Mike Prorock: Recording is on awesome hello all and welcome to the weekly CCG meeting today we're going to be talking about the JFF plugfest this coming November and protocols and all sorts of fun stuff like that in addition we are going to be touching on some open issues that need some feedback in from the community just to make sure we want to adopt a particular work item so. ✪
Mike Prorock: With that I'm going to dive into the normal pro forma so just a quick reminder that everything that this is a W3C meeting right we're covered this is covered under the code of ethics and professional conduct and I'll put a link to that in the chat typically don't have issues with that here but I just did do like to note that right up front anyone can participate in these calls however any and all active. ✪
Mike Prorock: Of contributors to actual work items. ✪
Mike Prorock: CG does need to be a member of the not of W3C but of the CCG itself which does require a W3 account so if you need that just go ahead and create that and then join the community if you want to actually sign the art of our agreement and actually begin contributing to work these minutes in an audio recording of everything said are archived up on GitHub we do use the chat or IRC which is linked to the chat queue speakers so. ✪
<ian_davidson> I'm not getting any audio - is that a me issue?
<mprorock> In IRC type “q+” to add yourself to the queue, with an optional reminder
Mike Prorock: You type Q plus Q minus to pull yourself etcetera and if for some reason you don't have access to chat or unable to type in just go ahead and unmute and ask to be added to the queue and then we'll get you in let me just type a note Ian that he may need to refresh. ✪
<mprorock> @ian you may need to rejoin - or possibly try chrome
Topic: Introductions and Reintroductions
Mike Prorock: Of all the audio side so we are using our robot overlords described and then volunteers to jump in and make any text Corrections if needed quick call out for any introductions I do see some new folks in I would say let's hold on anyone that Sharon is going to introduce directly when we jump into jump into that topic but. ✪
Mike Prorock: There anyone new to this call or new to the community that would like to introduce themselves mr. Paul Dietrich closer. ✪
Paul_Dietrich_GS1: Hey there Paul Dietrich I'm from GS1 US for participating under GS1 Global Office with Phil Archer I'm in the innovation team at the US and have been exploring using verifiable credentials for GS1 licensing I'm happy to be here participating. ✪
Mike Prorock: Awesome it is great to have you and glad to have you on the call and looking forward to kind of deepening engagement there and very happy to have you guys jumping right in and I think today's fun one to jump into Andrew Hughes I see you on the queue. ✪
<naomi> Good day, Naomi here with Velocity Network Foundation
Andrew Hughes: Hi everyone thanks it's been a while since I've been on a CCG call but I'm director of identity standards at Ping Identity and deeply involved in the ISO work group for mobile driver's license where we two are wrestling with program and presentation so happy to hear what's going on and contribute and message back and forth. ✪
Mike Prorock: Awesome much appreciated and very glad to have you on this call and especially given I think a strong desire from this community in many many who work in this community to see alignment with verified you know around verifiable credentials particularly for online use cases John I see you on the queue. ✪
John Kuo: Hi I'm a project manager for the pocket initiative at ASU which is an educational records as a species. ✪
Lance: Hey everybody you know Lansford Roots ID we grew up out of the Cardano and Atala PRISM identity platform ecosystem and been involved in Trust over IP, DIF and Aries and I yeah this is my first CCG thanks to Sam Curren for letting me know about it. ✪
Mike Prorock: Awesome great to have you Steve Eisler. ✪
Steve_Eisler: Everybody works for credit Vera a company that's very largely focused on workplace compliance and we are also entering the VC space here and yeah looking forward to collaborating with a lot of you on moving away moving forward. ✪
Mike_Peck: Everyone that I've been working here for a little while happy to join and I come from the K-12 space or I'm a director of technology for public school in the u.s. also exploring verifiable credentials and decentralized identity through my work in the web three space as a co-founder of at three Dow. ✪
Mike Prorock: Excellent awesome cool any other last intros just look at the queue here. ✪
Mike Prorock: Oh right there is a proposed work item on we did announce this to the list I think two weeks well I think it was announced three weeks ago two weeks ago we noted just on the agenda for folks to take a look at it I see a big plus one I think there's support from the chairs as well for this work item and this is issue 233 the work item in question is to build a DID resolution test suite. ✪
Mike Prorock: And this is obviously highly valuable. ✪
Mike Prorock: It even done to this including example test reports there's two owners that are non-conflicting so it hits all kind of the core requirements as being related to credentials work you know having multiple sponsors and folks engaged in it I'm gonna just watch the queue for a minute to see does anyone request more time I think the most I would want to delay this given the importance of the work and being fact that it's also been discussed and. ✪
Mike Prorock: If there's any objection not necessarily an objection to the work item at this point just is there anyone who says yep I need some more time humph to take a look at this before we officially vote to add it in and if not I'm going to run it just a quick proposal for plus 1 to indicate support minus 1 no support 0 for neutral to adopt the work item so I'm just. ✪
Mike Prorock: Going to watch the queue for about 10-15. ✪
Mike Prorock: And just save a jumping in and then I'll type the actual official proposal. ✪
Mike Prorock: I call I am going to run this proposal now so hold your plus ones and I'll type it out and we'll get this on the record. ✪
PROPOSAL: Adopt DID Resolution Test Suite as a CCG Work Item
Mike Prorock: I'm just scanning here I'm not seeing any non support so last chance for anyone to speak up or I'm going to note on the issue that we are adopting it Tim I see a plus with nothing I'm assuming that's a plus one. ✪
