- From: CCG Minutes Bot <minutes@w3c-ccg.org>
- Date: Wed, 12 Feb 2025 16:17:15 +0000
- To: public-credentials@w3.org
Thanks to Our Robot Overlords for scribing this week! The transcript for the call is now available here: https://w3c-ccg.github.io/meetings/2025-02-11/ Full text of the discussion follows for W3C archival purposes. Audio of the meeting is available at the following location: https://w3c-ccg.github.io/meetings/2025-02-11/audio.ogg A video recording is also available at: https://meet.w3c-ccg.org/archives/w3c-ccg-weekly-2025-02-11.mp4 ---------------------------------------------------------------- W3C CCG Weekly Teleconference Transcript for 2025-02-11 Agenda: https://www.w3.org/Search/Mail/Public/advanced_search?hdr-1-name=subject&hdr-1-query=%5BAGENDA&period_month=Feb&period_year=2025&index-grp=Public__FULL&index-type=t&type-index=public-credentials&resultsperpage=20&sortby=date Topics: 1. <Verifiable Traceability and AI in Supply Chain Management> Organizer: Harrison Tang, Kimberly Linson, Will Abramson Scribe: Our Robot Overlords Present: Harrison Tang, Mike Prorock, Chandi Cumaranatunge, Vanessa, Mahmoud Alkhraishi, Robert Long, Benjamin Young, Nis Jespersen , TallTed // Ted Thibodeau (he/him) (OpenLinkSw.com), Laura Fowler, Rob Padula, Kyle Robinson, Jennie Meier, Kerri Lemoie, James Chartrand, Tom S, julien fraichot, Erica Connell, Tim Bloomfield, Jeff O - HumanOS, Greg Bernstein, Leo, Joe Andrieu, Taylor - LEF, Olvis E. Gil Ríos, Stephan Baur, Kayode Ezike, Dmitri Zagidulin, Alex H Our Robot Overlords are scribing. Mahmoud Alkhraishi: Hello and welcome. Harrison_Tang: You're good to go. Mahmoud Alkhraishi: Thank you hello and welcome to Tuesday February 11th call for the ccg. Mahmoud Alkhraishi: https://www.w3.org/Consortium/cepc/ Mahmoud Alkhraishi: Um just as a quick reminder we have a code of ethics and professional conduct I'm going to link it in chat please make sure that you adhere to it you're all welcome to participate in this call and anyone can join any substantive contributions require you to be a member of the ccg. Mahmoud Alkhraishi: Do we have any new people who are joining us today I would like to introduce themselves. Rob_Padula: Hello I'm Rob padila here with legendary requirements this first time joining and just kind of coming up to speed on the group. Mahmoud Alkhraishi: Hi Rob welcome and happy to have you. Mahmoud Alkhraishi: Anyone else would like to introduce themselves. <mprorock> :) Mahmoud Alkhraishi: Okay um we do use G2 chat if you would like to ask a question or be added to the queue please type Q Plus and we will get to it today we have Mike purok presenting on verified trade I so I may have trade verified ah my bad on that um which is going to be talking about verify will traceability and Ai and Supply Chain management Mike you've done a lot of things in the domain there you've also been the co co-chair of the ccg in the past is there anything specific you'd like to walk through before we go into your topic. Mike Prorock: Uh not specifically I think we can kind of dive in and uh take the conversation from there and uh you know I think there's a over the last few weeks obviously we've seen a Confluence of stuff so um uh you know I'll pause and just see if anyone has any pre comments and then otherwise I'll just start sharing and diving in. Mike Prorock: Cool so um thank you all uh so Mike Barack I'm the founder CEO at what is now trade verified we we're kind of now that we're kind of Shifting out into kind of the broader commercial Market had a bit of a name change for measure.io so some of you that have been around a while may know us under that name. Mike Prorock: Um obviously been engaged in the community for a while about the ccg side as well as kind of w3c ITF other other areas uh also couple of I I did want to note a few things kind of as I'm kicking out and just kind of talking about some of the things we're seeing um. Mike Prorock: Kenny in the market and some of the approaches uh that intersect with standards and work that was originally incubated or tested here. Mike Prorock: Um you know we just saw I think gs1 just published uh some supply chain stuff out on you know things they're seeing and toolkit and developers that was great to see uh go out and uh that's something that. Mike Prorock: https://www.cbp.gov/newsroom/national-media-release/partner-government-agencies-and-businesses-join-cbp-demonstrate Mike Prorock: Intersect because I know we leverage that with some of the interoperability testing at uh us CBP uh that recently uh went out and um I think I could put a link to a press release that just went out today kind of talking about some of that work but if you want more details obviously you could talk to me you can also talk to my mood right because they drove the oil gas pipeline um stuff that is now going into. Mike Prorock: Uh it will started to go into limited production right so we're seeing some really cool stuff on the global trade side uh happening live so uh so just kind of in that context we're now seeing literally years of work kind of coalescing into what sort of boring right behind the scenes movement from system to System of different stuff but it enables solving some real world business problems. Mike Prorock: So the uh you'll probably note that the uh November date on this um uh presentation uh this is because this is uh some stuff that I did uh uh is effectively. Mike Prorock: Um a talk that I gave at NYU and Microsoft research around ethical Computing but uh um and and I think it had kind of really intersects with what we're doing here so just just kind of context for us right as trade verified what we're doing is basically going through and leveraging information to go it will point out and identify supply chain risks before they actually become an issue um. Mike Prorock: That that's the business problem right that's the business context and really the tech um I won't say it's irrelevant right but if you're not solving a business problem that people are motivated on we won't get adoption right so we've been able to uh leverage a lot of standards in advancing the solution of some of these broader business problems and specifically what triggered a lot of the adoption in uh. Mike Prorock: Uh that we're seeing in trade on our side I actually has to do with uh a piece of legislation in the that started in the US that now has got equivalence rolling out in Canada and EU and Australia and others but uh basically that holds importers accountable. Mike Prorock: For use of forced labor in the products right and and basically says look if if if we think that forced labor was used anywhere in the creation of a product. Mike Prorock: Um that uh we we can hold that uh container right they can hold those products and keep them from getting to Market and that that's a big change right that's a that's a clear regulatory thing with monetary impact but it's in response to a very serious real world issue and when we think about showing that