Verifiable Claims Working Group -- 13 Feb 2018

<stonematt> Agenda: https://lists.w3.org/Archives/Public/public-vc-wg/2018Feb/0011.html

<scribe> scribe: dlongley

stonematt: We've extended the time block for use cases for Joe today.
... Introductions -- anyone new on the call this week?

Next Face-to-Face

<stonematt> https://lists.w3.org/Archives/Public/public-vc-wg/2018Feb/0010.html

stonematt: Dan Burnett sent out a note about the F2F meeting.

<JoeAndrieu> I have news.

stonematt: To the mailing list.
... We're starting to think about what we want on the agenda.
... Trying to work through some of the final logistics. If you have any agenda items to include at the F2F please highlight them now to get them into the minutes so Dan, Richard, and I can work through them.
... Dan was also putting together a link off of our group, W3C website to track logistics and do the invitations and so on and you may see that evolve over the next few days.

gkellogg: Paying to attend IIW -- is that necessary to attend the F2F?

stonematt: It is not necessary.

gkellogg: Last time there was much more overlap.

JoeAndrieu: I heard back from Heidi, been dealing with Phil Windley and facilitators and space logistics. We can get a room for Friday. We're welcome to have a space Thursday if we wanted. They wanted to clarify if they should set something aside for us.
... They "would like" participants to buy a one day ticket. There's a 20% off discount code on the three day tickets, but not the one day. One day may not be strictly required but they'd like payment.
... It will cost us -- and we need to figure out sponsorship. Heidi said "When we worked with Manu, one of the companies sponsored w/around $2000".
... She mentioned they also donated left over drinks and snacks which is nice.

<Zakim> manu, you wanted to say that people should pay for the space.

manu: Last year, I think it remember it being $2500 total with everything and Digital Bazaar footed that entire bill, we'd like this year to see others pitch in. We're happy to match this year but we would prefer to see shared skin this time around.

<JoeAndrieu> IIW: here is a 20% off discount code that is good on Regular and Independent 3 Day Tickets / now and on late as well. VCWG_XXVI_20

manu: The only other thing last year is that we bought everyone lunch which was pizza, not super expensive. Just a lunch concern and making sure we get an order in, etc.
... I want to point out that Phil, Kaliya, Heidi, etc have been very generous and I suggest people pay for a ticket. I think SpecOps would be happy to pick up tickets for independents.
... A note -- please don't take advantage of the hospitality that IIW has extended to us and please pay for a ticket.

gkellogg: One day ticket is $275.
... Sales start March 10th.

stonematt: We'll probably start going around beating the bushes for contributions to help fund the event this year. Thanks to Digital Bazaar for offering to match. Will try to find others to contribute as well.

gkellogg: Regular independent is $340, $272 with discount. May as well get a 3 day independent ticket if you are an independent.

stonematt: Does the discount work on the one day ticket as well or just the three day?

JoeAndrieu: Heidi's language implied it was for three day independent and regular tickets.
... (Not one day)

stonematt: We know a lot of you were planning on attending IIW and hopefully this isn't an additional burden, piggybacking on such events. If we have challenges on the day of overlap we'll work through those.
... We want to take care of the participants for the day after the event as well. A big chunk of the funds to IIW pay for internet connectivity and food at the conference, money well spent. As well as camaraderie of the event itself.

<Zakim> manu, you wanted to note projector

manu: Quick note: The projector costs were insane last year so we may just bring one this year.
... Bringing a small, portable projector along -- we can rent one, we will handle it.

JoeAndrieu: This is Joe, there is still an open question for what we're doing Thursday. Do we want a dedicated space for say, even half the day. Or we could just fit into the flow of the other sessions. That's still an open question regarding securing logistics.

stonematt: I think last year we had an open session in the unconference and used conference space.

JoeAndrieu: I think that's right.

stonematt: If generally speaking, people will be participating in the conference then we'll just fit in, but if there's resistance then we'll have to pay for a separate space.

JoeAndrieu: I liked getting IIW members that were new to the conversation and that's useful.

stonematt: Unless we hear objections, we'll plan to use the conference space and not get dedicated space on the overlap day. Any objections?

none

<manu> +1 to using conference space on Thursday, we don't need a dedicated space... also, we need to make sure we know what we're presenting...

stonematt: We're going a little longer on our time slot today, a little flexible so it's ok.

