W3C

- DRAFT -

Verifiable Claims Working Group

28 Aug 2018

Attendees

Present
Brent_Zundel, Clare_Nelson, Dan_Burnett, Dave_Longley, David_Chadwick, David_Ezell, Ganesh_Annan, Gregg_Kellogg, Kaz_Ashimura, Lovesh_Harchandani, Manu_Sporny, Matt_Stone, Mike_Lodder, Ted_Thibodeau, Yancy_Ribbens, Tim_Tibbals, David_Lehn, Allen_Brown, Bob_Burke
Regrets
tzviya
Chair
Matt_Stone, Dan_Burnett
Scribe
DavidC

<stonematt> Agenda: https://lists.w3.org/Archives/Public/public-vc-wg/2018Aug/0008.html

DavidC is scribe

<manu> scribe: DavidC

<burn> scribenick: DavidC

Unassigned Issues

<stonematt> https://github.com/w3c/vc-data-model/issues?utf8=✓&q=is%3Aissue+is%3Aopen+no%3Aassignee

issue #224 mike-lodder will take this

<stonematt> https://github.com/w3c/vc-data-model/issues/224

Introductions

Intro from Brent who works for Evernym

issue #224. ClareNelson asked Dan to clarify some of the terms, and is happy to contribute to this

<Zakim> ClareNelson, you wanted to discuss 224

<dlongley> +1 to notion that there are many different ZKP models

<manu> +1, some of the incoming changes seem to be focused on CL-style ZKPs.

<Zakim> manu, you wanted to get mike-lodder setup

kaz will add mike-lodder and ClareNelson to the github group

TPAC Planning

<stonematt> https://docs.google.com/spreadsheets/d/1aYodpYXQg_C9zn3HcNQoMN2A_ESsArJaA4jl3x0cahE/edit#gid=1978211400

Can attendees please add their names to the attendees tab

The TPAC registration procedures will not automatically say who is attending which meetings

google doc was originally read only, and now it seems to be unavailable to most people

<burn> matt is fixing

but it is working now. Thanks matt

Need to decide which external groups we should liaise with

We need to determine order of priority and time to meet with them

Existing issues and PRs is already a discussion topic, so no need to list individual items

<burn> rrsgaent, draft minutes

Allen_Brown is giving a presentation on use of VCs in B2B commerce. We should attend that at the TPAC

<Zakim> manu, you wanted to note TAG ... maybe?

Manu suggests a place in the TAG to publicise the use of VCs, decentralised IDs, and the whole eco-system

ClareNelson suggests an interactive session to discuss trust model, security model, tamper resistance etc.

So that when the security group review the data model they will understand the threat model

Unfortunately ClareNelson won't be present at the TPAC so leading this session would not be optimal

There has been no activity on the PING list this last week

<inserted> kaz points out that we can use wednesday breakout as well for our joint discussion if needed

<burn> good point about using Wednesday breakout time if our schedule is full or difficult to coordinate with others

Please add your suggested topics for TPAC to the google doc by the end of this week

Coordination with PING

<Zakim> manu, you wanted to suggest some focus areas for PING

Manu would like DavidC to bring PING up to speed on our trust model and privacy sections

<burn> davidc: willing to act as liaison. Plan to encourage them to focus on data model issues and a reminder that anything protocol-related is out of scope for this document.

because PING's view was that our model was so broad that they could not focus on any one thing

The privacy concerns really come into focus when protocols are defined.

Has PING reviewed a pure data model before?

PING could focus on one use case, e.g. a privacy enabled one, and see if the data model can support it

Is the data model compatible with the security model for the web

<burn> matt: do you need anything else DavidC?

<burn> davidc: their main concern was the single-origin policy. That is not fundamental to our data model, but our diagram shows such a flow, going from issuer to holder to verifier

<burn> ... this is fundamental to our ecosystem

<burn> davidc: i don't see how we comply with that (responding to dlongley's comment)

<burn> ... I think we violate same origin policy

<manu> dlongley: There are plenty of examples where data is stored on one website and it is sent to another website. Case in point is the Web Payments WG's work.

<manu> dlongley: For example, payment request is made by merchant website, payment request sent to digital wallet website, data is sent from digital wallet back to merchant. This is all implemented in browsers -- that flow is exactly the same as the web payments API.

<manu> DavidC: That's great, that's a really nice example.

<burn> davidc: that example is good. if that example is not compliant then the whole world is not compliant

<manu> No, is TODAY... that's exactly the way it works today.

<mike-lodder> Same-Origin does have its issues still as cookies enable both cross-site attacks and third-party tracking

<mike-lodder> Here is a good paper about that https://wholeftopenthecookiejar.eu/static/tpc-paper.pdf

<stonematt> Topic: PR Review

<stonematt> https://github.com/w3c/vc-data-model/pulls

<Zakim> manu, you wanted to summarize PR reviews...

Manu. We have made good progress on incorporating PRs this last week

Still an issue with ZKPs. We need to ensure our document is generic rather than one ZKP method specific

Refresh service feature is stuck at the moment

<stonematt> https://github.com/w3c/vc-data-model/pull/210

We need to either add it to the advanced feature section marked at risk, or not include it

Manu won't be available for September calls due to business tasks. We need to arrange a different way of working to address outstanding PRs during this period

Lovesh will update his current PRs with images that conform to existing standard

<mike-lodder> Manu: I'm okay making ZKP's more general to account for the various methods to accomplish it, the main issue is that it be accounted for

<Zakim> manu, you wanted to explain current thinking around wrt. privacy considerations section and how to balance the language.

<dlongley> maybe "see privacy consideration" links? ... or is that overkill?

Manu. Nearly every section has privacy concerns. We would like to address these in the Privacy Section rather than in each section

This would lead to duplication and repetition.

Manu. The spec should cater for any technology that can improve privacy, such as ZKPs.

stonematt has agreed to update the refresh service text and update the PR

<mike-lodder> That's fine with me

<manu> +1 to refreshService going in the Advanced Concepts section...

Test Suite

DavidC will review the existing text in refresh to see if it addresses his two concerns of privacy violation and it's a protocol issue

Summary of Action Items

Summary of Resolutions

[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.152 (CVS log)
$Date: 2018/08/29 00:08:13 $