<ian_davidson> I'm not getting any audio - is that a me issue?
<mprorock> In IRC type “q+” to add yourself to the queue, with an optional reminder
<mprorock> @ian you may need to rejoin - or possibly try chrome
Topic: Introductions and Reintroductions
Paul_Dietrich_GS1: Hey there, Paul Dietrich. I'm from GS1 US, participating under GS1 Global Office with Phil Archer. I'm in the Innovation team at the US and have been exploring using verifiable credentials for GS1 licensing. I'm happy to be here participating. ✪
<naomi> Good day, Naomi here with Velocity Network Foundation
Lance: Hey everybody, you know Lansford Roots ID, we grew up out of the Cardano and Atala PRISM identity platform ecosystem and been involved in Trust over IP, DIF, and Aries, and yeah, this is my first CCG. Thanks to Sam Kern for letting me know about it. ✪
Steve_Eisler: Everybody works for credit Vera a company that's very largely focused on workplace compliance and we are also entering the VC space here and yeah looking forward to collaborating with a lot of you on moving away moving forward. ✪
Mike_Peck: Everyone that I've been working here for a little while, happy to join, and I come from the K-12 space or I'm a director of technology for public school in the U.S., also exploring verifiable credentials and decentralized identity through my work in the Web3 space as a co-founder of at three Dow. ✪
<manu_sporny> Kristina, but DID Resolution was incubated in DIF, but then the CCG is handling the test suite :)
<manu_sporny> (it's complicated) :)
<kristina> thanks manu
<manu_sporny> Feels straight-forward. :)
<kristina> what are the three? VC-HTTP API, OpenID4VCI and?
Evan_Lally_(Digital_Bazaar): Symmetry yeah I'm happy to prisoner and I can keep it under 10 minutes can you hear me okay. ✪
<dmitri_zagidulin> @Kristina - DIDComm2
<alex> DIDCOMM v2
Evan_Lally_(Digital_Bazaar): I'm pretty good so I have a few things to share here like to meet you said I'd like to talk about VC API and also about the combination of VC-API and CHAPI which is the credential Handler API these two work together to provide a really simple implementation for communicating verifiable credentials out of the web and when you use CHAPI with VC API you're working with a protocol that is designed specifically to enable choice. ✪
Evan_Lally_(Digital_Bazaar): and to really facilitate this open ecosystem. ✪
<kristina> re sharon, OAuth might be a better framing than OIDC (re poll)
Evan_Lally_(Digital_Bazaar): Marketplace of different issuers verifiers and involves, so today I'm not going to get too deep into the technical weeds. I will put some email contact information in place if anyone has questions about the protocols themselves or about implementing these protocols to meet the goals of jmf plugfest to that's because that's really what we're here today to talk about us how can we help you to be successful in the plugfest, so like I said CHAPI and VC API are really all about. ✪
Evan_Lally_(Digital_Bazaar): about providing an open ecosystem that. ✪
Evan_Lally_(Digital_Bazaar): Your choice, and some of the examples we're going to give are going to focus on issuing a credential and storing it in a digital wallet. So just be advised, though, that the CHAPI and VC API protocols work in many or all of the different use cases that involve communicating verifiable credentials; it's just a little easier to think about it if you focus on something specific. ✪
Evan_Lally_(Digital_Bazaar): A user is signed up for a digital wallet that is CHAPI-enabled, which means that the wallet will register itself with the individual's browser as a credential handler, and this is really at the core of the CHAPI technology. So once the wallet registers itself with the user's browser as a credential handler, then when any third-party site asks to issue. ✪
Evan_Lally_(Digital_Bazaar): or asked to present a verifiable. ✪
Evan_Lally_(Digital_Bazaar): All the browser using a polyfill will present the individual with the choice of which wallet they want to use, and so you can see here how this is designed to facilitate choice, because any wallet can register itself with the individual's browser via this polyfill as a credential handler, and then that wallet will show up as a choice whenever that individual goes to interact with the site. ✪
