The W3C Credentials Community Group

Meeting Transcriptions and Audio Recordings (2014-today)



W3C CCG Weekly Teleconference

Transcript for 2023-03-07

Our Robot Overlords are scribing.
Harrison_Tang: Alright, so thank you for joining today's W3C CCG meeting. Today we're very glad to have like Isaac, Manu, Line, Oskar, and Constantine to actually present and lead a discussion on list of verifiable issuers and verifiers. Before we get to the main agenda, just want to do the admin stuff, the regular admin stuff, first. So first of all, just want.
Harrison_Tang: to remind everyone.
Harrison_Tang: About the code of ethics and professional conduct reminder just want to make sure that we'd be respectful to each other obviously we have been doing that for years but just want to remind that.
Harrison_Tang: Quick IP note: anyone can participate in these calls; however, all substantive contributions to any CG work items must be members of the CCG with full IPR agreements signed. Make sure you have a W3C account as well as signing the W3C Community Contributor License Agreement. If you have any questions on those things, please reach out to any of the co-chairs.
Harrison_Tang: Right, so these meetings are recorded and the meeting minutes will be published within a few days. I think we have been relatively disciplined about that in the last few months, but if you want to get any recordings or minutes and you don't see them, reach out to any of the co-chairs.
Harrison_Tang: Jitsi chat to queue the speakers during the call, and you can type in q+ to add yourself to the queue or q- to remove it. You can do q? to see who's in the queue.
Harrison_Tang: All right, just want to get to the introductions and reintroductions. If you're new to the community, or you haven't been active and you are re-engaging with a community, please feel free to unmute yourself.
Harrison_Tang: So Oscar I'm gon call on you a little bit do you mind kind of introduce yourself a little bit as well as you are cool YouTube intentional and puzzles that you are solving just say a few words.
Oskar_van_Deventer_(TNO): Let's just introduce my professional persona. I'm Oskar van Deventer, and within TNO I'm responsible for the knowledge development and standardization on SSI technologies. So we do a lot of... TNO, by the way, is a Dutch research institute, and we do a lot of, how do you say this, consortium projects or collaborative projects, we are together with groups of stakeholders.
Oskar_van_Deventer_(TNO): we build things like within the Dutch blockchain.
Oskar_van_Deventer_(TNO): Collaborating on SSI pilot.
Oskar_van_Deventer_(TNO): Oh and I have been responsible for the SF lab program that finished a few months ago in which many European ship grantees were sponsored to build SSI Technologies and also to build Solutions and demonstrate them in customer project.
Harrison_Tang: Cool, thank you, thanks again for taking the time to present and join us today. Any other introductions or reintroductions?
<wendy_seltzer> /me Line Kofoed, we couldn't hear you
Harrison_Tang: Well, thank you, thank you Isaac, thank you for taking the time, and look forward to your presentation in a few minutes. All right, Line, do you mind please introduce yourself a little bit? Thank you.
Manu Sporny: We can hear your audio in a Porsche.
Harrison_Tang: Sorry I think we cannot hear you.
Manu Sporny: Not, yeah, we cannot, sorry Line.
Harrison_Tang: You might want to join with a different browser.
Harrison_Tang: If Chrome should work.
<line_kofoed> I'm in Chrome
Harrison_Tang: Yeah I think we cannot hear you so if you don't mind I'll call you later you can meet well yes yes perfect.
Harrison_Tang: Thank you, thank you Line, thanks a lot.
Harrison_Tang: Any other introductions or reintroductions?
Harrison_Tang: All right let's get to the announcements and reminders anyone have announcements or reminders to the community.
Manu Sporny: Yes, sorry, I'm a bit unprepared for this, but there is an email that went out last week around feature freeze for the Verifiable Credentials Working Group, so that group is going to basically stop accepting new proposals, new work items, at the end of this month, so in about three weeks. There are some things that we're trying to get.
Manu Sporny: Get in.
Manu Sporny: And we could use support from organizations in this group. One of them is the ECDSA Data Integrity cryptosuite, so there was an email that went out asking if companies want hardware-backed security, HSM support, and they're using Data Integrity, please sign the letter of support there to say that you're interested in seeing the group standardize that. There will also be a request coming.
Manu Sporny: Out probably next week or the week after.
Manu Sporny: Stir to request support for BBS signatures, that's the unlinkable signatures, pairing-based cryptography that allows you to do things like selective disclosure and different signatures each time you present, to enhance kind of privacy when using verifiable credentials. So if you're an implementer, if you're an organization that.
Manu Sporny: Needs either one of those two.
