[MINUTES] W3C CCG Credentials CG Call - 2024-07-16

Thanks to Our Robot Overlords and Our Robot Overlords for scribing this week!

The transcript for the call is now available here:

https://w3c-ccg.github.io/meetings/2024-07-16/

Full text of the discussion follows for W3C archival purposes.
Audio of the meeting is available at the following location:

https://w3c-ccg.github.io/meetings/2024-07-16/audio.ogg

A video recording is also available at:

https://meet.w3c-ccg.org/archives/w3c-ccg-weekly-2024-07-16.mp4

----------------------------------------------------------------
W3C CCG Weekly Teleconference Transcript for 2024-07-16

Agenda:
  https://www.w3.org/Search/Mail/Public/advanced_search?hdr-1-name=subject&hdr-1-query=%5BAGENDA&period_month=Jul&period_year=2024&index-grp=Public__FULL&index-type=t&type-index=public-credentials&resultsperpage=20&sortby=date
Organizer:
  Mike Prorock, Kimberly Linson, Harrison Tang
Scribe:
  Our Robot Overlords and Our Robot Overlords
Present:
  Harrison Tang, Joe Andrieu, stephan baur, Kimberly Linson, Stevan 
  Erakovic [Danube Tech], Manu Sporny, Jennie M, GregB, Danny Done, 
  Will Abramson, Hiroyuki Sano, Japan, Rashmi Siravara, Markus 
  Sabadello, Sam Smith, Benjamin Young, TallTed // Ted Thibodeau 
  (he/him) (OpenLinkSw.com), PL/T3, Vanessa, Lucy Yang, Alex H, 
  Kaliya Young, TimG, Nate Otto, Anil John, Kayode Ezike, Daniel 
  Buchner, julien fraichot, Erica Connell, David I. Lehn, Tim 
  Cappalli, Brandi Delancey, Stephan Baur, cxcheng, Nis Jespersen , 
  Kerri Lemoie, Dmitri Zagidulin

Our Robot Overlords are scribing.
Kimberly Linson:  We are very excited um Manu is not here just 
  oh.
Harrison_Tang: Yeah let me start the recording now.
Harrison_Tang: All right you're good.
Kimberly Linson:  Awesome great thanks Manu is not here just to 
  help me solve my technical challenges today um he's actually here 
  to talk to us about something I know we're all very very 
  interested in which is the California DMV open credential 
  platform um I am very excited to hear what he has to say so let's 
  go ahead and get through uh our.
Kimberly Linson:  Agenda and or our our housekeeping items and 
  then we will turn the floor over to him uh.
Kimberly Linson:  I am betting that I could like call on some 
  folks to actually uh do the housekeeping notes for for me so as 
  I'm looking down the list I'm like should I call it but I but I 
  won't I'll just.
Kimberly Linson:  Preface that I might do that in the future.
Kimberly Linson:  First of all at welcome to today's call um I so 
  appreciate and enjoy this community I thought that the 
  conversation last week um and every week is is valuable and 
  collaborative and congenial and that is exactly what we want and 
  um we follow the code of ethics and professional conduct that's 
  set forth by the W3C and if you want to learn more about that um 
  just from a this is this is how you you write that down um it's 
  the link is in the agenda um but I really appreciate everyone's 
  um commitment to to um to that.
Kimberly Linson:  Um we welcome everyone who is here uh we're so 
  glad that you are uh made some time in your day for this meeting 
  and we welcome your uh conversation and your opinion and your 
  thoughts in this meeting.
Kimberly Linson:  If you decide that you would like to to 
  contribute um more substantially to the work items that we are uh 
  in pursuit of um then I would invite you to.
Kimberly Linson:   Go in.
Kimberly Linson:  The agenda click on the links to become a 
  member of the CCG and sign the IPR agreements um as so that you 
  can and participate fully.
Kimberly Linson:  We keep a record of these meetings uh via 
  minutes and audio you can see we have the Jitsi chat going and 
  the recording um and that also allows us then to cue speakers in 
  the chat which will be the role that I'm playing today is to sort 
  of moderate this call and make sure that we get to hear from as 
  many voices as we possibly can um so if you want to add yourself 
  to the queue.
Kimberly Linson:  You do that with Q Plus if you want to remove 
  yourself Q minus uh and uh and I will do my best to to sort of 
  keep on top of that and now it is time for us to uh to welcome 
  new folks and um and folks who have maybe haven't been here for a 
  while or want to share an update as to what they're doing um it 
  is time for introductions and reintroductions do I have anybody 
  who would like to.
Kimberly Linson:   Jump on.
Kimberly Linson:  On the queue.
Kimberly Linson:  Okay well we are all old friends here today 
  then and uh I will go ahead and move to announcements and 
  reminders and if you um missed the window to introduce and 
  re-energize you can you can jump in here as any announcements and 
  reminders Kaliya.
Kaliya Young:  We have Internet Identity Workshop number 39 coming 
  up in October October 29 to 31.
Kaliya Young:  I think it's.
Kaliya Young:  So if you want to sign up.
Kaliya Young:  And minus um now it's a good time to register and 
  we have our.
Kaliya Young:  Digital what's it called okay um.
Kaliya Young:  DID Unconference Africa happening in South 
  Africa.
