- From: <meetings@w3c-ccg.org>
- Date: Mon, 27 Oct 2025 15:06:10 -0700
- To: public-credentials@w3.org
- Message-ID: <CA+ChqYdKCE8=xCX3TGE=641rJfhYLSH0NZWRzyiAKsKkn+v34A@mail.gmail.com>
Okay, here's a summary of the meeting:
Meeting Summary:
This meeting of the KTE-HAMG-BPJ community group on October 27, 2025,
focused on a report-out of experiences from the recent Internet Identity
Workshop (IIW) conference. Attendees discussed various themes and key
developments from the conference, with a focus on topics relevant to
verifiable credentials, identity, and security.
Topics Covered:
- *Introductions and Welcome:* The meeting began with introductions and
a review of community guidelines.
- *Newcomer Introduction:* Jeroen Baten introduced himself and his
interest in using open batches server for supplying credentials for
organizations from security scanner applications.
- *Upcoming Events:* Announcement of the upcoming TAC in Kobe Japan in
November, with an invitation to join the CCG session.
- *IIW Conference Report-out:* Detailed discussions and key takeaways
from the Internet Identity Workshop.
- *Government Initiatives:* Discussions on the SETI project (bring
your own digital identity), focusing on states endorsing identity
credentials issued by third parties.
- *Delegation and Guardianship:* Exploration of the importance of
delegation and guardianship in the context of verifiable credentials,
particularly in LLMs and AI agent use cases.
- *Content Authenticity:* Discussions on the Content Authenticity
Initiative (C2PA) and its ability to embed verifiable credentials in
documents and media for content provenance.
- *End-of-Life Considerations:* Discussion on managing digital
assets, including verifiable credentials, after a person or organization
ceases to exist.
- *Agent Identity and Registries:* Discussion on the need for
registries of certified LLM agents and strategies to improve safety and
security in AI systems.
- *Specific Topics:*
- *My Terms:* Presentation and discussion about "My Terms", a
mechanism to express terms of use.
- *New Data Paradigm:* Discussion on the US Chamber of Commerce
Foundation's new data paradigm which involves new data reporting
standards
and the potential of data utilities to issue verifiable credentials.
Key Points:
- *Government Endorsement of Identity:* The SETI project highlights a
shift towards government endorsement rather than issuance of identity
credentials.
- *Delegation and AI Agents:* There is a growing need to handle
delegation effectively, especially in the context of LLMs and AI agents,
using verifiable credentials to express agent identities.
- *Content Authenticity:* Efforts to embed metadata and verifiable
credentials in documents (like PDFs and images) for content provenance and
combating fake news are ongoing.
- *End-of-Life Planning:* Discussion on the importance of managing
verifiable credentials and digital assets after a person or organization
ceases to exist.
- *My Terms Initiative:* The My Terms initiative is working to
standardize terms of use in the context of digital interactions and
verifiable credentials.
- *New Data Paradigm:* The initiative aims to standardize state-level
employment data reporting and the potential of the data utility to issue
verifiable credentials.
Text:
https://meet.w3c-ccg.org/archives/w3c-ccg-vcs-for-education-2025-10-27.md
Video:
https://meet.w3c-ccg.org/archives/w3c-ccg-vcs-for-education-2025-10-27.mp4
*kte-hamg-bpj (2025-10-27 11:01 GMT-4) - Transcript* *Attendees*
Alex Higuera, David Ward, Dmitri Zagidulin, Geun-Hyung Kim, Hiroyuki Sano,
Ildiko Mazar, James Chartrand, JeffO - HumanOS, Jeroen Baten, Kayode Ezike,
Manu Sporny, Phillip Long, Sheela Kiiskila, Ted Thibodeau Jr
*Transcript*
Jeroen Baten: Hello.
Ildiko Mazar: Hello.
Dmitri Zagidulin: Hi Elico. Hi everyone.
Dmitri Zagidulin: All right, we're going to give it another minute for
people to connect and we'll get started.
Dmitri Zagidulin: All it's 3 minute after so we can get started. Elica,
would you like to do the boil? I'm happy to also you're muted if you're
saying anything.
Ildiko Mazar: I am muted and I was just looking for the right list. So yes,
welcome everybody to today's call that is the 27th of October, Monday 2025.
as you all know, but we would like to reiterate that anyone can participate
in these calls. However, all substantive contributions to any of the CCG
work items must be from members of the CCG with full IPR agreement signed.
You can find it on the community website. we also have some call notes to
share with you.
