The W3C Credentials Community Group

Verifiable Claims and Digital Verification

Go Back

Credentials CG Telecon

Minutes for 2021-06-22

Manu Sporny is scribing.
Heather Vescent: Welcome to the call today - as all of you know, I love planning and Agendas and we're doing something different today. Agenda-less call, challenge given by Anil. It's out of my comfort zone, but good to step out of comfort zones.
Heather Vescent: We will have a planned call next week, don't worry. :)
Heather Vescent: There are interesting ideas in this community, not everyone wants to step up and be on the hook... lower barriers to participation, just see what bubbles up from the community.
Heather Vescent: That is the UN-agenda for today. We'll go through standard stuff and regular business before jumping in to no Agenda.
Heather goes over IP Note - you must be CCG member to provide technical input. You don't need to be a paid member. You do need to have a W3C account.
<heather_vescent> Minutes:
Heather Vescent: If you would like to say something, type q+ to add yourself to the queue.
Heather Vescent: Please be brief so others can chime in -- but today, be as long-winded as you want. It's unstructured. Meeting held by voice, not IRC, be on topic.

Topic: Introductions and Reintroductions

Heather Vescent: Anyone new that would like to introduce themselves?
Steve_Gance: I'm in Olympia, Washington, working with Concentric Sky on badging, more interested in Verifiable Credential stuff -- new, listening in, lots of homework to do, listening in, thank you.
Heather Vescent: Please feel free to reach out to me directly or CCG 101 group to answer specific questions you might have.
Heather Vescent: I'm trying to shepherd and help create materials to understand community and how it works so you can contribute. Just shoot me an email or join CCG 101 calls.
Steve_Gance: Great, thank you.
Heather Vescent: Any reintroductions?
<econnell> next time- my mic is glitchy!
Adrian Gropper: Hi Adrian Gropper, I have a dual role -- CTO of non-profit for Patient Privacy Rights, volunteer there, tiny operation. I also lead an implementation project of the standards in the SSI community as well as authorization-related standards all around healthcare use cases, which I authored for Verifiable Credentials in form of a prescription.
Adrian Gropper: In W3C invited expert on Privacy, trying to promote interest of consumer here.

Topic: Announcements and Reminders

<heather_vescent> Announcements:
<heather_vescent> scribe+
Manu Sporny: Announcement for the DID WG, the DID core recommendation is in the second candidate recommendation, until mid-July. There were two features that are not getting implemented. A minor nuance in the W3C process, but necessary to be specific and clear. Doing another revision. We are still taking implementations - and have gotten a couple (universal resolver). There is still time to submit an implementation report. We have 20-30 implementations, so this is really good feedback. If all goes well, we will proceed, and vote and ratify as a global standard.
DID Core 2nd Candidate Recommendation is here:
Heather Vescent: Any other announcements/reminders?