Kaliya Young:  September 25 to 27 so if you know folks in the 
  region um.
Kaliya Young:  Encouraged and and you know they work in the 
  industry um please encourage them to look at the conference and 
  consider coming and getting a ticket now if they want to come 
  because we're trying to figure out if we have numbers so.
Kaliya Young:  Signaling by buying a ticket is an important thing 
  to do.
Kaliya Young: https://internetidentityworkshop.com/
Kimberly Linson:  Great thank you.
Kimberly Linson:  Uh Phil Long.
Kaliya Young: https://didunconf.africa/
PL/T3: Um want to put in a reminder that there is Badge Summit 
  coming up in Boulder Colorado August 3rd through uh I think it's 
  August 3rd um through the 7th um is the full duration um the 
  Monday through Wednesday is the primary days of that week and it 
  also happens to be that the last half days is dedicated to the T3 
  mid-year meeting and projects that it's doing with respect to 
  canceling will be featured in that particular portion of the T4 
  if everything's scattered throughout that might be relevant and 
  interesting I will put the link to Badge Summit in the chat thank 
  you.
Nate Otto: https://www.thebadgesummit.com/ August 5-7 in Boulder 
  CO (Including T3 Network Mid-Year Meeting)
Kimberly Linson:  So I know I am not able to go and I'm really 
  disappointed about it but I understand that there's like 
  something later in August that is online is that like a repeat of 
  the sessions or.
PL/T3: Yes they have a um a combination of I believe recorded 
  presentations as well as uh live presentations virtually um.
PL/T3: Just to make the process of the in-person meeting a little 
  bit less complicated but yes I think that's correct.
Kimberly Linson:  Great thank you.
Erica Connell:  Hello happy Tuesday uh just a reminder that 
  Rebooting the Web of Trust will be convening in Ventura 
  California in October the 7th through 11th and uh early bird uh 
  tickets are still available until August 9th with your advanced.
Erica Connell:  Paper submission by August 2nd so I'll drop the 
  link to the event right with those dates and other ticket 
  information thanks.
Kimberly Linson:  It's going to be a busy few months for 
  everybody.
<pl/t3> BADGE SUMMIT 2025
<econnell> rwot13.eventbrite.com
Kimberly Linson:  Uh all right let's see I think there's.
Manu Sporny:  Uh just an announcement around kind of where we are 
  with the Verifiable Credential 2.0 Working Group um we are trying 
  to wrap up almost every one of the specifications um this month um 
  definitely trying to finalize um the.
Manu Sporny:  Uh hey uh Kaliya I think you're unmuted and I can 
  hear typing sorry um uh.
Manu Sporny:   We're trying to.
<pl/t3> s/me says:
Manu Sporny:  Is the the test suites um uh as well uh by the end 
  of this month uh which means that if you have an implementation 
  um please uh start integrating with the test suites uh we are 
  going to try to get through um you know multiple interoperable 
  implementations as quickly as we can we already have enough to 
  meet the bar for most of the specifications but we would really 
  like to make sure that implementers have a chance to implement 
  against the the the final one uh to make sure that they can you 
  know they don't have any issues implementing it um and then uh we 
  can make uh a movement to basically finalize the specifications 
  um at at W3C uh technical plan area we'll go through another 
  candidate recommendation just to be like that's it we're totally 
  done we're serious uh around September um and then we'll keep 
  that open for as long as we need to um but probably like minimum 
  amount.
Manu Sporny:  Um before we ratify the the final uh standards the 
  2.0 standards um.
Manu Sporny:  So if you have an implementation please uh make 
  sure that you start integrating with the with the test suite.
Kimberly Linson:  Thank you Benjamin.
Benjamin Young:  Relatedly we're bringing back test suite office 
  hours um starting tomorrow at 10:00 am Eastern I'll be emailing 
  out information about.
Benjamin Young:  How you can meet with me and some other 
  developers who already have implementations.
Benjamin Young:  We can help you on board your implementation 
  there.
Kimberly Linson:  Great thank you very much and thanks for 
  sending that out to the list that'll be great.
Kimberly Linson:  Anyone else with announcements and reminders.
Kimberly Linson:  Well do you want to take a minute on work 
  items.
Kimberly Linson:  Great so we've given them a heads up that we're 
  going to start picking on them for running the housekeeping items 
  and for making sure that they've got work items to discuss um and 
  we'll give a like sort of a long teacher pause now to see if 
  anyone wants to put themselves on the Queue to talk about work 
  items.
Kimberly Linson:  Manu thank you for jumping on this you.
Manu Sporny:  I'll I'll I'll buy it I'll be the the the canary um 
  uh so uh as many of you know we've been working on the Verifiable 
  Credential API probably incubating it going on 2 years now um we 
  are down to about 30 issues uh that are ready for PR but given 
  everyone's so busy with the current Verifiable Credential 2.0 work 
  and the new DID Working Group um uh movement has been slow to 
  close up those last set of issues uh however once we do that um I 
  think there is a plan to take a verifiable credential standards 
  track uh at at W3C so um if and again it's just incubated right 
  now things will change once we get it into the working group but 
  it's just kind of a heads up to the community that we do plan on 
  uh proposing that um there is also been work done on render 
  method I think we're hoping to you know make some stuff public 
  about that.
