The W3C Credentials Community Group

Verifiable Claims and Digital Verification

Go Back


Credentials CG Telecon

Minutes for 2018-07-03

Ganesh Annan is scribing.

Topic: Introductions and Reintroductions

Christopher Allen: Agenda Review, usual announcements and reminders and then focal use cases
David I. Lehn: Hi, this is David Lehn from Digital Bazaar. I have been involved in the Verifiable Credentials work for a while doing core Open Source implementations. Looking forward to continuing to participate.
Irene Hernandez: Irene Hernandez here, working now full time on a decentralized identity project named Gataca. This is my first call with the W3C and looking forward to contributing to this group!
Lionel Wolberger: Irene, good to see you here!

Topic: Transparency

Christopher Allen: Any quick questions on IRC methodology and using the queue?
Drummond Reed: Good summary, Christopher
Christopher Allen: IrcCloud is good when using the phone

Topic: Announcements and Reminders

Christopher Allen: Announcements page: https://w3c-ccg.github.io/announcements/
Christopher Allen: Created a special webpage for announcements and reminders. On it now is the virtual hackathon, we'll be working on the btcr method. We'd love to see other did methods and json-ld folks.
Ryan Grant: I think DID Document validation and Verifiable claim parsing are hot topics too.
Christopher Allen: We're trying to charter the W3C working group at TPAC in Lyon, France
Manu Sporny: Quick update, talked to w3c staff about Rebooting... still a possibility for an event. Some staff is still interested in co-running something at Rebooting.
Samantha Mathews Chase: Dweb conf is great! I'd love to help with panel
Drummond Reed: Drummond is planning to attend the Decentralized Web Summit.
Ryan Grant: Decentralized Web event also mentioned in Vanity Fair
Samantha Mathews Chase: I was there two years ago, we presented webvr over IPFS
Markus Sabadello: An event in early August, in San Francisco... Decentralized Web.
Drummond Reed: Demo day is July 31, the event is Aug 1 and 2
Ryan Grant: Last week we heard about w3c voting, any updates?
Ryan Grant: Do we know grounds for objections?
Manu Sporny: We are a long way from voting, looking at the end of the year. Until CCG produces required information there will be no vote. Will be presenting DID Spec at TPAC and may need another presentation after TPAC if there are any objections.

Topic: Action Items

Christopher Allen: Do we have any updates on the Veres One DID Method specification?
Manu Sporny: We are making an annoucement about the Veres One Community Group, the Board of Governors, and the Advisory Council later today. We are going into production in the next couple of months, we'll make those annoucements on the CG mailing list: https://www.w3.org/community/veres-one/
Manu Sporny: We will be updating the Veres One DID Spec after we go into production.
Christopher Allen: We would like to be kept up to date. There is also an issue on github on security, are you working on that?
Dmitri Zagidulin: Do we have a link to the issue?
Manu Sporny: David Lehn do you mind if I assign you the security vulnerability action item?
David I. Lehn: *Groans*
Christopher Allen: Any other action items we missed? If not we will be moving on to work items.

Topic: Work Items

Christopher Allen: Any announcements or requests on work items?
Christopher Allen: What do we need to do to get the credential handler polyfill done?
Manu Sporny: We have an implementation, it will not go standards track until for another two years. We're getting implementation feedback as well. Status probably won't change over the year.
Christopher Allen: Inquiry from Firefox in how to integrate?
Samantha Mathews Chase: Can you explain what we need from a browser? I work closely with JanusVR, they recently opensourced their native client which is a broswer
Manu Sporny: It would be dangerous to involve browser manufacturers right now since it's too early.
Samantha Mathews Chase: It would be interesting to use DID's with the presence server