you're not using forced labor right in your products what's interesting about that is that gives you that ability uh it it puts it a domain right on the Importer or someone involved in the trade workflow to provide visibility right to go through and actually uh give trans transparent accounting um of what's involved in the production of the product and there's a lot of pieces in that depending on what it is right you can imagine we see some very complicated Supply chains uh especially in like electronics and automotive and things like that where you may be live looking at pieces you know all the way back. Mike Prorock: To Rome. Mike Prorock: Material in many. Mike Prorock: It's a pretty wild amount of stuff to think about right from a graph standpoint. Mike Prorock: So when we think about going through and using good visibility and trade um there's a couple of key premises that I that I think are important right the and the first is that trust right if we're going to believe or build a belief network of some kind. Mike Prorock: Um you know certain things about the trade data flow uh and the data related to supply chains uh that that has to be built up over time and so if we're going to build that up over time that means we need to things we need yes visibility as to what's happening where and where in the world and what steps are happening Etc but we also need distinct attribution um and and and what we mean by that is we need to know who is presenting the data right. Mike Prorock: You know. Mike Prorock: And that that's just really a hard requirement there and as something I want to call out for this audience especially because I know a lot of times we look at um. Mike Prorock: Uh personal credentials right or you know whether that's a driver's license right or a passport or some permanent resident card right there's been all sorts of neat stuff that's spun out of this group and folks like Manu and others that have been working in the space for a long time but a lot of times those concerns and cases are really focused on things that are touching on the individual right which means that any kind of personally identifying information you know pii uh or things uh. Mike Prorock: You know related to you know information that should be preserved uh in a privacy preserving manner right this should be under the control of an individual right um. Mike Prorock: That's a got a competing interests with what we see a lot of times in the business and Regulatory world right so when we think about personal credentials things like unlink is really really important right things like having that ability to uh selectively disclose right without leaking information right um you know that you're above age for something right or have a certain license in place or have a certain citizenship right those those kinds of things that you want to be able to just reveal the minimal amount of information without revealing other data you know like when you were born exactly or where you live or who you're connected to right those are those kinds of things that need to be preserved there but trade and in particular cross-border trade and international regulatory stuff and business stuff that actually has the opposite requirement right we must know who people are we must know and we must have required links between. Mike Prorock: The identity. Mike Prorock: Ities and the information. Mike Prorock: Being exchanged um and we must have clear attribution of who is saying 1 right and what they're claiming um and that's both for regulatory purposes but it's also um a hard requirement if we're going to go through. Mike Prorock: Uh and to start to root out or identify where an issue exists right whether that's a forced labor issue like I kind of started talking about or other issues right hey maybe we had a uh. Mike Prorock: Um you know sanctions violation or maybe we had some tainted materials right we did it just read some testing with FDA and USDA Aus and others like you know let's look at like disease spread um or something coming into the supply chain that way so there are real world things that really require that ability to say who is connected to who and what made up this product and where did it come from and how did it move through the supply chain. Mike Prorock: When we look at the business side though there are strong requirements around privacy and these are the things that people get sensitive around right um in the business context and this is an area that I think we're starting to see some good answers around we're we're definitely I think there's good work on SD JWT I think is getting ready to go to last call we'll find out um sdcwa cases uh and obviously also uh variety of the select disclosure mechanisms we see out of the pure um kind of linked data world as well um that's how we account for some of these things um that are uh concerning and require privacy or sensitivity um of handling in the business World which is basically the falling into typically 3 buckets pricing information is super sensitive right someone Upstream. Mike Prorock: In the supply chain doesn't want to go reveal a price advantage that they're giving to 1 you know 1 P person purchasing can have for uh versus another. Mike Prorock: Otherwise they won't share data right. Mike Prorock: And they don't share. Mike Prorock: Don't get into compliance uh capabilities right we don't get into visibility capabilities the other thing is intellectual property anything that's leaking uh means mechanisms of constructing things that have a unique Advantage whether that's on the product side business side Etc right those those are areas that are uh require strong privacy protections um and then same thing with things that could expose illegal or compliance issue right so so that means that even though we must have this kind of liability and attribution property in supply chain credentials uh and identifiers we uh that doesn't mean that there aren't things that don't require some of that same kind of level of privacy preserving mechanisms that we look at often in The Human Side. Mike Prorock: So how we've been building things out I think this is probably familiar to most folks on this call but maybe not um the uh just in case is there's really 3 questions we're attaching and using standards. Mike Prorock: Help us in that process of providing visibility throughout various Supply chains um. Mike Prorock: Our customers and this is kind of the who right so you know who is attesting a piece of data or a testing a piece of data on someone's behalf or making claims right. Mike Prorock: Um and we do we do that with uh dead web today right we're looking at business identifiers we want uh you know strong linkage back into the domain sign there I think we're going to see some improvements on that stuff over time I've seen some cool drafts at ITF I know there's some stuff working kind of over at w3c as well alright so we'll see where that ends up emerging but for right now basically good key material out on the web somewhere uh linked back into the domain right that that strong enough to know who someone is for right now um there's the what right what is being claimed right so what attestations are being made um so that we can start to validate like on our side right from the business value side is that well are these claims true does this company exists did this product exists or staged a production exists well those claims that you're uh rolling about we represent as VCS right so we we just create a you know 2. 