Manu Sporny:  Is clearly of interest to various communities 
  around the world and so we're trying to focus on that uh uh as 
  well um that's it.
Manu Sporny:  Sorry yeah it's a great question um uh the uh 
  agenda is usually sent out ideally on Sunday I have totally 
  messed up this week and haven't sent it out yet but every uh 
  Tuesday uh sorry what is today uh yeah it's Tuesday uh every 
  Tuesday at 3 pm Eastern is when we have our calls um and we 
  usually send uh a reminder out um every week.
Kimberly Linson:  Great any other updates on work items.
Kimberly Linson:  All right you're off the hook until next week 
  when we start calling on you.
Kimberly Linson:  I think we are now to the main agenda topic so 
  Manu I'm going to give the floor to you and I'll do my best to 
  kind of keep uh keep an eye on the queue.
Manu Sporny:  All right sounds great um so uh today we're going 
  to kind of um talk a bit about uh new open source platform called 
  OpenCred um that uh was uh partially funded by the uh State of 
  California uh Department of Motor Vehicles um so the California 
  DMV uh funded um partially funded the work for this platform I'll 
  give the standard disclaimer I do not represent California DMV or 
  anyone in the state or any government entity or any of that stuff 
  I'm just kind of reporting out on where the work is um uh.
Manu Sporny:  With that we can we can go in um OpenCred is 
  basically a it's a verifiable credential verifier implementation 
  it does verification so if we look at our 3-party model they're 
  you know issuers holders and verifiers OpenCred does the 
  verification uh portion of it um however before I get oh we'll 
  we'll go over a number of things today like you know what does 
  OpenCred do why did we build it how does it work what can you 
  use it for uh things like that but before I get too far I wanted 
  to say a huge thank you to a number of CCG uh community members 
  um they're the ones that built uh the platform I'm just here kind 
  of talking about it um so many of you know uh them so Nate Otto I 
  think who is here today uh Brian uh coyote uh Ganesh Dave Longley 
  Matt uh Dave Lane um uh did an enormous amount of work.
Manu Sporny:  On the platform to get it to uh where it is uh 
  today so thank you thank you thank you uh very much.
Manu Sporny:   To all of them.
Manu Sporny:  Uh I don't know Anil if that's a hand to speak or 
  is it clapping hand.
Manu Sporny:  I'm going to keep going um okay so thank you very 
  much to the OpenCred uh devs um for putting the system 
  together um they continue to work on it if you have any questions 
  there they're a great source of information um.
Manu Sporny:  So what is this thing um.
<anil_john_[us/dhs/svip]> Sorry.. butter fingered the clapping 
  hands :-)
Manu Sporny:  Fundamentally um as I mentioned it is a uh 
  verifiable credential verifier uh it is open source so you can go 
  to uh the California DMV GitHub repository or the state of 
  California GitHub repository and download the OpenCred 
  platform um it was funded by partially funded by the California 
  DMV um and basically it's just it's something that helps you 
  check.
Manu Sporny:  People's verifiable credentials like that's that's 
  what it does um uh it is in production so it is running in 
  production today for State of California there are a number of 
  other entities that are deploying it into production uh and it 
  supports multiple formats uh and protocols you can read more 
  about it uh on the California uh website there's the URL in the 
  slide deck uh that you can take a look at uh there.
Manu Sporny:  Um why is this a big deal um well um.
<kerri_lemoie> Having trouble with the url
<harrison_tang> which URL?
Our Robot Overlords are scribing.
Manu Sporny:  Uh okay so that's kind of from an architectural 
  perspective where you where you can put OpenCred and and make it 
  work um uh.
<kerri_lemoie> Earlier slide: 
  https://www.dmv.ca.gov/portal/ca-dmv-wallet/opencred-for-developers/
Manu Sporny:  Also can provide uh user interface as I mentioned 
  um this is from the California DMV website so like I mentioned 
  this is in production for California um.
<harrison_tang> i see.  that link doesn't work for me as well
<pl/t3> Yup - same problem here with the CA DMV link Kerri just 
  shared.
Manu Sporny:  They put it on their login screen so one of the use 
  cases that California has is like just log in using your driver's 
  license uh because California DMV basically has your driver's 
  license data already and it's associated with an account and 
  there's a whole bunch of kind of virtual field office stuff that 
  California is doing and they want people to go beyond just 
  username and password to log in they want kind of a strong 
  authentication um through their app so one of the ways is to log in 
  with the California DMV app as an option if you click that um it 
  will generate on the California DMV website on the left here it 
  will generate a QR code and then you use on the right here as a 
  screenshot of someone using their phone to scan the QR code and 
  that will put you into an OID4VP um exchange running over VC 
  API um.
<kerri_lemoie> I think I got it right....?
<nate_otto> @Kerri interesting, I'll report that to the DMV team, 
  that is the correct URL.
<kerri_lemoie> Thanks
Manu Sporny:  And then and then you know it's standard stuff 
  happens with the digital wallet digital wallet says do you want 
  to share this information you decide whether or not you want to 
  share it um and then uh you put that uh and then it sends the 
  data to OpenCred which then uh checks the digital signature 
  checks the certificate chain uh make sure that the verifiable 
  credential is valid uh all that kind of stuff does all these 
  checks and then if all the checks you know come out that it's a 
  valid uh uh driver's license it will then send it back over to 
  the originating website like the login website um and then you 
  log in like that that's that's the like kind of the simplest uh 
  uh use case um uh.
