The W3C Credentials Community Group

Meeting Transcriptions and Audio Recordings (2014-today)


W3C CCG Weekly Teleconference

Transcript for 2022-10-25

Our Robot Overlords are scribing.
Harrison_Tang: All right well can I go on to this Tuesday's this week's W3C CCG meeting so this week we have two main agendas. One, we invited Niko, the author of the "SSI on blockchain is a bad idea" paper, to kind of share his thoughts, and in addition to that we would like to talk about a potential proposal.
Harrison_Tang: Potentially tweaking our charters and I think Kimberly can actually talk about that a little bit later. Any agendas that people want to bring up?
Harrison_Tang: All right so before we get to the agendas and introductions and reintroductions, just want to do a quick reminder on the code of ethics. In summary, just make sure that, you know, we create and, you know, maintain a psychologically safe environment where people feel comfortable sharing their thoughts. I'm sure that sometimes we don't necessarily agree with each other but let's make sure that.
Harrison_Tang: the respect is there.
Harrison_Tang: All right, a quick IP note: anyone can participate in these calls, however all substantive contributors to any CCG work items must be members of the CCG with full IPR agreements signed, so the links are included in the agenda email that was sent out.
Harrison_Tang: make sure you have.
Harrison_Tang: Account and sign the W3C Community Contributor License Agreement.
Harrison_Tang: These minutes and an audio recording of everything said on this call are archived at the W3C CCG GitHub meetings link. We actually have fixed the recording so that you can see the recordings in those links that we send out. We use IRC to queue speakers during the call as well as to take minutes, so type in q+ to add yourself to the queue.
Harrison_Tang: you have been questions B3.
Harrison_Tang: Remove your questions from the queue.
Harrison_Tang: And if you have any questions just feel free to do the q+ and then I will acknowledge you, monitor the questions and I don't you.
Harrison_Tang: Any introductions and reintroductions.
Harrison_Tang: Anyone new to the community or haven't been active and want to kind of reintroduce yourself.
Harrison_Tang: I will I will make sure that we have set aside some time for introductions and reintroductions at the end of the meeting as well. Any announcements or reminders?
Harrison_Tang: I think it's a public service announcement that IIW, the Internet Identity Workshop, is in November, so if you haven't actually signed up for that, just sign up.
Harrison_Tang: Mike I think I have a question.
Mike Prorock: Yeah actually just more of an announcement: 115, IETF 115, is coming up. I think most people are aware of that. The high promote stuff has been working pretty well, also was sometimes difficult, but that's been working extremely well for the last few IETFs, so there are items in particular: SCITT, so S-C-I-T-T, is formed as a working group now.
Mike Prorock: Taking off during this meeting.
Mike Prorock: JOSE, so JavaScript Object Signing and Encryption, will be performing as also, there will be some stuff that has definite impact particularly for the underlying primitives we use in a lot of our specs here so.
Harrison_Tang: Great, thanks Mike. Any other announcements or reminders?
Harrison_Tang: Any progress or action reports on the action items.
Harrison_Tang: All right, before we get to the main agenda and welcome Niko, Kimberly, do you want to kind of bring up the other agenda in regards to the charter?
Kimberly Linson: Sure sure thanks Harrison so we have been discussing the ccg charter and I just want to put it in in the chat and also just in case folks don't.
<kimberly_wilson_linson> The mission of the W3C Credentials Community Group is to explore the creation, storage, presentation, verification, and user control of credentials. We focus on a verifiable credential (a set of claims) created by an issuer about a subject—a person, group, or thing—and seek solutions inclusive of approaches such as: self-sovereign identity; presentation of proofs by the bearer; data minimization; and centralized, federated, and decentralized registry and identity systems. Our tasks include drafting and incubating Internet specifications for further standardization and prototyping and testing reference implementations.
Kimberly Linson: Have it, let me read it, it's pretty short: the mission of the W3C Credentials Community Group is to explore the creation, storage, presentation, verification and user control of credentials. We focus on a verifiable credential, set of claims, created by an issuer and about a subject, a person, group or thing, and seek solutions inclusive of approaches such as self-sovereign identity, presentation of proofs by the bearer, data minimization and.
Kimberly Linson: Decentralized registry and identity systems. Our tasks include drafting and incubating internet specifications for further standardization and prototyping and testing reference implementations. So that charter definitely I think gives a good sense of what we do here but it doesn't make any mention of DIDs or of the VC standard and that has.
Kimberly Linson: Created some real confusion in the community at large outside of CCG to the point where there were actually some folks starting a community group to talk about DIDs and so we've begun to just sort of wonder about whether or not we need to add something to our charter about the work that we are doing in those areas and but before we really started drafting.
Kimberly Linson: Or adding to the charter we wanted to just bring it to you all as a community and get your feedback and input about whether or not you think this change is even necessary so I'd just like to open it to the floor to have questions and discussion around that.
<mprorock> /me thinks likely some minor additions to call out those TRs since the existing charter predates standardization
Kimberly Linson: Anybody feel strongly about not changing the the charter to include those things.
