Credentials CG Telecon

Minutes for 2020-06-02

Topic: Introductions and reintroductions

Kim Hamilton Duffy: Jorge del Prado, DIACC
Kim Hamilton Duffy: Don Waugh of DIACC
Kim Hamilton Duffy: Andrew Johnston DIACC Two Keys
Kim Hamilton Duffy: David Mason Gov of Canada

Topic: Announcements & Reminders

Martin Kuo from Peoples Group, Member of DIACC (from Canada)

Topic: Progress on Action Items

Manu Sporny: +1 To close W3C DVCG
Wayne Vaughn: Pick a screen sharing solution issue:

Topic: Chair Election

Brent Zundel: Is it a vote per ccg member, or per member organization?
Christopher Allen: We have asked Orie, identitywoman and Dan to help tally the results, which will be announced at the next meeting.
Kaliya Young: Yes
Orie Steele: I'd prefer not to
Joe Andrieu: Do we have confirmation from all three that they will help?
Christopher Allen: Orie are you on board?
Chris Winczewski: I volunteer to count.
Joe Andrieu: We also have to figure out what email alias we are using, then we'll send it out by announcement
Brent Zundel: Is it a vote per CCG member, or per member organization?
Kim Hamilton Duffy: I thought per member, Joe, Christopher, is that right?
Christopher Allen: My understanding is it's per member (do you show up in the members list?)
Manu Sporny: Wait, per CCG member (individual) or per CCG member company (individuals and per company)
Kim Hamilton Duffy: On the W3C CCG site, there's a list of people who have officially signed up
Joe Andrieu: You have to have been a member at the time of the announcement
Heather Vescent: Just wanted to get clarity on the date that people had to join by. You guys haven't stated that date.
Heather Vescent: There are also people who follow this.. Do people have to join when the election was announced.
Joe Andrieu: May 12 was the date of the announcement
Heather Vescent: There might be people who want to participate who were less interested in participating prior to knowing that an election would be possible.
Kim Hamilton Duffy: Were we clear at the time that there would be a cut off date?
Heather Vescent: I never heard any explicit date until today.. We want the right people to vote, but there was not awareness that there was going to be an opportunity to have a vote.
Heather Vescent: We didn't know what election protocol to follow, we don't want to cut off people's ability to participate
Heather Vescent: I do think there's a question in my mind since I didn't hear a particular cut off date until now.
Manu Sporny: Agree with heathervescent, I was not aware there was going to be a cut off date.
Manu Sporny: We should point to a place with a public record of a cut off date.
Manu Sporny: I wanted to clarify, who can vote? Is this an individual based vote, or a company based vote?
Manu Sporny: E.g. Digital Bazaar has multiple people come to the meeting. I feel uncomfortable having an individual based vote, given the size of some companies.
Manu Sporny: It should be one member - one vote. As an individual you get one vote. As a large company you also get one vote. This makes it a community group.
Kim Hamilton Duffy: Manu I get your point, but if you look at actual people who are registered, there are not too many people per company
Joe Andrieu: Regarding the posted record, this link was the follow-up to the announcement made on May 12th
Joe Andrieu: So if you were not a member on May 12th, you don't get to vote
Manu Sporny: "Nominations and voting are open to all current CCG members as of the election announcement on Tuesday, May 12."
Manu Sporny: That is clear
Manu Sporny: Crystal clear - great.
Dan Burnett: Yep, clear
Joe Andrieu: The question is, who is a "member of the CCG" (as opposed to "member of W3C")
Heather Vescent: OK, that is clear. Thank you.
Dan Burnett: I think it's clear, based on what Joe just said.
Christopher Allen: +Q
Kim Hamilton Duffy: Do we still have a question individuals vs. member companies?
Dan Burnett: Manu is right, I have personally witnessed "room packing". There is potentially a risk, but announcement of a date was a good thing, this makes people show up.
Manu Sporny: +1 To what burn is saying right now.
Dan Burnett: That's when you have to wonder about people and their motivations. As a group we can look at it, and if it looks like crazy overwhelming votes by one company, we can do something about it. Normally, we only have 2-3 per company, and in this case usually they all contribute.
Christopher Allen: I wanted to be clear that the chairs get a list of all changes as people join and leave. There have only been 5 or 6 changes since May 12th, i.e. a small group of people who are not eligible.
Christopher Allen: We will send this list to the talliers.
Christopher Allen: If you are listed as a member you can vote. It's an individual vote, not a corporate vote.
Christopher Allen: We can change the charter if necessary, but I don't see a need for that right now.