0 1 1. Mike Prorock: Now on to 2. Mike Prorock: And we just create a VC and that lets us structure the claims and clearly and semantically know who is issuing a set of claims um. Mike Prorock: You know uh who's in you know what what is the data structures look like which would be expecting when it's issued and all the all the good properties VCS. Mike Prorock: And then we kind of uh have another interesting thing that's kind of in the mix behind scenes but really only comes up from like a system of record standpoint and an audit standpoint but it's still an important property which is when did these things occur right so when a piece of trade data was first encountered um a lot and a lot of times because of trade and I know Mike mood is very familiar with this uh a lot of times trade data is paper like and just sometimes scan paper in fact the bulk of trade data these days right uh still right uh made in certain advanced cases we may see some XML like that's how far behind global trade is right now we're starting to see that change we're seeing modernization roll out in the US we're seeing good efforts uh and and having good collaboration with Singapore and some other you know parties South Korea right so we are seeing some good rollouts on this stuff now finally but it's taken a long time to get there because it's a big slow moving engine. Mike Prorock: Um you know from a global trade perspective right that that is huge and takes a long time to move and there's a lot of parties involved. Mike Prorock: Um but the when uh is really important um so when did I receive say a scan of a bill of lading right that's being used as evidence to say hey this transport occurred at a certain time right um the uh and that's where we use ITF Skip and that basically provides us the ability we we like to think of it as a digital notary and it's just a witness it's a third-party external witness that automatically is maintaining a good you know Miracle tree you know build out that's keeping track of uh what was received when and and in an auditable way right which is really important to meet regulatory things. Mike Prorock: So the Baseline credentials what we think about establishing visibility there's really kind of a you know I look at it as a 3 plus 1 uh you know plus plus right and and talk about what that means now but basically you have to know that the financial transaction occurred related to trade so if we look at a supply chain right supply chain is really flow of product 1 way flow of some kind of currency right or monetary value back right or numeration back uh to the person who provided the physical product um and then flow of data both directions right so when we think about this what we're representing and looking at here is the data side related to supply chain. Mike Prorock: And the purchase order and Commercial invoice combo tells us that a transaction occurred someone actually ordered something requested it it wasn't just sents for money laundering purposes or something else right uh and it's linked to an actual invoice it might be some other docs that support that but those are really the 2 that established the financial linkage as a mandatory aspect when we look at talking to some kind of regulatory agency us CBP treasury you know UK customs and revenue and all these other folks that are looking at this stuff. Mike Prorock: The other 1 uh is something that came out actually at the traceability group uh here um and then we've tested uh pretty thoroughly at CBP which is the transport Dock and we've called this a multimodal bill of lading all that means is that the mode of Transport might change over time right so we won't get into full history of Naval. Mike Prorock: Shipping stuff and where bills of lighting came from but anyways really old principle you want to know something got loaded on is in the responsibility of someone else got transported from point A to point B and that that leg Journey occurred that's what the bill of waiting lets us do but the multimodal bill of lading represents the fact that hey we may have had a truck involved somewhere. Mike Prorock: Maybe some error transporter rail not just ship right so that's something we need to be able to recognize as 1 single unified transport dock. Mike Prorock: Of the mode or modes of Transport that we're involved. Mike Prorock: The plus 1 that's a really nice to have when we think about the establishing what goes into a product is the bill of materials. Mike Prorock: So that's a really nice thing and there's some great work based on the sbom work that was done for software bill of materials uh for hbox Hardware Bill materials coming out of siza and some other places so that's basically our preferred approach for capturing bills and materials right is using H bombs as they exist today um there are depending on the regulatory environment and the trace right that may be some other credentials and those are the plus pluses right you know maybe I'm doing an intent to import that says I'm planning on moving this across a border and you could share this data and this data only write with US Customs or another regulatory agency so there's other credentials that may get involved in the supply chain. Mike Prorock: Up the top right your purchase order you know commercial invoice basically the financial transaction combo plus transport for each leg right each hop of production each component those are the required ones right that if we're thinking about establishing visibility. Mike Prorock: So where does AI come into the picture well comes into the picture with a variety of different ways right remember how I mentioned that we get a lot of PDFs and scanned images and things like that floating around and they uh. Mike Prorock: You know world of supply chain data well that kind of you know you could think of it as OCR I think we're kind of past OCR the way it was you know at least a couple years ago these days but. Mike Prorock: Um you know maybe information extraction is a better way of thinking about it. Mike Prorock: Right so. Mike Prorock: That ability to say hey I've got the Legacy data or data in 1 format right and I can XML format but I need to represent it and get it mapped over and linked into a credential that can be signed and witnessed and issued by parties. Mike Prorock: Uh 1 key area where AI sir you know AI is we know it today right and I I mean by that by AI I mean. Mike Prorock: You know. Mike Prorock: Actual um you know large language