16:16:13 RRSAgent has joined #auth-id 16:16:13 logging to https://www.w3.org/2018/12/10-auth-id-irc 16:16:20 Zakim has joined #auth-id 16:16:25 rrsagent, this meeting spans midnight 16:16:40 Meeting: Strong Authentication and Identity Workshop 16:27:59 Takashi has joined #auth-id 16:32:26 shigeya has joined #auth-id 16:33:15 burn has joined #auth-id 16:39:53 Jiewen has joined #auth-id 16:40:10 shigeya_ has joined #auth-id 16:41:50 achughes has joined #auth-id 16:42:08 shigeya has left #auth-id 16:45:29 shigeya has joined #auth-id 16:46:07 present+ 16:46:15 present- 16:46:27 present+ Manu_Sporny(remote) 16:46:32 rrsagent, make minutes 16:46:32 I have made the request to generate https://www.w3.org/2018/12/10-auth-id-minutes.html manu 16:46:34 rrsagent, draft minutes 16:46:34 I have made the request to generate https://www.w3.org/2018/12/10-auth-id-minutes.html manu 16:46:43 rrsagent, make logs member 16:46:47 present+ Shigeya Suzuki 16:46:51 rrsagent, draft minutes 16:46:51 I have made the request to generate https://www.w3.org/2018/12/10-auth-id-minutes.html manu 16:47:16 present+ Shigeya_Suzuki 16:47:20 present- Shigeya 16:47:23 present- Suzuki 16:47:28 rrsagent, draft minutes 16:47:28 I have made the request to generate https://www.w3.org/2018/12/10-auth-id-minutes.html manu 16:47:46 Agenda: https://www.w3.org/Security/strong-authentication-and-identity-workshop/schedule.html 16:47:48 rrsagent, draft minutes 16:47:48 I have made the request to generate https://www.w3.org/2018/12/10-auth-id-minutes.html manu 16:48:27 Chair: Wendy_Seltzer 16:49:01 shigeya has joined #auth-id 16:51:51 present+ 16:52:28 present+ Dan_Burnett 16:52:29 Mathias has joined #auth-id 16:52:30 hober has joined #auth-id 16:53:02 jfontana has joined #auth-id 16:53:55 Guest11 has joined #auth-id 16:54:00 markus_sabadello has joined #auth-id 16:54:13 present +hober 16:54:28 present +jfontana 16:54:36 wseltzer: no audio yet... 16:54:56 s/wseltzer: no audio yet...// 16:55:00 tomj has joined #auth-id 16:55:08 ken has joined #auth-id 16:55:09 Jiewen has joined #auth-id 16:55:30 Craigspi has joined #auth-id 16:57:44 JoeAndrieu has joined #auth-id 16:58:44 Steven has joined #auth-id 16:59:05 scribe: manu 16:59:19 wseltzer: Hi, my name is Wendy Seltzer, W3C - glad to welcome you here. 16:59:33 wseltzer: Thank you to Tony Nadalin and Microsoft for hosting us. 17:00:05 wseltzer: We're looking forward to the next two days of discussion, brainstorming, and socializing around Strong Auth and Identity. 17:00:41 Tony N. covers location of emergency exists, bathrooms, and parking. Assistance help, medical emergencies help, etc. 17:00:46 rrsagent, draft minutes 17:00:46 I have made the request to generate https://www.w3.org/2018/12/10-auth-id-minutes.html manu 17:00:52 marie_ has joined #auth-id 17:01:25 wseltzer: Very briefly, introducing the day and goals of the workshop at a high level - logistics, getting conversation going, etc. 17:01:51 shigeya__ has joined #auth-id 17:01:51 wseltzer: We use IRC for realtime minuting and discussion... to connect to the wifi - MSFT Guest and use the code on the board. 17:02:00 sanjay has joined #auth-id 17:02:00 auth-id has joined #auth-id 17:02:11 jeffh has joined #auth-id 17:02:13 will has joined #auth-id 17:02:21 present+ 17:02:24 :) 17:02:36 brentz has joined #auth-id 17:02:39 tony-tr has joined #auth-id 17:02:42 Steven-Google has joined #auth-id 17:02:50 kimhd has joined #auth-id 17:02:58 wseltzer: We are thrilled to have everyone here - just a quick intro to W3C - our goal is to lead Web to its full potential... we work on voluntary consensus standards. 17:03:10 krystian_czesak has joined #auth-id 17:03:25 auth-id has left #auth-id 17:03:26 wseltzer: We put workshops like this on to bring people together, lots of work is happening here and outside of W3C - if we can be a forum for conversation, great, if it happens elsewhere, great. 