Topic: Action Items

Heather Vescent: Update on Infrastructure Task Force?
Wayne Chang: Not too many updates recently, seems to have stabilized, APAC call waiting on 3rd co-chair to do that, grateful to manu for providing further updates to infrastructure, thankful to heather for updates on how to scribe.
Heather Vescent: Are you having any other meetings?
<heather_vescent> Open co-chair role:
Wayne Chang: No meetings scheduled, might be a good idea to have meetings every month or two.
Heather Vescent: We need another co-chair, it's a lot of work for two people -- we need to solve this in some way.
Heather Vescent: The way we've done this in the past is by having a 3rd co-chair - one challenge we've had at this time about the role -- people interested, for various reasons, folks have decided not to take the stage -- lots of stuff going on -- packged calendar.
Heather Vescent: There are 4 W3C CCG calls on my calendar!
Heather Vescent: Also confidential storage, and VC EDU -- we are doing a LOT of work in the CCG -- not only happening in this main meeting... wanted to query the community on how we could solve this. Should we cut down number of main CCG meetings?
Heather Vescent: We might want to ask other meeting runners to come into rotation on weekly call -- current state of co-chairs is not sustainable and if we do not have a solution to it soon, you might end up with no co-chairs.
Heather Vescent: Not a threat, different co-chairs prioritize the work at different levels -- we are doing a lot of work in community -- we'd like work in community to be supported done.
<orie> sounds like expectations should be changed regarding what chairs are responsible for doing.
<heather_vescent> Orie q+
Manu Sporny: We need to make this sustainable, perhaps we should lean on others already running meetings.
Orie Steele: I think you said you were joining all calls... that's a lot to ask chairs... not sustainable.
Orie Steele: Not just Chairs volunteering, people running calls -- generally speaking, in order for this community to be effective, we need to work async in a way that's effective. Call time should be focused on resolving disputes that are not being resolved async.
Orie Steele: My understanding of Chairs is process manager but not significant work item contributor... I cannot imagine Chairs being able to be aware fully of all work items... it's a lot to ask.
Manu Sporny: If there is a perception that chairs are involved in everything, that's not sustainable.
Heather Vescent: I don't attend all meetings, I attend them sometimes and do CCG 101 -- I do disagree that Chairs need to know work items going on, but that can happen async.
Heather Vescent: The point with six CCG calls, lot more work happening on work item, pool of work and people in leadership roles are spread across six meetings instead of 1-2.
Heather Vescent: Any other comments on this topic?
Jeff Stephens: Just as an example, not directly related to how it's done here -- biometric standards bodies -- they have subcommittees, they have chairs on sub-groups as well...
Jeff Stephens: Don't know if you can set up a hierarchical structure for this group, something to think about.
Heather Vescent: That's an interesting idea, haven't had hierarchy in the past, how would community like to do that?
Manu Sporny: +1 To roll up to the CCG chairs
Ted Thibodeau: I am the crazy person who is trying to attend every call of every group in which I have a vested interest -- there is some need for some level of hierarchy here -- inherent in work items being subtasks of CCG -- there is a hierarchy there.
Ted Thibodeau: Not all calls need to be attended by CCG Chairs -- need to be aware if work items are going to reach conflict level -- if split group should be multiples or single.
<orie> DIF has staff I think.
Wayne_Chang: It is getting to be a lot of workload, lots of work items, even if we had 3rd co-chair, would it be enough? Work items accountable? I keep thinking if it's possible to have more dedicated resource on behalf of CG, then we need budget, responsibilities, governance, CCG need it's own entity? Having a pair of hands that could help, paid obligation, explicit support of W3C staff, show up to meetings, notes, recordings... that's been hinging on
