The W3C Credentials Community Group

Verifiable Claims and Digital Verification


Credentials CG Telecon

Minutes for 2018-03-20

Andrew Hughes is scribing.
Heather Vescent: Also, you can put me on the scribe list.
Alberto Elias: No luck joining the call
Joe Andrieu: Reminded everyone of the IPR policy
Manu Sporny: Requested an upgrade for the number of simultaneous channels that Digital Bazaar can support (up to 50) - waiting for pricing

Topic: Introductions

Ed Eykholt: Hi, I'm part of Pithya, part of the RChain initiative, looking into Decentralized Identifiers and Verifiable Credentials.
Kaliya Young: Hi everyone, my name is Kaliya Young also known as Identity Woman on the Internet. I'm one of the co-founders of the Internet Identity Workshop. Good to be here and participating.
Heather Vescent: Great to see you @Identitywoman!!!

Topic: Announcements

Joe Andrieu: Upcoming events - see the agenda for a list
David Challener: IIW26 soon.
Joe Andrieu: Need to have a hackathon to introduce the technology for new developers - should probably be a new Work Item - figuring out how. To happen over the summer - need supporting materials etc

Topic: Current action items progress

Kim Hamilton Duffy: New action items were added last week - but they are not on the current action item list - will be added for next week
Joe Andrieu: Chairs were asked if ccg will do something at TPAC?
Manu Sporny: Yes.
Manu Sporny: But we have to prepare well
Manu Sporny: Should focus heavily on DIDs - to get everyone up to speed and more comfortable with the work
Kim Hamilton Duffy: Chairs to ensure that work items are sticky and have the right company support. Chairs to find people to produce DID use cases. Chairs to find people to produce DID charter. Chairs to drum up W3C Member company support for DID WG. Chairs to find people to work on DID test suite.
Kim Hamilton Duffy: Will add TPAC prep to permanent list of action items

Topic: Work items

Kim Hamilton Duffy: First meeting of Educational and Occupational Verifiable Credentials group - meeting info was sent to list
… OpenBadges/VC alignment has started
… first meeting will be to ask the group about priorities. Kim to resend invitation to ccg list
Joe Andrieu: Summertime timezone chaos is underway for another week - pay attention to UTC time of any calls
Joe Andrieu: Seeking to add DID-Auth as a formal work item - need a lead author
Kim Hamilton Duffy: EDU/OCC Verifiable Credentials meeting info: https://lists.w3.org/Archives/Public/public-credentials/2018Mar/0043.html
Christopher Allen: MyData conference - Helsinki - last week of August - invited to participate in a panel - DID VC/ccg focus
… want to talk specifically about DID-Auth proposal
Markus Sabadello: The idea for mydata is to have a DID session of some kind
… 3-4 people / implementers to present what they are doing. lots of audience that would not know what DIDs are & significance
… Kim? Ruben? Sovrin people? Talk about their specific DID method etc
… to demonstrate that DIDs are interoperable
Joe Andrieu: The Chairs want to support this
Kaliya Young: I am also working with the myData organizers to organize an "un conference" within the MyData conference
Joe Andrieu: Clearly there’s lots of support for this - so it can become a work item.
Joe Andrieu: Markus to lead - ccg will support
Markus Sabadello: The call for proposals is still open - please submit
Heather Vescent: I will be in the UK that week, so could meet somewhere before/after if there is a RWOT.
Christopher Allen: If you plan to attend, please inform Chairs to help organize mini-rebooting web of trust session (RWOT)
Joe Andrieu: Any other status updates? (nope)
RESOLUTION: Adopt MyData panel at Helsinki as a CG work item.