17:03:27 kenrb has joined #auth-id 17:03:38 wseltzer: We are not the exclusive endpoint of work, but one possible place to bring that work. 17:03:45 wseltzer: We are committed to Web for All. 17:03:45 present+ Brent_Zundel 17:03:46 Didier has joined #auth-id 17:04:04 i/scribe: manu/Topic: Introduction to Workshop/ 17:04:06 Douwe has joined #Auth-id 17:04:22 present+ 17:04:35 present+ 17:04:51 wseltzer: We operate under Royalty-Free patent policy - this workshop is not Recommendation track, contributions here ar enot yet contributions that are goverened by patent policy. Our goal is that specs should be implementatable RF wrt. patents / copyright, etc. 17:05:01 present+ 17:05:16 wseltzer: We are a member consortium, we depend on members to participate - hope to keep that infrastructural work going - 475 members from all sorts of places. 17:05:21 SarahSquire has joined #auth-id 17:05:53 wseltzer: We operate workshops under a code of ethics and professional conduct - if anyone has an issue, find wseltzer or someone else in W3C Team. We want to make sure this environment enables everyone to feel safe, respected and heart. 17:06:03 s/heart/heard/ 17:06:12 wseltzer: We are working in difficult areas, standards work well for technical problem, good enough technical problem, and find a common resolution. 17:06:29 wseltzer: This all depends on you and the broader community to make sure these things work effectively. 17:06:57 present+ 17:07:13 wseltzer: We want to hear from everyone - you have cards, on those cards, you can write down questions/comments/concerns - we will use those to fill into Q/A and discussion that follows... we will also have dots for voting, mark areas of particular interest/concern. 17:07:27 will_ has joined #auth-id 17:07:59 dwaite has joined #auth-id 17:08:02 wseltzer: We will have breakout sessions where we are gathering in smaller groups... W3C process for consensus ... these are preliminary directions/ideas... feel free to toss out ideas, but don't worry that if you're not in a group that you're going to miss the opportunity to provide critical input. 17:08:09 rrsagent, draft minutes 17:08:09 I have made the request to generate https://www.w3.org/2018/12/10-auth-id-minutes.html manu 17:08:25 wseltzer: Also another part of getting together is social - Tony has found us space in a nearby on campus restaurant. 17:08:50 wseltzer: This is pay your own way, but pay your own way... ~$20 minimum - interested and expecting to come tonight? 17:08:57 tony-tr: There is good beer/wine. 17:09:21 wseltzer: Does anyone need a shuttle? 17:09:22 looks like all hands raised except a few 17:09:22 almost everyone raised hands 17:09:28 tony-tr: I'll get a couple of shuttles. 17:09:45 Scribe notes roughly 60+ people raised their hands. 17:10:35 wseltzer: You can make off the record statements... let us know if you want something to be off the record. 17:10:48 Jim has joined #auth-id 17:10:58 John_Bradley has joined #auth-id 17:11:35 wseltzer: We can do queue management via q+ 17:12:03 wseltzer: We can capture what's going on at workshop... everyone is capable of adding things to minutes. 17:12:05 present+ 17:12:12 q? 17:12:22 chrisboscolo has joined #auth-id 17:12:38 BartW has joined #auth-id 17:12:52 sorry you can't be here in person, Manu! 17:12:53 wseltzer: Thanks to the PC and Manu and the rest of the PC for putting all of this together. 17:12:58 Karen has joined #auth-id 17:13:32 wseltzer: Thanks to Tony and Microsoft for hosting us here... our goal is to move things quickly. Please add slides to google slide deck. 17:13:54 wseltzer: You can email me to put material on Google Slide deck... 17:15:23 Kaliya: Hi, passed around cards to all of you - purpose of the workshop is to build mutual understanding across strong auth and identity projects, to do that, we're trying to gather as much input as possible. 17:15:35 Kaliya: We want to find potential connections between your work and work being presented. 17:15:45 Slide Directory for presentations -- https://drive.google.com/drive/folders/1Oldmw0i1NKhJJwKflG4X9egqP6LLySA2 17:16:06 Kaliya: We want questions, concerns, connections that you're seeing - we'll collect them after each of 7 presentations, we want to get a sense of the room about each of these. 17:16:10 Mitja has joined #auth-id 17:16:45 Kaliya: Please put number on the card, and questions/concerns -- this can be made anonymously. 17:17:14 Kaliya: We will collect them after each presentation. 17:17:19 Topic: Understanding Verifiable Credentials 17:17:31 burn: We are going to go through this quickly, this is a quick overview. 