1A/ I Co-chair the DID WG and VCWG, AMA

From IIW

I Co-chair the DID WG and VCWG, AMA

Tuesday 1A

Convener: Brent Zundel

Notes-taker(s): ?, Charles Lehner

Tags for the session - technology discussed/ideas considered:

DID WG, VCWG, W3C, Verifiable Credentials, Decentralized Identifiers, Open Standards, Q&A, AMA

Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps

What is the current process?

At this point, the W3C process calls for the Director to determine if the formal objections against the DID Spec will stand.

What role do the people involved in DIDs have in the rollout of vaccine passports?

The participants of the W3C process and their conversations are public, so anyone can take that set and compare it with the set of those involved in vaccine passports

Is the primary objection and dispute resolution primarily related to Mozilla’s objection?

Talking about objections to DID (TH Edit: moreover making enquiries about advancements over recent years).

Timothy Holborn To Everyone

11:49:54 AM

other work: https://medium.com/webcivics/permissioned-commons-7fc33a1ce23e


some old DID related works (noted as Quins, suggesting quads + DIDs) https://lists.w3.org/Archives/Public/public-schema-gen/2017Feb/

(TH Edit: re below - i didn’t ask if blockchain (or moreover Decentralised Ledger Technologies, as to include DHT Hybrids, etc.) was unethrical - not sure who asked.).

Is technology related to blockchain unethical? Some say if it’s based on Proof of Work, yes; some say it’s more nuanced. Hard to reach agreement. Positive direction with W3C Ethical Web Principals: not official guidance for W3C Working Groups, just a set of ideas that folks in the TAG (Technical Architecture Group) wrote.

Response about Ethical Web Principals: DIDs enhance several: personal accountability, individual control, verifiable data…

If W3C wants to add horizontal review requirement for energy usage, we’re happy to try to do that… although it’s hard because it’s just a data model… none of the methods are official specifications. Bulk of conversation.

Argument: we can’t determine if the spec is good enough until there are specified DID methods. Until there are specifications with multiple interoperable implementations, we can’t… When chartered the group, that was considered too large a scope - so we are prohibited from specifying DID method specifications. So we’re caught (in a Catch-22). We’re hoping that the ultimate decision will be that this group did what it was chartered to do, and future groups can do more.

Timothy asks question about “Cool URIs don’t change”...

(TH Edit: nb: https://www.w3.org/Provider/Style/URI )

Energy use… could an ontology be created to quantify the energy payload?

(TH Edit - NB: per ‘permissive commons’ documents above, was part of the design IMO)

Brent: totally possible. But why are we being singled out in particular? Web pages with fancy CSS (and videos, JavaScript) are computationally expensive). Introducing features into CSS increases the computational requirements of web pages. Should this be quantified too?

We think energy use will be one of many criteria to determine appropriate DID methods… along with various decentralization requirements, censorship resistance… a number of concerns any user/implementer ay be concerned with.

Timothy Holborn To Everyone

11:58:34 AM

per: https://lists.w3.org/Archives/Public/public-schema-gen/2017Feb/0006.html NB: google doc noted in linke

Brent: … So the DID WG created a Rubric… so implementers can compare.

Rabble asks about Secure Scuttlebuttt… low resource requirements, can run on Raspberry Pi…

Is this the only W3C thing having to with blockchains?

Brent: I think that’s a safe assumption

Timothy: respectively, I disagree…. (TH edit - comments out of context… can provide links if deemed useful) Carvello… linked data ledger stuff… RDF… huge falling-out between Henry(?) ?... can see in the legacy between Turtle notation and JSON-LD… Commercial vs. network aspect… SOLID… Acamy(?)... Legacy about decentralizing discovery… part of the purpose about getting the golden handcuffs out… providing the ability to consume linked data in a decentralied and private manner, as well as having a better provenance over the assets. I can’t say ( TH Edit: ‘I can’t see’, (different to ‘say’) - provenance important, re: HTTPA, etc.))how that vision has carried on…. Universal Declaration of Human Rights…

Timothy Holborn To Everyone

11:58:34 AM

per: https://lists.w3.org/Archives/Public/public-schema-gen/2017Feb/0006.html NB: google doc noted in link

Timothy: … excluding beyond the traditional scope of W3C work… perhaps there are threats to international law (EDIT: Inter-national world-order, ie: support for jurisdictions, etc.) and order… to transcend concerns… to have human agency. (TH Edit: “Inforgs” vs. ‘Identifiers’ as ‘identity’)

Brent: I would say that desire for individual agency is what drives most of the decentralized identity work that I’ve been a part of…

… Mobile Driver License already incorporated into Apple and Google Wallets… requires verifiers to contact issuers… doesn’t describe what the protocols are for verification of those drivers licenses… that requires different vendors to set up their proprietary processes… a prime example of those golden handcuffs… Once a vendor sets it up and gets it going with Apple and Google, if we get DIDs and VCs and interoperable way to request and present them, are the driver license authorities going to change from something that’s already working for them? We fear not...