Topics to Cover at F2F

stonematt: Let's make this five minutes, quick brainstorm of ideas we want to cover without going into discussion. Give us a chance to think about it offline and then have a follow up. What should we cover at the F2F?

manu: I guess the question is -- what do we do on Thursday and what on Friday. On Thursday, my thoughts are that we give people a run down on where VC are today. An intro to give people a taste. I talked with Drummond on this and Nathan we need to coordinate as well.
... Talking about the story with DIDs, VCs, and OCaps all weave together to create this self-administered/self-sovereign identity.
... We want to weave a story throughout IIW. Day 1 and 2 may be DID centric. Maybe on Thursday we talk about how VCs and DIDs fit together. Save the VC stuff for Thursday don't go too deep into it until then. We may, on Tuesday need to do a quick update and then do in depth on Thursday.
... Topics for Friday, I imagine we'd want to focus on test suite and implementations. It would be really good if we had people that volunteered to read and review the spec and provide feedback *before* they show up at IIW. For example Evernym, Sovereign folks say spec supports what they need and we get issues before we show up.
... Then focus some time on that Friday F2F about how to move the test suite forward and how we'll get full coverage and things of that nature.

<stonematt> .q?

manu: At least those are high level thoughts on how we could structure the week.

<nage> +1 to IIW introduction sessions and test suite and implementation time Friday

<manu> +1 to focal use cases

JoeAndrieu: I want to endorse the Tuesday and Thursday comments from Manu. We could run multiple sessions. DIDs deserve their own sessions earlier in the week as do VCs. People would try and show up and do an hours conversation about it. I'd like to figure out what the focal use cases are. What are the five use cases we need to get more depth on. I think that fits in on Friday.
... I'd like to dive into that as a group.

stonematt: Is that focal use case idea, a discussion we could go through later on the call?

JoeAndrieu: Yes.

stonematt: I think that would be time well spent.
... Ok, we're at time there, that's good, moving on.

Open Issues

<stonematt> https://github.com/w3c/vc-data-model/issues

stonematt: We currently have 34 issues open on the data model spec today. As it sits right now. We had a call to action for the group to go in and start working through issues that haven't had activity recently and we might be able to bring towards closure.
... It occurred to us as we were planning on Friday that we haven't been attentional enough at getting these issues disposed of. Closing, table, etc. or working through them.
... I had 4-5 that I spun through that deserve some discussion. Manu mentioned at the top of the call that there were a few he's been working through this week as well. I hope the group has had some time to refamiliarize with the issues there. I'm going to make this an item over the next few weeks to get issues resolved.
... So we can move on.
... Please get on the queue to discuss.

DavidC: I did start at the beginning of the week and we managed to close one off. I've been very busy this week -- but I do plan to spend time this week and get rid of the old ones first.

stonematt: I really appreciate the activity and effort spent last week.

<Zakim> manu, you wanted to note how he's processing issues as an Editor.

manu: I started processing issues, just as an editor. I'm looking for things that we have already resolved or that we've closed the issue or that we could resolve with a tiny bit of effort, oldest issues first.
... Often they no longer apply because of some scoping issue, etc. the group has had. Unfortunately I didn't find too much low hanging fruit.
... I wanted to draw attention to suggestions. I want to suggest we start wrapping things up for the 1.0 spec. If we haven't made progress on an issue -- even if people think it's important -- we're not going to get there I don't think by the time we get to REC.
... If we don't have a spec editor for the thing or an implementation for it -- then it's not going to move forward.
... So I'm suggesting that we close those issues. That usually prompts people into doing work or gets people to admit we won't address the issue now.

<stonematt> https://github.com/w3c/vc-data-model/issues?utf8=✓&q=is%3Aissue+is%3Aopen+sort%3Acreated-asc+JWT

manu: The oldest issues we have are around JWTs. JOSE Web Tokens, etc. How to express VCs using JWTs. The only organization that I know of that are using claims with JWTs are the uPort folks. We don't know what those JWTs look like -- my hope is that they start attending these calls more.
... I don't know any one else implementing... you can still take a VC and shove it in a JWT, but no one knows what those look like/aren't using them. Folks in the group aren't following that path. So I suggest we close those issues because -- if no one shows up with an implementation and no one is taking lead in writing the spec text then we're done with that.
... That doesn't preclude us from working on it later on, but we can close issues.

<manu> https://github.com/w3c/vc-data-model/issues/1

<manu> https://github.com/w3c/vc-data-model/issues/2

<manu> https://github.com/w3c/vc-data-model/issues/3

<manu> https://github.com/w3c/vc-data-model/issues26

<manu> https://github.com/w3c/vc-data-model/issues/26

<manu> https://github.com/w3c/vc-data-model/issues/93

manu: Those are the issues we might be able to close because we say that no one is here doing work on JWT in a way that we can say something normative in the spec.
... Another set of issues that fell into a class were:

<manu> These fall into the class of needing examples: https://github.com/w3c/vc-data-model/issues/41 https://github.com/w3c/vc-data-model/issues/32

manu: We could close these issues if someone could create an example of how the data model expresses that. We have this pattern where people say "What about this type of credential" ... the only way to close the issue is to come up with an example to say how. Without a company pushing that forward there's no progress.
... We could close those issues if someone could volunteer to write the VC around that.