17:17:38 burn: When we talk about VCs, what do we mean by that? 17:17:50 Slides: https://docs.google.com/presentation/d/11hm-ajsLzroPmA-BcC2TryqAhKsF3jZ_wxHDnyUi_pg/edit 17:18:05 burn: There are all sorts of things we use today quite successfully - we wanted to duplicate that in an electronic form. 17:18:21 burn: We would show age/drivers license -- we're switching to education credentials - diplomas for example. 17:18:59 rrsagent, draft minutes 17:18:59 I have made the request to generate https://www.w3.org/2018/12/10-auth-id-minutes.html wseltzer 17:19:04 burn: Diploma is interesting... I have PhD from Oregon, which was acquired by another school... that school doesn't exist anymore... that org might not exist anymore in any form... we want to make sure we cover use cases like that... we are interested in cryptographically verifiable credentials. 17:19:37 burn: The work on VCs are just on a data model, not on protocol yet... issuer/verifier -- we don't define ecosystem normatively, but it's hard to talk about this w/o suggesting an ecosystem. 17:19:40 Slide 3 17:20:06 burn: When we talk about Verifiable credentials... issuer issues to holder... holder holds on to it... verifier asks for credential from holder. 17:20:35 burn: In this model, a VC contains credential metadata, claims, and proofs... the identifiers can be cryptographically controllers, but issuers can also be identified. 17:20:44 burn: the verifier is the one seeking verification 17:20:46 burn: What is a claim - one statement about a subject, Pat is over 21, for example. 17:21:11 i|welcome you here|-> https://docs.google.com/presentation/d/1U5ArEC6lyZ5AS3UYiaKrO-fcXJuCcbE2A7JTjIGaKQA/edit?usp=sharing Intro slides 17:21:33 burn: Here's an example in JSON-LD Syntax... we are defining a data model, and showing how you can use different syntaxes... 17:22:29 burn: At some point there is a realization of the syntax... the main thing I want you to see is that there is an ID for the credential, there is some type information... from perspective of user... they are just using ProofOfAgeCredential... etc... we have an issuer field, when it's issued, the part in red is the actual claim. 17:22:56 burn: We used to call this a "claim"... now we call this the "credentialSubject" - the id represents the subject of the claim... the property is ageOver and the value is 21. 17:23:31 burn: There is a proof... the details don't matter... ther eis just a proof on there... we do have some suggestions on cryptographic proofs, but lots of this is flexible/variable. 17:23:59 s/ther eis/there is/ 17:24:17 burn: We also talk about presentations... issuer, holder, verifier - it's actually a verifiable presentation by holder to verifier... it's for multiple credentials, often about same subject... identifier, some metadata, claims or some whole credentials... main idea w/ presentation is something that holder can pull from multiple credentials. 17:24:24 burn: What are verifiable credentials and what are they not? 17:24:34 Pamela has joined #auth-id 17:24:34 Slide 8 17:25:02 burn: VCs allow an issuer provide a statement of fact... holders hold on to them, verifier can see if the statement hasn't been tampered with. 17:25:12 burn: VCs don't represent verified truth... just who claimed what 17:25:14 Slide 9 17:25:32 burn: This work is being standardized right now in VCWG... in scope is data model and syntaxes... 17:25:47 burn: We are looking at JSON-LD... and JWT... 17:26:06 burn: We do not have browsers in scope... we do not define protocol... we don't address "Identity on the Web"... we're just providing VCs. 17:26:38 burn: out of scope work could be chartered in future WG... Credentials CG is looking at these items... 17:26:59 burn: We have a spec, we're tryign to wrap up ZKP and JWT support... we have done some Horizontal Review (non official... expecting CR very soon. 17:27:09 burn: We have test suites, use cases... (slide 10) 17:27:21 burn: If you are curious about use cases... take a look at use cases document... 17:27:53 burn: Details of pictures are W3C Member Confidential... in commerce, there are governments, banks, large websites, usign VCs. 17:28:23 burn: In trade, DHS, CBP, Canadian Provinces... importer, exporter, etc. are some target use cases... real adoption here. 17:28:27 slide 13 17:28:35 burn: Are there questions? 