Ildiko Mazar: These calls are using Google Meet as you can see and all our
calls are recorded and transcribed and the meeting minutes will be
summarized by our AI assistant and will be sent later on to the mailing
list. If you would like to contribute to the call for asking a question or
making a comment, you can type your comments in the chat or raise your hand
to ask for the floor to speak. Please try to be brief and to share the
floor with others. And if you are new to these calls or you haven't been
here for a while, this is a good time to introduce reintroduce yourself.
Ildiko Mazar: and Yum.
Hiroyuki Sano: Hello, this is Hiroano from Sony.
Hiroyuki Sano: Please let me advertise my affiliate company Felic Networks
will provide a breakout session at the incoming TAC that is about the
Japanese business trial with university credentials. If someone interested
in that please join in the regard session. I will put URL at the chat.
Thank you.
Ildiko Mazar: Thank you very much. I think most of us are interested in the
topic on the floor is yours.
Jeroen Baten: Okay. Hi,…
Jeroen Baten: I hope everybody can hear me. my name is Jurun Besson. I live
in the central France and I'm an independent consultant and I stumbled upon
this project when I was researching the recent developments around the open
batches server and I'm exploring the possibilities of what you are
developing to merge that maybe conceptually with supplying credential
00:05:00
Jeroen Baten: ials for organizations automatically from security scanner
application that is currently being built in the Netherlands. so maybe it
would be possible to have some sort of seal of approval digitally that some
audit has been done with this software at a certain date that will be
verifiable and seems that this group is sort of doing that kind of thing.
So, I'm very curious. and I'm lurking. so I'm curious. And the floor is to
the rest of the participants.
Dmitri Zagidulin: Let me just jump in and say Dr. that sounds very
interesting. if you'd be interested in presenting on the topic during one
of these calls, just get in touch with myself and Ildico and Simony and
we'll pick a week
Jeroen Baten: Yeah this is a sort of a side gig for me currently next to
some other projects but I am known to do talks all across Europe.
Jeroen Baten: So yeah I might take you up on that offer.
Dmitri Zagidulin: And as Phil points out in chat the other interesting
venue for you might be to bring this up is in the general credentials
community group.
Dmitri Zagidulin: So here at VCI we're a task force of the more broader
credentials community.
Jeroen Baten: Okay, thank you so
Dmitri Zagidulin: So we specifically focusing on education but I think CCG
also might be interested in the security scanner credentials that you're
talking about. and that is sort of on the subject of community
announcement. Hiroyuki mentioned this already but TAC is coming up in Coobe
Japan in November. in really a couple of weeks. So for those of you who are
going there in person, you probably have your tickets already.
Dmitri Zagidulin: everyone else TAC and W3C in general goes out of their
way to make it accessible in participants. So at the very least the CCG
will have a session during TAC but I highly encourage you to look at the
list of breakout sessions and then join anything you're interested in in
general.
Ildiko Mazar: So, yes, as you already said, Dimmitri, we already started
the announcements and reminders. are there any other upcoming events of
that would have relevance to our group? please again raise your hands or
paste the link to the event to the chat. And if there are no further
additions, then I presume I can hand the floor back to you, Dimmitri, about
the main agenda point. I don't know if we have anybody else
Ildiko Mazar: who participated at the IIW workshop, but the floor is yours
to report what we missed.
Dmitri Zagidulin: Thank you so much.
Dmitri Zagidulin: And just on the subject of conferences, so we're entering
into more or less quiet season in terms of conferences, things pick up
usually around February and into the summer. It's not too early to start
thinking about IW in spring for those of you who go. but yeah, aside from
that, we get a break from conferences for a bit. So yeah, we thought today
we might do sort of a report out sharing of experiences at this past week's
IW conference, which stands for Internet Identity Workshop.
Dmitri Zagidulin: It's twice a year conference that has been going on for
man let's see this was once for 20 years now which is intense. How does
time even work? but the reason we bring it up here is it's a really good
mix of identity which is right there in the name and verifiable credentials
and general security and privacy issues. it's a good mix of standards folks
from W3C ITF diff and other such organizations and also it's got a lot of
attendance from quote unquote powers that be meaning the really big
companies and implementers like the Google's Apples Amazons and Adobe's of
the world which for for worse strongly influence what we have to work
00:10:00
Dmitri Zagidulin: so it's a good mix of people. The format of the
conference is unusual and interesting. It's what's called in the open space
unconference format which means the agenda is not set before when the
conference starts but is instead created each morning. So whenever you have
a session to propose, you put it up on basically a sheet of paper and put
it up on the board and propose it and then see who comes. It sounds
chaotic, but as I've said, it's been running for 20 years and a really
wonderful culture has developed out of it.
