The W3C Credentials Community Group

Verifiable Claims and Digital Verification

Go Back

Credentials CG Telecon

Minutes for 2021-07-13

Juan Caballero is scribing.

Topic: Introductions and Re-Introductions

André Kudra: I'm from eSatus, I'm here as a guest to present the IDUnion project and the Bundezkanzleramt pilot project
Wyc: gratitude
Kaliya Young: My most recent big engagement has been co-chairing the interop WG at Good Health Pass; I also want to mention my recent CCG email about mDL RFP for comments
... i see a competition or antagonism between mDL and VC spec, so we should make sure the RFP is full of references to our work which miight be sidestepped

Topic: Announcements

Kaliya Young: Date (is still) 12-14 Oct for IIW proper
... and two mini-events on UX (22July) and business of SSI (4Aug)
Wyc: IIW recommended for people new to the space, good collaborative environment

Topic: Progress and Action Items

Wyc: new CCG co-chair, Mike Prorock-- no immediate action items

Topic: Main Event - André Kudra (eSatus) presenting on IDUnion and Bundeskanzleramt Pilot

André: I will present IDUnion first; slides presenting
... : of the 4 BMWi consortia, IDUnion is the one who is SSI to its core
... large consortium (slide of logos of all members)
... slide of all non-funded participants
... slide for third tier of "associated partners" - expressed interest and/or interacting on a research level rather than piloting level
... we work with Indy technology as our basis, but forked and with some specific EU use-cases and requirements
... in general it's a familiar architecture: wallets and Verifiable Data Registry
... slide of DLT-testnetwork - part of why the consortium was so succesful is that a testnet had already been stood up before the official application deadline
... and some use-cases were already being prototyped on that testnet with these companies participating (logos of many companies)
... wallet tech - Lissi (Commerzbank Main incubator project, now independent) and eSatus (SeLF fork)
... Business Partner Agent (cloud agent for LEI) from Bosch, Daimler and Siemens; SPherity's Cloud Wallet also involved in prototyping
<adrian_gropper> Are the end-user wallets open source?
... "European Cooperative" (specific legal category) which will govern the ID framework (Societas Cooperativa Europea, SCE)
... complex governance being planned and iterated as part of the project
... slide with 7 verticals, topics touched by that research cluster, and the 5-10 companies involved in each
... Interoperability slide - four distinct topic areas and logos of participating agencies
... implementation roadmap slide
... i would personally like to a faster roadmap, but production-grade trials scheduled for 2022
... 15million € from the BMWi, but for the non-academic participants, this is a matching grant which must be met 1:1 with internal funds
<tallted> Can we have a link to this slidedeck?
<wayne_chang> q
<tallted> q
Adrian Gropper: I am curious about the self-sovereign individual's representation here
<bumblefudge_> André: From an architectural perspective, everything is architected around the SSI principles
<bumblefudge_> ... for example, one project involved is elegibility for food support in Langen
<bumblefudge_> ... using SSI VCs to prove eligibility, issuing eligibility voucher for discounted food as VCs
<bumblefudge_> ... in the education space, we have worked with all the same use cases you've heard of already
<bumblefudge_> ... we are working with a couple universities to create a student wallet for student, parents, and teacher credential exchanges
<bumblefudge_> ... (field trip consents, etc)
<bumblefudge_> ... and coming from the classic IAM world, we have also been experimenting with SSI for AuthN and building access
<bumblefudge_> ... everyone who is involved from a use-case perspective has the SSI trust triangle in the back of their heads
<phil_l_(p1)> Are self-asserted achievements, skills, and abilities within the scope of credential types? (l.e. self-issued credentials)
<bumblefudge_> ... individual/end-user wallets and interactive consent is crucial to all the use-cases
Adrian Gropper: I don't agree that this addresses the consumer perspective but i think I've made my point
<bumblefudge_> 1?
<phil_l_(p1)> Q
<bumblefudge_> s/50million / 15 million/
<bumblefudge_> sorry, there is no automatic AI transcription, that/'s juan
<bumblefudge_> André: Sebastian Manhart, advisor for Digital Identification (BKA) created these slides
<bumblefudge_> ... so I may not be able to answer all questions
<bumblefudge_> ... slide1: Leyden's principles