TallTed_//_Ted_Thibodeau_(he/him)_(OpenLinkSw.com): Yeah I don't feel strongly about it but it does seem apparent that it's necessary given that there was another group already starting to try to have a conversation that we are already having.
TallTed_//_Ted_Thibodeau_(he/him)_(OpenLinkSw.com): Not sure what shape that adjustment needs to be whether it actually needs to be a charter change or simply acknowledging the fact that we produced the original dids Etc or the pre working group document that went into the working group.
TallTed_//_Ted_Thibodeau_(he/him)_(OpenLinkSw.com): Yeah so to try to be a little clearer because I'm a little not awake today.
TallTed_//_Ted_Thibodeau_(he/him)_(OpenLinkSw.com): Summarizing the work that has been done here and the work that is ongoing does not seem to me to require to change the charter it just needs to be documented so there might be an informative section of the charter as opposed to normative and we could do that I think pretty instantly.
Kimberly Linson: Thanks that that would be great.
Mike Prorock: Yeah just going to note, Ted, that's actually a great thought about kind of some non-normative language. One of the things that the chairs have been running into is we can't actually edit the CCG page so we're chasing that down and trying to find out why that that anything under Steve.
Mike Prorock: There we go cool but yeah that's that's an excellent so we've got kind of a parallel item to see if W3C staff can actually help update the community group page itself and that looks to be the case but we're getting some details on that Ted so.
Harrison_Tang: Yeah I would just like to add that the chairs have received like I think one or two feedback in regards to the current charter being a little bit for like Maritime confusing it is quite wordy and so so the feedback was if we could actually simplify and clarify it further so it's not a specific so yeah so I think adding VCs or DIDs like those kind of.
Harrison_Tang: villages like is something that's.
Harrison_Tang: Right because for example verifiable credentials is gaining quite a bit of more and more recognition so that we could help no kind of help clarify what we do here but I think more or less the main thing is about clean up the language to more for like baritone understand right for people who are not as familiar with this community.
Kimberly Linson: Yes this process of going through the the new proposed Charter would give us the opportunity to to to make edits to the whole thing so that's definitely it I thought too.
Kimberly Linson: So unless anyone is is strongly objecting my next ask is for anybody who's interested in sort of volunteering to to look at the language and provide some suggestions.
Kimberly Linson: And I you can raise your hand here if you want to or you can just reach out to me separately and we can talk about how we're going to going to move forward with looking at the language and Ted I would definitely appreciate your your historical wisdom on you know what what is non-normative that would be great so.
Kimberly Linson: Any other questions or comments about this.
Kimberly Linson: Thank you so much.
Harrison_Tang: Thank you Kimberly. All right, any other announcements or reminders or agenda that people want to bring up?
Harrison_Tang: All right so let's get to the main agenda talking about SSI on blockchain so three months ago I read a great research paper by Niko actually the back story is I was just perusing Kaliya's newsletter and then I saw this article and I read deeper into it I found it very very insightful and very very thorough so that we're very very pleased to accept.
Harrison_Tang: Leading by Nico the off.
Harrison_Tang: Are too tight.
Harrison_Tang: Talk about SSI on blockchain and his insights from his research now I know SSI, blockchain, Web3, you know, the intersection of all these topics and hype terms, has been a debated topic in this community for the past few years so so I think you know it's going to be interesting right to actually have Niko kind of bring his perspective and share your thoughts so anyway so without further ado I'll just welcome.
Harrison_Tang: Niko to the floor and then kind of.
Harrison_Tang: Start by kind of sharing what he found right and his thoughts in regards to why SSI on blockchain might be a bad idea. Thank you Niko.
Niko: Yeah hi I'm Niko, I'm a site reliability engineer at a rather large IT company that I prefer to leave unnamed and yeah thanks for the introduction, thanks for inviting me here. My interest is mainly in blockchain, not necessarily SSI, that was more of a bit of an accident I guess, so apologies.
Niko: If I get like some.
Niko: You're wrong additionally maybe just one more thing before I get started here I woke up with a sore throat if I do lose my voice or cough the middle of the talk my apologies so I'll start with like summarizing sort of just going just really quick to my background and the then summarizing the main points of the article I'll see if I can hit some of the 15-minute Mark approximately.
Niko: so my.
<harrison_tang> Link to Niko's research: https://weh.wtf/ssi.html
Niko: My at work and focus on distributed databases and privacy engineering and in a previous life I used to work in fintech so there is a bit of a like I guess I have a bit of a presupposition for blockchain crypto stuff that my interest is mostly in blockchain less the crypto aspects of that sort of ecosystem I got really sucked into in quotes into the blockchain stuff around like.
Niko: 2016-2017 I played around with.
Niko: System then around 16 17 I started like started comparing so blockchain as a tech stack with my work experience in critical big tech and I started to realize that I struggled both myself and also like trying to figure out how to do that but also like getting information from other people how to do that how to sort of apply the blockchain tech stack to the.