Topic: SVIP Interoperability Plug Fest

Kim Hamilton Duffy: This was sponsored by DHS, we have Anil_John on this call as well as participating companies
Anil John: I'm happy for participants to report, then I can add some comments from the government side.
Manu Sporny: To give background on DHS Silicon Valley Innovation Program (SVIP), this is a program in the US that creates contracts between companies working on technologies that are helpful to DHS
Anil John: I also sent an overview deck on SVIP and the work that we have been doing in this space to the CCG list as an FYI
Anil John: Just sent
Manu Sporny: This particular set of companies are building and deploying DID and VC technologies, the vast majority are active participants in this CCG.
Manu Sporny: One of the things the program is trying to do is ensure that there are good open standards in place for the technologies we are creating.
Manu Sporny: The desire is to prevent vendor lock-in, to demonstrate that there is real interoperability (not just companies pretending it)
Manu Sporny: This is open to companies outside the U.S.
Manu Sporny: Typically such programs are limited to only E.U, or only U.S., etc.
Manu Sporny: This is novel since it accepts anyone in the world working on DIDs, VCs.
Manu Sporny: One thing that we had to do was demonstrate interoperability between the systems we are deploying
Manu Sporny: There were a number of use cases, such as Permanent Residence Cards, and supply chain use cases around steel and timber imports
Manu Sporny: These are real use cases, real governments involved, real technologies built out to achieve these use cases
Manu Sporny: The common underpinning thing was we are all using DIDs, VCs, all conceived by this community group.
Manu Sporny: At the very end of it, we had to demonstrate interop, we had to show e.g. one company issuing a VC, another company picking it up with their wallet, and presenting the VC to a verifier built by yet another company.
Manu Sporny: This meant interop between different DID methods, resolvers, CHAPI, encrypted data vaults, etc.
Manu Sporny: Anyone else from the cohort want to add anything?
Joe Andrieu: (Anil's email)
Anil John: I sent an email describing the program
Anil John: This had interoperability using seven different platforms, using the baseline of the standards that have been incubated and championed
Anil John: This is not software monoculture, this is real multi-party interop
Anil John: Anybody who makes an argument that this is impossible and we can't do it.. We demonstrated that it's possible. Doesn't mean that there isn't more work that needs to be done.
Orie Steele: I wanted to say thank you to Anil_John and the other SVIP companies. This work has been really really helpful in demonstrating technical interoperability.
Orie Steele: This is not done, the test case repositories will continue to be maintained
Orie Steele: Even if you are not part of the SVIP cohort companies, this is open to all of CCG, and anyone is welcome to contribute
Jonathan Holt: I'm concerned about a hard constraint on JSON-LD. We have other formats such as CBOR
Jonathan Holt: Is there a plan for other interoperability to expand the proof testing?
Anil John: From our perspective, our focus continues to be on JSON-LD.
Anil John: We have companies in this cohort that in addition to supporting JSON-LD, they also support other mechanisms
Anil John: They want to support across the broader ecosystem. We require JSON-LD but don't stop others from supporting other technologies
Orie Steele: Jonathan_holt I'm trying to support JWTs... but unfortunately the VC Data Model was overly inspecific regarding their interactions with controllers / DIDs... I think we will see some interoperability tests for them eventually.
Markus Sabadello: What we've done in this program isn't limited to the program itself. One of the requirements was that what we did had to be contributed to CCG and opened up to wider discussion. [scribe assist by Manu Sporny]
Markus Sabadello: The work will continue there - that's been really valuable, not only was the program for implementing the government use cases, but it's strengthened the community as a whole. That's the most important/interesting part for me. [scribe assist by Manu Sporny]
Kim Hamilton Duffy: Anil, I'm going to turn over to you at 10 minutes before the hour. That will give you a few minutes to talk plus a few more for Q&A. Sound ok?
Orie Steele: Regarding CBOR and JSON DID Documents... there are currently 0 did documents that are expressed as only JSON or CBOR, AFAIK... so one major reason not to focus on them... is that they are even more experimental than JSON-LD DID Document representations.
