The W3C Credentials Community Group

Verifiable Claims and Digital Verification

Go Back

Credentials CG Telecon

Minutes for 2018-12-18

Agenda
https://lists.w3.org/Archives/Public/public-credentials/2018Dec/0068.html
Topics
  1. Introductions
  2. Announcements and Reminders
  3. 2018 Year in Review
Action Items
  1. prime a discussion on PR changes to DID
  2. look at security model (as opposed to just cryptograph) or threat model of DIDs
  3. address requests for clarity on correlation and privacy claims of DIDs
Organizer
Christopher Allen, Joe Andrieu, Kim Hamilton Duffy
Scribe
Lionel Wolberger
Present
Adrian Gropper, Joe Andrieu, Ryan Grant, Brent Zundel, Ted Thibodeau, Christopher Allen, Amy Guy, Dan Burnett, Manu Sporny, Heather Vescent, Benjamin Young, Lionel Wolberger, Ken Ebert, Isaac Patka, Lucas Parker, Jarlath O'Carroll, Samantha Mathews Chase, Kim Hamilton Duffy, Chris Boscolo, Dmitri Zagidulin, Michaela Casaldi, Moses Ma, Chris Webber, Matt Stone, Kaliya Young, Bohdan Andriyiv, Mike Schwartz, Mike Lodder, Sam Smith
Audio Log
Joe Andrieu: Thanks, Chris!
Lionel Wolberger is scribing.
Christopher Allen: Please take note of the IPR policy, anyone can join, but to contribute you must agree to the IPR policy. [scribe assist by Manu Sporny]
Christopher Allen: Instructions for joining are here -- https://w3c-ccg.github.io/ [scribe assist by Manu Sporny]
Lionel Wolberger is scribing.
Agenda:
Kim Hamilton Duffy: Note scribe list has been updated for freshness

Topic: Introductions

Isaac Patka: First meeting, introducing himself
Working for Bloom
Decentralized identity solution in fintech
Interested in being compliant with the proposed standards here.
Welcome, Isaac (ditto)
Intro: Benjamin Young, working for Wiley & Sons
Always had credentialing issues. Wiley interested in VCs and the ecosystem to solve publishing related issues.
Welcome, Benjamin!