gkellogg: I was going to suggest procedurally that it can be quite difficult to be faced with a whole raft of issues here as someone who wants to try to comment and know where to start.
... One thing we talked about in JSON-LD is to use some labels to drive this. So we could have each meeting ... for example there's a "blocker" label. If there are specific things that prevent progress and they had such a label that would provide us with some means to drive discussions vs. a page and a half of issues that show up on the website.
... We could similarly do that with things we might otherwise close but might want to defer. Rather than closing issues we could mark them as deferred. That would allow us to filter them out from different issue views.

stonematt: I like that idea. I was wondering if there was a status for closed but not resolved and deferred might be that.
... If we think that's appropriate I wouldn't be against that kind of activity.

DavidC: For now we'll take the FIFO methodology. In future meetings we may say "we'll talk about privacy/security/xyz label" and use that as a construct for discussion.
... I don't know if you want to delve into specific issues -- we've been talking high level so far. But subject != holder is a topic I'm interested in. It seems like that text that describes VerifiableProfile it doesn't say what the ID is and we say then that the ID is the ID of the holder it would resolve some of the issues. We would have a way of signaling whether holder == subject or not.
... Another thing we might want to do there is put some sort of relationship property to indicate what the holder's relationship is to the subject. Whether you believe it or not is a different issue. Those are some thoughts on resolving subject != holder issues.

<JoeAndrieu> +1 to relationship as an optional field in profile

stonematt: I think that's a good discussion to start in one of these issues and if we have some example text to bring into the spec (or start discussing) that would move that idea forward.
... I also went through and tagged some issues with the milestone "subject != holder" and, David, you're closer to this and if you can assign a milestone to an issue that would be helpful, but let me know if you can't and I'll do it for you.

<nage> We need to start thinking of this about binding to an entity, not necessarily to a particular ID (remember that attribute based credentials prove correlation to an entity without disclosing an ID)

DavidC: So you'd like subject != holder be milestone 2?

stonematt: There is a milestone for it. You can associate an issue with that milestone. I suspect everyone can do that so try it and if it doesn't work let me know. Shoot me the issue number and I'll do it.

DavidC: I'll have a look at it.
... I'm quite happy to put an action on me to do some draft text along the lines I've suggested to give something to the editors.

JoeAndrieu: Although this undermines Manu's effort to get closure on the JWT issues ... there was a lot of feedback at the last IIW against canonicalization and it would be good to talk to the advocates to get their engagement within the group.

stonematt: I think it would be good to try and get their engagement before we strike it.

<Zakim> manu, you wanted to note that he's listed suggested close dates.

manu: +1 for getting any kind of JWT engagement. The problem we've had with that approach hasn't been a desire for someone to go and work on it. It's been someone actually doing it. It's people saying "just use JWTs they solve your problem" and no one coming in and showing how they work in this use case (particularly in the complex ones).
... If we had someone come in and give us a spec and a proposal solving all the use cases with JWTs that would be great. What we can't deal with is mere assertions that JWTs solve everything with nothing else.
... We did try and make sure that JOSE and VC work together. The RsaSignature2018 signature suite uses JWS. So folks can't say we're not using the JOSE stack now, we are. We are also packaging additional things to fine tune the security characteristics of the packages. And making sure things work across multiple syntaxes, CBOR, XML, JSON, etc.

<JoeAndrieu> +1 to "doing the work"

manu: It's going to increasingly become part of the narrative that someone has to do the work to get these sorts of issues resolved otherwise we will be forced to close them.
... The conversation at IIW should be -- if you think JWTs can solve the issue, the people who have done work disagree and we want counterexamples of how they can work for these cases.
... The other comment I put myself on the queue was to respond to how we talk about these issues. I think the chairs should just pick a small set of issues to talk about during the call and we just go through it.
... You get everyone's thoughts and proposals for addressing an issue on the call.
... I'm a slight -1 to just deferring to issues. People don't respond to that. People will just say they'll provide their input later. Deferred just means "we won't deal with it in 1.0" and closing it forces people to talk.
... That's better than deferring. Keep in mind we can always reopen issues. A VC 2.0 group can always do that. Deferring issues just clutters the list and makes it seem like the WG is working on them but it really means we aren't.

<gkellogg> maybe both mark deferred and close, then can find closed deferred issues later.

manu: I think seeing the issues list is a tool for understanding scope and light at the end of the tunnel.

<Zakim> dlongley, you wanted to ask if that was before/after signature updates

<manu> dlongley: Just wanted to ask, in response to Joe -- at IIW there was some concern around canonicalization. Was that before we addressed some of those issues w/ signature suites that use JWS now?

