W3C

- DRAFT -

Verifiable Claims Working Group

26 Sep 2017


Attendees

Present
Tzviya_Siegman, Dan_Burnett, Ted_Thibodeau, Benjamin_Young, Manu_Sporny, Gregg_Kellogg, colleen_kennedy, Richard_Varn, Dave_Longley, ChristopherA, Kim_Hamilton_Duffy, David_Lehn, David_Chadwick
Regrets
Chair
Dan_Burnett, Matt_Stone, Richard_Varn
Scribe
manu

<scribe> scribe: manu

Agenda Review

Varn: We're going to hear from Tzviya and Benjamin today about RA21 and Verifiable Claims
... Then prioritize W3C TPAC efforts.
... Data Model spec, current milestone progress - what are issues in the way, prioritize, etc.
... Then discuss future agenda topics.

RA21 and Verifiable Claims

<bigbluehat> http://ra21.org/

tzviya: We did discuss this briefly last week. Benjamin and I have been working with RA21 - scholarly publishing community. This is very similar to Education use cases in this group. Wiley publishes many journals and releases them into the library world. A user can be an institution or individual.
... We need to authenticate in many ways, which is bad, we don't want a NASCAR situation. There are issues on the use case. We met with RA21 leadership yesterday to discuss if they want to move forward with Verifiable Claims. They have two pilots going right now, one based on SAML, and another based on an older technology. They want to do a Verifiable Claim Pilot.
... We do need to sit down with them to document the use cases. They're a bit slow with cutting edge tech, so they need more reassurance that this works today.

burn: Ok, thanks - good use cases.

<Zakim> manu, you wanted to discuss SAML and Credential Handler API Demo.

tzviya: There is a good bit of focus on UI - similar interfaces...

<bigbluehat> current SAML related pilot at RA21: http://ra21.org/index.php/pilot-programs/p3-wayf-pilot/

<dlongley> manu: So two things: The SAML thing is interesting partly because we're looking into how to carry VCs across SAML stuff, so that's not out of scope. I understand these older orgs have SAML setups and may be hesitant to move away because of time and energy put into it. We have looked into how to express a VC in a SAML communication and there's a fairly straightforward way of doing it.

<dlongley> manu: It does require some new systems to be set up. But it is compatible with the systems these orgs have set up.

<dlongley> manu: Maybe a way to move forward there.

<dlongley> manu: There is also an email that went out to the list yesterday.

Credential Handler API Polyfill: https://lists.w3.org/Archives/Public/public-vc-wg/2017Sep/0020.html

<dlongley> manu: This goes to your consistent UI thing you're talking about. There's a new Credential Handler API polyfill. A demo video we put out last night that is showing what the UI could look like when moving VCs around.

<dlongley> manu: That may help you and Benjamin to get your mind wrapped around the UI we're talking about. That's experimental stuff but it's out there and works to ship VCs around. Based on both possibilities you've outlined this group has ways of engaging on both of them.

tzviya: Yes, that helps... this is a large group, moves slowly, just giving you a heads up that publishing doesn't move at a rapid pace.

burn: Is there something that you want this group to do as an action item?

tzviya: I need to touch base with RA21 and then I'll follow up with the group.
... To set expectations, it'll be a slow start punctuated with WE NEED IT NOW!
... We'll know more by W3C TPAC.

Benjamin: Thanks to everyone that worked on the polyfill - it looks very close to what RA21 wants wrt. UI, so that's good. We'll both be at TPAC, and I'll be in the VCWG meeting, will provide updates there.

TPAC topic review and planning

<burn> https://goo.gl/8voHZS

burn: If there is something that's not on that list, please put it on there.
... There may be overlap with finish off current milestone and other topics listed. Don't worry about overrunning time, that's a good problem to have.

varn: We only have one discussion leader identified - who can lead discussion on these items? Do we need to assign?

<dlongley> manu: Haven't had the bandwidth to volunteer for anything yet, I will volunteer one thing and may volunteer Longley for another since he'll be in the same room.

burn: Any other volunteers?

Varn: If we get to it, I can volunteer for Claimvelope, Verifiable Credential, Verifiable Profile.

Burn: We're coordinating with other groups now, the Agenda will get more structured going forward.

