Credentials CG Telecon

Minutes for 2021-11-30

Juan Caballero is scribing.
Heather Vescent: Intro, continuation of 9/28 CCG Call and IIW sessions led by our guest, Andrew Hughes (Ping Identity)
...: one set of questions we didn't have time for the last time this topic was discussed was the backstory of ISO WG decision-making and timelines
Heather Vescent: Manu sent out an email about VC-mDL vocab recently, and i assume we will have time for that in Q&A without upstaging or stealing time from the main event
Andrew Hughes: Sgtm
<manu_sporny> Sounds great, Heather... Andrew, I have some thunder to share, we'll make a great team :)
Heather Vescent: IPR note
... call notes
... queuing guide for new folks
Mike Prorock: Bug report - Chrome updates can break Jitsi, beware!
Heather Vescent: Intros & re

Topic: Introductions & Reintroductions

Heather Vescent: Announcements and reminders

Topic: Announcements & Reminders

Manu Sporny: Did-core formal objections: radio silence
... since asking for a timeline 80 days ago. formal objection council met 2 weeks ago but no minutes published yet
... we will keep pushing for a timeline
... other announcement: weekly updates from VCWG -- published 1.1 of VC data model spec, from here on in, the CCG will get updated any time there are major changes
... going forward, every monday there will be a github update email
... vc-edu and trace-vocab and other groups could also do the same, although it might lead to overload
Heather Vescent: Tooling?
Manu Sporny: It's a W3C tool
Juan Caballero: did-pkh meeting start this week, feel free to come if you're curious about blockchain PKI and pseudo-did-methods
Heather Vescent: Question for manu: anything we can do to help with the did-core objection process?
Manu Sporny: We've met with the objectors, taken notes, written them detailed responses... i can't think of much more CCG members can do, particularly if they're not W3C members
... one thing that W3C members CAN do is ask as well for the timeline
Manu Sporny: Definitely be polite and request timeline for the objection process (explaining that it's relevant to your organization's agenda and/or livelihood)
Heather Vescent: Would it make sense for VCWG to come report to this group some time soon?
Manu Sporny: I think probably not...
... unless people really want an update or have specific questions or issues they'd like to discuss with the whole CCG?
Heather Vescent: Calendar for rest of year: 7dec - update (and new cochairs?); 14dec - mprorock session, rest of dec- winter break
... anyone running task forces on CCG calendar, feel free to cancel meetings on CCG list and i'll update the calendar accordingly
<heather_vescent> New proposed work item:
Manu Sporny: Update on mDL-VC vocab work item proposal
<juancaballero> manu: convergence discussion has felt a little unmoored so some of us (db, mattr, spruce) worked together to make a strawman and internal interop test to see if a 1:1 mapping of mdl --> VC could work as a LD vocab for VCs
Adrian: wondering about revocation convo in SMART healthcard discussion?
... lessons to be had there?
<orie> does Smart Health Cards even support revocation?

