The W3C Credentials Community Group

Verifiable Claims and Digital Verification

Go Back


Credentials CG Telecon

Minutes for 2021-03-10

Manu Sporny is scribing.
Heather Vescent: A little history of why we're having this meeting. Michael posted link to Solid community news
Heather Vescent: Thought that this could be a good opportunity to hear about each others groups
Heather Vescent: Where we could collaborate, where it might make sense to collaborate -- share what we're doing.
Heather Vescent: Ice breaker -- both groups are working on technologies to work on storage, data privacy, similar goals -- curious of each other, but haven't deeply collaborated yet. There is appetite from CCG on where we could collaborate.

Topic: CCG Intro

Heather Vescent: The goal of this meeting is to give an overview from CCG of lay of the land, later this afternoon, we want to hear from Solid wrt. working together.
Heather Vescent: Agenda for today -- quick intro to CCG, then brief CCG history from Manu, Brent is going to go over DID Core, mprorock Prorock and Orie will talk about Universal Wallet and Encrypted Data Vaults, and Dmitri will cover collaboration - provide ideas/insights on how we can move together.
Heather Vescent: We can go to top of the hour, if there is enough interest, we might go 15 minutes over.
Heather Vescent: Slide 4 - how CCG works... CCG is open to everyone.
Heather Vescent: CCG is a big tent that gathers work from variety of groups... we spin things off into their own official W3C WGs, we also have task forces... Kim runs Education TF, DID Resolution run by Markus, Secure Data Storage join task force w/ DIF and CCG
Heather Vescent: We have a new Infrastructure TF - manages a lot of the operational technology infrastructure of the group, Wayne is in charge of that.
Heather Vescent: One of the things Wayne and I work on as cochairs - we want to work on cross-pollination -- DIF, IEEE, DHS SVIP, IETF -- potential technology partnerships/collaborations -- one of the reasons we're having the call. Solid really fits into the collaboration aspect.
Heather Vescent: We have 422 members, open to all -- slide 7
Heather Vescent: We did a survey last year -- slide 8 -- lots of things happen in CCG early on... when they're being developed, conceptulized -- leadership is current open (one chair position)... other two chairs are Heather and Wayne. I came into role to try to prevent unintended consequences of technology. Wayne focuses on technical operations and wallets.
Heather Vescent: We have work items -- ongoing registries, task forces... and then reports -- commentary notes specifications -- slide 11
Heather Vescent: We have a work item process, propose, adopt, ongoing draft, publication, then close (if applicable)

Topic: CCG History

<dmitriz> scribe+
Manu Sporny: Quick background on CCG history [scribe assist by Dmitri Zagidulin]
<dmitriz> ... it was founded around 2014. Initially, an offshoot of the Web Payments Group
Dmitri Zagidulin is scribing.
... to do credentials, authentication, etc.
... which evolved into Verifiable Credentials. then DIDs
... we started with low stake and high stake credentials
... as the community grew, scope broadened, we started working on things like VCs for Supply Chain,
... VCs for non-person entities (orgs, devices)
... started looking at different type of proofing mechanisms (blockchain-based cryptographic proofs. proof of work, proof of stake, etc)
... that brings us to today
... today, we're looking at things like - Verifiable Credentials version 2.
... the CCG has been successful in setting up this incubating pipeline
... things incubate in here, then go on to W3C working groups, to IETF, etc, to get standardized officially
... so we did JSON-LD, VCs, DIDs
... so next up -- what updates do we need to make to VCs?
... and then where do we store these things? that's the Confidential Storage spec & taskforce, and that's where SOlid comes in
... we're focused on privacy; privacy-preserving and privacy-first
... we try to be careful about tech and its consequences
... wallet protocols, data portability, things like that
... there's a lot of things we could collaborate on, with the Solid community
... we looked at our roadmap, current and upcoming, and this is the list (slide 13)
... these are all the things that might overlap with Solid
... as you can see, there are a LOT of work items here
<bblfish> perhaps if the screen share goes full screen?
... there' json-ld that you're using. also VCs, DIDs, wallets, secure storage, linked data signatures,
A lot of stuff
... apologies for the small text - there's a lot of items to fit :)
... anyways, the details are less important, but the main idea is - we'd definitely like to collaborate
... so this is just a starting list.
<mprorock> if you click on heather's name in the attendee list it sill go fullscreen
... that's it for those slides. back over to Heather
Heather Vescent: Over to Brent -- speak to DID Core? [scribe assist by Manu Sporny]

