14:41:46 <RRSAgent> RRSAgent has joined #did
14:41:46 <RRSAgent> logging to https://www.w3.org/2021/09/07-did-irc
14:41:48 <Zakim> RRSAgent, make logs Public
14:41:50 <Zakim> please title this meeting ("meeting: ..."), ivan
14:42:01 <ivan> Meeting: DID WG Telco
14:42:01 <ivan> Chair: burn
14:42:01 <ivan> Date: 2021-09-07
14:42:01 <ivan> Agenda: https://lists.w3.org/Archives/Public/public-did-wg/2021Sep/0017.html
14:42:01 <ivan> ivan has changed the topic to: Meeting Agenda 2021-09-07: https://lists.w3.org/Archives/Public/public-did-wg/2021Sep/0017.html
14:46:54 <burn> burn has joined #did
14:49:33 <TallTed> TallTed has joined #did
14:54:42 <burn> present+
14:57:32 <ivan> present+
14:58:39 <brent> brent has joined #did
14:59:00 <TallTed> TallTed has joined #did
15:00:25 <cel> present+
15:01:00 <shigeya> present+
15:01:09 <brent> present+
15:01:12 <identitywoman> identitywoman has joined #did
15:01:15 <Deborah> Deborah has joined #did
15:01:16 <ivan> present+ drummond
15:01:22 <identitywoman> present+
15:01:28 <drummond> drummond has joined #did
15:01:31 <drummond> present+
15:01:33 <ivan> present+ TallTed
15:01:39 <manu> present+
15:01:56 <Deborah> present+
15:02:11 <ivan> scribejs, set Deborah Deborah Shands
15:03:38 <ivan> guest+ Jeremie_Miller
15:03:42 <burn> Topic: Agenda Review, Introductions
15:04:01 <Orie> Orie has joined #did
15:04:07 <Orie> present+
15:04:20 <ivan> present+ shigeya
15:04:22 <markus_sabadello> markus_sabadello has joined #did
15:04:25 <markus_sabadello> present+
15:05:18 <identitywoman> I can scribe
15:05:46 <burn> scribe+ identitywoman
15:05:50 <ivan> present+ dwaite
15:05:58 <burn> Topic: DID Rubric Status
15:06:11 <identitywoman> @burn next item is giving status.
15:06:25 <ivan> s/@burn/burn:/
15:06:26 <burn> https://github.com/w3c/did-rubric/issues
15:06:31 <brent> https://github.com/w3c/did-rubric/pull/49
15:06:47 <identitywoman> @burn main point is to convert DID rubric to a registry - this is an issue that is out
15:06:48 <ivan> present+ pam
15:07:01 <drummond> q+
15:07:25 <burn> ack drummond
15:07:37 <identitywoman> @burn before the existing group charter ends - important to get done before we shift to a maintenance charter.
15:07:53 <ivan> s/@burn/burn:/g
15:08:13 <markus_sabadello> q+
15:08:15 <identitywoman> drummond: more in-depth and complex
15:08:25 <identitywoman> (is that right?)
15:08:32 <burn> ack markus_sabadello
15:08:35 <Pamela> Pamela has joined #did
15:08:51 <ivan> q+
15:09:04 <burn> ack ivan
15:09:08 <identitywoman> peacekeepr: I misunderstood this proposal at first - it is just one part of it - just about adding additional criteria - I like it
15:09:39 <TallTed> q+
15:09:42 <identitywoman> zakim: I read it this morning - important to have it done as quickly as possible - so put in DID new charter that this will turn into an official registry document.
