IRC log of auth-id on 2018-12-10

Timestamps are in UTC.

16:16:13 [RRSAgent]
RRSAgent has joined #auth-id
16:16:13 [RRSAgent]
logging to
16:16:20 [Zakim]
Zakim has joined #auth-id
16:16:25 [wseltzer]
rrsagent, this meeting spans midnight
16:16:40 [wseltzer]
Meeting: Strong Authentication and Identity Workshop
16:27:59 [Takashi]
Takashi has joined #auth-id
16:32:26 [shigeya]
shigeya has joined #auth-id
16:33:15 [burn]
burn has joined #auth-id
16:39:53 [Jiewen]
Jiewen has joined #auth-id
16:40:10 [shigeya_]
shigeya_ has joined #auth-id
16:41:50 [achughes]
achughes has joined #auth-id
16:42:08 [shigeya]
shigeya has left #auth-id
16:45:29 [shigeya]
shigeya has joined #auth-id
16:46:27 [manu]
present+ Manu_Sporny(remote)
16:46:32 [manu]
rrsagent, make minutes
16:46:32 [RRSAgent]
I have made the request to generate manu
16:46:34 [manu]
rrsagent, draft minutes
16:46:34 [RRSAgent]
I have made the request to generate manu
16:46:43 [manu]
rrsagent, make logs member
16:46:47 [shigeya]
present+ Shigeya Suzuki
16:46:51 [manu]
rrsagent, draft minutes
16:46:51 [RRSAgent]
I have made the request to generate manu
16:47:16 [manu]
present+ Shigeya_Suzuki
16:47:20 [manu]
present- Shigeya
16:47:23 [manu]
present- Suzuki
16:47:28 [manu]
rrsagent, draft minutes
16:47:28 [RRSAgent]
I have made the request to generate manu
16:47:48 [manu]
rrsagent, draft minutes
16:47:48 [RRSAgent]
I have made the request to generate manu
16:48:27 [manu]
Chair: Wendy_Seltzer
16:49:01 [shigeya]
shigeya has joined #auth-id
16:52:28 [burn]
present+ Dan_Burnett
16:52:29 [Mathias]
Mathias has joined #auth-id
16:52:30 [hober]
hober has joined #auth-id
16:53:02 [jfontana]
jfontana has joined #auth-id
16:53:55 [Guest11]
Guest11 has joined #auth-id
16:54:00 [markus_sabadello]
markus_sabadello has joined #auth-id
16:54:13 [hober]
present +hober
16:54:28 [jfontana]
present +jfontana
16:54:36 [manu]
wseltzer: no audio yet...
16:54:56 [manu]
s/wseltzer: no audio yet...//
16:55:00 [tomj]
tomj has joined #auth-id
16:55:08 [ken]
ken has joined #auth-id
16:55:09 [Jiewen]
Jiewen has joined #auth-id
16:55:30 [Craigspi]
Craigspi has joined #auth-id
16:57:44 [JoeAndrieu]
JoeAndrieu has joined #auth-id
16:58:44 [Steven]
Steven has joined #auth-id
16:59:05 [manu]
scribe: manu
16:59:19 [manu]
wseltzer: Hi, my name is Wendy Seltzer, W3C - glad to welcome you here.
16:59:33 [manu]
wseltzer: Thank you to Tony Nadalin and Microsoft for hosting us.
17:00:05 [manu]
wseltzer: We're looking forward to the next two days of discussion, brainstorming, and socializing around Strong Auth and Identity.
17:00:41 [manu]
Tony N. covers location of emergency exits, bathrooms, and parking. Assistance help, medical emergencies help, etc.
17:00:46 [manu]
rrsagent, draft minutes
17:00:46 [RRSAgent]
I have made the request to generate manu
17:00:52 [marie_]
marie_ has joined #auth-id
17:01:25 [manu]
wseltzer: Very briefly, introducing the day and goals of the workshop at a high level - logistics, getting conversation going, etc.
17:01:51 [shigeya__]
shigeya__ has joined #auth-id
17:01:51 [manu]
wseltzer: We use IRC for realtime minuting and discussion... to connect to the wifi - MSFT Guest and use the code on the board.
17:02:00 [sanjay]
sanjay has joined #auth-id
17:02:00 [auth-id]
auth-id has joined #auth-id
17:02:11 [jeffh]
jeffh has joined #auth-id
17:02:13 [will]
will has joined #auth-id
17:02:36 [brentz]
brentz has joined #auth-id
17:02:39 [tony-tr]
tony-tr has joined #auth-id
17:02:42 [Steven-Google]
Steven-Google has joined #auth-id
17:02:50 [kimhd]
kimhd has joined #auth-id
17:02:58 [manu]
wseltzer: We are thrilled to have everyone here - just a quick intro to W3C - our goal is to lead Web to its full potential... we work on voluntary consensus standards.
17:03:10 [krystian_czesak]
krystian_czesak has joined #auth-id
17:03:25 [auth-id]
auth-id has left #auth-id
17:03:26 [manu]
wseltzer: We put workshops like this on to bring people together, lots of work is happening here and outside of W3C - if we can be a forum for conversation, great, if it happens elsewhere, great.
17:03:27 [kenrb]
kenrb has joined #auth-id
17:03:38 [manu]
wseltzer: We are not the exclusive endpoint of work, but one possible place to bring that work.
17:03:45 [manu]
wseltzer: We are committed to Web for All.
17:03:45 [brentz]
present+ Brent_Zundel
17:03:46 [Didier]
Didier has joined #auth-id
17:04:04 [manu]
i/scribe: manu/Topic: Introduction to Workshop/
17:04:06 [Douwe]
Douwe has joined #Auth-id
17:04:51 [manu]
wseltzer: We operate under Royalty-Free patent policy - this workshop is not Recommendation track, contributions here are not yet contributions that are governed by patent policy. Our goal is that specs should be implementable RF wrt. patents / copyright, etc.
17:05:16 [manu]
wseltzer: We are a member consortium, we depend on members to participate - hope to keep that infrastructural work going - 475 members from all sorts of places.
17:05:21 [SarahSquire]
SarahSquire has joined #auth-id
17:05:53 [manu]
wseltzer: We operate workshops under a code of ethics and professional conduct - if anyone has an issue, find wseltzer or someone else in W3C Team. We want to make sure this environment enables everyone to feel safe, respected and heard.
17:06:12 [manu]
wseltzer: We are working in difficult areas, standards work well for technical problem, good enough technical problem, and find a common resolution.
17:06:29 [manu]
wseltzer: This all depends on you and the broader community to make sure these things work effectively.
17:07:13 [manu]
wseltzer: We want to hear from everyone - you have cards, on those cards, you can write down questions/comments/concerns - we will use those to fill into Q/A and discussion that follows... we will also have dots for voting, mark areas of particular interest/concern.
17:07:27 [will_]
will_ has joined #auth-id
17:07:59 [dwaite]
dwaite has joined #auth-id
17:08:02 [manu]
wseltzer: We will have breakout sessions where we are gathering in smaller groups... W3C process for consensus ... these are preliminary directions/ideas... feel free to toss out ideas, but don't worry that if you're not in a group that you're going to miss the opportunity to provide critical input.
17:08:09 [manu]
rrsagent, draft minutes
17:08:09 [RRSAgent]
I have made the request to generate manu
17:08:25 [manu]
wseltzer: Also another part of getting together is social - Tony has found us space in a nearby on campus restaurant.
17:08:50 [manu]
wseltzer: This is pay your own way, but pay your own way... ~$20 minimum - interested and expecting to come tonight?
17:08:57 [manu]
tony-tr: There is good beer/wine.
17:09:21 [manu]
wseltzer: Does anyone need a shuttle?
17:09:22 [aaronpk]
looks like all hands raised except a few
17:09:22 [kenrb]
almost everyone raised hands
17:09:28 [manu]
tony-tr: I'll get a couple of shuttles.
17:09:45 [manu]
Scribe notes roughly 60+ people raised their hands.
17:10:35 [manu]
wseltzer: You can make off the record statements... let us know if you want something to be off the record.
17:10:48 [Jim]
Jim has joined #auth-id
17:10:58 [John_Bradley]
John_Bradley has joined #auth-id
17:11:35 [manu]
wseltzer: We can do queue management via q+
17:12:03 [manu]
wseltzer: We can capture what's going on at workshop... everyone is capable of adding things to minutes.
17:12:22 [chrisboscolo]
chrisboscolo has joined #auth-id
17:12:38 [BartW]
BartW has joined #auth-id
17:12:52 [chrisboscolo]
sorry you can't be here in person, Manu!
17:12:53 [manu]
wseltzer: Thanks to the PC and Manu and the rest of the PC for putting all of this together.
17:12:58 [Karen]
Karen has joined #auth-id
17:13:32 [manu]
wseltzer: Thanks to Tony and Microsoft for hosting us here... our goal is to move things quickly. Please add slides to google slide deck.
17:13:54 [manu]
wseltzer: You can email me to put material on Google Slide deck...
17:15:23 [manu]
Kaliya: Hi, passed around cards to all of you - purpose of the workshop is to build mutual understanding across strong auth and identity projects, to do that, we're trying to gather as much input as possible.
17:15:35 [manu]
Kaliya: We want to find potential connections between your work and work being presented.
17:15:45 [manu]
Slide Directory for presentations --
17:16:06 [manu]
Kaliya: We want questions, concerns, connections that you're seeing - we'll collect them after each of 7 presentations, we want to get a sense of the room about each of these.
17:16:10 [Mitja]
Mitja has joined #auth-id
17:16:45 [manu]
Kaliya: Please put number on the card, and questions/concerns -- this can be made anonymously.
17:17:14 [manu]
Kaliya: We will collect them after each presentation.
17:17:19 [manu]
Topic: Understanding Verifiable Credentials
17:17:31 [manu]
burn: We are going to go through this quickly, this is a quick overview.
17:17:38 [manu]
burn: When we talk about VCs, what do we mean by that?
17:18:05 [manu]
burn: There are all sorts of things we use today quite successfully - we wanted to duplicate that in an electronic form.
17:18:21 [manu]
burn: We would show age/drivers license -- we're switching to education credentials - diplomas for example.
17:18:59 [wseltzer]
rrsagent, draft minutes
17:18:59 [RRSAgent]
I have made the request to generate wseltzer
17:19:04 [manu]
burn: Diploma is interesting... I have a PhD from Oregon, which was acquired by another school... that school doesn't exist anymore... that org might not exist anymore in any form... we want to make sure we cover use cases like that... we are interested in cryptographically verifiable credentials.
17:19:37 [manu]
burn: The work on VCs is just on a data model, not on protocol yet... issuer/verifier -- we don't define ecosystem normatively, but it's hard to talk about this w/o suggesting an ecosystem.
17:19:40 [manu]
Slide 3
17:20:06 [manu]
burn: When we talk about Verifiable credentials... issuer issues to holder... holder holds on to it... verifier asks for credential from holder.
17:20:35 [manu]
burn: In this model, a VC contains credential metadata, claims, and proofs... the identifiers can be cryptographically controllers, but issuers can also be identified.
17:20:44 [achughes]
burn: the verifier is the one seeking verification
17:20:46 [manu]
burn: What is a claim - one statement about a subject, Pat is over 21, for example.
17:21:11 [wseltzer]
i|welcome you here|-> Intro slides
17:21:33 [manu]
burn: Here's an example in JSON-LD Syntax... we are defining a data model, and showing how you can use different syntaxes...
17:22:29 [manu]
burn: At some point there is a realization of the syntax... the main thing I want you to see is that there is an ID for the credential, there is some type information... from perspective of user... they are just using ProofOfAgeCredential... etc... we have an issuer field, when it's issued, the part in red is the actual claim.
17:22:56 [manu]
burn: We used to call this a "claim"... now we call this the "credentialSubject" - the id represents the subject of the claim... the property is ageOver and the value is 21.
17:23:31 [manu]
burn: There is a proof... the details don't matter... ther eis just a proof on there... we do have some suggestions on cryptographic proofs, but lots of this is flexible/variable.