Mike Prorock: All right cool alright I am going to close this up and we are going to mark that resolved so we just copy the text so I get it right. ✪
RESOLUTION: Adopt DID Resolution Test Suite as a CCG Work Item
<manu_sporny> Getting zero negative votes in a group of 64 people is an achievement. :P
Mike Prorock: Just take note of this real time so that it doesn't get lost. ✪
Mike Prorock: So thanks so much all I think this is pretty critical from an adoption and a validation standpoint so very much looking forward to getting this in and I would say Manu yes you have noted correctly that's that's about as good as we can get there so awesome with that I am going to move is into the main body of the. ✪
Mike Prorock: Which is yeah oh sorry sorry about that man. ✪
Manu Sporny: Hey sorry Mike I had put myself on the I thought I'd try something with you just a real quick heads-up we need to move RDF Dataset Canonicalization to a final community group specification and I think this is just me giving notice to the community that we're planning to do a final community group specification soon and we probably need to do that publication in the next. ✪
Manu Sporny: Work item so we need to move it over to them that's it. ✪
Mike Prorock: Great thank you Manu that's it that's an important call out and Manu did put the link into the chat there and yes we will be on the lookout just feel free to email the list when that's ready and we'll hop right on so. ✪
Harrison_Tang: And by the way I also want to give a quick shout-out to market for contributing the ID Tennessee to the come. ✪
Mike Prorock: He has seriously thank you Harrison Manu TPAC. ✪
Manu Sporny: Yeah just real quick there is a what happened at W3C TPAC last week I sent a summary email out to the CCG mailing list on anything that's publicly known so if you are wondering what happens there's a link there that that will highlight that stuff that's. ✪
Mike Prorock: Thank you and I appreciate the work on that because that is not trivial to assemble all that and figure out what's a see only etcetera so really appreciate that man. ✪
Topic: Wallet Protocol and JFF Plugfest #2
Mike Prorock: Um cool just checking queue and not seeing a queue I am going to hand it over to Sharon to kick things off and let's start having a fun conversation and moving into protocols and context for the plugfest and how those are all coming into play and why etcetera so Sharon are you good to start talking. ✪
<kristina> what's the context re CCG also covering DIDs now? re the resolution that just passed
Sharon Leu: Yeah and I'm going to talk very briefly because I think the person that you want to hear from is not me so just to those who don't know me my name is Sharon Leu and I work in an organization called Jobs for the Future and we have the pleasure of facilitating a number of plugfests basically our goal is to ensure that credentials are mobile with individuals and this group the CCG and the VC-EDU task force in particular are the perfect partners for us in that essentially for this. ✪
Sharon Leu: Plug desk like this to and I'll drop the link in the chat in just a second. ✪
<manu_sporny> Kristina, CCG is where DIDs were incubated
<dmitri_zagidulin> @Kristina - I think it's just the proposal that CCG stewards the DID /resolution/ test suite, that's all
<mprorock> @kristina - that resolution is to build out the test suite, so that will be helpful for the next DID working group
Sharon Leu: What we're saying is that for wallet implementers they need to show that a verifiable credential issued from two different credential issuers can actually indeed be presented in their wallets and then on the flip side that credential issuers can issue verifiable credentials into different wallets and I think the key here is how does the credential get into the wallet and that is our main question and so what we said is that in order to participate you have to select from one of the. ✪
Sharon Leu: The three most common protocols that are used by this community so. ✪
Sharon Leu: I think I will turn it over to Dmitry to mediate this little discussion about the three different credentials and protocols and how they might be the right one for you. ✪
<manu_sporny> Kristina, but DID Resolution was incubated in DIF, but then the CCG is handling the test suite :)
<manu_sporny> (it's complicated) :)
Dmitri Zagidulin: Right exactly this is no pressure low stakes okay so time is short so couple words of context setting so Sharon and Jobs for the Future Foundation is sponsoring an open protocol interoperability plugfest the day before IW this November this this second JFF plugfest focuses on. ✪
Dmitri Zagidulin: Where's and wallets and of course how do we test interoperability given that within this community and adjacent communities several many Protocols are being developed we've taken the most the most active and established in progress protocols which is W3C CCG's VC API and Credential Handler API as one OpenID Foundation. ✪
Dmitri Zagidulin: It's OpenID Connect for credential. ✪
<kristina> thanks manu
Dmitri Zagidulin: As to you and then Decentralized Identity Foundation's DIDComm presentation exchange the issuance part of that stack so. ✪
Dmitri Zagidulin: In order to demonstrate interoperability issuers and wallets will need to pick at least one of those three protocol groups and demonstrate interoperability to two different ones which of course leads to questions from implementers which profiles of the particular protocol should we support but that's not what we gather to talk about today today we want we want to address the development team. ✪
Dmitri Zagidulin: Calls who are issuers or wallets. ✪
Dmitri Zagidulin: Are unsure of what to start with so we invited a representative Champions really from each of the three API groups to give a brief introduction about that group's approach to credential issuance and and hopefully say a few words on why development team would want to choose that particular protocol in general or for this particular plugfest so does that make sense everything. ✪
Mike Prorock: Watching the queue here and I think let's just dive right in Dmitri. ✪
<manu_sporny> Feels straight-forward. :)
Dmitri Zagidulin: Okay let's dive right in I think for the interest of time let's let's try to keep it under 10 minutes to each each group. ✪
Dmitri Zagidulin: And then hopefully there'll be time for questions Evan Lally speaking for the VC API Group would you be ready to present. ✪
<kristina> what are the three? VC-HTTP API, OpenID4VCI and?