15:09:43 <burn> ack TallTed
15:09:52 <drummond> +1 to Ivan's point -- we want to include this in the new charter
15:10:25 <ivan> s/peacekeepr/markus_sabadello/
15:10:33 <dwaite> dwaite has joined #did
15:10:45 <identitywoman> TallTed: I had started going over this with a fine-tooth comb and made a stack of suggestions - I didn't quite understand how things were flowing as documents - main author should go through my comments and then I can do - they have been sitting there for 5 days
15:10:50 <ivan> s/zakim:/ivan:/
15:10:57 <burn> Topic: DID Spec status update
15:10:58 <identitywoman> burn: If he wants this to get in he needs to be very responsive to comments
15:11:05 <identitywoman> burn: did spec status update
15:11:23 <manu> q+ to ask when to create the final document.
15:11:27 <identitywoman> burn: as I think most of you know the W3C Advisory committee voted - we have had some comments and three formal objections.
15:11:42 <ivan> q+
15:11:50 <manu> q- later
15:12:16 <identitywoman> burn: the chairs and team contact and editors have been talking with W3C leadership - we don't know what is going to happen. The chairs at this point believe that none of these objections will mean it can't be published as a recommendation.
15:12:33 <identitywoman> burn: if it is delayed the existing working group charter will get extended.
15:12:53 <burn> q?
15:12:59 <burn> ack ivan
15:13:01 <identitywoman> burn: if their is a delay the new charter will be modified.
15:13:40 <burn> s/if their is a delay the new charter will be modified./we may need to modify the new charter based on the objections/
15:13:46 <burn> ack manu
15:13:46 <Zakim> manu, you wanted to ask when to create the final document.
15:13:48 <identitywoman> zakim: I was PTO last week but Philip did pick up my role and I'm grateful for that - he is talking to the objectors later this week - something should come out of that
15:14:14 <ivan> s/zakim:/ivan:/
15:14:28 <bumblefudge> bumblefudge has joined #did
15:14:56 <identitywoman> manu: do you want me to prep the document itself - we do have to create a final document and pull it.
15:14:58 <brent> q+ to ask if there may be editorial changes resulting from the objections
15:15:16 <burn> ack brent
15:15:16 <Zakim> brent, you wanted to ask if there may be editorial changes resulting from the objections
15:15:20 <ivan> q+
15:15:28 <identitywoman> manu: general question is timing
15:15:37 <manu> q+
15:15:50 <ivan> present+ by_caballero
15:15:51 <identitywoman> brent: will there be editorial feedback based on the objections
15:16:10 <identitywoman> brent: it seems much will be into the rubric or the implementation guide
15:16:14 <burn> ack ivan
15:16:18 <identitywoman> brent: will process the queue but keep it short
15:16:48 <brent> s/brent: /burn: /
15:16:48 <burn> s/brent/burn/
15:16:58 <identitywoman> ivan: not generate a final status thing -  just take care of the outstanding editorial PRs
15:17:01 <brent> +1
15:17:41 <burn> Topic: SRI Review of DID Spec
15:18:00 <identitywoman> brent: would you like to give a brief introduction and then go into review
15:18:13 <JoeAndrieu> JoeAndrieu has joined #did
15:18:40 <identitywoman> deborah: should I put up slides - please do and if you have a link to put chat
15:18:54 <Orie> There is a PR that adds these slides to the did imp guide: https://github.com/w3c/did-imp-guide/pull/29
15:19:02 <identitywoman> deborah: we do a lot of research of government entities
15:19:23 <ivan> present+ JoeAndrieu
15:19:42 <identitywoman> deborah: my group does some research in cybersecurity
15:19:47 <dbuc> dbuc has joined #did
15:19:51 <dbuc> present+
15:20:39 <identitywoman> deborah: my customer Anil John - asked me to review the DID and come up with security and privacy criteria for DID methods - I was able to spend about 100 hours on this (normally it would take a long time)
15:20:56 <identitywoman> deborah: approach to developing the requirements - they are in the document at the back of the slides.
15:21:38 <Orie> q+
15:21:43 <manu> q-
15:21:50 <identitywoman> deborah: I re-ordered the slides official approval to get publicly released. I don't have them on the web. You can put them on your repositories on the public web.
