15:02:14 RRSAgent has joined #vcwg 15:02:14 logging to http://www.w3.org/2017/07/18-vcwg-irc 15:02:23 present+ Chris_Webber 15:02:32 trackbot has joined #vcwg 15:02:56 trackbot, start meeting 15:02:56 Sorry, but no Tracker is associated with this channel. 15:02:56 trackbot, start meeting 15:02:56 Sorry, but no Tracker is associated with this channel. 15:03:13 trackbot, this is VCWG 15:03:13 Sorry, TallTed, I don't understand 'trackbot, this is VCWG'. Please refer to for help. 15:03:39 RRSAgent, draft minutes 15:03:39 I have made the request to generate http://www.w3.org/2017/07/18-vcwg-minutes.html TallTed 15:03:44 RRSAgent, make logs public 15:03:52 amigus has joined #vcwg 15:04:25 scribe: gkellogg 15:04:43 present+ Christopher Allen 15:04:46 present+ Ted_Thibodeau 15:04:49 JoeAndrieu has joined #vcwg 15:05:01 Topic: Agenda review, Introductions and Reintroductions 15:05:10 present- Christopher Allen 15:05:10 present+ Christopher_Allen 15:05:14 Present+ Adam_Migus 15:05:17 present+ David_Lehn 15:05:17 Zakim, who's here? 15:05:17 Present: Chris_Webber, Ted_Thibodeau, Christopher_Allen, Adam_Migus, David_Lehn 15:05:17 Agenda: https://lists.w3.org/Archives/Public/public-vc-wg/2017Jul/0004.html 15:05:20 On IRC I see JoeAndrieu, amigus, trackbot, RRSAgent, Zakim, gkellogg, stonematt, kimhd, Charles_Engelke, Colleen, TallTed, liam, dlehn, cwebber2, dlongley, deiu, bigbluehat, 15:05:20 ... ChristopherA, manu, robert 15:05:44 present+ Kim_Duffy 15:05:46 present+ colleen_kennedy Gregg_Kellogg Matt_Stone 15:06:30 topic: Introductions 15:07:00 varn has joined #vcwg 15:07:08 Kim_Duffy: our W3C membership just kicked in, so this is my first meeting. I work as a principle architect at Learning Machine, working on Block Certs with MIT Media Lab. 15:07:25 … I’m interested in the goals of this group. I’m also co-chair of the Credentials CG. 15:08:00 zakim pick a victim 15:08:10 zakim, pick a victim 15:08:10 Not knowing who is chairing or who scribed recently, I propose Matt_Stone 15:08:15 zakim, pick a victim 15:08:15 Not knowing who is chairing or who scribed recently, I propose Kim_Duffy 15:08:17 zakim, pick a victim 15:08:17 Not knowing who is chairing or who scribed recently, I propose Matt_Stone 15:08:31 nage has joined #vcwg 15:09:00 q? 15:09:05 Present+ Nathan_George 15:09:32 ChristopherA: Along with Kim, I’m chair of the Credentials CG in the W3C, I represent BlockStream. 15:10:22 Individually, I’ve been hosting Rebooting Web of Trust community, who’s goal is to go back to the PGP roots of 26 years ago with something better. We’ve had 4 gatherings with specs for the last couple of years. We just had a virtual hackathon, with good results. 15:10:35 s/Individually/… Individually/ 15:10:46 topic: Publishing of the FPWD for the data model doc. 15:11:09 stonematt: Manu sent regrets, but his expectation is to have a spec ready for pub by next call. 15:12:01 topic: Issues related to Revocation and Validation 15:12:20 The issue where this was discovered: https://github.com/WebOfTrustInfo/rebooting-the-web-of-trust-fall2017/issues/12 15:12:25 stonematt: Christopher sent a note from the hackathon on experiences. 15:13:12 ChristopherA email re morning discussion: https://lists.w3.org/Archives/Public/public-vc-wg/2017Jul/0005.html 15:13:35 Present+ Manu_Sporny 15:13:53 ChristopherA: This issue is from the hackathon. I’ve been developing a user model for how Web of Trust (WOT) would work. As an example, a daughter of imigrants wishes to contribute to efforts back in her homeland, but fears for sticking out, so is using pseudonomous technologies. 15:14:23 … Part of the purpose of the hackathon was to work around this using the DID anonymous identifiers scheme. 15:14:34 https://github.com/WebOfTrustInfo/rebooting-the-web-of-trust-fall2017/issues/12#issuecomment-315569411 15:15:12 … Within that issue is the just mentioned sub-issue that basically has discovery. Basically, what was intereseting was that there was an in-out process to get a result that we could say was “verified”. 15:15:58 … NIST has a document that talks about verification, which says “you should only collect the information which is necessary to validate the identify for validation and verification” (but they don’t explain the difference). 