Data Model Spec - Current Milestone Issues

<burn> https://github.com/w3c/vc-data-model/milestone/3

<Zakim> manu, you wanted to provide update.

https://github.com/w3c/vc-test-suite/tree/gh-pages/tests-1.0

<dlongley> manu: Chris Webber doing travel/client work, not working on test suite this week or next. There have been additional tests added to the test suite, we now have all the tests we need to pass every milestone. The thing that is holding us up is implementations. Chris was on to do implementations but hasn't had enough bandwidth. DB may pick up some of the implementation stuff or at least get our JS based libraries on task to get us past milestone one.

<dlongley> manu: There were a couple of things that came up with creating the test suite. Specifically, the newer sections like evidence field ... how do you list the evidence that was collected to generate the VC ... there's not much we can test there without more discussion. It might be a TPAC discussion topic, we need people to tell us what kind of evidence they want to list with a VC. For example, I issued a Driver's License and the evidence I used was that they

<dlongley> took the paper test, driver test, I saw them in person and verified their SSN and saw their SSN card, etc.

<dlongley> manu: So we need concrete use cases for that evidence field.

<dlongley> manu: Same thing for revocation. We have a simple revocation list thing but we need to discuss the format. Hopefully in the next couple of weeks ... there's not much that can happen with milestone 1 until the test suite is done and I suggest that we move onto other issues until we're unblocked. I hope we have an operational test suite for TPAC.

<kim> manu there are good test scenarios for evidence in education. I can help round some up

Burn: That brings up a point - make good use of TPAC time

Manu: Kim, thanks - that would be super helpful.

<dlongley> manu: I think the issues will naturally slot into the schedule we have. But we may want to triage them. We may want to shove the issues into each one of the issues that have been raised. Identity verification or bundled claim, etc. They should map cleanly to issues we have. That's another way of building the agenda.

Burn: I suspect the Chairs are going to try to balance completing items that can be finished quickly/efficiently and have significant topics to discuss. It may not be a goal of getting all of M1 done by then. TPAC time is valuable for general discussions, as you know.
... Will RWoT affect attendance?

<kim> I'll be at rwot

<ChristopherA> +1

<varn> question: who from our group is involved with the credential transparency description language being worked on by http://credentialengine.org/ ? They had a new release in August, see http://credreg.net/ctdl/release

<dlongley> manu: It's really the evidence thing. The revocation thing we can guess at and put something in front of the group. We need use cases for evidence. Kim did say she could round some up with the education space.

Evidence for Verifiable Claims

Kim: I'm interested in aligning OBI w/ Verifiable Claims - I'd like to align those examples. I'd want to run them by that group to make sure they're representative.
... They should be fairly easy to round up, make sure the examples are solid.

<dlongley> manu: After we get through the evidence thing we may have some burning issues to discuss.

Varn: This relates a bit to evidentiary items... who has been involved with Credential Transparency?

<dlongley> manu: Stewart Sutton who had participated early on in the group is the one that did a lot of the work for the CTI. But he has not been able to join us as of late. Gregg ... I don't know if you're on the call today, you might see him at the DCMI meetup thing that you're going to.

<dlongley> manu: No one is participating regularly that I know of.

Varn: Have you looked at their Vocabulary - are there evidentiary items in there?

<Zakim> tzviya, you wanted to ask about federation use cases

Varn: The only reason I mention it is because these folks have to recognize credentials. I would expect that they would have worked on that, we want to reuse their work if they have.

tzviya: Someone asked me if I had use cases for Federation - what are you looking for?

<dlongley> joe said this last week... :JoeAndrieu: please raise issues for any use cases not yet represented, especially if they can be highlighted as education-related... booked elsewhere the next couple weeks, but can dig into this again thereafter

tzviya: I'm talking about with respect to login - I go to NYU, have access to all of NYU library, then move universities - how do I get access at the new university?

<dlongley> https://github.com/w3c/vc-data-model/issues/71

dlongley: W3C TAG has a self-questionnaire on security and privacy - we should produce a response that runs down these questions... we may not be able to answer some of these questions because they don't apply... but they will ask us to fill this out at some point.

