The W3C Credentials Community Group

Verifiable Claims and Digital Verification

Go Back

Credentials CG Telecon

Minutes for 2018-06-26

Manu Sporny is scribing.

Topic: Introductions

Simon: Hi, Simon from uPort, first time on this call.
Kulpreet Singh: Working on Clue... been lurking, doing some DID integration in the CLU protocol... Go implementation of BTCR, any help would be appreciated.

Topic: Agenda Review

Topic: Announcements & Reminders

Kim Hamilton Duffy: We will have the summer BTCR outreach, July the 16th - have an action to send out an initial planning meeting for that... where are people with their implementations?
Kim Hamilton Duffy: Next is MyData in Helsinki - August 29th-31st, no DID panel, but quite a few people from CCG giving talks on various aspects of DIDs.
Kim Hamilton Duffy: Next RWoT VII - we think it will be week of Sept. 24th in Toronto.
Sam Smith: Have we tried Ryerson re: Toronto?
Kim Hamilton Duffy: TPAC:
Kim Hamilton Duffy: TPAC is October 23rd-25th, Mountain View - early bird discounts open now
Dmitri Zagidulin: Tpac is opposite of IIW, huh? :(
Kim Hamilton Duffy: IIW is at the same time as TPAC
Joe Andrieu: Dan Buchner said we do have the space... final confirmation on details today. Wanted to queue up 90 day advanced window to Manu?

Topic: Progress on Current Action Items

Manu Sporny: Yes, we'll probably not be able to coordinate w/ W3C on their workshop end of September, we're out of time.
Manu Sporny: Can you point to an explainer of why participation in the vote would require travel? [scribe assist by Ryan Grant]
Ryan Grant: It doesn't require travel... it requires you to be a W3C member
Kim Hamilton Duffy: Opencreds update, dlehn did that
Kim Hamilton Duffy: Verifiable news - asked sandro to pick it up
Kim Hamilton Duffy: Spec text version of registries process - updates went into both specs.
Kim Hamilton Duffy: Mydata panel - not doing that, but having other CCG members give talks.
Christopher Allen: Were there any documents on opencreds that aren't just historical but need to be brought forward?
David I. Lehn: Just to note, the thing i did was just to add a blurb to redirect to the new sites. i didn't check that all old things there are on new sites.
Manu Sporny: I think everything has been moved over to W3C CCG
Kim Hamilton Duffy: Sounds like W3C Workshop will be November.
Christopher Allen: Financially, the Lyon one is expensive - how important is it if there is going to be one in November.
Hi all ! I really like the generic DID scheme, is there somewhere a proposed Method scheme with Verifiable Claims maybe through the lense of smart contracts?
Drummond Reed: Manu, can you say more about that? What do anticipate is going to be a problem?
Sam Smith: Can you point me to the basic background of these politics you are speaking of?
Joe Andrieu: @Sam I'd be surprised if there's anything in writing.
Ryan Grant: I again have a question about travel: how can remote participants in W3C express their support in a way that does not allow brigading to interrupt the work? is it possible to incorporate online elements in a "workshop"? [scribe assist by Ryan Grant]
Heather Vescent: I will scribe
Drummond Reed: FYI, I can't go to Leon due to the conflict with IIW. But I could go to a workshop in November.
Manu Sporny: Where people can participate [scribe assist by Kim Hamilton Duffy]
Heather Vescent: OK, will let you do it Kim.
Kim Hamilton Duffy: ...Rebooting and hackathon are open -- anyone can participate in those
Kim Hamilton Duffy: ...TPAC is specifically for W3C members
Kim Hamilton Duffy: ...Not worth the expense if you are not a member, but there is remote participation (Similar to this)
Kim Hamilton Duffy: ...W3c workshops: we try hard to have remote access and allow input. They tend to be open, but tend to limit some attendees
Kim Hamilton Duffy: ...E.g. journalists aren't usually welcome because big company reps feel uncomfortable speaking openly
Kim Hamilton Duffy: ...The vote is only open to W3C membership
Kim Hamilton Duffy: ...That's why it's important to whip up support among w3c members
Ryan Grant: Does a paying W3C member have to attend to vote? [scribe assist by Ryan Grant]
Ryan Grant: Does a paying w3c member have to attend to vote [scribe assist by Kim Hamilton Duffy]
Manu Sporny: No, can do remotely [scribe assist by Kim Hamilton Duffy]
Kim Hamilton Duffy: ...Vote doesn't happen unless w3c mgmt believes it should happen (but that's rare)
Kim Hamilton Duffy: ...E.g. they may delay the vote many months while issues are worked thru
Kim Hamilton Duffy: ...How this goes down is mostly a political process
Kim Hamilton Duffy: ...E.g. VC stalled for 6 months due to behind the scenes
Kim Hamilton Duffy: Hackathon date TBD -- September 27th and 28th... want to get folks engaged in Hackathon.
Joe Andrieu: We'd love to support deployed DID methods at the hackathon.
Kim Hamilton Duffy: Ping on JWK cryptosuite specs... issue 18
Kim Hamilton Duffy: We have that assigned to uPort - weren't able to assign it to ChristianLundkvist - any updates from uPort?