15:16:10 … I’ve chosen the words becaused VC has chosen them. 15:17:31 … VC means everything is complete with no inspections. We have an integrity check to look at aspects of the object itself, which might note it uses a particular signature mechanism. Then, you have to go inside the object to know what you need to look into further, for that I use “inspect into” to be clear that you need to know something about the object to continue, which is defined by the data model spec. 15:17:46 I assume we're talking about this comment? https://github.com/WebOfTrustInfo/rebooting-the-web-of-trust-fall2017/issues/12#issuecomment-315569411 15:18:38 … From there, we have a variety of objects that need to be validated further, that’s the DID spec, look at the issues DID, which is incomplete, and need to go elsewhere. We need to inspect other aspects, which leads to a big loop of checks and validations. After that’s complete, I can then call to have it verified. 15:18:58 q+ to discuss difference between "verified" and "verifiable"... and need for "verification process". 15:19:27 … The discovery became more complex, as there’s a step above the VC, it still doesn’t necessarily mean you can trust it. In a centralized model you have the “root” of the certfificate; why trust one vs the other? 15:20:07 q? 15:20:16 … I’m calling that stage “confirmation”, which comes form the BitCoin perspective. They have a concept thata just because something has been verified, you still want to wait for 6 more looks before it can be trusted. 15:21:26 … Finally, I delved into revocation, at the highest level, it’s what to do when things go wrong, but it relates to everything else. It can happen at any level. Then you have something which is outside of the loop, where something else have gone wrong. Clearly, revocation is overloaded, and there’s aspects that can apply at all levels. 15:21:46 … I encourage you to take a look at the full user story, which is in the topics directory of Rebooting WOT. 15:21:49 ack manu 15:21:49 manu, you wanted to discuss difference between "verified" and "verifiable"... and need for "verification process". 15:23:08 manu: We have a raised issue about what the process is you go through to change a verifiable claim from “verifiable’ to “verified”. This is a good first step, the next step would be to put something like this into the data model spec. 15:23:27 (from the subissue) the logic of my ordering of these different spectrum words started with the name of the working group, Verifiable Claims. 15:23:27 INTEGRITY CHECK includes malformation and cryptographic signature or proof checks - this is defined by the signature system spec 15:23:27 INSPECT INTO means looking inside for something and then going outside to get it — this is defined by the data model spec 15:23:27 VALIDATION means that the conform to rules of the DID spec and the specific DID method. 15:23:27 VERIFICATION means that that everything is self-consistently INTEGRAL, the INSPECTIONS reveal no problems with VALIDITY, and thus the whole can be VERIFIED. 15:23:27 manu is it this? https://github.com/w3c/vc-data-model/issues/9 15:23:28 … Depending on the claim, you may skip steps or have other steps to go through. +1 for tetting this going. 15:23:29 CONFIRMATION relies of the VERIFIABLE CLAIMS to then make possibly more human judgements on different trust models to be used by the Web-Of-Trust. It also somewhat analogous to Bitcoin's terminology, where transactions require multiple CONFIRMATIONS. 15:23:29 REVOCATION deals with the edge cases where things go wrong. There may need to be processes associated with "where things go wrong" at each the stages above, as revocation currently may be an overloaded term. 15:24:04 q+ 15:24:12 … The group is called the “Verifiable Claims WG”, not the “Verified Claims WG”. We have to be careful to not make guarantees about soething being verified. 15:24:52 … We’re talking about the verification process, as a results I think the wording is good. Nate Otto has some other words to add to it. 15:25:45 I would add that verifiable also means that an inspector, if authorized to do so by the subject, can look inside the claimvelope and review the evidence relied upon by the issuer and decide if they consider it sufficient to accept the claim. 15:25:52 … The other point is that the more speciallized terminology we create, the harder it is going to be for other people to understand it. I’d rather we focus on the process, and think careful before adding more terminology, but rather focus on what actualy happens. 15:25:55 q? 15:26:23 q? 15:26:25 … The concrete request is to get this into the spec as a set of steps you go through. 