Topic: Decentralized Identifiers

Brent Zundel: Decentralized Identifiers -- assuming most of you know what they are -- basics are, it's a URI, allows individual to prove cryptographic control of it [scribe assist by Manu Sporny]
Henry Story: Manu did a full hour coverage of the last difficult to read slide in the video linked to here https://twitter.com/bblfish/status/1368897757365288965
Brent Zundel: Born out of need to have some way to identify holder of credential where identifier can't be taken away -- slide 16 [scribe assist by Manu Sporny]
Brent Zundel: Highlighted need -- but not driving force -- lots of use cases for DIDs -- basics are, identifier user controlled, resolvable, cryptographically verifiable, and decentralized [scribe assist by Manu Sporny]
Brent Zundel: Doesn't /require/ a centralized authority, can be used with one, but you may be missing the point if you do it that way. [scribe assist by Manu Sporny]
Brent Zundel: DIDs are not human friendly, but they are better than URL and Email in many cases -- user controlled, resolvable, crypto-verifiable, decentralized, and have a trust model flexibility. [scribe assist by Manu Sporny]
Brent Zundel: DID spec does not define an identity system... DISD are designed to be part of identity systems. DID is a stable identifier, bound to a set of public keys [scribe assist by Manu Sporny]
Brent Zundel: DID Methods enable different trust models -- did:peer - peer-topeer communication of key changes, did:ion keys are backed by crypto-blockchains, did:sov non-profit governance of distributed ledger, did:web relies on DNS. [scribe assist by Manu Sporny]
Brent Zundel: Did:key is the simplest did method, ideal in many use cases -- generative from the did:key:PUBLIC_KEY identifier. [scribe assist by Manu Sporny]
Brent Zundel: DID Resolution -- process of going from a DID to a DID Document -- it's a separate spec from DID Core spec. Resolution is outside scope of DID WG. [scribe assist by Manu Sporny]
Brent Zundel: We have defined interface -- process itself is outside scope of charter. [scribe assist by Manu Sporny]
Brent Zundel: DID Documents contain public keys, service endpoints, authentication options, and other metadata useful in discovery and verification. [scribe assist by Manu Sporny]
Brent Zundel: DID Methods are unique in what they provide. [scribe assist by Manu Sporny]
Brent Zundel: One use of DIDs today -- DIDComm -- DIDs for secure communication. Version 1.0 has been in production since 2018... v2 is under development at DIF. DIDComm can be used w/ any DID Method over any transport, you can use it peer-to-peer -- creates encrypted, authenticated messages asynchronous between many parties. Relies on JOSE stack for a lot of its tech. [scribe assist by Manu Sporny]
Brent Zundel: It ends up working similar to onion routing... slide 23 -- alice sends message to bob... encrypted message wrapped in envelope, sent to mediator, mediator opens envelope -- take contents and send to bob (can't read contents)... bob gets envelope, opens it, sees message, sends it on to bob. [scribe assist by Manu Sporny]
Brent Zundel: Bob's mobile says "I got a note from alice" and can read it. [scribe assist by Manu Sporny]
Brent Zundel: End to end encrypted communication [scribe assist by Manu Sporny]
Brent Zundel: There are challenges in authentication systems... distribution of public keys -- plagued auth systems for a while... DIDs resolve into DID Documents that contain up to date public keys, keys can be rotated even though identifier doesn't change (this is key innovation), keys tied into getting into different services can be tied to same identifier... if I want to stop using single identifier, have option to do so. [scribe assist by Manu Sporny]
Brent Zundel: Status of spec -- incubated in CCG, produced thorough document that we took as our starting point for DID WG -- september 2019 -- we are expecting to go into Candidate Recommendation next week... we voted to transition yesterday, thrilled to be at this point... we want implementations, feedback, want it to be a global standard -- data model, resolution interface, look forward to resolutionprocess being define in future. [scribe assist by Manu Sporny]