Niko: problems that I was seeing.
Niko: In my day-to-day work experience anything from functionality privacy compliance policy scaling usability blockchain seem to be lacking functionality not just a bit and like you know like hey there's like because the new technology there's just like chunks missing but like fundamental issues with the technology so it kept getting involved like the blockchain engineering discussions and eventually it took me five years I guess get that point but eventually I started.
Niko: Actually writing things down into a blog post or blog posts I guess the key point in that blog post is I generally really like the idea of self-sovereign identity oh one more thing I'm speaking as this is my personal opinion not the one of my employer who may or may not have a single sign-on product I personally really like the idea of decentralizing these kind of things I think this is a the hi.
Niko: a centralization of.
Niko: Identity services is a present and relevant problem that needs addressing but I also don't see how blockchain is needed I don't think blockchain helps the user and I do think blockchain slows adoption of self-sovereign identity and it requires it makes it creates much more problems than it actually solves I think a.
Niko: That I found that also citing the blog is the European Union covid vaccine passport which to my knowledge use the w3c verifiable credentials and initially when they were trying to set this up and getting free but then like they try to put this on blockchain they failed then they removed the blockchain parts and with reasonable decentralization like individual countries issue like the certificates and pharmacies they managed to scale this up to 2 billion certificates.
Niko: In a way this is kind of the QR code on paper is kind of The Benchmark that it away blockchain needs to reach and I think a lot of effort is from from at least this hopefully the research that I've done and like the approach that I've seen a lot of effort is trying to is done to try to make blockchain work as good as a QR code on paper now we'll say I have.
Niko: Like this is not something as SSI.
Niko: Other projects like Logistics or social media have very similar problems when you know blockchain gets involved the reason why I wrote about SSI specifically is simply because that blog post was done first and then I got married and bought a house in didn't have time to finish the other ones actually okay okay so I'm going to go through like the main sort of advantages that I often saw sighted in.
Niko: You know blockchain DLT integrations I'm going to go over these rather quickly and like I'm very happy to answer more in-depth questions during the Q&A later so one of the things that often comes up is that anything really or just identifiers or verifiable credentials on a blockchain are inherently more trusted for some reason I really barely ever found that claim substantiated.
Niko: way and it doesn't really make sense on a high level.
Niko: If anyone can write to a DLT then the fact that it is on a DLT or a blockchain doesn't add anything like trust by itself right vice versa like if you have a centralized, like, permissioned blockchain well you really kind of don't get any of the supposed advantages of blockchain technologies like the trust is now delegated to the operator of that say Hyperledger instance.
Niko: I think Sovrin is an example of a company that does that like okay well but now they effectively gate what is on that blockchain or not a similar argument often comes up with that the issuers of the certificate like say like governments or universities for example are more trusted through having their certificates being on the blockchain but the same argument holds here too right if anyone can write to it it doesn't really trust if only.
Niko: few people can write to it the trust is just delegated and we have the same mole.
Niko: PKI structure that you have today in browsers like Chrome or Safari where a company or very few entities decide who is trusted or not so the second sort of bigger point like that of advantages are forgery resistance to quote from some Sovrin white paper I think there's the thing that the argument that the blockchain can tell you which certificate is the most recent one but.
Niko: this is.
Niko: Hard to get right in a privacy-preserving way but I'm sure there's like odd edge cases like domain TLS certificates would be something where this is possible and this is also done using the certificate transparency but for the average use case of like say you know something that is clearly linked to a person let's use a passport as an example this does not work in the privacy-preserving way right because if.
Niko: whew if you.
Niko: He bought notifications have distracted me very quick if you want to check whether there is a second copy like a second passport in my name on the ledger that requires some way of looking up in the ledger whether you know for Nicole IV there is a second passport in the ledger now this is clearly a GDPR concern or.
Niko: no violation if.
Niko: Change or remove that entry GDPR requires me to be able to erase or rectify any kind of data that is stored by any entity that is linkable to me and the answer to that that often comes up is I will just use zero-knowledge proofs but that doesn't really change the fundamental issue like as someone who verifies my.
Niko: identity that.
Niko: Needs to be.
Niko: Able to look up whether there's a fraudulent copy of that ID given some attributes that are clearly linked to me that is the GDPR violation if you wrap that in zero-knowledge proofs it doesn't really change the fact I think I am happy to talk about GDPR a bit more during the Q&A it actually is much worse than that and there's lots of legal uncertainty even when it comes to bitcoin transactions because these are technically linkable to individuals too.
Niko: another related thing to forgery.
Niko: Timestamping, and verified timestamping is one of those things where there's at least somewhat of a technical argument that is you'll start at here's a problem and here's the solution how we address this which frankly is something I had a really hard time finding for a lot of other you know blockchain and aside equations so verified timestamping effectively gives you an upper and or lower bound for when a document was issued but it's included.
Niko: in the Merkle tree and some DLT so you just kind of.