<manu> JoeAndrieu: I don't know, one of the core issues was canonicalization and not particularly the use of JWS or not.

<manu> JoeAndrieu: Some of the substantive concerns was the extra layer of overhead which reduces adoption.

stonematt: Time check -- we promised Joe 15 minutes for use cases so let's change topics.
... Otherwise I had a handful of issues to talk about.
... I think it's right to shift gears to use case discussion and bring the open issues discussion back next week with a handful of issues we could get resolution on during the call.
... Any objections to changing topics?

none

Use Cases

JoeAndrieu: I think we've had a good experiment at trying to see if excel driven use cases -- a mechanism to rate them and bubble up the ratings. We haven't gotten much engagement. That's not working the way I'd hope it might.
... I wanted to suggest, the idea that what we really need are to understand a core couple of use cases that we can illustrate explicitly. One in particular -- this came up in holder != subject, what are the use cases around a marriage license.
... The notion of both an easy use case -- here's an example of a use case with a marriage license in a normal, default situation. And then what's the sticky wicket version of that where it gets complicated. And we can handle both cases.
... That gives us more insight into the flexibility and power of the spec we're creating.
... I know of three things: 1. To get perspective so people can see what use case is for. 2. dive down to get depth -- use use cases to understand our focus. A focal use case is not saying things out of focus are not important, but limited time and resources -- making sure the focal use cases work with some depth, 80/20 rule.
... I'd like to shift conversation about spreadsheets to the focal use cases that really matter. I like the marriage license use case because it bundles a number of complex issues (subject != holder, etc.) multiple subjects, etc.
... That would be one suggestion for a focal use case. I'd like to get feedback on focal use cases for your company? For your initiatives, I think people have these issues. You know what you care about.
... I would hope that we could talk about those interactively over the next couple weeks and then at IIW pick no more than five and take time to hash that out.

stonematt: So throw out/brainstorm now?

JoeAndrieu: There's finance, retail, etc. from those, what jumps out?

<Zakim> manu, you wanted to mention digital city/state/nation identity card, loyalty/coupons, single attribute claims (age, email). and to mention employee id cards

<stonematt> +1 to this approach

manu: I like this way of framing it and more than the spreadsheet. Was hard for me to give feedback on the spreadsheet, sorry.
... Others probably in the same boat. A question about what's important to your company is a great way -- we're all here for a reason. Figuring out the overlap there is a healthy way to proceed.
... We have a commercial interest in some classes. Retail: loyalty cards and coupons -- can we express those using VCs. Use case is simple: You go to buy something and present loyalty card/coupons in a digital form.
... Identity cards is next. We all agree that we might be far off from using digital creds at a country level. But cities/municipalities are doing it. uPort has a use case in Switzerland (I believe, could be wrong). A small city doing a pilot.
... The other group of organizations that are really interested in digital ID cards are employers, hospitals, and they are wanting to move to digital creds -- using the same system to get access to buildings, so on.
... Final one is single attribute claims, over age 18, this is my email, etc.
... done.

stonematt: I like what Adrian Gropper has done with medicine and there's an idea of a lifecycle with a VC and I get stuck with use cases being too narrow and in medicine it goes around in a cycle/journey.

tzviya: I think that's a great point about the journey/life cycle. The education set of use cases, the online class, etc. for my company is important. A user identity for authentication -- access to online articles and journals. Institutional but same situation for online learning.

ChristopherA: My main thing that seems to be missing from this list is developers. There's all kinds of attributions associated with software development, with teams working on code together, from educational claims to claims about objects about a particular commit signed by A and ack'd by B, etc.

<stonematt> +1 on developer concepts

ChristopherA: Since most of us are developers in some sense or another -- natural synergy of using our own dogfood.

JoeAndrieu: Thanks. There's some work coming into the VCCG about developers and VCs. We'd like to see that come into the VCWG potentially to be published as a note.
... That's it.

stonematt: Thanks for the feedback today. I think it's time to adjourn. Joe is there a way you want us to continue to engage over the week?

JoeAndrieu: Yes. I would like someone to step up and have a conversation with me to flesh out one of these to get a baseline and a sticky wicket (complex) example.

<tzviya> I can do that with you, JoeAndrieu

JoeAndrieu: So we can look at one focal use case spending 10-15 minutes next week on that.
... So contact me if you'd like to do that. Just reach out via email.

<JoeAndrieu> joe@joeandrieu.com

<stonematt> I'm in Joe...

<manu> +1 to doing some of this at RWoT

- DRAFT -

Verifiable Claims Working Group

13 Feb 2018

Attendees

Contents

Next Face-to-Face

Topics to Cover at F2F

Open Issues

Use Cases

Summary of Action Items

Summary of Resolutions

Scribe.perl diagnostic output