Manu Sporny:  That's it I mean it's it's pretty I mean you know 
  it's a I'm sure everyone's seen the the flows before it's like 
  pretty straightforward it shows a QR code you scan it on your 
  phone you hit yes and then you're logged in that's that's that's 
  the end of it um.
Manu Sporny:  The uh like I mentioned there are 2 operational 
  modes that it can run in uh one of them is it can operate as an 
  OpenID Connect provider um and that is if your organization 
  already uses OpenID uh you know Connect to to do the log in it 
  can act as a provider and give you back a tokens uh to a to a 
  website um or it's got an HTTP API and that's if you're not 
  running uh OpenID uh to do log in uh and you have a website 
  where you want to be more in control of the login experience 
  there are a bunch of APIs that you can call to like.
Manu Sporny:  Create the the workflow like the the OID4VP uh 
  you know exchange um get the information from the exchange check 
  to see if the uh the individual has uh finished the exchange um 
  uh there's a whole bunch of kind of like what's the current 
  status of the exchange uh tell me if you got you know the 
  information and then finally there's an a API call to actually 
  get the the driver's license data that you want you know out of 
  the uh the exchange um and that's generalized meaning like it's 
  any verifiable credential that was handed over uh you can get the 
  the the verified information back without having to do all the 
  crypto and DID resolution and and all that kind of stuff um.
<pl/t3> and that URL for github works!
Manu Sporny:  Is for uh the GitHub repo so it's it's open source 
  you can go there uh you can download the source you can run it 
  we've already got multiple fairly large organizations that are 
  starting to use this um uh you can raise issues um you know we'll 
  we'll respond when we can um.
Manu Sporny:  And that's it that's that's where the that's where 
  the GitHub repo is um there are a number of features uh as well 
  but before I start going into the features let's stop for a 
  second any questions on.
Manu Sporny:   What I.
Manu Sporny:  Spoken to uh so far um around like vision and what 
  we're trying to accomplish here.
Manu Sporny:  Okay if not I'll go ahead and go into the feature 
  set um so there are a number of features that OpenCred has uh 
  that are worth kind of speaking to the the first thing is it's a 
  docker-based deployment which basically means you can you can 
  deploy it to any cloud environment it can be on premise uh it can 
  be a hybrid cloud environment it can be a pure cloud environment 
  such as AWS uh GCP Microsoft Azure it's totally agnostic to where 
  it's deployed in how it's run um since you have access to the 
  source code you know you can make modifications to it if you want 
  to um but but that's the general way that that we expect it to be 
  deployed is is you know through Docker um.
Manu Sporny:  Because it's a Docker image and because we've uh 
  written it to be um uh fairly um stateless uh you can 
  horizontally scale to tens of millions of verifications per day 
  so you know this is out in production uh it can scale to tens of 
  millions of verifications per day and you can go even higher than 
  that if you horizontally scale it um that's up to your IT team to 
  figure out you know how to do that best in in your 
  infrastructure but uh it's built to do that so it's not it's not 
  a toy it's not you know it's not limited um for small use cases 
  um as I mentioned it's the.
Manu Sporny:   The same.
Manu Sporny:  Name code that's on the.
Manu Sporny:  Uh on the GitHub repo is the same code that we're 
  running for California DMV in production for everyone in in 
  California.
Manu Sporny:   It does.
Manu Sporny:  Does support internationalization for multiple 
  languages so a number of the screens that you saw uh like this 
  thing on the left here that that is generated through um 
  OpenCred that is an OpenCred uh screen and each one of these um 
  you know pieces of text can be replaced can be internationalized 
  uh you'll see the translations thing up at the top here uh any 
  language you want you can translate the the text to um and it's 
  not just this text you can totally change each line of this text 
  as well so it's very configurable based on the instructions you 
  want to give to.
Manu Sporny:   You know.
Manu Sporny:  Population of people that are using the system.
Manu Sporny:  It's got internationalization support just uh built 
  in um.
Manu Sporny:  In this next one is pretty interesting it can also um 
  do auditing um this is a feature that large organizations tend to 
  want um where uh it will cache DID documents um that were used to 
  do login and verification where you can um send the presentation 
  you can you can in in OpenCred does not do this it does not 
  store presentations but you can configure other systems to store 
  those presentations and then you can in the future uh if for 
  example an organization needs to prove that somebody did in fact 
  interact with them um to do something that has some kind of 
  regulatory thing associated with it like you know the um the 
  financial reporting or something like that banks need to prove 
  that uh they actually interacted with you before you did you know 
  a transfer over a certain amount um uh OpenCred uh can can.
Manu Sporny:  5 Presentations that happened in the past last 6 
  months last year last 5 years whatever um by ensuring that it 
  keeps uh cached versions of the documents around so even if the DID 
  document disappears off the web or uh off of the the DLT that it's 
  on uh OpenCred is capable of saying yeah when the person sent 
  that presentation to a half years ago um it is uh it was valid it 
  was valid then um.
Manu Sporny:   And that.
Manu Sporny:  Organizations meet regulatory burden if they're 
  required to keep that information around um but again to be clear 
  OpenCred does not store.