Dmitri Zagidulin: A lot of the specs that and got started as an idea as a
session at For example, OOTH 2, the sort of social login protocol, login
with Apple, that got started at a lot of the verifiable credential and
decentralized identifier specifications got started at IW. So, it's really
interesting in that respect. So, I've attended the whole week. I generally
try to make them whenever I can. Phil Longwell was also there, and I'm
hoping Phil, you'll jump in and join me in your impressions. In fact, why
don't we start with you and I've got a list of sort of impressions and…
Phillip Long: Happy to jump in whenever you like.
Dmitri Zagidulin: and things I've noticed and things to talk about.
Dmitri Zagidulin: yeah, please let's start with you.
Phillip Long: It was indeed another exhausting but fun conference. as
Dimmitri mentioned the agenda is created every morning and so some of the
times you get someone who wants to propose one or two or three sessions. So
each day they add to their topic and give you a intro some more depth and
maybe an expert kind of view of the topic they're addressing. Other times
it's just a conversation and sometimes it's more formal. I attended a
couple of different things over the course of the week.
Phillip Long: one of the more interesting was the SETI meetings which
stands for state endorsed digital identity SEDI and this is a project
emerging from the state of Utah part in reaction to their discovery after
implementing it without careful analysis their MDL driver's license and
discovered a thing which we've now dubbed phone home. That is verification
by the server of the issuer in that particular credential and the potential
that opened up for surveillance with respect to other data along with the
driver's license being potentially shared in that verification process.
Phillip Long: they have since stopped issuing that MDL in their state and
they will allow the ones that are currently there to be used but they are
moving towards an alternative proposal for doing that in a more VC focused
context. the SETI presentations there though in this particular instance
were around a general movement in the state which they are trying to
recruit other states to participate with them in which is essentially bring
your own digital identity and the idea is that the state is not in the
political entity that should be creating andor withdrawing identity
credentials.
Phillip Long: these are credentials that are indelibly associated with you
as a person and the state has in their view no business in the issuance of
such things. Instead they want to consider you to bring a identity
credential to them which they will endorse meaning that They will review
whatever documentation and such they ask you to present to corroborate you
or the carbon-based person associated with this identifier and then issue
you an endorsement of some form to instantiate the credential you've
presented as a legally binding credential in their state for your identity.
00:15:00
Phillip Long: so that's a pretty big deal in the sense of it applies
clearly to another way of dealing with identifiers in the next iteration of
their mobile driver's license, but it also has to do with all kinds of
vital records credentials, birth certificates, other kinds of things that
the state might issue as a certification, but not by issuing an identifier
in it, but by including an identifier they have endorsed. from you.
Phillip Long: So I thought that was a really exciting one and I happen to
also have been to the week before the IIDW two meetings on that particular
credential in Utah and one of those was a public meeting for state
officials kind of an identif digital identity 101 which 13 other states
attended and there was general support across those states for their
continued participation. we'll see if their sign up actually results in act
in action. but it's a movement to consider. there'll also be putting out an
RFP for…
Phillip Long: how they go about addition edition issuing these identifying
endorsing credentials. and…
Dmitri Zagidulin: If I could just…
Dmitri Zagidulin: if I could jump in,…
Phillip Long: yeah, please
Dmitri Zagidulin: it's such an interesting and subtle distinction, That
instead of a government issuing let's say a birth certificate, they're
allowing other third parties to issue it,…
Dmitri Zagidulin: but then the government endorses it. it's a very subtle
difference but we think is interesting and encouraging is moving in the
right direction. what do you think about it?
Phillip Long: No, I agree with that 100%.
Phillip Long: I think that the notion of endorsement of things actually
retains and gives the agency of the individual some stability because
there's nothing in a credential that an individual might get for a
particular ification. for example, that if that certification is revoked
for whatever reason should affect your identity. and that's the problem we
currently face. and if there is going to be a national credential, then
there needs to be a debate about that as an independent consideration as to
whether a state or a country wants to do that.
Phillip Long: and many countries have and do and it's unclear that the US
will ever get to something like that or want to. So I think it's a very
subtle distinction but an absolutely critical one. I'll just mention a
couple others. I did sit in the digital fiduciary meeting. that is an idea
of establishing a trained core of people who are educated in digital
identity and the legal contexts of digital identity in different
jurisdictions as well as the the VC world of credentiing and is acting as
one of the mechanisms by which the identity of an individual can
Phillip Long: be ascertained and instantiated by effectively the fiduciary
going through a rigid step of processes that look at documentation. The
person presents to corroborate who they are and then instantiates that list
of evidence into a file that will be digitally encrypted and saved and
their endorsement following if you will their endorsement of that person's
identity as a legitimate identity create issued.