Evan_Lally_(Digital_Bazaar): Dmitri yeah I'm happy to present and I can keep it under 10 minutes can you hear me okay. ✪
<dmitri_zagidulin> @Kristina - DIDComm2
<alex> DIDCOMM v2
<kristina> ah
Evan_Lally_(Digital_Bazaar): I'm pretty good so I have a few things to share here like Dmitri said I'd like to talk about VC API and also about the combination of VC-API and CHAPI which is the Credential Handler API these two work together to provide a really simple implementation for communicating verifiable credentials out of the web and when you use CHAPI with VC API you're working with a protocol that is designed specifically to enable choice. ✪
Evan_Lally_(Digital_Bazaar): and to really facilitate this open ecosystem. ✪
<kristina> re sharon, OAuth might be a better framing than OIDC (re poll)
Evan_Lally_(Digital_Bazaar): Marketplace of different issuers verifiers and involves so today I'm not going to get too deep into the technical weeds I will put some email contact information in place if anyone has questions about the protocols themselves or about implementing these protocols to meet the goals of JFF plugfest 2 that's because that's really what we're here today to talk about us how can we help you to be successful in the plugfest so like I said CHAPI and VC API are really all about. ✪
Evan_Lally_(Digital_Bazaar): about providing an open ecosystem that. ✪
Evan_Lally_(Digital_Bazaar): Your choice and some of the examples were going to give are going to focus on issuing credential and storing it in a digital wallet so just be advised though that the CHAPI and VC API protocols work in many or all of the different use cases that involve communicating verifiable credentials it's just a little easier to think about it if you focus on something specific. ✪
Evan_Lally_(Digital_Bazaar): A user is signed up for a digital wallet that is CHAPI enabled which means that the wallet will register itself with the individual's browser as a credential handler and this is really at the core of the CHAPI technology so once the wallet registers itself with the user's browser as a credential handler then when any third party site asks to issue. ✪
Evan_Lally_(Digital_Bazaar): or asked to present a verifiable. ✪
Evan_Lally_(Digital_Bazaar): All the browser using a polyfill will present the individual with the choice of which wallet they want to use and so you can see here how this is designed to facilitate choice because any wallet can register itself with the individual's browser via this polyfill as a credential handler and then that wallet will show up as a choice whenever that individual goes to interact with the site. ✪
Evan_Lally_(Digital_Bazaar): Some examples and developer docs here at CHAPI dot IO so I'll paste the link to the site here there are also some links from CHAPI dot IO to the relevant W3C community group reports for CHAPI and also for the verifiable credentials API if you want to learn about the details for issuers the integration is really simple and you can check out this site here to see some code examples for how to integrate CHAPI and VC API into. ✪
Evan_Lally_(Digital_Bazaar): to your issuer code each of these examples has a little. ✪
<anil_john_[us/dhs/svip]> It would be good that to cleanly separate the VC-API (as the credential delivery mechanism to a wallet) from CHAPI (as a wallet selection mechanism) -- with the clear implication that it would be possible to mix and match the delivery protocols (VC API, OIDC4VC etc) w/ CHAPI <shrug>
Evan_Lally_(Digital_Bazaar): That will take you to an open source example project which is an end-to-end project that is hosted here on GitHub pages and so we're linking you to the source code but there are also some examples here in the readme for each of these projects so in this case this is the issuer and you can go to a demo here. ✪
Evan_Lally_(Digital_Bazaar): If you're working if you're thinking about using VC API and CHAPI for the plugfest we really recommend you hit this big button here at the top of CHAPI dot IO and this will take you to a tool site that we put together called the CHAPI playground CHAPI playground has four different example verifiable credentials including this one we put together from JFF plugfest one and so if I select this example it will populate the URL here and then press the generate verifiable credential to use an issuer to. ✪
Evan_Lally_(Digital_Bazaar): generate a fully formed verifiable credential that is. ✪
Evan_Lally_(Digital_Bazaar): To a fake I think DID here and then if I press the store and wallet button you'll see the CHAPI and VC API workflow so it pops up the CHAPI polyfill and I've told looks like in this browser I've already told that I prefer the various wallet and so it skipped over the selection screen and then you can see here this is a UI element that is rendered from the wallet then my in the polyfill so if you have different wallets the wallets can provide different. ✪
Evan_Lally_(Digital_Bazaar): analogy to the individuals in this case showing the. ✪
Evan_Lally_(Digital_Bazaar): Credential and then the credential is stored in the digital wallets if I go over here to my Baris wallet and refresh it I should see the credential that I just started so this tooling is available to everyone including the participants of the plugfest so if you are an issuer on what we can do is work with you to add your issuer back end to be one of the options from the playground so that we can just issue these example credential straight straight from your issuer to the. ✪
<ivan_(vid)> How it works with a mobile wallet?
Evan_Lally_(Digital_Bazaar): wallets or if you're a wallet we can work with. ✪
<dmitri_zagidulin> so a way to think about the separation is -- 1) CHAPI provides a Wallet Selector / mediator (which can be used with VC-API, OIDC4VCI etc), 2) VC-API provides the low-level API for a given wallet to talk to issuers/verifiers
Evan_Lally_(Digital_Bazaar): With CHAPI and VC API so that you can show the j-15 that you're able to receive one of these examples are done. ✪
Evan_Lally_(Digital_Bazaar): I'll put my email address in the chat if there's any questions I'm happy to answer them all flying or here with me. ✪
<manu_sporny> For a mobile wallet, you can click the "Use Native Wallet" button now... and in the future, native wallets will show up in the CHAPI selector... that's on the roadmap, hope to have that integrated within the next couple of months.
Mike Prorock: Excellent and just watching chat here I would note that Anil made a very good point which is that it's possible to mix and match CHAPI and VC API with other things so don't necessarily assume that one implies the other and vice versa right these are things that can be for instance CHAPI working with OpenID for instance as the wallet selection so there are some options there Dmitri I'll hand it back to you there after that interruption so. ✪
Dmitri Zagidulin: Thanks no not at all and I just wanted to also address one of the one of the questions in chat from Ivan which is how would CHAPI or VC API work with the mobile wallet. ✪
<kristina> so native apps can only use claimed URLs? ie app/universal links
<kristina> ah web share API..
Evan_Lally_(Digital_Bazaar): Yeah that's great so there is a native mobile feature in CHAPI and VC API already I can't show you that workflow right here because I'm using a browser but you can check it out or feel free to send me an email about it happy to walk you through it uses the Web Share API currently and we're working on some improvements now along the lines of what and you'll talk about. ✪
<dave_longley> Yes, kristina, that's an upgrade to CHAPI we're working on -- claimed URLs. Right now it uses Web share only.
Dmitri Zagidulin: Thanks Evan and to add to that yeah to answer Kristina's question in chat so the way that the wallet selector works with native mobile apps is to use the Web Share API so mobile apps register with the operating system that they support a particular type of credentials and so you can pass that credentials straight from the CHAPI dialogue to the appropriate mobile app. ✪
<kristina> gotch
Dmitri Zagidulin: All right any other questions before we move on to the next API. ✪
<paul_dietrich_gs1> Any version info we need for the slugfest?