Timothy: 2013..2014… no KYC… Identity Credentials… HTTPA 2010… with accountability… built on a DHT… Intention to create an ecosystem… You’re not an identifier, you have a semantic input(?)... identifier you have agency over…. Observer… semantic agent… not by an identifier linked to someone else’s system…. Don’t see how… translates to human rights…

A true worry for me… seeing protests around the world… I want to raise it…

Brent: There are lot of people involved in the community who share your concerns. Generative Identity Group has lots of position statements and guidance. Phil Sheldrake leads that effort…

Kazue: I’ve been out of contact with W3C - you mentioned VC WG - I thought it was a community group?

Brent: current status: Credentials Community Group (CCG) - a place for anyone to come (W3C member of not) to incubate ideas around credentials and digital identity. CCG created first draft of VC spec… VCWG was created to guide that spec through the W3C process. VCWG published VC Data Model v1 as a standard 2 years ago. CCG also incubated DID Core specification… DID WG spun up to do that… That’s the group you took out to dinner in Japan

Kazue: 2019, good times.

Brent: My favorite...

… Passed DID specification through wide review… multiple review periods… In final phases, a number of objections have come up… mostly focused on difficulties in testing how truly interoperable the spec is… We’re addressing those objections and anticipate having a resolution by the end of this year. While the DID WG has been working hard, the VCWG has been maintaining that spec, fixing bugs… hope to have a new version of it published by end of year. Future: original plan was for VC WG to begin working hard on version 2 of that specification, along with subspecifiations on signature types for the way VCs interact with DIDs/keys… but now in a holding pattern, waiting for resolution about the DID WG…

Kazue: thank you. Another question: I don’t quite remember which draft I read; I had a difficulty understanding the difference between the holder and data subject. Probably my question is…. DID… they should have a secret key corresponding to the public key in the DID document? …. Is it a holder or the data subject?

Brent: Really good question… It’s part of an ongoing conversation with the VCWG… The VC Data Model talks about issuer, holder and verifier as roles that entities can play when interacting with VCs… but the specification itself only talks about issuers and credentials subjects. The issue of who or what the credential is about versus who is presenting it is unfortunately something that still needs clarity and to be resolved. For most use cases, the holder and the subject are the same identity… or it’s very clear…. For example in supply chain use cases, the subject is “this pallet of steel” - not a person so can’t hold keys. So it needs more clarification, I think. Definitely an ongoing conversation.

Kazue: Thank you. One scenario I read about is parent and children… the parent could be the holder, and the children the data subject… something like that.

Brent: Right. We believe the Data model is flexible enough to support use cases like that for guardianship and delegation…. But it’s not prescriptive enough [for interoperability]...

Kazue: Thanks


per: https://lists.w3.org/Archives/Public/public-schema-gen/2017Feb/0006.html NB: google doc noted in linke

FWIW: from 2015: https://www.slideshare.net/Ubiquitousau/trust-factory-slides-2015

this might help too: https://www.slideshare.net/Ubiquitousau/human-identity-inforg

started in WebPayments CG which led to: https://www.w3.org/community/credentials/2014/08/06/call-for-participation-in-credentials-community-group/

TImothy: … Golden handcuffs…. Given objections, vaccine passport mechanisms…

(TH - Sought to identify who was involved with VaccinePassports & what market saturation DIDs have with respect to VaccinePassports world-wide).

Brent: No… Patent exclusions, IPR protection… At every step in the process, folks get to call out patent exclusions… Candidate Recommentation… then Proposed Recommendation (current status) another round… This is using a specification that is patent and royalty free, even though it’s not yet an official recommendation.

Timothy: So does that mean… they can take it up with W3C?