Phillip Long: So that essentially it's kind of like you're probably
thinking in your head that this is like a notary and it is in one sense but
it isn't in the sense that notaries are generally not particularly in doing
more than looking at documents that you present to see that as far as
they're concerned it looks legitimate and stamping something on a piece of
paper and handing it to you. There are digital versions of that in some
states. but the issue that we're trying to distinguish here is the training
and understanding of the individual and the backup by which the assertion
is instantiated and retained. So if it is questioned later it can be
presented and finally the costs of doing it incorrectly are high for the
fiduciary.
00:20:00
Phillip Long: Whereas in the notary context, if a person gets it wrong,
they may be sanctioned in some way in the context of the digital fiduciary,
they'll lose their license and their practice in this space. So that was
another one. and I'll turn it back to you. I've got a couple others, but
I'll Demetri, why don't you share some of yours?
Dmitri Zagidulin: Yeah. all of those very interesting developments. So
couple of things struck me about this year's I IW this seasons really. One
of the things I always like to do is scan the proposed agenda the schedule
of sessions and look for themes. Are there more sessions on any particular
topic?
Dmitri Zagidulin: this year than during previous IWS. And a couple of
things often stand out. For example, as Phil mentioned there were a number
of sessions from the government initiatives. related to that there was a
number of sessions on delegation and guardianship. It's a super important
topic, one that I think that we haven't explored as much in depth as we
should in the area of verifiable credentials. I know our colleagues in the
European Union have already started working on these frameworks. I'm sure
would have details to add there. This notion of issuing credentials on
behalf of someone
Dmitri Zagidulin: either in the legal guardianship sense. So when a child
is born, parents can issue credentials on behalf of the child until comes
of legal age and so on or in the delegation sense that this organization is
acting on my behalf or in the sort of access control sense such as I have
let's say an AI LLM chat agent that is buying plane tickets on my behalf
and is presenting a credential.
Dmitri Zagidulin: We need a way to clearly denote in the verifiable
credential itself that though this is the identity of the agent performing
the operation the human principle behind the agent is such and such right
so we want to be able to express this is chatbot version one acting on
behalf of Dimmitri so there are a lot of sessions about that partly because
it's an important topic and it's interesting to explore and start
formulating specifications and profiles and partly it's a major pain point
in the world of LLMs. So there were a half a dozen sessions at least on how
do I express agent identity?
Dmitri Zagidulin: How do I express on behalf of identity and how do I
delegate rights and permissions in something that like an access token in
something like a verifiable credential.
Dmitri Zagidulin: So I think it's absolutely crucial topic that I would
love to explore on one of these calls in VC edge later on the …
Phillip Long: Demetri might jump in there for a second.
Phillip Long: The guardianship presentation included one of the best demos
I've ever seen by a company called Vidian…
Dmitri Zagidulin: please. Yeah.
Phillip Long: where they actually embedded the guardianship model into a
cloud-based video game. the intention was to allow a parent to decide the
kind of material at least in terms of age level or appropriateness that
they want their child to be shielded from conversely exposed and embed in
the game itself such that of their guardian credential with those parental
explicit constraints of what they do and don't want the kid to be able to
engage in is actually checked and in and implemented in the game play of
the individual in the game.
00:25:00
Phillip Long: And by that I mean for example in the game there's a
scrolling list of images or for some reason presented. If one is age
inappropriate, the child is supposed to not see things for those that the
parent believes ought to be 18 and over in their exposure to them. Then
they would run across an image that is tagged according to that and the kid
doesn't see it on the screen. similarly it implies to in game chat
conversations then in terms of who the individuals are and the ages of
those individuals. If an individual is an adult and they're in the chat and
they shouldn't be in the parents view interacting with their 13-year-old
then that individual's chat will not be displayed to that person.
Phillip Long: And finally, in terms of game purchases, if there are
purchases that are age restricted, then the game implements the
guardianship requirement that has been set by the parent. So, I just
thought it's worthwhile noting that this is not just an idea and not just a
simple sort of prototype. They actually went out after they were trying to
convince a number of game makers to pilot it and…
Phillip Long: got an open- source game Roblox and built this into that game
after the game maker said it would take weeks and weeks and it was going to
be too complicated. They did it in four days and demonstrated that with the
guardianship credentials by the parent and while the child then went in to
play the game. That's what just wanted to highlight it. Back to you.
Dmitri Zagidulin: Thanks, And yeah,…
Dmitri Zagidulin: it's a great use case. We're used to the notion of
parental controls in general on video game systems, on computers in
general. But of course, each system currently implements it in a one-off
proprietary or system specific way.