Topic: Universal Wallet and Encrypted Data Vaults

<heathervescent> Presenters - we are good on time. Thank you!
Orie Steele: I'm Orie Steele, one of the developers that works on DIDs and VCs and Digital Wallets -- supporting technologies for all of these areas of interest - two specs that we can talk to -- Universal Wallet spec... JSON-LD vocab for things that are stored in a wallet. [scribe assist by Manu Sporny]
Orie Steele: Purpose is to provide data models and abstract interfaces for activities of digital wallets -- Digital Wallets cover a large spcae today... cryptocurrency transactions, digital asset manaagement, identity credentials, supply chain credentials, authorization capabilities, keys for managing digital identity... that specification is being worked on in CCG [scribe assist by Manu Sporny]
Orie Steele: There is sample code implementing spec, React UI to think about this from a visual standpoint [scribe assist by Manu Sporny]
Mike Prorock: One aspect that most interest me, privacy and do it in a secure manner. Second how do we make sure that developers coming into this space to set the stage for them to do this stuff correctly -- both from UI standpoint, UI callback into standardized sets of libraries -- also from interaction from backend perspective. OpenSSL provided gateway to put out HTTPS or exchange keys or do that stuff effectively. [scribe assist by Manu Sporny]
Mike Prorock: How do we leverage this stuff to build systems. Lots of potential for things to improve -- data ultimately has to be stored and ultimately exchanged... this is interesting thing w/ Solid -- you're after similar goals there. Closely related to EDVs -- selective disclosure, etc. [scribe assist by Manu Sporny]
Orie Steele: Thanks mprorock, yes, there are plugins for different DID Methods, EDVs, one part of COnfidential Storage Stew [scribe assist by Manu Sporny]
Orie Steele: Moving on to Confidential Storage specification [scribe assist by Manu Sporny]
Orie Steele: SOme folks in Solid community may be aware of this work, join work item for CCG and DIF -- two primary sources of input -- EDV spec and Identity Hub specification/docs. What we're trying to do here is create a set of specs for confidential storage associated w/ DIDs. [scribe assist by Manu Sporny]
Orie Steele: We have DIDs that have public key material, public keys are good for signatures, but you can also use them for key agreement and encryption -- use key agreement functionality to provide confidential storage service -- client-side encryption content, storage providers can't see your data, can't sell it. [scribe assist by Manu Sporny]
Orie Steele: EDV APIs are very simple... basically encrypted blob storage... not a high frequency database w/ relational thing... just an encrypted blob store with simple indexes. Primary use case for EDVs are wallet backup, key management/recovery -- I think of EDVs as a standards-based password manager database... you don't want service provider to run away with all of your data... not really built for things much beyond that. EDVs might one day be massively [scribe assist by Manu Sporny]
<manu> more scalable -- but just password management wallet recovery/backup is useful enough alone to be compelling.
Orie Steele: Identity Hubs is second aspect of this... Identity Hubs are powerful enough to build Decentralized Twitter from -- Identity Hubs are more complex, vision is much bigger. [scribe assist by Manu Sporny]
(Identity hubs are basically exactly like Solid pods :) )
With an emphasis of replication.
Mike Prorock: +1 Dmitriz
Orie Steele: If you're familiar with Firebase or GunJS - vision for Hub -- IPFS, GunJS, OrbitDB, Semantic Replication of content -- a lot of really cool database technologies that are made to handle use cases that are significantly more complicated rather than static file storage. [scribe assist by Manu Sporny]
Heather Vescent: Thanks Orie -- want to add anything, mprorock? [scribe assist by Manu Sporny]
Mike Prorock: Yes, Hubs are a deep topic -- hit on EDVs primary use case -- area we're exploring, secure exchange of proprietary information -- my day job is machine learning, sets of training data, model outputs from highly proprietary data, have to be exchanged securely if you can't do on premise, this is the area that most interest me for EDVs -- facilitate those use cases and user privacy and protection over their own data. [scribe assist by Manu Sporny]
Heather Vescent: Collaboration -- slide 28 -- all information on how we could engage -- CCG is big tent, links on collaborating are on the slide -- you can get onto mailing list, Github where we do work is here. [scribe assist by Manu Sporny]
Heather Vescent: If you're intersted in any of the ideas, join CCG meeting... Wed at 10am PT, 1pm ET [scribe assist by Manu Sporny]
Heather Vescent: Brent and Dan Burnett run DID WG -- meets Tuesdays 8am PT, 11am ET [scribe assist by Manu Sporny]
Heather Vescent: We also have VC Maintenance WG -- if you have any questions -- Brent, Wayne are cochairs there. [scribe assist by Manu Sporny]