15:26:33 ack ChristopherA 15:26:35 q+ 15:27:46 q+ 15:27:50 q? 15:27:51 ChristopherA: I agree with what manu said, the words can be a rat-hole, but I didn’t hear about the fact that it became clear we need to know what spec does what. The space of the different pieces of a VC, and how they come together as a whole into a VC that can be considered to be “verified” at that point. We don’t have a spec on what it means to confirm it, and also have this revocation thing which touches all of them. 15:28:04 … I’m trying to weave something aroud all the different specs. 15:28:10 ack varn 15:28:14 side note -- Please expand all acronyms/abbreviations on first-use in any document. e.g., DID has multiple expansions (apparently 44! http://www.acronymfinder.com/DID.html). Distributed Identity was not the first meaning that I applied in reading, and makes meaning #45. 15:28:44 varn: I like Christopher’s narative, and that it is non-normative. This is an example of the different components that need to be part of the process. I don’t know if we need to name them. 15:29:03 I found it! Here's Nate's work on the list of validity checks to verify a verifiable claim: https://github.com/w3c/vc-data-model/issues/9#issuecomment-281394529 15:29:13 +1 on evidence — it is needed for CONFIRMATION 15:29:14 q+ 15:29:24 q+ to point out Nate's work 15:29:27 … The whole idea of verification is really a 2-step process. One part Christpher descdribed. The other part is to look at the evidence you have and decide if you believe it. 15:29:33 BTW, here is the full Alice WoT user story: https://github.com/WebOfTrustInfo/rebooting-the-web-of-trust-fall2017/blob/master/topics-and-advance-readings/RWOT-User-Story.md 15:29:47 q? 15:29:54 ack nage 15:30:23 q+ 15:30:25 Nage: There’s the idea that your revoking the VC, or that you’re revoking the keys used to make the credential. We need to call this out. 15:30:38 q? 15:30:45 ack amigus 15:31:24 iso documents are not public, anyone send me a copy with those definitions. 15:31:28 q+ to separate out "Revocation" from this discussion, which can be implemented in a variety of ways. 15:31:41 q? 15:31:44 amigus: The definitions that NIST works form are based on ISO, and the working definitions are verifies that it works correctly, and validates that it fulfills an intended function. They’re still debated, but the basics 15:31:53 ack manu 15:31:53 manu, you wanted to point out Nate's work and to separate out "Revocation" from this discussion, which can be implemented in a variety of ways. 15:32:05 manu: I found the work Nage did on this. 15:32:06 Nate's work on the verification process: https://github.com/w3c/vc-data-model/issues/9#issuecomment-281394529 15:32:27 … This is input that Christopher mentioned, as long as the others. 15:33:34 … The topic has revocation, but we’re reallly talking about the process and language about it. There are many different ways of doing revocation. This now specifies a real simply mechanism, but not that it is the only way to do it. 15:33:55 q? 15:34:08 q+ 15:34:09 … That’s a tar-pit that could consume us. The spec just needs to show one way to do it, in addition to making it extensible to allow others. 15:34:21 … I’d like to split that issue out. 15:34:23 TallTed: key detail of revocation is revocation *of what*. claim, certificate, authority, etc. 15:34:28 ack ChristopherA 15:34:56 q+ to be specific - revocation of the verifiable claim, specifically the identifier associated with the verifiable claim. 15:34:58 TallTed: also, difference between revocation vs retraction vs refutation 15:35:36 q+ to note we're having another terminology issue here, I'm being very technically specific when I say "revocation", it isn't reputation, it isn't refutation, etc. 15:35:57 ChrisopherA: My challenge is that as soone as you usse the word “revocation”, it becomes a rat-hole. You mentioned 2 things that were revoked, but I can think of more. There’s a word “refutation”, as well. Sometimes that is what is needed, to say that something is false at confirmation level all the way down to the key failure, which is diffferent than the “revocation” act, which is after everything has been done. 15:36:34 … If we’re clear that things can be true/false at different levels, it’s different than the explicit cancelation after the fact, even if we don’t use those specific words. 15:36:46 ack stonematt 15:37:09 Revocation: the official cancellation of a decree, decision, or promise. Refutation: the action of proving a statement or theory to be wrong or false. 