15:21:59 <burn> ack Orie
15:22:20 <cel> also was put on ML: https://lists.w3.org/Archives/Public/public-did-wg/2021Aug/0022.html
15:22:31 <identitywoman> orie: there is a pull request for these documents (report and slides) for the implementation guide (may not be final home)
15:23:09 <ivan> -> Slides of the presentation https://lists.w3.org/Archives/Public/public-did-wg/2021Aug/att-0022/DIDSecPrivCriteriaOverview-public.pdf
15:23:27 <identitywoman> deborah: I did a little bit of a job from the perspective of a government agency that wanted to create a high value credential and apply that to a DID. What characteristics apply that to a DID - so a government agency can apply that to a DID.
15:24:03 <identitywoman> deborah: sketched an approach for a security and privacy approach - to illuminate to the customer - that were not garden variety issues.
15:24:11 <ivan> -> Security & Privacy Assessment criteria https://lists.w3.org/Archives/Public/public-did-wg/2021Aug/att-0022/DID-Criteria-V4.0-public.pdf
15:24:26 <identitywoman> deborah: authentication, authorization, login, identity verification etc. these are garden variety
15:25:15 <identitywoman> deborah: I looked at version 1.0 core architecture document - I knew nothing about implementation. I had opportunity to discuss some of the entities funded by Anil.
15:26:32 <identitywoman> deborah: if you are going to do security - well established "system security engineering" two called out Common Criteria - protection profiles - specifications for security for national security - a bunch of international agreements to accept assessments of multiple laboratories that are accredited.
15:26:58 <identitywoman> deborah: these are established for products. These are established for functional requirements.
15:27:29 <identitywoman> deborah: NIST is thinking about standards for systems not just products - integration, deployment procedures - examples of places for developing criteria.
15:27:47 <identitywoman> deborah: we have had decades of systems security engineering
15:28:05 <identitywoman> deborah: we don't have - a lot in a similar vein around privacy
15:28:41 <identitywoman> deborah: found introduction to privacy engineering by NIST - maps to fair information practices and principles - they are adopted in various international contexts - (re-written some times).
15:28:59 <identitywoman> deborah: abstracted up
15:29:16 <identitywoman> deborah: approach to developing a criteria - small examples
15:29:38 <identitywoman> deborah: define the system -
15:29:59 <identitywoman> deborah: I focused on the standard - if you develop criteria against which your system will be evaluated.
15:30:21 <identitywoman> deborah: realistic threats - identity fraud was the one I identified.
15:30:50 <identitywoman> deborah: define security objectives to address realistic threats.
15:31:13 <identitywoman> deborah: separate security requirements from the objectives - what parts addressed by rest of the environment
15:31:43 <identitywoman> deborah: supported by a vast array of things - and list assumptions of how you rely on those things.
15:32:13 <identitywoman> deborah: define privacy objectives and requirements - abstraction above fair information practices and principles
15:32:44 <identitywoman> deborah: typically when you get a working group collaborating together you get a common criteria protection protocols - based on a standard.
15:33:36 <identitywoman> deborah: different classes of technology infrastructure that you are assuming - you could develop different criteria - then sub-set to work collaboratively to develop these types of standards. The standards are young you are still develping them they are very security critical.
15:34:13 <ivan> s/develping/developing
15:34:15 <identitywoman> deborah: then your system is evaluated by others - fair play different users - government agencies - may choose on criteria that you don't appreciate.
15:34:56 <identitywoman> deborah: example criteria assessment
15:35:51 <identitywoman> deborah: Blue - government agency should they create a passport - is the DID good enough from a security and privacy perspective - is the DID method strong enough for a  digital passport?
15:36:11 <identitywoman> deborah: could be verified during on boarding
15:36:27 <identitywoman> deborah: green is good - is a DID document authentic - check a hash volume
15:36:38 <identitywoman> deborah: brown think about supporting but not in specification.