The Chairs, as we have more work items, more meetings, task forces, might be easier for someone good at this to work on this like W3C staff.
<orie> does OIDF / TOIP / IETF have staff?
Manu Sporny: That sounds fine (staff), the second we talk about staff, it's money and a bunch of meta problems and we stop working on the technical work, and now we have management of a psuedo standards group.
<heather_vescent> ... maybe we shouldn't do as good of a job as we are right now. Maybe everyone should take a step back and see if things fall over.
<heather_vescent> ... some things we can't slip, we need minutes and notes, this is a fundamental protection for the community.
<wayne_chang> TOIP has staff
<heather_vescent> ... but coordinating things, takes a lot of work and is largely unseen.
<wayne_chang> IETF has.....people whose employer allows it to be part of their job
Mike Prorock: What is your typical weekly workload for Chairs?
Mike Prorock: Maybe focused Chair roles?
Mike Prorock: Can we group by function rather than group?
Mrporock: That might get more interest -- functional?
Heather Vescent: Wayne, want to provide how much work you do?
Wayne_Chang: Work is anywhere from 2-6 hours a week, a lot of it is reading... would spend more time... if I had more time would spend more time on speakers, want to ask community on speakers, last few weeks 2-4 hours.
Heather Vescent: I don't spend much that time -- in order to put agenda together, do minutes, follow up in Task Force -- 2-3 hours per week. Cochair leaderhsip meeting haven't been happening since March -- no long term planning, strategic planning, ensuring anyone doing minutes.
<orie> yikes, if we are going to turn this call into a slander session.
Heather Vescent: I don't mean to be combative, but Wayne, hard to understand how you put in that time.
<orie> I don't see this call doing anything useful for us.
Wayne_Chang: No need to call out people on a call, happy to discuss in a separate call.
<mprorock> If you can locate that responsibility/role doc that would be awesome
Heather Vescent: If you manage your time, and we are efficient about things, you attend some meetings -- 2-3 hours includes running this meeting -- CCG101 call -- I don't know if that answers your question Mike.
Mike Prorock: If you find that doc, I'm happy to share with folks with interest in the space.
Heather Vescent: The doc is in IRC -- in preparation for open co-chair role.
Heather Vescent: Publishing minutes used to take a long time, now easier than to Kim/Manu, have documented a lot of stuff.
Heather Vescent: Easier to understand how things are done now... we should do mentoring and leadership succession planning -- need to be successful co-chair, manageable time... happy to mentor someone if they want to come in. Wayne and I had discussed that one year co-chair could be good. Any questions or comments?
Heather Vescent: Any other questions/comments about the issue?
Ryan Grant: Heather, wanted to thank you especially for minutes training. I can help out on minutes occaisionally, this is a much smaller responsibility / work item than being a co-chair in general sense. The thought came to me, are there other delegation on specific items that people can volunteer for? Volunteer queue.
Ryan Grant: Even though we're considering another co-chair, it would also make the co-chairs lives easier.
Mike Prorock: +1 Rgrant - i think that is a great idea
Heather Vescent: Yeah, I think that's definitely one of the things we wanted to do -- there is management process time there, getting people to easily volunteer -- hidden goals of CCG101 is to make it easy for folks to communicate and make people part of CCG in low-stakes area.
Heather Vescent: Get feet wet with community -- if someone wants to do that, I'm willing to help with that.
Heather Vescent: There needs to be heavy lifting from folks other than chairs to jump start that.
Heather Vescent: There are more things we want to do -- diversity reviews of work items.
Heather Vescent: Any final comments for today? If not, we can move forward.
Heather Vescent: Thank you for having that conversation, this community is not afraid of conflict, not worried.