model driven agentic AI right like. Mike Prorock: Something that's taking agency and actions on its own not just making Next Step type languaging right so that that kind of digitization is a key thing. Mike Prorock: Um uh the other side is that question of like well hey if we've got all these claims and and we generally want to trust people that are being transparent with us we still need to verify that data and that's an area since I just mentioned they didn't think AI right that agents can really help us and that's kind of the core of our systems. Mike Prorock: Is you know what is it you know how can we go through and say oh well someone says this originated here or this product happened here or this companies located here right makes a variety of claims well there's information that could be used to back those. Mike Prorock: That's something that uh. Mike Prorock: You know we leverage heavily. Mike Prorock: Um so when we think about llms right and being a part of things right uh they're not AI in and of themselves right they require their part of AI. Mike Prorock: But they're not an AI on themselves. Mike Prorock: And so. Mike Prorock: As I mentioned right when we're deploying agents and teams of Agents we're automating the role of people looking at and validating data right against other known things right signals data data from uh you know uh imagery right and when I say imagery I mean like things like coming off the satellite right you know uh stuff like that so and and also to digitized information hey I found something on a website or I found a I I received a um a scanned bill of lighting right how can I make a credential that's linked back to that original document that was received Etc. Mike Prorock: And this is the other area that the 3 principal you know the 3 core standard things we were talking about like dids to a degree though that's becomes less important when you're looking at internal systems that then get shared out only with regulatory or audit type people um but VCS and skit for sure right so when you look at being able to nottori and witness that certain actions and steps were taken by a system uh and what steps were taken right those claims um those are things that must be honorable right if we're going to trust when an AI says yep I received this document from so and so I went and validated it I made sure it was conforming I passed it along to the right party I researched some other things right I looked for a problem or found a problem right. Mike Prorock: All of those steps that are taken by an AI um need to be auditable right we need to be able to go back and recreate in a step-by-step way what was happening and that's a hard thing to do in the market today and that's where we definitely Leverage. Mike Prorock: Um you know VCS and skate especially to go through and say what was happening when by what process when was the information retrieved by what process right if a web crawlers pulling in a piece of information well what were the details of that what machine did it occur on right all those little details. Mike Prorock: Have to get you know pulled together and audited and everything if you're going to go through and make decisions based on this you have to be linked back to the source data maybe it was from a uh Field Report right or an audit uh. Mike Prorock: Conducted by a um a supplier audit right on site all that information has to be witnessed. Mike Prorock: So we go through with mine and crawl all sorts of you know what generally gets called osin Data. Mike Prorock: Open source intelligence data just something you can get to on the open web somehow. Mike Prorock: And construct these knowledge graphs and connect who the actors are right what's involved um what kinds of information or risks have we identified and Link all that up and use VCS to do all of that. Mike Prorock: So when we're looking at the various pieces not the other piece obviously as we talked about is going and creating VCS and things like documents right so as people move to digital native creation of data in VC format from the start great awesome they're going to eventually get there we're seeing more of that uh especially at assistant to system level and supply chain but it's going to take a long time to get all the way there right we got to push all the way back. Mike Prorock: Uh many times to raw material right I'll give a good example um uh just as a problem set for folks to think about right how do you represent the fact that um a bail of cotton right or not even really a bail like a wheelbarrow full of cotton was delivered at a mill somewhere in India and maybe a handwritten receipt was involved these are hard things to represent digitally in a test tube but they're required by the way traceability legislation exists today so that's stuff that we have to think about when think about yeah it'd be nice if we just had everyone in a perfect VC future uh you know VC did Future where everyone is just using digital credentials for all the things but this is actually going to push pretty far back into the real world and in a way that won't happen overnight. Mike Prorock: So where this gets really valuable when we think about remember I said that there's kind of 3 core documents and then a list of others that might be required for certain regulatory purposes for different Supply chains. Mike Prorock: It can go through once you know that and start to say hey where are things missing right what do I know what am I expecting how complete is the information picture that measure of completeness from information and compliance and actually turns out to be really important because that's that's how you go through that's how people that are buying from uh various suppliers know how transparent their suppliers are being with them and Upstream all the way back it's also how you show that you're compliant with certain legislation right um I think it's 211 up in Canada you flip that down here uh increasingly itar on the export side right all the all these things come into play. Mike Prorock: So for us we all ultimately just. Mike Prorock: Reports right that analyze this stuff say hey we had a shipment it's clean or it's got a problem right. Mike Prorock: But all of that. Mike Prorock: That has to be signed by our system. Mike Prorock: So that it's trusted and if it gets passed along to some other regulatory agency or some other party in the supply chain to say hey this is good or this is bad but here's what came out of the system when and it was linked back to these processes all of that's backed by verifiable credentials for us. Mike Prorock: Right that's the. Mike Prorock: The only way we have of sure we could go just use raw digital signatures and stuff but then you'd have no meaning on it right you wouldn't have the full 3-party model right the way you do with VCS so VCS bring us a lot of Advantage there and we like that. Mike Prorock: So there's some big outstanding industry concerns that uh before I open it up to question