Evan_Lally_(Digital_Bazaar): Some examples and developer docs here at CHAPI dot IO, so I'll paste the link to the site here. There are also some links from CHAPI dot IO to the relevant W3C community group reports for CHAPI and also for the Verifiable Credentials API if you want to learn about the details. For issuers the integration is really simple, and you can check out this site here to see some code examples for how to integrate CHAPI and VC API into. ✪
Evan_Lally_(Digital_Bazaar): to your issuer code each of these examples has a little. ✪
<anil_john_[us/dhs/svip]> It would be good to cleanly separate the VC-API (as the credential delivery mechanism to a wallet) from CHAPI (as a wallet selection mechanism) -- with the clear implication that it would be possible to mix and match the delivery protocols (VC API, OIDC4VC etc) w/ CHAPI <shrug>
Evan_Lally_(Digital_Bazaar): That will take you to an open source example project which is an end-to-end project that is hosted here on GitHub pages and so we're linking you to the source code but there are also some examples here in the readme for each of these projects so in this case this is the issuer and you can go to a demo here. ✪
Evan_Lally_(Digital_Bazaar): If you're working, if you're thinking about using VC API and CHAPI for the plugfest, we really recommend you hit this big button here at the top of CHAPI dot IO, and this will take you to a tool excite that we put together called the CHAPI Playground. CHAPI Playground has four different example verifiable credentials, including this one who put together from jmf plugfest one, and so if I select this example it will populate the URL here, and then press the generate verifiable credential to use an issuer to. ✪
Evan_Lally_(Digital_Bazaar): generate a fully formed verifiable credential that is. ✪
<kristina> CHAPI can be usable with OpenID4VCI
<manu_sporny> Yes, correct.
Evan_Lally_(Digital_Bazaar): To a fake, I think, DID here, and then if I press the store and wallet button you'll see the CHAPI and VC API workflow. So it pops up the CHAPI polyfill and I've told looks like in this browser I've already told that I prefer the various wallet, and so it skipped over the selection screen, and then you can see here this is a UI element that is rendered from the wallet then my in the polyfill, so if you have different wallets the wallets can provide different. ✪
Evan_Lally_(Digital_Bazaar): analogy to the individuals in this case showing the. ✪
Evan_Lally_(Digital_Bazaar): Credential and then the credential is stored in the digital wallets if I go over here to my Baris wallet and refresh it I should see the credential that I just started so this tooling is available to everyone including the participants of the plugfest so if you are an issuer on what we can do is work with you to add your issuer back end to be one of the options from the playground so that we can just issue these example credential straight straight from your issuer to the. ✪
<ivan_(vid)> How it works with a mobile wallet?
Evan_Lally_(Digital_Bazaar): wallets or if you're a wallet we can work with. ✪
<dmitri_zagidulin> so a way to think about the separation is -- 1) CHAPI provides a Wallet Selector / mediator (which can be used with VC-API, OIDC4VCI etc), 2) VC-API provides the low-level API for a given wallet to talk to issuers/verifiers
Evan_Lally_(Digital_Bazaar): With CHAPI and VC API so that you can show the j-15 that you're able to receive one of these examples are done. ✪
Evan_Lally_(Digital_Bazaar): I'll put my email address in the chat if there's any questions I'm happy to answer them all flying or here with me. ✪
<manu_sporny> For a mobile wallet, you can click the "Use Native Wallet" button now... and in the future, native wallets will show up in the CHAPI selector... that's on the roadmap, hope to have that integrated within the next couple of months.
<kristina> so native apps can only use claimed URLs? ie app/universal links
<kristina> ah web share API..
Evan_Lally_(Digital_Bazaar): Yeah that's great, so there is a native mobile feature in CHAPI and VC API already. I can't show you that workflow right here because I'm using a browser, but you can check it out or feel free to send me an email about it, happy to walk you through. It uses the Web Share API currently and we're working on some improvements now along the lines of what and you'll talk about. ✪
<dave_longley> Yes, kristina, that's an upgrade to CHAPI we're working on -- claimed URLs. Right now it uses Web share only.