17:23:59 [wseltzer]
s/ther eis/there is/
17:24:17 [manu]
burn: We also talk about presentations... issuer, holder, verifier - it's actually a verifiable presentation by holder to verifier... it's for multiple credentials, often about same subject... identifier, some metadata, claims or some whole credentials... main idea w/ presentation is something that holder can pull from multiple credentials.
17:24:24 [manu]
burn: What are verifiable credentials and what are they not?
17:24:34 [Pamela]
Pamela has joined #auth-id
17:24:34 [manu]
Slide 8
17:25:02 [manu]
burn: VCs allow an issuer to provide a statement of fact... holders hold on to them, verifier can see if the statement hasn't been tampered with.
17:25:12 [manu]
burn: VCs don't represent verified truth... just who claimed what
17:25:14 [manu]
Slide 9
17:25:32 [manu]
burn: This work is being standardized right now in VCWG... in scope is data model and syntaxes...
17:25:47 [manu]
burn: We are looking at JSON-LD... and JWT...
17:26:06 [manu]
burn: We do not have browsers in scope... we do not define protocol... we don't address "Identity on the Web"... we're just providing VCs.
17:26:38 [manu]
burn: out of scope work could be chartered in future WG... Credentials CG is looking at these items...
17:26:59 [manu]
burn: We have a spec, we're trying to wrap up ZKP and JWT support... we have done some Horizontal Review (non-official)... expecting CR very soon.
17:27:09 [manu]
burn: We have test suites, use cases... (slide 10)
17:27:21 [manu]
burn: If you are curious about use cases... take a look at use cases document...
17:27:53 [manu]
burn: Details of pictures are W3C Member Confidential... in commerce, there are governments, banks, large websites, using VCs.
17:28:23 [manu]
burn: In trade, DHS, CBP, Canadian Provinces... importer, exporter, etc. are some target use cases... real adoption here.
17:28:27 [manu]
slide 13
17:28:35 [manu]
burn: Are there questions?
17:29:09 [manu]
@@@: If you are concerned w/ data model - some credential, over 21, you want to know if *I* am over 21...
burn: There is plenty of discussion around subject != holder.
17:29:58 [manu]
JoeAndrieu: Use Cases talk about that use case - we are looking at things that are out of scope in protocol... but important to get a holistic view of things.
17:30:23 [jillwill01]
jillwill01 has joined #auth-id
17:30:48 [manu]
burn: Anyone can make any claim about anything... if you look at the ID in red, that's a DID, this is where you may start seeing use for DIDs.
17:31:11 [manu]
burn: Control over the identifier is an interesting question we're going to hear about soon...
17:31:55 [manu]
tony: In looking at the current spec, it still looks like JSON-LD is the language, it looks like you're going to wrap regular JSON or other types of JWTs/CWTs - get a little concerned... those get quite large, little concerned around size of expression.
17:32:16 [manu]
tony: We're not looking for just users making these statements, we're looking for devices... concerned around size of claims.
17:32:22 [manu]
burn: Is that a question or statement?
17:32:33 [jzcallahan]
jzcallahan has joined #auth-id
17:32:53 [manu]
burn: I'm not going to talk about the merits of one format of the other... as a Chair, we have been asking for feedback from others for the entire lifetime of WG... we do have people looking at other formats.
17:33:16 [manu]
burn: We do have folks that are looking to support other expression formats.
17:33:51 [manu]
Oliver: We have a pull request in for JWTs - we do have some shorter expression avoid duplication in JSON-LD... issuer could become iss field.
17:34:01 [manu]
q+ to note that we're trying to be agnostic.
17:34:07 [kimhd]
Minutes and PR:
17:34:37 [Dalys]
Dalys has joined #Auth-id
17:34:40 [manu]
burn: We have welcomed participation, we would like more input... we'd like help wrapping up what we have... additional proposals to recharter.
17:35:01 [manu]
Sarah_Squire: Proposal in Ethereum community ERC725 - are you working w/ them.
17:35:34 [wseltzer]
ack manu
17:35:34 [Zakim]
manu, you wanted to note that we're trying to be agnostic.
17:36:33 [wseltzer]
manu: we're trying to be agnostic. Lots of experiments underway
17:36:40 [wseltzer]
... the model has proven to be flexible
17:36:53 [wseltzer]
... It's true that some formats have big payloads that won't work for small devices
17:37:04 [wseltzer]
... could be that cwt or jwt work at different layers of the stack
17:37:23 [wseltzer]
... and licensing has a bigger payload
17:37:29 [wseltzer]
... different tools in the toolbox
17:37:38 [John_Bradley]
John_Bradley has joined #auth-id
17:37:51 [manu]
wseltzer: Any further questions for Dan Burnett.
17:38:25 [manu]
wseltzer: We're building up modules, understanding different components that are available - different places that they might be useful. Think about incompatibilities... ways we can work together.
17:38:35 [manu]
Topic: Decentralized Identifiers
17:38:56 [manu]
Slides are here --
17:39:55 [manu]
kimhd: Hi, I'm Kim, CTO of Learning Machine - work in educational credentials... co-chair of W3C Credentials CG - also DIF Steering Committee.
17:40:21 [manu]
kimhd: What is a DID? It's a new type of URL that is globally unique, highly available, persistent, cryptographically verifiable, and doesn't require a centralized admin.
17:40:41 [Loqi]
Loqi has joined #auth-id
17:41:02 [manu]
kimhd: In education use cases, we want the recipient of a credential to be identified using a DID.
17:41:09 [manu]
kimhd: A DID is an identifier for a subject.
17:41:16 [wseltzer]
[slide 3]
17:41:25 [manu]
kimhd: here we have did:x:123 as the identifier for the subject.
17:41:44 [manu]
kimhd: What does a DID look like?
17:41:47 [manu]
slide 4
17:42:06 [manu]
kimhd: we have a scheme "did:", then "DID Method", then did specific string.
17:42:38 [manu]
kimhd: There are examples of what these look like at the bottom of the page...
17:43:05 [manu]
kimhd: Globally unique identifier - in many of these cases, you can self-create your identifier... prove that you control it, no central admin can take it away from you.
17:43:39 [manu]
kimhd: Each DID Method must specify a set of mechanisms - Create, Read, Update, Delete (aka revoke)
17:44:26 [wseltzer]
[slide 5]
17:44:46 [manu]
kimhd: One critical part - DIDs resolve to DID Documents - we have a Veres One identifier here - document it resolves to - contains authentication mechanisms, public key material, services...
17:45:17 [manu]
kimhd: markus_sabadello is going to talk about that next... DID Resolver is retrieving DID Document.
17:45:27 [wseltzer]
[slide 6]
17:45:34 [manu]
kimhd: So, DIDs resolve to DID Documents... let's look at specific DID resolution process.
17:46:02 [manu]
kimhd: This is saying we're using the BTCR method spec, run it through the universal resolver, produces a DID Document.
17:46:48 [manu]
kimhd: identifier tells you which block, which transaction, to find the transaction in.
17:47:10 [manu]
kimhd: Resolver knows, per method spec, how to get information, how to return this thing.
17:47:25 [manu]
kimhd: so, DID Document has keys, authentication, services, signatures, timestamps.
17:47:35 [manu]
slide DID Document
17:48:09 [manu]
kimhd: This document has been incubated at RWoT and IIW, currently draft in W3C CCG, protocols and prototypes at DIF, there is a DID Method Registry, DID Auth, DID Resolver...
17:49:01 [manu]
kimhd: We'd like to discuss a DID Working Group at this Workshop.
17:49:17 [kenrb]
kenrb has joined #auth-id
17:49:22 [wseltzer]
ack nadalin
17:49:25 [wseltzer]
q+ hober
17:49:37 [manu]
tonyn: What do you expect to standardize?
17:50:05 [manu]
tonyn: There doesn't seem to be cross-blockchain interop... I need different DIDs on every blockchain... who is going to run the registry... concerned around transparency of resolvers...
17:50:31 [manu]
kimhd: Interop first - that's the big part... what's the content of the DID Document, that describes how interop is possible...
17:50:43 [manu]
kimhd: DID Auth, for example, needs that document....
17:51:38 [manu]
ChristopherA: There are a couple of different issues here - DID authenticates DID Document, strongly make claim about DID Document... that document can contain other key material from other places... including keys that are compatible with say a different blockchain w/ different proof formats, PGP keys in there, information that allows you to leverage FIDO.
17:52:30 [manu]
ChristopherA: There are things like sigma proofs, ZKPs, private keys in one curve equivalent to private keys in another group... it's premature to pick a method, maybe at some point the market will say there is one, two or three that are dominant... but reality now is that there are multiple DID methods.
17:53:21 [manu]
kimhd: We are starting to categorize DID Methods.. BTCR and IPLD are ones where, if you are comfortable w/ using that technology, you can create them and use them in some way... depending on registry authentication, you can start using that now... truly self-sovereign identifiers, I create them, no one can take them away from me.
17:54:08 [manu]
kimhd: In other cases, private/permissioned blockchain, those enable different properties - for example Guardian models... batch registration of individuals... some depend on properties of the blockchain itself... which use cases argue for which... we don't do guidance yet, DIF may do that... W3C is not in that role.
17:54:38 [manu]
kimhd: People will have those questions... you don't want to use something on a blockchain that can't be rewritten... part of strength of it, something we're getting feedback on ecosystem.
17:54:55 [manu]
tony: Who is going to run the registry, how scalable is it, who would pick up the registry
17:55:00 [manu]
q+ to note registry is optional.
17:55:25 [manu]
ChristopherA: We are talking about the DID Registry - you can reserve the DID Method... not a DID Registry.
17:55:54 [manu]
ChristopherA: The requirements to have a proposal are very small... as you move up the scale of maturity, we will have requirements for what you have to do to do that.
17:56:29 [manu]
ChristopherA: We need to allow for innovation right now... there is nothing that says one has to support every DID method, for example... don't use BTCR unless you need technology.
17:56:50 [manu]
kimhd: We can come back to that - would like to focus on breadth
17:56:55 [tantek]
tantek has joined #auth-id
17:56:58 [manu]
Kaliya: This dynamic is also what these cards are for
17:57:20 [manu]
Kaliya: If you have thoughts/comments/questions - please write them down on paper right now.
17:57:43 [manu]
hober: Does the DID Method registry just let people know what an unregistered method is?
17:57:53 [wseltzer]
ack hober
17:58:07 [manu]
hober: Is it relatively straightforward to write simple JSON and hook into all of this?
17:58:17 [manu]
kimhd: Yes, we can look into examples.
17:59:06 [manu]
Pete: If I wanted to add a new DID, how do I get resolved?
17:59:08 [hober]
s/write simple/serve static/
18:00:01 [manu]
kimhd: There are different resolvers - which methods they support is up to each resolver... part of value is that each DID method and how you perform its operations... write any resolver to note your test case... it's not going to be prescriptive.
18:00:21 [manu]
wseltzer: Thank you very much Kim... next up... Markus to talk about DID Auth...
18:00:31 [manu]
wseltzer: Keep questions and comments coming throughout two days here...
18:00:50 [manu]
Topic: Understanding DID Auth
18:01:08 [manu]
Slides --
18:01:08 [Loqi]
Slides has -1 karma over the last year
18:02:17 [manu]
Markus: Hi, working in CCG and DIF, and Sovrin... DID Auth is more of a concept rather than a spec... makes a lot of sense to have a concept... DPKI for DIDs... and what they enable.
18:02:26 [Mitja]
Mitja has joined #auth-id
18:02:55 [manu]
Markus: Using a DID Resolver to authenticate - you have DID, you have key material associated with that... control the identifier... not about proving we're over the age of XYZ, we just prove that we have control over a DID.
18:03:06 [martijnvdven]
martijnvdven has joined #auth-id
18:03:18 [manu]
Markus: We worked on a paper around Rebooting the Web of Trust... looked at DID Auth - Kim noted authentication.
18:04:10 [manu]
Markus: Authentication block points to public key - who has control of the DID? If you have public key information, you can know that anyone that has private key is authenticated.
18:04:19 [wseltzer]
[slide: DID Auth Example Architecture]
18:04:24 [manu]
Markus: This is one example for uPort - web page - mobile app authentication...