Niko: When the blocks are the Merkle roots were issued now this kind of sounds useful and certificate transparency for example does that too but it's also really hard at least for me to come up with a concrete example like an actual real world use case where this makes sense if you go through the passport model for example right this would only be useful if.
Niko: you have it passport in your hand and you.
Niko: Name a color date of birth the ID government ID number the issuance date only passport expiration date on the passport but somehow what you really don't trust really want to verify is when that passport was printed right this this just doesn't really seem like a real life use case to me and you know furthermore like the issuer could just create multiple copies which you can't detect these.
Niko: of the fraud.
Niko: Like the forgery proof problems that we just discussed and also timestamping services already exist right there's RFC 3161 you can also use DKIM it's just barely used because I don't think this problem everybody comes up in practice another issue that is also very related to the forgery thing is there are very valid reasons for backdating
Niko: documents for core.
Niko: Forge documents this can be anything from you know victims of domestic violence that changed their name there's people going to witness protection program people that transition genders or just like a plain old typo right shining a spotlight on your here's the digital identity that has been modified somehow can you know I want to go like the full-length Road I'm going to say like this can put like people's life in danger but.
Niko: it certainly.
Niko: It was more of a nuanced discussion so just going like oh well just like having a hard proof that this is accurate like does kind of doesn't really meet the reality of the complexities of the situation I think so the last of two main points were is like reliance on third parties and whether you own your data and I don't think either of these two things hold either I think the reliance on third parties.
Niko: is actually kind of.
Niko: Your smartphone is not realistically going to store a full copy of a blockchain system that scales to say like 300 million American Gillette at digital identifiers unification stored is looking to maintain like live updates of that so you will have to rely on some third party API that manages the blockchain for you which right now if you look at these sort of ecosystem.
Niko: mm of.
Niko: Third-party gateways in the cryptocurrency or like blockchain ecosystem you have Infura which is kind of implicated in the censorship around what's calling in the Tornado Cash thing for example and these third parties have their own financial incentives right they can serve you wrong, missing and delayed data if you know they think this makes them more money right there's plenty of.
Niko: examples in these sort of payment ecosystem.
Niko: Are credit card companies just like even if there's no regulatory like direct reason to ban a provider they just don't want to deal with the PR of it like erotic content sites are the common examples OnlyFans for example where payment providers just like shut them down so you have like you're effectively putting your trust in at this point unregulated API gateways so it's not that the reliance on third parties decreases here the own your.
Niko: data argument finally is I just don't.
Niko: If you're broadcasting your data onto a public ledger everyone owns it including all of big tech and all of the NSA and other secret services you can't really delete from it I mean like if your threat model is that big tech or the NSA is listening to you and grabbing your data then now your threat model not only increases from does not only contain this one big tech that you store.
Niko: your data with.
Niko: It includes all big techs and all worldwide secret services as I had the common argument that people like oh like what this is not a problem is we'll just use encryption but that's orthogonal to blockchain step right if you encrypt your data in a way that it's safe enough to put it on a public blockchain so that it's safe like it's defensible against every secret service and every big tech then it's safe enough for Dropbox you can put it on Dropbox and in addition you get.
Niko: GDPR enforcement against Dropbox you can sue.
Niko: They mishandled your data you don't get Chainalysis meta-analysis which is something you also get on public blockchains where Chainalysis's business model is you know deanonymizing people this clearly is a threat so the own your data argument just does not I just cannot see how this works so these are the supposed conquered good sides.
Niko: but you also get done as.
Niko: Integrate into a system get additional complexity right you get cost you get dev time compliance and I've made that semi joke before that a lot of time is being spent making DLT work as good as a QR code printed on a piece of paper and I found a lot of projects that were stuck in this phase really like a lot of projects are working trying to work around the GDPR issues around the we can't delete things and.
Niko: you get an online
Niko: requirement for example if you want your ID checked and you're in some say Berlin underground club where there's no or poor reception your QR code on paper is going to work your blockchain enabled thing that needs like an internet connection will not if you have a big fast for the desert for example some of the countryside where the internet is slow or broken you'll run into the same problems for public ledgers you have transaction costs and of course you have GDPR and meta-analysis privacy problems.
Niko: so none of these problems these are.
Niko: Our would be deal breakers if they were offset by actual advantages but again I am having a really hard time finding those so I'm gonna go go really quick about the digital part because I think the literal part is resisting me going through various you know there is a blog posts and academic literature going from actually trying to extract information to just be.
Niko: at times with Moody and ran.
Niko: Unfortunately poor quality of some of the articles just to give you one or two examples like the ab c-- the European Blockchain Initiative for example like there if you dig into the documentation far enough you finally find a diagram where they describe how they're using a DLT and they use it for writes only there's only arrows that write.
Niko: The Ledger no.
Niko: It's from it at the time I looked at least maybe they added something but at the time that was all there was IBM says on their blogs that you know their blockchain to Grace will avoid third parties but they ignore that you know almost all their blockchain products require that you log in through ibm.com when ibm.com login which is you know bit of a third party there's I think my favorite one was Forbes like one of the biggest like first Google results when you Google for.