15:37:07 <identitywoman> deborah: Red is bad - outside of the technical space and really impossible to verify by looking at DID method software and services
15:37:12 <burn> q+ dbuc
15:37:13 <identitywoman> deborah: looked at list
15:37:31 <manu> q+
15:37:55 <identitywoman> deborah: conclusion - work together to develop a really security profile
15:38:36 <identitywoman> deborah: position what needed to be dealt with - existing common criteria protection profiles - related to DID method type systems
15:38:54 <burn> ack dbuc
15:39:29 <identitywoman> daniel: in the red green brown - red is meant to indicate subjectivity?
15:39:44 <identitywoman> deborah: no, it was not meant to be subjective
15:40:23 <identitywoman> deborah: the approach by next door - they send a post card to your physical address - you have to go type that into - a minimal external process - it is not subjective it is  outside the technical process.
15:40:46 <identitywoman> daniel: trying to understand the difference with the green
15:41:11 <identitywoman> daniel: distinction - thirty voters - mathematical
15:41:36 <identitywoman> deborah: it is quite likely that a government agency will only accept a thing that is mathematically based
15:41:45 <drummond> Can Deborah (or someone) share the URL of her final set of slides?
15:41:55 <identitywoman> deborah: there is another group at SRI working on the cryptography
15:42:14 <identitywoman> deborah: I have not assessed these things based on if they are subjective or not
15:42:39 <cel> q+ evaluation of DIDs for VC issuer vs DID subjects
15:42:42 <burn> ack manu
15:43:27 <identitywoman> manu: this is really fantastic stuff thanks for putting it together and sharing with the group - some of them have seen your research for the first time here.
15:43:37 <identitywoman> manu: the group developed some security and privacy considerations
15:43:53 <identitywoman> manu: we also developed some criteria for the DID rubric.
15:44:33 <identitywoman> manu: I think some of the things that you highlighted I don't think that they are in any of the document. This has produced different types of criteria.
15:44:35 <burn> q?
15:44:55 <identitywoman> manu: I think what you have developed will likely belong in the specification itself.
15:45:03 <burn> q+ cel to ask about evaluation of DIDs for VC issuer vs DID subjects
15:45:07 <identitywoman> manu: how concrete does it need to be.
15:45:28 <identitywoman> manu: talk about the concrete implications give governments or large enterprises something to look at.
15:46:01 <identitywoman> manu: sit down and steal yourself - and go look at some of the criteria protection profiles - look at how gory the details are for the process they go through.
15:46:15 <identitywoman> sorry last line was deborah
15:46:32 <burn> s/steal yourself/steel yourself/
15:47:00 <identitywoman> deborah: look at the in-depth work that is done to really look at how they approach it
15:47:29 <identitywoman> deborah: look at what happens if there is something that could go wrong - they are going to be very nitpicky
15:47:54 <identitywoman> deborah: make peace with the level of details that are needed - there are going to be operational assertions and proofs.
15:48:39 <burn> ack cel
15:48:39 <Zakim> cel, you wanted to ask about evaluation of DIDs for VC issuer vs DID subjects
15:48:40 <identitywoman> burn: one more question and then go into one detail.
15:49:16 <identitywoman> charles: I was wondering about considerations of DIDs for issuers of verifiable credentials - I wondered about that (focus on DIDs as subject of credentials).
15:49:36 <identitywoman> deborah: my focus was on the systems that generate and issue DIDs
15:49:51 <identitywoman> deborah: was asked to look at wallets recently - I have been crawling through wallets
15:50:14 <identitywoman> deborah: They can look at DID method implementation they can poke and discuss - software for DID methods
15:50:30 <identitywoman> deborah: are they good enough - apply passport credentials to DID.
15:51:20 <identitywoman> deborah: if I get a passport credential and decided to get a new wallet - the government agency doesn't get to pick what wallet I put the credential into - how those credentials are managed those who are subjects of credentials or hold credentials on behalf of others - that is something else.
15:51:26 <drummond> Deborah's point is profoundly true. But I do expect there to be security standards for wallets.