Manu Sporny:  Those presentations um we didn't think that that 
  would be a good general feature for the the platform to have um 
  that is coming out in the next release about the credit so 
  that'll be out in a couple of weeks um so that's kind of a a 
  handful of features that it has it also has a number of other uh 
  features that we covered previously um so it supports open 
  digital wallet selection um uh through multiple mechanisms one 
  through CHAPI uh it can use the Credential Handler API to do 
  wallet selection both web-based apps and uh uh sorry web-based 
  uh digital wallets and native digital wallets um it uh supports 
  different presentation protocols uh so it can use the CHAPI 
  native stuff it can use uh verifiable credentials workflows and 
  exchanges through VC API uh and it also supports OID4VP oh it 
  supports all of those things and it's just a configuration 
  setting to be able to support uh variation.
Manu Sporny:   Of those.
Manu Sporny:  Other thing that it has support for is it can do 
  local verifier support meaning like it's natively at can verify 
  credentials itself if it needs to um or there are through the 
  verifiable credential API there are API endpoints that do 
  credential verification and so if you have a more Enterprise 
  grade verification um software deployment out there you can just 
  point to it uh with OpenCred and it will uh use the external uh 
  verifier system to do it um to do the verification um that is 
  useful for large organizations uh in state federal governments uh 
  big uh companies with you know strong IT processes in place uh 
  where they would specify like specifically these are the contexts 
  we support uh these are the DID methods we support we don't 
  support anything other than this or.
Manu Sporny:   They have.
Manu Sporny:  That they want to support that are not you know 
  built in natively uh in the OpenCred um.
Manu Sporny:  Or they want they need to use external resolvers or 
  or things of that nature so um you can start off kind of native 
  OpenCred and then you can move into you know other other 
  mechanisms um I'll also note that uh.
Manu Sporny:  Other external verifier support that we have is 
  we've got Microsoft Entra support built in uh to OpenCred as 
  well so if you're running on Microsoft Entra uh you can hook it 
  up to your Microsoft Entra instance and uh do uh verification uh 
  through that as well um so you can either either use the 
  verifiable credential API which is you know uh a pretty standard 
  uh but an open kind of specification or you can use the 
  proprietary Microsoft Entra uh API to do uh verification um so in 
  a nutshell those are kind of the features that that uh 
  OpenCred uh has um and that's pretty much it that's that's all I 
  you know was going to cover today um.
Manu Sporny:   We can.
Manu Sporny:  2 Questions if folks have any um happy to try and 
  talk about roadmap happy to talk about like you know um uh what I 
  can with respect to what went well and what didn't go so well 
  with you know implementing this thing uh in in working with the 
  various um standards and pretty standards out there um so let me 
  let me start let me stop there and see if there are any uh 
  questions uh concerns comments.
Kimberly Linson:  No one knows what to do because you're usually the 
  first person to ask a question.
Kimberly Linson:  Will go ahead.
Manu Sporny:  Yeah um happy to cover some of that um and I might 
  you know um uh Nate feel free to jump in with with other issues 
  that that you saw um while we were implementing I'll note that 
  you know we are trying to support every digital credential I mean 
  the major digital credential formats and and the major protocols 
  here and um.
Manu Sporny:  One of the challenges that we had was trying to hit a 
  target on what to implement um uh things that shifted out from 
  under us while we were implementing were things like OID4VP 
  um we've implemented something that you know is is I forget which 
  version we ended up implementing but it's already changed right 
  the new specs are already already different from it and now 
  there's a question of like all right like how are we going to 
  support the old thing now and we didn't even implement the the 
  middle thing and now there's a new thing as of 2 weeks ago uh so 
  how do we keep pace with that um.
Manu Sporny:  The the selection of VC-JWT 1.1 was.
Manu Sporny:  All we had at the time um and it is I would imagine 
  it's not ideal um you know we we would have preferred that a 
  different decision was made but you know.
Manu Sporny:  When large organizations look at this stuff they're 
  looking for things that are fairly stable that are that are you 
  know not going to change and VC-JWT 1.1 was kind of locked in stone so 
  that's kind of the the approach we took um.
Manu Sporny:  There was also quite a bit of kind of you know um 
  trying to align the way mDL and the VC-JWT digital driver's 
  license was done that led to I mean we you know we used did:jwk 
  um and that led to its own set of like.
Manu Sporny:   Kind of.
<stephan_baur> Is there a schema def for the mDL in form of 
  VC-JWT?
Manu Sporny:  Weird things that happened during uh implementation 
  like for example like when we were starting to you know uh uh 
  move these VC-JWTs around and all that kind of stuff we started 
  hitting storage limitations and databases um because because 
  there are legacy systems that we were integrating with and they were 
  like you know who who would even think of storing something over 
  250 kilobytes for every presentation but you know that's kind of 
  like where we ended up so so there and and there's like X.509 
  certificate chain stuff that ended up being pulled in with 
  did:jwk that required us to implement an entire uh certificate chain 
  you know uh uh uh uh checking uh you know mechanism which which 
  is implemented kind of I mean it is implemented um but 
  integrating it in with everything else it took time and it was 
  kind of a pain and you know we got it wrong a number of times uh 
  before we got it right um and even that is you know kind of.
Manu Sporny:   The shifting.
