The W3C Credentials Community Group

Verifiable Claims and Digital Verification

Credentials CG Telecon

Minutes for 2020-05-19

Kaliya Young is scribing.
Kaliya Young: Introduction & Reintroductions
I'm Alan from Accredible

Topic: Introductions & Reintroductions

Manu Sporny: Welcome Alan! Glad to see you here! :)
Thanks for the warm welcome
Manu Sporny: Welcome Adam, thanks for joining us! :)
Christopher Allen: Introducing himself from Credible - digital credentialing company [scribe assist by Kaliya Young]
Kaliya Young: Sorry that was Adam talking
Adam Lemmon: Thanks Manu!
Kaliya Young: @Kimhd: head of the digital identity consortium rebuilding educational credentials based on VCs and DIDs - many folks from educational call are joining this call too.
Kim Hamilton Duffy: VC-EDU task force https://w3c-ccg.github.io/vc-ed/

Topic: Announcements & Reminders

Dmitri Zagidulin: Wait, that was 1pm Eastern
Kaliya Young: @Identitywoman: presenting tomorrow at Festival of identity about book Domains of identity - https://www.anthempress.com/the-domains-of-identity-pb
Manu Sporny: Secure Data Storage WG calls: https://zoom.us/j/884468271
Manu Sporny: SDS WG calls happen 4pm ET on Thursdays
Manu Sporny: (And may be rescheduled soon)
Kaliya Young: @Orie: as far as I understand the only thing that is remaining is to announce on the website it is closed - and then following W3C procedures.
Kaliya Young: @Orie: the GitHub Pages preview is the last thing to be shut down.
Orie Steele: Repo has notice that the group is closed: https://github.com/w3c-dvcg/w3c-dvcg.github.io
Orie Steele: Website has notice: https://w3c-dvcg.github.io/
Kaliya Young: @Dan: Manu and I talked about an outline of a proposal. Main question is where do you want that process to live.
Orie Steele: Remaining item is just to formally close the wg with w3c.
Kaliya Young: @Joe: where do we put it?
Kaliya Young: @Chris: fine with it being in regular registration part of the document
Kaliya Young: @Joe: we invited Jonathan Holt to give us a report out.
Kaliya Young: @Jonathan: CMIO - chief medical informatics officer. Started the company March 1. On stage. HIMS..before Trump.
Kaliya Young: @Jonathan: the hackathon was my idea of an alternative because well we couldn't go to HIMS... I love hackathons.
Kaliya Young: @Jonathan: we have 400 participants from 70 countries we had 60+ mentors 40+ projects finalized and announced winners yesterday. Wanted the mindset of digging in to solve problem (vs passive bystanders).
Kaliya Young: @Jonathan: we had 3rd place winner - pandemic reserves for pandemics. They used smart contracts.
Kaliya Young: @Jonathan: we didn't limit folks to Ethereum and wanted to show interoperability
Kaliya Young: @Jonathan: 3D supply chain management - modeled the roles of all the players in the system, and get a system running
Kaliya Young: @Jonathan: Dplazma one - they used verifiable credentials around plasma in the crisis. You can donate your plasma. Blood typing and privacy preserving.
Kaliya Young: @Jonathan: deep in the weeds on VCs and maybe was hard on the projects that used them because of that.
Kaliya Young: @Jonathan: information - validated and secure,
Kaliya Young: Jonathan: ears on the ground
Kaliya Young: @Jonathan: data is the medicine we need
Kaliya Young: So many buzzwords.
Kaliya Young: @Jonathan: Resilience in the crisis.
Kaliya Young: @Jonathan: reimagine new normal
Kaliya Young: @Jonathan: Vitalik and Joe Lubin. HHS head. Brian Behlendorf.
Kaliya Young: Jonathan: very successful.
Kaliya Young: @Kimhd: mentioned one aspect was privacy preserving can you share details.
Kaliya Young: @Jonathan - ZKPs in the plasma - offer and accept in the smart contract - including blood type - just pointer to DID on chain. What was in the contract was the DID.
Kaliya Young: @Joe: main event today update on CHAPI
Kaliya Young: @Joe: and newly VP request spec.
Kaliya Young: @Chris: next week will be a town hall to talk to any of the candidates.
Kaliya Young: @Joe: there are three seats available. 2,3 years.
Juan Caballero: Very cool @Jonathan_holt! Not seeing a writeup of the prize-winning teams on the website, is that forthcoming? V curious about the plasma project (having recently watched that movie)