Topic: Mobile Drivers License: Andrew Hughes

<heather_vescent> Thanks Andrew and Manu!
Andrew Hughes: Shareable version of slides forthcoming for the minutes
... and apologies for technical difficulties
... Long time since CCG, lead of identity standards team at Ping Identity; before that was identity standards lead at Idemia, which specializes in many identity products and flows
... I am trying to be a clear channel for information on the mDL
... (within bounds-- I can't share the specification itself, for example)
... I won't go through each slide 1 by 1 (this is a longer slide deck from IIW)
... and important disclaimer: I am presenting on my own behalf, not that of my employer
... Sept 2021 - 128013-5 (part 5) published, which covers connect, exchange, verify flow over specific set of transports (QR, NFC, BLE, Wifi aware)
... related standards: ISO 23220 pts 1-5 ->building blocks for mobile eID apps (which 18013-5 relies on... "backfill" order of operations is hard)
... 18013-6 test methods
... 18013-7 "day 2" topics - holder/prover authN, "verification without the verifier" (??), verification over the internet
<heather_vescent> Adrian, can we take your question at the end when we have others on the queue?
Andrew Hughes: Requests and responses (protocol work)
... sidenote: uL presented on this to CCG in detail
... multiple documents and namespaces allowed in a single request/response
... but mDL (18013-5) is one such document type and namespace
... (for the international DLs); AAMVA has added an additional namespace for state-level data models/overlays
Andrew Hughes: Although there are many private and state-level stakeholders, decision process has largely focused on NATIONAL scale
... motivations (IMHO and not my employers')
... issuer-centric (i.e. state drivers' bureaus); issuance definition deferred
... identification document was a secondary consideration, which happened in a later stage of the design after core drivers' licensing use-cases were fleshed out
Andrew Hughes: Contextualizing the adoption path and likely future of the spec: too issuer-centric to get widespread private sector uptake; not web-native enough to get widespread web uptake; co-existence with more web-native standards like VC seems a realistic hope to hold, imho
Andrew Hughes: Random addenda: Android working on "identity credential API"; Apple actively working on native mDL/mDocs support in Apple Wallet; AAMVA and international corollaries are making swift progress specifying trust frameworks (modelled on ICAO master CA list) for production-ready issuance infra a few years down the road
Andrew Hughes: mDL app scope: data model/data shape sketch
Andrew Hughes: Layering diagram
Andrew Hughes: Flow overview: 1 device engagement (handshake), 2 data retrieval (verifier scans holder's QR code with authorized reader hardware)
... "reverse engagement" still being discussed in ISO WG
Andrew Hughes: mDL flow chart schematic
Andrew Hughes: Security goals
Andrew Hughes: Data elements: not ideal, there's some awkward stuff made to keep verifier from having to trust ANY computation on device (nothing like predicates-- data queries flattened into static values)
Andrew Hughes: Session data is all in CBOR
... it keeps me up at night
Andrew Hughes: Data integrity - a very hard problem, i hope the vocab work item group can make some progress on this
... namely, the Mobile Security Object sent as a whole in all protocols
Andrew Hughes: Certificates - ICAO
Andrew Hughes: What is not in 18013-5
... scope was limited so that a "day1" could be published, lots of this stuff was left out for this tactic
Adrian: My question goes back to the very beginning: wallet focus for in-person, but everything else is in day2? could someone like me who participates in W3C or IETF participate in the ISO?
... perhaps this is leverage for us to intervene in day 2?
<mprorock> that is honestly totally unrealistic - ISO is where this will stay, and from a US standpoint NIST is the path
Andrew Hughes: TBH it's quite unlikely that the ISO group would take substantial feedback from CCG, or W3C, or anywhere else; front door is ISO via ANSI or your national body
... I have no good answer; it is what it is, all I can do is volunteer to relay some signals from outside
<mprorock> Join ISO, or work through NIST - open comms and practical implementable examples, etc
Heather Vescent: Is there a vice-versa? Any way we can send someone to the ISO WG?
Andrew Hughes: Invited guests can come to meetings and speak
... there are people in the decentralized id/VC world at the table already, i'm hardly the only one
... I personally look forward to seeing the work put together by DB, Mattr and Spruce, and I think implementable, tested code is the strongest enticement to invite guests
... The conversation is ongoing with many stakeholders, and all of the member orgs are contributing to expanding the scope and bringing in input from the market and the communities we know
Manu Sporny: Thank you so much for taking the initiative and donating your time here. you mentioned the "MSO" object and how it fits-- i have no easy answer
... there are ways to make it work, but it would require cooperation/dialogue with the mDocs implementers
... which can be quite hard to have from outside the ISO WG and its IPR perimeter
Andrew Hughes: Anyone who wants to talk about implementation details, feel free to reach out, those implementers aren't completely closed off to dialogue, although it might need to be indirect and definitely wouldn't happen at WG meetings proper
Manu Sporny: What is the best way for us to engage? What we've been doing doesn't seem to be working
... the WG was listed as an official liaison in the VCWG chartering process, and there was essentially no interaction until very recently
... I would imagine we're going to continue that activity as much as we can
... and of course we'll continue this VC vocab work in the open so that people can engage at least on our side of the conversation
... and the work-item team, all W3C members, could take the conversation via W3C liaison channels?
Andrew Hughes: ISO works on "paper, in-person meetings, and formality" - liaison officers are the formal channel for these kinds of inputs. I am such a liaison and there are others as well, I will look into seeing if anyone else wants to be designated for this
<mprorock> @andrew - would love to have that discussion re liaison - can you fire an email to the chairs on that topic?
Heather Vescent: +1 Mprorock
... a test suite and interop artefacts are always a welcome conversation-starter
<heather_vescent> "we all win together when the specs work together" Love it!
... when the specs work as broadly as possible and as designed/imagined, this convo is easier to have
... and if there are use-cases or formats or transports needed for the mDL to be useful in the world, that's another good inroad to conversation