Anil John: The intent of us being public about this, sharing lessons learned, making test suite publicly available... We want to feed back into the community what worked and what didn't work, to improve the standardization process.
Manu Sporny: I wanted to explain what we thought would be easy but ended up being very challenging.
Manu Sporny: As Anil_John pointed out, when you have a real use case, and you have to implement the use case AND do interop, you find things you didn't anticipate
Manu Sporny: E.g. the VC specifications have a test suite, it was implemented, everybody passed. But when we started issuing and consuming VCs, some things didn't line up
Manu Sporny: In the VC work, we were not working on APIs, so we only started working on that during SVIP.
Manu Sporny: We thought those APIs would be simple, but they turned out to be very difficult. Systems that need to interop must have such APIs.
Orie Steele: The IPID DID method is built on dagCBOR and I am supporting 3 other implementers. [scribe assist by Jonathan Holt]
Manu Sporny: It took us multiple months for the organizations to collaborate on this, we had multiple calls about the design of those APIs.. Even after we locked down the spec, we needed to tweak things in order to get interop working
Manu Sporny: We (Digital Bazaar) thought this would eat up 10%-15% of our time, but it was more like 40%-50% of our time.
Orie Steele: Jonathan_holt can you link the repos for dagCBOR here?
Manu Sporny: The good news is that at the end of the day, this helped us hammer through issues.. Because of that, we were ultimately able to demonstrate interop between different companies
Manu Sporny: We were able to push things beyond just the lowest layer (the W3C VC test suite), and have higher-level tests for real interop
Orie Steele: [scribe assist by Jonathan Holt]
Kim Hamilton Duffy: It would be interesting to understand a bit more the kinds of challenges you ran into, maybe a few examples.. This could inform future standardization efforts
Kim Hamilton Duffy: What can we learn from this going forward
Anil John: Just a couple of quick points.. The work is by no means done. We demonstrated a foundation level of interop
Anil John: Because of Covid19 we were not able to do actual testing, only demos
Anil John: In the future we expect to increase actual testing
Anil John: Two areas I am worried about from our organization:
Anil John: We are the only global authoritative issuer of a U.S. Permanent Residence Card. One of the questions that had a lot of discussion is, will you accept a DID that is coming to you, or are you expected to issue a DID for the subject?
Anil John: We are concerned that all DID issuance infrastructure is not the same, wallets are not the same, security characteristics are widely unknown.
Anil John: We expect to whitelist a set of DIDs and wallets we will accept. The criteria we will use for that is completely undefined.
Anil John: In the absence of a broader ecosystem, we plan to brute force this. In Phase 3, red teams will investigate the solutions
Kaliya Young: "Tech friends: I think now is a good time to submit PRs to systems you work on that replace terminology like whitelist/blacklist with alternatives like allowlist/denylist. Besides not having any racial overtones, they are clearer to non-native English speakers too."
Anil John: That brute force mechanism is what I am using in the absence of something more rigorous in the community
Anil John: The second piece of it is:
Anil John: We need to pay a whole lot more attention to the user experience of wallets. In my own head, we have the ability to do challenges and prizes. Would this be useful to make the technology available to more people?
Anil John: I'm giving a lot of thought to this to move forward
Kaliya Young: Allow listing is a better term :)
Ryan Grant: My question is, what is the timeframe for determining whitelisting criteria for wallets, and where will DHS store the whitelist?
Kaliya Young: Let's deprogram problematic language
Anil John: I don't know the criteria yet. The companies are now moving into Phase 2, and there will be red teams in Phase 3.
Anil John: We're going to have to develop a set of criteria, then verify it at least for the companies that are under contract with us.
Jonathan Holt: I wrote a post about wallet portability
Anil John: That blog post is my personal opinion, not the opinion of the government
Anil John: In the interop event, we demonstrated multiple wallet providers being able to interop with multiple issuers and multiple verifiers.
Kim Hamilton Duffy: Thanks for joining