<bumblefudge_> ... slide2 - wide variety of government papers to be digitized securely and privately
<bumblefudge_> ... aligned directly and primarily with the EU-wide EU-ID specifications and directives
<bumblefudge_> ... which are comparable to W3C and want to be in dialogue with the W3C work
<bumblefudge_> ... it's a strong public/private cooperation project, and has been quite succesful thus far
<bumblefudge_> ... slide: 3 ways in which SSI supports an EU-wide data infrastructure - eID rails, privacy standards, and adoption-oriented interop
<bumblefudge_> ... slide: diagram of EU ID with eIDAS 1.0 and SSI as pillars
<bumblefudge_> ... slide: Angela Merkel quote
<bumblefudge_> ... slide: C-levels from 19 of the biggest enterprises in Germany called into Angela's office to get cracking on an EU-interoperable identity infrastructure for Germany
<bumblefudge_> ... the project jumped into action the next day (that meeting was in December 2020)
<bumblefudge_> ... the Bundeskanzleramt got involved right away and is in a steering role, relying on consultancies for operational support
<bumblefudge_> ... they created a public/private cooperation driven by the CHancellory but also organized into verticals, each of which has at least one major German enterprise participating
<bumblefudge_> ... first pilot use case launched publicly in May: Lindner, Motel One, and Steigenberger hotel groups doing log-in
<bumblefudge_> ... and check-in with a Basis-ID (eIDAS-compliant Personalausweis / Personal-ID by Bundesdruckerei / Federal Mint)
<bumblefudge_> ... no more paper sign-ins at hotels -- business travelers can now do check-in with company account and invoice directly
<bumblefudge_> ... this is live since mid-May
<bumblefudge_> ... Dorothee Bär (Digitization Ministry) photo opp
<bumblefudge_> ... 2000 business travelers have already used it for logging their travels, limited as they are by Covid
<bumblefudge_> ... this is integrated into many other projects, such as the projects of vSDI, the SDIKa consortium, the Bundesdruckerei Optimos 2 secure-element project
<bumblefudge_> ... for on-device TPM cryptography
<bumblefudge_> ... last slide: roadmap for rest of 2021 for Chancellery project
<bumblefudge_> ... major items in the 2021 workplan: eiDAS-compliance feedback/specifications, explicit alignment with EU-wide eID specs as they are published,
<bumblefudge_> ... and pilots to test cross-border interop and use-cases
wayne_chang is scribing.
Bumblefudge_: i've posted a link to the IDUnion technical slide deck.
Bumblefudge_: interop roadmap, did-spec, etc. in the roadmap. this could generate more questions.
<bumblefudge_> wyc:
<bumblefudge_> wyc: what is the best way for people from the W3C ecosystem to get involved with the IDUnion?
<bumblefudge_> André: My favorite path would be to set up some kind of form in IDUnion for international guests and interlocutors
<bumblefudge_> ... the IDUnion is still very much hammering out its workplan and its venues and rhythms
<bumblefudge_> ... but I am personally lobbying for a prominent stage for international dialogues and collabs
<bumblefudge_> ... having an engagement model for those dialogues will be crucial and I will come back to present once we have something like that
Adrian Gropper: In the US, we've had pushback against digital identity
Adrian Gropper: It's also been a states' rights issue
<bumblefudge_> ... in that federal govt and states disagree on scope of federal eID and interop
<bumblefudge_> ... cf RealID debates
<bumblefudge_> ... is there an analogy in Germany?
<bumblefudge_> André: Well of course there is debate
<bumblefudge_> ... and currently public discourse has a lot of arguments against a very strong privacy stance
<bumblefudge_> ... as an impediment to Covid recovery and remediation
<bumblefudge_> ... what you see here is the federal government's proposal to avoid that kind of debate
<bumblefudge_> ... and preserve a decentralized, citizen-first privacy model for eGov and private sector use-cases
<bumblefudge_> ... but we have to combat a dominant narrative in public discourse that frames the problem as privacy/GDPR versus the economy
<bumblefudge_> ... and there is also a strong pull of habit for giving the government full control over government (non-digitally)
<bumblefudge_> ... so there is a delicate matter of adoption without playing into fears of a government-centric digital sphere
<bumblefudge_> ... if you look at the election platforms of the upcoming Sept elections
<bumblefudge_> ... cybersecurity and privacy and digital identity are suprisingly prominent across ALL the parties