18:05:08 [manu]
Markus: With a mobile app, private key corresponding to DID, I can provide response to QRCode - post it back to web page... important, web page uses DID Resolver to find DID, then find public key, then verify that the signature on the authentication was signed correctly.
18:05:15 [manu]
Markus: This is just one of th epossible flows.
18:05:25 [wseltzer]
s/th epossible/the possible/
18:05:51 [manu]
Markus: We tried to analyze this stuff - different scenarios / different flows - there are many, so DID Auth isn't just one thing... it's a family of things that are being explored.
18:05:59 [elbowspeak]
elbowspeak has joined #auth-id
18:06:07 [manu]
Markus: There are many transports, HTTP, QR, etc....
18:06:43 [manu]
Markus: There are many more flows... observation - we were able to draw all of these flows where there are two parties... if we look at traditional models, we usually have 3 parties... but this one has 2.
18:07:11 [wseltzer]
[slide 7]
18:07:17 [manu]
Markus: I control a certain identifier - trust relying party - individual - all sorts of different transports...
18:07:20 [wseltzer]
[slide 8]
18:07:45 [manu]
Markus: There are also people that are using different data formats internally... we will reuse things, but as I said, DID Auth is not trying to come up w/ a new authentication protocol... but reuse where possible.
18:08:07 [kimhd]
kimhd has joined #auth-id
18:08:17 [manu]
Markus: I have seen JWTs... we can also see JSON-LD VCs... self-issued VC....
18:08:35 [manu]
Markus: We have been thinking a lot about OIDC + DID... also looking at WebAuthn + DID...
18:09:05 [wseltzer]
[slide 10]
18:09:27 [manu]
Markus: We've done some initial thinking - working w/ OpenID Connect protocol, where we use self-issued OpenID ... one way this could be done is to have personal openID connect provider... protocol could be used, similar with WebAuthn... FIDO... could reuse that.
18:10:06 [manu]
Markus: There are other experiments around DID-TLS, DID-based HTTP Signatures... DID-based PGP... using DIDs in SSH.
18:11:05 [sknebel]
sknebel has joined #auth-id
18:11:10 [wseltzer]
[slide 11]
18:11:23 [manu]
Markus: Some things to consider for the workshop - how would a DID Auth relate to VC exchange protocol?
18:12:06 [manu]
Markus: Other DID Auth principles... We may want to meet some principles, otherwise it's not DID Auth... for example, identifier stays the same... rotate keys, change service endpoints, change OID endpoints, authmethod, but we continue to always be able to prove control of the same identifier.
18:12:15 [manu]
wseltzer: Questions from the room?
18:12:29 [wseltzer]
q+ tonyn, ChristopherA, dirk
18:12:47 [oliver-terbu]
oliver-terbu has joined #auth-id
18:12:49 [dwaite]
dwaite has joined #auth-id
18:12:55 [manu]
JohnB: I may beat Tony to some of these questions ... In a number of the flows that you put up, potentially they are a step backwards from a security perspective because they're phishable... we need to make sure we're not going backwards from a security perspective.
18:13:23 [manu]
JohnB: I would even step back a bit further and question - is the use case for DID Auth actually authentication, or is it more appropriately proving presentment of VCs.
18:13:51 [manu]
JohnB: We do have pairwise privacy preserving WebAuthn... even Apple is deploying it... do we actually need to present correlatable claim, or should we look at the best mixture?
18:14:08 [manu]
JohnB: Some have said we need new authentication method when that may not be the best path.
18:14:47 [wseltzer]
q+ Daniel
18:14:58 [manu]
Markus: Lot of questions - let's keep the benefits of existing things... not be phishable... concept of DID Auth is that we have an identifier that cannot be taken away from me, I can rotate keys, I can rotate metadata out... I think OIDC or WebAuthn don't provide that out of the box.
18:15:49 [manu]
JohnB: The argument that you need to rotate credentials is making presumptions about how they're stored... I don't buy into the premise that a DID is required because you need to rotate private keys, not arguing that there are not use cases for DIDs, let's find the right use cases for them.
18:16:20 [manu]
JohnB: For purely pairwise pseudonymous auth, I don't believe a DID having a public key published is a requirement.
18:16:39 [manu]
q+ to agree with JohnB -- purely pairwise pseudonymous auth doesn't require DIDs - yep.
18:16:57 [jillwill]
jillwill has joined #auth-id
18:18:17 [manu]
Daniel: A couple of things on the business side (from Microsoft perspective)... would love it if people used LinkedIn for everything (Microsoft property) - Universities didn't really want to sign up to single entities, because of corporate identifiers controlled by something other than University.
18:18:43 [manu]
Daniel: So, there is a strong business use case for DIDs... large entities that don't want other large entities to lock them in via identifiers.
18:19:42 [manu]
Daniel: There are also use cases around progressive trust... you start out pseudonymous, but then upgrade over time. For example, FIDO doesn't cover the use case for expressing services around DID Documents... granting access to my data storage service.
18:20:30 [manu]
Tony: I get concerned around methodology for DIDs... you don't actually know if person that created the key is doing the DID Auth itself... you can do this in FIDO... an authenticator is a device that you control. I'm not seeing end to end comprehension of how you keep keys safe and to the actual creator of the keys. How do you prove that situation in DID Auth.
18:20:42 [burn]
ack tonyn
18:20:46 [burn]
ack ChristopherA
18:20:49 [wseltzer]
ack Daniel
18:20:58 [manu]
ChristopherA: I think part of the problem here, we're overinflating the use of keys, for simplicity purposes, you see DID Document up there - presuming that private key is in a file some place...
18:21:43 [manu]
ChristopherA: That is a gross simplification, we can keep separate keys... we don't call it a signature block, there might be a variety of different types of proof... for example, if I issue Verifiable Credential covering you for 1 million dollars... I want a higher spec of authenticator/proofs before I give you that verifiable claim.
18:21:54 [manu]
q+ to note FIDO + DIDs are complementary.
18:22:55 [manu]
ChristopherA: DID Documents enable you to use all of this stuff... we need people that have experience with these systems. All the perils of mixing authn w/ authz... but at some point we need something like a DID Document... just because someone asks for a VC or other things, doesn't mean I have to give it to them/comply... or they have to accept.
18:23:14 [wseltzer]
q+ oliver-terbu
18:23:23 [wseltzer]
ack dirk
18:23:27 [manu]
Dirk: Where do you see DID and DID Auth fit into the larger picture... I think I understand VCs... I want to prove my age, SSN, I thought DIDs were a means to an end...
18:23:40 [wseltzer]
zakim, close queue
18:23:40 [Zakim]
ok, wseltzer, the speaker queue is closed
18:24:10 [manu]
Dirk: One way I could do that, who are you?, I could provide DID and DID Auth, prove that's who I am... find something in DID Document, claim I'm over 21? Am I seeing that right... how is DID connected to VCs?
18:24:34 [manu]
Markus: We don't put VCs in public ledgers...
18:25:06 [manu]
Markus: DID Documents are for looking up key material and services.... not VCs.
18:25:27 [manu]
Markus: There are no claims in DID Document, only metadata required to verify VC material...
18:25:36 [manu]
Markus: DID Auth is just a high level concept so far...
18:25:45 [burn]
q+ to answer Dirk
18:25:51 [manu]
Markus: No assumptions about documents are in ledger, where keys are stored, where hardware wallets are... etc.
18:26:09 [manu]
wseltzer: We have a queue... and then break...
18:26:13 [kenrb]
kenrb has joined #auth-id
18:26:17 [wseltzer]
ack JoeAndrieu
18:26:24 [oliver-terbu]
present+ oliver_terbu
18:27:15 [wseltzer]
JoeAndrieu: None of these components yet is identity assurance
18:27:16 [weiler]
rrsagent, draft minutes
18:27:16 [RRSAgent]
I have made the request to generate weiler
18:27:29 [wseltzer]
... the proof that you are the person who can make these claims
18:27:32 [wseltzer]
manu: it's not either or
18:27:45 [wseltzer]
... we're trying to combine elements of the prior art
18:27:46 [wseltzer]
ack manu
18:27:46 [Zakim]
manu, you wanted to note FIDO + DIDs are complementary.
18:28:10 [wseltzer]
... authentication flow that takes FIDO key material into a DID doc and uses HW token to identify
18:28:11 [weiler]
manu: I hear in this discussion a perception of an either-or thing. the experiments going on right now .... there is an auth flow that takes a FIDO authenticator, puts the credentials in the DID document
18:29:15 [manu]
JoeAndrieu: For VCs and DID and DID Auth - none of those is sufficient for identity assurance... whether the key is on a hard drive, or on a hardware authenticator, we can't prove that person controlling device is the person... it's a strong factor.
18:29:20 [weiler]
... There is a a lot of work around blending these models rather than picking one.
18:29:23 [oliver-terbu]
+1 manu
18:29:40 [manu]
markus_sabadello: We did quite a bit of work around blending models at IIW.
18:29:44 [manu]
rrsagent, make minutes.
18:29:44 [RRSAgent]
I'm logging. I don't understand 'make minutes.', manu. Try /msg RRSAgent help
18:29:48 [kenrb]
kenrb has joined #auth-id
18:29:53 [manu]
rrsagent, draft minutes
18:29:53 [RRSAgent]
I have made the request to generate manu
18:30:44 [manu]
Everyone takes a break, socializing, expect to get back into OpenID, JWT/CWT, etc. use cases.
18:30:52 [manu]
rrsagent, draft minutes
18:30:52 [RRSAgent]
I have made the request to generate manu
18:32:18 [wseltzer]
[break for 30min]
18:43:53 [elbowspeak]
elbowspeak has joined #auth-id
18:45:46 [Jiewen]
Jiewen has joined #auth-id
18:46:36 [kenrb]
kenrb has joined #auth-id
18:47:37 [Jim]
Jim has left #auth-id
18:48:36 [Jim_Masloski]
Jim_Masloski has joined #auth-id
18:51:43 [achughes]
achughes has joined #auth-id
18:55:18 [PindarHK]
PindarHK has joined #auth-id
18:57:48 [kenrb]
kenrb has joined #auth-id
19:02:56 [tony-tr]
tony-tr has joined #auth-id
19:03:22 [JoeAndrieu]
JoeAndrieu has joined #auth-id
19:03:36 [wseltzer]
topic: WebAuthn, CTAP
19:03:45 [Didier]
Didier has joined #auth-ID
19:03:45 [sanjay]
sanjay has joined #auth-id
19:04:18 [wseltzer]
-> Slides, Modern Authentication
19:04:40 [wseltzer]
[slide 2:: How Security Keys Work]
19:05:01 [jillwill]
jillwill has joined #auth-id
19:05:07 [wseltzer]
JohnFontana: presenting slides
19:05:18 [wseltzer]
[slide 3: Registration]
19:06:53 [wseltzer]
JohnFontana: FIDO2 is an umbrella term for WebAuthn and CTAP
19:07:01 [wseltzer]
... CTAP at FIDO, WebAuthn at W3C
19:07:02 [Mitja]
Mitja has joined #auth-id
19:07:08 [wseltzer]
[slide 4]
19:07:31 [wseltzer]
... CBOR is the CTAP data format
19:07:44 [wseltzer]
[slide 5: WebAuthn]
19:08:03 [wseltzer]
... create and get strong authentication
19:08:18 [wseltzer]
i/slide 2::/scribenick: wseltzer
19:08:51 [wseltzer]
[slide 6]
19:09:18 [jzcallahan]
jzcallahan has joined #auth-id
19:09:21 [wseltzer]
[slide 7]
19:09:42 [wseltzer]
... Thanks to Pam for this map
19:09:59 [Mitja]
Can you please reshare the link to the presentation?
19:10:03 [wseltzer]
[slide 8: state of state]
19:10:29 [Mitja]
thank you!
