen.
Harrison_Tang: Gregory it should be the third button oh there we 
  go.
Gregory_Natran: Yeah yeah I don't think it's it's the buttons 
  here it's the security settings on my Mac.
Harrison_Tang: We can see your full entire screen by the way not 
  just the window okay.
Gregory_Natran: That's okay there's nothing there's nothing here 
  confidential so there that should do it uh so just a quick 
  clarification uh for Harris Joanie is the president of the 
  digital identity and authentication Council of Canada I'm a 
  business and.
Gregory_Natran: Information analyst working at beige cyber Tech 
  so I don't but I've done a lot of work with Dak and so when 
  Harrison first mentioned about trust Frameworks.
Gregory_Natran: You may recall late in the spring I thought well 
  we've got we've got a a whole background on trust Frameworks 
  through the pan Canadian trust framework.
Gregory_Natran: But before we get to some details on that and I 
  turn it over to Joanie um I thought I'd present some context uh 
  because we're going to be we're shifting gears a little bit here 
  um my own personal background is I'm not I don't I'm not a 
  computer scientist I'm by training I'm a librarian I have a 
  master's degree in library and information science so so the did 
  did methods uh Json data structures is all important but we're 
  going to shift the way a little bit from that to um how a lot of 
  those Technical Solutions.
Gregory_Natran: Fully adopted in how we can generate trust in a.
Gregory_Natran:  in a.
Gregory_Natran: Security and identity context that very quickly 
  expands beyond the context of a single organization.
Gregory_Natran: Particularly important my own background is about 
  20 years of government uh Canadian public sector Services moving 
  those online and the.
Gregory_Natran: Constant push for better faster more Integrated 
  Service delivery is is the context for coming from so.
Gregory_Natran: There's it's a very basic agenda.
Gregory_Natran:  I don't.
Gregory_Natran: Think we'll need an entire hour to run through it 
  but.
Gregory_Natran:  in the.
Gregory_Natran: In terms of the trust Frameworks how do we 
  de-risk the adoption of digital identities and related cyber 
  security initiatives.
Gregory_Natran: Get the trust needed for Meaningful Digital 
  Services online um and in in part that's responses to the 
  changing online service Demands a decentralized and 
  self-suffering identity of which all of the good w3c verifiable 
  credentials are essential.
Gregory_Natran: But it is Shifting and how do we.
Gregory_Natran: How do we deal with the fact that that entire 
  ecosystem that shows up in the.
Gregory_Natran: Uh verifiable credentials data model how do you 
  build the trust between everybody in that ecosystem and across 
  the board in the absence of what you might call a formal uh 
  commercial framework like that exists in the financial sector in 
  the banking world and the credit card world and things like that.
Gregory_Natran: The way I framed this is and a lot of this will 
  not be uh new or particularly relevy to the people on this call.
Gregory_Natran: But moving Digital Services demanding is on trust 
  we need a level of trust that's difficult to get online there's a 
  great volume of personal information uh involved and it's you 
  know particularly for high value high-risk interactions and what 
  I mean by that are um.
Gregory_Natran:  I think.
Gregory_Natran: Moving transactions remote transactions for uh 
  not just buying and purchasing.
Gregory_Natran: You know your toothpaste from Amazon but buying 
  and selling houses and dealing with the requirements for a remote 
  identity verification in the legal sector which is something that 
  that Dak is now looking at.
Gregory_Natran: Of course all of that is undertaken Within.
Gregory_Natran: Uh an environment where people expect convenient 
  seamless integrated.
Gregory_Natran: They want their service experience to be like 
  that they want privacy they want consent they want transparency 
  they want the right to be forgotten.
Gregory_Natran: They want it all to be simple and easy and of 
  course none of this is particularly simple and easy when you get 
  down into the technical weeds of it.
Gregory_Natran: What it has done though.
Gregory_Natran: I would argue is the dominant digital identity 
  and security models are now strained.
Gregory_Natran: Centralized identity meaning you know your your 
  username and password that serves 1 particular company or service 
  uh has reached its peak uh we know the limitations of it.
Gregory_Natran: Standing beyond that single identity context is 
  difficult.
Gregory_Natran: Uh and the other thing that often gets lost in 
  the technical discussions is it's also incredibly expensive for a 
  small and medium Enterprises and for local governments that 
  simply don't have.
Gregory_Natran: The resources or even the Mandate in some cases 
  to develop and put together a complete digital identity solution 
  that can be fully integrated with every other government around 
  them.
Gregory_Natran: But if we don't get and meet these requirements 
  and expectations.
Gregory_Natran: All the promise of you know uh the digital the 
  Cyber economy the digital economy become harder to realize 
  particularly if you're in Canada this is particularly true if you 
  look outside of the main um the main cities and urban areas it is 
  very difficult to move a lot of this into the Arctic regions.
Gregory_Natran: That's just not uh not that simple.
Gregory_Natran: Uh I thought I'd throw in just a few um 
  statistics that Dak has collected um.
Gregory_Natran: With digital identity people the and these date 
  back a little bit Joanie you can correct me but they're going 
  back about what 2 years 3 years.
