Harrison_Tang: Alright so thank you for joining today's w3c ccg meaning today we're very glad to have like Isaac Manu line Oscar Constantine to actually present and lead a discussion on list of verifiable issuers and verifiers before we get to the main agenda just want to do the admin stuff the regular admin stuff first so first of all just want. ✪
Harrison_Tang: About the code of ethics and professional conduct reminder just want to make sure that we'd be respectful to each other obviously we have been doing that for years but just want to remind that. ✪
Harrison_Tang: Quick IP note anyone can participate in these calls however all substantive contributions to any CG work items must be members of the ccg with for IPR agreements signed make sure you have a w3c account as well as signing the w3c's w3c community contributor license agreement if you have any questions on those things please reach out to any of the cultures. ✪
Harrison_Tang: Right so these meetings are recorded and the meeting minutes will be published within a few days I think we have been relatively discipline about that in the last few month but if you want to get any recordings or minutes and you don't see them to reach out to any of the cultures. ✪
Harrison_Tang: GT chat 2q the speakers during the call and you can type in Q + to add yourself to the queue or q- to remove it you can do Q question to see who's in the queue. ✪
Harrison_Tang: All right just want to get you the introductions and reintroductions if you're new to the community or you haven't been active and you are re-engaging with a community please feel free to unmute yourself. ✪
Harrison_Tang: So Oscar I'm gon call on you a little bit do you mind kind of introduce yourself a little bit as well as you are cool YouTube intentional and puzzles that you are solving just say a few words. ✪
Oskar_van_Deventer_(TNO): Let's just introduce my professional Persona and postcard from Dave Hunter and we didn't you know I'm responsible for the knowledge development and standardization on SSI Technologies so we do a lot of t n 0 by the way it should touch Research Institute and we do a lot of how do you say this Consortium projects or collaborative projects we are together with groups of stakeholders. ✪
Oskar_van_Deventer_(TNO): we build things like within the Dutch blockchain. ✪
Oskar_van_Deventer_(TNO): Collaborating on SSI pilot. ✪
Oskar_van_Deventer_(TNO): Oh and I have been responsible for the SF lab program that finished a few months ago in which many European ship grantees were sponsored to build SSI Technologies and also to build Solutions and demonstrate them in customer project. ✪
Harrison_Tang: Cool thank you thanks again for taking the time to present it join us today any other introductions were reintroductions. ✪
<wendy_seltzer> /me Line Kofoed, we couldn't hear you
Harrison_Tang: Well thank you thank you Isaac thank you for taking the time and look forward to your presentation in a few minutes all right line do you mind please introduce yourself a little bit thank you. ✪
Harrison_Tang: Sorry I think we cannot hear you. ✪
Harrison_Tang: You might want to join with a different browser. ✪
<manu_sporny> please sign the letter ^^^ (if you want the feature)
Harrison_Tang: Okay all right let's get to the main agenda so today very glad and very happy to have Isaac mon you Lena and the Oscar and Constantine to present and be the discussion on this of verifiable issuers and verifiers this work focus on how a party or its agents can decide whether or not to engage with the counterparty in the transaction answering questions like can I trust X to do why is that. ✪
Harrison_Tang: diploma from a recognized University or should the. ✪
Harrison_Tang: Authorized verifier so personally I'm quite interesting this topic because I thought the trust framework the governance a lot of times are actually more important than the technology itself so I look forward to the presentation and discussion so I take the floor is yours. ✪
Harrison_Tang: Sorry Isaac are you okay with taking a question right now or you want to wait till the end. ✪
Harrison_Tang: Okay alright Andres you have a question. ✪
Harrison_Tang: All right we can come back to Andres later but Bob you have a short question was just take two questions. ✪
<andres_uribe> Sorry that was accidental
<harrison_tang> no worries
Oskar_van_Deventer_(TNO): That's later in the presentation. ✪
<manu_sporny> bobwyman -- the list IS a VC :)
<manu_sporny> (though that's not clear at this point in the presentation)
<manu_sporny> So, "look in the list" means "look in the list, which is contained in a VC".
<pl/t3_asu> Does "look" mean that the org on the list's status is checked to verfiy it's current (not revoked or expired)?
<pl/t3_asu> I think that might have been the confusion previously expressed ;-)
<manu_sporny> (in that the list has validFrom/validUntil data, revocation data... and the list is expected to be kept up to date)
<pl/t3_asu> This is a form of trust registry.
<smagennis> The list 'owner' then is the certifying body that states both that an individual entity in the list is correctly represented AND that the totality of the list is correctly represented?
<bobwyman> I'm concerned about having access to information that is not relevant to my query. When looking at the list, do I discover anything about members of the list who are not the subject of my immediate interest?