Burn: Who is "we"? Is there someone that can volunteer to take a first stab at it?

DavidC: I'm happy to do that, I've already started on security and privacy document.
... I'm happy to do a first cut of that for next week.

<dlongley> thanks david!

<scribe> ACTION: David_Chadwick to do security/privacy review for TAG. [recorded in http://www.w3.org/2017/09/26-vcwg-minutes.html#action01]

<trackbot> Sorry, but no Tracker is associated with this channel.

<dlongley> manu: I do want to do some front running... going down the agenda. There's a thing on Identity Verification that Joe Andrieu brought up.

<dlongley> manu: "How do you establish that the holder of the VC is also the subject?" ... So how do you know that it's me that's handing over a driver's license/educational cred/etc.

<dlongley> manu: We have something running in production that does that that's aligned with the various VC specs. The problem is that there's a very fine line and we should only be working on the data model. There are things in the data model that apply but we can also say something non-normative to talk about how to authenticate yourself as the subject of a claim.

<dlongley> manu: To say "this is me, this is my driver's license." I'm going to try and draft up some language to cover that ... any objections from the group or do you think anyone would complain and say it's outside of the charter even though it's non-normative? Any thoughts on that? If no, I can just draft something and see what we think.

Burn: From a Charter perspective, we're ok - I'd err on the side of putting text in and having someone request that we take it out of the spec.

dlongley: There are data model elements to this aspect, so saying that this is where you have this info in the data model, so it's interoperable, and give examples of how it could be used is not normative. We show how the data model can be used... use case for it.

DavidC: I think part of the verification is that there is something in the claim that links to the person that's presenting it. The data model needs to have some aspect - we don't want to support masquerade.

ChristopherA: Or at least, optionally support masquerade.

DavidC: Masquerade is pretending to be someone that you're not. Saying "I'm not the subject, I'm someone else" is fine.

ChristopherA: I agree with the semantics.
... From a cryptography standpoint, it's more nuanced.
... I'd like to get input from the group wrt. what the language requirements are - Bitcoin community could be a lot more evangelized if we have a C++/Python version.

<varn> presenter offers what data elements to verify self and describes role as subject of claim or holder/broker. They also have to present data elements proving they have permission to present it if they are not the subject.

ChristopherA: What libraries do we have, what's their status, what are the needs of various parties? Java version, Go version...

<Zakim> manu, you wanted to talk to Python version.

<dlongley> manu: Just to talk to the Python version. Chris Webber has been working on a Python version that works more or less. That thing's doing fairly well. At the close of the milestone we should have JS and Python implementations. So LinkedDataSignatures, VC libraries, etc. We should be able to support the bitcoin community with a Python version. The C++ version is more challenging. Like 6 years ago we had a JSON-LD processor in C++ but it's a non-trivial

<dlongley> undertaking as usual with C++. Scripting libraries will get support much sooner than non-scripting ones.

<dlongley> manu: We're pretty far along with node.js and in the browser, and Python and Ruby and Java I think.

<dlongley> manu: There's a Go implementation for JSON-LD.

<dlongley> ChristopherA: What I'd like to see then as part of the documentation or a repo ... a unified list of these resources and where they are in github and maybe some pointers on who is working on them. Unified place for them. Have that as a work item to keep that up.

<dlongley> +1

<dlongley> manu: +1

<dlongley> burn: A link off of the WG would be fine that points to a page with running implementation stuff.

<scribe> ACTION: Manu to create link to running implementations off of WG page. [recorded in http://www.w3.org/2017/09/26-vcwg-minutes.html#action02]

<trackbot> Sorry, but no Tracker is associated with this channel.

DavidC: About presenter comment from Richard Varn - do we have recursive credentials? So, presenter provides credential and recursively includes other credentials.

<varn> good idea. not that i know of. may not be the only way we want to do it.

DavidC: I have a credential which has some property and I want you to take over that property and take over that credential... I put a VC given to me, into the VC, I put your identifier as the holder, and I put me as the issuer and sign it.

dlongley: We do have a concept of a chain of trust, so if you present a VC that is signed by you or someone else - you can look at the other entity. So you get an education credential from some university and you can go to the university to see if they have accreditation. I don't see why you can't bundle all of those into a single container. Is that the concept that you're talking about?