these are things that I would kind of challenge the ccg to think a little bit about like we're having some of these conversations the world economic Forum level we're having some at uh. Mike Prorock: Trafficking right on some other un uh related venues and things like that um but these are these are the big outstanding challenges that we see in the industry still today we see a lot of talk around these sometimes we see a lot of ignoring of these things and uh other cases or just assuming that they're going to work out but we haven't seen actual practical deployments that really tackle these 3 core issues yet um and we're making some Headway on some of them but these are the things that I I think if the ccg needs to you know has an opportunity to go provide some real value and drive some stuff in. Mike Prorock: First is in how do we share sensitive data across uh across organizations and and I'll lay out the example say you're a um. Mike Prorock: Palm oil producer in Malaysia or Indonesia and you identify that 1 of your facilities is using. Mike Prorock: Right or using child labor. Mike Prorock: Well 1 obviously you're going to respond to that in some way right and um I you know hopefully remove that but how do you then go share that out right how do you go share that information that hey this supplier right had a had a problem how do you let other folks know that especially if they didn't resolve the issue. Mike Prorock: That's not as simple as just dumping that information out on the open web right so let's think about this right if we dump that out broadly what ends up happening well you might actually have physical ramifications what if 1 of the people there and and I'm using like real world examples I've seen smuggle to cell phone in and took pictures. Mike Prorock: You don't want retaliations against that person right that exposed the problem and their people you don't want retaliations against the business that is now trying to share that uh even though they technically were non-compliance by using you know that kind of thing with unknown even unknowingly right they were a non-compliance so we've got to have a way to share those pieces of reported information without blowback right either to the organization that's reporting or blowback especially at the human level right to the to the people that exposed that a problem was going on so that data sharing across organizations is a real big challenge. Mike Prorock: The other side is that broad or adoption of the corner you know standards so making sure we kind of really stay focused on what are the things that matter and how broadly can we get them you know VC 2.0's Etc right how do we how do we make sure we're driving that and you know um obviously all of our users and stuff like that and our supply chains are touching this stuff now but but that's going to be a concerted effort and takes work which means we have to go find business value somewhere and then deploy this if we want to see it deployed right as a part of it. Mike Prorock: And then the third piece and this is possibly the most challenging. Mike Prorock: How do. Mike Prorock: We actually linked entity in business IDs back into the persons. Mike Prorock: And where should we do that and how should we do that what are the guide rails for that. Mike Prorock: Um and and I'll give you an example when we think about um why this is such a challenge you would think oh yeah well I could just show the businesses maybe I'm not going to look at the people involved at all well actually with the way legislation globally is written there's a lot of requirements around understanding who at least the officers of a company are and the investors right the beneficial ownership right because a lot of legislation at the sanctions level or at the um you know forced labor level or uh other you know military defense level. Mike Prorock: Requires that you understand who is benefiting right uh within a supply chain or within Financial transactions so that means that is like it or not we got to link back into you know at some point you got to make that jump and connect and say this person. Mike Prorock: Represented by such and such ID is connected to this business right represented by such and such ID right. Mike Prorock: The business side as we talked about right needs strong linkability you do need linkability to the officers involved and maybe some other employees someone acting on behalf of a company Etc. Mike Prorock: I don't think at least I don't particularly want to say that linked back to like a uh you know national credit score social credit score type system like we've seen in some uh areas like we probably don't want to go push away from all the pii uh preserving you know privacy preserving uh mechanisms we have today we don't want to push away from that kind of stuff um we actually want to maintain personal privacy all right and control of individual uh knowledge over data so we got got to figure that out right now. Mike Prorock: Maybe that is handled at the same way we're looking at some of these personal credentials maybe it's not but we got to figure out how do we handle those linkages where they're required by law while not destroying all that kind of personal you know the the personally related um credential properties that we're after right on likeability privacy Etc. Mike Prorock: That's kind of my uh I think broader challenging outstanding call to action for the group if someone chooses to go take it as those are areas that are interesting that do not have well-defined Solutions uh yet um that uh this group definitely I think can uh add some contributions to so with that I'm gonna stop talking for the moment anyways and uh pass it back to my mood for any questions. Mahmoud Alkhraishi: Hi uh well that was a really really good presentation thank you for that Mike I have a question myself but before I ask it does anybody have anything they'd like to go through. Mahmoud Alkhraishi: If I can ask. Mahmoud Alkhraishi: If not okay um well I had a few questions actually the first is 1 of the first things that we talked to you at was how these businesses. Mahmoud Alkhraishi: Right as much as supply chain in a very integrated way right like the advanced ones are using XML most of them are like. Mahmoud Alkhraishi: Sending Excel spreadsheets their printing we have to assigning them stuff like that. Mahmoud Alkhraishi: Obviously they're not ready today to understand like data they're not able to understand how that works. Mahmoud Alkhraishi: So I guess. Mahmoud Alkhraishi: 1 Do you think they're ready to leverage this. Mahmoud Alkhraishi: And how do you. Mahmoud Alkhraishi: With those businesses around these Technologies. Mike Prorock: Yeah it's a great question um you know I think we're starting to see some of that stuff getting leveraged like we've got and and we'll be able to talk publicly about who uh and where appropriately uh at a later date but I can say generally we've got 2 broad areas of adoption going right