<bumblefudge_> ... digital sovereignty could actually become a major flashpoint in the election debate so far
<bumblefudge_> ... wyc: thanks so much
<bumblefudge_> ... André: Thanks for giving me so much time, and I hope it was useful and I will come back when I have more news and invitations to collaborations
Adrian Gropper: I would like to hear more about the mobile driver's license issue
Mike Prorock: +1
<bumblefudge_> i linked to it above
Kaliya Young: There is an extensive preamble and 13 or 14 questions-- preparing a response could be a time-intensive process
<andre_kudra> I will drop off and leave you to your meeting. Thank you so much again!
<charles_e._lehner> Thanks Andre!
Kaliya Young: I did go to the public hearing they posted
<bumblefudge_> ... but the mDL people were there, Stanley from the ACLU (who has also publicly called out the phone-home capability built into the mDL standard)
Bumblefudge_: just gonna ask, mDL standard is ISO right? ask our guest about this
<bumblefudge_> Adri: The way Kaliya framed this earlier was as a challenge to our work here
<bumblefudge_> ... and the standards we work on
<bumblefudge_> IdenitityWoman: The mDL standard spawned something called MDoc
<bumblefudge_> ... developed entirely in ISO (only accessible via national standards bodies and some very large enterprises)
<bumblefudge_> ... and a few companies involved in our space have access but it isn't public, it's a very proprietary place to make software
<bumblefudge_> ... my personal interpretation is that there is a documentation/IAM incumbency
<bumblefudge_> ... that is trying to skew the standard in a way that they will be the only vendors positioned to sell governments issuance and wallet capabilities
<bumblefudge_> ... and it is not interoperable with VCs or VC-based
Heather Vescent: Want to query the community if this could be a topic for a community work item to formulate a collective response
<bumblefudge_> ... this could go a couple different ways-- do we A.) want to make a statement or response? and if so, B.) how?
<mprorock> I would note that we likely have 10 days to prepare a response
<bumblefudge_> ... who would lead/manage the rpocess
<bumblefudge_> ... there was a NIST response process done fairly quickly
<bumblefudge_> ... mprorock: The reason I called it 10 days and not 17
<bumblefudge_> was that we would need to review (as chairs) any draft and bounce off the group in a reasonable time for objections
Mike Prorock: I am personally very committed to this so I want to know whether to work on this individually or as a community
David Chadwick: I am involved in the mDL
<bumblefudge_> ... and I had to response to the draft ballot (an earlier work item related to mDL) and I proposed changes that would make it more interop with VCs
<bumblefudge_> ... and I presented it to the CCG at the time, explaining that they had good protocols but a bad data model and we had the inverse
<bumblefudge_> ... I wanted to get a work item going to prototype some hybrid or interop test
<bumblefudge_> ... and the mDL v2 does actually have a reasonable chance of interop with VCs
<identitywoman> The JSON-LD data model or just JSON?
<bumblefudge_> ... but it didn't make it into v1 because of a lack of prototyping and testing and scoping of VC interop
<bumblefudge_> ... americans were in a hurry for v1 and rushed it to release without the VC work
<bumblefudge_> ... and there have been questions about hte "backchannel"(phone home mechanism) and that is likely to be cut in v2 because
<mprorock> extemely helpful, thanks David
<bumblefudge_> ... of conversations within the group
Adrian Gropper: Question question: Is this a standards-org issue where ISO wants to stay out of open-source and avoid W3C or is that a red herring?
David Chadwick: Because it's a formal standards body, their process is very nation-state/member-state-based (ANSI, BSI, DIN, etc)
<bumblefudge_> ... and the publications are not free (although some standards they release are royalty-free and public, like X.509)
<bumblefudge_> ... they have got some good examples (and some atrocious ones) in their history
<cel> s/loyalty/royalty/
<bumblefudge_> ... DavidC: Kaliya asked about JSON and JSONLD in the VC that mDL will interop with
<bumblefudge_> ... and the answer is JSON but with an @Context - uses JWT signing
<bumblefudge_> ... so the interop with mDL hinges on the JWT support
<jeffo-stl> Nice add on Adrian, ya!
<bumblefudge_> wyc: please pay attn to the mailing list to get involved
<bumblefudge_> Auf Wiedersehen, my loyalty-free friends!