19:12:05 [wseltzer]
[slide 9]
19:12:18 [wseltzer]
TonyNad: IETF discussion of EAT
19:12:39 [wseltzer]
... device attestation about provenance, devices, ecosystem
19:13:02 [wseltzer]
... we use these attestations in WebAuthn and FIDO to understand key provenance and strength
19:13:05 [krystian_czesak]
krystian_czesak has joined #auth-id
19:13:18 [wseltzer]
... you may not want to accept authentication from weak device, TEE
19:13:43 [wseltzer]
... At Prague IETF will probably try to form a WG
19:13:52 [wseltzer]
... CWT, JWT for devices, compact
19:14:21 [wseltzer]
... looking to do in generic way
19:14:27 [ken]
ken has joined #auth-id
19:14:38 [wseltzer]
... data models for device, what type of device
19:14:44 [wseltzer]
... indirect and direct attestations
19:15:09 [wseltzer]
... want to be compatible with OAuth, JWT, CWT
19:15:17 [wseltzer]
... use existing verification libraries
19:15:51 [kimhd]
kimhd has joined #auth-id
19:16:07 [ChristopherA]
Queue is closed
19:16:08 [wseltzer]
zakim, reopen queue
19:16:08 [Zakim]
ok, wseltzer, the speaker queue is open
19:16:23 [wseltzer]
dirk: deliberately lightweight
19:16:34 [wseltzer]
... 2 party system: authenticator on client, relying party
19:16:53 [wseltzer]
... by design , the keypair I generate for e.g. Google, will never be known to Github
19:17:08 [wseltzer]
... roaming authenticators, keyfobs, will be single-factor
19:17:12 [oliver-terbu]
oliver-terbu has joined #auth-id
19:17:36 [wseltzer]
... second use case, bring touch ID, Windows Hello
19:17:38 [jeffh]
scribenick jeffh
19:17:43 [wseltzer]
... to the web platform
19:17:49 [manu]
scribenick: jeffh
19:17:54 [jeffh]
?: are there implications on the challenge itself?
19:17:58 [wseltzer]
ack oliver-terbu
19:18:08 [BartW]
BartW has joined #auth-id
19:18:15 [will]
will has joined #auth-id
19:18:55 [jeffh]
john_bradley: challenge is hashed, in clientdata you get orig back, ...
19:19:08 [wseltzer]
ack ChristopherA
19:19:48 [jeffh]
ChristopherA: how much of web stack are part of webauthn spec? can things that are not webservers leverage webauthn if they don't wanna leverage JS stacks?
19:19:48 [brentz]
ChristopherA: can things that aren't web servers leverage Web Authn?
19:20:12 [SarahSquire]
SarahSquire has joined #auth-id
19:20:20 [jeffh]
john_bradley: it depends, and OS platform can impl webauthn-like APIs
19:21:21 [ChristopherA]
q+ about How about additional key types, in particular secp256k1 used by bitcoin & ethereum
19:21:22 [wseltzer]
jeffh: WebAuthn spec defines protocol between authenticator and relying party
19:21:30 [jeffh]
...: are they webauthn-like? windows' platform webauthn api is
19:21:34 [ChristopherA]
q+ to How about additional key types, in particular secp256k1 used by bitcoin & ethereum
19:21:38 [wseltzer]
... it can pass through whatever stack is in the way
19:21:42 [wseltzer]
ack oliver-terbu
19:21:59 [jeffh]
?: who is issuing these EAT attstns? are they some kind of certification for the authnr itself?
19:23:00 [jeffh]
john_bradley: at moment webauthn does not use eat attstn, we already have various attstn formats, can add EAT if it's approp, can't have too many standards :)
19:23:23 [jeffh]
chris boscoe (?): what if authnr is lost and one needs to re-register?
19:23:59 [manu]
s/boscoe (?)/boscollo/
19:24:02 [jeffh]
john_bradley: that's RP specific, but thinking is that one has both roaming and platform authnrs and one can use either or to re-register at the RPs
19:24:25 [weiler]
ack \
19:24:32 [jeffh]
tonynad: webauthn wg working on this, one idea is to have a 'backup authnr' which allows one to re-reg
19:24:39 [burn]
ack ChristopherA
19:24:39 [Zakim]
ChristopherA, you wanted to How about additional key types, in particular secp256k1 used by bitcoin & ethereum
19:25:35 [jeffh]
christophera: i have need for type of crypto that uses SECP-256 curve, how do we ensure how we get those key flavors supported?
19:25:42 [tantek]
tantek has joined #auth-id
19:26:10 [jeffh]
john_bradley: we already have alg agility in the protocol, plus Mike Jones will be talking about this in a few min....
19:26:31 [wseltzer]
ack weiler
19:26:32 [jeffh]
sam weiler: <missed question>
19:26:46 [jeffh]
john fontana: <mumble>
19:27:39 [wseltzer]
ack mark
19:27:41 [jeffh]
markus_sabadello: question wrt UX eg if one registers a DID rather than a public key, can leverage that in many ways.... thoughts?
19:27:55 [jeffh]
john_bradley: in principle, yes, tho much to sort out there
19:28:18 [jeffh]
next speaker: Rae Hayward, fido
19:28:26 [wseltzer]
Topic: FIDO and Authenticators
19:28:38 [wseltzer]
[same slide deck]
19:29:15 [wseltzer]
[slide 12]
19:29:21 [jeffh]
Rae's slides are in the '05 - Day 1 - Understanding WebAuthn, CTAP, EAT, FIDO and Authenticators' deck
19:29:53 [dwaite]
dwaite has joined #auth-id
19:31:30 [wseltzer]
[slide 15]
19:32:30 [wseltzer]
Rae: ROE=restricted operating environment
19:36:31 [wseltzer]
[slide 19: Companion Programs]
19:36:35 [wseltzer]
[slide 20: Labs]
19:37:48 [wseltzer]
[slide 21: Expiration, derivative, and delta certification]
19:40:40 [jeffh]
pamela: if a RP wants to accept only authnrs of L3 certif, how do they do that?
19:40:58 [Steven]
Steven has joined #auth-id
19:41:20 [jeffh]
rae: the certif level will be in metadata, plus lists certified devices
19:42:58 [jeffh]
scott david: on the delta certif, when org learns certif'd device is now different, what happens. e.g., pci "compensating controls", plus ecosystem feedback can be fed back into spec development -- what about FIDO's processes?
19:43:25 [jeffh]
rae: the security secretariat has processes to notice such things and feed info into working group....
19:43:50 [jeffh]
? qualcomm: can u tell which lab did orig certif? <missed rest>
19:44:14 [jeffh]
...: can determine provenance of the lab that performed certif?
19:44:43 [jeffh]
rae: no, that's not public info, do have internal mechs that would know this
19:44:52 [burn]
s/? qualcomm/PindarHK/
19:45:27 [jeffh]
topic: 06 - Understanding JWT/CWT, OpenID, and Related Ecosystems
19:45:46 [jeffh]
Mike Jones presenting
19:46:00 [jeffh]
+ John_bradley
19:46:21 [wseltzer]
-> Slides
19:47:07 [wseltzer]
[slide 3]
19:47:36 [wseltzer]
selfissued: (Mike Jones) JSON Web Token
19:48:00 [jeffh]
[slide 4]
19:48:08 [tantek]
speaker: "JSON-LD requires canonicalization to RDF in order to sign" [interesting I didn't know that.]
19:48:52 [jeffh]
[slide 5]
19:49:05 [jeffh]
[slide 6]
19:49:35 [manu]
tantek -- well, no, that's not correct...
19:50:35 [jeffh]
[slide 6]
19:50:40 [manu]
tantek: You can dump JSON-LD in a JWT w/o needing normalization/canonicalization.
19:50:49 [manu]
s/tantek: You/tantek, You/
19:51:33 [manu]
tantek, if you want to do LD-Proofs, then we have chosen that it's best to do RDF Graph Canonicalization (the benefit being that you can have the same signature expressed in a variety of different syntaxes w/o having to recanonicalize)... so you sign the information.
19:51:33 [jeffh]
[slide 9]
19:52:39 [jeffh]
[slide 10]
19:54:11 [jeffh]
[slide 11]
19:56:54 [wseltzer]
John_Bradley: extensible. There's a set of core statements, and others can be added
19:57:11 [jeffh]
[slide 12]
19:57:17 [wseltzer]
selfissued: New work. Those interested should talk to us and participate
19:57:45 [jeffh]
selfissued: specifically the CBOR web token (CWT)
19:57:54 [jeffh]
...: RFC 8392
19:58:07 [dlongley]
dlongley has joined #auth-id
19:59:53 [wseltzer]
John_Bradley: complementary to webauthn, not competitive
20:00:09 [wseltzer]
... OpenID Connect is about federated claims and API access
20:00:21 [wseltzer]
... should probably use WebAuthn for authentication
20:00:57 [shigeya_]
shigeya_ has joined #auth-id
20:01:16 [wseltzer]
Chrisboscolo: how do relying parties learn about self-issued identifiers?
20:01:18 [jeffh]
? briscoe: wrt self-sovereign is there way for an individ to assert that they are speaking for themselves?
20:01:35 [manu]
s/? briscoe/chris_boscolo/
20:03:19 [jeffh]
?: aggregated claims? more about that?
20:04:20 [jeffh]
selfissued: if you search for 'openid claim' you can find it
20:04:26 [jeffh]
...: see above
20:04:49 [wseltzer]
JackCallahan: How does mobileconnect differ?
20:04:50 [jeffh]
?: what're differences between mobile connect and openid connect
20:06:16 [chirsboscolo]
chirsboscolo has joined #auth-id
20:06:27 [jeffh]
john_bradley: <describes nuanced facets of the relationship>
20:06:54 [jeffh]
selfissued: gsma certified their core impl with the openid connect certif suite
20:07:18 [markus_sabadello]
markus_sabadello has joined #auth-id
20:07:22 [wseltzer]
ack oliver
20:07:48 [jeffh]
oliver: w3c VC WG is working on JWT representation -- how <missed it> ?
20:08:02 [jeffh]
selfissued: that's stuff we can discuss
20:08:35 [jeffh]
joeandrieu: can i use my own crypto identifiers to make use of other's claims
20:08:46 [jeffh]
selfissued: sure, that's an aggregated claim....
20:08:54 [wseltzer]
q+ aaronpk
20:08:58 [wseltzer]
ack Joe
20:09:31 [jeffh]
john_bradley: the spec talks about how that's done syntactically, it is work for the reader as to how the relationships between the parties are actually arranged and maintained
20:10:10 [wseltzer]
ack next
20:10:10 [jeffh]
...: you'd use some sort of proof-of-possess to logically tie the claims together
20:10:40 [jeffh]
topic: Indie Auth: OAuth for the Open Web
20:10:50 [jeffh]
aaron Parecki
20:11:01 [jeffh]
[slide 13]
20:11:02 [wseltzer]
[slide 13 begins AaronPK's presentation]
20:11:05 [jeffh]
[slide 14]
20:11:09 [wseltzer]
ack aaronpk
20:12:34 [jeffh]
[slide 15]
20:12:39 [jeffh]
[slide 16]
20:13:04 [jeffh]
[slide 17, 18, 19]
20:13:29 [jeffh]
[slide 20]
20:13:46 [jeffh]
[slide 21, 22]
20:14:03 [jeffh]
[slide 23]
20:14:23 [jeffh]
[slide 24]
20:15:01 [jeffh]
[slide 25]
20:15:39 [wseltzer]
aaronpk: take OAuth and add constraints
20:15:55 [jeffh]
[slide 26]
20:16:31 [jeffh]
[slide 27,28,29]
20:17:08 [jeffh]
[slide 29, 30]
20:17:52 [jeffh]
[slide 31]
20:18:18 [markus_sabadello]
markus_sabadello has joined #auth-id
20:18:30 [jeffh]
pamela: how does client authn piece of this work?
20:19:42 [jeffh]
aaronpk: clients are all ident'd by URLs as well. instead of 'pre reg', it is just use the domain name
20:20:23 [jeffh]
...: taking the idea of 'public clients' and extending it to all clients
20:20:39 [jeffh]
markus_sabadello: it is not openid connect, it is oauth, why?
20:21:16 [jeffh]
aaronpk: this is solving smaller scope than OIDC -- is presenter of URL in control of url?