Topic: Work Items

Kim Hamilton Duffy: Any status to report?

Topic: Focal Use Cases for DID WG

Adrian Gropper: A prescription for Alice - use case is a patient accessing a physican online.
Adrian Gropper: Getting a prescription that she takes to a pharmacy in person and its fulfilled... the prescription is the verifiable credential... identities DIDs of individuals involved.
Adrian Gropper: The particular questions that I'd like to talk about with the group that are represented in the use case, we need to have a use case that has specific regulations at some point.
Adrian Gropper: Health-related and prescription related security analysis - defend what we're doing as this stuff moves forward.
Hi all ! I really like the generic DID scheme, is there somewhere a proposed Method scheme with Verifiable Claims maybe through the lense of smart contracts?
Adrian Gropper: There are a lot of hypotheticals - protect privacy against collusion/tracking... trying to pick one example of how we engineer for one aspect of privacy.
Joe Andrieu: Adrian, great use case - there is a threat model approach that we're using in VCWG which is a good place for security analysis / privacy engineering.
Joe Andrieu: If Alice's identity is never assured... is that compliant with regulations today?
Adrian Gropper: It depends on the prescription... if it's not a controlled substance, the answer is yes.
Adrian Gropper: Prescriptions can be for various reasons - up to relationship w/ doctor. For example, doctor can dispense to alice keeping only the record in the doctor's office, nobody needs to know.
Adrian Gropper: There are lots of examples of this... good case for privacy engineering as well as security analysis... have to pay attention to licensed professionals in DID universe... otherwise we're not doing much different from federated identity.
Sam Smith: Cannabis is a controlled substance and there are a lot of online doctor script services, this would fit in that model, no?
Adrian Gropper: What makes DID totally unique is the fact that it can be fully decentralized and fits w/ verifiable credentials... we're trying to get Venn diagram of licensed professionals, peers, patients.
David Challener: Question about this - today when we have prescriptions, the pharmacist needs to know all prescriptions I'm taking for drug interactions. Health insurance needs to understand what I'm taking, different pharma to reduce costs. All that has happened to me in last 60 days... why do we want anonymity here when we don't have it today?
Adrian Gropper: We've spent a quarter of our time worrying about privacy-related issues. There are hundreds of use cases ... ways we could complicate this use case along the lines of what you mention. The reason to do privacy engineering, and the reason we want to adopt these principles is to have a hierarchy for the kinds of restrictions/uses that you mention.
Adrian Gropper: Privacy engineering means that you start with a foundation that is as privacy preserving as you can manage... data minimization, regulatory minimization - build through privacy engineering, as you have a reason - pharmacist monitor all prescriptions, that's a different use case.
Adrian Gropper: There are lots of things we could privacy engineer in a hierarchy, this particular use case is talking about the bottom of that hierarchy, what is a reasonable set of regulations and security issues that already exist that we could use as a baseline.
Adrian Gropper: Build on top of infrastructure - as a baseline.
David Challener: What's the problem you're trying to solve?
Adrian Gropper: It's not abstract at all.
Ryan Grant: I'd answer this as follows: doctors may want you to have only one medical persona, but there is no reason for your medical persona to be the same as your work persona. This is quite different from having "anonymity" in your medical dealings. Furthermore, doctors are sometimes wrong, and protocol infrastructure should not assume their perfection.
Samantha Mathews Chase: I can speak to this personally - planned parenthood is for a lot of people that can't access doctors... a young woman would need to get a simple scrip.
Samantha Mathews Chase: Doctors also provide marijuana prescriptions online.
Samantha Mathews Chase: There is also something to be said here for at risk youth - someone that could verify they are who they are.
Samantha Mathews Chase: Providing some non-controlled substance prescription online.
Christopher Allen: There is also birth control, etc.
Adrian Gropper: That is the goal with this use case - find lowest common denominator that has this element of certified responsible individual rather than institution, has an aspect of non-controlled substance... so we don't have to defend the more charged use cases.
Adrian Gropper: Trying to bring in relationship between licensed professional and individual.
Kim Hamilton Duffy: Freezing the q for this topic at Joe
David Challener: I still don't understand... giving someone a prescription w/o knowing who they are is illegal.
Adrian Gropper: It's not illegal. I'm a physician.
Adrian Gropper: This is not hypothetical, this is a real use case.
Joe Andrieu: One of the drivers for this, David, is to challenge some of those assumptions that is given.
Joe Andrieu: To the extent that it is legal, how can we rearchitect so we don't have baked in privacy problems.
David Challener: That's the best answer I've heard.
Kim Hamilton Duffy: Let's wrap up and move discussion to mailing list.
David Challener: Where do I find the discussion about the Washington law?
Adrian Gropper: Where in our process are we going to have a security analysis?
Joe Andrieu: Good question - the way I think we do this is through threat model approach in VCWG.
Joe Andrieu: We've asked for a bunch of use cases, getting engagement - as a communtiy, why are different people contributing... we'll need to pick a handful of focal use cases, will refine them... do a threat model, etc.
Adrian Gropper: Thanks
David Challener: Btw, what I said was: Giving a prescription you ahve been given by a doctor to someone else is illegal.
David Challener: (Sort of like buying alchohol for a minor)