<paul_dietrich_gs1> Any version info we need for the slugfest?
<mprorock> /me likes slugfest so much better than plugfest
<kristina> /me LOL
<evan_lally_(digital_bazaar)> thanks @dmitri - I've got to run, but @manu is here and much more knowledgeable than me anyway :)
<manu_sporny> Thank you, Evan! That was great!
<dave_longley> CHAPI just allows wallet selection -- you can run any protocol after the wallet has been selected. VC-API is one such protocol.
<shawn_butterfield> Is there a link to this presentation? Did I miss that in IRC?
<mprorock> not sure on a link to the preso
<mprorock> but i am sure dmitri will coordinate and get presos posted to the list
<kristina> what can be used as an invitation other than a QR code?
<manu_sporny> Kim!!!! :)
<kim_duffy> what a nice greeting!
<kristina> Is there a syntax to request specific credential in DIDComm, or none without Presentation exchange?
<kristina> (Hi, Kim!)
<dave_longley> Note about how CHAPI works: Any "invitation link" (any URL for any protocol) could be passed through CHAPI so the user can select any wallet they've registered with their browser.
<manu_sporny> In other words, CHAPI can support a DIDComm introduction as well (if there was interest in doing that)
<kristina> does DIDComm define how to return the credential? guess no
<aditya_-_entrustient> Are connections necessary in WACI-DIDComm for issuance of credential and Is the WACI DIDComm interoperable with Aries? The protocols look very similar.
<mprorock> didcomm itself is broadly transparent to payloads which can be nice
<mprorock> aries framework go is not a bad way to start down interop and common support across differing profiles based on our experience
<alex> I noticed that the issuance credential contains a credential manifest but while looking at the issuance on OIDCv4 there is no mention of a manifest. How do those interpolate?
<kristina> I mean, is it a general DIDComm message that includes a returned credential, how does a verifier know how to understand the payload?
<kristina> yeah, I would imagine DIDComm for issuance is Credential manifest and not Presentation Exchange? (they are complementary, sure..)
<niels_klomp_-_sphereon> OIDC4CI doesn't use Credential Manifest AFAIK, right Kristina?
<kristina> we have a simple syntax how issuer publishes what credential type/format/display info it supports in its metadata
Torsten_Lodderstedt: That will be I lost a lot of time. ✪
Torsten_Lodderstedt: I have to be yeah can you see my screen. ✪
Torsten_Lodderstedt: Okay so I'm just familiar with the tool so bear with me. ✪
Torsten_Lodderstedt: Alright hello everybody my name is Laura said I've got a pleasure to be one of the co-authors of the open and you connect for I from credentials protocol family with me and Nicole I think today is Christina gets Buddha and David Chadwick David are you here as well. ✪
Torsten_Lodderstedt: Doesn't seem to be the case all right so can you see the. ✪
Torsten_Lodderstedt: Okay so David just one question for orchestration purposes do you want to show you a demo. ✪
<bumblefudge> (bit a delay-- sharks chewing on the transatlantic wire perhaps)
<mprorock> we can hear you fine david
<dmitri_zagidulin> oh nooo, I think we have a network partition - Torsten can't hear DavidC
<mprorock> a missing oauth scope
Torsten_Lodderstedt: Okay, I can't hear you. All right, so let's get started. So the OpenID for Verifiable Credentials Issuance is one initiative that is conducted at the OpenID Foundation in cooperation with the Decentralized Identity Foundation and ISO, and what we do is we define a set of protocols that can be used for different interfaces that are relevant to decentralized identity. So we've got the presentation side of things, where we have OpenID for Verifiable Presentations and Self-Issued OP v2, and. ✪
Torsten_Lodderstedt: The issuance side, which we will be focusing on today, which is. ✪
Torsten_Lodderstedt: Technical standpoint, OpenID for Verifiable Credentials Issuance is an OAuth-authorized or protected API, so the credential issuer exposes an HTTP-based API, and all the security around it, might be the user authentication, consent for credential issuance, and other stuff, is being done using OAuth. So how that happens is quite simple: first of all, the wallet sends an authorization request on behalf of the user to. ✪
Torsten_Lodderstedt: the credential issuer, which specifies which kind of. ✪