20:21:55 [jeffh]
...: wrt webfinger, we are using HTTP link-rels and so is more simple, don't see much use of webfinger in this
20:22:11 [jeffh]
kaliya: how is this diff than openid 1.0?
20:22:40 [tantek]
"OpenID [1.0] only solved half of that"
20:23:11 [wseltzer]
ack mar
20:23:36 [tantek]
"OpenID Connect went away from solving that problem [users bringing their own identity]"
20:23:45 [jeffh]
aaronpk: is pretty similar. openid connect drifted away. indieweb adds in api access tokens to orig openid ideas
20:23:57 [Mitja]
Mitja has joined #auth-id
20:25:28 [jeffh]
kaliya: what do after lunch, invite room to chime in on what all we've heard this morning... everyone gets a white card, question we want u to answer by end of lunch is: from where you sit, what do you want to see happen in terms of work in next 2..5 yrs; alternative question: what is the biggest concern you have wrt what you heard this morning?
20:26:13 [jeffh]
...: then we will get together in groups and sort through this, and boil it down and discuss in the entire group.
20:26:27 [jeffh]
...: your job for lunch is to answer one or both of the above questions
20:26:57 [jeffh]
...: only 30 min for lunch and question answering
21:02:33 [Jiewen]
Jiewen has joined #auth-id
21:11:57 [tantek]
rrsagent, make minutes
21:11:57 [RRSAgent]
I have made the request to generate tantek
21:14:39 [Karen]
Karen has joined #auth-id
21:17:56 [Karen]
Karen has joined #auth-id
21:18:55 [manu]
Topic: Breakout Sessions
21:19:23 [manu]
Kaliya: What you're going to do in the groups... briefly say who you are, read out your card to the group, ask clarifying questions.
21:20:22 [manu]
Kaliya: Talk about concerns, each person has two votes to give to two other cards... you're six people... you get to say "I think that idea is really important, or that concern is really important".
21:20:24 [manu]
Kaliya: 12 votes in each circle.
21:20:33 [manu]
i/Topic: Breakout Sessions/scribenick: manu/
21:20:39 [manu]
Kaliya: You don't vote for your own card. :)
21:21:23 [manu]
Kaliya: So, out of the six things, you get to pick your favorite.
21:21:29 [manu]
Kaliya: Don't vote twice for the same one.
21:21:51 [manu]
Kaliya: Someone else might share your concerns, keep that in mind.
21:21:57 [manu]
rrsagent, draft minutes
21:21:57 [RRSAgent]
I have made the request to generate manu
21:22:26 [manu]
Kaliya: You're going to be in a group of six, then discuss for 20 minutes, then scramble the room. talk to six new people, do the same thing... find out whose card had the most votes on it.
21:23:19 [manu]
Kaliya: The point here is to get group intelligence to work... I will track time, will check in with the groups... close computers completely, groups gather, etc.
21:23:34 [manu]
Kaliya: If you create new ideas, we'd love to hear about them. Write them down.
21:23:48 [manu]
Kaliya: Each card with a tally, any additional outputs, we're happy to receive them.
21:24:09 [manu]
Kaliya: If you came from the same company, you cannot be in the same group. Six people in a group.
21:24:38 [manu]
rrsagent, draft minutes
21:24:38 [RRSAgent]
I have made the request to generate manu
21:25:08 [manu]
Breakout sessions are forming... magic is happening.
22:27:41 [Karen]
Karen has joined #auth-id
22:27:48 [takashi]
takashi has joined #auth-id
22:28:52 [wseltzer]
Topic: Report-out from breakouts
22:29:44 [manu]
Kaliya: First segment, we'll hear all concerns... let's hear work items.
22:29:50 [manu]
rrsagent, make minutes
22:29:50 [RRSAgent]
I have made the request to generate manu
22:30:23 [manu]
achughes: Within next 2-5 years, in industry and psychology circles, identification and authentication are different things.
22:30:33 [manu]
achughes: Saying that you're doing authentication when you're doing identification is not useful for market clarity.
22:31:20 [manu]
JohnB: Separation of concerns - separate authentication and attribute provisioning ceremony so they're understandable.
22:31:38 [manu]
Kaliya: Any other cards that are similar to this?
22:31:43 [Zakim]
Zakim has left #auth-id
22:32:14 [Zakim]
Zakim has joined #auth-id
22:32:45 [manu]
Jill?: Privacy - do privacy by design - concerned that I didn't hear that.
22:33:19 [jzcallahan]
jzcallahan has joined #auth-id
22:33:42 [manu]
@@@: We brushed away identity assurance facility today -- what about end use case, verify identity -- how do you trust the identifiers, the exchanges?
22:34:28 [manu]
Dirk: I want my browser to know who I am, and responsibly surface that based on who I am.
22:34:45 [manu]
s/who I am/my instruction./
22:35:34 [manu]
Jiewen: Concern and work item - for web authentication - how do we provide for small parties, small providers - could we bridge OAuth and OpenID?
22:36:11 [wseltzer]
rrsagent, draft minutes
22:36:11 [RRSAgent]
I have made the request to generate wseltzer
22:36:37 [aaronpk]
s/my instruction.,/who I am/
22:36:44 [manu]
kimhd: Interop prototypes - educational credentials, I don't want to use a specific identity provider - think there is value in DIDs, enable people to have lifelong claims that they can prove control over... bootstrapping DIDs using WebAuthn or other identity solutions.
22:37:53 [manu]
@4@: I'd like to see relying parties have a much richer and more diverse set of federation/identities... get away from Signon with Google/Facebook/etc.
22:38:19 [manu]
@5@: Would like to take this not just for identity aspect, but for storage aspect as well.
22:38:40 [shigeya_]
shigeya_ has joined #auth-id
22:38:59 [achughes]
achughes has joined #auth-id
22:39:04 [manu]
Pam: Difference between having user be in one paradigm, or have a user choose between two paradigms... concerned we're going to the latter... discovery, registration, resolution, feel like we need to focus on these pieces.
22:39:11 [wseltzer]
rrsagent, make logs public
22:40:01 [manu]
@5@: Some of the conversations were going past each other - some people are operating in a different scenario... some want a peer-to-peer model, no parties involved in transaction that don't belong there... other people use existing systems, but very little that we own/control.
22:40:31 [manu]
... I'm not here with the view that we're going to try to extinguish those... would rather run things through both scenarios, see how they do... vs. zero sum trade off.
22:40:34 [BartW]
BartW has joined #auth-id
22:41:05 [manu]
ChristopherA: I'm wondering almost the reverse - where is the line? Aadhaar, social credit, etc... those are the biggest identity systems today.
22:41:07 [wseltzer]
ChristopherA: some places we don't want coexistence, e.g. social credit
22:41:15 [manu]
rrsagent, make minutes
22:41:15 [RRSAgent]
I have made the request to generate manu
22:42:13 [manu]
@6@: Hoping to see alignment for WebAuthn and DIDs.
22:42:52 [manu]
@6@: Would like to see alignment that gives unified experience for subject that is trying to authenticate.
22:43:06 [manu]
@7@: I'm concerned with conflict between two groups...
22:43:36 [aaronpk]
s/@7@/Will Abramson/
22:43:45 [manu]
Oliver: This isn't about WebAuthn and DIDs... don't reinvent the wheel... should we use mature standards like OpenID Connect and WebAuthn or something else?
22:43:57 [Jiewen]
Jiewen has joined #auth-id
22:44:05 [manu]
Markus: How can we align DIDs w/ stuff that works already such as WebAuthn and OpenID Connect
22:44:49 [manu]
@8@: I'd like to see industry adoption of DID-based identities...
22:45:17 [manu]
TonyN: Clarity on why DIDs need to be standardized...
22:45:24 [Jim_Masloski]
Jim_Masloski has joined #auth-id
22:45:41 [manu]
burn: Would like to see a DID WG formed at W3C.
22:46:20 [manu]
Jack: Usability of these systems... thinking about it from the user's perspective.
22:46:46 [manu]
Jack: Approaching it from the users perspective - registration, recovery, etc.
22:46:53 [manu]
@9@: Usability that doesn't suck :)
22:47:23 [manu]
@10@: More along the lines of what I didn't hear - how are these bound/linked to a known and real person, if at all?
22:47:25 [jzcallahan]
jzcallahan has joined #auth-id
22:47:34 [manu]
... consistency and trust in the bindings?
22:47:46 [manu]
Kaliya: That's close to identity assurance...
22:48:24 [manu]
@11@: Selective, permissionless, delegation - want WebAuthn and FIDO to have support for allowing people to have one of the credentials w/o entity saying no.
22:48:39 [weiler]
s/entity/relying party/
22:49:06 [manu]
@12@: I'd like to see OpenID Connect community working with Ethereum community - gamification and incentives... there is no financial incentive
22:49:08 [weiler]
I think solutions in this space will help improve backup and recovery, also.
22:49:15 [weiler]
s/@12@/Sarah Squire/
22:50:28 [manu]
@13@: Interested in seeing use cases clear - context of value propositions, use cases clear of sub data flows that are involved because each of those are gamable from use cases perspective.
22:50:38 [manu]
s/use cases/business model, legal, etc/
22:51:06 [manu]
@14@: My question was a meta question for the group - don't know how to place everything going on - what is framework for thinking about problem set and what does success look like?
22:51:36 [manu]
@15@: How do all of these building blocks work together?
22:52:34 [manu]
@16@: Tightly scoped, standards based efforts, interoperable pieces ... how do we find those?
22:52:53 [manu]
@17@: I'd like to see standards support for Decentralized Identity stack - we need multiple things in place for that to happen.
22:53:08 [manu]
JimM: Layering of ID management, different rules for that.
22:53:29 [manu]
@18@: Oftentimes in designs, there is a service that affects wallet, that should become clear, how wallets work.
22:54:08 [manu]
@19@: Ensure adoption among private, public, and across both domains.
22:54:37 [manu]
@20@: Remote authentication support for webauthn webauthz frameworks.
22:54:52 [manu]
@21@: Validating identity proofing, risk of synthetic IDs...
22:55:01 [manu]
... fabricated ID that someone creates...
22:55:13 [manu]
... online proofing vs. physical proofing.
22:55:25 [manu]
achughes: We should probably say "identity assurance"
22:56:00 [achughes]
achughes: The synthetic identity card should go with the ‘identity assurance’ card
22:56:01 [manu]
@22@: Other schemes, like GS1 ecosystem... GLNs, GTINs, LEIs.
22:56:23 [manu]
s/Other/Interop with other/
22:57:36 [manu]
@23@: Concerned to have centralized authorities onboard rather than blocking... centralized authorities are not always excited about decentralized solutions.
22:58:31 [manu]
Pindar: Scalability - at what scale are we talking about... we're doing things about Internet scale... also concerned about Know Your Machine...
22:58:52 [manu]
@24@: Adoption - will end users understand value proposition of DIDs, what they get?
22:59:34 [manu]
@25@: Interop from perspective of web developers - help browsers understand what APIs they should be understanding so developers can focus on clear stories so developers can focus on stuff that's not passwords or authn.
23:00:26 [manu]
@26@: Preserving privacy, let the user determine how that privacy is preserved.