Topic: Focal Use Cases

Christopher Allen: We're at the half hour mark so we'll be moving to the Focal Use Cases.
Heather Vescent: I have a more general use case question.
Christopher Allen: Sub-topic use case #14 e-profiles
Samantha Mathews Chase: Under the current system we have these eprofiles built. It would make more sense to have an e-profile kept to myself that has the same information that other e-profiles are built from.
Samantha Mathews Chase: We should be gaining control of our identity and then claiming the claims around that identity.
Heather Vescent: It reminds me of the data "gems" (I forget which company did it)
Heather Vescent: Yes, thanks.
Christopher Allen: I remember setting up my e-profile FOAF, later we had similar ideas with OpenID. They've all failed I can't bring my profile from one place to another. In particular in these use cases what is it that DIDs do differently to make things better this time?
Ryan Grant: DIDs are secure enough to have grounding with other uses in society, such as legal matters. This should attract infrastructure better than FOAF.
Drummond Reed: DIDs have a much broader set of applications than identity and profile sharing. They address a fundamental need for decentralized PKI.
Dmitri Zagidulin: A central idea that I have is the lack of decentralized authentication and authorization is the reason why all these other solutions failed. The difference this time we have a better grasp on decentralized authentication via DID Auth and we have a better access control with capabilities.
Samantha Mathews Chase: No
Samantha Mathews Chase: Private consumer profiles
Bohdan Andriyiv: Regarding e-profiles, are we talking about social media profile or advertisement network profiles that is gathered information around you?
Samantha Mathews Chase: I think we can start with a consumer/intent profile, not social
Heather Vescent: Axciom was at IIW
Christopher Allen: FOAF was more of self attestation, which is personal representations without any authenticity checks. Then there was claims about other people such as on Twitter, I'm known as Christopher A.
Samantha Mathews Chase: To me this use case is about first collecting all the representations of 'me' online through the back channels i.e third party profilers. Then I can see all of these different profiles and either verify or formally object to collected information
Samantha Mathews Chase: Let's forget social for just a moment, first this would be about identifying other profiles that exist and assigning my own verification to it or objecting.
Chris Boscolo: +1 To what drummond said
Drummond Reed: It goes much deeper than profile sharing. DIDs address fundamentally for persisting an identity of a resource and decentralized PKI. There's nothing like it.
Drummond Reed: DIDs are also a decentralized solution to persistent identification of a resource. That has been a longstanding need of the Web as a whole. So when you combine the ability to have persistent identification of a resource with the ability to do public key discovery and verification, all decentralized, DIDs are a major paradigm shift.
Bohdan Andriyiv: There's not that much for DID standard, they are not connected to our identity.
Chris Boscolo: Would it be helpful to have this group that gives an architectural view of the DID-base solution that Drummond described?
Christopher Allen: (New CA law only has fines of $750, or $2500 if egregious)
Christopher Allen: (GDPR is up to 4% of revenues)
Manu Sporny: Two thoughts. The information collected on you, advertisers are not interested in sharing information that they have about you to you. This approach may not work in US but probably in Europe due to GDPR. There is an opportunity in the ad industry in which they can serve ads to a confirmed identity. They want it to be known that ads are shown to people that actually have those interests, using verifiable credentials. This conversation will be around converting consumers into their sales funnel. I'm a bit concerned about having that discussion, I just want to be very clear before going into it.
Chris Boscolo: If you look at the taxonomy of DID uses cases, how many AREN'T verified claims?
Heather Vescent: I've been thinking about delegation and reverse delegation: multiple identities come together to do a financial transaction. An example, is a group of people come together to open a joint bank account. Is there a situation where DIDs can be two or three, together create a DID that represents their collective identity?
Christopher Allen: I call that proof of association, but it could be more than that
Samantha Mathews Chase: Like a DID fog?
Heather Vescent: Well, I see this as more of a collective identity. Where people may bring parts of their reputation and associate it with the collective identity.
Heather Vescent: Like someone might bring reputation, another may bring financial, etc.
Bohdan Andriyiv: DID vs. centralized IDs – DID will shine where sovereignty (ultimate control over asset + e2ee) is required.
Manu Sporny: The thing that jumped out at me is that it's more of an ocap use case. There are many tools that we have that could address those use cases. It could be a ocap use case or a multi-sig use case
Kim Hamilton Duffy: +1 I'd like to see that paper
Samantha Mathews Chase: What heather is talking about might be useful for the Guatemala use case, each person can assign an identity as part of their community? I'd love to talk about it more
Manu Sporny: Heathervescent, to be clear -- I think there is a DID use case in there...
Manu Sporny: Heathervescent, like DIDs enable that use case you're talking about...
Heather Vescent: Thank you everyone for their comments.
Heather Vescent: OK, Thanks Manu. I may write up something brief.
Kim Hamilton Duffy: +1 To Manu's comment. I think there is a DID use cases in there AND others (OCAP, etc)

Topic: DID-Auth

Joe Andrieu: Definitely support a topic paper and potentially a great use case. This might be a good example of leveraging multi-sig.
Markus Sabadello: The paper on DID-Auth is in its final stages, I just wanted to take a snapshot of the community wisdom on DID-Auth.
Markus Sabadello: Is the paper a representation in any way about whether the scenarios are secure? [scribe assist by Ryan Grant]
Markus Sabadello: (I.e. does it need review?) [scribe assist by Ryan Grant]
Christopher Allen: One thing we wanted to get from you is what from the DID-Auth paper needs to be worked through as a potential work item in this group. This paper is a good overview of everyone's thoughts. What are some low hanging items we can work on as a group?
Chris Boscolo: Would "agency" or "control" be better than "ownership?
Chris Boscolo: Would "agency" or "control" be better than "ownership"?
Dmitri Zagidulin: We mention OCap in the paper, fwiw
Markus Sabadello: Happy to talk on a seprate call with manu about ocap in DID Auth.
Manu Sporny: Skimming paper now, I see a lot of JWT which is concerning. I'm not seeing a lot of OCAP in the paper. We'll chat offline about using OCAP to using authentication, fantastic work on the paper, thank you for putting that together.
Drummond Reed: Please note: I will be completely offline at a family reunion in Maine the week of July 9, so I won't be able to attend.
Christopher Allen: I want to get to authorization later, it's very important. Institutions want attestations that a bimoetric was used to open the private key. A particular hardware generation of a key was generated with trusted hardware. That's it for today, next week we may not be able to revisit the Guatemala use case.
Christopher Allen: Coming up on August 7th, proof of personhood. How can we prove that someone is a unique person?
Heather Vescent: Thanks all. Bye.