Topic: Collaborating with Solid/CCG

Heather Vescent: Over to Dmitri for ideas on tips/ideas/suggestions [scribe assist by Manu Sporny]
Dmitri Zagidulin: Best first step is to join each others calls -- weekly CCG meeting is a great way to get invovlement. I try to bring Solid voice to CCG community... there is almost 100% overlaps between Solid and CCG work. I want to highlight two of them: DIDs and Confidential Storage. [scribe assist by Manu Sporny]
Dmitri Zagidulin: That link is a solid spec issue about integrating DIDs... involves a picture, easier to talk about -- there is a good fit between Solid WebID and CCG DIDs... either directly as did:web, or maybe as did:key -- DIDs are spiritual successor to WebID -- learned from WebID lessons... they essentially drop in -- Solid could adopt DIDs. [scribe assist by Manu Sporny]
Dmitri Zagidulin: That would enable more technology interop for Solid -- Solid Pods supporting DIDs would be a fairly easy lift. [scribe assist by Manu Sporny]
Dmitri Zagidulin: The other thing would be Confidential Storage group -- it's all about storage, of direct interest to Solid community -- confidential storage -- EDVs narrow scope -- direct drop in backend for Solid LDP containers... once Solid has key material that enable encryption/authorization, EDVs are an easy drop in. [scribe assist by Manu Sporny]
Dmitri Zagidulin: Hubs are more or less Solid Pods -- Hubs have a bit more emphasis on replication, Solid Pods have a bit more focus on Linekd Data / RDF -- both are high level personal data servers that provide querying, authn, inboxes, notifications -- everything that you need to build decentralized apps -- area where Solid is 2-5 ahead of the conversation while the CCG has been focusing on lower-level encryption/signing/identifiers, Solid has been racing ahead [scribe assist by Manu Sporny]
<manu> and saying, "Once we have that in place, what will we need"
Justin Bingham: +1 - Totally agree on those focus points
<justinwb> for collaboration
Dmitri Zagidulin: What is a decentralized app manifest? What sort of higher level data structures will apps need? But conversely, Solid doesn't have Linked Data Security, Encryption, VCs, etc... The two communities are very complimentary, interopable -- there is a lot of material of interest to the Solid community, start with DID integration, would love to see more Solid folks on Confidential Storage call. [scribe assist by Manu Sporny]
Heather Vescent: Great -- thanks for the overview -- this is not everything we're doing in CCG -- we wanted to hone presentation to things you might be interested in -- ice breaker to get both groups on same page wrt. entry points for collaboration. [scribe assist by Manu Sporny]
Sarven Capadisli: Thank you, that was great, lots of material and homework for Solid CG to follow up on -- question, touched on this, views/experimentation around key management in browser -- I know we have CHAPI -- adoption, interest, experimental applications demonstrating CHAPI before browser makers. [scribe assist by Manu Sporny]
Sarven Capadisli: Solid ecosystem would like to take advantage of all work around credentials -- Solid working on browser [scribe assist by Manu Sporny]
Orie Steele: There are 3 places where we see key management intersecting... EDVs and Wallets -- representation for keys that are extractable and non-extractable -- remote KMS, Azure Key Vault -- Universal Wallet EDVs mechanism for storing extractable keys -- WebKMS spec, vendor agnostic interface for working with remote key management servers... [scribe assist by Manu Sporny]
Orie Steele: Some of the, universal wallet spec, has some support for non-extractable keys stored in browser. [scribe assist by Manu Sporny]
Amy Guy is scribing.
Manu Sporny: Is the question what works in chapi today and what's the plan in the future? CHapi was created many years ago. An offshoot of the original webid work in 2011. During that time we .. digital bazaar was involved in original webid work, we did the first purely polyfil implementation of webid. The thing we were concerned about was browsers taking clientside certs out of the browser, we wanted a polyfil to enable weibd to survive. That polyfil
Became chapi over 6 years
... now chapi is used to do more things, it moves data from one website to another using purely polyfill tech, no dependency on browser ever implementing it - but we would like them to on the community's terms
... people may not be aware that when browser vendors get involved things don't always go in the direction you want, sometimes agendas are not aligned