Gregory_Natran: Yeah so most people see the benefits but there's 
  a there's a large percentage.
Gregory_Natran:  of about.
Gregory_Natran: A quarter that are highly skeptical about uh you 
  know sharing their personal information giving it over to 
  government uh integrating and linking everything up.
Gregory_Natran: But a lot of the a lot of people are interested 
  in learning more about it.
Gregory_Natran: The the digital wallet concept is.
Gregory_Natran: Becoming more familiar and gaining gaining 
  popularity.
Gregory_Natran: I would say largely through the efforts of apple 
  and and Google here.
Gregory_Natran: Um and only about 14% you know are completely 
  unfamiliar with what that means.
Gregory_Natran: So we do have a.
Gregory_Natran: We have a population a user population out there 
  that's that's uh educated not 100 no no they may not be technical 
  experts but they see the potential benefits of this but it's that 
  highly skeptical.
Gregory_Natran: Core that we have to that we have to address to a 
  certain degree.
Gregory_Natran: So how do you do that.
Gregory_Natran: All seen this you know it security is an issue we 
  have lots of personal information all scattered across 
  disconnected databases all over the place some of them connected 
  to the sum not doesn't matter still a target for a hacker they're 
  often protected by weak authentication or at best usernames and 
  passwords and of course they're all susceptible to social 
  engineering attacks whether it's a publicly facing database or 
  just a internal facing.
Gregory_Natran: Business system that falls prone to to employees 
  that can be scammed just as easily as anybody else Federated 
  identity of course uh we that's been on the scene for a while 
  offset the cost you get a better client experience.
Gregory_Natran:  you can.
Gregory_Natran: Core ID functions to trusted parties.
Gregory_Natran:  but what.
Gregory_Natran: Happens and this is the the.
Gregory_Natran: I would think of where the trust Frameworks come 
  in is your trust domain starts to extend beyond your Direct 
  Control.
Gregory_Natran: Your your corporate it perimeter your corporate 
  security perimeter just exploded.
Gregory_Natran: So what's the response over the last couple of 
  years better it security.
Gregory_Natran: Factor in adaptive Authentication.
Gregory_Natran: I don't like having Microsoft authenticator 
  installed on my phone having to enter codes all the time but I 
  understand that why the company does it.
Gregory_Natran: To end encryption minimizing data access 
  privileges.
Gregory_Natran: And data loss prevention all of that.
Gregory_Natran: Rolling up into the zero trust security model 
  which is uh good.
Gregory_Natran:  I would.
Gregory_Natran: Arguments inappropriate but it doesn't resolve.
Gregory_Natran: Issue uh you're still collecting lots of personal 
  information if you're a large service provider um I'm and I'm not 
  even talking here surreptitiously like Google trying to collect 
  everything and anything about you as you search through I'm just.
Gregory_Natran: Collected to actually legitimately offer you a 
  service online there's redundant collection uh I see this because 
  as an information an analysis part it's almost it's almost 
  impossible to find 2 systems that actually don't have any overlap 
  and share information.
Gregory_Natran: Data discrepancies you've got privileged accounts 
  that still exist that can be compromised.
Gregory_Natran: And you're still in a security arms race with 
  malicious actors.
Gregory_Natran:  and they are.
Gregory_Natran: Is going to be trying to get in there.
Gregory_Natran: So you've always got to be uh watching what 
  you're doing and we see it with all we saw with the uh the crowd 
  strike failures of a few weeks ago.
Gregory_Natran: Uh of course the other response decentralized 
  identity which is.
Gregory_Natran: Verifiable credentials play in it draws heavily 
  on that.
Gregory_Natran:  we want.
Gregory_Natran: Ate the number and the size of the repositories 
  that centralized personal information.
Gregory_Natran: Basic model is everybody here knows keep the 
  personal information with the owner decentralizing storage and 
  control of it often using technology that mimics physical 
  identities where you can pull out your you pull out your driver's 
  license and give it to the police officer or the person that 
  wants to try and and uh verify your identity but with more 
  privacy because you're not handing over you're not oversharing.
Gregory_Natran: So better get better privacy and transparency you 
  can consolidate digital identities into 1 interface.
Gregory_Natran: But your trustee means still beyond the direct 
  control of your organization or your service provider.
Gregory_Natran: Still that those credentials those identities 
  those verifiers are all part of a broader ecosystem.
Gregory_Natran: In a very simplified way we've kind of described 
  as being consistent of 3 groups.
Gregory_Natran: There's the solutions and the providers.
Gregory_Natran:  the bottom.
Gregory_Natran: That is the w3c the community standards groups 
  nist is a big 1 in there they are the ones that develop technical 
  standards in many cases they develop the open source code that 
  can be put out into the community and enrolled into commercial uh 
  and other products there are the adopters at the top of the of 
  the screen there uh who have certain duty of care to their 
  clients to meet not only to meet their expectations but 
  increasingly to meet legal and Regulatory uh requirements.
Gregory_Natran: On the front.
Gregory_Natran: Line of those expectations and uh want to be able 
  to offer the kind of services and experiences that their 
  customers want and.