Manu Sporny:  The biggest challenge here were um.
Manu Sporny:  Something into production uh with the shifting 
  sands around the OID4 stuff and um uh in kind of.
Manu Sporny:  Not I wouldn't say experimental usage of did:jwk 
  but definitely you know it was more theory than practice when we 
  were implementing it and so we had to make a number of kind of 
  design decisions on on what we were putting out there uh now all 
  that to say what we have out there is stable um but it's old and 
  it is definitely not what's going to be the the thing that you 
  know ends up being standardized uh but but you know sorry the 
  thing that ends up being what you know the VC 2.0 work you know 
  ends up becoming but um.
Manu Sporny:  Given all that you know it is out in production and 
  it is stable um and we are able to build you know business cases 
  on top of it um and and we were able to kind of uh abstract away 
  the implementation details to the point where the the thing that 
  you get at the end which is the verified verifiable credential uh 
  you could write your business logic just to work on that so you 
  operate on the verifiable credential uh data model layer you 
  don't operate on the the did layer or the the protocol layer or 
  the the JWT layer or any of that stuff you just get raw data back 
  that's been verified and you kind of work off of that so um.
Manu Sporny:   That would.
Manu Sporny:  I would say our high-level.
Manu Sporny:  Experience with trying to put this thing together 
  and and get it out there into production I see Nate's on the 
  Queue so please over to you Nate.
Nate Otto:  Yeah thanks for that summary the 1 additional 
  challenge that I wanted to kind of bring in was.
Nate Otto:  Some tension between use cases where the wallet is 
  known we know exactly which wallet our population is going to use 
  and use cases where we want to enable there to be wallet choice 
  it's kind of hard in a user experience um in a web app like this 
  to do both of those things at the same time um and so the the app 
  here attempts to kind of thread the the needle between.
Nate Otto:  These 2 different use cases because different 
  customers will want to either allow wallet selection and to be 
  very um agile as to which protocol the um exchange is going to 
  operate over and then other um users may have a use case where 
  they've got a very specific wallet um that they expect users to 
  to use in a very specific protocol that that supports and it's 
  just kind of hard to build an an interface at the at this point 
  in ecosystem that can do all of these different um things at the 
  same time and and in a way that makes sense to the user who 
  really should not ever need to know what a CHAPI is or or what 
  a VC API is um but I think this is an interesting um stab at 
  attempting to solve that problem and I think we did a pretty good 
  job especially with a lot of the um customizability of all of the 
  text strings in the interface uh and so we're looking forward to 
  seeing other approaches out there and um the evolution of these 
  different standards to work together a little.
Nate Otto:   Bit better.
Nate Otto:  So that hopefully.
Nate Otto:  We can put together a really nice um user experience 
  that enables um either wallet choice or uh kind of a guided 
  selection toward a particular um wallet as different users need.
Manu Sporny:  Yeah that's yeah absolutely uh Nate uh and I I 
  think what what ended up happening is is at least with 
  OpenCred like if you look at the config format it is massively uh 
  like configurable to the point where I think we we probably all 
  believe there's just like there's enough configurability to get 
  yourself in trouble um and that you know I think we we probably 
  are going to try to try to figure out ways to make it easier to 
  to reason through the ways you can configure this stuff so it's 
  massively flexible right now but now you have to kind of like 
  understand how like.
Manu Sporny:  For stuff where all the oid stuff works all the VC 
  stuff works VC API CHAPI all that kind of stuff to to figure 
  out you know what subset of that you're going to use um certainly 
  you know people in this community can guide people in in setting 
  it up but it's certainly not like you know turnkey software uh at 
  at this point um Nate I don't know if you want to speak to like 
  we also had issues with like a deep link versus uh you know um 
  protocol scheme handler versus like QR code um.
Manu Sporny:  Do you like to elaborate on kind of some of the 
  challenges there.
Nate Otto:  Yeah uh so as we're learning um some of these 
  protocols work really well for same device flows or really well 
  for cross device flows and sometimes.
Nate Otto:  A particular protocol doesn't work very well for both 
  a cross device flow and the same device flow at the same time and 
  so for example the experience around scanning a QR code you you 
  can't scan a QR code with a camera on the back of the device that 
  where the screen is on the front of the device showing the QR 
  code so we have to turn that into some kind of Link uh for that 
  same device use case and um the multiple different options there 
  are to use a particular um URL scheme like the OpenID4VP 
  scheme um that is clickable here if you tap the QR code or in a 
  newer version of the interface there's a there's a button uh that 
  you can click or it auto detects that you're on a mobile device 
  expects that you won't need to scan a QR code now it's a button 
  you can click but it's really just a link to an OpenID4VP uh 
  scheme and if your device has a handler for that scheme installed 
  cool if it has exactly 1 handler installed great now you've 
  opened it in that app.
Nate Otto:   If you.
Nate Otto:  There's multiple different wallet um devices that 
  purport to handle that scheme then the selection experience as to 
  which 1 open can be a little bit unpredictable.
Nate Otto:  Another option is to use a deep link um.