Torsten_Lodderstedt: And after the issuer has, for example, authenticated the user and requested and gathered consent, the credential issuer as an authorization server issues an access token. This is the vanilla OAuth stuff. If there is a long-term connection, the credential issuer might also issue a refresh token, which is pretty interesting because that allows to, for example, refresh credentials in a very pragmatic way, so you can issue a short term. ✪
Torsten_Lodderstedt: credentials and then from time to time for a new career. ✪
Torsten_Lodderstedt: So I request the authorization to obtain a credential and then obtain that credential in different formats, because the OpenID for Verifiable Credentials Issuance is credential format agnostic, so we want to support a variety of credential formats going forward. And then there is the actual credential issuance API; this is an OAuth-protected endpoint, a resource server in OAuth terminology, and the wallet uses the access token and. ✪
Torsten_Lodderstedt: early request to credential with that request also comes things. ✪
<kristina> wallet sends the request to the Issuer, wallet may already know which issuer, which credential type (wallet initiated); or it might get that idea from the initiate issuance request (issuer initiated flow)
Torsten_Lodderstedt: And in response the credential issuer issues a credential, or perhaps also multiple credentials; we are working on better issuance as well. ✪
<alex> How does the credential manifest fit in here? Is it optional in transaction 0 ?
<kristina> credential manifest is not used
Torsten_Lodderstedt: Couple of protective potential and point we leverage all the different flows that exist in the OAuth universe and all the packages that existed, including the different methods for securing all these authorization flows. We have defined a new code new pre-authorized code flow for some of the user experiences are can be found in the decentralized world but at nicely fits into the OAuth framework or of open ID for a very vibrant relationship. ✪
Torsten_Lodderstedt: science is credential format agnostic so can be used with high voltage. ✪
Torsten_Lodderstedt: With ISO mDL, with over credentials, and that also, it requires us to support different kinds of proof of possession for key material, which we do. If a wallet wants to know what the issuer's capabilities are, there is a metadata facility, which we in the end derived from the OAuth and OpenID metadata facility, that can be used to exactly determine this kind of information. ✪
<kristina> the same access token (symbolizing user consent) can be used to issue same credential of multiple formats (W3C VC and ISO mDL for example) or bind the same credential format to different key (multiple DIDs)
Torsten_Lodderstedt: Is the request for a wallet that request authorization to request a credential of type open batch credential this is this is all vanilla opener off and when the issuer is done processing the authorization request the the wallet gets in the code that it changes for an access token and that access token which is shown here in that in that part of the message is sent to the HTTP a protected API. ✪
Torsten_Lodderstedt: so we've got a couple of parameters over. ✪
<mprorock> that multi format / binding behaviour may be of help when bridging mDL to VCs
Torsten_Lodderstedt: The format, in this case it's ldp_vc, which means it's an LD proof. We want to bind the credential to a DID key, and we also have a JWS object that is the proof of possession of the private key corresponding to that DID. So that's basically it, and then as a result what we get is a response which determines the format, no surprise that's ldp_vc, and we've got the credential which can be. ✪
Torsten_Lodderstedt: which must be of the format that they decline. ✪
Torsten_Lodderstedt: You're real that's the sequential that was issued which is a open Richmond Dental. ✪
<kristina> if you have an existing OAuth infrastructure, the minimum is to add a new credential endpoint, if you are using scopes to request a certain credential (which allows even large scale systems like msft to move to this model)
Torsten_Lodderstedt: Why should you consider to use OpenID for Verifiable Credentials Issuance? There are a couple of reasons for that. First of all, it leverages the simplicity and security of OAuth. I mean, OAuth is successful because it is secure, is simple to use, and there are tons of libraries available in all kinds of programming languages, and we are basing on that. Second, the protocol works for all kinds of wallets, so could be a native app, can be weapon. ✪
Torsten_Lodderstedt: it can be can be something hybrid there are protein. ✪
<dmitri_zagidulin> @kristina - does that mean that the issuance initiation endpoint is optional?