Dmitri Zagidulin: we have a opportunity with verifiable credentials and
with these standards to define parental controls and guardianship controls
in a more general hopefully interoperable reusable fashion. So part of the
other motivation behind so much focus on delegation has been coming from
the LLM world. As you probably already know, it's hard to miss it. Also, as
a side note, LLM related billboards on the highways in San Francisco are
particularly bizarre.
Dmitri Zagidulin: sometimes nightmarish, sometimes just surreal. speaking
of LLMs, but anyways, so a lot of sessions on the subject of delegation and
how to use existing technology like ooth 2 and open ID connect with MCP
stands for model context protocol. It's a small piece of the LLM puzzle and
you can think of it as It's a data model for services to advertise
themselves to chat agents. Meaning with printers for example you plug in a
printer and then it appears in your list of available printers on all the
desktops on your local area network.
Dmitri Zagidulin: Similarly, you plug in a service. What do I mean by
service? really anything any tool that an agent can use such as this is a
calendar, this is Slack, right? This is a chat service. this is an email
sending API. so each one of these can be wrapped in an MCP declar in this
model context protocol declaration and it suddenly becomes visible to
agents. So this is useful. it allows agents to be tool using. But of
course, as you're probably immediately thinking, wait, What about access
control? What about guard rails for agentic AI?
Dmitri Zagidulin: And that's exactly what so many of these sessions were
about because in the excitement the very first implementations of these MCP
services either didn't have access controls or simply were doing the
classical thing of I'm a secretary when my boss wants to give access to
their email because our traditional identity and access control systems
don't provide for delegation. All that ends up happening is boss ends up
giving their username and password to me and as the secretary can just log
in as my boss and send emails or whatever. this is the failure state.
00:30:00
Dmitri Zagidulin: This is the sort of lowest common denominator of
delegation systems. If all else fails, if you don't provide for delegation,
people will just hand over their username and passwords either to
secretaries or in this case to AI agents. So we see that all the time. hey
agent send this email for me. give me your username and password to your
Gmail. not so great. So that was the first iteration either no security or
literally logging in as The sort of next iteration that immediately came
after that where are again familiar to us API tokens.
Dmitri Zagidulin: This is where you register an application. those of you
who've used third party social media readers like Facebook and Twitter,
they were one of the first pioneers in OOTH 2, this ability to register an
application. Facebook gives you an API key, you cut and paste it into your
social reader app, and now all of a sudden it is able to pull in your
messages. Although that was the original dream. Facebook and Twitter both
quickly shut down that program. That's not the point. the pattern
continues. this is also the same thing used in Slack integrations or GitHub
integrations.
Dmitri Zagidulin: but again the affordances the capabilities there are very
limited in part because you have to register an application beforehand
whereas in a lot of these chatbot AI agent use cases things are more fluid.
we want the agents to be able to discover services at runtime without
registration but still act within guard rails. So a lot of conversation on
hey how do we define let's say verifiable credentials or something like
them that communicate and hopefully in a privacy preserving way agent
identity.
Dmitri Zagidulin: the implementer of that agent who it's acting on behalf
of, what the person's intents are, what the guard rails are and so on. So,
a lot of good conversations about that. there were several sessions held on
payment protocols for agents. again, right? So, if I want an agent to buy
something on my behalf, I don't just want to give them my credit card or
access to my bank account. It would be interesting if I could instead hand
them either the exact amount let's say a prepaid card, which again looks
essentially like a verifiable credential. couple of other things,
Dmitri Zagidulin: Phil asks in chat, How much of your Slack interactions do
you want an LLM to access?" yeah, I mean, that's a great question and it's
something that we literally have to struggle with every day on every call.
For example, an LLM is providing transcript service for this call right
now. it certainly beats having to ask for scribes at the beginning of each
call, but of course there's trade-offs. let's see there several other
things. So we mentioned access control delegation, we mentioned payments
and FCP in general.
Dmitri Zagidulin: there were a number of sessions on content authenticity.
This is a content authenticity initiative. One of the specs it produces is
C2PA by Adobe, Intel, number of newspaper publications and outlets. It's a
way to embed metadata and verifiable credentials in things like Photoshop
files, PDFs, images in general, video files. again partly because it's an
interesting problem, partly because of the constant conversation about
intellectual property management, authorship and provenence and let's say
it in the fight against fake content and fake news.
00:35:00
Dmitri Zagidulin: The dream here being that if we establish a cryptographic
change of provenence from the camera used to take a picture to the
Photoshop operations that were performed to process the image when the
image is published on a website. If we have that chain of providence, we'd
at least be able to say not exactly that, we know for sure that this was
done, that this is a AI generated fake, but the opposite. At least we'll be
able to say regardless of anything else, we know with high probability
within our risk model that this was done by an accredited journalist or it
was done by me, which to my friends and followers, it's just as good. So a
little bit progress in development in that area.