23:01:07 [manu]
rrsagent, draft minutes
23:01:07 [RRSAgent]
I have made the request to generate manu
23:01:23 [Karen]
Karen has joined #auth-id
23:19:18 [tantek]
tantek has joined #auth-id
23:29:22 [Karen]
[Break Ends]
23:29:33 [Karen]
scribenick: Karen
23:29:47 [Karen]
Topic: Market Verticals: Current and Future Challenges
23:31:34 [Karen]
Government Segment Speaker: Peter Watkins, Province of British Columbia
23:32:32 [kenrb]
kenrb has joined #auth-id
23:32:42 [Karen]
Peter: I am with the gov't of BC; I don't view myself representing a vertical, but a government
23:32:47 [burn]
burn has joined #auth-id
23:32:49 [Didier]
Didier has joined #auth-id
23:32:51 [jzcallahan]
jzcallahan has joined #auth-id
23:32:59 [Karen]
...I cannot speak on behalf of the gov't or other gov'ts but happy to bring my perspectives as a government guy
23:33:05 [Karen]
...first, you have to be precise
23:33:13 [Jiewen]
Jiewen has joined #auth-id
23:33:15 [Karen]
...In Canada, gov't can mean many things; different levels, peoples
23:33:22 [wseltzer]
-> Slides for the Market Verticals discussions
23:33:29 [Karen]
...indigenous peoples also act as own governments
23:33:38 [BartW]
BartW has joined #auth-id
23:33:43 [krystian_czesak]
krystian_czesak has joined #auth-id
23:33:46 [Karen]
...educational systems as well
23:33:56 [wseltzer]
[slide 5]
23:34:06 [Karen]
...We are small, 4 million, but we operate across a great number of areas [reads slides]
23:34:14 [Karen]
...and it's not an exhaustive list
23:34:21 [Karen]
...from an identity perspective, we operate at the base
23:34:36 [Karen]
...As it relates to the law; important to understand that context
23:34:42 [Karen]
...We register births and deaths
23:34:57 [Karen]
...don't exist or die until we say so [laughs]
23:35:01 [Karen]
...we run the corporate registry
23:35:03 [wseltzer]
"legally, you're not born until we say you're born."
23:35:09 [Karen]
...we create corporations, societies
23:35:23 [Karen]
...we have a whole set of laws, each of which created self-regulating bodies
23:35:32 [Karen]
...we say if you are a lawyer, doctor, nurse, accountant, etc.
23:35:39 [Karen]
...all of these associations, affiliations, etc.
23:35:44 [Karen]
...and licenses and permits
23:36:01 [Karen]
...a car, commercial vehicle; dig a hole, inspect machinery, etc.
23:36:14 [Karen]
...we have gov't machinery, processes and policies
23:36:19 [Karen]
...we operate the land title searches
23:36:27 [Karen]
...who owns what land; very important function
23:36:35 [Karen]
...and we allow registration of liens
23:36:46 [Karen]
...a lot going on in our world for identity information
23:37:00 [wseltzer]
[slide 6]
23:37:05 [Karen]
[slide 6]
23:37:17 [kenrb]
kenrb has joined #auth-id
23:37:23 [Karen]
...We have a legacy system
23:37:35 [Karen]
...we looked for something to scale
23:37:50 [Karen]
...we invented a BC services card and a provincial identity management info program
23:37:58 [Karen]
...we leverage two things; the popularity of driving
23:38:05 [Karen]
...and we run one universal program, healthcare
23:38:21 [Karen]
...we created a drivers license and health care card combined
23:38:26 [Karen]
...card, one chip to authenticate
23:38:32 [Karen]
...personal information other than the chip number
23:38:48 [wseltzer]
s/one chip/one EMV chip/
23:38:49 [Karen]
...this point we have enrolled 4.3 million BC citizens; looking at a mobile app now
23:39:02 [Karen]
...we want people to be self-deterministic; and do it digitally
23:39:06 [Karen]
...met John Jordan and team
23:39:13 [Karen]
...they are advance Hyperledger service
23:39:33 [Karen]
...take corporate registration records and encoded them into @...set up for a digital platform
23:39:41 [Karen]
...So gov't perspective on strong authentication
23:39:47 [Karen]
...We are damned if we don't do it
23:39:57 [Karen]
...your land registry is tied to Google account?
23:39:58 [wseltzer]
[slide 7]
23:40:05 [Karen]
...we don't own, control or have accountability over that
23:40:09 [Karen]
...effective resource
23:40:26 [Karen]
...not clear to us what happens when things are lost, account recovery process is difficult
23:40:43 [Karen]
...authentication tech can become a party to all of the transactions that unfold; we don't think that should happen that way
23:40:50 [Karen]
...public does not view they have much choice
23:41:14 [Karen]
...when we make our tech dependent upon others, they feel they are forced to adopt something; gets us on the wrong side
23:41:21 [Karen]
...If we do it, we're also damned
23:41:26 [Karen]
...but this is important technology
23:41:43 [Karen]
...our small province cannot defend against the threat model
23:41:48 [Karen]
...is frightening
23:41:57 [Karen]
...You don't interact with gov't as much as other entities
23:42:07 [Karen]
...every transaction can be spin through account recovery
23:42:17 [Karen]
...We don't like that our services would be party to the transactions
23:42:18 [wseltzer]
"every transaction is a spin through the recovery flow"
23:42:36 [Karen]
...if we did verify your identity, we can remember you at our counter and restore our services
23:42:41 [Karen]
...but is that a bug or a feature
23:42:50 [Karen]
...our businesses are entwined globally
23:43:02 [Karen]
...we would not know how our own unique approach would scale
23:43:14 [Karen]
...don't sell provision it
23:43:20 [Karen]
...Lastly, there is a lending problem
23:43:35 [Karen]
...one has mounted an argument about your traffic ticket
23:43:42 [Karen]
...but if tied to benefits, then it's another story
23:44:15 [Karen]
[slide @] ...On identity information, there is Lou the person who wants to interact with digital; dialogue box
23:44:31 [Karen]
...dialogue box; we know we will get called
23:44:38 [Karen]
...information disclosure related to that
23:44:45 [Karen]
...that we don't have in the real world
23:44:56 [Karen]
...we are looking for an architecture that would operate more like real world
23:45:07 [Karen]
...last thing to bring is a sense of urgency
23:45:08 [wseltzer]
[slide 9]
23:45:24 [Karen]
...divide things into things that are less or super important
23:45:28 [Mitja]
Mitja has joined #auth-id
23:45:37 [Karen]
...super important we are stuck in old world on important things
23:45:48 [Karen]
...light up upper box, we need trustworthy ID
23:45:54 [Karen]
...and we need better technical solutions
23:45:56 [Karen]
...That is my talk
23:46:08 [Karen]
Wendy: Do we have some quick questions for Peter on that use case?
23:46:21 [Karen]
Pindar: You highlighted legal views
23:46:29 [Karen]
...for individuals and corporates
23:46:30 [wseltzer]
q+ ScottDavid
23:46:44 [Karen]
...have you talked about smart contracts?
23:46:47 [Karen]
Peter: I don't know
23:46:52 [wseltzer]
ack Scott
23:46:55 [Karen]
Scott: critical infrastructure
23:47:15 [Karen]
...often those are privately owned; have you run into arrangements with private infrastructure that will be more reliable?
23:47:29 [wseltzer]
q+ TonyNadalin
23:47:41 [Karen]
...different in other contexts, but any analogies used for critical infrastructure that could be used reliability for gov't
23:47:54 [Karen]
Peter: In BC, we see emergence of pan-Canadian trust framework
23:48:12 [Karen]
...gov'ts should be positioned as an effective regulator rather than a direct provider
23:48:17 [Karen]
...see that in financial services
23:48:29 [Mitja]
can the link to all presentations (no google drive) be shared? IRC seems to break after a while and I'm not able to see history
23:48:30 [Karen]
...but it is a mind bender to set up to regular identity providers
23:48:33 [Karen]
...that is my opinion
23:48:40 [Karen]
Scott: Maybe look at insurance which is a risk issue
23:49:01 [Karen]
Gregory: How much would be regulation v. standardization and endorsement
23:49:14 [Karen]
...mentioned the pan-Canadian trust framework, I am here representing DIACC
23:49:24 [Karen]
Peter: Payment industry did a summary on payment
23:49:27 [wseltzer]
q- Tony
23:49:44 [Karen]
...they discovered self regulating would be better; way better for the industry to take over; far better way to go
23:50:00 [Karen]
Pam: you are unique in that you have an ecosystem adopt your services
23:50:15 [Karen]
...does it work that Police services adopt anything different, such as the drivers' licenses
23:50:21 [Karen]
...did you get people to buy in?
23:50:30 [Karen]
Peter: not a large digital component; just starting this year
23:50:33 [Karen]
..., social services
23:50:44 [Karen]
...without the services card, they have gone down the road as far as they can go
23:50:48 [Karen]
...light bulb is going on
23:50:55 [Karen]
...and they recognize they need the services card
23:51:05 [Karen]
...I think you will see services card adoption
23:51:11 [Karen]
...I started work on this in 2007
23:51:18 [Karen]
...program started officially in 2013
23:51:24 [Karen]
...in renewal cycle
23:51:26 [Karen]
...have to go long
23:51:36 [Karen]
...cannot push the public to this; you will get on the wrong side of PR
23:51:51 [Karen]
...we used the natural expiration rate of the drivers' licenses; just waited it out
23:51:56 [Karen]
Wendy: Thanks so much Peter
23:52:03 [Karen]
...next up is Allen Brown to talk about healthcare
23:52:23 [Karen]
Speaker: Allen Brown
23:52:31 [Karen]
Topic: Health Care IDology
23:52:43 [Karen]
Allen: my personal interest is ID with respect to digital contracts
23:52:58 [Karen]
...Manu knows I worked on healthcare and life sciences systems and asked me talk about that in this space
23:53:02 [Karen]
...start with an anecdote
23:53:16 [Karen]
...Microsoft I worked five years for the @ solutions group
23:53:24 [Karen]
...2009 there was a NATO delegation
23:53:25 [wseltzer]
23:53:32 [Karen]
...those of us interested in healthcare invited us
23:53:42 [Karen]
...delegation was led by an assistant secretary general of NATO
23:53:50 [Karen]
...another life he was a trauma surgeon
23:54:01 [Karen]
...his remit included field hospitals
23:54:14 [Karen]
...time of Afghanistan there were only 7 hospitals
23:54:28 [Karen]
...most NATO military orgs medical services are integrated with national health services
23:54:40 [Karen]
...and field hospitals are meant to be the health services
23:54:47 [Karen]
...there were 7 field hospitals
23:54:53 [wseltzer]
23:55:08 [Karen]
...Secy General went on to talk about two Dutch marines and two American operating in squads
23:55:25 [Karen]
...interoperations were walking over from one tent to another
23:55:42 [Karen]
...Afghanistan had 1200 operational aircraft that knows how to broadcast communications
23:55:50 [Karen]
...but you could not do this for Marines was a standing joke
23:56:08 [Karen]
...I want to specifically talk about a system we developed at Microsoft called Amalga
23:56:17 [Karen]
...have lots of patient data and you want to assemble a data cube
23:56:27 [Karen]
...have a single view of everything about the patient
23:56:39 [Karen]
...doing that you quickly come up against lots of issues about identity
23:56:44 [Karen]
...I will talk about four of them
23:57:04 [Karen]
...while Amalga was meant to extract data about patients from electronic medical systems as well as from real time feeds
23:57:16 [Karen]
...extract EMR, many systems are oriented around payments
23:57:22 [Karen]
...have to go through payer who was paying for this
23:57:31 [Karen]
...or else it is difficult to extract certain kinds of data
23:57:41 [Karen]
...have to extract the payer first to get to the diagnosis
23:57:48 [Karen]
...Identity for providers is obvious
23:57:54 [Karen]
...give them access to patient information
23:58:00 [Karen]
...but something else goes on here
23:58:07 [Karen]
...much patient data is subject to interpretation
23:58:18 [Karen]
...need to know who the interpreter is
23:58:22 [Karen]
...is the data itself
23:58:44 [Karen]
...Amalga had origins in system done at George Washington School of Medicine and Life Sciences
23:58:56 [Karen]
...because of its geo location in Washington DC
23:59:03 [Karen]
...has access to many kinds of patients
23:59:29 [Karen]
...CATScan file was originated at one hospital and passed to another
23:59:38 [Karen]
...need to make sure it's same patient and scan
23:59:47 [Karen]
...Amalga collecting data from many sources
00:00:03 [Karen]
...and identities of patients were different; mechanism to coalesce identities is needed
00:00:25 [Karen]
...Patients who are largely treated through emergency rooms, and each ER visit generates a new ID
00:00:53 [Karen]
...I created for them an inference system to assemble IDs into a single individual
00:01:00 [Karen]
...that is story and the state of affairs as of 2016
00:01:11 [Karen]
...the best of my knowledge, this situation has not changed
00:01:18 [Karen]
...I hope folks in this room can fix this problem
00:01:24 [Karen]
Wendy: We have a challenge in front of us
00:01:28 [Karen]
...any questions for Allen?