Manu Sporny: Please make sure to take the time to put your name on the letter of support to the verifiable credentials working group that's it.
Harrison_Tang: Manu, thank you.
Harrison_Tang: Are there any other announcements?
Harrison_Tang: Any comments or new work items that people want to bring up.
<manu_sporny> Demonstration of Support for ECDSA Data Integrity Cryptosuite here: https://docs.google.com/document/d/1wcEg1P3AXOF0tUwzgNo_2IDLC_vBJNEGJRg_5JfprRM/edit
<manu_sporny> please sign the letter ^^^ (if you want the feature)
Harrison_Tang: Okay, all right, let's get to the main agenda. So today very glad and very happy to have Isaac, Manu, Line, Oskar, and Constantine to present and lead the discussion on list of verifiable issuers and verifiers. This work focuses on how a party or its agents can decide whether or not to engage with the counterparty in the transaction, answering questions like: can I trust X to do Y? Is that.
Harrison_Tang: diploma from a recognized university, or should the.
Harrison_Tang: Authorized verifier. So personally I'm quite interested in this topic, because I thought the trust framework, the governance, a lot of times are actually more important than the technology itself, so I look forward to the presentation and discussion. So Isaac, the floor is yours.
Harrison_Tang: Sorry Isaac are you okay with taking a question right now or you want to wait till the end.
Harrison_Tang: Okay alright Andres you have a question.
Harrison_Tang: I'm drinks a few on me.
Harrison_Tang: All right we can come back to Andres later but Bob you have a short question was just take two questions.
Bob Wyman: Yeah I'm wondering when you say that somebody is in the list how literal.
<andres_uribe> Sorry that was accidental
<harrison_tang> no worries
Bob Wyman: Should we interpret that? Is it that there is actually a list, or can it be simply that somebody has, for instance, a VC that indicates that they are, that they have an attribute, that attribute being that they are a member of the list?
Bob Wyman: I guess the question is does anybody actually need to look to know to see the list or do they just look on the look or they just look at the VC that says that one is in the list.
Bob Wyman: Okay, be great if at some point you could explain why it's necessary to have anyone look at the list instead of just relying on a VC that says that someone is in the list. Okay, that's.
Oskar_van_Deventer_(TNO): That's later in the presentation.
<manu_sporny> bobwyman -- the list IS a VC :)
<manu_sporny> (though that's not clear at this point in the presentation)
<manu_sporny> So, "look in the list" means "look in the list, which is contained in a VC".
<pl/t3_asu> Does "look" mean that the org on the list's status is checked to verify it's current (not revoked or expired)?
<manu_sporny> yes
<pl/t3_asu> I think that might have been the confusion previously expressed ;-)
<manu_sporny> (in that the list has validFrom/validUntil data, revocation data... and the list is expected to be kept up to date)
<pl/t3_asu> :+1:
<pl/t3_asu> This is a form of trust registry.
<smagennis> The list 'owner' then is the certifying body that states both that an individual entity in the list is correctly represented AND that the totality of the list is correctly represented?
<bobwyman> I'm concerned about having access to information that is not relevant to my query. When looking at the list, do I discover anything about members of the list who are not the subject of my immediate interest?
<manu_sporny> @smagennis -- yes, correct (IIUC)
<smagennis> thanks!
<manu_sporny> @bobwyman -- you get a list of all issuers for that assurance community -- so "A list of all entities that issue driver's licenses for your locality" or "A list of all physicians in your locality" and so on.
<pl/t3_asu> @manu - why would you need the whole list and not simply the answer to is the verifier I'm using valid or not? (on the list and of good standing)
<manu_sporny> if you want to ask questions like that, you'll be asking them of a centralized system, which will then track you :)
<pl/t3_asu> No, it's analogous to a ZKP - is this statement true? Or am I missing something?
<george_lund_(gds)> For parties identified by DIDs, it's clear how the key material will be retrieved. For parties identified by HTTP URIs (or I suppose UUIDs) does anyone know of standards for publishing keys? (We are leaning towards did:web but wondering about prior art, that doesn't eg clash with OIDC key material in JWKS)
<manu_sporny> You /could/ have the assurance community issue those VCs, but think about how you'd try to deploy something like that... where each issuer has to issue 2 VCs... 1) whether they're a "valid issuer", and 2) how many authorities have to issue those, and 3) that every Holder will have to carry every variation from each assurance community.
<manu_sporny> @PL/T3_ASU you might be presuming ONE centralized assurance community... vs. the more decentralized (there might be multiple assurance communities).