Kaliya Young: @Manu: will start and along with Dmitri & Dave Longley
Kaliya Young: @Manu: there is a slide deck
Kaliya Young: @Manu: CHAPI became a work item several years ago and then VCrequest just became a work item.
Dave Longley: S/VCrequest/VP Request/
Kaliya Young: @Manu: we were going to do a demo today might not have time - may schedule another time.
Kaliya Young: @Manu: basics of credential handler API.
Kaliya Young: @Manu: slide 2 what we are talking about here how it fits into the ecosystem.
Kaliya Young: @Manu: this should look familiar - issuer, holder, verifier.
Kaliya Young: @Manu: Verifiers request VCs as presentations.
Kaliya Young: @Manu: CHAPI and DIDComm are about how to get data from point a to b it is about getting data around between different roles in the ecosystem.
Kaliya Young: Slide 3: expand those arrows and show what is going on inside those arrows - these are really request response cycles - send request to the other role. CHAPI is dumb pipe between these roles - communication challenges that these request and responses flow over. Fundamentally this is all it is.
Manu Sporny: Way to get the data between these roles. [scribe assist by Kaliya Young]
Kaliya Young: @Manu: next is more of the details, in slide 4. Highlights how CHAPI really works and why we need it as a transport mechanism. They think in terms of the web browser and HTTP. That is one way of getting data around the web. That is not the only way. CHAPI does use HTTP. It uses another mechanism that not a lot of people know about that exists in web browsers. It is important to understand the security model for web browser - every tab has a s[CUT]
Manu Sporny: One tab can't talk to the other. By default the tab open to Yelp can talk to the tab you have open in Gmail this is how to keep data safe in web browser. The red dotted lines - think of those as the firewall around your browser tabs. They can talk to apps on your desktop or mobile phones. There is a link that is a mailto link - when you click that you will open it in an e-mail application (other examples, map app, Uber app - deep linking). [scribe assist by Kaliya Young]
Manu Sporny: Can ping an app and ask it to open. The big problem that needs to be solved - how do you get an issuer to talk to a digital wallet, or how do you get a digital wallet to talk to a verifier. That is where CHAPI comes in - it uses tricks in the browser. [scribe assist by Kaliya Young]
Juan Caballero: Illusions, michael!
Kaliya Young: @Manu: this slide is really important (4) so I want to spend time on it, and things not obvious to the non-browser-literate. Website A and application A - the website gives you HTML and JavaScript. It executes as a "web app" within your web browser - it is executing ON your machine. Two things to take away from this. The web apps themselves are firewalled from each other. The website gives software to your web browser to run. The website is [CUT]
Manu Sporny: Dave did I cover everything you wanted me to cover? [scribe assist by Kaliya Young]
Kaliya Young: @Dave: to run a web application you download HTML & JavaScript to run in your browser - CHAPI is a feature you add to your browser to handle request for VCs and other types of data. Instead of having the web servers between you and your digital wallet - this helps them maintain state in those applications. You don't lose the state of the site. This also enables the browser to present multiple choices for multiple wallets.
Kaliya Young: @Dave: CHAPI mediator piece lets you pick the digital wallet you want to mediate that request. CHAPI just passes through the request to the digital wallet to parse that response.
Manu Sporny: Video of what CHAPI looks like in practice: https://www.youtube.com/watch?v=bm3XBPB4cFY
Dan Burnett: I think Jonathan is asking where CHAPI info is stored in the browser between sites/apps
Manu Sporny: Without a demo this feels pretty abstract [scribe assist by Kaliya Young]
Manu Sporny: Video is almost three years old - things have come a long way. [scribe assist by Kaliya Young]
Jonathan Holt: Yeah, how do you pass "state"?
Manu Sporny: The chapi mediator on slide 4 new thing happens - works across every major browser. [scribe assist by Kaliya Young]
Dmitri Zagidulin: Jonathan - I can address the question about state when we talk about the VP Request spec