Topic: Announcements and Reminders

RWoT Feb 27-March 1, might move a bit. Looking at Barcelona.
Should have that closed by Jan 8
IIW April 30-May2, Mountain View
NO MEETING NEXT TWO WEEKS. Update your calendars. Next meeting Jan 8
Manu Sporny: Will we review strong identity workshop
Chris Webber: Added to agenda
Chris Webber: We use github issues to manage our action items.
Samantha Mathews Chase: Can i get a couple of moments help with my use case for the DID explanation doc if there is time? stuck on a piece of it.
Dan Burnett: Eq?
Chris Webber: DID resolver specification status?
Kim Hamilton Duffy: I don't see Markus
Manu Sporny: Veres One DID method status
Good progress, a new testnet that is almost feature complete is near production.
No ETA right now, but work is progressing, lots of testing, LB work
Testing the DID method, looking good.
D2 should roll out in Jan, then D3 will come after that
... and that will be the DID method spec that we need.
Chris Webber: Looking forward to that!
@Manu ... are there GitHub repos for the Veres One test net code you just mentioned?
Manu Sporny: @John_BCGov -- yep... https://github.com/veres-one/veres-one -- but don't try to run it unless you really know what you're doing -- we'll have packages out shortly (in a month or so) -- please wait for those.
Thx
Samantha Mathews Chase: https://docs.google.com/document/d/1JIWWs8YTWP83Hao5UXyrgpddYu9F0v8lGDUo0Usor10/edit?usp=sharing this is the correct doc yes? for DID explainer
Manu Sporny: @Lionel_Wolberger, we need like 10 more engineers :P
Chris Webber: CCG created the VCWG so is obligated to review its specification
Kim Hamilton Duffy: Correct Sam
Ideally, someone who was not involved deeply in the process.
... Who is willing to read the spec. Volunteer.
Isaac Patka: I can look from our perspective
Lionel Wolberger: Manu, Chris: +1
Isaac Patka: Github.com/ipatka
Dan Burnett: CCG coordination goes very well. This transition request, we can argue we have a good and continuous relationship
... but this review will be critical, as it is done by someone not party to the work that happened so far
... your work will really contribute.
Heather Vescent: Voicing concern about DID monetization
Manu Sporny: +1 To samchase
... the two words monetizing & ID should not be in the same sentence
... proposing: Solutions for SSI
Heather Vescent: +1 Sam
Chris Webber: Is this for a future report or a white paper.
Kim Hamilton Duffy: Manu you should jump the q
Joe Andrieu: We did discuss it, briefly.
Joe Andrieu: The sense of it was to use the lighter weight RWOT
Manu Sporny: +1 Sam, to remove "monetizing"
... this does seem to be an RWoT paper since the scope of the group should be the spec itself and not the ecosystem
Moses Ma: I'm totally fine to change monetization to business model and move our brainstorming to RWOT...
... this doc feels exploratory, so it may be better in RWoT
Kim Hamilton Duffy: +1 To RWOT move
Moses Ma: And the plan is to write a paper for RWOT
Joe... wishing you a fast recovery, reading your notes.
Joe Andrieu: Thanks, Lionel
Kim Hamilton Duffy: Respec questions, what is that.
Kim Hamilton Duffy: Respec
... that is what we use
Kim Hamilton Duffy: Tutorial: https://youtu.be/0eQXU6Z-A6Q
Kim Hamilton Duffy: These resources will help anyone needing help with Respec
... if you are blocked or on hold, just let the chairs know.
Chris Webber: Work items for CCG process, registries process. WIll need repos for those.
... older items that we inherited *DID engagement spreadsheet and model * polyfill * specifications
... we would like clarity around these items. complete/ archive ??
Agenda: unassigned items
Agenda: Results of strong auth workshop
Manu Sporny: W3C Workshop on Strong Authentication & Identity was pulled together
... from the AUTH community and the IDENTITY community
... broad community to find out what is state of the art
... W3C encourages these discussions to uncover if specifications are needed, and which standards body should host that work
... Presentations start the day, then discussion, then common areas of consensus
... then work items are curated
... generally a workshop report results from the meeting
... the minutes are available and not under IPR restrictions
Manu Sporny: The report should be out in Jan
... it was well attended with about 70 people
Chris Webber: I attended, I would add: there was a wide variety of presentations including DID discussion from people not actively involved in the CCG
... it felt like there is already a DID standard, but, there isn't
Kim Hamilton Duffy: On a good path to reconciling differences.
Joe Andrieu: I'm good, Chris
... Got an opportunity to test out the new DID strategy starting with the Verfiable Claim (education)
... and it worked, there was less pushback on that motivating example
... lesson learned, leave out "registries" next time
Lionel Wolberger: Microsoft was hosting, I believe? What was their position? They have huge identity plays in progress and they tend to be interested in innovation, but sometimes they don't move. [scribe assist by Manu Sporny]
Kaliya Young: Let's just say that they had multiple perspectives. :) [scribe assist by Manu Sporny]
Schizophrenic
Chris Webber: Microsoft is a big player with many legacy systems, with other MS people wanting to innovate
Christopher Allen: Microsoft has legacy stuff and so they have that legacy stuff, and they have some future looking stuff, so it was as much Microsoft talking to each other as to the rest of the community. [scribe assist by Manu Sporny]
Agenda: Explainer
Chris Webber: Anyone taking the lead on that? Anyone feel they own it? Next steps?
Joe Andrieu: I thought I was leading the charge. Dan Burnett also volunteered to help.
Manu Sporny: +1 To JoeAndrieu leading the charge! :)
Manu Sporny: Suggest deadline of mid-Jan to coincide with the auth workshop report.
... It should reach the 480+ companies in the W3C, with 60+ companies saying a WG is called for
Chris Webber: Since CCG next meeting is Jan 8th, that seems a good target
Christopher Allen: Ack?
Joe Andrieu: It's just time on task
... what actions do we need to take to make this target?
>>Cue here, the sounds of silence<<
Joe Andrieu: Sounds right!
Dan Burnett: Will try to make that target.