<smagennis> But you still need to know in advance which assurance community(s) to trust
Manu Sporny: Isaac could you zoom in it's really hard to see any of that text if you don't mind if it's possible.
Manu Sporny: There we go.
Harrison_Tang: That was perfect.
<pl/t3_asu> @manu - yes I was assuming that you'd be primarily interested in a community relevant to your domain focus. Not that you'd be interested in several.
<manu_sporny> @smagennis yes, you do.
<manu_sporny> @PL/T3_ASU the position we're going from is "there might be multiple assurance communities you care about"
<pl/t3_asu> @manu - critical distinction. Thanks.
<manu_sporny> that is, it's easy to design for ONE centralized assurance body... harder to design for multiple assurance bodies.
<drummond_reed> I think we have to assume thousands or millions of assurance communities.
<manu_sporny> yes, +1 to Drummond. "You and your friends" could be viewed as an "assurance community"
<smagennis> @PL/T3_ASU, but you would need to know about them in advance, correct?
<bobwyman> Is it assumed that these lists are "small?" (for some value of small...)
<pl/t3_asu> Is there a link to this preso?
<harrison_tang> it's attached to the email sent to the community about this event
<manu_sporny> @PL/T3_ASU @smagennis yes, kinda... in general, you probably need to know about them in advance... OR, you can have them delivered to you as VCs and then decide (though, that's a fairly advanced use case)
<pl/t3_asu> Thanks @Harrison
<lucy_yang> @smagennis, TRAIN can support the discovery of trust lists too.
Harrison_Tang: Thank you Isaac Paul I think you're on the list on the queue.
<smagennis> @Lucy, discovery yes, trust - ...maybe
Paul_Dietrich_GS1: Yeah yeah thanks I'll take about two or three slides back where you had the json-ld example of bottom of that there's a your some background noise at the bottom of that list you kind of the language there it looks like where you're trying to restrict the contents of that scheme of further okay oops Yeah it's right there in the authorized to issue data element you've got a credential schema but then there's something down there.
Paul_Dietrich_GS1: they're below.
Paul_Dietrich_GS1: Schema property inside the credential schema can you describe what that is.
<lucy_yang> You need to discover them and then get to the trust building part...
Steve Magennis: :+1:
Manu Sporny: Yeah, basically that schema is a more fine-grained matching thing. The idea here is that in this, you know, this is a university registrar and it's basically talking about, like, all of the colleges that are allowed to issue, you know, a degree, understanding that not every, some organizations don't operate like that, right? But this authorized to issue field is basically saying the.
Manu Sporny: Identifies this entity as authorized to issue this University degree credential. In this credential, once you match on University degree credential, you have to make sure that that credential also matches this state, the UA state. So this is the University of Utopia, so UA is the state in which the University of Utopia.
Manu Sporny: Yeah, you know, exists, so the.
Manu Sporny: As a matching mechanism, so you can in a broad sense say this entity is authorized to issue this credential, this type of credential, and more specifically that credential has to have these fields in it for this list to apply to it.
Paul_Dietrich_GS1: Yeah, fantastic, thanks Manu. So that schema property there is actually a schema, like the thing has to be a JSON schema, and it's any JSON schema.
Manu Sporny: Yeah, that's right. Yeah, in theory, I mean, you know, this is a bit of a hand wave right now, right, we're very early in the process, but yes, the expectation is that you'd put a JSON schema in there, and that would match against the credential to determine if, you know, this list covers that type of degree.
Paul_Dietrich_GS1: Yeah, I like that flexibility, Manu, and it might be worth putting a link to a schema as well, not just the embedded schema, to support either.
<pl/t3_asu> That's a great way to designate who within a larger org has registrar approved authority for the credential being checked. Nice!
Harrison_Tang: But I have a question. Like, this looks like a whitelist approach. Sometimes, like, verifiers like to approach it with a blacklist approach, right? So can this proposal be modified to kind of enable a blacklist approach to this, I guess the list of verifiable issuers and presenters?
Harrison_Tang: Thank you, and Manu, you have a comment about that, the deny list.
Manu Sporny: Yeah, so, you know, allow lists and deny lists. One of the arguments against deny lists is that listing all the people that are not supposed to do something is a really difficult thing to do when you're dealing with, like, criminal organizations, right? Because the second they're on the list they figure out a different way, and remember that these are, like, lists of decentralized identifiers, which are, like, in general incredibly easy to get and generate a new one for, so.
Manu Sporny: A deny list is a constant game of whack-a-mole, right? The only.