<dave_longley> How are the acceptable cryptosuites for the DID proof expressed? (not vc-jwt vs. ldp, but rather ... Ed25519Signature2020 or JsonWebSignature2020, etc.)
<kristina> for the issuer, issuer metadata
Torsten_Lodderstedt: More advanced implementations that utilize our protocol and a guy for that, and if you want to implement it you can use the OAuth library of your choice, and there are plenty of them available. All it needs is, in addition to the OAuth library, you need to set up the HTTP protected endpoint to actually, in this is symmetric fashion, process the credential issuance request and produce the response, and if you happen to have an existing OAuth or OpenID deployment. ✪
<dave_longley> how easily can you separate the authz server from the issuer server?
<kristina> very easy
<dmitri_zagidulin> @kristina - what about for the wallet? (how does the wallet specify which crypto suite it prefers to receive?)
Torsten_Lodderstedt: More lecithin you and pointed at deployment and use your existing infrastructure, the authorized access, and even use the existing identity data to turn your OpenID OP into a credential issuer, which we think is a key success factor, because credentials need to be minted from parties that already have identity data, and so I think this is a way to really foster adoption of the decentralized identity principles. The protocol itself. ✪
Torsten_Lodderstedt: self does not have a certain selection or Discovery back. ✪
<alex> Can you do selective disclosure using BBS+ signatures?
<kristina> in microsoft's implementation, we use existing authz endpoints that deal with billions of transactions and for the issuance, building a new endpoint
<mprorock> easily separable, and also easy to get support plugged into existing oauth services
<dave_longley> does the issuer server or the authz check the DID proof? ... if the issuer server, does it also function as an authz server by serving authz server metadata RFC8414?
Torsten_Lodderstedt: With all kinds of those mechanisms, so for example you can use custom schemes, which works well along a across a cohort of native wallets, you can have selectors, you can have something like CHAPI, so you can combine it with whatever is needed, and there are different examples deployed in the wild. One other thing that I would like to emphasize is that you to the way out. ✪
Torsten_Lodderstedt: OAuth works and OpenID works. ✪
<kristina> @dmitri, for the wallet depends on the chooser mechanism
<kristina> @dave, issuer server
Torsten_Lodderstedt: Out of flexibility how you are constructed designed the user interaction at the issuance site because you've got the full user interface control can authenticate the user can do whatever you want and needs to gather user content and so on the protocol works for same device and cross-device scenario and it supports different security levels we have recently been working on a design options for really substantial and high security levels which are required for example for regulating. ✪
Torsten_Lodderstedt: these schemes like ìitís but a simple. ✪
<kristina> @dave currently, issuer server's metadata is being published in the authz server metadata
Torsten_Lodderstedt: And as I said, it's credential format agnostic, so once you have implemented it in your issuer it's easy to support different kinds of credential formats, because in my opinion that's important because this market is so emerging and there are so different approaches on the way, it's good to have that option in the pocket. There are a couple of implementations already underway, and I will also like to mention that ISO has decided to adopt that for. ✪
Torsten_Lodderstedt: Take credentials and with that I'm through with my slide deck if time permits. ✪
<dave_longley> @kristina - so would that perhaps be separable in the future? it seems that the issuer should be responsible for generating the challenge nonce and expiration period since it will be checking the DID proof it is used in (not the authz server)
Kristina: Yeah so they're really implementations emerging where people are using up any pervasive product location most ISO mdl format a credential and every CVC on so diet is possible that your site on the presentation on depends on the choices that I saw working at feel make the near future but there is really high probability we can enable a password the same presentation response can include those I swim Geo and there was received. ✪
Torsten_Lodderstedt: All right just met I can run you a quickly through the demo just takes a minute or so. ✪
Torsten_Lodderstedt: Okay so let's assume I'm in my wallet is in this case it's a web it's a web wallet. ✪
<mprorock> chair hat off: +1 to this approach - and mesur.io plans to add support
Torsten_Lodderstedt: So I don't have a credential in my wallet. Now I request a credential; in this case the wallet offers me several issuers, I mean it's a bit similar to what we have seen in the first presentation, so we already know some of the issuers, and then I'm being sent to the issuer, and this is a simple standard OAuth authorization request as you might see from the URL, and I'm logging in to the site and I. ✪
<mprorock> that is for human in the loop use cases for us
Torsten_Lodderstedt: Screen but it's a prototype, and here's the see that that's everything. So I went through the authorization process, the wallet gets an access token and obtained the credential, and then I accept that credential, and that's it, right, so that's how easy as it can look, and with that I'm done with my presentation. ✪
<shawn_butterfield> Shortest demo ever. Love that.