Gregory_Natran:  just as.
Gregory_Natran: That's a that is a Hyundai logo I couldn't find a 
  a logo that would suffice for all adopters all service providers 
  I chose that 1 because allegedly it's supposed to be a stylized 
  version of 2 people shaking hands I guess agreeing to buy Hundai 
  vehicle but in my in my non-working life I have a I have an 
  interesting car so that's why I picked that 1 if you're wondering 
  where that relationship came from.
Gregory_Natran: Uh so what bridges in between these groups the 
  solution providers and the adopters that's where the trust 
  framework comes in.
Gregory_Natran: And in this case um.
Gregory_Natran: What we can talk about most authoritatively is 
  the Dak and it's Peng Canadian trust framework but there are 
  others out there.
Gregory_Natran: Australia the United Kingdom have them uh they've 
  all been working on the Singapore does.
Gregory_Natran: I think even maybe the Philippines where they're 
  looking at.
Gregory_Natran: Trying to develop auditable outcome based 
  criteria.
Gregory_Natran: Against which the participants in the verifiable 
  credential and digital identity ecosystems.
Gregory_Natran: Can be assessed in a whether that's.
Gregory_Natran: Normal assessment by an auditor or just a a 
  self-claimed that says look this is how we go about doing our 
  business this is the technical standards we meet this is how we 
  implement it this is the process we use for identity and 
  verification these are the process we use for verification and 
  revocation of our our verifiable credentials.
Gregory_Natran: And most of them are based on the recognized 
  schemes that are coming out of the solutions and the providers 
  themselves so that's um where we're kind of positioning the trust 
  framework is uh not technical not entirely legal and Regulatory 
  and in fact in the pan Canadian experience.
Gregory_Natran: Had to make quite clear that.
Gregory_Natran:  the truck.
Gregory_Natran: Work did not.
Gregory_Natran: Uh supersede or negate any legal or regulatory uh 
  requirement that a member had if they were participating in or 
  adopting the framework uh that's not the intent the intent is to 
  supplement the they often.
Gregory_Natran: Convoluted and sometimes.
Gregory_Natran: Dated legislation that doesn't move at the same 
  speed as uh the technical technical sector uh and fill that out 
  and try and provide guidance to.
Gregory_Natran: The uh adopters that are looking at it in this 
  case I'll refer back to the legal Community coming to Dak and 
  looking for guidance on how they can best do verific uh remote 
  identity verification for their members.
Gregory_Natran: With that as a context.
Gregory_Natran:  um I think.
Gregory_Natran: Invest to hand it over to uh Joanie who's the 
  president and can speak much more authoritatively on Dak and the 
  trustee Market itself.
Joni_Brennan: Yep um thanks Greg excuse me it's great to be here 
  um in with this group today thank you for the invitation um it's 
  great to see names that I've known and I'm familiar with um and 
  also um those that are new so uh so thanks for the time today um 
  for the about the Dak um we are a nonprofit Association um back 
  in the end we were created as a result of the global financial 
  crash in uh 2008 2009 a p the um Department of Finance at the 
  federal level put together a task force to review our payment 
  system and to look at our payment system in the context of what 
  was happening globally and make recommendations for how our 
  payment system could be you know what was working and we needed 
  some areas for improvement within our payment ecosystem out of 
  that payment task force um that included public and private.
Joni_Brennan: Matter experts was a series of recommendations um 
  toward what our payment system would benefit from and the and the 
  recommendations that were the Mandate for our organization to be 
  founded where that we needed a uh our payment system would 
  benefit from a digital identity and authentication framework that 
  that framework should be developed through collaboration of the 
  public and private sector and that that framework should be 
  developed that collaboration should be hosted under a 
  self-governing body so those 3 recommendations were the 
  foundation for how our organization was founded and um and the 
  organization was founded by um a series of uh a group of um.
Joni_Brennan: National institutions telecommunications provider 
  and um uh federal government and provincial governments um today 
  our uh board includes representation from organization small 
  medium and large um Canadian and Multinational and provinces 
  including British Columbia Ontario Quebec and New Brunswick um 
  helping to bring together a common common views around um digital 
  identification and authentication um we're about 85 members um 
  you know in in terms of the our size and we are uh we've actually 
  evolved our mission and we're focused on um what we've learned 
  and Greg showed some stats but we've learned that digital ID or 
  digital identification is confusing to most listeners um when 
  we're speaking to experts or people who are working in this space 
  like people in this call you understand it.
Joni_Brennan:  when we're.
Joni_Brennan: Speaking to the adopter.
Joni_Brennan: Um of these types of Technologies and capabilities 
  they don't always understand what digital ID means and sometimes 
  they think it means something completely different um than what 
  we are intending and we also in the Canadian ecosystem I would 
  say in my experience suffer from.