17:28:50 q? 17:29:02 dirk_balfanz 17:29:09 @@@: If you are conerned w/ data model - some credential, over 21, you want to know if *I* am over 21... 17:29:18 s/@@@/dirk_balfanz/ 17:29:36 burn: There is plenty of discussion around subject != holder. 17:29:58 JoeAndrieu: Use Cases talk about that use case - we are looking at things that are out of scope in protocol... but important to get a holistic view of things. 17:30:23 jillwill01 has joined #auth-id 17:30:48 burn: Anyone can make any claim about anything... if you look at the ID in red, that's a DID, this is where you may start seeing use for DIDs. 17:31:11 burn: Control over the identifier is an interesting question we're going to hear about soon... 17:31:55 tony: In looking at the current spec, it still looks like JSON-LD is the language, it looks like you're going to wrap regular JSOn or other types of JWTs/CWTs - get a little concerned... those get quite large, little concerned around size of expression. 17:32:16 tony: We're not looking for just users making these statements, we're looking for devices... concerned around size of claims. 17:32:22 burn: Is that a question or statement? 17:32:33 jzcallahan has joined #auth-id 17:32:53 burn: I'm not going to talk about the merits of one format of the other... as a Chair, we have been asking for feedback from others for the entire lifetime of WG... we do have people looking at other formats. 17:33:16 burn: We do have folks that are looking to support other expression formats. 17:33:51 Oliver: We have a pull request in for JWTs - we do have some shorter expression avoid duplication in JSON-LD... issuer could become iss field. 17:34:01 q+ to note that we're trying to be agnostic. 17:34:07 Minutes and PR: https://www.w3.org/2018/11/19-vcwg-minutes.html 17:34:32 https://github.com/w3c/vc-data-model/pull/267 17:34:37 Dalys has joined #Auth-id 17:34:40 burn: We have welcomed participation, we would like more input... we'd like help wrapping up what we have... additional proposals to recharter. 17:35:01 Sarah_Squire: Proposal in Ethereum community ERC725 - are you working w/ them. 17:35:30 q? 17:35:34 ack manu 17:35:34 manu, you wanted to note that we're trying to be agnostic. 17:36:33 manu: we're trying to be agnostic. Lots of experiments underway 17:36:40 ... the model has proven to be flexible 17:36:53 ... It's true that some formats have big payloads that won't work for small devices 17:37:04 ... could be that cwt or jwt work at different layers of the stack 17:37:23 ... and licensing has a bigger payload 17:37:29 ... different tools in the toolbox 17:37:38 John_Bradley has joined #auth-id 17:37:51 wseltzer: Any further questions for Dan Burnett. 17:38:25 wseltzer: We're building up modules, understanding different components that are available - different places that they might be useful. Think about incompatibilities... ways we can work together. 17:38:35 Topic: Decentralized Identifiers 17:38:56 Slides are here -- https://docs.google.com/presentation/d/1BX8r1KoxvJSQIX3PtAOzOawirwBYyze9QlyIaAbBRrM/edit 17:39:55 kimhd: Hi, I'm Kim, CTO of Learning Machine - work in educational credentials... co-chair of W3C Credentials CG - also DIF Steering Committee. 17:40:21 kimhd: What is a DID? It's a new type of URl that is globally unique, highly available, presistent, cryptographically verifiable, and doesn't require a centralized admin. 17:40:41 Loqi has joined #auth-id 17:41:02 kimhd: In education use cases, we want the recipient of a credential to be identified using a DID. 17:41:09 kimhd: A DID is an identifier for a subject. 17:41:16 [slide 3] 17:41:25 kimhd: here we have did:x:123 as the identifier for the subject. 17:41:44 kimhd: What does a DID look like? 17:41:47 slide 4 17:42:06 kimhd: we have a scheme "did:", then "DID Method", then did specific string. 17:42:38 kimhd: There are examples of what these look like at the bottom of the page... 17:43:05 kimhd: Globally unique identifier - in many of these cases, you can self-create your identifier... prove that you control it, no central admin can take it away from you. 17:43:39 kimhd: Each DID Method must specify a set of mechanisms - Create, Read, Update, Delete (aka revoke) 17:44:26 [slide 5] 17:44:46 kimhd: One critical part - DIDs resolve to DID Documents - we have a Veres One identifier here - document it resolves to - contains authentication mechanisms, public key material, services... 