DavidC: When you think of the X509 Certificate Chain, similar things could happen w/ Verifiable Claims... instead of having linking and separate credentials, you have one credential which has one property inside the other one. You can recursively go through the code - parsing/validating as you go along.
... At some point, you find that the property is not a credential, and you find that it belongs to outer-most holder.

Longley: So you're asking to have credentials embedded in credentials.

DavidC: I wasn't sure it was supported - but if it is - it would provide someone that is the subject to specify that they're the holder.

<DavidC> correction: the subject to specify that the holder is authorised to present the credential

Varn: The other dimension that I want to capture - whether person presenting is authorized to do so - you could do it with or without nesting - within statements/permissions - there are different reasons why I might authorize someone to present my credential.

<dlongley> yes, terms of use/policy issues.

Varn: if I'm presenting it for job application, application for college, limit it for that purpose - purpose of presenting, you have to bundle those together. I am presenting, I have permission to present, I have permission to present for this reason.

DavidC: Policy on use of credential is there - perhaps further policy can be more restrictive.

Varn: We need those descriptions in there.

<Zakim> manu, you wanted to talk about recursion vs. graphs. and to talk about delegation.

<dlongley> "compositional credentials and compositional policy"

https://github.com/w3c/vc-data-model/issues/48

<burn> +1 to composition on both

<dlongley> manu: We have an issue for terms of use and I expect to see a property for that in the data model. What would help the discussion is a grounded use case. For example, an assistant needs a passport from someone they are booking a flight for to travel over seas. It has a terms of use component and it has a component ... so the terms of use thing is one aspect.

<dlongley> manu: The other aspect that David is pointing out is delegation. Terms of use is important even when you're the subject handing things over (only use my shipping address to ship a package to me, don't market/mine my data).

<burn> trying to deal with delegation today sounds like a big chunk to bite off

<dlongley> manu: Terms of use for a passport would be for card rental use only. And in addition to that you can delegate. It's a very complex topic and we haven't picked up and discussed in the group. Part of what David Chadwick is outlining here is "how are we doing delegation" ... are we doing it through bundling/embedding credentials or what. Fundamentally we're dealing with graph based data structures here. So that nesting is the wrong way to talk about these

<dlongley> things. You're really talking about the interconnectedness of the graph.

<dlongley> manu: Can you start at the subject and trace a path to the holder in some way. There may be many paths back to the holder. The question then becomes have we thought about delegation such that it is possible to trace a path from the holder all the way back to the subject and such that the subject has expressed the terms of use on that credential. That's a pretty big multipart discussion. The suggested path forward is ... we've broken out

<dlongley> terms of use, its own thing on the side.

<dlongley> manu: I don't think we've broken out what David just said ... how do you establish the relationship between the holder and subject when they are different entities. We will be discussing how to find out if the subject *is* the holder, but we haven't talked about tracing a path from the holder to the subject, etc. That could be super complex. There's a question of how much we want to explore because it could get complex.

<dlongley> manu: Those are my thoughts now that I think I understand the points David was making. We're not tracking it.

DavidC: Two points - issuer provides terms of use... subject provides terms of use. Do we cover both of those in the data model? Should subject terms of use be outside of data model?

<dlongley> or the verifier suggests a terms of use that the subject will accept (or not). (not sure if that was said)

<dlongley> that's more likely when sharing credentials on the Web.

https://github.com/w3c/vc-data-model/issues/48

<ChristopherA> (heading over to w3c-ccg)

burn: We need to know if you need dial-in for TPAC, let us know!

<burn> But dial-in is discouraged -- should not be the primary way to attend

Summary of Action Items

[NEW] ACTION: David_Chadwick to do security/privacy review for TAG. [recorded in http://www.w3.org/2017/09/26-vcwg-minutes.html#action01]
[NEW] ACTION: Manu to create link to running implementations off of WG page. [recorded in http://www.w3.org/2017/09/26-vcwg-minutes.html#action02]
 

Summary of Resolutions

[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.152 (CVS log)
$Date: 2017/09/26 16:01:16 $

Agenda: https://lists.w3.org/Archives/Public/public-vc-wg/2017Sep/0019.html