Timothy Holborn To Everyone

per: https://lists.w3.org/Archives/Public/public-schema-gen/2017Feb/0006.html NB: google doc noted in linke

FWIW: from 2015: https://www.slideshare.net/Ubiquitousau/trust-factory-slides-2015

this might help too: https://www.slideshare.net/Ubiquitousau/human-identity-inforg

started in WebPayments CG which led to: https://www.w3.org/community/credentials/2014/08/06/call-for-participation-in-credentials-community-group/

https://web-payments.org/minutes/2014-09-04-igf/workshop-report.html is also historically relavent...

Timothy: people did a bunch of work… (TH Edit, i noted also - freely - as…) to make sure there is royalty-free patent-? Standards…

A handover system? When a project is started, and when a legal support for that standard is brought about… at the moment, DIDs is not a W3C standard…

Brent: As I said before, the step from going from Proposed Recommendation (PR) to Recommendation involves the same patent exclusion round that other steps involve…

… My reading of the process doesn’t differentiate any particular decision… At several points in the process, all the AC members were presented the spec, and given a time period to declare patents. In PR, same thing. As of this moment, the doc is a proposed recommendation, and not encumbered by any patents… To my understanding, there aren’t any further moments for people to come in and introduce patent concerns… I think we’ve gone through all of them.

Timothy: Respectively (TH Edit - word was “respectfully”), I don’t think the W3C… (TH: defines (secured, ie: patents was the inference)) prior art… the respondents… (TH Edit - pre vs. post ‘standard’ acceptance’, is it vendors or is it W3C as the patent-pool management entity) when we did payment standards, we did …. And then IPA (TH Edit: Payments led to Credentials, which was initially defined as ‘verifiable claims task-force’ as to support focus’), and we split out credentials… effectively the browser companies said… rewrite the thing… (TH Edit - referring to the Payments Spec, produced via webpayments CG) Then Credentials CG was established… for verifiable claims/passports… (TH Edit - NQR - comment - verifiable claims had a bunch of intended applications, concern has been expressed about Vaccine Passports specifically; alongside concern that other use-cases have seemingyl been set-aside (ie: ontologies on ledgers, etc.) Thank you for the response.

Brent: Luckily, we haven’t had that happen with VCs and DIDs… but yes I’ve heard those horror stories from Manu about Credentials for Web Payments.

method registry: https://github.com/w3c-ccg/did-method-registry

https://miro.medium.com/max/3258/1*iGzdEyUWAzT7TDjU6IUvTQ.png from https://medium.com/webcivics/inforgs-the-collective-info-sphere-67a660516cfd might also be helpful.

Frederico Schardong To Everyone

12:17:43 PM

https://www.w3.org/blog/news/archives/5862 linked http://manu.sporny.org/2016/browser-api-incubation-antipattern/

Kazue Sako To Everyone

12:19:18 PM

Thanks, @Frederico. I will take a look

Christian Paquin To Everyone

12:20:46 PM

can't hear me?

@Kazue, it took me a few minutes to find... this research paper is quite related to your question: https://ieeexplore.ieee.org/document/9333857

Timothy Holborn To Everyone

12:19:14 PM

https://www.w3.org/blog/news/archives/5862 linked http://manu.sporny.org/2016/browser-api-incubation-antipattern/

Kazue Sako To Everyone

12:19:18 PM

Thanks, @Frederico. I will take a look

Christian: … at airport… reading notes…

… Question about VC in general… The VC system…. In a way we tried to build it 10 years ago with …. And failed…. Wallet form factors…

… I see a lot of blink…. Very tied between DID space…. Often considered the same… I see a lot of use cases for VCs outside of decentralied identity… Enterprise scenarios… blockchain related.

… Are there efforts geared toward more enterprise scenarios using VCs?

Brent: I appreciate you pointing out that often VCs and DIDs are talked about hand-over-first, and while they are related standards and seen as components of SSI architecture, each of them has use cases beyond that. I.e. David C., in UK, building for use cases with certificate authorities and X.509 certificates… not using DIDs at all… The VC spec describes a data model that allows any data to be passed along in this envelope in a way that we hope is interoperable… it allows a verifier to have the assurance that the [payload] was not tampered with.... Any use case that can make use of it should look at it, regardless of it is DID-based.

Christian: I see a lot of use cases for … That use VCs… but not aware of any use cases...

Brent: will put link in notes… At this point, because the community that standardized VCs is also the community that standardized DIDs, many use cases are holding them together, but I will be surprised if that stays the case going forward… [many use cases going in different directions]

Christian: …. Vaccine credential… like the CDC card… just a bearer token… in the spec draft, VC with a DID, it got removed half-way, because too much… was needed for that use case.

… There was a lot of… security/identity people saying “What’s that”.