17:45:17 kimhd: markus_sabadello is goign to talk about that next... DID Resolver is retrieving DID Document. 17:45:27 [slide 6] 17:45:34 kimhd: So, DIDs resolve to DID Documents... let's look at specific DID resolution process. 17:46:02 kimhd: This is saying we're using the BTCR method spec, run it through the universal resolver, produces a DID Document. 17:46:48 kimhd: identifier tells you which block, which transaction, to find the transaction in. 17:47:10 kimhd: Resolver knows, per method spec, how to get information, how to return this thing. 17:47:25 kimhd: so, DID Document has keys, authentication, services, signatures, timestamps. 17:47:35 slide DID Document 17:48:09 kimhd: This document has been incubated at RWoT and IIW, currently draft in W3C CCG, protocols and prototypes at DIF, there is a DID Method Registry, DID Auth, DID Resolver... 17:49:01 kimhd: We'd like to discuss a DID Working Group at this Workshop. 17:49:17 kenrb has joined #auth-id 17:49:22 ack nadalin 17:49:25 q+ hober 17:49:37 tonyn: What do you expect to standardize? 17:50:05 tonyn: There doesn't seem to be cross-blockchain interop... I need different DIDs on every blockchain... who is going to run the registry... concerned around transparency of resolvers... 17:50:31 kimhd: Interop first - that's the big part... what's the content of the DID Document, that describes how interop is possible... 17:50:43 kimhd: DID Auth, for example, needs that document.... 17:51:38 ChristopherA: There are a couple of different issues here - DID authenticates DID DOcument, strongly make claim about DID Document... that document can contain other key material from other places... including keys that are compatible with say a different blockchain w/ different proof formats, PGP keys in there, information that lets you allow you to leverage FIDO. 17:52:30 ChristopherA: There are things like sigma proofs, ZKPs, private keys in one curve equivalent to private keys in antoehr group... it's premature to pick a method, maybe at some point the market will say there is one two or three that are dominate... but reality now is that there are multiple DID methods. 17:53:21 kimhd: We are starting to categorize DID Methods.. BTCR and IPLD are ones where, if you are comfortable w/ using that technology, you can create them and use them in some way... depending on registry authentication, you can start using that now... truly self-sovereign identifiers, I create them, no one can take them away from me. 17:54:08 kimhd: In other cases, private/permissioned blockchain, those enable different properties - for example Guardian models... batch registration of individuals... some depend on properties of the blockchain itself... which use cases argue for which... we don't do guidance yet, DIF may do that... W3C is not in that role. 17:54:38 kimhd: People will have those questions... you don't want to use something on a blockchain that can't be rewritten... part of strength of it, something we're getting feedback on ecosystem. 17:54:55 tony: Who is going to run the registry, how scalable is it, who would pick up the registry 17:55:00 q+ to note registry is optional. 17:55:25 ChristopherA: We are talking about the DID Registry - you can reserve the DID Method... not a DID Registry. 17:55:54 ChristopherA: The requirements to have a proposal are very small... as you move up the scale of maturity, we will have requirements for what you have to do to do that. 17:56:07 BTCR DID Method https://w3c-ccg.github.io/didm-btcr/ 17:56:29 ChristopherA: We need to allow for innovation right now... there is nothing that says one has to support every DID method, for example... don't use BTCR unless you need technology. 17:56:35 q- 17:56:35 q? 17:56:50 kimhd: We can come back to that - would like to focus on breadth 17:56:55 tantek has joined #auth-id 17:56:58 Kaliya: This dynamic is also what these cards are for 17:57:20 Kaliya: If you have thoughts/comments/questions - please write them down on paper right now. 17:57:43 hober: Does the DID Method registry just let people know what an unregistered method is? 17:57:53 ack hober 17:58:07 hober: Is it relatively straightforward to write simple JSON and hook into all of this? 17:58:17 kimhd: Yes, we can look into examples. 