... the design for chapi is such that if we converge that's great but if we don't that's fine too
... there are anumber of implementations that use chapi to move credentials back and forth
... this interop work has been demonstrated through the DHS SVIP, an interop test suite we're constantly showing it
... it's already or going to be a CCG work item
... it is definitely being used today
... examples on the chapi polyfill site of how to build a system that can send and request credentials
Henry Story: No, the polyfill is not Origin based, in the sense you're asking [scribe assist by Dmitri Zagidulin]
<heathervescent> thanks for scribing Amy!
... happy to point you to tutorials
... dmitri has a demo already working for solid
... where are we going? ideally we want it implemented in the browser, and it is built in such a way to align with the credential manager - totally different interface
... credential manager is already in the browser, and we built chapi in a way to layer on top of that if the browser vendors are interested
... for it to become of interest to them, we have ot show tens of millions of people using the api
... that's usually when it becomes convincing. That's why the polyfill exists
... that's why wer'e having multiple vendors moving things around
... we're refining it so when broser vendors come around to implement its well formed
<csarven> manu thanks! clear. will follow up
Dmitri Zagidulin: Chapi and chapi based wallets are a good fit for solid because they're essentially a superset of webid tls clientside cert functionality
... with better UI and more choicecs of providers
... there have been several proof of concept pilot deployments already
... 4 or 5 implementations in the wild that i know of. And done a solid integration with did web I'd be happy to demo
Amy Guy is scribing.
Dmitri Zagidulin: You've should've told me that before! =) [scribe assist by Sarven Capadisli]
Sarven Capadisli: I've been saying it for months! :) [scribe assist by Dmitri Zagidulin]
Justin Bingham: Agree on the collaboration point around interop that dmitri raised
... dbuc and I were talking about interop things
... where is the best place to action the collaboration?
... the weekly session or a separate session about the interop or the identity hub work?
... we're doing a ton of work there, if that work is happening in parallel and we agree we can probably do good stuff together rapidly, I don't want to miss that opportunity
<bblfish> What I wonder is how one gets it to work? Is it that aach web site used the CHAPI playful when they want to have their clients use credentials, and that polyfil then calls into one's the in built browser API?
Orie Steele: Join the Secure Data Store WG: https://github.com/decentralized-identity/confidential-storage
Dmitri Zagidulin: Confidential storage calls
... the CCG itself is very interop focussed
... and there are a lot of presentations within and outside the community there
<justinwb> perfect - ty orie
Heather Vescent: The CCG has the main meeting, the big tent
... from time to time we have updates from the task forces
Dmitri Zagidulin: Re your implementation! I'd love to see it. [scribe assist by Sarven Capadisli]
... the task forces spun out of the big tent because of interest in drilling down
... so they spun off
Sarven Capadisli: Sure thing! [scribe assist by Dmitri Zagidulin]
... we ended up having qute a few of these, all important and focus on different things
... on mondays the VCs for education group meets
... markus has restarted some of the did resolution stuff which was very critical
... dmitriz and tobias and kaliya chair the confidential storage
... all of those are included in the overall CCG, as well as other things
<mprorock> have to bail, thanks all
elf Pavlik: We have well documented use cases with authorization. What is the best way to get feedback on those use cases.. from people or task forces that work with authorizatin?
... how to use VCs and capabilities to address authz related use cases?
Dmitri Zagidulin: It would make a lot of sense for us in solid to present to the confidential group on these authz use cases
Orie Steele: EDVs are built on https://w3c-ccg.github.io/zcap-ld/ today
... a narrow subset of those authz have been discussed by encrypted data vault interested community, but there's a larger conversation to be had about authz use cases for hubs
<orie> looks like they could be compatible with the Solid spec / approach
Heather Vescent: I'd also love to see it in the regular CCG call
<dmitriz> totally, +1 to presenting to CCG!
