The W3C Credentials Community Group

Verifiable Claims and Digital Verification


Credentials CG Telecon

Minutes for 2018-12-04

Ryan Grant: Hearing audio
Manu Sporny: Regrets: manu
Benjamin Young is scribing.

Topic: introductions

Christopher Allen: Anyone new today? first time on the call? please `q+` or speak up
Sub-Topic: reintroductions
Christopher Allen: Hey kimhd have you been reintroduced recently?
Joe Andrieu: On a previous call
Christopher Allen: My name is Christopher Allen, I work on blockchain security
...I consult around better tooling for blockchains and DIDs

Topic: Announcements and Reminders

Christopher Allen: Next week we have the workshop on strong identity
Daniel Buchner: Do not bring your weak identity ideas to it
...if you've not already registered, I believe it's already full
Daniel Buchner: ;)
...if you'll be there next week, I look forward to seeing you there
Christopher Allen:
...there will not be a meeting on the 11th nor the 25th or 1st because holidays the spring there's rebooting web of trust
...wrapping up those details now
There's also the internet identity workshop
...April 30th through May 2nd
...if you have other meetings please email them to the list
...So, the CCG team went through how we review action items
...we've added a lot of tags to our issues help us manage those future weeks we'll be picking 3 items that we'll call "review next"
...we'll try and tackle those each week
...and let people know we're covering them on upcoming calls
...there are quite a few new additional tags, we've announced this, so that closes #35

Topic: DID resolver specification

Markus Sabadello: We are discussing the resolution architecture
...there are a number of open topics related to that
...the document linked there contains a short abstract, basic example, and a list of open topics
...there is also a topic paper from the last RWoT about DID resolution
...Dmitri and I have done a few calls to discuss this
...but as yet there's not much content on the document yet
...we're motivated to start working more on that now
Christopher Allen: Any blockers?
Dmitri Zagidulin: +1 To everything markus said
Markus Sabadello: No blockers on my side
...I am wondering a little bit about the process this an official work item?
...should we have regular calls around this topic?
Christopher Allen: So, that's exactly what we want to do for each of these items
...continuing on that, we have an action item
...for manu for verifying DID methods
Joe Andrieu: Present?
Christopher Allen: So, we'll address that later when manu's on the call
...these items are items that the community is doing
...and hear from anyone who has updates on these
...there are 7 items open
...we're working on a DID explainer
...that's today's main topic
...does anyone have any status updates on these?
...we still need to review the model specification?
...burn is that something the VCWG needs us today officially?
Dan Burnett: Technically yes
...the VCWG charter says we'll coordinate with a specific list of groups
...and we need official feedback
...which could be as minimal as "we looked at it, and it's fine."
Christopher Allen: So, we need an action item for that, because we need to do it soon
Ryan Grant: For purposes of testing DID Document parsing, I'm still looking for a corpus of valid DID Documents.
Dan Burnett: Yes, talk to JoeA about what "soon" means for VCWG
...Ryan Grant had sent a DID Document use case request
...seems he's still looking for valid DID documents, if you have such things please send those to rgrant
...he's collecting those
Dmitri Zagidulin: Rgrant - is there an issue or document where we can add DID docs?
...we also need to do a review of the various approaches so far--that'll be a future meeting
...we also keep seeing this security/vulnerability report on our repos, and that needs addressing on to work items