Niko: or like blockchain as I was a Forbes article.
Niko: They claim that the idea on the LT will allow that online shopping will be delivered to wherever you are at the moment which I thought was the do substantiate that's like that clay let's put it that way I found similar results on a slightly higher level on some of the the academic literature I will say there's a there's a ton of research like articles here and obviously I didn't go through all of them went through the top five results.
Niko: top five most.
Niko: Will scholarly subject but I found similar results to the blog articles where there's a lot of claims that are simply then not followed up on or substantiated some of the academic literature at least pointed out some of the same problems that I mentioned before I think my favorite point there was that one of the papers claimed that DLT would.
Niko: wow in some cases.
Niko: Real-time proof of correctness for example that you're not a terrorist when when you checking into the airport and I thought there was a I didn't know finding out whether someone's a terrorist is as easy as putting that into a that piece of data into a blockchain and I went through a couple of real-world projects I found like some of them from the blog post and the articles that are look.
Niko: before and I think.
Niko: I'm guessing at numbers like about the 15 projects like say 10 projects 7 word that to stop doing blockchain and the remaining one Sovrin they effectively run a private Hyperledger instance and I reached out to them because they had that one example where the international Aviation Transit Authority, IATA, I think they were having a partnership with them and I reached out to them like how do they use blockchain.
Niko: and then they effectively admitted that while they don't.
Niko: They run their own whatever like centralized database and we just you know give them a copy of our internal Hyperledger instance like a data dump and they play that into their database they also said that they are exploring other options other than DLTs they're kind of moving away from it to the real world projects I mentioned earlier that like this is not necessarily SSI-specific the second article that I wrote on my blog was that I looked into a total of 34 critical real-life blockchain projects.
Niko: and I found exactly the same results across the board with other non SSI.
Niko: So to summarize I think SSI is an extremely interesting area of research I think this is a thing that solves a problem that is present as I said before but there's plenty of hard problems right like things like from like you know privacy matter results that's how you deal with identity theft how you make it work for tech-illiterate people which is really sort of the main anti-SSI argument.
Niko: that I see from my friend Circle.
Niko: Interesting fun and challenging problems and again I am biased here because like I am from these sort of blockchain skeptic ecosystem but I do feel a lot of work is being put into making blockchain as useful as MySQL that instead could be spent on you know make it so actually solving the hard problems that would benefit.
Niko: the end user.
Niko: I hope that was was a useful summary.
Harrison_Tang: Thank you Niko, any questions?
<john_kuo> That was terrific, thanks
Alan Karp: Trying to figure out and I was trying to figure out how to unmute so how do I prove ownership of the DID if there isn't some sort of an agreed-upon place to make that claim.
Niko: Um I mean you would have your private key that matches the public key encoded in your DID right.
Alan Karp: Right but somebody else could produce the same DID with a different key.
Niko: Right so this I think it goes into the forgery aspect right like how do you avoid that there's two DIDs referring to the same individual right but you cannot.
Alan Karp: No no no no two DIDs referring to different I create a DID, my key, have my DID doc and all that you come along and use the same DID but with your own key and your own DID doc and now a third party comes along and doesn't know which is which.
Niko: Right what is in the DID here though like what is the thing that's effectively signed off when you create the DID.
Alan Karp: Well you know claim that I'm Alan Karp and I live in a particular place whatever DID doc that I think that matters here and then you claim that you're Alan Karp who lives in a different place or whatever.
<greg_bernstein> Public key in DID
<tomj> forgery can be blocked by a ipfs method - blockchain not required
Niko: Right but the I mean that is a thing that I can do on the blockchain too right I can just upload the DID to the blockchain and now there's two DIDs that say Alan Karp on the blockchain.
Alan Karp: Right but as I understand the rules only the first the first one wins.
Alan Karp: Where are you.
Niko: The first one is determined by what right so there's got to be like 300 million DIDs on the blockchain and as we discussed as I mentioned before for privacy reasons you cannot have literally Alan Karp in there or a hash of Alan Karp in there because that would be a GDPR violation.
Alan Karp: Right right but if the DID is going to be useful at all I think you should be able to guarantee that the first one to claim the DID owns it and can put whatever they want in their DID doc and somebody else who comes along and claims the same DID should not be recognized as owning that DID.
<phil_l_(p1)> How can a person claim the same DID? The keys are unique.
Niko: Right but again right like there's no way to determine whether there is a previous instance of that DID on the blockchain so the only thing that you could potentially do is refer to the timestamp that is encoded in like with the DID on the blockchain right like so the verified timestamping argument.
Alan Karp: Well it's no it's the deepest in the chain is the winner.
Niko: Right but I think this is this is somewhat related to the time-stamping thing right like the.
<brentz> this is why there needs to be a cryptographic binding between the DID and the initial public key for that DID
Alan Karp: Well it's order it's order but it doesn't depend on time it's just the first one first of all icon on it to claim the DID owns it.