Topic: 2018 Year in Review

Joe Andrieu: I was thinking we could just go through those quickly and say whether we (2) completed it (1) made some progress or (0) didn't make progress
Moses Ma: Voice call died for me
Dan Burnett: Final reports become input to standards-track work that can become Recommendations
Chris Webber: Review of the tasks and activities that went on in the last year.
Manu Sporny: Looking at the PDF file
... reconciliation draft is done, that is a major achievement, there is only one DID spec now.
... no big disagreements left (v1.1.1.1) DONE!
... DID Method Registry is done and we refer to other specs in that registry
... some specs are asking to be added to the registry, they are pretty solid
... Test Suite: Non-existant. no progress in 2018.
1.1.1.4 Cryptographic review: still needs more work particularly the proofs and signatures
... in other groups there is discussion
... there was a proof of correctness in another group
Mike Schwartz: Open PRs in the spec
... will those PRs help or hurt?
Manu Sporny: Yes, we probably do need those done, tho your concern is justified
ACTION: prime a discussion on PR changes to DID
Mike Schwartz: Affirms that he will get to it.
Manu Sporny: Let's start in Jan before RWoT
Moses Ma: Q
Chris Webber: Not so much a crypto review, we may need a security review
Lionel Wolberger: It sounds like you're asking for threat modeling? [scribe assist by Manu Sporny]
... e.g. you start trusting the keys from here
ACTION: look at security model (as opposed to just cryptograph) or threat model of DIDs
Moses Ma: Can also call it failure mode analysis.
ACTION: address requests for clarity on correlation and privacy claims of DIDs
Moses Ma: We need to game out how to a phishing organization might game the system.
Lionel Wolberger: Might include in that correlatability and privacy violations.
What would you phish?
Moses Ma: Thrreat model, a phishing company, could they pose as a valid DID service?
Chris Webber: DID resolver services would not be the right model
Heather Vescent: Are you suggesting a kind of pentesting?
Ryan Grant: Done threat modelling, and is including more DID things there
... happy to collect threat model questions
Lionel Wolberger: Manu: Echo suggestion for more threat modelling +1
... have not red teamed these systems.
Mike Lodder: DREAD or STRIDE?
... surfacing this work (which seems to be going on inside corporations)
... Veres One volunteers for a pen test, dread, strident
Jarlath O'Carroll: RE: earlier discussion (couldn't respond earlier) - if you need someone to review spec/doc over the Holidays from a somewhat lay person's perspective, then I'm happy to do so ... if so, please let me know the details
... ecosystem red teaming, ecosystem threat models, would be essential to being thought leaders
... We were criticized for allowing different key formats
... this came from people experienced in jot work
... based on seeing Evernym Sovrin Ethereum Bitcoin RChain Veres One
Mike Lodder: +1 To COSE
... feels like COSE expressions of key formats would be compact, fit into JSON LD
... CBOR Object Signing and Encryption (COSE) protocol...
Chris Webber: Have spoken with Brave, we opened the door.
... The variety on the keys might be here because we are a multi-party system
... multiple choices enable things like "I have a Sovrin key and you have a Veres One key"
... the same keys can be registered on both systems
Dan Burnett: This is the crux of the "Interop" question we heard at the workshop
... that can be secure
... Interop comes up BECAUSE we chose not to stipulate one DID for all
Samantha Mathews Chase: Interop has to be incentivized.
Moses Ma: Revenue models brainstorming-- DID Business Models does sound better
Samantha Mathews Chase: No DID anything it's not a business
... will share a link to the great work in the brainstorming (DM to get that from Moses)
Samantha Mathews Chase: It's a standard that opens doors for new markets
... follow-up in January , invited ____ <<-- name?
Sam Smith: Interop
Happy holidays everyone ... see you in 2019!
... this index will work somewhat like the internet archive
... will each entity help pay for sustaining the interoperability?
Moses Ma: Let me know if you want the recording link for the DID monetization/business model brainstorming call.
Chris Webber: No discussion at that level
... they do each charge something
Sam Smith: I suggest this approach
... setting sustainable costing would be helpful
Chris Webber: We can add that to agendas next year
Agenda: Plus and Delta
... no time for audio
... put into IRC highlights (BIG PLUS)
Heather Vescent: Could we do a survey, where people could submit appreciative and critical feedback anon?
... or changes you would like to see
Lionel Wolberger: +1 To survey !
Manu Sporny: Plus - we doubled the size of the community and met tons of new great people as a result!
Joe Andrieu: @Sam it might be worth checking out the Veres One financial model. The net net is that each method advocate has their own business questions to answer
Heather Vescent: Plus can then send to the list.
Heather Vescent: I will volunteer to create/run the survey
Heather Vescent: I am the data/researcher master. ;-)
Samantha Mathews Chase: +1 For survey
Heather Vescent: My pleasure
Lionel Wolberger: +1 Chairs run clear meetings, with clear agenda, goals, rules of engagement
Samantha Mathews Chase: Thanks Heather!!
Joe Andrieu: That's a wrap for 2018!!! Thanks, Everyone!
Dan Burnett: Good job, Chairs!
+100 To the thanks for the chairs
Ditto
Samantha Mathews Chase: You guys have really been a highlight in my year!
Moses Ma: Happy holidays!
Samantha Mathews Chase: Thanks
Manu Sporny: +1 Hooray for Chairs!