... I'll lead off with a public apology to Orie Steele from Transmute. Orie, with all good intentions on an email thread, made a recommendation that we should consolidate the various SVIP artifacts, under a particular repo
... I might have come across as prickly towards that, apologies
... about Interoperability Testing -- to that end, I've had one-on-one conversations with multiple entities
... for example, Drummond from ToIP, others,
... we think there's an opportunity to bring people together who want to do interop, to define a set of scenarios, that can expand the scope for what the SVIP cohort is working on
... targeting for Fri, Oct 30th
... in general, I'd love to work with CCG leadership, to make sure conversation stays on the rails, etc.
Heather Vescent: Anil, thank you so much, we appreciate your support to the community ✪
Manu Sporny: A while ago, end of 2019, as a part of DHS SVIP, there was a set of usecases around Permanent Resident cards ✪
Juan Caballero: Quick note in case it was ambiguous or unclear in Wayne's email: the Product Managers' group at DIF is non-IPR protected, completely open to nonmembers. ✪
... that the cohort worked on. Part of that work required us to define effectively a vocabulary (in the Comp Sci sense)
... contexts/definitions.
... we did that with the assumption that we'd take it to standards track, once it had vetting/interop testing
Anil John: As an FYI, we had the option of leveraging somethign unique to US context, or leverage a broader Citizenship vocab ... We chose the latter. ✪
... it went through testing / SVIP approval. and now we're submitting it to the W3C CCG,
... to take it to the next step towards global standardization
... the goal with the vocabulary is for it to be non-US-centric
... to be applicable globally
... so we'd like feedback from the community
... next step is to see if the group wants to adopt it as work item
Tim Bouma: I want to emphasize what Anil was saying. In Canada, we're looking closely to the CCG and Interop Suite, ✪
... one is to Anil / Tim. the other side is the technical characteristics
... for those that are not aware, JSON-LD is a fully internationalized standard. At its core, it supports multiple languages
... at two levels. One, in the data itself - the data is capable of expressing multiple languages
... so like, you can specify the Permanent Resident Card label in multiple languages
... the other part is not used very much, but it also supports it at the programming level as well
... if you have a programmer that codes natively in Spanish, it's possible to create JSON-LD contexts where all the properties are in Spanish, and there's lossless conversion to other languages etc
... so, there has been a lot of thought put in towards i18n in JSON-LD; it's baked in on the tech level
... so the question is - do other organizations want to use that mechanism
... might be useful in Canada which has multilingual requirements
Jim_St.Clair: thanks, want to applaud the vocab effort ✪
... and to keep the payload issue separate, since that varies so much
... we've done quite a bit of stuff on permanent resident cards
Heather Vescent: Question for Manu and other folks on this work item: What are your plans to make this a diverse and inclusive Work Item? ✪
... background: we're exploring having additional Diversity Requirements for new CCG work items
... that enable folks of different skillsets/background/biases to participate
... I don't think we're going to force this particular work item, but just going forward, we'll be adding this structure
... so, just wanted to start the conversation
Manu Sporny: At a high level - one of the reasons that we're bringing it to the CCG is to give it more input from people ✪
... so, the first level is bringing it to the CCG in the first place (to start the conversation). Which means, anyone on the planet can join the CCG, can have an opinion on the spec
... clearly that's not enough, wrt diversity / inclusion initiatives
... there has been discussion (and this is just on my personal behalf) - we're going out and talking with folks that are Permanent Residents who may be affected by this tech
... we have a deep desire to engage from a diversity and inclusion perspective. And this is where we need help from the community
... so, we very much welcome input
... I'll stop there
... this is first step, we want to take it to the next level, etc.
Heather Vescent: Thanks manu, you're definitely a forward thinker in the community on this, based on the work I've done with you on RWoT ✪
Anil John: Quick point - manu is not speaking for DHS SVIP, I am - the reason we are going through the CCG ✪
... is specifically to lower the barrier for global participation
... we have requirements for the companies working on this topic that they have to engage globally, publicly, through the CCG
... that's part of their contract with us
... and we very much want to get feedback on the work as broadly and inclusively as possible
... and we'd appreciate help / pointers from folks with difference viewpoints
Heather Vescent: Thanks Anil! Any other questions on this item? ✪
... topic: Dave Birch's presentation
... I've known Dave for almost 10 years
... I've learned so many things about digital identity from Dave, he's always got the most provocative and witty and interesting viewpoints
... he's written different books on Digital Identity and data. also been looking at IoT stuff as well
... also, he's challenged my thinking about the benefits of using SSI
... and it's always good to see different perspectives / pushback on things
Dgwbirch: Heather, thank you for the kind intro. ✪
... I want to talk about Identity, but make a slightly different point about it
... when people talk about Identity, they use usecases like logging into your bank, or buying a drink under 18 in California
... those are easy, to come up with usecases for obvious situation like that
... instead, I'd like to talk about what I'm calling The Stress Test for digital identity
... here are 4 stress tests we can apply to identity schemes
... basically, we need multiple actual root identities
... if you're a spy, how does a government give you a new identity?