15:37:50 stonematt: This discussion seems pretty essential as we understand how the echo-system works and get some experience. As I listen to the discussion, we talk about keys being revoked or rotated, and DIDs, but those should be the provenance of the DID spec. 15:38:14 … We just need to know how to implement their veification as a loop in our data model. 15:38:42 q? 15:38:54 ack manu 15:38:54 manu, you wanted to be specific - revocation of the verifiable claim, specifically the identifier associated with the verifiable claim. and to note we're having another terminology 15:38:57 ... issue here, I'm being very technically specific when I say "revocation", it isn't reputation, it isn't refutation, etc. 15:40:30 manu: This discussion demonstrates that there isn’t clarity about what we’re talking about. When I said revocation before and that we needed to put something in the spec, I was being very specific about the end result. The process you go through is important, and we may want to talk about it in the spec, but what I’m looking for as an editor is: which property to you use to say it’s revoked? This is specifically not refutation, which IMO is out of scope. 15:41:30 … We’re talkinga bout an issue retracting something they said, and the revocation of the VC (it’s id). I’ve issued an issue with this id, and I’m now saying that it is invalid. The way you go to discover that is to go through a field in the VC and implementing whatever revocation mechnism is there. 15:41:30 q? 15:42:09 … We need to suggest at least one revocation mechanism that we believe will be fairly easy to implement. It may not have the anonymity we want, but we need to specify something. 15:42:37 … The converstaion Chistopher is talking about shoul happen, but perhaps in the CG. The result of that should be something tangible in the VC data model spec. 15:42:43 q? 15:43:59 stonematt: for next steps, we need to reconcile Christpher’s note with Nate’s and come up with a straw-man for a document in or next to the data model doc to discuss revocation and result in a VC that rings true. 15:44:14 q+ 15:44:24 … We can put some structure around the discussion and get some language that could go into the data model. 15:44:36 +1 to that being the right next step, I think ChristopherA should lead that discussion. 15:44:40 ack ChristopherA 15:45:16 ChristopherA: I think there is a concept of something that is explicitly higher-level than the VC. we might call it “confirmation”, and say that we don’t do that. 15:45:25 … That’s a good piece to untangle out. 15:45:32 q? 15:45:37 q+ 15:46:11 (BTW, this issue is also entangled with privacy requirements) 15:46:12 stonematt: I understand where manu is coming from about being careful that we don’t assert something is “Verified”, but we need a way to talk about a positive outcome of such a process. 15:46:20 q+ to suggest that ChristopherA suggest some language 15:46:22 q? 15:46:33 q+ 15:46:37 ack manu 15:46:37 manu, you wanted to suggest that ChristopherA suggest some language 15:46:57 i think the phrase that will be true at the end of the verification process is that the claim was accepted or rejected by the inspector. The fact that a claim is accepted or rejected be a data element or could become a new verifiable claim. 15:47:00 manu: I’d lke Christopher to take the lead and look at other terminology and Nate’s stuff and get a proposal for language to put in the spec. 15:47:16 … We should talk about the verification process in the spec. 15:47:19 Link to the Verification section in the Data Model spec: https://w3c.github.io/vc-data-model/#verification 15:47:30 Zakim, who's here? 15:47:30 Present: Chris_Webber, Ted_Thibodeau, Christopher_Allen, Adam_Migus, David_Lehn, Kim_Duffy, colleen_kennedy, Gregg_Kellogg, Matt_Stone, Nathan_George, Manu_Sporny 15:47:34 On IRC I see nage, varn, JoeAndrieu, amigus, trackbot, RRSAgent, Zakim, gkellogg, stonematt, kimhd, Charles_Engelke, Colleen, TallTed, liam, dlehn, cwebber2, dlongley, deiu, 15:47:34 ... bigbluehat, ChristopherA, manu, robert 15:47:43 q? 15:47:56 … We talk about structural validity, entity validdity etc. Once we get that in there it can be refined. THis might take a couple of months to get through. 15:48:04 +1 for putting them in that space per manu 15:48:05 q+ 15:48:17 ack TallTed 15:49:14 TallTed: One of the challenges we’re going to have is what does verifiable claim mean? My understanding is that the verification is to say that source emitted this claim, and nothing more. Not to say that it is true. 15:49:40 +1 to TallTed - yes, that's exactly the purpose of a verifiable claim... not to say "This is the truth", but to say "I know who said this, they still assert this, and it's up to me to do something with that information". 