Topic: DID-based Authentication (DID-Auth)

Joe Andrieu: Markus to talk about DID-Auth. At the highest level, using DIDs for Authentication (NOT Authorization :)
Markus Sabadello: DID-Auth - process or ceremony to prove control of a DID
Manu Sporny: Example of Browser-based DID Authentication: https://w3c-ccg.github.io/credential-handler-api/
Markus Sabadello: It gets complex when covering different use cases / scenarios; e.g. web authentication, mutual authentication (like TLS authentication), service authentication. Many different ways to prove control (signatures/crypto; biometric)
Markus Sabadello: Still need to clarify/refine scope and outline of what DID-Auth exactly is and represents
Markus Sabadello: Hartog and markus_sabadello submitted topic papers to RWOT. A draft paper came out of RWOT
Markus Sabadello: Draft paper needs to decide/define what is and is not DID-Auth - eg email signatures?
Dave Longley: This page has links to browser-based DID Auth demo and video: https://github.com/w3c-ccg/credential-handler-api
Christopher Allen: Question - before RWOT meeting, lots of questions about what DID-Auth was supposed to be - did RWOT help to reconcile that question? Are there still different views on what it is? Should the abstract focus on more requirements?
Christopher Allen: E.g. with DID the first paper was requirements (not a spec)
Manu Sporny: Video demo of browser-based DID Authentication - https://www.youtube.com/watch?v=bm3XBPB4cFY
Kyle Den Hartog: At RWOT we scoped it down - DID-Auth does not include authorization. Can be done in a few different ways.
Kaliya Young: It shouldn't include authorization - authentication and authorization are different
Kyle Den Hartog: Concern is how to do an interoperable authentication protocol - that's where the issues will lie - requirements will help clarify the concerns that need to be resolved
Kyle Den Hartog: Maybe implementations might have their own ‘method specs’ in the same way the DID spec evolved
Christopher Allen: What are next steps?
Heather Vescent: Mixes well with some ambient background music.
Christopher Allen: Does markus_sabadello think that refocusing on Requirements is the next step?
Joe Andrieu: Chris, could you restate your question for Markus?
Moses Ma: I had one question - Question: does anyone have a functional block diagram for how DID and DIDauth work? Please send to me - moses.ma@futurelabconsulting.com
Andrew Hughes: Moses - we are developing sequence diagrams for the DID-Auth paper
Joe Andrieu: Chris?
Joe Andrieu: You had a question for Markus
Markus Sabadello: I think next steps are to continue work on the DID Auth RWoT paper to define scope and the various forms DID Auth can take (browser based, qr scanning with mobile, DID Auth service endpoint, DID-TLS, etc.), and incorporate content from Kyle's and my topic papers.
Markus Sabadello: And ask for input from this group about what is DID Auth and what is not DID Auth.
Markus Sabadello: And have at least 10 IIW sessions about it :)
Joe Andrieu: =)
Joe Andrieu: Definitely some IIW sessions.
Andrew Hughes: One thing we did talk about at RWOT is that DID-Auth requires _cryptographic_ proof of control - not other types of ‘proof’
Manu Sporny: So, I guess the question is how many IIW sessions and when?
Manu Sporny: I'm concerned that we may need to do some more front-running/planning for that event.
Markus Sabadello: I can also demo DID Auth components I built for BCGov. This includes use of HTTP Signatures and Verifiable Credentials similar (but not equal) to the browser Credential Handler API.
Christopher Allen: (…Or at least one cryptographic proof of control)
Andrew Hughes: _Cryptographic_ proof means that we had to focus on the keys - we put a simplified flow into the document so that we can ‘test’ scenarios to see if they fit the DID-Auth pattern
Andrew Hughes: It was useful to avoid talking about authorization
Kaliya Young: I just hung up - I literally couldn't hear anything
Joe Andrieu: One question for me is whether or not DID-AUTH is only about control of the DID, e.g., the right to update the DID document, or does it also include work flows for logging in AS the referent of the DID, which might use keys or methods other than master key proof of control.
