DID WG Telco — Minutes

Date: 2021-09-07

See also the Agenda and the IRC Log

Attendees

Present: Daniel Burnett, Ivan Herman, Charles Lehner, Shigeya Suzuki, Brent Zundel, Drummond Reed, Kaliya Young, Ted Thibodeau Jr., Manu Sporny, Orie Steele, Markus Sabadello, David Waite, Pamela Dingle, Juan Caballero, Joe Andrieu, Daniel Buchner

Regrets:

Guests: Deborah Shands, Jeremie Miller

Chair: Daniel Burnett

Scribe(s): Kaliya Young

Content:

1. Agenda Review, Introductions

2. DID Rubric Status

Daniel Burnett: next item is giving status.

Daniel Burnett: https://github.com/w3c/did-rubric/issues

2.1. Initial draft of proposed Registry process (pr did-rubric#49)

See github pull request did-rubric#49.

Daniel Burnett: main point is to convert DID rubric to a registry - this is an issue that is out
… before the existing group charter ends - important to get done before we shift to a maintenance charter.

Drummond Reed: more in-depth and complex

Markus Sabadello: I misunderstood this proposal at first - it is just one part of it - just about adding additional criteria - I like it

Ivan Herman: I read it this morning - important to have it done as quickly as possible - so put in DID new charter that this will turn into an official registry document.

Drummond Reed: +1 to Ivan’s point – we want to include this in the new charter

Ted Thibodeau Jr.: I had started going over this with a fine tooth comb and made a stack of suggestions - I didn’t quite understand how things were flowing as documents - main author should go through my comments and then I can do - they have been sitting there for 5 days

Daniel Burnett: If he wants this to get in he needs to be very responsive to comments

3. DID Spec status update

Daniel Burnett: as I think most of you know the W3C Advisory committee voted - we have had some comments and three formal objections.
… the chairs and team contact and editors have been talking with W3C leadership - we don’t know what is going to happen. The chairs at this point believe that none of these objections will mean it can’t be publish as a recommendation.
… if it is delayed the existing working group charter will get extended.
… we may need to modify the new charter based on the objections.

Ivan Herman: I was sick last week but Philip did pick up my role and i’m grateful for that he is talking to the objectors later this week - something should come out of that

Manu Sporny: do you want me to prep the document itself - we do have to create a final document and pull it.
… general question is timing

Brent Zundel: will there be editorial feedback based on the objections?
… it seems much will be into the rubric or the implementation guide

Daniel Burnett: will process the que but keep short

Ivan Herman: not generate a final status thing - just take care of the outstanding editorial PRs

Brent Zundel: +1

4. SRI Review of DID Spec

Ivan Herman: See Slides of the presentation

Ivan Herman: See Security & Privacy Assessment criteria

Brent Zundel: would you like to give a brief introduction and then go into review

Deborah Shands: we do a lot of research of government entities
… my group does some research in cybersecurity
… my customer Anil John - asked me to review the DID and come up with security and privacy criteria for DID methods - I was able to spend about 100 hours on this (normally it would take a long time)
… approach to developing the requirements - they are in the document at the back of the slides.
… I did a little bit of a job from the perspective of a government agency that wanted to create a high value credential and apply that to a DID. What characteristics apply that to a DID - so a government agency can apply that to a DID.
… sketched an approach for a security and privacy approach - to illuminate to the customer - that were not garden variety issues.
… authentication, authorization, login, identity verification etc. these are garden variety
… I looked at version 1.0 core architecture document - I knew nothing about implementation. I had opportunity to discuss some of the entities funded by Anil.
… if you are going to do security - well established “system security engineering” two called out Common Criteria - protection profiles - specifications for security for national security - a bunch of international agreements to accept assessments of multiple laboratories that are accredited.
… these are established for products. These are established for functional requirements.
… NIST is thinking about standards for systems not just products - integration, deployment procedures - examples of places for developing criteria.
… we have had decades of systems security engineering
… we don’t have - a lot in a similar vein around privacy
… found introduction to privacy engineering by NIST - maps to fair information practices and principles - they are adopted in various international contexts - (re-written some times).
… abstracted up
… approach to developing a criteria - small examples
… define the system -
… I focused on the standard - if you develop criteria against which your system will be evaluated.
… realistic threats - identity fraud was the one I identified.
… define security objectives to address realistic threats.
… separate security requirements from the objectives - what parts addressed by rest of the environment
… supported by a vast array of things - and list assumptions of how you rely on those things.
… define privacy objectives and requirements - abstraction above fair information practices and principles
… typically when you get a working group collaborating together you get a common criteria protection protocols - based on a standard.
… different classes of technology infrastructure that you are assuming - you could develop different criteria - then sub-set to work collaboratively to develop these types of standards. The standards are young you are still developing them they are very security critical.
… then your system is evaluated by others - fair play different users - government agencies - may choose on criteria that you don’t appreciate.
… example criteria assessment
… Blue - government agency should they create a passport - is the DID good enough from a security and privacy perspective - is the DID method strong enough for a digital passport?
… could be verified during on boarding
… green is good - is a DID document authentic - check a hash volume
… brown think about supporting but not in specification.
… Red is bad - outside of the technical space and really impossible to verify by looking at DID method software and services
… looked at list
… conclusion - work together to develop a really security profile
… position what needed to be dealt with - existing common criteria protection profiles - related to DID method type systems

Daniel Buchner: in the red green brown - red is meant to indicate subjectivity?