17:59:06 Pete: If I wanted to add a new DID, how do I get resolved? 17:59:08 s/write simple/serve static/ 18:00:01 kimhd: There are different resolvers - which methods support they support is up to each resolver... part of value is that each DID method and how you perform its operations... write any resolver to note your test case... it's not going to be prescriptive. 18:00:21 wseltzer: Thank you very much Kim... next up... Markus to talk about DID Auth... 18:00:31 wseltzer: Keep questions and comments coming throughout two days here... 18:00:50 Topic: Understanding DID Auth 18:01:08 Slides -- https://docs.google.com/presentation/d/1TSMW5hckaaaybpV9OVeNbWO1QE_OsMP3Pc3GovAfvjw/edit 18:01:08 Slides has -1 karma over the last year 18:02:17 Markus: Hi, working in CCG and DIF, and Sovrin... DID Auth is more of a concept rather than a spec... makes a lot of sense to have a concept... DPKI for DIDs... and what they enable. 18:02:26 Mitja has joined #auth-id 18:02:55 Markus: Using a DID Resolver to authenticate - you have DID, you have key material associated with that... control the identifier... not about proving we're over the age of XYZ, we just prove that we have control over a DID. 18:03:06 martijnvdven has joined #auth-id 18:03:18 Markus: We worked on a paper around Rebooting the Web of Trust... looked at DID Auth - Kim noted authentication. 18:04:10 Markus: Authentication block points to public key - who has control of the DID? If you have public key information, you can know that anyone that has private key is authenticated. 18:04:19 [slide: DID Auth Example Architecture] 18:04:24 Markus: This is one example for uPort - web page - mobile app authentication... 18:05:08 Markus: With a mobile app, private key corresponding to DID, I can provide response to QRCode - post it back to web page... important, web page uses DID Resolver to find DID, then find public key, then verify that the signature on the authentication was signed correctly. 18:05:15 Markus: This is just one of th epossible flows. 18:05:25 s/th epossible/the possible/ 18:05:51 Markus: We tried to analyze this stuff - different scenarios / different flows - there are many, so DID Auth isn't just one thing... it's a family of things that are being explored. 18:05:59 elbowspeak has joined #auth-id 18:06:07 Markus: There are many transports, HTTP, QR, etc.... 18:06:43 Markus: There are many more flows... observation - we were able to draw all of these flows where there are two parties... if we look at traditional models, we usually have 3 parties... but this one has 2. 18:07:11 [slide 7] 18:07:17 Markus: I control a certain identifier - trust relying party - individual - all sorts of different transports... 18:07:20 [slide 8] 18:07:45 Markus: There are also people that are using different data formats internally... we will reuse things, but as I said, DID Auth is not trying to come up w/ a new authentication protocol... but reuse where possible. 18:08:07 kimhd has joined #auth-id 18:08:17 Markus: I have seen JWTs... we can also see JSON-LD VCs... self-issued VC.... 18:08:35 Markus: We have been thinking a lot about OIDC + DID... also looking at WebAuthn + DID... 18:09:05 [slide 10] 18:09:27 Markus: We've done some initial thinking - working w/ OpenID Connect protocol, where we use self-issued OpenID ... one way this could be done is to have personal openID connect provider... protocol could be used, similar with WebAuthn... FIDO... could reuse that. 18:10:06 Markus: There are other experiments around DID-TLS, DID-based HTTP Signatures... DID-based PGP... using DIDs in SSH. 18:11:05 sknebel has joined #auth-id 18:11:10 [slide 11] 18:11:23 Markus: Some things to consider for the workshop - how would a DID Auth relate to VC exchange protocol? 18:12:06 Markus: Other DID Auth principles... We may want to meet some principles, otherwise it's not DID Auth... for example, identifier stays the same... rotate keys, change service endpoints, change OID endpoints, authmethod, but we continue to always be able to prove control of the same identifier. 