Niko: Right so I mean in this scenario where someone is presented with both that's right so if the person was just presented with one of these there was no way to tell which one is the true Alan Karp right.
Alan Karp: Regulars sure there is like walk the chain see if there's an earlier one now that might be computationally expensive but at least it's possible.
<phil_l_(p1)> @Brenz right
Niko: But they wouldn't be able to find is like an earlier one that says Alan Karp on it because I.
Alan Karp: No no wait the DID the DID itself is what they search for.
Alan Karp: We have two people claiming ownership of the same DID one is earlier on the chain than the other.
Niko: Oh oh oh okay.
Niko: Right so what exactly is sorry like what exactly putting on the challenge of putting the these the signature of the DID on the chain.
Alan Karp: I'm putting the DID and the public key of the DID and then I can associate whatever else I want with the DID doc.
<dmitri_zagidulin> I think there's a queue?
<tomj> who is it that prevents a forgery on a blockchain? That must be a trusted entity
Niko: Right so I think this is this is still like related to the trust of time stamping argument there's really there's this I got a summer thoughts on party this kind of like safety mechanism okay sorry I think I know what you're getting at um.
Niko: Hahaha let me think about that.
<mahmoud_alkhraishi> can we process queue? theres a number of straight forward answers here.
Niko: I really like this thank you so much like this is this is the kind of stuff that I was that I was not finding in the the researcher I'm trying to think of like a concrete example how how this comes into play though.
Niko: Sure sure absolutely so sorry for blanking here.
Harrison_Tang: Actually sorry Niko I think maybe you can formulate your thoughts and then and then take it offline we have other questions so thank you I will yeah thank you Alan I think yeah no problem I think this this this question is specifically in regards to putting DIDs on blockchains I think in your research you mentioned about not putting personal information and PII or VCs verifiable credentials on blockchain I think that's a bad idea.
Harrison_Tang: this question is more specifically about the DIDs.
Harrison_Tang: So so I think maybe we can take this offline that will have will have other other people in the queue alright so see the queue Keith.
Phil_L_(P1): One two and two.
Keith Kowal: Thanks for your presentation Niko I think it might be useful go through just like a little history of credentials on blockchain like in in historically there was some platforms putting VCs and moist ABC's we've kind of mean PII on blockchain I guess blocks are to be good example of that but I think in the last few years there's no more SSI platforms that at least no popular SSI platforms that put PII on blockchain anymore I think most of us are using blockchain for things like putting.
Keith Kowal: Which is really around key management but no PII.
Keith Kowal: You can get into a question about the holder DID and and even some platforms are no longer even putting holder DID anything that even resembles PII is not going on blockchain anymore and then we put things like schemas on blockchain revocation list replication mechanism sometimes go on blockchain so I think maybe it's just a progression in the industry I think you cited Sovrin quite a few times like Sovrin never you know they had they have a large DPI a about you know PII on blockchain is quite a lot written mean typically they were putting things like.
Keith Kowal: Issuer DIDs cred defs schemas on blockchain but they would never put PII on.
Keith Kowal: Extreme measures to make sure that no PII ever went on blockchain so just a couple of you know hope that.
Niko: Yeah thanks for that I I did some kind of see that too when I was going through projects that you know like we're still alive that Sovrin particular yes they they I saw that document where they talked about avoiding PII on blockchain but again like this is your kind of starting to wonder like why is our things on blockchain like a revocation list for example is.
Niko: it's going to sound like we have.
Niko: I'd like they they work good enough for realize like for real life purposes I personally don't see like why you know what the advantages of putting these in a blockchain for so you mentioned I wanted to other things that I unfortunately missed.
Keith Kowal: Yeah and I think that's the main conversation today is those other things like particularly DID schemas revocation should they be on a blockchain or not I think God selects the center of a lot of our conversations these days.
<tomj> once a DID is bound to any pii, like for example a eid or university degree w/th dates and other details the privacy is gone forever for that DID
Niko: I do you maybe want to go back to Alan's point real quick because if I understood it correctly like you have the the signature like the second Randy Daddy on some of that magic on the blockchain but what happens if like you for example rotate your key right one of theirs what if you create like what stops me from creating a new DID for example this has Alan Karp and signed up myself that is has a different hash.
Niko: Then you know that you want that you.
Niko: That's I'm sorry I met Nation.
Alan Karp: Yeah that's yeah that's not the issue that's fine that can always happen but it's just somebody claiming a DID that I somebody else claiming a DID that I claimed first that's the issue.
Niko: But again like I'm really happy to take this offline but I would love to see like a concrete example where this comes into play because I think there's.
Niko: This doesn't strike me as like a real-life sort of problem I think.
Harrison_Tang: All right Paul.
PaulDietrich_GS1: Yeah I just wanted to share a use case on this same discussion we're having an imagine that you're in some trading network of loosely connected trading partners and say a partner presents me a credential and they need to prove something legally before I can interact with them for global trade and then you know our lives go on and then in sometime in the future a regulator comes back to me and says well did you verify that partner's credential and what proof do you have that that credential verified at that specific time.