Dmitri Zagidulin: Paul Dietrich in chat is asking any particular version that we need to focus on for the slugfest. ✪
<mprorock> /me likes slugfest so much better than plugfest
<kristina> /me LOL
Dmitri Zagidulin: I believe both the Credential Handler API and the VC API versions have been relatively stable the last handful of months so whatever the latest one is on the specs so VC API I believe it's version 3 and whatever the 1.0 CHAPI is. ✪
<evan_lally_(digital_bazaar)> thanks @dmitri - I've got to run, but @manu is here and much more knowledgeable than me anyway :)
Dmitri Zagidulin: Wonderful thank you so much and yeah just just to reiterate that the the two APIs already mentioned by Evan Credential Handler and VC API are separable that they handle slightly different aspect of the wallet to issuer interaction so they can be mixed and matched with other protocols okay. ✪
Dmitri Zagidulin: Have from the DIDComm camp today to present. ✪
Dmitri Zagidulin: Sam wonderful okay so Sam let's hand it over to you to talk about DIDComm again if possible under 10 minutes. ✪
<dave_longley> CHAPI just allows wallet selection -- you can run any protocol after the wallet has been selected. VC-API is one such protocol.
Mike Prorock: NB: this is human in the loop stuff - System to System (e.g. for traceability) is different, though may align with protocols discussed here ✪
Sam Curren: Totally I'll be I'll be brief there's been previous conversations about DIDComm and so I'll be short on that appreciate the invitation Dmitri for putting this together quick background on DIDComm and I've got a slide up here in the future that sort of helps compare a little bit but DIDComm itself is a little bit like saying HTTP in the sense that there's lots of stuff that you can do over HTTP and there's lots of stuff that you can do over DIDComm and so this is the diagram that we typically use the sort of describe what that looks like. ✪
Sam Curren: You're talking between two parties two of those Protocols of course there are the focus here might be the issue credential in percent per. ✪
<kristina> JWM...
Sam Curren: Inside a that have been built on top of a sort of DIDComm as a foundation quickly here's the the standards that DIDComm and when I say DIDComm for the duration of the conversation I'm talking about DIDComm v2 is that's the focus of the work at DIF and so here's the the standards that are that those are based on for the for the various pieces we've got code libraries and a whole bunch of different languages and again this is only the V2 links that are present here for DIDComm v2 and then just quick example of what this looks like with a library right you. ✪
Sam Curren: I mean you know that has a type in that has attributes to it and then you you pack that for the recipient and transmit it and then unpack happens as a similar operation we're not showing of course all the exceptions here and what happens if it's been tampered with or whatever else but this is the basic sort of main flow that you're you're going through so the reason I'm bringing some of the stuff up is because this will help differentiate a little bit between. ✪
Sam Curren: The other approaches and what DIDComm does the only. ✪
Sam Curren: Is that you have a DID with a DIDComm endpoint that doesn't mean the user has to be in front of a screen although that's common it there's no requirement for hosting infrastructure so there's really low requirements to make this happen the other reason why I bring this up is that any protocol that we're talking about here that also communicates DIDs has the potential to integrate and mix-and-match a little bit with DIDComm in the sense that if you start with an interaction via some other API you discover a DIDComm endpoint on the DID that you're provided in that process you can of course in. ✪
Sam Curren: Actions after that and so there's also kind of a nice blend and the integration point is specifically a resolvable DID with a DIDComm endpoint so here's a good slide I stole this from Daniel Hardman and it kind of helps compare a little bit this is I list the VC API HTTP API here the intention here open any connectors it could have a similar diagram not precisely this because it's it doesn't rely on exactly the same dependencies but the similar and so. ✪
Sam Curren: I lied the difference between the DIDComm spec itself which is here and then the stuff on top of it and I've listed WACI here and I'll talk about that in a second as the WACI DIDComm effort that happened in DIF as well to produce a narrow as possible profile that can be used for interactions using DIDComm and also a combination of technologies that have been defined elsewhere so so here's the idea and how to think about it we say DIDComm generally we each kind of mean all of this but but the DIDComm spec it. ✪
Sam Curren: Self only specifies this and has nothing to do with credential passing and then there are defined. ✪
Sam Curren: Saying protocols that live on top of that and so just a little bit of a clarification there the real magic here is actually the that I want to share is the as the WACI DIDComm effort I was I cannot take all the credit for this I was a participant but there was lots of work done by lots of others and so the the link to that is here and the it has examples and all the information gathered together in one spot about how to actually make this work and so there. ✪
Sam Curren: And good diagrams and demonstrations of what those actually look like here's an example of what the service endpoint looks like for a for a DIDComm endpoint in a DID document there this addresses routing which is how we get around and allow those with smart phones or other consumer-oriented devices to to end up as kind of first-class citizens in the in the exchange here without a need to to host API infrastructure or something somewhere. ✪
Sam Curren: Else and then this talks about the encryption pieces of that. ✪
<mprorock> not sure on a link to the preso
<mprorock> but i am sure dmitri will coordinate and get presos posted to the list
<kristina> what can be used as an invitation other than a QR code?
Sam Curren: That's handled for you but and then the actual flows are described here QR codes are often used for invitations and so the path there instead of taking the the CHAPI approach with browser involvement or polyfill there's it takes a little bit closer to the OpenID approach where it works with browsers but kind of using regular technologies and not direct involvement from the browsers to make that happen and so here's the various flows that are here I'm. ✪
Sam Curren: Goes in the QR code ends up looking a little bit more like this and then here's an example of offering a credential using the issue credential protocol and so the this attachment here is a credential manifest and so here on is actually not defined necessarily here but but by that other related spec but this gives you an example of the kind of shows you the whole thing in there and then there's of course example DIDs used in the in the concept there so don't need to walk through the whole thing but this is the place. ✪
Sam Curren: To come to if you've got questions in would and would likely be. ✪
<kim_duffy> what a nice greeting!