Topic: Muscians and Influencers

Joe Andrieu: @Sam I'll send an email
Samantha Mathews Chase: I grew up with the Internet, I was a DJ - met people online, met via MySpace, etc. I'd host people, they'd host me... when algorithmic fees were introduced to SoundCloud, I noticed the whole industry change.
Samantha Mathews Chase: 3Rd party models, led to the downfall of many platforms.
Samantha Mathews Chase: What's frustrating is that because there are so many platforms now, they look at their numbers... SoundCloud has become garbage... Spotify was elitist artist thing... hurt a lot of people, focused on touring.
Samantha Mathews Chase: No real way to "claim your ID"... it doesn't help anyone to convey the information they want to convey because I don't know how people are finding me... I don't know how people show up in search results. People just use the search result, images aren't even her.
Samantha Mathews Chase: Services offer a "blue check", but is there a way that we can connect all the streaming data to a single counter that is attached to an ID that I own?
Heather Vescent: The dream of the indie web of the early 00s!!
Joe Andrieu: +1 For a simple use case for public personalities / celebrities / entertainers.
Ryan Grant: +1
Samantha Mathews Chase: Also wondering if there is a way for that to hold a directory that points to -- lots of stuff that I have screenshots of just doesn't exist on the Web yet. Archival of art will be lost
Drummond Reed: +1
Samantha Mathews Chase: We need to think about how we practice our own acts of archival.
Benjamin Young: S/
Heather Vescent: This could be applied to all content creators... including bloggers, writers, vloggers, etc.
Samantha Mathews Chase: Wondering if people can help me to make this possible.
Samantha Mathews Chase: I have a crude prototype - trying to explore archival of self - verified entertainers presskit.
Jarlath O'Carroll: Thank you for these real world examples of how these solutions could effect change
Adrian Gropper: I just wanted comment - look in terms of agency - you can't do much how institutions archive stuff about you other than to have your own agent that tracks those things and that can combine/recombine them in ways that you control.
Adrian Gropper: This individual agency is something that's not typically considered.
Joe Andrieu: +1 Kim (we can pick up did-auth next week)
Kim Hamilton Duffy: Can we get a scribe for when Manu drops off?
Bohdan Andriyiv: I think Samantha's use case is about how to prove ownership over digital assets... this use case is handled on ValidBook by "statement of ownership"
Bohdan Andriyiv: Everyone is going to have a base identity - they can link to that identity - any digital asset.
Sam Smith: Can a real time streaming data counter be tied to a signature?
Kim Hamilton Duffy: Freezing q for use case #13 at Manu so we can get to Sam's other use cases
Heather Vescent: This is interesting - started out as indie and then were acquried by corporations - see this split in a couple of different ways... direct experiences about that - being an OG blogger, then stuff I wrote disappearing, cut advertising based revenue model... reclaiming contnet on corporate platforms.