PaulDietrich_GS1: Because right now of course Keys have rotated revocation list.
PaulDietrich_GS1: So what do I need to cryptographically prove that yes I validated that credential at the time and I think that comes back to these same two things like how is the DID document stored and can I get a copy from that time because keys may have changed and it might have been at the time I used a key that's now not in the DID doc anymore and the second is a revocation list unless I keep a copy of that signed list with that credential in a future time I might not be able to prove that that credential was revoked or not revoked unless there's some time recorded history.
PaulDietrich_GS1: like blockchain so I'm going to pass that back to you as a potential way to kind of think about this as a trading partner.
PaulDietrich_GS1: In the future.
PaulDietrich_GS1: I have to prove that I did validate a credential that someone did pass some certificate test and what do I need to do to cryptographically prove that and what is the lift on me as the person who has to prove that to a regulator.
Niko: Right yeah thank you for that so the.
Niko: Time-stamping servers is is really the main answer for the time recorded history these things already exists it is effectively a trusted third party like DigiCert or Google or whatever like they and any number of these affecting his signing off on a time stamp this happens implicitly when you send emails so really when you you know when you do internally in your company have a conversation about you know verify.
Niko: buying that.
<tomj> putting a transaction on block chain is a different use case that putting a did on a blockchain
Niko: So that trading partner for example the email track record will implicitly already have the cryptographically verified signatures and the timestamp signatures that prove that you actually did this at the time now of course you can make the argument we want to you know automate this and you want to like have a more standardized flow around digital credentials or the verifiable credentials for example.
Niko: but I do think and I do think that that.
Niko: That's that's fine with like the technology for this is already there at the time the technology that timestamp see things and that you know makes things all of the bull way into the past is already there has been there for 30 years.
PaulDietrich_GS1: I think the question for me is more like okay I'm signing in to use this W3 system there are verifiable credentials their revocation lists like what's the standard way to do this do I mandate my trading partners go put these timestamps and their messages because if I receive an email from them with the timestamp all that proves is that I received it it doesn't prove that I validated it and if I send an email back that said oh I just want to send you an email to let you know this really did validate that feels to me like weak evidence.
PaulDietrich_GS1: because it doesn't really show that I did validate it.
Niko: Right I think I think in that case it really mean like the question is really what does validation mean in this context is like a cryptographic validation.
PaulDietrich_GS1: Well it's very clear that I have to prove to a regulator that I follow the rules at the time and if the rules were the time to prove that that person was a registered licensee of some trading characteristic then a cryptographic proof maybe the right way to do it I could of course go back to paper documents and phone calls and Records but I think that this technology is trying to get us beyond that.
<tomj> this discussion is now off track completely
Niko: Right I so what I'm getting so okay so first of all there is I'm very very happy with the verifiable credentials and the DID and these sort of approach of like creating a better way of creating a standardized way of asserting certain facts I think.
<phil_l_(p1)> We're mis-using "validation" -the issue is verification (does something mathematically match). Nothing more.
Niko: Opinion as someone who has been involved the PGP and TBT GPD ecosystem for a while it's a mess it's hard to use it's bad the X.509 signing system is not exactly user-friendly either so I do think the idea of creating you know a better standard for signing off on facts is an absolutely great thing to have.
Niko: Like my my only angle here is like does this require blockchain and if again like if the technology for time-stamping a certain fact is already here doesn't need a blockchain system so in your example like if you have the mechanism to demonstrate that you ordered it some sort of you know regulatory requirements then you can record that fact in say they verifiable credential.
Niko: or like a is of some.
Niko: Mint and then you can have that timestamped by a timestamping server for example like this technology already exists like I don't think the complexity overhead of doing a DLT adds anything of value here stomach hurts.
Harrison_Tang: Thank you Markus.
Mike Prorock: Filthy mind meeting.
Markus Sabadello: I wanted to say just a few words about the question of how do you prevent someone else from claiming the same DID with a different document so that is the job of the DID method to to ensure that right in most in most DID methods you cannot actually arbitrarily choose your DID so you cannot just claim any any string as a as a DID but in.
Markus Sabadello: Says that the.
Markus Sabadello: Currently it's cryptographically your boy did mess up to be unique for example one of the earliest blockchain based DID methods which was BTCR in that case the DID is not for example a UUID that you can just claim and write the blockchain but in that case the DID is actually an address on the blockchain it's a pointer to a specific transaction on the chain and that will only ever point to one.
Markus Sabadello: Place on the on the blockchain.
Markus Sabadello: You cannot associate another DID document and claim that as yours with some other DID methods like did:key for example the DID itself is derived from from a public key right so that the DID itself is your key so you cannot you cannot just use a different DID document and the claim that to be the correct document.
Markus Sabadello: This is what DID methods are expected to guarantee this is what DID resolution process makes sure that you actually get the correct DID document for the DID and in the in the DID specification we also use the term of a verifiable data registry right so that there's the assumption that the identity document is created and then resolved.