<kristina> Is there a syntax to request specific credential in DIDComm, or none without Presentation exchange/
<kristina> ?
Sam Curren: The most appropriate Target for something like a plugfest happy to answer there's lots of other stuff going on in various communities but but that's probably part of another conversation I am telegram Sam on all the socials or telegram Sam at gmail.com if you would like to reach out and ask questions or ways that I can help and that's that's my summary any any questions are we holding questions to the end. ✪
<kristina> (Hi, Kim!)
Dmitri Zagidulin: Thank you so much Sam I will take a couple of questions right now I just want to add to so again first of all thank you so much for coming by to present on this so specifically for JFF plugfest the protocol one of the three protocols that we're supporting and asking people to potentially implement is specifically the one that Sam mentioned here WACI DIDComm so the. ✪
Dmitri Zagidulin: Of that stack there was I believe there was a question from Kristina about invitations other than QR codes and then another question about is there syntax to request specific credential in DIDComm. ✪
Sam Curren: Yes so let me leave me tempos and I stop sharing so that I can see the chat the there you can also use a link that this the same data that's in the QR code but it's presented in a link for them in order to to pass an invitation the other thing is that the invitations only needed if you don't already know the DID of the other party if you happen to know that the the DID of the other party then you just send a message there's not really an invitation step needed there and so. ✪
Sam Curren: And so that's just you know if I walk up or I'm. ✪
<dave_longley> Note about how CHAPI works: Any "invitation link" (any URL for any protocol) could be passed through CHAPI so the user can select any wallet they've registered with their browser.
<manu_sporny> In other words, CHAPI can support a DIDComm introduction as well (if there was interest in doing that)
Mike Prorock: +1 Dave - there are some nifty things you can do with that for wallet selection ✪
Sam Curren: Haven't been interacting with them that can make it easier the the protocol to support a specific credential yes so so presentation exchange is one of those there are other formats depending on the types of credentials you're actually requesting for example there's a non-credit specific one if you're working with a non credentials but the protocol itself doesn't Define those those are defined by the other the other formats that are. ✪
Sam Curren: In past so presentation exchange is a really good one to use. ✪
Sam Curren: Offices but but the the DIDComm protocols themselves don't actually have an opinion about what credential is passed inside of them. ✪
<kristina> does DIDComm define how to return the credential? guess no
<aditya_-_entrustient> Are connections necessary in WACI-DIDComm for issuance of credential and Is the WACI DIDComm interoperable with Aries? The protocols look very similar.
<mprorock> didcomm itself is broadly transparent to payloads which can be nice
Sam Curren: It's it defines how to return the credential but not what the credential format is I'm answering Kristina's question in chat so it comes back in a payload that says here is the credential but it does not define of course the details about what is inside the credential format itself so whether you're turning a JSON-LD credential or a JWT credential or a non-credit those all passed back in the same message as part of that so it definitely does define how to return the message but not the details of what's inside the messages itself. ✪
Sam Curren: Or the sorry the credentials itself. ✪
Sam Curren: Is the WACI DIDComm interoperable with Aries so there were a lot came so DIDComm itself came from Aries so the fact that there's some stuff that looks similar there is normal there is planned efforts there the completion of the DIDComm V2 spec landed at a slightly inconvenient time for the Aries community in that they are already engaged in the pursuit of AIP 2 which is their interoperability profile in the Aries community and so it will be. ✪
<mprorock> aries framework go is not a bad way to start down interop and common support across differing profiles based on our experience
Sam Curren: Be and there are some of the Aries projects that already have it. ✪
<alex> I noticed that the issuance credential contains a credential manifest but while looking at the issuance on OIDCv4 there is no mention of a manifest. How do those interpolate?
<kristina> I mean, is it a general DIDComm message that includes a returned credential, how does a verifier know how to understand the payload?
Sam Curren: Early Universal support for that there will be in the future but there isn't now mostly because of an accident of the timelines and in that Community sort of already being engaged in an effort the next effort will definitely involve a transition to DIDComm V2 and also all the associated changes that make WACI support nearly automatic. ✪
<kristina> yeah, I would imagine DIDComm for issuance is Credential manifest and not Presentation Exchange? (they are complementary, sure..)
<niels_klomp_-_sphereon> OIDC4CI doesn't use Credential Manifest AFAIK, right Kristina?