Heather Vescent: There is another methodology - foresaw this, created our own brand anchored to a domain - with DNS, you still don't own it forever, but you have a bit more control over it... aggregate it. Those domains can be fluid. May not want content from a previous blog when you were younger to be mixed w/ professional life.
Heather Vescent: There are two inputs - 1) content you've created on your own - indieweb, and 2) digital natives that have grown up using the platforms that were given to them w/o understanding that they don't own their content.
Heather Vescent: Don't know if these are two different use cases... multiple media - samantha is coming from music background, I'm coming from writing background.
Samantha Mathews Chase: Yes, Heather hit the heart of the issue - can we not just have the reclaiming oru view - not just content, metrics of your views.
Dmitri Zagidulin: The view count, by itself, is a pretty complicated issue, in decentralized terms.
Kim Hamilton Duffy: Can we get a scribe?
Joe Andrieu: Cheers, Manu
Samantha Mathews Chase: Still your responsibility for now. Collect it in a way.
Dmitri Zagidulin: We're basically talking about an ecosystem of trusted verifiers
Heather Vescent: Reputation associated with content - aggregated reputation - another layer on top of the content.
Kim Hamilton Duffy: Warning to those on q: moving to use case 14/15
Kim Hamilton Duffy: Moving sam's second use to next week [scribe assist by Heather Vescent]
Christopher Allen: I'm hearing the free association that feels like, Sam's created fans/associations with fans, but does not own the association and the fan does not own the association. Those associations are owned by the platform where she put her content & the fans are. [scribe assist by Heather Vescent]
Heather Vescent: ... When Sam moves platforms, those associations are lost.
Heather Vescent: ... The associations can be portable.
Heather Vescent: ... Can't take my thousands of followers from twitter to mastedon.
Heather Vescent: ... That is the user story I am hearing that is new.
Heather Vescent: ... Privacy for the fans.
Samantha Mathews Chase: Like a decentralized RSS feed [scribe assist by Heather Vescent]
Christopher Allen: It's a 2 way VC [scribe assist by Heather Vescent]
Kulpreet Singh: +1 Decentralised RSS :)
Dmitri Zagidulin: As far as decentralized RSS, I'd definitely point people to the Social Web Working Group's work, on ActivityPub and so on
Kim Hamilton Duffy: We'll end with Bohdan
Joe Andrieu: I've got to drop. Thanks, all!
Heather Vescent: Bodin: archiving. I have a soundcloud account, but it closes, so I have to prove that it was mine before I can port it. Solution: Take a snapshot of your soundcloud account, sign it with your digital identity, you can prove you were the owner of that account.
Heather Vescent: ... Needs to have interoperability between platforms (e.g. leaving spotify, them allowing portability.)
Sam Smith: Is there a universal avatar work being done?
Ryan Grant: Thanks!