Nate Otto:  Which is an HTTP link but it goes to a particular 
  domain on a you know that is owned by a certain developer that 
  has registered that domain to associate with a certain app that 
  they control and so there's you can see that there's some 
  trade-offs using these different mechanisms if you use a um 
  custom URL scheme then there might be multiple apps on the phone 
  experience might be tricky picking which 1 and if you use a deep 
  link then there is only 1 app that the user could navigate to 
  with that link so they would need to kind of select which wallet 
  they're using before the link is even generated for them and.
Nate Otto:  And then alternately to that there's the whole CHAPI 
  flows which um.
Nate Otto:  Kind of a different set of trade-offs um we're also 
  encountering some issues around um custom link handlers inside 
  web views so if you render the OpenCred UI inside a web view 
  sometimes when the user clicks that link it results in an error 
  and that needs to be caught and then retriggered rather than the 
  system being able to just pick up on that link click and navigate 
  it to to the direct um application.
Manu Sporny:  Yeah yeah absolutely so so as you know everyone 
  heard like there are lots of challenges on all the different ways 
  that you can invoke and um you know go through these flows.
Manu Sporny:  Um they're just made really complicated with the 
  different decisions platform vendors have made um in theory you 
  know digital credential API is going to save all of us and it's 
  going to get it right right for both cross devices and same 
  device and it'll be this wonderful um uh you know Utopia once 
  once we get there but uh this is the reality of it today um that 
  said like it's usable like we've you know people are using it um 
  uh and so there are ways to get through this and the OpenCred 
  system tries to iron over all of those wrinkles that Nate was 
  talking about but again it's not necessarily just like you know 
  download the software run it and off you go you've got to you've 
  got to try all the variations out uh to make sure it works for 
  your um use case.
Manu Sporny:  Any other questions Kayode I don't know if you 
  wanted to add anything with respect to like um things that were 
  hard to implement or um.
Manu Sporny:  Challenges we we face that we haven't met or 
  haven't mentioned yet.
Kayode Ezike:  Yeah I think I think you guys covered on the 
  general high level stuff um.
Kayode Ezike:  I think there was some stuff with auditing as well 
  that came that came about um around actually tracking like.
Kayode Ezike:  You know the tokens that were presented in the 
  past and you know understanding that there's you know differences 
  in different.
Kayode Ezike:  DID, DID types go through a dynamic we retrieved 
  from uh a did:web or those that are static and handling those 
  differently um as far as.
Kayode Ezike:  Um the different versions of those DIDs I know 
  that there's work being done.
Kayode Ezike:  DID spec where you can actually start to specify 
  the different versions and expose an API for that but um and also 
  I mean y'all may be familiar with Brian's work with TDW is did:tdw 
  as well which kind of tries to address that as well um but each 
  of those things are kind of relatively new so.
Kayode Ezike:  That's all I have.
Kaliya Young:  So the code for this is currently in the 
  California DMV repo.
Kaliya Young:  Um as refunded by them is this it the permanent 
  home for the code or.
Kaliya Young:   Will the.
Kaliya Young:  Code be somewhere else um.
Kaliya Young:  And partly I'm asking because um.
Kaliya Young:  You know there's.
Kaliya Young:  There can be confusion about.
Kaliya Young:  Confusion in the market about.
Kaliya Young:  What things do and who you know like there's just 
  how do we get clear about.
Kaliya Young:  Some of these things and maybe you know but maybe 
  answer the first question and then I can ask a more particular 
  version of second question.
Kaliya Young:  Oh sorry okay.
Nate Otto: https://github.com/stateofca/opencred
Manu Sporny:  Sure yeah I mean I I get I I get the question the 
  second question you're asking so um uh mechanically the code is 
  in the state of California GitHub repo not the California DMV 
  doesn't have a direct repo so it's state of CA um I mean yeah I 
  mean and it's like super easy to to I was I was like why why I 
  was like I don't understand why that's happening where why aren't 
  we putting it in the DMV repo so right now it's 
  stateofca/opencred what you see on the the screen um it will remain 
  there for as long as the the state of California.
Manu Sporny:  You know decides um.
Manu Sporny:  I can't speak to what's the future plans there are 
  I can probably say that like they would like to make sure that 
  the system that they are deploying uh in production is uh you 
  know at least under their control if it were moved somewhere else 
  I would expect them to maintain a fork um that would pull in uh 
  upstream um uh so so if you you know who's in charge of you know 
  OpenCred right now it's the it's the California DMV primarily 
  in the state of California.
Manu Sporny:  That it is open source and so anybody can fork it 
  so if you don't like that you know fork it and work on it you 
  know elsewhere it's under an open source license so that you can 
  do that um I'll also mention that the the base I said partially 
  funded by uh because the base of OpenCred is all of um the 
  Digital Bazaar open source libraries so there's a set of uh just 
  fundamental like node.js libraries that build up uh an 
  application kind of layer uh that uh again is under an open 
  source license a Digital Bazaar and then we added a bunch of 
  other things on top of that uh to build OpenCred um but since 
  all of it is under an open source license then you know anybody 
  can fork any 1 of uh the top level package or all the bottom 
  level packages and.
Manu Sporny:   Uh do.
Manu Sporny:  On to as long as it follows the open source license 
  that it's under um if I remember correctly uh I think it was 
  Apache 2 that we ended up uh licensing it under.
Manu Sporny:  Yes Benjamin uh who was involved in the licensing 
  of it yeah so it's Apache 2 um.