VC an empty shell… an artifact of what was there before… signed JWS…

… Introduced some friction.... But smart health cards are wrapped in VCs… in a form that might not feel optimal for the VC community…

Brent: I know you said you’re not involved in that work anymore, but I think it would be beneficial to raise issues in the VC spec… it has guidance on how to use VCs as JWT… I think for VCI Smart Card creatorse to jump in the VC spec to jump in and say, “here’s how we’ve done it with JWT….” let’s work together to make sure it is reflected in the specification…. That would help everyone out… Personally I think the JWT section of the VC spec could be improved.

Christian: … health-care related… FHIR… medical community… that’s why it got adopted fast… I guess it might be worthwhile to do a post-mordem to see what could be done better…. A miracle that all these people talked and were able to agree on something… we couldn’t because of the time frame… Retrospective… what could be done better… Maybe conflicting with JSON-LD and …. Lower level crypto primitives… pushing for the privacy-preserving signatures and whatnot - don’t really care how they’re wrapped...

Brent: Give me the data that needs to be signed, and we’ll figure out how to sign it in a privacy-preserving way…

Christian: … Containers important… for standards to be adopted…

Brent: I was pleased to hear you were involved with the YouProve(?) work at Microsoft…. I was involved in the first round of designing anonymous credentials in Hyperledger Indie… We liked YouProve…

Christian: …. Blog post…. BBS+... also looking at it again more recently…

… Early on Chaumian signature being used… privacy… blind signatures… for some use cases, all the way to very complicated credentials with some predicate functionality that is hard to specify and implement… as something in between, YouProve is something closer to the simpler thing… but still have feedback that it’s too complicated and too slow... Hard to get anything other than …. Adopted. Goal is to get a good use case….

Brent: Applied Cryptography Working Group at Decentralized Identity Foundation has a work item to implement a BBS+ incubation as an incubation as IETF draft.

Kazue: … Surprised to see you here… along time ago… small world…

Christian: I’ve been away for a few years… now scaling down…. May go back to some more experimental work.

Brent: I hope we can go to real world crypto this year

Kazue: you mean next year. Not sure if will be physical or hybrid… Japan in 2023.

Karim: no question, just attending…

Charles: asking about DID in New York State Excelsior Pass

Brent: I had heard about that… but haven’t looked more closely yet… not sure.

Christian: … about verifiable …. Group pushing for …

Brent: Charles was asking about Excelsior Pass… we’ve also talked about Vacciations… Good Health Pass

Christian: Was anyone here involved in Good Health Pass?

Brent: I was... Got support for BBS+ signatures

Christian: … I would have liked to see such a standard adopted. I heard that in Holland they shipped…. Digital Cooperative Certificate… Surprised…

Karim: but in the end the system got hacked… couldn’t get credentials out… don’t know how robust it is…

Christian: probably built by some specialized people…. Have some risks there.

… Felt like too urgent to introduce credential there… but now have credentials in our hands…

… A better stepping stone.

Brent: In my view, the VCI and Good Health Pass are not conflicting, just approaching the problem from two different directions. VCI: get it out fast. GHP: what’s the best way that people should do this. I think if GHP is right, then both groups will converge anyway. If GHP is wrong, VCI will head in a better direction.

Christian: Yes… the VCI (Vaccination Credential Information) - goal is not to be a COVID “Pass” or “certificate” - it just attests to the clinical fact that you got vaccinated. Then there are different entities/industries that could use that as input…. The travel industry… could give you a “pass” / “green checkmark”.... So it just means you got these two doses on these dates, not that e.g. you are allowed to enter restaurants… Not a pass…. Larger than just COVID…. Any immunizations, any … more general than just COVID.

… Now, especially because of the absence of any other passes, people are showing these directly…. Ideally they would be used as input to other passes...

Timothy Holborn (TH) note: whilst i did not highlight it in the DID session, part of the design was to obtain / transcode media (ie: https://www.mico-project.eu/ ) undertake phonetic analysis, then package it as a ‘verifiable claim’ - ie: police interview, or law-enforcement interaction with various media, etc - as to ensure, persons are able to take digital evidence (of lived experiences) to a court of law. I’ve made some corrections above, as may illustrate the merits of said use cases. Otherwise. Cheers. Tim,.

A DID project that does have anything to do with Verifiable Credentials: https://identity.foundation/didcomm-messaging/spec/

A VC project that doesn’t have anything to do with DIDs: https://verifiablecredentials.info/