<manu_sporny> @smagennis -- yes, correct (IIUC)
<manu_sporny> @bobwyman -- you get a list of all issuers for that assurance community -- so "A list of all entities that issue driver's licenses for your locality" or "A list of all physicians in your locality" and so on.
<pl/t3_asu> @manu - why would you need the whole list and no simply the answer to is the verifier I'm using valid or not? (on the list and of good standing)
<manu_sporny> if you want to ask questions like that, you'll be asking them of a centralized system, which will then track you :)
<pl/t3_asu> No, it's analogous to a ZKP - is this statement true? Or am I missing something?
<george_lund_(gds)> For parties identified by DIDs, it's clear how the key material will be retrieved. For parties identified by HTTP URIs (or I suppose UUIDs) does anyone know of standards for publishing keys? (We are leaning towards did:web but wondering about prior art, that doesn't eg clash with OIDC key material in JWKS)
<manu_sporny> You /could/ have the assurance community issue those VCs, but think about how you'd try to deploy something like that... where each issuer has to issue 2 VCs... 1) whether they're a "valid issuer", and 2) how many authorities have to issue those, and 3) that every Holder will have to carry every variation from each assurance community.
<manu_sporny> @PL/T3_ASU you might be presuming ONE centralized assurance community... vs. the more decentralized (there might be multiple assurance communities).
<smagennis> But you still need to know in advance which assurance community(s) to trust
<pl/t3_asu> @manu - yes I was assuming that you'd be primarily interested in a community relevant to your domain focus. Not that you'd be interested in several.
<manu_sporny> @smagennis yes, you do.
<manu_sporny> @PL/T3_ASU the position we're going from is "there might be multiple assurance communities you care about"
<pl/t3_asu> @manu - critical distinction. Thanks.
<manu_sporny> that is, it's easy to design for ONE centralized assurance body... harder to design for multiple assurance bodies.
<drummond_reed> I think we have to assume thousands or millions of assurance communities.
<manu_sporny> yes, +1 to Drummond. "You and your friends" could be viewed as an "assurance community"
<smagennis> @PL/T3_ASU, but you would need to know about them in advance, correct?
<bobwyman> Is it assumed that these lists are "small?" (for some value of small...)
<pl/t3_asu> Is there a link to this preso?
<harrison_tang> it's attached to the email sent to the community about this event
<manu_sporny> @PL/T3_ASU @smagennis yes, kinda... in general, you probably need to know about them in advance... OR, you can have them delivered to you as VCs and then decide (though, that's a fairly advanced use case)
<pl/t3_asu> Thanks @Harrison
<lucy_yang> @smagennis, TRAIN can support the discovery of trust lists too.
Paul_Dietrich_GS1: Yeah yeah thanks I'll take about two or three slides back where you had the json-ld example of bottom of that there's a your some background noise at the bottom of that list you kind of the language there it looks like where you're trying to restrict the contents of that scheme of further okay oops Yeah it's right there in the authorized to issue data element you've got a credential schema but then there's something down there. ✪
Paul_Dietrich_GS1: Schema property inside the credential schema can you describe what that is. ✪
<lucy_yang> You need to discover them and then get to the trust building part...
Paul_Dietrich_GS1: Yeah fantastic thanks Monty so that schema property there is actually a schema like the thing has to be a Json schema and it's any Json schema. ✪
Paul_Dietrich_GS1: Yeah I like that flexibility mono and it might be worth putting a link to a scheme as well not just the embedded schema to support either. ✪
<pl/t3_asu> That's a great way to designate who within a larger org has registrar approved authority for the credential being checked. Nice!
Harrison_Tang: But I have a question like this looks like a white list of protein sometimes like verifies like to approach it with a blacklist approach right so can this can this proposal be modified to to kind of enable Blackness approach to this I guess the - of verifiable issuers and presenters. ✪
Harrison_Tang: Thank you and Mom you you have a comment about that he nihilist. ✪
Harrison_Tang: Thank you and carry you are next on the key. ✪
<manu_sporny> Kerri, the "technical" answer to your question is: Just publish an updated VC. It works just like publishing a revocation list.
PL/T3_ASU: Thank you first of all I was carries comment in the latter question that I don't want you just ask is relevant to what I was interested in following up on I'll start by just saying how valuable I think this is going to be because as scary implied at particularly at institutions that are somewhat larger complex the registrar's typically have a binary choice of either having something go through a particular process. ✪
PL/T3_ASU: that typically is academic senate or something like that. ✪
PL/T3_ASU: Forever and the likelihood of getting things like that through is low or giving her another or he or she another opportunity to have a list of those departments that have or schools or whatever the unit maybe that have permission to issue a particular kind of credential relevant to their their program or what have you and giving that kind of flexibilities is a hugely valuable opportunity and let that let the process of how. ✪
PL/T3_ASU: it goes through the internal governance of the institution be a separate one so that's. ✪
PL/T3_ASU: Huge plus 1 that and and secondly the Fidelity or the or the granularity I should say of the credential type will become a hugely valuable at add-on because there are what 29 different types of credentials for just the obv three type of single assertion verifiable credential and in those in you know institutions of that sort are notable for their in. ✪
<smagennis> @bobwyman, who would be the 'owner' of such large lists?