<niels_klomp_-_sphereon> If you ask me without going into politics of SSI, the integration into OID allows for far easier adoption in existing enterprise systems
<anil_john_[us/dhs/svip]> It feels as though the metadata created by the issuer is distributed across multiple locations (did document, revocation status info, OIDC stuff etc.) Given that DID resolution provides a cross-network mech for mapping the identifier of an issuer to a did document.. Would it make sense to consolidate the location long term (i.e. target of resolution)
<mprorock> Chair Note: please do feel free to engage on list to keep things rolling and deep dive on various items
<aditya_-_entrustient> Is there a playground available for OpenID connect? And should we be using SIOPV2 as a guide?
<kristina> please think of OpenID4VCI differently from SIOPv2/OpenID4VP side
<kristina> Issuance using OAuth does not have the limitations of turning user's native app into an authorization server :)
<kristina> @Aditya working on, conformance test suite for OpenID4VC
<aditya_-_entrustient> @kristina - Thank you. Can I use OpenID4VCI to package requests from Aries?
<mprorock> handing things over to Harrison as I am at a hard stop - really appreciate the time from everyone today - this is an awesome topic
<manu_sporny> hahaha :P -- yes, the path forward is crystal clear :P
<dmitri_zagidulin> @manu - hahahaha glad to clarify! :)
<davidc> You need to enter the un: user and the pw: password to authenticate to the site
Harrison_Tang: Thank you thank you Dimitri thank you Sharon and thank you to all the presenters. ✪
Harrison_Tang: Maybe I'll see you around the queue but you probably already on that make that announcement right. ✪
<kristina> @Aditya, why would you do that..? package Aries req?
Harrison_Tang: Sounds good we do have two minutes so please do. ✪
<torsten_lodderstedt> need to leave for the next meeting - thanks a lot for the opportunity to present our work
<dmitri_zagidulin> thanks everyone for attending, and for your excellent questions. We realize that this is a difficult topic that's hard to fully cover in 10 mins each, we encourage you to ask follow-up questions.
<harrison_tang> thank you, Torsten, for sharing
<dmitri_zagidulin> thanks Torsten!
<sharon_leu> thank you, torsten!
<aditya_-_entrustient> @kristina - Create Out of band credentials using Aries and use OpenID4VCI to transfer to a holder?
<niels_klomp_-_sphereon> I wouldn't see why that wouldn't be possible
<rgrant_ryan> thx everyone
<kerri_lemoie> Thanks all! Great call!
<sharon_leu> Thank you!
<dave_longley> You can also use VC-API to generate VCs and then deliver them using CHAPI + OIDC4VCI.
<julie_keane> Thanks all
Harrison_Tang: All right thank you Dimitri and thanks everyone for attending will conclude this week's meeting will work on publishing the minutes in the next few days and then you have any questions please feel free to send it to the mailing list thanks. ✪