W3C

- DRAFT -

Verifiable Claims Working Group

22 Aug 2017

Agenda

See also: IRC log

Attendees

Present
Charles_Engelke, Chris_Webber, Colleen_Kennedy, Dan_Burnett, Dave_Chadwick, Dave_Longley, David_Lehn, Gregg_Kellogg, John_Tibbetts, Kim_Duffy, Manu_Sporny, Matt_Larson, Matt_Stone, Nathan_George, Richard_Varn, Ted_Thibodeau, Liam_Quin
Regrets
Chair
Dan_Burnett, Matt_Stone, Richard_Varn
Scribe
Matt Stone, stonematt, dlongley


<stonematt> scribe: Matt Stone

<stonematt> scribe: stonematt

<scribe> agenda: https://lists.w3.org/Archives/Public/public-vc-wg/2017Aug/0011.html

introductions

<varn> varn

Reintroduction: varn

varn: works at ETS on credentials for 30y in academia and legislature. working to pair testing and other credentials for individuals to represent themselves

Schedule expectations for current milestone (Issue & Verify)

<dlongley> scribe: dlongley

stonematt: A couple of weeks ago we sketched out some milestones. The first one following FPWD was a fundamental capability of issue and verify.

<manu> https://github.com/w3c/vc-data-model/milestone/3

stonematt: Wanted to spend a moment on bringing group back together on that as our next goal. As we get into discussion on composing/decomposing credentials... wanted to not get into rat's nest of nuance there and lose sight of our milestone. We will continue to refine data model, but it should be a guide post for us -- driving towards this milestone.
... Wanted to spend time to align on that as a goal and find out if this PR and the scope of discussion is the right one to have in light of this objective.

<scribe> scribe: stonematt

manu: Digital Bazaar agrees that is a good first objective. feedback re: cwebber2 discussion re: test suite.

<burn> FYI, the milestone was not in dispute. The chairs just wanted to remind everyone that we had it and needed to remain focused on it!

test suite update

cwebber2: we need to be able to test against some format, like JSON-LD, but support JSON also. discusses having a series of files w/out script that can be verified
... user could simply "verify" the file, but realize that's not good enough
... need to verify that the user's library could generate the signatures
... wanted to avoid web server that user can submit stuff to, b/c of increased overhead for support
... decided to bundle a script/driver - 3 command lines
... 1) verifier - returns positive if programs verify
... would require shipping fully bundled issuer and verifier implementation
... would have hooks to replace your own issuer/verifier stuff

<dlongley> ok, so test suite would come with preissued credentials and some verifier code -- it could test itself and you can plug in your own implementation for issuer/verifier to the "driver".

manu: upside of this approach: simple and takes us through Rec. -- shouldn't have to redo it mid way through

<burn> +1 to test suite driver. Always best when groups do this.

manu: 1) issuer tool 2) verifier tool 3) test suite driver tool -- 3) runs entire suite and produces a report.
... makes developer's life simple

burn: thank you, groups that do this are more successful!

Status of PR 69

manu: ready to merge after a typo-fix.

<dlongley> +1 to merge

burn: any objections?

<burn> ACTION: Manu to merge once typo fixed [recorded in http://www.w3.org/2017/08/22-vcwg-minutes.html#action01]

no objection heard.

Brainstorm subtopics for Privacy and Security sections

<manu> https://github.com/w3c/vc-data-model/issues?q=is%3Aissue+is%3Aopen+label%3Aprivacy

<manu> https://github.com/w3c/vc-data-model/issues?q=is%3Aissue+is%3Aopen+label%3Asecurity

<varn> subtopics as well

<Zakim> dlongley, you wanted to comment on smaller pieces

dlongley: consider refactoring how we are putting privacy/security in the spec.
... perhaps have them be sub-topics of elements of each other section
... provides more context for those sections

<dlongley> +1 to having both general sections and specific ones

burn: will need primary sections as well as consideration within other areas

<Zakim> manu, you wanted to mention that we may want to link from what dlongley said to security/privacy sections "Things to be aware of..." and to also note that we have lots of topics

<dlongley> +1 don't wait to refactor, but suggest that subsections can be a way people get something small in

burn: really interested in getting more contributors writing.

<burn> right dlongley, agreed with motivation to have smaller bits

manu: agree that we need called out section b/c it was a topic during chartering.
... can't be completely diffused throughout the document
... also include content in each section that calls out areas of concern for security/privacy
... "also be aware of..."
... we have 20 open issues in the issue tracker related to security and/or privacy - start there. Please weigh in.

<Zakim> burn, you wanted to explain what goes into these sections

burn: typical content is - specific privacy concerns "one priv. concern is xxx; this is how we address it or why it's not relevant"

David Chadwick working on issues around giving individual control around disseminating their information

scribe: have been working on this topic w/ the Community Group
... Kim has the link as well.
... if presenter is subject, content/text maybe slightly different than if the presenter isn't the subject

<dlongley> a simple privacy concern is "terms of use" -- when you hand over a credential to a verifier, how are the terms of use expressed or implied?

scribe: negative claims are also an issue.