Topic: No Agenda, Agenda

<rgrant> /me tests emotes from jitsi
Heather Vescent: The purpose here is for open space -- interesting things that are happening? Is there something that's annoyed you recently.
Heather Vescent: California VCs? Something interesting/exciting that has inspired you?
Mike Prorock: Yeah, had an interesting experience yesterday, demonstrating for government agency -- and when you look at regulatory items, there is a comfort level with pen/paper that makes it slow to move away from.
Mike Prorock: We're dealing with agriculture, food safety... doing track and trace for food recall -- the question came up -- how do we know that this data is ok? What was entered is what was presented?
Mike Prorock: VC data model on VC we just issued -- a light bulb went off for the audience for people that have traditionally been paper-based... good feedback moment for work we're doing... they said: "I got it, see proof beside data, can call different systems to say this data is fine"
Mike Prorock: It was cool to me, used to working more to people speaking same langauge... but this one hadn't seen a VC before, but they got it right away, other solution on market for digital signage didn't have same security constraints under the hood.
Mike Prorock: Really well received, when we talk about moving off of paper, over to digital, confidence is important.
Heather Vescent: Very cool, Mike.
<mprorock> and crickets
Manu Sporny: Wanted to ask, would love to hear from the community, where are we going? What should our next focus be?
<heather_vescent> ... we have six different groups, all of them are helpful, but if we had to converge on a big topic, what would it be?
Kaliya Young: Q+ mprorock
<dmitri_z> authorization :)
Kaliya Young: Fighting QR Codes ... I think that sharing digital encodec information about people is incredibly dangerous and worrying. I think the concerns that BC government need to be taken seriously.
Kaliya Young: We need to figure out how to explain the difference between VCs and VPs and what is being unfolded right now with covid vaccine certs.
Heather Vescent: How can the community support that?
<cel> is there a link to concerns of BC folks mentioned by identitywoman?
Kaliya Young: I'm trying to take material that was drafted by BC folks, shape it into a whitepaper, it may even be coming out with some sort of statement. People can't understand the differences, it's all just "digitally signed stuff, isn't it just the same?"
Heather Vescent: So you mean, a statement from the CCG?
Kaliya Young: Potentially... this is one of the significant bodies working on this technology.
Heather Vescent: Let's see what people say -- work item to track, interesting idea.
Mike Prorock: Thanks for that Kaliya, that whole issue, digitally signed info, what's the difference is a big one... we have to find a way to communicate effectively on route we'd like to take. QR Codes used to display VCs, difference in how FHIR Smart HealthCards are doing things.
Mike Prorock: We need to speak clearly about those differences, but recognize that this stuff is out in the world... how can we help move this stuff toward a better privacy option.
Mike Prorock: Appreciate you bringing that to light, Kaliya.
<identitywoman> that is what i'm talking about.
Ted Thibodeau: I think that fighting to never use QRCodes is a battle that is already long lost -- took a decade to hit in the western hemisphere, they're useful when used appropriately -- use them appropriately. Only put in public information, information that is encrypted, that sort of thing.
Ted Thibodeau: They can be used on vaxcerts to point to other information, but should not include anything in bold face on QR Code package -- just by scanning QR Code, decode, people will be happy vs. street address and phone number.
Adrian Gropper: I've studied the relationship to VCs and DIDs in relation to health records as long as VCs and DIDs... I don't understand the problem with QRCodes, there can be problems, we need to be careful not ascribing privacy interest for convenience.
Adrian Gropper: If we don't have communities of employers, patients, representing themselves, instead represented by proxies, it's easy to confuse people about digital standards because of that -- the context is so important
Manu Sporny: +1 To what Adrian is saying.
Manu Sporny: Reflect on the QR thing, Kaliya's intent is the data in the QR code, not the QR code itself. The data you put in them, can be concerning, health record stuff is dangerous, as Kaliya mentioned on the mailing list. It is not a VC. Manu's personal opinion is not a VC, isn't interoperable, but they got a bunch of tech providers to agree to use it, so there is that. There are some deeply concerning things about the way it is deployed. +1 to voicing that opinion.
<heather_vescent> ... what we (the company) have seen, is companies using VC, Verifiable Credentials, it's got a good brand, a number of companies external to this community, in ways that are not aligned at all for the technology to be, and they aren't even using the technology (we developed here) under the scenes.
<heather_vescent> ... it would be good to make a statement, like the way this is constructed, is problematic, because of [specifics] and here are concerns.
<heather_vescent> ... I think the working groups should be able to say stuff like that.
<heather_vescent> ... and people will listen, if we can agree to the statements.
<heather_vescent> ... writing a paper is something that will (likely) fail. But a paragraph. +1 to Kaliya for the community to say things like this in an official capacity.
<heather_vescent> ... also curious about all this plumbing that we assume exists (e.g. LDS) but this community is busy, but has not been involved in the 300 emails that have changed hands in the semantic web group.
<identitywoman> (I'm working on a white paper about the issues with QR codes at ToIP) - would be great to have a paragraph about the issues from CCG
<kim> we can make it easier on ourselves by defining conformance criteria and getting ahead of the messaging; being more precise with "Verifiable Credential"
<heather_vescent> ... what people are seeing there, is a disinterest from teh CCG because we (the CCG) is not there participating. So commenting about what is going on in the market, (Health Record) but I feel like we are tripping over some fundamentals. We are assuming some tech will be formalized. (Being a little hyperbolic.) BUt people are not seeing this community's thoughts about this. And this is a problem, because we have a big stake in that work succeeding. There may be some fundamental work that we need to do (e.g. LDS).
Mike Prorock: +1 Manu - LDS is a key fundamental base for the rest of all the things
Heather Vescent: It sounds like there is interest in putting together statement about something. Want to invite Kaliya to start issue on CCG Github as something to start. This would be great.
Heather Vescent: Diversity / inclusion -- work together, would support that as a Chair and org.
Ryan Grant: As focus for group, maintain visual picture of various projects we're aware of are interop'ing... I keep trying to build that picture on the calls, some days it works well, some days it doesn't, just an idea.
<kezike> Right Kim, similarly I was going to suggest encouraging implementation of vc-http-api as vetting mechanism via the test suite conformance
Ted Thibodeau: Just a suggestion, Kaliya -- don't know if you're interested, co-author, co-editor, brief statement that sums up where CCG and VCWG stand on QR Codes -- we all know X.
<identitywoman> sorry - I forgot we have dates for the special topics IIWs July 22nd for UX/UI in SSI and August 4th for the Business of SSI.
Kim Hamilton Duffy: The thing around misuse of Verifiable Credentials, several things now that we're getting into a state -- conformance criteria, make lives easier on ourselves if there are tests -- we don't have to be so reactive to people saying: "This is a Verifiable Credential." -- might save us from every instance of violation, of which they are many.
<mprorock> thanks all!
Heather Vescent: Thanks all for the meeting today -- next week, Victor from CCG101 that will go over survey we sent out. Thanks everyone, have a great day.