Joni_Brennan: Quite a bit of um misinformation and disinformation 
  which is uh 1 of the factors in a in a public trust Gap around 
  adopting um you know emerging and existing Technologies and so we 
  do work as an organization to advance what we now um call digital 
  trust so these are the suite of capabilities and tools to help 
  people and organizations build confidence in their transactions 
  um the trust framework is a concrete uh tool that designers of 
  services can use and that Services can get certified against um 
  and then we also do a lot of Education and Research to help 
  adopters to to better understand which messages adopters um can 
  understand and resonate and you know where we need to adjust some 
  of our language for our education um 1 of the things that Greg 
  mentioned that I also think is important to call out is that um 
  the the trust framework you know just like the words digital ID 
  or digital identification uh We've.
Joni_Brennan:  I find people use the.
Joni_Brennan: Words trust framework and.
Joni_Brennan: A lot of different.
Joni_Brennan: Ways and so sometimes that can be confusing as 
  well.
Joni_Brennan: For us the trust framework is a a set of auditable 
  criteria that help to mitigate and remove risk um and help to 
  build Assurance in different solutions and services and so this 
  means that the trust framework is really a risk mitigation 
  framework that helps the adopter to have confidence in the 
  solutions that they're that they're using that they're you know 
  that they're adopting I think another power of the trust 
  framework and the way that ours has been designed is to sit as a 
  complimentary extension to technical standards and to open 
  source.
Joni_Brennan: And so this means that this framework helps.
Joni_Brennan: Adopters and helps um helps a community to not only 
  measure the risk mitigation and Assurance of a single solution 
  built on a single technical stack but also how to measure risk 
  management and Assurance against different solutions that may be 
  built on different technical stacks and for me personally I think 
  this is a very powerful tool because 1 of the things that we see 
  in Canada and for those of us you know those of you who are 
  working on this problem both locally and globally we see a suite 
  of solutions um we see a suite of technical standards um and open 
  source and we don't seek kind of a single solution so this means 
  that we will um something that's very important for our community 
  as a whole is to know how we can measure trust and assurance and 
  risk management across different communities across different 
  Technologies um to help with that uh trust interoperability for 
  how um how the information that goes into credit.
Joni_Brennan:  Essentials is verified.
Joni_Brennan: And has not.
Joni_Brennan: Been tampered with as well as how we can move trust 
  through credentials and other tools between different communities 
  and um which is a certainly important for cross border and moving 
  across different Industries so.
Joni_Brennan:  so I think.
Joni_Brennan: That's a power.
Joni_Brennan: Ful feature of what trust Frameworks can do um this 
  trust framework is also unique in that we um we have taken that 
  collaborative approach we use uh uh public review process where 
  everyone from around the world has the opportunity to comment we 
  do dispositions of comments um so taking that collaborative 
  public and private working together I would say is unique um 
  whereas you know some jurisdictions do it solely for government 
  from a government uh perspective we've tried to do it as a as a 
  collaborative approach between public and and private sector um 
  we find that people do feel in at least in our research they 
  report that having public and private work together helps to 
  provide checks and balances that they gives them more comfort and 
  helps helps um people to build trust so yeah we're uh really 
  extending um the technical aspects and so this is uh this Frame 
  you know our framework and and you know others as Greg mentioned 
  there's there's.
Joni_Brennan:  certainly a a hand.
Joni_Brennan: Full of them out there.
Joni_Brennan: Multiples Frameworks out there uh but for us it's 
  how do we add value add context um and extend for things like 
  verifiable credentials and then also how can these verifiable 
  credentials or the trust trusted information be used in trusted 
  networks and all the way into even traditional Federation really 
  you know helping with that extended layer so we're we're a 
  complimentary tool into the work that this group is doing um and 
  all of this is really to help uh reduce uncertainty for adopters 
  and I think Greg mentioned that last point on last part I'll 
  share is.
Joni_Brennan: We've seen a lot of adoption we know that there is 
  a a.
Joni_Brennan: You know the move or or the adoption and the 
  evolution from kind of traditional identity and access management 
  or Federated identity um takes time and as we move to more 
  distributed ecosystems in use of tools like digital wallets 
  verifiable credentials we will still have uh those kind of 
  traditional channels that do exist and so 1 of the things that 
  we're seeing where the areas that we're seeing adoption here is 
  um by Regulators um and how this how framework can help to 
  provide an air gap for a regulator keeping them neutral and 
  separate from the solutions providers and then providing um a 
  signal of auditability of verification and where we're seeing 
  adoption uh 1 of the areas that we're seeing adoption that's 
  interesting you know for me at least is um.
Joni_Brennan: Societies and lawyers uh we know that uh it'll take 
  time for pervasively available usable verifiable credentials for 
  people to hold these in their trusted devices um so this actually 
  also helps with the adoption of things like um other types of 
  solutions that would do photo ID capture comparative comparing 
  photo IDs to known um counterfeit characteristics using uh 
  traditional credit file methods and combinations of credit file 
  and photo ID check so we know that there will be a Continuum of 
  the shift and Adoption of these Technologies and so we're also 
  seeing a lot of adoption in this space on um something that is a 
  predecessor to something like verifiable credentials which is 
  important to help our communities step through the the adoption 
  chain as they would eventually eat we we hope and 1 of our 
  Visions is that eventually um there will be pervasively available 
  government issued um government issued identity credentials as.