Dmitri Zagidulin: the specs they are proceeding support for them is being
built into for example the large Adobe projects Acrobat, Photoshop, PDF
reader the main C2PA spec which is the actual metadata embedded in
something like a PDF has been sort of simplified And the way they phrased
it is in CTPa we only want to embed metadata that was automatically
generated by software or by hardware.
Dmitri Zagidulin: Anything user generated is going to go in a separate spec
called COG. C A WG content authenticity something. Here's why I bring it
up. there were early conversations about being able to embed W3C verifiable
credentials in PDFs using C2PA. then that feature was taken out and I at
least was like that's too bad that's a loss. but it turns out that the
feature was just transferred to this other specification by the same
standards group. So we do straight up have the ability to embed W3C
credentials and DIDs and other identifiers in mainstream documents like
Photoshop and PDF. I thought that was interesting.
Dmitri Zagidulin: one other thing on the subject of access delegation on
behalf of I thought somebody this was Allen not Alen K that's the small
talk guy this was Allen who I know from the capabilities world he came up
with this analogy He said, "In a car accident, the equivalent of an agent
identifier is the VIN number of my car." Let's say I get into a fender
vendor and what are the identities involved? the direct analogy is the
agent's ID is the serial number of my car.
Dmitri Zagidulin: interesting but not that interesting because for example
the other person involved in the accident about the identity of my car
doesn't really care about my identity either cares about my insurance
provider identity similarly my insurance provider also doesn't care about
the car except they do cuz it's specifically insured about the car but
cares about my identity and so on and so forth. police has a slightly
different lens into the identity of the actors. The overall upshot of this
is all the actors in the process should have their own clearly delineated
identifiers, clearly delineated relationships and power dynamics and all
that stuff. Let's see, we talked about content authenticity on behalf of
MCP.
00:40:00
Dmitri Zagidulin: there were a couple of sessions on end of life
considerations and this is something that we've brought up on these VC edu
calls before and something hopefully that we'll be able to talk about again
and that's simply what happens when an organization disappears. either a
university closes its doors or is renamed or is registered and so gets a
new legal identifier is acquired by another entity. Alan Karp, thank you,
Jeff. is acquired by another entity, right? What happens when I have a
diploma from a university that no longer exists?
Dmitri Zagidulin: That's what we mean by end of life. Not just and in fact
there were two different sessions on one on human end of life and one on
ganization On the human end of life super interesting the question of what
happens to your digital assets, games, movies and verifiable credentials
after you die. There is straight up a working group in the open ID
foundation. that's the standards body behind open federation and a bunch of
other specifications you use all the time. So they straight up have a
working group for human end of life considerations notions of I suppose how
to write digital credentials into your will in a machine readable way.
that's one crude way of putting it.
Dmitri Zagidulin: So that was interesting and of course even more relevant
to us here at VC Edu is organizational there's several things that come
into play here. One is again going back to on behalf of a lot of the
verifiable credentials in education being issued right now are not issued
directly by let's say the universities. They're issued by a platform like
Kredley or IQ4 or something else. they're issued by a service provider on
behalf of the university.
Dmitri Zagidulin: And so we need clear policies and data models for what
happens much more likely when the platform disappears. How does the
university say okay so initially the diploma was issued by this service
provider but now that service provider was acquired and is now out of
business. And so now organizational identity continuation. now we're known
as this other thing over here. There's a couple of places in our
specifications that are relevant to this. We need to extend the verified
credentials data model to be able to clearly express these hybrid
situations. we need the ability to do more complex issuer objects for
example.
Dmitri Zagidulin: issue is university but really the platform right we need
to be able to express both in the credential itself. The other place where
we need to be able to do this is of course in our issuer registries. we
need to be able to say when looking up the digital signature of a
credential when looking up a decentralized identifier we need to be able to
say this did belongs to this platform acting on behalf of this university.
Right? So we need changes in both specifications VC and is a share registry.
Dmitri Zagidulin: And speaking of issuer registries, the other thing that
will be familiar to us in the verified credential community is again due to
the pain points brought by AI and LLM all of a sudden everybody's really
concerned about hey so we do give our agents a digital identity we need
registries we need registries of certified agents we need registries bad
agents that we want to filter out. we want to be able to say who the vendor
is responsible and so on and so forth. So basically there were a lot of
sessions on applying the same strategies that we have for our credential
issuer registries to other things LLM agents and that was good to see.