00:01:54 [Karen]
Scott: economic challenges inherent...providers don't want to share patients
00:02:10 [Karen]
...there a threshold; how to get over the economic disincentives
00:02:16 [Karen]
Allen: I don't see how it can improve
00:02:22 [Karen]
...amount of tech will fix the problem
00:02:41 [Karen]
Pindar: some kinds of data you want people to see, but not change it
00:02:45 [Karen]
Allen: not change the data
00:02:52 [Karen]
...it's about the five different IDs
00:03:13 [Karen]
...with IDs you want to infer they are equal and do in a probabilistic fashion
00:03:16 [Karen]
...set may be higher
00:03:23 [wseltzer]
00:03:23 [Karen]
...you associate data, not change data
00:03:42 [Karen]
Mathias: how do you handle privacy?
00:03:56 [Karen]
...different providers and data; how do you handle privacy?
00:04:05 [Karen]
Allen: I am hearing more problems [laughs]
00:04:16 [Karen]
Wendy: thank you very much for that presentation
00:04:46 [Karen]
...next up is Jim Maslowski
00:04:55 [Karen]
Speaker: Jim Mislowski
00:05:05 [Karen]
...I work with DHS
00:05:12 [elbowspeak]
elbowspeak has joined #auth-id
00:05:16 [Karen]
...we were developing proof of concept for certificates of origin
00:05:21 [wseltzer]
00:05:23 [Karen]
...doing input process
00:05:37 [Karen]
...a group was tasked with process
00:05:43 [wseltzer]
[slide 12 from group deck]
00:05:53 [Karen]
...brought in different people, US Customs, trade people, customs brokers, importers
00:06:01 [Karen]
...parties responsible for capturing and setting the information
00:06:11 [Karen]
...sat down to figure out how to do this on a distributed ledger
00:06:20 [Karen]
...We were in a room for a day and a half to outline our tasks
00:06:28 [Karen]
...to target this process
00:06:40 [Karen]
...we started with 35 ideas and narrowed down to 5-6 simplistic ideas
00:07:02 [Karen]
...we found out who the actors were, what you would need who would help develop the process
00:07:09 [Karen]
...Looking at import and export processes
00:07:28 [Karen]
...was an eye opener for the group to see how to capture that information, how it comes to you, and what the legal requirements are
00:07:33 [Karen]
...we had the legal group with us
00:07:53 [Karen]
...always interesting when we say we want to capture x but legal says it's against the law to do so
00:08:07 [Karen]
...we went in knowing it would be a challenge and a work-in-progress proof of concept
00:08:11 [Karen]
...when we got through it
00:08:21 [Karen]
...I have put a transportation document up on the screen
00:08:25 [wseltzer]
[slide 13]
00:08:33 [Karen]
...we focused on the verifiable credentials and ID management
00:08:43 [Karen]
...to verify who was making claim and capture that information
00:08:50 [Karen]
...this happens to be a load of light bulbs
00:09:01 [Karen]
...certain data a gov't makes available, certain information stays private
00:09:20 [Karen]
...had to figure out how to make a legal, compliant distributed ledger that improves the supply chain
00:09:29 [Karen]
...too agnostic approach
00:09:35 [Karen]
00:09:49 [wseltzer]
00:10:08 [Karen]
...look at number of parties needing access to the system; we used DIDs to identify the brokers, suppliers, US customers, and used Verifiable Credentials
00:10:27 [Karen]
...with distributed ledger we could identify products coming in, the provenance
00:10:42 [Karen]
...communication between agency and supplier
00:10:52 [Karen]
...chain side, we could get supplier into the front end
00:11:01 [Karen]
...supplier certified
00:11:21 [Karen]
...we added to transaction that crossed border, ID who owned, who is responsible, so then US Customs could ask questions on it
00:11:31 [Karen]
...we provided supporting documentation
00:11:35 [Karen]
...a valid pre-trade claim
00:11:40 [Karen]
...from that standpoint it went well
00:11:55 [Karen]
...Biggest challenge was taking into consideration the legal side
00:12:03 [Karen]
...hard to grab the information the way the laws are written
00:12:20 [Karen]
...we were able to take advantage of the distributed ledger to make these claims
00:12:37 [Karen]
...Looking at clusters of information; does that org exist and is it an importer
00:12:47 [Karen]
...do you certify this is a load of lumber, or an automobile
00:13:07 [Karen]
...all hinged on the DIDs, Verifiable Credentials and have a process to capture the information and the proof
00:13:15 [Karen]
...there was significant time savings on these requests
00:13:27 [Karen]
...for example, where is the T-shirt manufacturer
00:13:31 [Karen]
...invoice, one sku
00:13:49 [Karen]
...claim differential rate; they would supply a pallet worth of documentation
00:14:02 [Karen]
...with this process they could make the claim with info that was on the ledger
00:14:07 [Karen]
...a huge advantage
00:14:12 [Karen]
...I liked it
00:14:24 [Karen]
...from a trade standpoint, we look forward to see what W3C does for DIDs
00:14:31 [Karen]
...we think it's a neat way to go
00:14:34 [Karen]
Wendy: thank you
00:14:46 [Karen]
Joe: What were some of the legal requirements?
00:15:14 [Karen]
Jim: parties to the transaction for example
00:15:43 [Karen]
...done in DIDs and Verifiable Credentials; participation from brokers, suppliers
00:16:09 [Karen]
Markus: what DID method did you use and what ledger?
00:16:21 [Karen]
Jim: I am a customs broker; I think it was a @ blockchain
00:16:33 [Karen]
Markus: but you used real DIDs
00:16:46 [Karen]
Jim: we had IBM participating with Walmart
00:17:10 [Karen]
...we used customs data, transactions that were current and processed them through this system
00:17:10 [manu]
s/Jim: we had IBM participating with Walmart//
00:17:14 [Karen]
...took real data
00:17:21 [Karen]
...each data posted
00:17:26 [kimhd]
kimhd has joined #auth-id
00:17:29 [Karen]
...US customs used blockchain
00:17:33 [Karen]
...supplied response back to us
00:17:45 [Karen]
...I used my software, retailer used its own
00:18:03 [Karen]
Ken: from chain of custody
00:18:12 [Karen]
...regulations require signatures of taking custody
00:18:15 [wseltzer]
00:18:17 [Karen]
...any thought of using other forms
00:18:24 [Karen]
...states we needed a signature
00:18:30 [Karen]
...lawyers said we needed a signature
00:18:35 [Karen]
...we had supplier go online to application
00:18:38 [wseltzer]
00:18:44 [Karen]
...they certified who they were
00:18:49 [Karen]
Jack: how did they do that?
00:19:09 [Karen]
Jim: we filled in the appropriate information; electronic signature
00:19:13 [Karen]
...certified by the individual
00:19:17 [Karen]
...level, the same way
00:19:25 [Karen]
...importer; the broker made the claim
00:19:32 [Karen]
...I am FedEx or UPS
00:19:36 [Karen]
Wendy: Tony and Pindar
00:19:45 [Karen]
Tony: how did you deal with @
00:19:53 [aaronpk]
00:20:07 [Karen]
...with blockchain, can you say how you dealt with the errors
00:20:10 [Karen]
...that need to be fixed
00:20:28 [Karen]
Jim: we talked about the two meetings with the 35 ideas; narrowed down to 5 scenarios
00:20:34 [Karen]
...and we talked about the correction process
00:20:44 [Karen]
...public data was not as granular so you would not see the errors
00:20:48 [Karen]
00:20:55 [Karen]
...but you could make a private correction
00:21:02 [Karen]
...and post to the ledger as an amendment
00:21:14 [Karen]
Pindar: Was there only one customs involved here?
00:21:25 [gannan]
gannan has joined #auth-id
00:21:28 [Karen]
Jim: just one; NAFTA province of origin, one lifecycle
00:21:44 [Karen]
Speaker: Scott David
00:21:50 [Karen]
Wendy: we have 10 minutes
00:22:10 [Karen]
Topic: Law and DIDs
00:22:16 [Karen]
Scott: slides will be available
00:22:17 [kenrb]
kenrb has joined #auth-id
00:22:39 [Karen]
...we learned about "some other guy did it" defense
00:22:51 [Karen]
...all attorneys talk about mild and wild law
00:23:02 [wseltzer]
[starts at slide 15 of shared deck]
00:23:07 [Karen]
...mild is driving and looking forward through windshield
00:23:15 [Karen]
...most data practices are about data practices
00:23:20 [Karen]
...that is old stuff, going back 50 years
00:23:24 [Karen]
...authorities are past
00:23:29 [Karen]
...old notions of authority
00:23:44 [Karen]
...concepts of what we did in the past
00:23:53 [Karen]
...but we did not have the same problems, different in kind
00:23:56 [wseltzer]
"the problem is that in the past we didn't have a lot of these problems"
00:24:00 [Karen]
...problems are now more about risk
00:24:07 [Karen]
...to de-risk these new propositions
00:24:29 [Karen]
...notion of identity is locus of duty and liability and rights and value drive identity
00:24:42 [Karen]
...some solutions don't always work
00:24:56 [Karen]
...Now looking at Wild Law -- being asked to speculate
00:24:59 [Karen]
...the nature of the challenge
00:25:10 [wseltzer]
caption: "and by tomorrow, I'll need a list of specific unknown risks that we'll encounter with this project"
00:25:21 [Karen]
...Moore's law resulted in increase in interaction volumes and densities
00:25:38 [Karen]
...when trying to de-risk at time of exponential increase, it's very difficult
00:25:44 [Karen]
...more push to interoperability
00:25:52 [Karen]
...comparison slide
00:26:06 [wseltzer]
[slide 21]
00:26:07 [Karen]
...products, economic products and services
00:26:21 [Karen]
...structure the product to de-risk certain behaviors
00:26:26 [Karen]
...will open up new markets and products
00:26:33 [Karen]
...authority is future opportunity
00:26:45 [Karen]
...old value was cost limitation
00:26:59 [Karen]
...being in a cost center is not a great place to be; you want to be in a profit center
00:27:04 [Karen]
...want to be selling things
00:27:11 [Karen]
...advocating that in terms of DIDs
00:27:17 [Karen]
...Identity not so much a node thing
00:27:32 [Karen]
...comes back to relationship with community; efficiency; ability to measure nodes
00:27:42 [Karen]
...Identities are key
00:28:05 [Karen]
...Talk about the trends that will affect the measurements
00:28:25 [Karen]
...problem of de-risk things but we don't know what the terms are and their definitions
00:28:34 [Karen]
...Hic Sunt Dracones
00:28:42 [Karen]
00:28:53 [Karen]
...Talk about the 13 global risk trends
00:29:00 [Karen]
...Secrecy is Dead
00:29:24 [Karen]
...are seeking insights; but there is also intrusion
00:29:39 [Karen]
...distributed info architectures render hierarchies blind
00:30:07 [Karen]
...same people who go on Facebook are connected and yet the CEO is blind about things
00:30:13 [Karen]
...Sovereignty of Complexity
00:30:37 [Karen]
...Socio-Technical systems force non-technical variables into security design
00:30:49 [Karen]
...look at risk not just in the lab, but also in the context of the entire system
00:30:58 [Karen]
...Information Democratization Collapses Scale
00:31:06 [Karen]
...controls can be done by crossing over among elements
00:31:12 [Karen]
...stopping at a traffic light
00:31:26 [Karen]
..., legal and technical elements can get adjusted
00:31:32 [Karen]
...Data tech is "dual use"
00:31:48 [Karen]
...constraining data is an old law
00:31:56 [Karen]
...people are data producers
00:32:15 [Karen]
...used to have institutional support for data producers
00:32:28 [Karen]
...Big Data insights invert critical analysis
00:33:05 [Karen]
...genetics they are finding ocean organisms; but fewer pathways involved; we don't have to treat each one as unique
00:33:12 [Karen]
...Synthetic intelligence is sharing ideas
00:33:28 [Karen]
...Internet is not a public park; it is a privately operated commercial space
00:33:34 [Karen]
...Internet is not a public park
00:33:39 [Karen]
...Data is not Information
00:33:58 [wseltzer]
"meaning security"
00:33:59 [Karen]
...educate into meaning security
00:34:19 [Karen]
...question of bureaucracies
00:34:24 [Karen]
...AAAA threats
00:34:35 [Karen]
...attacks, accidents, and acts of nature
00:34:42 [Karen]
...different vectors of attack
00:34:50 [kenrb]
kenrb has joined #auth-id
00:34:53 [Karen]
...if you don't know nature of system you cannot deal with it as well
00:34:57 [Karen]
...AI is between here and here
00:35:02 [Karen]
...that's it
00:35:05 [Karen]
...Good luck
00:35:19 [Karen]
Wendy: any questions following that lightning talk?