Joni_Brennan:  as well as private sector.
Joni_Brennan: We're part of a supporting uh our tool is 1 of the 
  supporting tools the pctf um to help with a comprehensive risk 
  management approach that helps adopters and helps um people like 
  lawyers or others who are professionals who we need you know the 
  the professionals at the front lines of of trust um to know that 
  they can adopt a particular they can use a particular technology 
  or solution and they know that it's been verified which protects 
  uh the adopter that they have invested in the care of their 
  clients their customers their users um and helps the ultimately 
  um and most importantly the person who is you know using these 
  tools to know that these tools have been verified and that 
  they're um within the expectation of care for that person's data 
  and that person's experience as they're using those tools so it 
  is a collaborative um the work that we all do as a community is 
  is collaborative sometimes we're working on kind of overlapping 
  pieces of the puzzle.
Joni_Brennan:  um sometimes.
Joni_Brennan: On you know.
Joni_Brennan: Different pieces of the puzzle so I appreciate the 
  opportunity to share um what our experience has been and and 
  where we're going and certainly uh verifiable credentials will 
  play an important role trust Registries will play an important 
  role digital wallets while we step through the chain and and 
  traditional Federation and trusted Network operators and kind of 
  we'll have multiple of of how we do verification in society so 
  we're you know we're proud to be 1 part of that um working 
  collaboratively in an ecosystem and uh we're think we thank you 
  for the time today to share our experience.
Harrison_Tang: Thank you thanks Joey.
Harrison_Tang: Sorry I agree.
Gregory_Natran: That was that was it we we didn't go into details 
  on the I I refer you to the the pctf website itself uh for all 
  the details but uh we wanted to kind of position where the trust 
  framework sit and how they are um valuable relative to the work 
  of bodies like this not.
Harrison_Tang: Great thank you uh any questions for uh Gregory or 
  Jones.
Harrison_Tang: You can type in Q Plus to add yourself to the 
  queue authoring 1 question Johnny so earlier you mentioned about 
  uh most of the people they don't really know what digital 
  identity is or what the values are so can you share some insights 
  like in regards to what are the top 3 to 5 value that resonates 
  with adopters in other words when you're trying to convince 
  someone to adopt digital identity like what are the top 3 to 5 
  bullet points that can get them to adopt it.
Joni_Brennan: Yeah we um that thank you for that question um and 
  1 of the so how we've come up with the the the data around um 
  understanding what the audience's understanding what they don't 
  understand is we've used a qualified third-party research firm uh 
  we've done 4 waves of research across Canada uh both legal both 
  um official languages and and across the entire country and so 
  we've got data both point in time for 4 different research waves 
  and then we've got data overtime for how perceptions have changed 
  um and you know what we have seen is that when we ask people 
  about digital Identity or digital ID it it's it's low we've only 
  uh their understanding is low we've only just gotten over 50% 
  being able to conjure some kind of definition for digital ID or 
  digital identity um we we've seen that um 23%.
Joni_Brennan:  are just.
Joni_Brennan: Well we see about 55% once we do explain it or they 
  do kind of have an idea that they feel uh positive about it they 
  see benefits um we see 23% are really unsure and 22% are highly 
  highly skeptical so you know it's it's really just about a 50-50 
  split there between the people seeing benefits uh across from 
  those who are unsure and those who are very um skeptical and have 
  a negative perception what we do find um and based on that 
  research we've um committed to undertaking a storytelling 
  campaign so you're going to see that coming out of our 
  organization um in the as the fall approaches um using what we 
  call you know if you're Canadian we're using Tim Horton's 
  language and what we mean there is coffee shop language using 
  language that just kind of an average person can understand um 
  very plain non-technical.
Joni_Brennan: That's 1 of.
Joni_Brennan: 1 of the things.
Joni_Brennan: 1 pillar is used very plain language don't use 
  technical speak um that technical speak is relevant when we're 
  speaking with each other as Professionals in the space when we're 
  speaking with adopters who could be lawyers they could be my mom 
  they could be ministers or Deputy ministers and government um 
  that plain language is always a winning approach um to lean away 
  from the technical we find leaning into the capabilities the 
  specifics is more useful so we find that talking about 
  credentials or wallets or you know even authentication people 
  understand that more than this kind of broad term of digital 
  identity which is kind of too too wide and too confusing um so 
  talk more specifically about the specific capability versus kind 
  of the very broad um definition and you know most importantly I 
  would say well kind of plain language most important um next to 
  that is.
Joni_Brennan: Talk about what is going to do for people so talk 
  about the why people don't necessarily want they don't wake up in 
  the morning wanting to adopt digital identity um they want to be 
  a part of the digital economy they want to start a business 
  easily they want to know that they can onboard employees um you 
  know meeting their obligations safely and securely they want to 
  know that their teams can work remotely um safely and securely uh 
  people want to know that they can manage their uh dependent 
  children in the homes records and that they can manage their 
  dependent senior you know maybe their their parent who may or may 
  not live with them so it's all about um kind of getting things 
  done using digital to do it and knowing that you're cared for uh 
  that your data is cared for so talk more to people talk in plain 
  language talk about the problems that they have in front of them 
  that they need to solve um and then you know map the capabilities 
  into it versus kind of something.
