W3C

- DRAFT -

Verifiable Claims Working Group

20 Feb 2018

Agenda

Attendees

Present
Benjamin_Young, Dan_Burnett, Dave_Longley, David_Chadwick, Gregg_Kellogg, Joe_Andrieu, Liam_Quin, Manu_Sporny, Matt_Stone, Richard_Varn, Ted_Thibodeau, Tzviya_Siegman
Regrets
Chair
Matt_Stone, Dan_Burnett, Richard_Varn
Scribe
manu

Contents

<stonematt> Agenda: https://lists.w3.org/Archives/Public/public-vc-wg/2018Feb/0015.html

<scribe> scribe: manu

DavidC: I'll have to leave before end of hour.

manu: Can we talk about Subject != holder or multi-subject credentials.

stonematt: Let's discuss issues first, after Agenda review
... Any new folks to the group today?

No new participants.

<cwebber> scribenick: cwebber

<manu> We have a PR here about profiles: https://github.com/w3c/vc-data-model/pull/104

manu: this PR is really ready to be merged
... we gave a heads up, 'm going to merge this thing after the call
... DavidC has rightly pointed out there's issues with the language, we'll make a PR for that
... with profiles in place, I'm going to strongly assert we can do multi-subject credentials here with the current data model, and we can do subject != holder in a variety of ways
... I think what we're waiting on is a way to mark up use cases
... we need to show people how to do a marriage certificate or birth certificate, etc... those are the use cases I've heard
... the way we support all these use cases today.. gonna take them one at a time

<stonematt> does "multiple people" = "multiple subjects" ?

manu: say you need to make a verifiable credential that makes statemnets about multiple sets of people, and the statements themselves are not connected in any way... so and so is qualified as an accountant, a plumber, etc... I don't know a compelling use case where you do them all at the same time... but for the sake of argument let's say you do. the way to do that: have the claims statement as an array
... a statement about different DIDs
... I need to look again, but I'm pretty sure you can do that today, do a verifiable credential without a group ID, can be totally separate in the same credential, data model supports it today
... we just need to show people through markup
... second use case is subject != holder
... holder can be an assistant booking a flight for someone at an organization, in that case you'd have the credential from the subject with the passport, you might have a capability on it that says the assistant can use it, and the profile is assigned using the assistant's material in some way. there's a capability in the profile or something
... that asserts that I have a profile, and if you do a bit of sleuthing on the data model, you can see that the credential I sent you didn't belong to me but I can do it. Capabilities is one way, bespoke signatures another, but data model allows you to solve it in a varitety of ways
... that's use case 2 and I'd say that the data model supports that today
... third use case: when we need to talk about multiple different subjects that have different relationship to each other: parent-child, whatever
... you're saying the subject is the holder, but the issuer also wants to make some statements of other subjects in the network. in a birth certificate subject is the person born, and in there you'd create a relationship in the frame to the parents
... so subject in this case is person born, and in their birth certificate it says the parents are X and Y. You create relationships in the frame by creating parent ???
... so that's the third use case, asserting we support that as well in the data model
... all of this is debatable , but my assertion is the data model supports it. If someone wants to give use cases, we can close off a number of these

<manu> scribe: manu

DavidC: My problem is that there is too much ambiguity in the current data model, it does allow all of these things, but it's not clear when you get a Verifiable profile, whos it is, etc.
... That places a huge amount of effort on the Verifier or protocol to find it. I'd prefer the data model to remove all ambiguities, when you get the creential, from the credential/profile whether the subject is the holder, tell if there are multiple subjects, same subject, I'd like to remove all of this ambiguity. There is nothing concrete there, far too vague.
... Who is the subject? Is it all about the same subject? You should get the credential, it should tell you what's there, it should make it easier for the verifier to prove that's the case.
... If we want to support all of these use cases, you put properties in credential/profile to indicate what it is so the issuer/verifier knows what to look for.
... I could take credentials from multiple issuers, multiple subjects, so recipient knows exactly wht they're getting

<Zakim> stonematt, you wanted to ask multiple subjects decomposable?

<dlongley> we need examples.

stonematt: Somewhat parallel comment - when we finish this, tactical discussion -- group credential use case one, multiple subjects in a VC -- question about decomposition that verifier might be able to do, don't remember how that works, but would like to come back to that. Let's finish on David's question first.

<Zakim> manu, you wanted to agree, so we need examples and correcting language.