now in addition to I know you guys have some pretty good adoption on the steel side Etc right. Mike Prorock: All right. Mike Prorock: Uh you know pipeline stuff uh right now we've got definitely some steel Folks at the system level and that's actually being handled adoption Wise by like Erp level Integrations like because I I mean let's think about it right most of these things at that at least at the last hop when something's crossing a border that's that's handled automatically right or it's handled at any large scale with automation so I think the big challenge is as you go Upstream in the supply chain those last tops I think they're starting to get there and we're starting to see some integrated automation pieces um we're also tying directly into 1 of the larger uh Customs processing you know backends um for a number of freight forwarders and Brokers right so we're actually picking up a lot of this stuff I mean the the other thing though I would note when we think about like our people ready for adoption is well at least on the regulatory side when you're dealing with something that says I've got to go prove that you know this came from here and. Mike Prorock: Here's all the. Mike Prorock: The data was captured right and everything else even though those a lot of times are paper docs a lot of times those paper docs right are the hash of that right the PDF right um is getting linked and. Mike Prorock: Act in our system by VCS and signed the things that kind of create that hey even though you might have had a legacy thing like a piece of XML or a spreadsheet or a paper doc somewhere we saw it at such and such time and here where the properties of it and here's how you know that hasn't been modified since we looked at it right. Mike Prorock: Um and then you obviously using Ai and OCR and other models to extract out the core regulatory required information itself and create VCS automatically from that right that are conforming so we're seeing some of that stuff happening already today I don't think it would be possible without AI being aware it's at right um if we were still using the OCR of 5 years ago um you would never give it enough examples in the world to train using traditional methods right to be able to get to uh the level of extraction required to properly linked and match all this data but we're definitely seeing stuff over the line now so hopefully that answers your question a bit. Mahmoud Alkhraishi: It does thank you Harrison you're up next. Harrison_Tang: Hi I'm just curious that uh you know a lot of these businesses and data sources they don't even know what verify what credentials uh are so so my question is uh if they don't know what they are and cannot issue it and how do you deal with uh these sources. Mike Prorock: They don't need to know what they're using like they don't know what oh off to is either right when they log into you know okta right so that that and that's 1 of those things is they don't need to they need to know what the properties are uh and then that could be handled on their behalf right and this is where plugging into the cloud providers and the erps like I mentioned right so when you've got a system that says yeah we need to make sure you are who you say you are maybe linking it back into an Lei or something else right um uh and and you know you just need to know you have such and such identity and behind the scenes this is being done in a way that's strongly uh you know meets the strong properties you're after I want to know this data wasn't tampered with I want to know you sent it not someone else right those kinds of things so so that's really the trick of service providers is to say hey don't worry as much about educate trying to educate and end user about what a VC is right. Harrison_Tang: Oh so just to. Mike Prorock: Saying what are the properties right that you're after and here's a system that helps you get there. Harrison_Tang: Got it so just to clarify basically you're saying that the erps will be issuing the verifiable credentials on their customers behalf basically right. Mike Prorock: Yeah or they're calling an API that's doing it on their customers behalf right so you're seeing service providers in different areas and and I mean you can go take a look at things like Microsoft entra and stuff like that that we're logged into you want to look at some of this stuff at a pretty large scale around VC and identifiers so those are the things that like when we think about subject matter specific systems right and I'm thinking of Neil flow on the um you know kind of uh you know I would say pipeline and oil and gas type industry like I'm thinking of us in terms of broader trade and compliance um those are the kinds of things where those systems if they're adopting this yeah you're going to see broad adoption here but you don't need to I think they're people that get really excited about standards and nerd stuff right or just nerd stuff in general right um if I think back to younger me trying to like get people on a Linux desktop well that 1 needs to get on all Linux and you can get get them there but they're not going to care um you know just because. Mike Prorock: Linux because you care because it's open source right and Linux and it's the same thing with things like ECS right we really have to sell the properties and the values of this stuff and deploy that out in our own systems if we want to see that adoption happen. Harrison_Tang: Cool thank you. Mahmoud Alkhraishi: Thank you um 1 of the things that you mentioned about looking forward 1 of your calls to action was about data sharing across organizations right. Mahmoud Alkhraishi: Do you. Mahmoud Alkhraishi: Know of a current place where this conversation is taking place do you know where people can talk about it I know DM and ITF is very tangentially related to this but it's not on point any thoughts where we start. Mike Prorock: Yeah DM is an interesting 1 right now I'm curious I I'd have to um. <mahmoud_alkhraishi> DIEM Mike Prorock: I have to actually go talk to some folks on my team that are more plugged in with that site I know they're looking more at the token site but they're not really getting at they're more getting around self attestation or attestation on behalf of an agency rather than sharing this kind of data. Mike Prorock: Um the the closest um group The the group that is at least getting the conversations. Mike Prorock: https://techagainsttrafficking.org/ Mike Prorock: Going uh on this um R2 and I'll put l well 1 I don't need to put a link in because I think everyone knows who they are but World economic Forum definitely has conversations going around this area. Mike Prorock: Uh the group that we've seen some definite motions around is Tech against trafficking um and then there's a nonprofit that has spun out um of Sheffield Hallam. Mike Prorock: https://supplytrace.org/ Mike Prorock: That we um like quite a bit and have done a lot of work with called Supply Trace um so there's just spun out a Northeastern