Joni_Brennan:  really big.
Joni_Brennan: Digital identity um that that people have a hard 
  time understanding so we can't expect the world to be experts um 
  the way that a group like this is uh we have to talk to them and 
  really plain language that that addresses the problems they're 
  trying to solve every day.
Harrison_Tang: And and uh earlier you mentioned that uh you 
  noticed that there are some misinformation or disinformation in 
  regards to digital ID so I'm curious what are they and how do you 
  kind of educate the public to kind of dispel these uh 
  misinformation and disinformation.
Joni_Brennan: Yes absolutely so um thank you for that question.
Joni_Brennan: The uh I would I'll speak in my personal context um 
  you know you I think you know maybe others as well but I've 
  observed kind of the grand conspiracy theory of all conspiracy 
  theories that's really um you know there's always been there are 
  rightful concerns around digital around surveillance surveillance 
  capitalism around um authoritarian governments like these these 
  concerns are are rightful and they're valid so I want to start 
  there and this is the reason that I do this work because I felt 
  that people's privacy was being eroded and people were not are 
  not and we're not in control of data about them and that's why I 
  do this work that that's my why so these are rightful concerns 
  how you know that said um through the Advent um you know through 
  the capabilities of tools that we have now like uh social media 
  social media is fine-tuned to amplify um to amplify uh uh uh 
  conflict.
Joni_Brennan: The attention economy and so social media is 
  fine-tuned to kind of amplify these things that incite conflict 
  and and get a you know get an angered reaction um so we have kind 
  of have the perfect set of tools to spread inflammatory 
  information to get reactions out of people um and so what we you 
  know and then you kind of add in the pandemic um you add in fears 
  around rightful fears uh and confusion around the pandemic around 
  uh local and Global economies around security and you kind of 
  have the perfect mix for misinformation and disinformation to 
  flow and to be Amplified um.
Joni_Brennan: That certainly um amplification around the time of 
  the pandemic um the vaccine credential certainly um was a a part 
  of that uh conspiracy theory kind of amplification what would the 
  vaccine create credential be used for was it right or was it 
  wrong and I'm not here to comment on that um but certainly it was 
  part of that conspiracy theory and like many of us saw even like 
  5G it you know you the vaccine has microchips you know lots of 
  different conspiracy theories around that that spread around um 
  in the Canadian ecosystem I personally was targeted by a 
  far-right-wing uh political leader and a particular information 
  me uh online media um website um who who claimed that uh the work 
  that that was being done around digital identity uh digital ID is 
  part of government's wanting to track and surveil and force 
  people to get the vaccine uh the co you know the.
Joni_Brennan: We saw that very I saw that personally I'll speak 
  on my own behalf um and a lot of targeted um threats and 
  harassment campaign that flowed out of that so and and and what 
  I'll say is while it's a while it's a disruptive uh story you 
  know no 1 should have to go through that uh no 1 should have to 
  go through that type of online and targeted harassment um myself 
  included uh that you know we also have to know notice that these 
  types of you know certainly there's disinformation in their 
  people knowingly spreading false information to for for their own 
  purposes which is often to destabilize um societies.
<harrison_tang> if you have questions, just type in "q+" to add 
  yourself to the queue.
Joni_Brennan: Um and uh and often targets women and um you know 
  visible minorities or other vulnerable populations um but but 
  then the misinformation is is you know I've had friends who were 
  sharing disinformation and I had to sit down and explain to them 
  what digital identity was and once I did they said oh no that's 
  fine I want that you know so I had firsthand experience with 
  people of that nature but then you know the other poor important 
  piece is that when people um when misinformation and 
  disinformation does flow and it moves around what I'll call an 
  unauthenticated space like Twitter for example or Reddit um it 
  actually causes uh governments and private sector to stop their 
  work uh to stop their work on protecting people and protecting 
  their data and to move more into a defensive posture and to even 
  sometimes Keep information quieter when in fact we need more 
  transparency um but we do need to more transparency about this 
  work and what it is and what it means for people and why we're 
  doing.
Joni_Brennan:  it um.
Joni_Brennan: And not less transparency um but we do have to meet 
  people where they are and we do have to know that the goal is not 
  to get everyone to want to use this technology because that's 
  that's not going to happen um the goal is to help people have 
  better information to make better choices about the tools that 
  they use and to help inform policy uh Echoes forward to to 
  properly govern and regulate uh these types of Technologies.
Harrison_Tang: It kind of changed the topic I'm just curious like 
  uh how what's the difference or similarities uh between the 
  Canadian trust framework versus like you European Union standards 
  and obviously it's quite different from the US Paradigm but can 
  you kind of highlight the similarities and differences.