00:35:43 [Karen]
Mike: Which was the attack and which was the act of nature?
00:35:54 [Karen]
Speaker: John Fontana
00:36:27 [burn]
s/here and here/attack and act of nature/
00:36:33 [Mitja]
Mitja has joined #auth-id
00:36:41 [Karen]
Topic: The Enterprise
00:36:51 [Karen]
John: I spent 25 years as a tech journalist
00:37:06 [Karen]
...saw this directory, saw a lot about identity
00:37:08 [Mitja]
Can someone please share the google drive link to the presentations?
00:37:09 [Karen]
...I covered security
00:37:27 [Karen]
...I recorded every conversation because everyone spoke in acronyms and numbers
00:37:32 [Karen]
...then I got off security beat
00:37:38 [Karen]
...and started to cover directories and messaging
00:37:52 [Karen]
...I went to conference in Philadelphia; sessions on X509
00:38:01 [Karen]
...other side were LDAP guys yelling at each other
00:38:17 [Karen]
...replication issues on the LDAP side, X509 is dead; they are still both around
00:38:27 [Karen]
...directories started to take on a persona
00:38:35 [Karen]
...I got sent to Burton Group conferences
00:38:42 [Karen]
...talked about directories for three days
00:39:06 [Karen]
...then I heard talk about directories and Pam stood up and said 'you're full of it'
00:39:08 [Karen]
...I talked to her
00:39:26 [Karen]
...All these big companies dictated the reference architecture that the Burton Group would build
00:39:37 [Karen]
...and every year they would carve out time for me to talk to them
00:39:45 [Karen]
...gave me the lay of the land to cover this stuff
00:39:57 [Karen]
...the time, Novell, Netscape had directories
00:40:01 [Karen]
...those were hot topics
00:40:16 [Karen]
...asked about multiple forests
00:40:21 [Karen]
...Microsoft gave an hour lecture
00:40:26 [Karen]
...I identified myself
00:40:38 [Karen]
...and asked about 'what about multiple forests'
00:40:57 [Karen]
...the lede of my story was 'if you want to go to hell, talk about multiple forests'
00:41:06 [Karen]
...a call from the product manager who was not happy
00:41:13 [Karen]
...that morphed into the Liberty Alliance
00:41:19 [Karen]
...that was in 2001
00:41:25 [Karen]
...remember the WSStar stuff
00:41:30 [Karen]
...where I met Tony from IBM
00:41:51 [Karen]
...he explained passport, infocards, what has morphed into azure infrastructure
00:41:56 [Karen]
...Kim Cameron
00:42:01 [Karen]
...loss of identity
00:42:04 [Karen]
...talking about directory
00:42:09 [Karen]
...hooked onto SAML
00:42:23 [Karen]
...became popular; Andre Durand, CEO of Ping
00:42:35 [Karen]
...he gave nice 45 minutes talk about SAML
00:42:51 [Karen]
...he said he had no clue what he was talking about...
00:42:57 [Karen]
...Since 2010
00:43:14 [Karen]
...I had column on ZDNET on data breaches and how that was falling apart
00:43:23 [Karen]
...breaches is a tired story; same things keep happening
00:43:30 [Karen]
...I wrote down all of the things I covered
00:43:39 [Karen]
...groupware, collaboration,
00:43:52 [Karen]
...I've seen a lot of water under the bridge
00:43:56 [Karen]
...these iterations on these technologies
00:44:01 [Karen]
...nothing seems to go away
00:44:07 [Karen]
...some things rise to the top
00:44:26 [Karen]
...a testament to what folks in this room do; it takes a lot of time
00:44:40 [Karen]
...wild ride from an LDAP directory to where we are now, and how much has been accomplished
00:44:47 [Karen]
...great things going on in this space
00:44:55 [Karen]
...closest we are working on standards
00:45:01 [Karen]
...thank everybody for their hard work
00:45:11 [Karen]
...hope this will be a milestone for what we have today
00:45:12 [Karen]
...thank you
00:45:21 [Karen]
Wendy: thanks a lot, John
00:45:32 [Karen]
...hard to follow that with an agenda bashing session for tomorrow
00:45:50 [Karen]
Tony: what do you see as trends there? you have seen things fail and succeed
00:45:54 [Karen]
...must see trends come
00:45:58 [Karen]
John: I talked today in our group
00:46:05 [Karen]
...there is a purity when you are developing the specs
00:46:11 [Karen]
...people in room see the challenge
00:46:14 [Karen]
...get something going
00:46:24 [Karen]
...then bring in the business strategy piece and things go wonky
00:46:36 [Karen]
...hard to drive the spec down to the finishing point
00:46:41 [Karen]
...from experience, that is best avoided
00:46:51 [Karen]
...can be detrimental and leave you with ragged edges
00:47:07 [Karen]
...boils down to the commitment of the people involved before the business guys come in
00:47:21 [Karen]
Pindar: what advice you have to this group based on their experience
00:47:36 [Karen]
...I am hearing you say get the tech work done and keep business people at bay
00:47:41 [Karen]
John: it boils down to hard work
00:47:53 [Karen]
...kids PTA, bunch of people but only 3 do all the work
00:48:13 [Karen]
...a volunteer environment, it is difficult to get the people to do the work, and motivate them to do it
00:48:16 [Karen]
...is difficult
00:48:20 [Karen]
Pam: I would add one thing
00:48:36 [Karen]
...from stuff I have seen; ambiguity is your enemy
00:48:48 [Karen]
...if people want to make things more ambiguous, walk away
00:48:53 [Karen]
John: we talked about scoping
00:48:58 [Karen]
...and let things get out of hand
00:49:03 [Karen]
...FIDO is an example
00:49:09 [Karen]
...has a definable thing to do
00:49:13 [Karen]
...nut is pretty simple
00:49:18 [Karen]
Wendy: fantastic
00:49:24 [Karen]
...if you have other comments to write on cards
00:49:27 [Karen]
...please do
00:49:40 [Karen]
...we have been gathering the cards and clustering them to think about what else to discuss
00:49:43 [Karen]
...John, thank you
00:49:47 [Karen]
00:49:53 [Karen]
...that brings us to the end of the day
00:49:58 [Karen]
...we had scheduled some agenda bashing
00:50:07 [Karen]
...looking over tomorrow's agenda
00:50:13 [Karen]
...we hope you will generate more ideas
00:50:27 [Karen]
...and as we talk over dinner and dream tonight, write them down and share them tomorrow morning
00:50:31 [Karen]
...and we will look at these clusters
00:50:41 [Karen]
...and see if we are capturing the high points of what we should discuss
00:50:45 [SarahSquire]
SarahSquire has joined #auth-id
00:50:49 [Karen]
...and what do you want to take away from this meeting tomorrow
00:50:58 [Karen]
...we will get a sense of a heat map of the group's interests
00:51:05 [Karen]
...tomorrow we will vote with red and green dots
00:51:16 [Karen]
...if you are motivated, concerned, frightened, want to work on an idea
00:51:22 [Karen]
...what is it we want to drive our energies toward
00:51:25 [Karen]
...Some of that
00:51:35 [Karen]
...and a survey of current work; avoid mistakes and minefields
00:51:37 [kenrb]
kenrb has joined #auth-id
00:51:38 [Karen]
...breakout sessions
00:51:48 [Karen]
...At W3C we have incubation and spec development
00:52:06 [Karen]
...many members want to see fleshed out ideas for specs before moving to working group
00:52:14 [Karen]
...we have heard from different Community Groups
00:52:24 [Karen]
...see what is ready to move to WG, what is ready for incubation
00:52:29 [Karen]
...come back to more discussion of that
00:52:39 [Karen]
...any warnings or concerns; anything that makes you jump up
00:52:56 [Karen]
...what are your biggest fears about this tech, interop, breakage, warnings we should be hearing
00:53:19 [Karen]
...Agenda also includes discussion on different cultural and economic perspectives
00:53:31 [Karen]
...we hear a lot of Western and first world perspectives
00:53:35 [manu]
q+ to note that sarah was supposed to speak after john...
00:53:44 [Karen]
...we need to hear from other regions and other perspectives there
00:54:00 [Karen]
...we have some roadmaps for some future looking into DIDs and Verifiable Claims
00:54:02 [manu]
00:54:03 [Karen]
00:54:09 [Karen]
...where folks from browsers
00:54:17 [Karen]
...where identity intersects with their work
00:54:26 [Karen]
...where should we all be going inside and outside of W3C
00:54:35 [Karen]
...help lead the web to its full potential
00:54:40 [Karen]
...If there is something you don't see
00:54:46 [Karen]
...shout it out now, write it down on a card
00:54:51 [Karen]
...I am emphasizing the cards
00:55:08 [Karen]
...we want to hear from people who are not participating in the Q&A; we want to hear from everyone in the room
00:55:17 [Karen]
...Whether or not we do or do not hear more questions
00:55:27 [Karen]
...regarding dinner, we have 6:30pm reservations
00:55:33 [Karen]
...Tony, anything about logistics about shuttles?
00:55:40 [Karen]
Tony: We will have to order shuttle
00:56:12 [Karen]
Tony: the restaurant is called The Boardwalk
00:56:34 [Karen]
Tony: as far as agenda is concerned
00:56:44 [Karen]
...I would like to see more use cases presented
00:56:56 [Karen]
...@ submitted one to list that I would like to see presented
00:57:04 [Karen]
...I think Mary had some work to do
00:57:09 [Karen]
Mary: some time tomorrow
00:57:14 [Karen]
Wendy: thank you
00:57:25 [aaronpk]
is it "Boardwalk by Maria Hines"?
00:57:39 [Karen]
Wendy: anything else for general discussion?
00:57:42 [Karen]
...Thank you everyone
00:57:50 [Karen]
...Thank you, Manu for scribing remotely
00:57:56 [Karen]
...and Jeff and Karen for scribing
00:58:04 [Karen]
...and all who have shared in the discussions
00:58:10 [Karen]
...look forward to a great second day
00:58:13 [Karen]
00:58:18 [Karen]
rrsagent, draft minutes
00:58:18 [RRSAgent]
I have made the request to generate Karen
01:10:08 [gannan]
gannan has joined #auth-id
02:56:43 [gannan]
gannan has joined #auth-id
02:57:27 [gannan]
gannan has joined #auth-id
03:17:56 [gannan]
gannan has joined #auth-id
03:18:13 [gannan]
gannan has left #auth-id
04:28:17 [Jiewen]
Jiewen has joined #auth-id
04:53:13 [kenrb]
kenrb has joined #auth-id
04:54:46 [jzcallahan]
jzcallahan has joined #auth-id
07:44:09 [kenrb]
kenrb has joined #auth-id
08:11:12 [Zakim]
Zakim has left #auth-id
09:01:23 [kenrb]
kenrb has joined #auth-id
11:03:26 [jzcallahan]
jzcallahan has joined #auth-id
13:25:32 [kenrb]
kenrb has joined #auth-id
13:26:35 [kenrb]
kenrb has joined #auth-id
14:08:25 [kenrb]
kenrb has joined #auth-id
15:57:36 [gannan]
gannan has joined #auth-id
16:13:37 [kenrb]
kenrb has joined #auth-id
16:38:40 [Zakim]
Zakim has joined #auth-id
16:38:47 [wseltzer]
rrsagent, bye
16:38:47 [RRSAgent]
I see no action items