15:49:42 +1 to TallTed scope of VC 15:49:51 if it is about a subject, the association between the claim and the subject should be part of it as well 15:49:51 q? 15:49:53 … We care that it is represented accurateliy, and came from the source the presenter said it came from, and the technology needs to support this. Basically, we’re verifying the provenance of the claim, not the accuracy. 15:50:11 +1 provenance, also currency (via non-revocation) 15:50:43 and whether the subject has given permission for the claim to be inspected must be verifiable 15:51:08 ChristopherA: I’m reluctant to take it alone, as I’ve found it needs more back and forth, and I think we have a lot of stuff that feels entangled. That comes back to things like the language we’re using for the roles. I’m still uncomfortable with some of the terms, and this has impact on the language. If we take Ted’s possition, those roles are conflated with other things. 15:51:19 @varn I think "verifying" anything about the subject is extremely problematic 15:51:39 q? 15:51:43 ack ChristopherA 15:51:53 … I don’t know how to untangle things, I’d love to see the ISO specs. I’m willing to join a task force that might meet about this a couple of times, but I can’t take it on my myself. 15:52:07 maybe this is a topic for RWoT? 15:52:18 q+ 15:52:26 q? 15:52:28 … This is an issue for RWoT already. 15:52:33 ack manu 15:53:27 manu: This is an iterative process; we need to put something out there that can be revised. I can talk a stab at it after FPWD and attempt to collect other things; I think I have a concpet on how to start doing that. If people scream, at least we know that and can go elsewhere. 15:53:34 q? 15:54:08 Please do! 15:54:28 … Ted hit the nail on the head, which says we’re not that far off. If Christopher is okay with my trying to merge this we can make a second pass and see if it aligns with everyone’s thinking. 15:54:38 q? 15:54:49 I'm happy to review, and I can probably sync up with Nate Otto on it as well 15:54:57 +1, great, thanks kimhd! 15:55:31 stonematt: next week to 10 days we’re about the FPWD. What items should we cover in next weeks call? 15:55:37 q+ 15:55:46 q+ to ask about status of FPWD - we're good to go w/ editor edits? Date? 15:55:51 q? 15:56:00 ack ChristopherA 15:56:01 @JoeAndrieu i agree but we have put the idea that a person identifier can be part of a VC so we have the issue to address regarding whether the person subject of the claim has and identifier that is sufficient to allow one to associate the claim with them. Whether it is sufficient is up to the inspector. 15:56:02 … It would be nice to have something processed before we spend call time. 15:57:01 ChristopherA: A number of interesting things came up when we were trying to do VC for WOT. Maybe not next week, but at some point soon, I’d like to have various examples and pare them down in the a relativeliy mature set of examples that work. 15:57:07 We were supposed to do that here: https://github.com/opencreds/vc-examples 15:57:14 (no one has submitted anything yet) :) 15:57:25 q? 15:57:36 … WoT example, education, health. Works with JSON-LD, signature systems, DIDs, etc. Has proper sub-names, key-names, etc. 15:57:46 ack manu 15:57:46 manu, you wanted to ask about status of FPWD - we're good to go w/ editor edits? Date? 15:58:26 manu: My understanding is that the group approved pub of FPWD. If we pull work that’s out there, are we still go with FPWD. Can we set a date? e.g. next thursday? 15:59:07 stonematt: We did approve publication. We approvied Inspector/Verifier. Otherewise, we agreed to move forward with FPWD and Thursday would be a good target. 15:59:24 manu: I want to be sure noone’s planning on a formal objection? 15:59:51 stonematt: no one mentioned anything. 16:00:02 manu: So we won’t be talking about FPWD next Tuesday. 16:00:15 thanks everyone 16:00:16 stonematt: We’ll put a call out for agenda items. 16:00:39 rrsagent, draft minutes 16:00:39 I have made the request to generate http://www.w3.org/2017/07/18-vcwg-minutes.html manu 16:00:40 RRSAgent, draft minutes 16:00:40 I have made the request to generate http://www.w3.org/2017/07/18-vcwg-minutes.html TallTed 16:00:46 RRSAgent, make logs public 16:07:52 amigus has joined #vcwg 18:07:48 Zakim has left #vcwg 18:39:41 gkellogg has joined #vcwg