Joni_Brennan: Yeah so um in the EU uh so the European Union takes 
  a you know has taken and it is currently taking a more regulatory 
  approach um and you know what we've seen we've been we've seen 
  over time with the EI Dash um regulatory framework and digital 
  signatures and moving toward a digital single digital market for 
  um EU citizens and residents to be able to access services so 
  taking a very government regulatory top-down approach um and and 
  regarding the EU di the and the digital wallet implementation uh 
  work we could debate on whether it's a strategically sound to put 
  particular Technologies into the regulatory framework um I'm not 
  here to make a view on whether that's right or that's wrong I 
  think that's debatable um so certainly there's a more regulatory 
  based approach in the European ecosystem um in the um you know in 
  the Canadian.
Joni_Brennan:  ecosystem and.
Joni_Brennan: I like to think about Canada.
Joni_Brennan: And and in fact the US you know we're all 
  federations we're all federations in Canada it's provinces and 
  territories in the federal government in the US it's it's states 
  in the federal government now we do have less provinces and 
  territories than in Canada than the US has States um but still 
  we're we're all a collaborative um the US has taken a much less 
  um.
Joni_Brennan: Hands-On approach and we know there's a new 863 uh 
  document out so may may be folks who are reading that over the 
  weekend and that's certainly exciting um.
Joni_Brennan: Where 863 was really built for for private sector 
  to offer services to the federal government and a lot of the work 
  over the last 5 to ten years has been to make that work that 
  frame that um n 863 more usable in the private sector for example 
  um in Canada we also have a flavor of um there there's even an 
  identity Assurance uh framework in where I am in British Columbia 
  that is specific to British Columbia so we have um both uh 
  jurisdictional regulatory schemes Federal regulatory schemes in 
  Canada our finances federally regulated but our education and our 
  health for example is pro regulated um so we are all sitting kind 
  of at the intersections of federal and jurisdictional Regulation 
  and then non-regulated spaces as well so I do think that we have 
  a lot in common um we're all trying to solve similar uh 
  challenges and and bring similar opportunities to to our to our.
Joni_Brennan: Cultural aspects and the governance aspects um 
  there are differences like in in Canada we do have a robust um 
  corporate registry you know jurisdictional and federal Registries 
  um I know that you know I think that that's a bit lacking in the 
  US for example so we all have to work with what what our 
  strengths are um and work across our challenges as well and work 
  with our cultures and what our what our culture what our um 
  citizens and residents and Society culturally expect which might 
  be a bit different um from 1 jurisdiction to the next so I think 
  we have a lot of similarities but then um Canada I think sets a 
  little bit in the middle space between uh EU which is very 
  regulated and us which is very not regulated I think we kind of 
  sit in the middle um you know between those 2 those 2 polls of of 
  approach.
Harrison_Tang: Cool thank you.
Harrison_Tang: Anyone have any other questions.
Gregory_Natran: Stop sharing this Harrison.
Harrison_Tang: And uh I'm just curious like seems we're talking 
  about wallet uh I think uh.
Harrison_Tang: Uh you know like.
Harrison_Tang: In in the old like feder Vietnam or the existing 
  Federated identity system I think we've seen that Google and 
  Facebook emerged as the dominant players right essentially it 
  becomes a centralized system and then the now with the wallets uh 
  you know it does appear that their numbers are showing that the 
  Apple and Google are probably going to uh win the wallet War 
  right with quite significant market share um and so I'm just 
  wondering if uh uh you have any thoughts in regards to uh the 
  potential dominance of Apple and Google kind of platforms over 
  the uh kind of the wallet Wars for lack of better terms uh or if 
  it's not really a concern and if it is a concern like what can we 
  do to kind of mitigate this kind of recent centralization of 
  power.
Joni_Brennan: Right um so for people in that that's a great 
  question um for people in this group and you may you may know or 
  be familiar with um not sakamura um former uh former nor more 
  research institute in Japan not has a great video um on YouTube 
  where you know he talks about the.
Joni_Brennan: Kind of the Paradox of decentralization which is 
  its kind of always leading back to centralization um you know 
  these decentralized when it's successful is kind of trying to 
  push you to 1 Network stack or 1 um approach so there's a little 
  bit of a paradox there in that um.
Joni_Brennan: You know the decentralized approach does tend to 
  lead back to centralization and often um the decentralized 
  approach in order to when you need to do transactions of value or 
  transactions that have risk um quite often intermediaries are the 
  way that you get those things done to build in those uh 
  protective structures that you're looking for so I mean these are 
  kind of philosophical points around centralization and 
  decentralization that I feel like probably people in this group 
  could sit around a table and debate and be quite pleased to have 
  that debate um for the for the wallet specifically you know I'll 
  I'll say I'm I'm in the Apple ecosystem as a p as a person that 
  not only does this work but as a user I have a phone a computer a 
  watch an iPad so I've made I had a decision um and then also 
  contacts as you know helped with some of those decisions um to be 
  in that ecosystem.