Manu Sporny: Just available to 2.4 billion people - they don't have to install a digital wallet - raw diffusion into populace. It forwards request on - presentation request response router. [scribe assist by Kaliya Young]
Kaliya Young: @Manu: so that is the architecture.
Kaliya Young: @Manu: CHAPI is a dumb pipe that is QR code - multiple other things can move along CHAPI - VC request and response. DIDComm messages could move over CHAPI. It is a low transport layer thing, something that is really important for us to deploy for everyone to have web-based wallets.
Kaliya Young: @Manu: question about privacy - CHAPI doesn't have an opinion - other people do have an opinion - this is why we have secure data stores - key value store is on your machine that you decrypt on your device - privacy implications on the layers above CHAPI.
Kaliya Young: @Manu: VC request spec on slide 6
Kaliya Young: @Dmitri: if chapi is a dumb pipe and only has two function calls. To get a store. CHAPI is that protocol - what are you getting and what do you store - when an app is requesting..
Kaliya Young: @Dmitri: slide 7 this is just the data model
Kaliya Young: @Dmitri: can be serialized to a URL so pass around to mobile applications any number of transport mechanisms. In the browser.
Kaliya Young: @Dmitri: we are going to talk about in - what is the thing in bold -
Kaliya Young: @Dmitri: on slide 9
Kaliya Young: @Dmitri: what do these queries actually look like - query property (Slide 10)
Kaliya Young: @Dmitri: passing one or more queries - + recipient view - specifying key agreements to encrypt queries and results coming back.
Dmitri Zagidulin: The only thing that these queries are requesting are verifiable presentation in response to some kind of challenge from the web application. one more queries [scribe assist by Kaliya Young]
Adrian Hope-Bailie: What is the relationship between this format and the transactional authorization data model [scribe assist by Kaliya Young]
Juan Caballero: +1
Kaliya Young: @Dmitri: - nothing yet - cause in dialogue with Justin Richer
Dave Longley: Note: When a digital wallet responds to a VP query, it does so with a VerifiablePresentation, and that VP will include the requested information (e.g., VCs) and an authentication proof to demonstrate control, for example, over a DID -- this authentication proof must include the challenge sent by the requester.
Kaliya Young: @Dmitri: slide 11 on one of those queries on that list of queries. One of the common type of query is a query by example. MongoDB or CouchDB or one of those types of mechanisms. Pass a template in the database. Query by example type.
Kaliya Young: @Dmitri: stating why you are requesting the Verifiable presentation.
Kaliya Young: @Dmitri: you can specify all sorts of things - issuer, particular fields, the wallet does the processing - and returns to you the verifiable presentation that contains the result.
Chris Webber: Special version of the Firefox browser that allows for the use of FIDO keys that allow for use with this? [scribe assist by Kaliya Young]
Dmitri Zagidulin: That was a modified browser to work with web authentication protocol. [scribe assist by Kaliya Young]
Kaliya Young: @Manu: fundamentally waiting for the WebAuthn to interact within the browser - doesn't mean we can't do FIDO2 to login to digital wallet.
Manu Sporny: What that showed was a modified version of Chromium. We were using a digital key to sign it - we can't do that yet. Visa, Mastercard, PayPal need same functionality from WebAuthn for that. [scribe assist by Kaliya Young]
Kaliya Young: @Dave: agreement to add support we need - browsers just have to implement
Dmitri Zagidulin: So, storage API in service workers? [scribe assist by Jonathan Holt]
Kaliya Young: @Chris: where are the keys being generated? how does someone protect:
Kaliya Young: ?
Kaliya Young: @Dmitri: keys are only handed by the server side wallet providers.
Kaliya Young: @Dmitri: you would be using Chapi and VCpresentation request can you sign this or
Kaliya Young: @Chris: always going to ask where the key is stored.
Thanks all
Kaliya Young: @Joe: that is it for this week. next week is town hall June 2 report out on the SVIP interop plug fest.