<Zakim> kimhd, you wanted to ask which document (still not sure)

<dlongley> expressing terms of use (or providing a framework to do so) is in scope for data model.

<kimhd> Privacy & Security Requirements for Credentials Ecosystem: https://goo.gl/ZeyJUS

<Zakim> liam, you wanted to comment on privacy

liam: when we chartered this group, there were people who made formal objections or comments - would be good for chairs to reach out to AC forum to get use cases

<scribe> ACTION: chair to ask on ac-forum for specific privacy example concerns and use cases [recorded in http://www.w3.org/2017/08/22-vcwg-minutes.html#action02]

<Zakim> nage, you wanted to talk about subject

nage: medical records and others where subject may be 3rd party.

<dlongley> could scope it by "type of credential"

nage: context is important for terms of use

<Zakim> manu, you wanted to note acceptableUse and DO_NOT_CORRELATE issues/discussion. and to mention PING as well - reach out to them

manu: 2 open issues 1) around defining "acceptable use" mechanism
... 2) "do not correlate" flag

<varn> one issue is related to when a party is seeking one or more claim/credential holders and how that seeker will inquire as to whether such holders exist and if so, would they want to share enough details to accommodate the seeker's interest and avail themselves of the opportunity that the seeker is offering. Some subtopics--how a holder can expose part or all of a claim/credential, how the seeker will discover them/communicate offer, broker role, and holder choice

manu: would like to agenda time for "do not correlate" discussion.
... should start reaching out to other organizations for feedback on the FPWD
... ask for input from PING group at W3C and accessibility group

<Zakim> burn, you wanted to talk about readability before contacting communities

manu: also good habit to ask for feedback on a regular (~3mos) basis

<varn> how "right to be forgotten" would apply to a claim/credential and how that can be incorporated as a data element in the model or in the validation or verification so that the data can be found and "forgotten"

<burn> stonematt

<dlongley> stonematt: It might be worthwhile as a group to take this discussion, which is good, and over the next week or two get these placeholders in our stack so there's a list of issues that we're going to go fill out as we reach out to other orgs and parties so it's not a big black hole.

<dlongley> stonematt: That's something we could probably do as a quick PR to have an inventory of issues to go address.

<Zakim> manu, you wanted to note we have issue markers in the spec for almost all known security/privacy issues.

manu: asserts that the current spec is good enough to share/expose and ask for feedback
... not the FPWD, the current editor spec
... asking for objections

burn: would like to have content in the security/priv section as well as issue markers

crickets...

<varn> i think it was the part that said if you suggest it you have to take responsibility for doing it

burn: would like volunteers to read doc for security/privacy issues.

<MattLarson> MattLarson can as well

<varn> varn will

<burn> Nage said he will review the markers

<manu> This is the latest: https://w3c.github.io/vc-data-model/

chadwick: where is the latest copy

<Charles_Engelke> I will review, too.

Also review the issues list

issues list: https://github.com/w3c/vc-data-model/issues?q=is%3Aissue+is%3Aopen+label%3Asecurity and https://github.com/w3c/vc-data-model/issues?q=is%3Aissue+is%3Aopen+label%3Aprivacy

chadwick: terminology around "credential" and "claim"

burn: can't replace "claim" with "credential" for historical reasons

<dlongley> can't remove it, but need to keep it in a much smaller box.

<Zakim> manu, you wanted to say "no, we can't remove claim" :)

manu: claim may be resulting in confusion around "claim", but it's the term that's in the "charter". Credential is a loaded term and means things in other contexts (as well as "Profile")
... need to define relationship between profile, credential, and claim

<dlongley> also becoming a term of art.

<dlongley> (or a more popular one anyway)

<Zakim> kimhd, you wanted to discuss CCG work item overlap and how we can help

<dlongley> need an intro that is both technically accurate and politically acceptable :)

kimhd: wanted to discuss topic that she included above "privacy and security ecosystem" would/should feed this group

<Zakim> burn, you wanted to mention that claim may be an atom (but longer discussion needed to confirm that)

burn: a claim is more than a term of art and used widely. the question is "what is an atom" and "what is non-divisible"? a claim is taking on that concept

adjourn.

Summary of Action Items

[NEW] ACTION: chair to ask on ac-forum for specific privacy example concerns and use cases [recorded in http://www.w3.org/2017/08/22-vcwg-minutes.html#action02]
[NEW] ACTION: Manu to merge once typo fixed [recorded in http://www.w3.org/2017/08/22-vcwg-minutes.html#action01]
 

Summary of Resolutions

[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.152 (CVS log)
$Date: 2017/08/22 15:58:14 $