Deborah Shands: no it was not be a subjective
… the approach by next door - they send a post card to your physical address - you have to go type that into - a minimal external process - it is not subjective it is outside the technical process.

Daniel Buchner: trying to understand the difference with the green
… distinction - thirty voters - mathematical

Deborah Shands: it is quite likely that a government agency will only accept a thing that is mathematically based
… there is another group at SRI working on the cryptography
… I have not assessed these things based on if they are subjective or not

Manu Sporny: this is really fantastic stuff thanks for putting it together and sharing with th group - some of them have seen your research for the first time here.
… the group developed some security and privacy considerations
… we also developed some criteria for the DID rubric.
… I think some of the things that you highlighted I don’t think that they are in any of the document. This has produced different types of criteria.
… I think what you have developed will likely belong in the specification itself.
… how concrete does it need to be.
… talk about the concrete implications give governments or large enterprises something to look at.
… sit down and steel yourself - and go look at some of the criteria protection profiles - look at how gory the details are for the process they go through.

Kaliya Young: sorry last line was deborah

Deborah Shands: look at the in-depth work that is done to really look at how they approach it
… look at what happens if there is something that could go wrong - they are going to be very nit picky
… make peace with the level of details that are needed - there are going to be operational assertions and proofs.

Daniel Burnett: one more question and then go into one detail.

Charles Cunningham: I was wondering about considerations of DIDs for issuers of verifiable credentials - I wondered about that (focus on DIDs as subject of credentials).

Deborah Shands: my focus was on the systems that generate and issue DIDs
… was asked to look at wallets recently - I have been crawling through wallets
… They can look at DID method implementation they can poke and discuss - software for DID methods
… are they good enough - apply passport credentials to DID.
… if I get a passport credential and decided to get a new wallet - the government agency doesn’t get to pick what wallet I put the credential into - how those credentials are managed those who are subjects of credentials or hold credentials on behalf of others - that is something else.

Drummond Reed: Deborah’s point is profoundly true. But I do expect there to be security standards for wallets.

Daniel Burnett: in our world a passport is not a DID it is more like a credential -

Orie Steele: Imagine issuing a passport to an identifier that is bound to a physical hardware wallet, then not being able to change wallets….

Deborah Shands: so a government agency - if I provide a DID this is my identifier - I want a passport credential asserted with me as a subject - sorry that DID was not generated by a DID method that we think is good enough.
… strictly focused on dids and did methods
… one of the recommendations that I made around access control and access policy
… you have a number of controllers that can manage a DID document - there are controllers that are not mentioned. Recommend that you can list all the modifiers that can change the did document
… it seems to me that any of the did controllers can modify any of the elements of a did document.

Daniel Burnett: I disagree with identifying controllers. Circular because now how do you identify them?

Deborah Shands: it seems appropriate - to define the extent of a specific did controller over - limited scope of impact.
… develop minimalist policy access language - identify which did controllers are permitted to do what to the document.
… it is a pain in the neck - a number of DID controllers can have full access to the document - this could be a real problem.

Markus Sabadello: thanks deborah for the presentation - this question of access control this varies a lot between different did methods - would your recomendation to require this in the DID core - or do you think it is acceptable to add it to the rubric and then the government could choose a did method that they want
… where you should enforce this

Deborah Shands: enforcement is always on implementation - your method will have a controller policy

Drummond Reed: Access control policy for DID methods is DID method specific.

Deborah Shands: to show you are serious about the security end of things - requiring there is a security policy with these types of things - specifying this at a high level seems like it is important in this type of thing - split this up into subsets - different styles of technology implementation

Manu Sporny: We should definitely follow up with Deborah

Manu Sporny: Figure out how we continue to collaborate on this type of work – it’s important.

Daniel Burnett: I think there a lot of great opportunities for discussion/collaboration

Deborah Shands: there is e-mail we can meet again - happy to do that.

Daniel Burnett: folks are welcome to communicate with you individually

Orie Steele: Thanks deborah!

Deborah Shands: it is a pleasure - fascinating technology space

Kaliya Young: Thanks Deborah!

Ted Thibodeau Jr.: Orie – your muted actions above should be inline comments!