<kristina> nope
Dmitri Zagidulin: No problem no problem which and we should we can save subsequent questions for our after the OIDC group goes my actually my clarification question is would you say there's a large overlap between WACI DIDComm and the Aries protocol if a team is familiar with Aries they should have any problem supporting WACI DIDComm is that correct. ✪
<kristina> we have a simple syntax how issuer publishes what credential type/format/display info it supports in its metadata
Sam Curren: There is a large overlap if they're not already using like the Credential Manifest and Presentation Exchange stuff then that will be a little bit of extra work but yes it's very similar and so the other differentiator that I wanted to mention if you're choosing between which one you want to support for the plugfest is that DIDComm is not designed as a browser oriented interaction or an interaction that requires you to be present in the sense that you're in an OpenID Connect exchange it does similar things to those but one of the differentiators. ✪
Sam Curren: Dating factors is that once you have a connection you can send a message over that connection at any time so if you. ✪
Sam Curren: The party for example and you would like to request a new credential of a new type or an updated one for example then that can be done directly via DIDComm and not necessarily have to be done with an interaction through you know involving a browser or something similar so that's probably the biggest differentiator again there's lots of overlap there but because of the protocol oriented nature of the thing it works well for that so my comment there applies specifically to mobile wallets. ✪
Sam Curren: The protocols do of course support web wallets but but. ✪
Sam Curren: Frenchy ation the ability to reach out at a future time using those protocols when the user may not be in front of the same screen or in front of a computer at all but just have their mobile device is one way to make that happen and I know that that's not a differentiator there's other features there as well I'm not trying to start a feature where discussion but but that's something that if you're interested in it might be worth your attention. ✪
Dmitri Zagidulin: Thank you so much Sam all right let's move over to OpenID Connect and then we'll take questions to the three presenters in general so who will be presenting for OpenID Connect for Verifiable Credential Issuance. ✪
Torsten_Lodderstedt: That will be I lost a lot of time. ✪
Dmitri Zagidulin: Wonderful take it away Torsten. ✪
Torsten_Lodderstedt: I have to be yeah can you see my screen. ✪
Torsten_Lodderstedt: Okay so I'm just familiar with the tool so bear with me. ✪
Torsten_Lodderstedt: Alright hello everybody my name is Lodderstedt I've got a pleasure to be one of the co-authors of the OpenID Connect for Verifiable Credentials protocol family with me on the call I think today is Kristina Yasuda and David Chadwick David are you here as well. ✪
Torsten_Lodderstedt: Doesn't seem to be the case all right so can you see the. ✪
Dmitri Zagidulin: We do have David thank you go ahead. ✪
Torsten_Lodderstedt: Okay so David just one question for orchestration purposes do you want to show you a demo. ✪
<bumblefudge> (bit a delay-- sharks chewing on the transatlantic wire perhaps)
David Chadwick: I will show the tools we have ready [scribe assist by Manu Sporny] ✪
<mprorock> we can hear you fine david
<dmitri_zagidulin> oh nooo, I think we have a network partition - Torsten can't hear DavidC
<mprorock> a missing oauth scope
Torsten_Lodderstedt: Okay I can't hear you all right so let's get started so the OpenID for Verifiable Credentials Issuance is one initiative that is conducted at the OpenID Foundation in cooperation with the Decentralized Identity Foundation and ISO and what we do is we define a set of protocols that can be used for different interfaces that are relevant to decentralized identity so we've got the presentation side of things where we have OpenID for Verifiable Presentations and Self-Issued OP v2 and. ✪
Torsten_Lodderstedt: The issuance side which we will be focusing on today which is. ✪
Torsten_Lodderstedt: Technical standpoint OpenID for Verifiable Credential Issuance is an OAuth authorized or protected API so the credential issuer exposes an HTTP based API and all the security around it might be the user authentication consent for credential issuance and other stuff is being done using OAuth so how that happens is quite simple so first of all the wallet sends an authorization request on behalf of the user to. ✪
Torsten_Lodderstedt: the credential issuer which specifies which kind of. ✪
Torsten_Lodderstedt: And after the issuer has for example authenticated the user and requested and gathered consent the credential issuer as an authorization server issues an access token this is vanilla OAuth stuff if there is a long-term connection the credential issuer might also issue a refresh token which is pretty interesting because that allows to for example refresh credentials in a very pragmatic way so you can issue a short term. ✪
Torsten_Lodderstedt: credentials and then from time to time for a new career. ✪
Torsten_Lodderstedt: So I request the authorization to obtain a credential and then obtain that credential in different formats because the OpenID for Verifiable Credentials Issuance is credential format agnostic so we want to support a variety of credential formats going forward and then there is the actual credential issuance API this is an OAuth protected endpoint a resource server in OAuth terminology and the wallet uses the access token and. ✪
Torsten_Lodderstedt: early request to credential with that request also comes things. ✪
<kristina> wallet sends the request to the Issuer, wallet may already know which issuer, which credential type (wallet initiated); or it might get that idea from the initiate issuance request (issuer initiated flow)
Torsten_Lodderstedt: And in response the credential issuer issues a credential or perhaps also multiple credentials we are working on better issuance as well. ✪
<alex> How does the credential manifest fit in here? Is it optional in transaction 0 ?
<kristina> credential manifest is not used
Torsten_Lodderstedt: Couple of protective potential and point we leverage all the different flows that exist in the OAuth universe and all the packages that existed including the different methods for securing all these authorization flows we have defined a new pre-authorized code flow for some of the user experiences are can be found in the decentralized world but at nicely fits into the OAuth framework or of open ID for a very vibrant relationship. ✪
Torsten_Lodderstedt: science is credential format agnostic so can be used with high voltage. ✪
Torsten_Lodderstedt: With ISO mDL with over credentials and that also it requires us to support different kinds of proof of possession for key material which we do if a wallet wants to know what the issuer's capabilities are there is a metadata facility which we in the end derived from the OAuth and OpenID metadata facility that can be used to exactly determine this kind of information. ✪
<kristina> the same access token (symbolizing user consent) can be used to issue same credential of multiple formats (W3C VC and ISO mDL for example) or bind the same credential format to different key (multiple DIDs)
Torsten_Lodderstedt: Is the request for a wallet that request authorization to request a credential of type Open Badge credential this is all vanilla OAuth and when the issuer is done processing the authorization request the wallet gets in the code that it changes for an access token and that access token which is shown here in that part of the message is sent to the HTTP a protected API. ✪
Torsten_Lodderstedt: so we've got a couple of parameters over. ✪
<mprorock> that multi format / binding behaviour may be of help when bridging mDL to VCs
Torsten_Lodderstedt: The format in this case it's ldp_vc which means it's an LD proof we want to bind the credential to a DID key and we also have a JWS object that is the proof of possession of the private key corresponding to that DID so that's basically it is and then as a result what we get is a response which determines the format no surprise that's ldp_vc and we've got the credential which can be. ✪
Torsten_Lodderstedt: which must be of the format that they decline. ✪
Torsten_Lodderstedt: You're real that's the sequential that was issued which is a open Richmond Dental. ✪
<kristina> if you have an existing OAuth infrastructure, the minimum is to add a new credential endpoint, if you are using scopes to request a certain credential (which allows even large scale systems like msft to move to this model)
Torsten_Lodderstedt: Why should you consider to use open ID for graduations there are a couple of reasons for that first of all it leverages the simplicity and security of OAuth I mean OAuth is successful because it is secure and simple to use and there are tons of libraries available in all kinds of programming languages and we are basing on that second the protocol works for all kinds of wallets so could be a native app can be web app. ✪
Torsten_Lodderstedt: it can be can be something hybrid there are protein. ✪
<dmitri_zagidulin> @kristina - does that mean that the issuance initiation endpoint is optional?