Markus Sabadello: Regarding authorization, I agree that's out of scope for DID Auth, but the data formats and flows are related. If you look at the Credential Handler API, or if you look at uPort, then "proving control of an identifier" is not so different from "proving something else".
Dave Longley: Was wondering if anyone working on DID-based TLS looked into potentially defining a new `TokenBindingID` type of DID (see https://tools.ietf.org/html/draft-ietf-tokbind-protocol-16 and https://tools.ietf.org/html/draft-ietf-tokbind-https-12)
Manu Sporny: Markus_sabadello and Hartog, what's next wrt. DID Auth - it feels like we're kinda all over the place with it... use cases, requirements?
Manu Sporny: Where is the focus going to be? Fundamentally, there needs to be a spec if we're going to drive toward a standard of any kind.
Christopher Allen: I would like to see Markus and team continue to work on the RWoT paper, but separately I'd like to see a CCG work item abstract for a requirements, which may be less than RWoT paper.
Manu Sporny: There also has to be deployment... who's deploying this stuff commercially in the next year or so?
Christopher Allen: I'd like to see a goal that we have a requirements document suitable for CCG use by summer.
Christopher Allen: (Done)
Joe Andrieu: Chris, you bring up a good point. The RWOT paper is *not* a CCG work item, although once written, could be the foundation for or input to a CCG work item.
Kyle Den Hartog: Two things: I know there's concerns about zoom, but in order to continue this call today I can supply a zoom room until we resolve SIP concerns. Anyone opposed to that idea?
Joe Andrieu: Thanks, Kyle. I think we are better off making the most of IRC in the limited time we have left.
Markus Sabadello: I think the RWoT paper should be an initial overview of requirements, flows, data formats, to get to a common understanding what is DID Auth. It also has examples, but it's not going to be a spec.
Kyle Den Hartog: Second: I'd primarily like to see a requirements doc be built in parallel to the RWoT paper with the CCG work coming out to be the standard based work.
Alberto Elias: I think we're already covering requirements in the RWoT paper, as that sets the line for the rest of the paper
Ryan Grant: Joe, I can answer this one quickly. BTCR will not do any DID-auth for authorization to control the DID, since its authorization is rooted in access to keys on the blockchain that DID-auth cannot refuse.
Kaliya Young: Can someone please post a link to the RWoT paper we are talking about :) thanks
Joe Andrieu: Thanks, rgrant
Kyle Den Hartog: @Alberto, great point, now that I think about it we did address this fairly well, we just need feedback on it from the larger community.
Joe Andrieu: And thanks, albertoalias
Joe Andrieu: Markus, would it be appropriate to ask folks to review the current doc and provide feedback?
Joe Andrieu: What would be the best venue for that? Issues?
Joe Andrieu: Thanks, dlongley
Markus Sabadello: Yes if people have time, reviewing that draft paper (and Kyle's and my topic papers) would be helpful.
Markus Sabadello: There's also a did-auth channel on the weboftrustinfo slack.
Ryan Grant: Sorry, already done.
Kyle Den Hartog: @Joe, I'd suggest github issues in the RWoT repo being used, but I'm not opposed to the RWoT slack channel to facilitate discussion
Joe Andrieu: Ok.
Joe Andrieu: Kyle, could you send an email to the list with the URL and ask for feedback on Github?
Kyle Den Hartog: Yea, I can do that
Joe Andrieu: Perfect.
Dennis Yurkevich: Markus_sabadello how does one join the RWOT slack?
Joe Andrieu: Sorry for the technical challenges folks.
Joe Andrieu: Chris, for the slack, they should email Shannon?
Dennis Yurkevich: Go to weboftrust.info and follow the instructions
Joe Andrieu: Perfect. Thanks, Andrew
Andrew Hughes: The links to the github repos for all the RWOT events are there too
Andrew Hughes: And the published papers
Joe Andrieu: With that, let's draw this meeting to a close. Does anyone have any parting comments?
Joe Andrieu: Oh.
Joe Andrieu: I do. =)
Joe Andrieu: Who will be editor(s) of the DID-Auth output of the CCG?
Joe Andrieu: (Not the RWOT paper)