<cwebber> scribenick: cwebber

manu: I completely agree with DavidC, I think the language in the spec is ?... we need examples. That's the blocker, I don't think talking in the issues is the right place, though DavidC has been doing great work there. We have an advanced concepts section in the spec, I think we should put these subject != holder and multisubject examples in the spec in the advanced concepts part
... marriage certificate and birth certificate seem kinda close? I'm looking for clear use cases, birth certificate is great, I'm a bit of a loss of the other two... I'm lost as to where to make totally independent claims in the same verifiable credential. I guess subject != holder is a simple one, we have 2 of 3, I just don't know what to do with the disconnected thing... I fear the completely disconnected ones may be a bad use case, but I know what

to do for 2 of 3

<scribe> scribenick: manu

JoeAndrieu: For completely independent things, we're talking about in a profile, right?

<cwebber> manu: we're talking about just verifiable credential layer, you can have two completely different and disconnect islands of information, and that could happen in verifiable profiles as well

manu: no, in a credential, you can have completely disconnected claims. you can have that in a profile as well.

JoeAndrieu: Subject broken out - optional relationship property in profile. would address good portion of David's desire for rigor.

liam: Listening to David's summary -- if you have a data model, when you're implementing, you shouldn't need any information in the data model... it should be complete.

<stonematt> JoeAndrieu: echoed David's suggestion for an optional relationship attribute on the claim to model describe nature of subject/holder relationship

liam: We have to avoid something coming in and telling us what's in the data model.
... if you can have unrelated claims/credentials come along in the same package, in same data model instance, there are security questions. You don't want someone to inject extra credentials in the process.

<Zakim> liam, you wanted to assert the dm must be complete and sufficient & to angst about multiple credentials in one thingy. although i have 3 different birth certificates

liam: digital signatures help, but they don't necessarily prevent.

<dlongley> would be good to have an example of an attack that we're concerned about

DavidC: When someone issues a credential, you can say who is creating a credential. All about the same subject, even if ID is different, or about different subjects.
... It makes it clear if it's about same person or different people
... Then we have the profile, holder who is not subject, holder has ID, ID of holder is same as ID of credential, then you know holder is subject.

<dlongley> seems like using different subject IDs for the same person in the same credential is an unwanted correlation risk more than anything.... i'm wondering what the use case is for that.

DavidC: Clearly the key must go with the ID, otherwise you won't validate the signature. Holder can put additional information in there, say whether they are all about different subjects. Holder has to say. Issuer cannot say. issuer says something is about one person, different issuer is issuing about one person. Holder then has to say - these are about different people.
... I don't think this is difficult, we just need to be more clear.
... New section on subject != holder, then examples. I need to write some examples, more ideas on how to do those. We should add this section.

<Zakim> manu, you wanted to note that rigor is up to the vocab... we have schema.org relationships and to say digital signaturs prevent injection of extra stuff

<cwebber> manu: we shoudl very carefully look at whether terms are in schema.org and reuse that

<gkellogg> +1 to keep vocabulary narrowly focused on VC and defer other relationships to appropriate vocabularies

<dlongley> +1

<cwebber> manu: we have to be very careful about introducting properties and be minimal about it

<cwebber> manu: esp if it's application or market version specific vocabulary term, because we should not be in that space

<dlongley> but ok to give examples.

<stonematt> +1 to be careful about inventing/asserting vocabulary - also +1 to have an anchor point to support something like an existing relationship vocabulary

<cwebber> manu: re what liam said: the thing at the VC/VP level... if all your credentials and profiles are signed, I reject the notion that can be tampered with easily, the signature protects everything inside the container. something outside the container can introduce injection attacks. so maybe we should talk about injection attacks within and without

<cwebber> manu: and when you can and can't trust the info

DavidC: One concern is extensibility, this is extensible, they can add properties. That's not the issue, we don't want to rule that out. We do want to have the minimum in there, minimum data model, we know what we have. People can extend it.
... About ontologies - we can specify the property, put the property in the data model, and give an example. Actual values returned by actual ontology that people should use. We can put a marker in there, have you have this field - what value is is determined outside.

<Zakim> JoeAndrieu, you wanted to talk about bringing forth semantics embedded in credential transfers in the real world

DavidC: Have to step away now, please assign items to me.