Topic: Work Items

Christopher Allen: Any status on any of these?
Dmitri Zagidulin: Yes, send a pull request to [scribe assist by Ryan Grant]'s the list of issues the chairs are focused on
...we go through these every Friday to make sure they're being addressed
...we're also working to tag all our issues
...and seems we've accomplished that so far
...anyone's encouraged to submit issues related to their work
...and now we'll address unassigned issues
...we need a lead on #28 Review VC Data Model Spec there anyone who could read through that and lead a discussion on a future meeting?
Andrew Hughes: If no one else wants to do it, I can do that
...and I'm happy to accept supporting contributors as well
Christopher Allen: Anyone here from EIP who could address #21?
Markus Sabadello: I'm definitely not from the Ethereum Community
...but I could contribute a bit there
...I worked on the related DID method
...but I'm probably not the best person for handling #21
Christopher Allen: So your task can be to find someone to address it that's done we need someone to lead a discussion on #18 JWK cryptosuite spec
...things such as CBOR, IPLD, etc.
...anyone up for this one? maybe someone from Microsoft?
...we're looking for someone to generate a report about IPLD, JSON-LD, etc.
Daniel Buchner: So, we have been working on some of this
...we've worked with larger financial groups and things wanting token auth
Daniel Buchner: That's the status I have for now anyway
Christopher Allen: Daniel if you can think about a future meeting where we can go into more details
...maybe sometime early in January the meantime, what is your GitHub name?
Daniel Buchner: Csuwildcat
Christopher Allen: That closes out that part of the agenda
Daniel Buchner: Summary: there is a flavor of JW*-based DID auth in DIF that supports RSA and secp256k1, and we have been getting feedback from potential large corp/gov adopters that they want OIDC support at some level, where possible. We're going to continue working on the former, and trying to make the latter compatible, wherever we can went a bit longer today, but it's what we'd like to tackle this process each week
Dmitri Zagidulin: I'd like to add some thoughts about JWT
Christopher Allen: Sure, go ahead
Dmitri Zagidulin: We did a call recently about JWT
Dan Burnett: Verifiable Credentials, NOT Verifiable Claims :)
...there's a lot of interest in using existing JWT infrastructure to support DIDs and VCs
...the general consensus was that we're going to go for a mechanism
...where we can use any of these wrappers
...JWT, CWT, or future ones
...and then embed the full VC in the claims part of the token, instead of mapping various attributes from JWT
...everyone on the call has expressed a commitment sort of stuffing the entire VC into the claims portion of the JWT
Christopher Allen: So, whoever else was part of the community, feel free to add some agenda items
...create URLs, etc, to help people find how to use JWT, etc as these sorts of enveloping packages
Dmitri Zagidulin: Does anyone have a link to those minutes?
Jonnycrunch3: was this my issue we mentioned earlier? or something else?
Christopher Allen: I think we need to find if that's handled by this enveloping idea
Jonnycrunch3: so, my issue was in the DID spec
...and in the VC data model spec
...I summarized it in my paper
Christopher Allen: We should probably discuss it in the CG and make a work item for it
Dan Burnett: JWT special call minutes:
Moses Ma: DID Monetization discussion/meeting is likely going to be held on Thursday December 13th at noon PST. Zoom conference, for 1 hour. Featuring Dr. Po Chi Wu. Sign up here:
Moses Ma: Hi all, sharing some call details
...I've also invited Christine Sandberg should be a nice interesting call
Christopher Allen: Great. there's a sign-up link the future, there's an announcements repo
Moses Ma: Here's the time planning noodle: And an initial list of possible business/revenue models:
...where people can share things like that'd help to give folks more advance to post those there would help us so they always show up in the announcements section on these calls
...on to the meat of our discussions...