Manu Sporny:  Does that answer your question Kaliya I don't know if 
  it answered the second question.
Kaliya Young:  Yeah that was super helpful um a follow-up um is 
  um.
Kaliya Young:  Maybe it's a I haven't really poked around enough 
  but like.
Kaliya Young:  You know which standards are you using and is that 
  like is there a list somewhere and is there anything in this that 
  isn't standards based or like.
<benjamin_young> Actually...It's BSD-3-Clause. Apologies! 
  https://github.com/stateofca/opencred
Kaliya Young:  Like where's the line between like we we you know 
  we had to go production so we fill the hole versus like the 
  following the standards.
Manu Sporny:  Yeah that's a great question that probably I I 
  don't think the readme has the list of standards that we 
  implement does it Nate Benjamin I don't think it does.
Manu Sporny:  Okay we should we should definitely list them 
  because that would be a good thing to have there the the goal 
  Kaliya is was everything's meant to be standards based we tried to 
  not fill any holes with any kind of like made up made up you know 
  proprietary thing um so uh we implement you know OID4VP which 
  which version do do we ever forget which 1 we ended up 
  implementing um.
Nate Otto:  A little bit unclear I don't necessarily think the 
  wallets we were testing with.
Nate Otto:   Were compatible.
Nate Otto:  A specific version either but we're really close to 
  the latest version which is I think 20.
Manu Sporny:  Yeah yeah yeah so so yeah we started with 18 and 
  things weren't working and then we did 20 but but again like the 
  wallets didn't necessarily implement the and then of course 
  there's a new version as of 2 weeks ago of OID4 um that we are 
  definitely not uh aligned with um VC API we follow uh the latest 
  uh in the specifications Verifiable Credentials 1.1 we follow the 
  spec to the T as far as we know same thing for VC-JWT 1.1 um uh 
  there's the VC API backend stuff for issuance verification uh 
  sorry for issuance sorry for verification uh that we follow I 
  don't think we currently implement the DID Resolution spec 
  because we don't.
Manu Sporny:  Integrate with an external resolver um did:web did 
  did uh did:key um did:jwk um.
Manu Sporny:  Number of pre-and here that we did our best to try 
  and align with whatever was in the specification so um.
Manu Sporny:   I'm trying.
Manu Sporny:  Think if if if there's anything where we went kind 
  of.
Manu Sporny:  There was something that was so new that we were 
  like oh that's not being worked on anywhere we're just going to 
  have to slap something together um.
Manu Sporny:  Ing stuff might be the closest to it but oh sorry.
Kimberly Linson:  And I want to let I want to let Stephan we're 
  just about at time and I want to let Stephan ask his his 
  question.
Stephan_Baur: Yeah thank you thanks Manu for presenting this and 
  setting the deck ahead and all that and thanks for the team uh 2 
  2 things 1 is in in relation to before with the standards uh can 
  you also really specify the the software supply chain for it 
  like.
Stephan_Baur: You know the the the polyfill sort of issues just 
  kind of showed again that that importance that would be equally 
  helpful to have that.
Stephan_Baur: Um and then the question I had and I had this also 
  on the issue list um of course is the next thing around issuance 
  is there any plans on the road map for issuance.
Manu Sporny:  Um I'll try to answer the second question first um 
  there are plans to hook up to external issuance 
  infrastructures um we the the the doing kind of a lightweight you 
  know open source implementation of an issuer um we don't feel 
  comfortable doing that right now primarily because like we've we 
  do.
Manu Sporny:   Set up issues.
Manu Sporny:  Organizations and it takes a lot of effort to make 
  sure that you've got something that's maintainable over the long 
  term uh and so we we are going to use VC API to hook into 
  external issuance infrastructures um to start um as far as 
  software supply chain um you know the package.json available there 
  you did bring up a good point about like CHAPI and dependence 
  on external resources um because it's you know it's open source 
  and it's configurable you don't have to use the components that 
  you don't want to right and so you can deactivate you know those 
  components if if that's what you want to do I don't know I don't 
  we haven't really talked that much about kind of.
Manu Sporny:  Supply chain for you know this this piece of 
  software it's like most other open source software it's kind of 
  like.
Manu Sporny:  You get what you you get that what's there and then 
  if you want to do anything else software supply chain on top of 
  it it's kind of up to you as the deployer to to do that um that 
  Benjamin sorry go ahead.
Benjamin Young:  Yeah I just wanted to add to that we um I said 
  the wrong license earlier it's BSD 3 Clause um but we did do some 
  uh extra lifting at the beginning.
Benjamin Young:  To implement the REUSE um specification that 
  does make generating uh software bill of materials uh relatively 
  trivial um California isn't publishing any yet but.
Benjamin Young:  Can through the GitHub settings among other 
  places.
Stephan_Baur: Great thank you very helpful.
Kimberly Linson:  Great thank you all thank you Manu this is 
  again really exciting exciting work and and exciting to see this 
  all sort of.
Kimberly Linson:  Starting the the flywheel starting to really 
  turn uh and.
<benjamin_young> REUSE https://reuse.software/
Kimberly Linson:  That is it for today we've gone over just a 
  little bit so I appreciate everyone's patience thank you for this 
  great conversation and we look forward to seeing you next week.

Received on Wednesday, 17 July 2024 19:37:35 UTC