Dmitri Zagidulin: there was one session by several startups that are like
hey we propose wouldn't it be a good idea if we used open ID federation to
record issuer keys and bids it was very validating and amusing to me I
raised my hand yeah it's definitely a good idea and the VC edi community
and dcc and credential engine in fact did propose just that and ran a pilot
And this is what we found. Right? So driven by the same pain points and
guided by the shape of the problem space. A lot of people are sort of
coming independently to these realizations that we need these registries.
So that was another interesting topic. let's see what else did I miss Phil?
00:45:00
Dmitri Zagidulin: that's right. Jeff was also there. Yeah. Please join in,
Jeff.
JeffO - HumanOS: It's true.
Phillip Long: Yeah, I was on mute.
JeffO - HumanOS: Yeah, it's true.
Phillip Long: Go ahead, Jeff.
JeffO - HumanOS: Yeah. I very much appreciated the energy that was going on
around the agent to agent in particular. I think that the presence of these
things and their functionality and what's going to be interoperability
between each other kind of puts things in a situation where I do some work
with internet safety labs and I know that when an app and its behavior is
being looked at there we have certain sorts of software tooling that'll tap
the behavior of the app report that data science over to the analyst gang
and then the analyst gang
JeffO - HumanOS: puts out what was kind of referred to as a nutrition
label. And one of the things that seemed to be sort of a fact of the matter
is that once you release an agent out into its purpose and mission that
there is seems to be in some use cases and I don't know maybe all use cases
to some degree that these things go out and kind of do their own thing.
They gather their info, they do their correlations, they do their
summaries, and then they drop it back as out the outcome of the data per
mission per se. And that it's really hard beyond a point to be able to get
analytics. how do these things leave skin flakes, footprints, things like
that beyond a certain point?
JeffO - HumanOS: It seems like they operate distinctly to a point and then
they sort of leave the ground and we don't have footprints on them until
they come back and land. So that was a thing I was feeling and we had some
good discussion about and just wanted to enter that see if anyone had any
feelings about that felt that at all. Thanks.
Dmitri Zagidulin: Thanks Jeff.
Dmitri Zagidulin: I totally agree with Really important topic film.
Phillip Long: Yeah, sorry I was on mute before.
Phillip Long: A couple of things that came up and one was that probably of
interest to this group is Doc Surles has been working for the last gosh 10
years on my terms and…
Dmitri Zagidulin: Yeah. yeah.
Phillip Long: it is essentially a mechanism to express the way in which you
would like your terms of use to be the method by which you interact with a
given service, a website or what have you. it's essentially a replacement
for cookies for all practical purposes. and the idea was actually in
instantiated and endorsed by it during the course of the meeting last week
with the notion that an individual will develop a set of contracts or my
terms organization.
Phillip Long: Think of creative commons and the way in which they put a
very simple syntax around how your expression of creative work is intended
to be seen from a copyright perspective. The same idea applies here. What
is your expression interaction with a service provider and the data that
you exchange with them? What is your expectation for how that's to be
treated but in a contractual way? And so my terms is developing currently a
set of libraries of that correspond to contract options in plain language
but also will have a machine readable expression and a legal expression
following the three-part height structure of creative comments for the
interactions with sites.
Phillip Long: And they recognize the challenge that the providers out there
will present to them with respect to no, I'm not going to negotiate to you
with you on the terms You use my site or go away. they're hoping that they
will get some agreement from a number of larger providers to set as a
benchmark going forward. But the work that's being done in this is being
done concurrently and there is a signal channel that you can join. when I
get to it, I will put it in the chat if you'd like to be a part of the
development of those contracts and the way in which the you browser and the
sites browser interacts negotiate with those contracts. So that was very
interesting.
00:50:00
Dmitri Zagidulin: And this is a topic near and…
Phillip Long: I thought go ahead.
Dmitri Zagidulin: dear to your heart because it very much intersects with
terms of use for verifiable credentials.
Phillip Long: They've taken the idea of terms of use and turned it into a
much broader my way of interacting with the services on the web from Amazon
books that I buy to anything else what happens to the data in those
interactions and…
Phillip Long: I think it's a hugely important topic the two others I'll
mention go ahead
Dmitri Zagidulin: I think second one sec before you go to those just on
terms of use.
Dmitri Zagidulin: I think it's high time we gave some example and some
sample applications of terms of use in verifiable credentials.
Dmitri Zagidulin: So highly recommend implementers doing stuff with VCs to
think about terms of use to reuse my terms it ec for it.
Dmitri Zagidulin: And Phil to you directly we should build in terms of use
into the resume author and link creds author applications.