and Sheffield home and I think they're now evolving quite a bit but they're another 1 the very supply chain specific right kit you share some data in a safe and academic context. Mike Prorock: I would say though that like um. Mike Prorock: While I think Supply Trace could get there uh eventually right and would be a great place to deploy the right technology and would be willing to deploy the right technology they probably wouldn't design it right um uh so that would have to be done tested implemented elsewhere and I think a lot of the folks involved in Tech against trafficking um for sure are highly interested in solving that problem right I we had a great conversation at the last session in London last year uh with like myself and Amazon and Google and Microsoft and like a whole bunch of folks that are nominally competing right but in practice all have this shared interest of saying Let's do let's enable ourselves to do a little better for the world right let's avoid some of these modern slave your problems and and tackle some of the technical things that prevent us from really uh solving some of those challenges we see in the real world. Mahmoud Alkhraishi: Thank you um does anybody have any questions I don't see anybody on the. Mike Prorock: I'm very happy to give people time back to so. Mahmoud Alkhraishi: Before we do that thank you so much for your time Mike um I I do have a few non sorry go ahead and Harrison. Harrison_Tang: Yes uh so this question is more on the AI side of things so um by the way I just want to make a comment that I was talking to a lot of the data folks and uh uh he uh actually mentioned that uh large language models very good at finding linkages between products and brands or companies basically so just want to make a comment on that but anyway I'm just curious about um the application of AI is it's mostly for data extraction or uh the agentic AI or both right like what are the applications of AI. Harrison_Tang: All the applications. Mike Prorock: Oh yeah yeah I'm happy to talk to I mean that's the area I tend to live live and breathe and obviously the info extraction side is part of it right creating knowledge graphs or belief networks right from arbitrary data that's a really important property um I will add a caveat um when we think about llms establishing linkages between Brands products components. Mike Prorock: Um I have ever I have not ever seen an llm itself that will do that accurately um and and we've got a very like we look at. Mike Prorock: Billions of things every day right our systems do um so hallucinations are real so you'd be aware of that now agentic systems. Mike Prorock: Using llms can be really really effective at tackling that task what's the next step what went into this and what our systems do that today um and do things like say hey I found a piece of information somewhere that indicates that there's a problem uh something related to a very specific supply chain and here's what needs to be done about it so automating that thought process of the analysts the information gathering the searching the processing right um uh in linkage of all that data that's effectively what our systems do with AI right it's like we've seen um like 7x headcount reductions that a lot of our customers just on the information processing site alone so that those functions can go back to doing their actual jobs right so AIS have a definite real impacts their on a lot of areas so. Mahmoud Alkhraishi: Thank you so much Mike for the presentation um just as a reminder for the broader. Mike Prorock: Nothing's going to do uh. Mahmoud Alkhraishi: Sorry go ahead. Mike Prorock: I think I saw Stefan hop on the queue. Mahmoud Alkhraishi: Oh he is sorry I got. Stephan_Baur: Yeah yeah it's like yeah Mike um doing presentation you mentioned something about leis and so my question is around. Stephan_Baur: Digital identity for entities. Stephan_Baur: More importantly how can I as a trading partner um verify authenticity. Stephan_Baur: Of interactions transactions from such an entity that's listed in a VC right. Stephan_Baur: Can I talk a little bit more like I mean I just feel maybe um did call on the web is indeed not secure enough for these things when it's a high stake like maybe regulated supply chain like drug supply chain and so forth. Stephan_Baur: Um but I want to really um so Lei is is that also a role of gs1 in this because most of these Goods do have some sort of a GSR gs1 identifier Associated as well can you talk a bit more about you know how do you actually go about entities yeah. Mike Prorock: Yeah the gs1 actually. Mike Prorock: That it comes in. Mike Prorock: Play in a variety of ways and we see gs1 identifiers come in and I would say like 2 or 3 different areas 1 is this like when we look at kind of the chain of credentials that uh established that a product is associated with The Entity known to you know say gs1 us right um that for sure we've already tested and work I think Mmm has as well I'm not sure 100% but we've definitely have tested that with uscbp and the number of contacts they so so that kind of you know is this uh entity who they say they are uh and are they or are they at least who gs1 thinks there right you know it's a belief Network pretty high confidence there uh also then specifically then the product identifier right can we tie this back to a PLU or you know um you know barcode of some kind right the G10 um that that that's the other area so are we linking that the G10 right the identifier for the product is actually linked to. Mike Prorock: The person. Mike Prorock: That they actually control that product right that's that's a helpful property like super helpful uh and then the third thing is that the gln level right the location level right so maybe is this a specific location of an a known entity right um and uh or at least is it believed to be right now you might have to use extra data to go confirm that things like that but those those um those identifiers for sure we Leverage. Mike Prorock: Challenge though you're bringing up uh and this has to do with corporate identifiers is there is never. Mike Prorock: I do not believe we will ever wind up in a place. Mike Prorock: Where there is a single uu ID that is accepted by everyone for business entities right. Mike Prorock: And it's for 1 really good reason which is I don't think countries are ever going to stop existing and I don't think businesses are ever going to stop existing or groups of people working together to accomplish some goal. Mike Prorock: And what that means is that we wind up with these identifiers that are all pointing to the same thing but depending on what you're doing uh with those identifiers or what you need them for you might need a different set of identifiers Associated uh with a business entity and so in our case. Mike Prorock: We've been testing some stuff and I think it's going to wind up becoming an updated version of this glue draft that's floating around over at spice and ITF um