15:52:28 <identitywoman> burn: in our world a passport is not a DID it is more like a credential -
15:52:50 <Orie> Imagine issuing a passport to an identifier that is bound to a physical hardware wallet, then not being able to change wallets....
15:53:11 <identitywoman> deborah: so a government agency - if I provide a DID this is my identifier - I want a passport credential asserted with me as a subject - sorry that DID was not generated by a DID method that we think is good enough.
15:53:32 <identitywoman> deborah: strictly focused on dids and did methods
15:53:52 <identitywoman> deborah: one of the recommendations that I made around access control and access policy
15:54:33 <identitywoman> deborah: you have a number of controllers that can manage a DID document - there are controllers that are not mentioned. recommend that you can list all the modifiers that can change the did document
15:54:51 <identitywoman> deborah: it seems to me that any of the did controllers can modify any of the elements of a did document.
15:55:19 <burn> I disagree with identifying controllers.  Circular because now how do you identify them?
15:55:36 <identitywoman> deborah: it seems appropriate - to define the extent of a specific did controller over - limited scope of impact.
15:55:49 <markus_sabadello> q+
15:56:02 <identitywoman> deborah: develop minimalistic policy access language - identify which did controllers are permitted to do what to the document.
15:56:31 <identitywoman> deborah: it is a pain in the neck - a number of DID controllers can have full access to the document - this could be a real problem.
15:56:36 <burn> ack mark'
15:56:39 <burn> ack markus_sabadello
15:57:36 <manu> q+ to ask how we continue to collaborate?
15:57:38 <identitywoman> Markus: thanks deborah for the presentation - this question of access control this varies a lot between different did methods - would your recommendation be to require this in the DID core - or do you think it is acceptable to add it to the rubric and then the government could choose a did method that they want
15:57:49 <identitywoman> Markus: where you should enforce this
15:57:50 <burn> zakim, close the queue
15:57:50 <Zakim> ok, burn, the speaker queue is closed
15:57:53 <manu> q-
15:58:08 <manu> We should definitely follow up with Deborah
15:58:22 <manu> Figure out how we continue to collaborate on this type of work -- it's important.
15:58:29 <identitywoman> deborah: enforcement is always on implementation - your method will have a controller policy
15:58:55 <drummond> Access control policy for DID methods is DID method specific.
15:59:28 <identitywoman> deborah: to show you are serious about the security end of things - requiring there is a security policy with these types of things - specifying this at a high level seems like it is important in this type of thing - split this up into subsets - different styles of technology implementation
15:59:46 <identitywoman> burn: I think there a lot of great opportunities for discussion/collaboration
15:59:58 <identitywoman> deborah: there is e-mail we can meet again - happy to do that.
16:00:20 <identitywoman> burn: folks are welcome to communicate with you individually
16:00:45 <Orie> Thanks deborah!
16:00:49 <identitywoman> deborah: it is a pleasure - fascinating technology space
16:00:52 <identitywoman> Thanks Deborah!
16:01:07 <ivan> rrsagent, draft minutes
16:01:07 <RRSAgent> I have made the request to generate https://www.w3.org/2021/09/07-did-minutes.html ivan
16:01:22 <ivan> zakim, end meeting
16:01:22 <Zakim> As of this point the attendees have been burn, ivan, cel, shigeya, brent, drummond, identitywoman, TallTed, manu, Deborah, Orie, markus_sabadello, dwaite, pam, by_caballero,
16:01:23 <TallTed> Orie -- your muted actions above should be inline comments!
16:01:26 <Zakim> ... JoeAndrieu, dbuc
16:01:26 <Zakim> RRSAgent, please draft minutes
16:01:26 <RRSAgent> I have made the request to generate https://www.w3.org/2021/09/07-did-minutes.html Zakim
16:01:28 <Zakim> I am happy to have been of service, ivan; please remember to excuse RRSAgent.  Goodbye
16:01:32 <Zakim> Zakim has left #did