Topic: TAG charter review

Moses Ma: Okay, will enter a pull request...
Christopher Allen: The W3C's Technical Architecture Group (TAG) is charged with reviewing technical specifications and group charters
...they have a new methodology called an explainer
...because they weren't really satisfied with our primer
...we've begun that explainer
...there's a variety of thoughts from some folks
...I've linked to the Google Doc
...JoeAndrieu do you want to take it from here?
Joe Andrieu: If you've made edits and would like to present your work, please jump on the queue
...basically, we'd like to get through this document with some rough content
...once we've done with some of the work in the last week, we can discuss this more
Ryan Grant: As I recall, at the last meeting we left off looking for politically appropriate use cases. Did we make progress on this?
Joe Andrieu: Maybe kimhd you have some examples?
Samantha Mathews Chase: Present+, scenario 1 is an international student applicant
...the DID is first kept on a hardware wallet
...then a decade later, she shares that elsewhere
...the folks involved were able to verify the credential without direct contact with past employers and universities
...the TAG's explainer explainer did ask for code I'm hoping to get a sample DID and VC into this explainer in place of code
Ryan Grant: Does Oxford need to sign a nonce to prove that they still stand by issuing Sally's diploma? Do we have an offline-verifiable-credential already?
Moses Ma: Christopher, can you post the URL to the repository where you want a pull request for a new work item/meeting/project - announcements? issues?
Kim Hamilton Duffy: I'll mock up a VC for scenario 1
Joe Andrieu: So this was my write-up, and although it reaches beyond "just DIDs"
...I was able to fold in interesting scenarios showing that it helps remove the burden of authentication from the university
...or for them to even be involved in the loop to verify
...hopefully it highlights things accurately
Jonnycrunch3: one concern is around non-goals
...I understand this is the W3C which seems very married to HTTP and DNS
...and there are vulnerabilities in those protocols
Dmitri Zagidulin: What particular vulnerability do you have in mind? limiting this to just those protocols seems limiting
Joe Andrieu: The explainer doesn't ask for things that map to those concerns
...but I may just add them anyway
Christopher Allen: Specific to this educational scenario's probably important to mention that VC's may be wrapped in various proofs for this usecase is a timestamp that they know it was valid at the time of issuance
...but there might be 3 proofs
...a short term signature proof
...with an expiration on the signature
...that point might need to be in there somehow
Joe Andrieu: Do you think timestamps are a unique selling point for DIDs?
Christopher Allen: I think one of the principles of DIDs however, is that we're part of an ecosystem're talking about a VC here
...and that encodes those proofs're right this isn't technically part of the DID spec
...but it does show that multiple proofs is part of our technology
Joe Andrieu: It's also not part of the VC spec
...timestamping is kind of its own thing
Christopher Allen: Maybe we point that it may be a service offered or something...but we'll see
Brentz: I just wanted to say we should have a very simple use case
...ideally one that doesn't involve VC
...something I can identify and resolve
...I'm not sure we're highlighting the best things that DIDs provide
"Knows" from last year
Joe Andrieu: What's a better use case?
Brentz: maybe IoT?
...I'll work on one and suggest it
Joe Andrieu: If you could write something up, that would be great
...simpler is better
Drummond Reed: I'd be happy to help also
Markus Sabadello: The idea that was just mentioned
...that the DID can prove control of it prior to doing anything more
...that seems to be what people mean when they say DID Auth
...something as simple as single-sign on
...but this time with an identifier no one can take away from you
...and doesn't hard code the identity provider
Joe Andrieu: So, how would that be different than just WebAuthN of the critiques is that DIDs aren't any different
Markus Sabadello: I could name a number of reasons
...we've already included them in our report we want to go into that now?
WebAuthN isn't necessarily self-sovereign, need third party
Christopher Allen: I think that it's worth trying to find one
...but I admit to having a skepticism around single sign-on or email signing
...because it connects us to lots of areas where folks will object
...the educational one doesn't currently have a contender in this space it's less likely to be contentious
...maybe rotating a TOFU would be interesting
...but short of that, we hit other things
Joe Andrieu: TOFU == Trust on First Use
Markus Sabadello: With DID Auth you can change the authentication method (key pair, password, biometrics, whatever) without changing the identifier.
Ryan Grant: Can someone remind me where our past use case work is?
...I feel like we did lots of this previously