so we can yell at Brent's Yunel for that um I like the name a lot because it glues identities to entities. Mahmoud Alkhraishi: https://datatracker.ietf.org/doc/draft-zundel-spice-glue-id/ <mahmoud_alkhraishi> The glue draft mike was talking about Mike Prorock: Basically think of it as just a way of saying hey I can have this array uh and a URI scheme that says the gs1 ID is this right the G10 is this here's where you go look up that G10 information know obviously everyone knows that but maybe you need to look at that in context. Mike Prorock: How do you go look up the Lei or the vlei right if they've also got a glyph identifier or the duns number or the UEI if they do business with the US government um or if they've got a facility uh for DOD the cage code or their actual Chinese registration number right because a lot of companies are working across multiple boundaries and have depending on the jurisdiction multiple identifiers attached so that's um that's kind of how we think about that space is that There For Better or Worse we're always going to see a lot of these ideas attached and we need a way to consistently recognized that some you know how do you go look up where it is even if that company might exist in the jurisdiction that doesn't play nice with others right how do you go look up and reference and identify her from the Iranian government for instance uh even if they haven't registered and identifiers in the appropriate place that I can uh you know Etc so so all of that stuff really comes together so does that does that help answer your question. Mike Prorock: In there. Stephan_Baur: Uh yeah I mean I just maybe maybe I can reach out to you uh offline I mean it just seems like you know identify all the identifiers you mentioned except to Eli's right is are not verifiable. Mike Prorock: Yeah yeah but the but. Stephan_Baur: Somebody needs to know somebody needs to tie this identifiers to to us. Mike Prorock: They're the ones oh 100 100% I agree with you um but they're also what we have and we don't see that changing at least at the um uh government nation state side right so go look at gbi in the US side lots of basically says you for shipments and you're if you're using gbi related to Imports you've got to provide 1 or more of 3 different identifiers right the ali uh dun's number um you know or the ts1 identifier right so those are. Mike Prorock: Um that's the way it is and it but it's a start it's at least a starting place it's not perfect but it's a starting place and I I agree with you I don't think did web is strong enough nor do I think I don't know we're going to have to think hard as an industry how do we handle identifiers right at the side so that we're binding back into the domain side right so that we're binding back into existing x509 infrastructure uh because that's not going to go away either. Mike Prorock: Got to got to think about that problem pretty hard. Harrison_Tang: Yeah just a follow-up clarification question so um 7 and uh Mike are you are you saying that the existing business entity identifiers like Lei is not doesn't have strong identity Assurance or it's not trustworthy enough is that what you're saying. Mike Prorock: And that's 1 of the things I think we're talking about the other side is how do you then expose that I think is implicit in the conversation is how do you expose the key material in a discoverable way right did web well you could have a domain hijack right and then your did webs not going to work because there's not a binding back end of the DNS records right so you could have some proxy and going on that subverts key material in certain contexts. Mike Prorock: Uh so that binding right of the key material back into the actual signed document that can be resolved by a third party openly right that's 1 of the things that uh I don't think we've seen a good answer to because it's got to work with x509 and the existing infrastructure we have right even if we're looking at some of that in Kos as opposed to just text um sorry sorry any ietf folks that uh like the existing way we handle domains the next 509 but I hate it um but uh you know but that stuff that infrastructure is not going away and we shouldn't expect it to or expect to ever have any realistic chance of replacing it right so we're going to have to link to that somehow so. Stephan_Baur: And I would just add there like in in my analysis. Stephan_Baur: you know. Mike Prorock: Yeah exactly it's got to roll back into that. Stephan_Baur: The people who control the private Keys around X5 or 9 and so forth versus admins in the it shop and that's just not acceptable when you really need to tie it to actually in in maybe a 3 or eventually to the to the officers right of a the number 2. Stephan_Baur: We Are The Number 2 is like even you know liis are tied to sort of like the financial aspect of the company uh but in in the case where you have like you know contract manufacturing right some subunits somewhere else it gets very quickly just unmanageable you really don't know even when you can verify you know a cryptographic key pair behind Associated and of an identifier you still don't know that that's really the entity that you know is authoritative about the statements they're making so. Mike Prorock: Yeah 100% And it's and that's 1 like there are definitely I I would say and honestly like if you're interested in that topic and I unfortunately won't be at the next ITF I will be at the 1 in Madrid uh this summer but the best. Mike Prorock: The the best cryptography folks as well as Network infrastructure folks are that are working on that problem or discussing it and starting to look at it are at ietf like just that's where they are so um and and they welcome good voices that are thinking hard about the problem so. Harrison_Tang: Got it thank you fascinating thanks. Mahmoud Alkhraishi: Thank you everyone um we do have 5 minutes left and at the risk of taking up everyone's time I just want to make a very quick announcement that on March 11th we will be conducting our ccg meeting where we do a full review of uh ccg work items and upcoming work items 1 of the things that we would like to do in that meeting is talk about some different ideas we have for revamping this ccg call and working on helping improve the overall ccg atmosphere to be more and more inclusive we love how it is but we would oh there's always room for improvement. Mahmoud Alkhraishi: That note we would love it if everybody could just take a moment and think about what are the ways that we can make it easier to incubate work items at the ccg and how we can make it more and more open to participants so we're going to be discussing that again on March 11 with a few other different ideas um thank you again Mike and thank you again to everyone else for your time and have a wonderful rest of your week talk to you soon. <olvis_e._gil_ríos> thanks! Topic: <Verifiable Traceability and AI in Supply Chain Management>
Received on Wednesday, 12 February 2025 16:17:24 UTC