Joni_Brennan: So uh so I do use my Apple wallet quite a bit and I 
  think that and where we do see a lot of this use on wallets is 
  payments people are getting more familiar with it um the I think 
  that the question comes forward with what can be done is you know 
  govern governments have I would argue you know the authority here 
  um in terms of using their influence and using uh the 
  authoritative levers that they do have both at a federal and 
  jurisdictional level um to try to help push um along with a 
  different jurisdictions like the EU to try to help um push uh 
  large platforms to conform to a set of criteria to to that they 
  are caring for people's data as people would expect their data to 
  be cared for that that lock in is avoided um that said you know 
  back with my user hat on if if there was sets of criteria if 
  there was testing if there was guidance and.
Joni_Brennan:  a large.
Joni_Brennan: Uh could meet that bar I would be happy to have my 
  government credential in my Apple wallet but that's a big if 
  right and and that's where the policy and regulate regulatory um 
  can be an influencer um to to help you know bring uh large 
  platform providers to where they are more respectful of people's 
  data um.
Joni_Brennan: Really where these tools come come into play is you 
  know there should be an ecosystem of wallets um that people can 
  know digital wallets that people can know have met certain 
  criteria that are trustworthy and some people will want to use 
  those platform wallets and some people will want to use 
  independent wallets and we all also know that the choice of where 
  the credential gets issued to is up to the issuer can be up to 
  the issuer um so I think that the the issuers will also help to 
  drive that market we'll have to see about you know which goals 
  are most important and you know are we going for more adoption 
  which might say Okay large platform providers have an important 
  role to play here and if they can meet criteria then great um 
  this is my personal view um and we we want to promote choice and 
  so we know that you know Cho 1 of the things our research shows 
  as well is that choice is an important feature to help people 
  have trust some people will only trust you know those large.
Joni_Brennan:  platform big.
Joni_Brennan: Only trust independent and open source some people 
  will only trust governments so that we can have a Level Playing 
  Field with tools like Frameworks um and Regulatory schemes and 
  with sound and transparent and open technical standards and open 
  source we all have a part to play in this so I we don't have an 
  answer uh but I do think all these pieces come together and um 
  and and I think you know especially regulatory has a role to play 
  here along with um working with private sector working around 
  technical standards and and Regulatory Frameworks.
Harrison_Tang: Cool thank you and uh we only have 3 minutes uh I 
  I just want to ask 1 last question uh which is uh what are the 
  upcoming latest developments or initiatives that uh you guys are 
  working on like you mentioned about some educational pieces 
  that's coming out okay you kind of preview a little bit more.
Joni_Brennan: Um yeah so first I want to thank Greg Natron he's 
  pretty modest he he was our technical he was our um lead 
  technical editor for version 1 of the pctf so you know with Greg 
  being in this group you have somebody that you can always lean on 
  who knows the ins and outs of the Dax work on the pctf and our 
  collaboration so I want to thank Greg for that and his role in 
  recognize him um and.
Gregory_Natran: Thank you and I'm still still participating just 
  not as editor.
Joni_Brennan: Yeah there you go thanks Greg um so yeah please 
  always feel free to ask Greg some questions around that and then 
  um so I mentioned the the 2 newest components are the um digital 
  wallet which is auditable criteria can work with any different 
  technology uh on top of so the digital wallet component and then 
  the um trust Registries component to help uh organizations who 
  have who are managing authoritative data in their ecosystem so 
  like for us at Dak we're we're trust registry for who certified 
  so you lots of trust Registries out there so I would say look at 
  those pieces from technical aspects um from from the framework 
  side and then we're doing a lot of work uh around an educational 
  storytelling campaign and plain language um which is really to 
  help uh those adopters which is often people who don't speak our 
  language who don't know the technology who are not digital 
  identity and identity and access management experts and helping 
  with um the language and the stories and the.
Joni_Brennan: To help to resonate with them so look for that 
  storytelling campaign um and look for more education advocacy and 
  research on our side so those 2 sides of the house around the 
  storytelling and the education and the research uh look for that 
  in the fall uh from coming out from our organization and then uh 
  we continue on a yearly basis unless uh ecosystem conditions push 
  sooner we do continue to um evolve the the pctf criteria and I 
  would say look at the digital wallet component look at the trust 
  registry component and we've just re-released um authentication 
  as well so uh so you can pull those from the shelf and have a 
  look at those and just keep in mind that they will work as 
  complimentary to you and on top of the w3c work or ietf work or 
  um open source uh so yeah this is a complimentary tool so I would 
  look there.
Harrison_Tang: Oh thanks look forward to it well thank you thank 
  you Tony and thanks Gregory uh again for the coming here today to 
  present the pain Canadian trust framework and also share your 
  thoughts on on that so thanks a lot.
<joni_brennan> Thank you!
Harrison_Tang: All right so this concludes uh this week's uh 
  shishi meeting uh so thanks for thanks everyone for attending and 
  we'll publish the.
Gregory_Natran: I think I think you got 1 sorry Harrison I think 
  you got 1 hand up maybe.
Harrison_Tang: I think oh Phil do you have any questions.
Gregory_Natran: Thank you for having us here.
Harrison_Tang: No I think he just probably pressed the wrong 
  button all right thanks a lot have a good 1.
Joni_Brennan: Thank you bye.

Received on Wednesday, 28 August 2024 15:56:46 UTC