Joe Andrieu: Yeah, I'll look those up
Heather Vescent: There were like ~20 use cases in that document.
...we came up with 10-12 DID focal use cases was sent to the TAG
...and our proposed charter
...but folks didn't find it compelling enough to replace the explainer
Ryan Grant: I just dropped the link I found in the notes would be interesting to know what of those were not compelling
...and share that feedback with the group
Heather Vescent: It wasn't clear what the next step was with that document. We could do a group survey/analysis of those use cases.
Joe Andrieu: Some of it was just "I don't care about use case X" and they moved on
...the stuff in there isn't sorted at all either; just very raw input
Heather Vescent: I was confused by the origin of the use cases in the explainer document
...I wondered why we didn't use stuff from Ryan's work
...lots of people contributed to that a recovering Silicon Valley product manager
...I'd want to do analysis on these use cases sort out which seems most appropriate and strongest for this audience
Ryan Grant: I think the thing missing is principles of politically desirable use cases. order to make the case with W3C management
...the easiest thing you could do is a survey
...getting feedback on the various use cases help understand and categorize these see which actually resonates with the community
...we had a lot of contribution
Samantha Mathews Chase: Agree with heather, we should score those use cases, combine all other docs and rate and order them
...but it lacked quantitative feedback
Samantha Mathews Chase: That doc was the reason i joined and I would happily update it
Samantha Mathews Chase: As I'm sure others would
Joe Andrieu: To reflect the process that got us here
...we did present those other use cases to W3M
...and as a result to that feedback, we kicked off discussions around DIDs Unique Selling Proposition
Heather Vescent: Ok. The results of that feedback weren't clearly communicated back to this group.
...what are the pain points which DIDs uniquely solve
...we've discussed this for the last several weeks
...and what's currently in the explainer is an attempt to focus on the Unique Selling Proposition
...and narrow that to a few scenarios make that case
...that's how we got here
...we had some great discussions in the last couple weeks
...that highlighted some of these USPs "no one wants to manage their credentials"
Samantha Mathews Chase: Why don't we add our new thoughts and feedback to the top of the doc
Christopher Allen: So, we still want to continue exploring use cases
...refine them, add to them, etc.
...the difference with the explainer
Samantha Mathews Chase: And encourage everyone to go back and clean those up
...the explainer specifically is under a time constraint
...we really wanted it out last week
...the TAG wanted to know specifically why DIDs were different/better than existing specs/approaches like WebAuthN
...we needed to lead with something they'd understand relative to other things they're evaluating
...we now have a very specific audience we're trying to appeal to
Ryan Grant: This is the first time I've heard that we should be making a list of features that we have that webauthn doesn't have. That's annoying.
Andrew Hughes: Are these the major value points of DIDs?
...that, I believe, is how we ended up on this educational scenario
Andrew Hughes: * DID are self-issued identifiers
Andrew Hughes: * DID use cryptographic proofs to demonstrate the ‘owner/controller’
Andrew Hughes: * DID cannot be ‘cancelled’ by an authority
Andrew Hughes: * DID make key rotation possible (the ‘identifier’ part is separate from the ‘cryptographic proof’ part)
Andrew Hughes: * DID are resolvable
Andrew Hughes: * DID can be directly used and referenced in any DLT (by writing a new DID method)
...where it would seem like a first for the TAG
Joe Andrieu: So, we're running out of time
...samchase if you'd like to chime in
Samantha Mathews Chase: We're working to get our pilot off the ground
...if we're going to work back from that document
...basically I think the main point is letting someone have not just single sign-on
...but also carry their preferences with them
...and in that scenario, you make data brokers become separate from identifying entities
...just giving people over the tagging of their data when they give it to you they're confident
...I'd love to help, but sadly I'm really swamped before the holidays
Joe Andrieu: We are a bit under the gun week are 2 events
...those in attendance will be reviewing this doc
Samantha Mathews Chase: I'll type something up today thanks for the fire under my butt
...and getting a lot of feedback from WebID, WebAuthN folks
Moses Ma: Christopher or Joe, did I do this right and in the right place?
...we're doing all this to support the charter activity
...which is also under the gun
...we've got a train that's moving forward and we'd like you to hop on samchase if you can
...we're a little bit after the hour
...ok, no meeting next week
...see you 2 weeks from now
Moses Ma: Thanks and bye folks