Manu Sporny: You're able to do that is when you're potentially, you know, dealing with the nation state that doesn't see any reason they need to change, you know, their ID. So one of the arguments here is focus on allow lists and just state the entities that you trust to deal with these types of credentials, and by default everybody else is not on that allow list, right? And that's the way you deal with kind of bad.
Manu Sporny: Actors in the system, so it's more of kind of like a.
Manu Sporny: Carrot than a stick-based approach, because if you take the stick-based approach with, like, an identifier that is massively cheap to mint a new one, you're probably never going to be able to list all the bad actors or all the bad identifiers for all the bad actors. That's.
Harrison_Tang: Thank you, and Kerri, you are next on the queue.
Kerri Lemoie: Thanks, two questions, if you don't mind, I'll be quick. The one is how do you handle updates to this list, which are certain to happen pretty frequently, and then the second one would come from the Open Badges community, because I've heard it quite a bit: will there be a consideration to add things like this issuer is allowed to issue this very specific credential, not a schema type but actual, you, description of a credential.
Kerri Lemoie: Which they have that concept of in Open Badges.
Kerri Lemoie: Familiar with that.
Kerri Lemoie: Yeah I wish her well let's do one question at a time I'm sorry the first one was how does this system handle updates to this list.
<manu_sporny> Kerri, the "technical" answer to your question is: Just publish an updated VC. It works just like publishing a revocation list.
<lucy_yang> If anyone is interested in the pilot work Issac is referring to, you can find more info here: https://www.sparkblue.org/Regi-TRUST
<manu_sporny> (which is a type of VC)
Kerri Lemoie: Okay, yeah, I was curious about that, because you can imagine that maybe multiple listings of each issuer might be needed to represent historical context or something like that. The last one was, we often get these copyright questions where we say, okay, this issuer is allowed to issue this very specific credential. I see schema in here and I was wondering if there was a consideration to do something like that.
Kerri Lemoie: Okay thanks Isaac.
Harrison_Tang: All right, PL/T3, you're next in the queue.
PL/T3_ASU: Yes you hear me okay.
PL/T3_ASU: Thank you. First of all, I was, Kerri's comment in the latter question that I don't want you just ask is relevant to what I was interested in following up on. I'll start by just saying how valuable I think this is going to be, because as Kerri implied, particularly at institutions that are somewhat larger, complex, the registrars typically have a binary choice of either having something go through a particular process.
PL/T3_ASU: that typically is academic senate or something like that.
PL/T3_ASU: Forever and the likelihood of getting things like that through is low or giving her another or he or she another opportunity to have a list of those departments that have or schools or whatever the unit maybe that have permission to issue a particular kind of credential relevant to their their program or what have you and giving that kind of flexibilities is a hugely valuable opportunity and let that let the process of how.
PL/T3_ASU: it goes through the internal governance of the institution be a separate one so that's.
PL/T3_ASU: Huge plus 1 to that, and secondly, the fidelity, or the granularity I should say, of the credential type will become a hugely valuable add-on, because there are, what, 29 different types of credentials for just the OBv3 type of single-assertion verifiable credential, and in those, you know, institutions of that sort are notable for their in.
PL/T3_ASU: in in.
PL/T3_ASU: Channel complexity shall we say thanks.
Harrison_Tang: Cool next we have Bob.
Bob Wyman: Yeah thanks is interesting presentation I wonder though if you could say anything about the your your assumptions concerning the size of these lists you know clearly a list with.
Bob Wyman: A presents a different processing problem than a list with maybe 100 million members.
Bob Wyman: Um you know what can you just say something about you know what where do you what do you think is a reasonable size list what size list are you targeting does list size matter what should we do when lists become very large Etc.
Bob Wyman: Okay I guess an application I'd be think of is imagine you have millions of self Sovereign Social Web users each of whom is able to issue certificates describing essentially The credibility of other people so there you would have potentially millions of of of issuers right.
<pl/t3_asu> s./in in/ /
<smagennis> @bobwyman, who would be the 'owner' of such large lists?
<dmitri_zagidulin> @bobwyman - although I don't think list size matters, the spec should have a pagination mechanism
<dmitri_zagidulin> because you're essentially asking "what's the size of a database?". well, how much memory/disk space you got?
<george_lund_(gds)> it sounds like a thing you could bolt on to ActivityPub :-)
<manu_sporny> @bobwyman -- there doesn't have to be a single owner since the data model allows the data to be combined/composed together... so, what we're probably talking about is merging LOTS of little lists.
Harrison_Tang: Thank you Lucy you're next.