<dmitri_zagidulin> @bobwyman - although I don't think list size matters, the spec should have a pagination mechanism
<dmitri_zagidulin> because you're essentially asking "what's the size of a database?". well, how much memory/disk space you got?
<george_lund_(gds)> it sounds like a thing you could bolt on to ActivityPub :-)
<manu_sporny> @bobwyman -- there doesn't have to be a single owner since the data model allows the data to be combined/composed together... so, what we're probably talking about is merging LOTS of little lists.
<sandy_aggarwal> Coming from a bank tech side, I heavily use "Effective Date" and "Expiration Date" logic. Are you planning to include such attributes?
<manu_sporny> @dmitri -- remember that pagination might be difficult since these are VCs... so if you have aggregated lots of VCs (lists of issuers), you could paginate those... but pagination among items might be more difficult.
<manu_sporny> @Sandy VCs have "validFrom" and "validUntil", and these lists can be represented as VCs... so the answer to your banktech questions is: "Yes, they have expiry information."
Harrison_Tang: All right Paul your next on the queue. ✪
Paul_Dietrich_GS1: Yeah I think I like the flexibility in this data model so plus 1 I think it might be valuable to look at use cases within the development of this that aren't just lists meaning that are also doing issuers where this is passed down in a distributed way so for example all we have millions of members and creating a list for them would be possible but using this data model the issue them certificates that show their verifiable and having them present those I think would be. ✪
Paul_Dietrich_GS1: If the group could come to consensus on the data it contains. ✪
Harrison_Tang: All right Sandy your next time thank you. ✪
<kerri_lemoie> @lucy - I was king about the approved credentials that issuers are allowed to issue. In Open Badges there's a concept of an achievement that may be described by one organization and issued by someone else but many are concerned about knowing if issuers have permission to issue credentials contaning that content.
Sandy_Aggarwal: Yeah hi thanks I think manual already answered my question so I thank the developed from invalid to I think kind of dress the effective date logic so essentially anything we're coming in I think I can talk to take discussion offline with somebody but I'm wondering how the actual Logistics behind this is actually gonna work if you have like a huge list of users that they are all or issuers and they all have their effective dates and. ✪
Sandy_Aggarwal: dates keep changing like the how do we manage the auditing part of that so let's. ✪
<pl/t3_asu> @Drummond - BC Gov's Org Book scales to how large approximately? I'm guessing tens of thousands but I may be an order of magnitude off
Sandy_Aggarwal: You have an existing issuer and the effective to date have rules from the end of this quarter to the next quarter or the next year so do we just try cut the existing where I could do a new one so I guess I have some questions about that maybe we can come back that later on given that it's almost 1:00. ✪
Sandy_Aggarwal: If you think as I can I'll probably try to read more the South Point a we'll see if I can try to find some specific answer I think I think just living off with 10 second thing is in my opinion what happens that a city like ongoing at it's like especially if you have a huge massive scale like that becomes a challenge because then like how do we really go to single source of Truth in that cases like if things getting constantly added in. ✪
Sandy_Aggarwal: in that key for web special with the with the dates in there. ✪
Sandy_Aggarwal: So you have a dead you know it's on top of that like you know you always got to check all the other way to beat with that you know with the with dates everything and obviously day Scott all correlate to a standard date like whether this UTC or something not just Regional date. ✪
Sandy_Aggarwal: I think I'll lead the full thanks. ✪
<smagennis> @Sandy, yes large lists == large liability
Harrison_Tang: Thanks Andy thanks Isaac I think where I write time so thanks a lot thanks again Isaac on you Lena Oscar and Constantine for a great discussion I think today's today is one of the most active discussions we had and so thank you. ✪
<kerri_lemoie> Thanks for introducing this! Looking forward to more discussions about it.
<drummond_reed> Most excellent presentation and discussion. Thanks!
<pl/t3_asu> Great work
Harrison_Tang: All right that concludes our that concludes that this week's at w3c ccg meaning I will publish the meeting notes in by tomorrow and you can look at upcoming agenda in the link in the email tab set up right thanks thanks a lot have a good one bye. ✪
<bobwyman> Also, is there any way for a member of the list to restrict the list of those authorized to see if they are on the list?