JoeAndrieu: We don't want to develop ontologies, but we do need to state relationships. Allow ontologies where we have terms for something. Vital thing here is because we're in a digital context, we don't have something embedded in real world. Giving driver's license has semantics that we lose in real world. Profile saying holder, that's important. optional relationship field we can address w/o too much complication/overhead.

<Zakim> liam, you wanted to note a malicious credential gets signed

liam: Digital signatures reduce chance that something can be tampered with, but they don't stop someone malicious from adding things before something has been signed.

<dlongley> hmm, they aren't signed by your "trusted store" they are signed by the issuer -- so the issuer (or someone attacking the issuer in some way) would have to inject something malicious.

gkellogg: Going back to keeping vocabularies narrowly focused, there is an interop consideration. We should keep VC vocabulary focused on claims themselves, but if there is no best practice, specific classes properties from schema.org, then we have a tower of babel problem understanding what's being said.
... Maybe we could use SHEX or SHACL that is a constraint language, create a profile that people can test against wrt. interop.

We have an issue for this: https://github.com/w3c/vc-data-model/issues/76

<Zakim> tzviya, you wanted to ask about subject !=people

tzviya: Almost all of the use cases have subject as people... Manu had mentioned schema.org, some use cases could be creative works that are the subject. Publication/book is the subject.
... School issuing may be subject, book may be subject, school may be receiving credential. People are not always the subject. For topic of bundling, could be people AND orgs.
... Institutional credentials that have a collection of people. Institutional access, collection of people. We have to think broader than people.

<Zakim> manu, you wanted to respond, we support that.

<Zakim> stonematt, you wanted to discuss the groups of people idea

<cwebber> manu: it's important to do examples around things that aren't just people, you can even do examples around concepts such as love or the sky, but we need to provide more concrete examples around that

stonematt: Without getting into the weeds just yet, Joe and I met about use cases discussion. Talked about organizations that have individuals that are granted access to libraries.
... I'd like to wind this discussion down, spin Joe's use cases discussions back up.
... Anyone else want to provide input here?
... great discussion, btw... this was a healthy and productive discussion.

<JoeAndrieu> +1 for pulling in the PR

<cwebber> manu: if you look at the ?? spec you can see lots of examples, we could take the same approach here, or we can link off-site to the use cases. if every use case has an example of the kinds of credentials made in the process that can show that we're done

<cwebber> manu: so maybe this is a good segway into the use cases: once we've identified use cases, how do we identify when they're done. where do the examples reside? I think we'll need a conceptual example in the spec, but can put specific examples in use cases doc

<scribe> ACTION: Manu to create 3 new advanced concepts sections - subject != holder, multisubject, data islands

Use Cases

JoeAndrieu: How do we know when we're done, and how do we represent it?
... This is an eternal question in requirements engineering.
... We're done when we're done, but that's tautological.
... As for where we put it in the document, maybe we need 5-6 focal use cases. 5 is the ideal number. If we are going to do a straightforward interaction, and sticky wicket, those are two different use cases.
... There are easy versions and sticky wicket versions. Don't know trade-offs on where to put it in the document.
... Focal use cases, illustrate how we meet them.
... We have walked through Tzviya's use case, understand what it meant. We have a couple of different architectures, whitelist directory... whitelist is not that interesting. That's straightforward w/ data model already. Trust framework seems more interesting. Issuer issuing claim under trust framework.
... There is a system allowing certain members at one University to access another University.

tzviya: Open Athens

JoeAndrieu: So, access for student to shared resources. I don't think we have in the current data model, for issuer to provide information stating their authority.

manu: We do have evidence?

JoeAndrieu: feels like a square peg, but we should think about it in a bit more depth.

<dlongley> the issuer itself can have its own credentials, which could be discovered by dereferencing its identifier

JoeAndrieu: Matt's use case - someone has enhanced diploma, grades on classes, in 2a, labor market (monster.com), the subject of that wants to selectively disclose grades they got in classes. They don't want overall GPA.
... That may be the simple version, we don't know where the sticky wicket is.

<dlongley> ^i would expect that to be the main way to keep discovering more information, if that's needed... just keep dereferencing subjects to discover more information/credentials.

JoeAndrieu: That's ongoing work.

stonematt: The nature of relationships between issuers to issue related credentials. Category of discussions that we haven't uncovered much.
... Tzviya's assertion about university case, IP rights to grant credential, delegate credential to someone in my network to do training on my behalf and grant my credential. Issuer delegation.

tzviya: Tzviya's use case, we could jointly issue PAC10 credentials that are equal to one another, each one would get university access anywhere in the world. Harvard may view all those credentials as equal.