... (and how do spies work in the future, anyways - a very changed landscape)
... you need things like convincing LinkedIn Profile (much harder to forge than a passport)
... then there's biometrics
... how far can James Bond get in Shanghai, if the traffic cameras pick him up walking down the street
... a generic example of this is Witness Protection
... a state wants to delete a certain identity for a person, and give them a new one
... so, you can't get away with just a single uniqueness register
... My second example is - Whistleblowing
... (img a newsroom full of reporters / newshounds)
... so how do you do Whistleblowing, with these identity schemes? it's complicated
... for example, I'm a nurse in the hospital, and need to report the surgeon (being on ketamine).
... but me being a nurse at the hospital is /essential/ to the report. (it's meaningless otherwise)
... on the other hand, if I have to disclose that I'm a nurse, I won't make the report in the first place
... so, how do I make a report, as a whistleblower, if a report needs to have weight and reputation?
... there was a good example in the papers a few weeks ago. a journalist who's been writing stories, and then one of these stories had some kind of anomaly
... and it turned out - it wasn't a real person.
... they claimed to be a student writing for a university. But they didn't exist at all
... and the newspaper said they tried to check their identity, but couldn't for some reason
... a friend of mine went on a holiday to Egypt, and got very sick
... so sick that her and her boyfriend were confined to the hotel
... they called down to the desk, explained how ill they were, hotel said they'd contact somebody
... somebody came along, examined them
... said there's no real recourse but a saline and sugar drip
... when they got back, they claimed the invoice from the examination on their health insurance
... and the insurance co refused to pay - the person treating them had no credentials
... so, we need to have a mechanism for presenting credentials (as you all know), without presenting identity
... so my second stress test is - can you disclose a credential with an unbreakable connection?
... now, you guys know how to do this, using cryptography
... but trying to explain this to regular people, who think of index cards and plastic drivers licenses, is difficult
... the third example is Wellness.
... we tend to have a lot of discussion on privacy and security. But to what extent is privacy absolute?
... what if something goes wrong, is there a way to smash the glass / override?
... say you're a 19 year old graduate at MIT, that sort of absolute privacy setup might sound good to you
... but we live in a society. For example, in the UK, they unveiled a Covid 19 tracing system
... if I've given someone Covid, should I be forced to disclose it to them?
... what if I discover that someone's been spreading the virus to hundreds of people - should I be able to report?
... so, identity schemes need conditional (not absolute) anonymity,
... with consent from everyone involved
... we need to spend more time thinking about emergent / systemic properties of identity
... so, if somebody comes up with an idea for an identity scheme, how does it work in a society, not just for individuals?
... the fourth example is Adult Services, which I'm using as a catch-all examples
... it's about Partitioning
... you're familiar with this, but many people in the conversation aren't
... I need to be conditionally anonymous. But I also need to have a partitioned identity
... say I've got a blinded key to demonstrate a credential. Every time I go somewhere and use that key, I can be linked. So, I don't want to use a key / the same identity everywhere
... I need partitions / personas / profiles.
... work, play, facebook, etc.
... take the Belgian phone id, "it's me".
... but 99% of uses on the internet, it should be "it's NOT me", since it's nobody's business
... knowing who you are is the exception, not run of the mill
... so, how will the reputation economy function with this sort of partitioning?
... also, remember, you need to be able to pass money around between these partitioned identities
... so that gives me my 4 Stress Tests
... the question is - is it at least plausible to hypothesize structures that can pass those tests?
... I think yes, but I'd like your feedback (on the tests themselves)
... here's some thoughts on what a solution might look like
... on the first point, about delegation and agency - yes, I've been looking at that, especially in context of IoT
... for example, how do I tell an entrance gate at a car park, that it's my car?
... say if somebody else is driving
... but, excellent point in general
... about Authn vs Authz - in my thinking, the issue of AUthentication is about the /digital/ identity (do you have control of this key)
... whereas Authorization is about the use of credentials (/capabilities)
... so, I've got my key or identifier, bound to credentials. Sometimes, mere possession is enough. Sometimes, will require authentication (proof of possession of a private key)
... so, I definitely see those two things as separate, but I get how they're linked in practical use
Manu Sporny: Thank you Dave, this has been a fantastic presentation ✪
... if you were to look more deeply into the work from this group, we're implementing a lot of things highlighted in your deck
... so, you can use us to point to, as a group implementing a subset of those items
... question for you is - what can we do, to get more of your time? You have a very interesting view of the ecosystem
... the community would benefit in implementing the things you're talking about. (Plus, you talk about them very saliently.)
Jonathan Holt: Those usecases are very enlightening, thank you ✪
... in polite company, we talk about them in the order you gave them.
... but really, it's in reverse order, in terms of priority
... I'm reminded about Tim Berners-Lee's comments about porn driving so much of web technology
... payments, encryption, so many things
... as a doctor (I'm a physician), everyone's asking about Covid credentials
... and I think they're a terrible idea
Dgwbirch: I just came from a webinar with Tech UK, and there was a q&a session about this. The gov't here passed a law that required mandatory age verification for adult services. ✪
... several companies here in the UK spent lots of money spending a solution for that. And, a lot of us thought it would serve as a springboard
... at the last minute, the government decided not to do it. (resulted in several court cases)
... but I agree, we need to have grown-up adult conversations about this! would be a big step forward
... it's a great reason for the population to enhance privacy-enhancing digital credentials