Markus Sabadello: From some kind of.
Markus Sabadello: Data layer or data network and so it simply doesn't work like that where anyone can just claim an identifier and and then associate the document you have to go through the creation and resolution process defined by the DID method.
Niko: Right thanks thanks a lot so this kind of brings me maybe a bit back to the what is the concrete like workflow and or use case here that that argument damaged right because like.
Kristina: Yeah can I can I speak to that I'm next on the Queue and I think we have four minutes left.
Kristina: Yeah so you know we can discuss multiple deployment models multiple seems to be written on blockchain and I think you're right side like I blockchain is not an absolute necessity in realizing the issuer holder verifier model that verifiable credentials enable but it can be useful right and one place it can be useful is writing the actual decentralized identifiers on the chain and why because it mainly the idea.
Kristina: Of the user's individual users right.
Kristina: So I'm sure as you.
Kristina: Verifiable credentials when they are presented as verifiable presentations with holder binding they need the verifier needs the holder's keys to verify the signature on the presentation and if it's a signature by an issuer which is you know usually a company an enterprise to get the keys of that company you know you can use multiple existing mechanisms like X.509 certs or you know .well-known JWKS URI like.
Kristina: like what not but how do you find the keys.
Kristina: The individual user seriously like if it's a user's you know you we can't expect every single individual to host a domain so we can put those .well-known and then attach a JWKS URI we can expect to issue X.509s to a single individual on so that's where you know can we have this public place and again we can debate what kind of blockchain type is best suited but can we have this public place where anyone can look at that.
Kristina: identifier to psyche so be able to verify that.
Kristina: Holder binding signature on the verifiable presentation and to your point and the reason why I said it's not absolute necessity because if you don't care about key rotation and you don't care about finding any other information other than just public keys because you can put not just public keys but other information other service endpoints to the DID document too like if you don't care about that go ahead and pass a raw public key in a verifiable credential so the verifier just you know uses.
Kristina: a raw public key to verify the signature on the presentation.
Kristina: Is where the.
<markus_sabadello> See this old repo for a loooong list of (mostly dead) "blockchain identity" projects: https://github.com/peacekeeper/blockchain-identity
Kristina: Blockchain piece would not be needed but if you want if you want key rotation if you want that you know the DID document extensibility that the DIDs will give you like it becomes an option writing that users holders DIDs like on the chain like that's I think the minimum.
Niko: So I thought that that was that was a lot again as I said in the beginning right like SSI or DIDs is not exactly my my big specialty I'm more in the blockchain world so I do want to make one quick comment I think we're almost out of time but you mentioned like can we have a public place to look up an identifier to a key and the GDPR answer is no we cannot not if you cannot have if you don't have.
Niko: have the option to remove the identifiers to.
Greg Bernstein: Example: https://keys.openpgp.org/
Niko: Gene mapping from that ledger and that is kind of literally the text and in GDPR yeah I think we're kind of out of time but I'm happy to take more questions offline I think my email address is putting them in it somewhere.
Harrison_Tang: No I haven't included that but Niko we can follow up after the meeting and then and then we can send over the contact information to those who want to follow up.
Mike Prorock: Yeah and honestly some of this discussion is detailed enough you know just like chair hat on and jumping in since we're like out of time but like you know Niko if you don't mind I mean having some of this discussion on the list could be really helpful because there's a lot of interesting nuance here and this is part of what builds up this body of knowledge that lets us actually go ask and answer these questions better in the future and refine them and identify questions we didn't think about asking et cetera so.
Niko: I'm happy to join discussions on the list are.
<keith_kowal> Thanks Niko!
Niko: Thanks for having me.
Harrison_Tang: Thank you thank you Niko and thanks everyone for joining the this week's at w3c ccg meeting again Niko thanks a lot for taking the time to present your findings and then thanks everyone for a very interesting discussion thanks a lot bye.
Niko: Well again thank you very much.
Harrison_Tang: Oh no thank you thanks a lot no like as I mentioned earlier there might be some good conversations from this so thank you for taking the time you know to answer them in a very methodical manner so thanks a lot.
Niko: Yeah I mean as I said before right I love being challenged I'm obviously biased right I'm obviously coming from the kryptos and blockchain skeptic universe and its really good stuff to have these kind of conversations also in your own voice chat and not just in a text format because it's really it.
Niko: it's good Team Challenge.
Niko: I really enjoyed this and I'll have things to think about.
Harrison_Tang: Yeah definitely I think you know that's the main goal I think to have great conversations and you know I really appreciate you taking your time here because I kind of know this my some conversations back and forth so I appreciate you coming coming into the meeting thanks a lot.
Niko: Yeah it's been a pleasure I got to run into my next meeting thank you so much have a good one.
Harrison_Tang: Cool and then I'll send you a follow-up email and thank you and if you have anything to add or anything that you want to take off lines and just let me know and I can make those introductions and connections I haven't gone by.