JoeAndrieu: Maybe we can try evidence first, see how that works out.

stonematt: Maybe what we're talking about here is "jurisdiction", do I have authority to issue this type of credential.

<tzviya> the existing Ed use cases https://www.w3.org/TR/verifiable-claims-use-cases/#education could be fleshed out further

JoeAndrieu: My update - use cases haven't been updated in a while, want to focus it around use cases we looked at. Since we're exploring deeply.
... Maybe we can pick 3 use cases, 2 variations (easy / sticky wicket)

dlongley: Respond to use case that we're talking about - authority that's issuing a credential to a number of universities, universities issue their own credentials.
... In process of verifying student's credential, if you don't trust issuer, you can dereference issuer to discover credentials about the issuer. You could then discover that the issuer has a credential from an authority that you trust. you can dereference identifiers to find more information. Also works well wrt. CG, putting public credentials on blockchains, or find services to find credentials. I expect use case can be discovered via identifiers, whether

or not you should trust credential at bottom of tree.

<Zakim> manu, you wanted to note that some of these are object capabilities use cases, not verifiable credential use cases.

<cwebber> manu: delegation was mentioned a couple of times... I agree with what dlongley said in that we have a very cool and flexible discoverability mechanism. Typically people do it through very rigid trust frameworks today. the data model we have enables far more dynamic trust models, and you don't even need federation for some value of "federation"

<cwebber> manu: but there's this concept in linked data called "follow your nose", if you're not sure of the info you got you follow your nose to those links so you can get a more educated information to what you do. equivalent to picking up the phone and calling a reference to see if someone's a good employee at previous job, etc. I think that's a powerful idea

<cwebber> manu: also I wanted to point out we're talking about delegation, because we could easily throw verifiable credentials at that problem but we're also working on object capabilities but that may be a better fit to do this

JoeAndrieu: I do think object capabilities may be a good way to deal w/ authority.
... We could do it w/ dereferencing, authority may not be publicly listed, issuer publishes everything, or verifier needs to check all their trusted sources. For small use cases, not difficult, but if explit mention is in data model, it makes verifier's job easier.

stonematt: We're at time, top of the hour, time to adjourn.

<dlongley> it's hard to list the authority explicitly -- you still have to dereference it

<JoeAndrieu> cheers

Summary of Action Items

[NEW] ACTION: Manu to create 3 new advanced concepts sections - subject != holder, multisubject, data islands
 

Summary of Resolutions

[End of minutes]
Minutes formatted by David Booth's scribe.perl version 1.152 (CVS log)
$Date: 2018/02/20 17:01:20 $

Scribe.perl diagnostic output

[Delete this section before finalizing the minutes.]
This is scribe.perl Revision: 1.152  of Date: 2017/02/06 11:04:15  
Check for newer version at http://dev.w3.org/cvsweb/~checkout~/2002/scribe/

Guessing input format: Irssi_ISO8601_Log_Text_Format (score 1.00)

Succeeded: s/is/does/
Succeeded: s/my my/, but my/
Succeeded: s/Open Access/Open Athens/
Present: Benjamin_Young Dan_Burnett Dave_Longley David_Chadwick Gregg_Kellogg Joe_Andrieu Liam_Quin Manu_Sporny Matt_Stone Richard_Varn Ted_Thibodeau Tzviya_Siegman
Found Scribe: manu
Inferring ScribeNick: manu
Found ScribeNick: cwebber
Found Scribe: manu
Inferring ScribeNick: manu
Found ScribeNick: cwebber
Found ScribeNick: manu
ScribeNicks: manu, cwebber
Agenda: https://lists.w3.org/Archives/Public/public-vc-wg/2018Feb/0015.html

WARNING: No date found!  Assuming today.  (Hint: Specify
the W3C IRC log URL, and the date will be determined from that.)
Or specify the date like this:
<dbooth> Date: 12 Sep 2002

People with action items: manu

WARNING: Input appears to use implicit continuation lines.
You may need the "-implicitContinuations" option.


WARNING: IRC log location not specified!  (You can ignore this 
warning if you do not want the generated minutes to contain 
a link to the original IRC log.)
[End of scribe.perl diagnostic output]