... if the solid community has questions or wants to run ideas o r uses cases, we can put that on the agenda
... have a CCG call dedicated to that
Manu Sporny: +1 To presenting to CCG -- Solid Authorization use cases
Adrian Gropper: I am particuarly interested in authz
... I second the thought that you should join us in confidential storage calls as a starting point
... that is the focus of my attention
... I also try to interact with the IETF GNAP work
... and today at 5 o'clock is a meeting where justin richter is presenting the GNAP work to the interop work group
... that's a DIF thing
... I will also be acting as a respondant
... if you want a really up to date perspective on what's going on between SSI groups and IETF groups on authz that's a good starting point, or email me
Adrian Gropper: Can you please share link here [scribe assist by elf Pavlik]
<elf-pavlik> ty
... I'll get the links
Manu Sporny: We've got dmitri sitting between both communities for a while
... it would be good to understand where solid's priorities are these days
... what is the most pressing thing on your midn and where are you trying to make progress?
Adrian Gropper: <P>DIF Interop WG Call&nbsp;<br></p><ul><li><b><a href="https://github.com/decentralized-identity/interoperability/blob/master/agenda.md">Agenda</a>&nbsp;-&nbsp;</b>agenda, minutes, recordings and useful links</li><li><b><a href="https://dif.groups.io/g/interop-wg">mailing list</a></b></li><li><b><a href="https://identity.foundation/interop/">website</a></b></li></ul><p></p>This meeting has an alternating timing to involve all timezones.&nbsp;<b[CUT]
... to see if there's any alignment there
<heathervescent> Thanks Adrian
... understanding solid's priorties, roadmap, would be really good
... I know there's a roadmpa timeline sent to the ccg
... maybe we can work on aligning what people would be most motivated to work on over the next 6 mnths and go from there
Heather Vescent: They might be talking about that this afternoon
Heather Vescent: Thanks everyone!
<manu> Thanks to the Chairs of both groups for coordinating!
... How can we help you engage and collaborate with our work items?
Sarven Capadisli: Manu https://solidproject.org/TR/ for Technical Reports etc. May want to have a look over https://solidos.solidcommunity.net/public/Roadmap/Tasks/
Sarven Capadisli: There are so many areas that we can meet at.. from our end we need to understand the scope or coverage that some of the credentails specs and implementations you have, and on the solid end, and where they overlap
... that will help us better see to what extent we should take some specs in solid and where to stop and know where credentials are coming in
... we dn't want to come up with yet another approach to addressng similiar needs
... I don't have a specific answer on how that would work, but being more familiar with the material helps from both ends. I know dmitri is. We're slowly making our way into the credentials work
Heather Vescent: Would it make sense for a few folks from ccg to come and do a tour of some of the specs?
... during a call or a separate call where .. sometimes its intimediating to open up a document or a spec in progress and really understand the context
Heather Vescent: +1 To more / focused calls [scribe assist by Sarven Capadisli]
... would it make sense for someone to give a tour and walk through that stuff and present some of those things?
Henry Story: That's going to be very useful
... the main thing is going to be to - we'll explain next - the use case we have
... so I can see for example credentials being very useful and tying these into access control systems
... it's a question of which parts of .. how doe these work, where can one try these things out and play with them?
... that's the only way you can really get a good idea of how it's working
... from that one can start thinking about how it would best fit
... the recent book on SSI I found really helpful, and manu's talk recently
... just a question of if I want to try to implement that where do I go?
... what's missing and how does it fit our use case
... would be useful to have sessiosn where one can work through these questions
Heather Vescent: Would you expect that in your call or would you come to a ccg call, or smething separate?
Henry Story: I've started sending mails to the ccg but I should come to the calls
Heather Vescent: We'd love to have you
... any last questions?
... thanks to everyone today. See you back here at the same link in 2 hours at 10 am pacific
<bblfish> thanks
<bblfish> was the link to the talk this afternoon posted here?