Phillip Long: Absolutely. and…
Phillip Long: I'd suggested in a previous call here that we get Alex Jackal
to come talk because in the K12 world when there's data exchange between
the high schools to a district and from a district to the state board of
education in the US there is a document called pods I'm trying to remember
privacy obligation documents
Phillip Long: in the privacy obligation document specify the PII that's
associated with student records in a student high school or middle school
and the permissions that are associated or the restrictions in their
exposure that should be associated with each of those data elements and
those are in these POD agreements and we can have Alex come talk to us
about how those are ma managed in the current high school and K12
environments in the US. the last one I'll mention two others.
Phillip Long: there were a lot of presentations on verifiable identifiers
for businesses particularly coming originally from the finance world and
the gly world and those are basically unique organizational identifiers
that happen to follow a carry format or ACDC format selfcertified
identifier that large banks and lending institutions around the world have
adopted. and so there's a whole bunch of presentations around that and
their expression potentially or other kinds of businesses besides financial
institutions.
Phillip Long: And lastly, Demetri you and I participated in one on the new
data paradigm, which is a T3, US Chamber of Commerce Foundation initiative
to change the way in the US that states report the data they have about
their employees, their employment history, titles, job descriptions and
relevant information that they are required to send to states. every year.
but to do so in a way that is now more standardized following an agreed
data model.
Phillip Long: Initially the one being suggested is the learning and
employment record resume standard which is effectively a compound
credential which contains can contain entirely VCs but it can also contain
VCs and just JSON objects or for that matter XML objects and there is a
Jedex API the jobs and employment exchange API that's been built to send
these to an endpoint. The novel part about this project besides
standardizing the way it's reported and I should say novel because many of
you probably aren't aware that every state requires or specifies how the
data from a business about their employee employees is reported is done
differently for every state. So it's 50 different ways of doing it and
those employers that operate in multiple states have to do it in every
state according to those rules.
Phillip Long: And so the idea is to simplify this both for minimizing
errors but also just to make the cost of doing so less. the novel idea in
the new data paradigm is that the data endpoint is not the state itself but
a public private what's referred to as a data utility for which all
employers will be reporting these data and that the state will pull from
that data utility to do the work that they need to do and to generate the
information that is required for their internal planning and their various
department of labor and workforce activities but also to prepare what they
need to prepare when they submit their states report to the federal
government. and they would use the same notion of a public data utility
between the state and the federal government to place the data in that
utility that the different agencies in this the federal government could
pull from.
00:55:00
Phillip Long: and so we talked a little bit about that and about the pilots
that have been done with three states so far but only with simulated data
from selected employers and the possibility that generates to do things
because of the data in that data utility to actually become an issuer. the
data utility itself becomes an issuer to send verifiable credentials back
to the employees that contain their work history, salary history, job
descriptions etc. which can be used for their purposes in job mobility,
looking for new employment etc.
Phillip Long: But a way of jumpstarting the possession and use of that by
individuals which we have seen slow to be adopted by businesses because
they maintain the sort of standoff no one's asking me to do it this way so…
Phillip Long: why should I bother and the generation of those credentials
on the part of for example training on companies and educational
institutions is why should I bother because the employers aren't asking for
them and don't have a way to accept them. So we're trying to break that
deadlock with this new issuing height capability from the data utility
itself and I'll stop there.
Dmitri Zagidulin: So, we're a couple minutes before the top of the hour,…
Dmitri Zagidulin: but I do want to ask, so when do you think it would be a
good idea to do a fuller presentation on this topic to this group.
Phillip Long: Any probably sometime in the later part of November would be
good…
Dmitri Zagidulin: Perfect.
Phillip Long: because I will be out of this country for the next 3 weeks.
Dmitri Zagidulin: I was asking more do you think it makes sense to talk
about it before or after it gets funding?
Phillip Long: I think it's likely it's going to get some additional there
is some funding coming.
Dmitri Zagidulin: Got it.
Phillip Long:
Phillip Long: We're certain of that. The question is there enough to do the
kind of larger scale pilots and increase the number of states and we've had
a lot of things to decide about the so-called data utility. right now it is
essentially a data lake using the software from Apache and the Apache and a
se several other of those components for data links and governance or with
brighthive as a governance layer. But those things need to be worked out
because there's security issues there as well as opportunities to generate
more specific and more close to real-time analysis of change and job
opportunities, skill requirements, etc.
Phillip Long: within a state from that data utility.
Phillip Long: If it can be done securely,…
Dmitri Zagidulin: All right.
Dmitri Zagidulin: Right on. Thank you, Phil, Jeff for your report out. and
we'll see you all on these calls later.
Phillip Long: cheers everyone.
Dmitri Zagidulin: Cheers all.
Meeting ended after 01:06:07 👋
*This editable transcript was computer generated and might contain errors.
People can also change the text after it was created.*
Received on Monday, 27 October 2025 22:06:20 UTC