<kristina> yes
<dave_longley> How are the acceptable cryptosuites for the DID proof expressed? (not vc-jwt vs. ldp, but rather ... Ed25519Signature2020 or JsonWebSignature2020, etc.)
<kristina> for the issuer, issuer metadata
Torsten_Lodderstedt: More advanced implementations that utilize our protocol and a guy for that and if you want to implement it you can use the OAuth library of your choice and there are plenty of them available all it needs is in addition to the OAuth library you need to set up the HTTP protected endpoint to actually in this is symmetric fashion process the credential issuance request and reduce the response and if you happen to have an existing OAuth or OpenID deployment. ✪
Mike Prorock: +1 Kristina - this also maps well to the system to system use cases at scale we see in supply chain that are also leveraging oauth and scopes in a similar manner ✪
<dave_longley> how easily can you separate the authz server from the issuer server?
<kristina> very easy
<dmitri_zagidulin> @kristina - what about for the wallet? (how does the wallet specify which crypto suite it prefers to receive?)
Torsten_Lodderstedt: More lecithin you and pointed at deployment and use your existing infrastructure the authorized access and even use the existing identity data to turn your OpenID OP into a credential issuer which we think is a key success factor because credentials need to be minted from parties that already have identity data and so I think we this is a way to really foster adoption of the decentralized identity principles the protocol itself. ✪
Torsten_Lodderstedt: self does not have a certain selection or Discovery back. ✪
<alex> Can you do selective disclosure using BBS+ signatures?
<kristina> in microsoft's implementation, we use existing authz endpoints that deal with billions of transactions and for the issuance, building a new endpoint
<sam_curren> Yes
<mprorock> easily separable, and also easy to get support plugged into existing oauth services
<dave_longley> does the issuer server or the authz check the DID proof? ... if the issuer server, does it also function as an authz server by serving authz server metadata RFC8414?
Torsten_Lodderstedt: With all kinds of those mechanisms so for example you can use custom schemes which works well along a across a cohort of native wallets you can have selectors you can have something like CHAPI so you can combine it with whatever is needed and there are different examples deployed in the wild one other thing that I would like to emphasize is that you to the way out. ✪
Torsten_Lodderstedt: OAuth works and OpenID works. ✪
<kristina> @dmitri, for the wallet depends on the chooser mechanism
<kristina> @dave, issuer server
Torsten_Lodderstedt: Out of flexibility how you are constructed designed the user interaction at the issuance site because you've got the full user interface control can authenticate the user can do whatever you want and needs to gather user consent and so on the protocol works for same device and cross-device scenario and it supports different security levels we have recently been working on a design options for really substantial and high security levels which are required for example for regulating. ✪
Torsten_Lodderstedt: these schemes like ìitís but a simple. ✪
<kristina> @dave currently, issuer server's metadata is being published in the authz server metadata
Torsten_Lodderstedt: And as I said it's credential format agnostic so once you have implemented it in your issuer it's easy to support different kinds of credential formats because in my opinion that's important because this market is so emerging and there are so different approaches on the way it's good to have that option in the pocket there are couple of implementations already underway and I will also like to mention that ISO has decided to adopt that for. ✪
Torsten_Lodderstedt: Take credentials and with that I'm through with my slide deck if time permits. ✪
<niels_klomp_-_sphereon> yes
Mike Prorock: That one quick kind of chair question with the ISO note there with this potentially then provide a path for use of mDL and verifiable credentials say for dual issuance cut type scenarios or bridging mDL over to verifiable credentials where required. ✪
<dave_longley> @kristina - so would that perhaps be separable in the future? it seems that the issuer should be responsible for generating the challenge nonce and expiration period since it will be checking the DID proof it is used in (not the authz server)
Kristina: Yeah so they're really implementations emerging where people are using up any pervasive product location most ISO mdl format a credential and every CVC on so diet is possible that your site on the presentation on depends on the choices that I saw working at feel make the near future but there is really high probability we can enable a password the same presentation response can include those I swim Geo and there was received. ✪
Torsten_Lodderstedt: All right just met I can run you a quickly through the demo just takes a minute or so. ✪
Dmitri Zagidulin: Yes sir if you don't mind real quick since I think there's more questions go ahead. ✪
Shawn Butterfield: +1 To this approach... Using OAuth to bootstrap the interaction is extremely valuable for enterprises with identity walled gardens. Allows for a much smoother transition to decentralized trust infra. ✪
Manu Sporny: Yes, it is not easy and hence big caveat "if we are successful" :D ✪
Torsten_Lodderstedt: Okay so let's assume I'm in my wallet is in this case it's a web it's a web wallet. ✪
Dave Longley: +1 To ensuring authz and issuing servers in OIDC4VCI can be cleanly separated (i think there's more work to be done there, but it's a really important goal) ✪
<mprorock> chair hat off: +1 to this approach - and mesur.io plans to add support
Torsten_Lodderstedt: So I don't have a credential in my wallet now I request a credential in this case the wallet offers me several issuers I mean it's a bit similar to what we have seen in the first presentation so we already know some of the issuers and then I'm being sent to the issuer and this is a simple standard OAuth authorization request as you might see from the URL and I'm logging in to the site and I. ✪
<mprorock> that is for human in the loop use cases for us
Torsten_Lodderstedt: Screen but it's a prototype and here's the see that that's everything so I went through the authorization process the wallet gets an access token and obtained the credential and then I accept that credential and that's it right so that's how easy as it can look and with that I'm done with my presentation. ✪
<shawn_butterfield> Shortest demo ever. Love that.