18:12:15 wseltzer: Questions from the room? 18:12:29 q+ tonyn, ChristopherA, dirk 18:12:47 oliver-terbu has joined #auth-id 18:12:49 dwaite has joined #auth-id 18:12:55 JohnB: I may beat Tony to some of these questions ... In a number of the flows that you put up, potentially they are a step backwards from a security perspective because they're phishable... we need to make sure we're not going backwards from a security perspective. 18:13:23 JohnB: I would even step back a bit further and question - is the use case for DID Auth actually authentication, or is it more appropriately proving presentment of VCs. 18:13:51 JohnB: We do have pairwise privacy preserving WebAuthn... even Apple is deploying it... do we actually need to present correlatable claim, or should we look at the best mixture? 18:14:08 JohnB: Some have said we need new authentication method when that may not be the best path. 18:14:47 q+ Daniel 18:14:58 Markus: Lot of questions - let's keep the benefits of existing things... not be phishable... concept of DID Auth is that we have an identifier that cannot be taken away from me, I can rotate keys, I can rotate metadata out... I think OIDC or WebAuthn don't provide that out of the box. 18:15:49 JohnB: The argument that you need to rotate credentials is making presumptions about how they're stored... I don't buy into the premise that a DID is required because you need to rotate private keys, not arguing that there are not use cases for DIDs, let's find the right use cases for them. 18:16:20 JohnB: For purely pairwise pseudonymous auth, I don't believe a DID having a public key published is a requirement. 18:16:39 q+ to agree with JohnB -- purely pairwise pseudonymous auth doesn't require DIDs - yep. 18:16:53 q- 18:16:57 jillwill has joined #auth-id 18:18:17 Daniel: A couple of things on the business side (from Microsoft perspective)... would love it if people used LinkedIn for everything (Microsoft property) - Universities didn't really want to sign up to single entities, because of corporate identifiers controlled by something other than University. 18:18:43 Daniel: So, there is a strong business use case for DIDs... large entities that don't want other large entities to lock them in via identifiers. 18:19:42 Daniel: There are also use cases around progressive trust... you start out pseudonymous, but then upgrade over time. For example, FIDO doesn't cover the use case for expressing services around DID Documents... granting access to my data storage service. 18:20:30 Tony: I get concerned around methodology for DIDs... you don't actually know if person that created the key is doing the DID Auth itself... you can do this in FIDO... authenticators is a drvice that you control. I'm not seeing end to end comprehension of how you keep keys safe and to the actual creator of the keys. How do you prove that situation in DID Auth. 18:20:42 ack tonyn 18:20:46 ack ChristopherA 18:20:49 ack Daniel 18:20:58 ChristopherA: I think part of the problem here, we're overinflating the use of keys, for simplicity purposes, you see DID Document up there - presuming that private key is in a file some place... 18:21:43 ChristopherA: That is a gross simplifciation, we can keep separate keys... we don't call it a signature block, there might be a variety of different types of proof... for example, if I issue Verifiable Credential covering you for 1 million dollars... I want a higher spec of authenticator/proofs before I give you that verifiable claim. 18:21:49 q+ 18:21:54 q+ to note FIDO + DIDs are complementary. 18:22:55 ChristopherA: DID Documents enable you to use all of this stuff... we need people that have experience with these systems. All the perils of mixing authn w/ authz... but at some point we need something like a DID DOcument... just because someone asks for a VC or other things, doens't mean I have to give it to them/comply... or they have to accept. 