Lucy Yang: Yeah thank you I have a clarification I'm a success so this format you're trying to standardize is its implementation agnostic right I could like the train can implement this or something else that using different technology you can also implement this is that the idea for for for this work.
<sandy_aggarwal> Coming from a bank tech side, I heavily use "Effective Date" and "Expiration Date" logic. Are you planning to include such attributes?
Lucy Yang: And the credential you're talking about is particular you're trying to standardize here is the credential for issuers and verifiers which certified kind of certify that they are on a trusted list that's the scope is that it.
<manu_sporny> @dmitri -- remember that pagination might be difficult since these are VCs... so if you have aggregated lots of VCs (lists of issuers), you could paginate those... but pagination among items might be more difficult.
Lucy Yang: Okay and these are different from what credentials issuers are issuing right in a particular kind of context.
<manu_sporny> @Sandy VCs have "validFrom" and "validUntil", and these lists can be represented as VCs... so the answer to your banktech questions is: "Yes, they have expiry information."
<drummond_reed> BC Gov's OrgBook already is a fully indexed, scalable registry of VCs. https://bcgov.github.io/TheOrgBook/
Lucy Yang: Okay, okay, cuz I was a little bit confused by the question Kerri asked earlier. I thought she was asking about the issuers issuing credentials instead of the credentials for the issuers, but anyway, thank you.
Harrison_Tang: All right, Paul, you're next on the queue.
Paul_Dietrich_GS1: Yeah, I think I like the flexibility in this data model, so plus 1. I think it might be valuable to look at use cases within the development of this that aren't just lists, meaning that are also doing issuers where this is passed down in a distributed way. So for example, we have millions of members, and creating a list for them would be possible, but using this data model to issue them certificates that show they're verifiable, and having them present those, I think would be.
Paul_Dietrich_GS1: be a valuable model.
Paul_Dietrich_GS1: If the group could come to consensus on the data it contains.
Harrison_Tang: All right, Sandy, you're next. Thank you.
<kerri_lemoie> @lucy - I was asking about the approved credentials that issuers are allowed to issue. In Open Badges there's a concept of an achievement that may be described by one organization and issued by someone else but many are concerned about knowing if issuers have permission to issue credentials containing that content.
Sandy_Aggarwal: Yeah, hi, thanks. I think Manu already answered my question, so I think the validFrom and validUntil, I think, kind of address the effective date logic. So essentially anything we're coming in, I think I can take the discussion offline with somebody, but I'm wondering how the actual logistics behind this is actually gonna work if you have, like, a huge list of users, or issuers, and they all have their effective dates and.
Sandy_Aggarwal: dates keep changing like the how do we manage the auditing part of that so let's.
<pl/t3_asu> @Drummond - BC Gov's Org Book scales to how large approximately? I'm guessing tens of thousands but I may be an order of magnitude off
Sandy_Aggarwal: You have an existing issuer and the effective to date have rules from the end of this quarter to the next quarter or the next year so do we just try cut the existing where I could do a new one so I guess I have some questions about that maybe we can come back that later on given that it's almost 1:00.
Sandy_Aggarwal: If you think as I can I'll probably try to read more the South Point a we'll see if I can try to find some specific answer I think I think just living off with 10 second thing is in my opinion what happens that a city like ongoing at it's like especially if you have a huge massive scale like that becomes a challenge because then like how do we really go to single source of Truth in that cases like if things getting constantly added in.
Sandy_Aggarwal: in that key for web special with the with the dates in there.
Sandy_Aggarwal: So you have a dead you know it's on top of that like you know you always got to check all the other way to beat with that you know with the with dates everything and obviously day Scott all correlate to a standard date like whether this UTC or something not just Regional date.
Sandy_Aggarwal: I think I'll yield the floor, thanks.
<smagennis> @Sandy, yes large lists == large liability
Harrison_Tang: Thanks Sandy, thanks Isaac. I think we're right at time, so thanks a lot, thanks again Isaac, Manu, Line, Oskar, and Constantine for a great discussion. I think today is one of the most active discussions we had, and so thank you.
<kerri_lemoie> Thanks for introducing this! Looking forward to more discussions about it.
<drummond_reed> Most excellent presentation and discussion. Thanks!
<pl/t3_asu> Great work
Harrison_Tang: All right, that concludes our, that concludes this week's W3C CCG meeting. I will publish the meeting notes by tomorrow, and you can look at upcoming agenda in the link in the email tab set up. Right, thanks, thanks a lot, have a good one, bye.
<bobwyman> Also, is there any way for a member of the list to restrict the list of those authorized to see if they are on the list?