<niels_klomp_-_sphereon> If you ask me without going into politics of SSI, the integration into OID allows for far easier adoption in existing enterprise systems
<anil_john_[us/dhs/svip]> It feels as though the metadata created by the issuer is distributed across multiple locations (did document, revocation status info, OIDC stuff etc.) Given that DID resolution provides a cross-network mech for mapping the identifier of an issuer to a did document.. Would it make sense to consolidate the location long term (i.e. target of resolution)
Dmitri Zagidulin: Wonderful thank you so much so we're eight minutes till the top of the hour I'm got a lot to go through in the interests of time we usually repeat the questions asked in chat but in this case we're going to skip them so if those of you joining in voice only please take a look at the chat transcript afterwards to make sure you haven't missed the questions for the OpenID Connect group I want to say a couple more words and then handed over to. ✪
<mprorock> Chair Note: please do feel free to engage on list to keep things rolling and deep dive on various items
Dmitri Zagidulin: JFF next steps I see there's Manu in the queue so before we go over to Manu I want to mention that so thank you so much to all three presenters for coming and talking about API stacks developers who are unsure which protocols to implement please direct questions to either the ccg public mailing list or the. ✪
<kristina> please think of OpenID4VCI differently from SIOPv2/OpenID4VP side
Dmitri Zagidulin: Reminder to implementers that all three protocol stacks allow for DID authentication and that is something that I will be requiring at the JFF plugfest so championed the VC API which we didn't go into too much detail here besides pointing out that it's there and it's kept separable from Credential Handler API I urge you to look into the details on your own but couldn't handle it behind. ✪
Dmitri Zagidulin: Education WACI DIDComm has a mechanism for DID auth and then OpenID Connect for VC issuance has a mechanism for DID also when you pick a protocol that will determine your method of DID authentication which we will be looking for a JFF. ✪
<kristina> Issuance using OAuth does not have the limitations of turning user's native app into an authorization server :)
<kristina> @Aditya working on, conformance test suite for OpenID4VC
Dmitri Zagidulin: As Kristina mentions in chat the OpenID Connect family's protocols are three separate protocols so there's separately Self-Issued OpenID Connect there is OpenID Connect for VC issuance which is what was presented today and then there's a separate one OpenID Connect for presentation which is something that incidentally that the JFF plugfest 3 will be testing okay any other quick questions before. ✪
David Chadwick: Just to show tools that are available via NGIAtlantic, profile for OIDC, web pages for people to join details and tools to help them. [scribe assist by Manu Sporny] ✪
Dmitri Zagidulin: Wonderful thank you so much in case we run out of time to show the tools can you paste the URLs to the tools in chat here for people to investigate thank you so much. ✪
<mprorock> handing things over to Harrison as I am at a hard stop - really appreciate the time from everyone today - this is an awesome topic
Sharon Leu: Great thank you all for such a great presentation I feel like all of the questions are answered and everyone is exactly what they're supposed to do right perfect because the deadline to choose a protocol for your participation in plugfest 2 is September 30th end of the day whatever your time zone is so I think that everyone has gotten an email from us about how to do this how to do the quote-unquote selection which is basically updates a Google spreadsheet there. ✪
Sharon Leu: Can you to be technical questions which I'm sure there are. ✪
<manu_sporny> hahaha :P -- yes, the path forward is crystal clear :P
<dmitri_zagidulin> @manu - hahahaha glad to clarify! :)
Sharon Leu: Are available on the PC edu mailing list so please definitely subscribe to that send an email to public Dash pcc.edu and hit the put the word subscribe in the headline I guess the same way that you do any other listserv and ask your questions there so I think that's it September 30th part of why we have September 30th is the deadline is Because unless you select a protocol it's very difficult for you to find partners with you know. ✪
David Chadwick: https://idp.research.identiproof.io/ for wallets to test OIDC. It works for cloud wallets, same device smart wallets and cross device smart wallets ✪
Sharon Leu: Ability with and the deadline for that will be the following week after that so yeah let us know if you have any additional questions or what some technical assistance but look forward to working with everyone again and thank you all for your time. ✪
<davidc> You need to enter the un: user and the pw: password to authenticate to the site
Dmitri Zagidulin: Thank you so much Sharon so again if you have questions about protocol choice please post on the mailing list your next task is as implementers to decide in protocol and find interoperability partners meaning if you're issuers you're going to need to find wallets if you're a wallet provider you're going to need to find issuers other than your own to test with. ✪
Dmitri Zagidulin: I believe that's it Harrison over to you. ✪
Harrison_Tang: Thank you thank you Dmitri thank you Sharon and thank you to all the presenters. ✪
Harrison_Tang: Maybe I'll see you around the queue but you probably already on that make that announcement right. ✪
<kristina> @Aditya, why would you do that..? package Aries req?
Harrison_Tang: Sounds good we do have two minutes so please do. ✪
<torsten_lodderstedt> need to leave for the next meeting - thanks a lot for the opportunity to present our work
<dmitri_zagidulin> thanks everyone for attending, and for your excellent questions. We realize that this is a difficult topic that's hard to fully cover in 10 mins each, we encourage you to ask follow-up questions.
<harrison_tang> thank you, Torsten, for sharing
<dmitri_zagidulin> thanks Torsten!
<sharon_leu> thank you, torsten!
<aditya_-_entrustient> @kristina - Create Out of band credentials using Aries and use OpenID4VCI to transfer to a holder?
<niels_klomp_-_sphereon> I wouldn't see why that wouldn't be possible
<rgrant_ryan> thx everyone
Dmitri Zagidulin: Thank you again David for demoing and this brings up a good point so on the JFF side will be looking for API communities to put forth testing sites like that to make it easier for wallet implementers to test against and vice versa so we look forward to using David's and similar projects on the VC API and Credential Handler side. ✪
Dmitri Zagidulin: All right I think that's up top of the hour for us. ✪
<kerri_lemoie> Thanks all! Great call!
<sharon_leu> Thank you!
<dave_longley> You can also use VC-API to generate VCs and then deliver them using CHAPI + OIDC4VCI.
<julie_keane> Thanks all
Harrison_Tang: All right thank you Dmitri and thanks everyone for attending will conclude this week's meeting will work on publishing the minutes in the next few days and then you have any questions please feel free to send it to the mailing list thanks. ✪