18:23:14 q+ oliver-terbu 18:23:23 ack dirk 18:23:27 Dirk: Where do you see DID and DID Auth fit into the larger picture... I think I understand VCs... I want to prove my age, SSN, I thought DIDs were a means to an end... 18:23:40 zakim, close queue 18:23:40 ok, wseltzer, the speaker queue is closed 18:24:10 Dirk: One way I could do that, who are you?, I could provide DID and DID Auth, prove that's who I am... find something in DID Document, claim I'm over 21? Am I seeing that right... how is DID connected to VCs? 18:24:34 Markus: We don't put VCs in public ledgers... 18:25:06 Markus: DID Documents are for looking up key material and services.... not VCs. 18:25:19 q? 18:25:27 Markus: There are no claims in DID Document, only metadata required to verify VC material... 18:25:36 Markus: DID Auth is just a high level concept so far... 18:25:45 q+ to answer Dirk 18:25:51 Markus: No assumptions about documents are in ledger, where keys are stored, where hardware wallets are... etc. 18:26:09 wseltzer: We have a queue... and then break... 18:26:13 kenrb has joined #auth-id 18:26:17 ack JoeAndrieu 18:26:24 present+ oliver_terbu 18:27:15 JoeAndrieu: None of these components yet is identity assurance 18:27:16 rrsagent, draft minutes 18:27:16 I have made the request to generate https://www.w3.org/2018/12/10-auth-id-minutes.html weiler 18:27:29 ... the proof that you are the person who can make these claims 18:27:32 manu: it's not either or 18:27:45 ... we're trying to combine elements of the prior art 18:27:46 ack manu 18:27:46 manu, you wanted to note FIDO + DIDs are complementary. 18:28:10 ... authentication flow that takes FIDO key material into a DID doc and uses HW token to identify 18:28:11 manu: I hear in this discussion a perception of an either-or thing. the experiments going on right now .... there is an auth flow that takes a FIDO authenticator, puts the credentials in the DID document 18:28:41 q? 18:28:46 q- 18:29:15 JoeAndrieu: For VCs and DID and DID Auth - none of those is sufficient for identity assurance... whether the key is on a hard drive, or on a hardware authenticator, we can't prove that person controlling device is the person... it's a strong factor. 18:29:20 ... There is a a lot of work around blending these models rather than picking one. 18:29:23 +1 manu 18:29:40 markus_sabadello: We did quite a bit of work around blending models at IIW. 18:29:44 rrsagent, make minutes. 18:29:44 I'm logging. I don't understand 'make minutes.', manu. Try /msg RRSAgent help 18:29:48 kenrb has joined #auth-id 18:29:53 rrsagent, draft minutes 18:29:53 I have made the request to generate https://www.w3.org/2018/12/10-auth-id-minutes.html manu 18:30:44 Everyone takes a break, socializing, expect to get back into OpenID, JWT/CWT, etc. use cases. 18:30:52 rrsagent, draft minutes 18:30:52 I have made the request to generate https://www.w3.org/2018/12/10-auth-id-minutes.html manu 18:32:18 [break for 30min] 18:43:53 elbowspeak has joined #auth-id 18:45:46 Jiewen has joined #auth-id 18:46:36 kenrb has joined #auth-id 18:47:37 Jim has left #auth-id 18:48:36 Jim_Masloski has joined #auth-id 18:51:43 achughes has joined #auth-id 18:55:18 PindarHK has joined #auth-id 18:57:48 kenrb has joined #auth-id 19:02:56 tony-tr has joined #auth-id 19:03:22 JoeAndrieu has joined #auth-id 19:03:36 topic: WebAuthn, CTAP 19:03:45 Didier has joined #auth-ID 19:03:45 sanjay has joined #auth-id 19:04:18 -> https://docs.google.com/presentation/d/1fiMFAw397cb2UPvywN4zCHCZtz_1tQsR0A6f5rpzoKw/edit?usp=sharing Slides, Modern Authentication 19:04:40 [slide 2:: How Security Keys Work] 19:05:01 jillwill has joined #auth-id 19:05:07 JohnFontana: presenting slides 19:05:18 [slide 3: Registration] 19:06:53 JohnFontana: FIDO2 is an umbrella term for WebAuthn and CTAP 19:07:01 ... CTAP at FIDO, WebAuthn at W3C 19:07:02 Mitja has joined #auth-id 19:07:08 [slide 4] 19:07:31 ... CBOR is the CTAP data format 19:07:44 [slide 5: WebAuthn] 19:08:03 ... create and get strong authentication 19:08:18 i/slide 2::/scribenick: wseltzer 19:08:51 [slide 6] 19:09:18 jzcallahan has joined #auth-id 19:09:21 [slide 7] 19:09:42 ... Thanks to Pam for this map 19:09:59 Can you please reshare the link to the presentation? 19:10:03 [slide 8: state of state] 19:10:29 thank you! 19:12:05 [slide 9] 19:12:18 TonyNad: IETF discussion of EAT 19:12:39 ... device attestation about provenance, devices, ecosystem 19:13:02 ... we use these attestations in WebAuthn and FIDO to understand key provenance and strength 19:13:05