16:03:14 <RRSAgent> RRSAgent has joined #vcwg-special
16:03:18 <RRSAgent> logging to https://www.w3.org/2023/02/07-vcwg-special-irc
16:03:18 <kristina> kristina has joined #vcwg-special
16:03:19 <kristina> present+
16:03:22 <brentz> zakim, start the meeting
16:03:22 <Zakim> RRSAgent, make logs Public
16:03:24 <Zakim> please title this meeting ("meeting: ..."), brentz
16:03:31 <JoeAndrieu> JoeAndrieu has joined #vcwg-special
16:03:40 <cabernet> present+
16:03:43 <Will> Will has joined #vcwg-special
16:03:53 <brentz> meeting: VCWG Special Topic Call
16:04:00 <brentz> chair: kristina
16:04:25 <JoeAndrieu> present+
16:05:15 <brentz> scribe+
16:05:30 <manu> present+
16:05:34 <samsmith> samsmith has joined #vcwg-special
16:05:38 <bumblefudge_> bumblefudge_ has joined #vcwg-special
16:05:41 <kristina> Topic: use-cases document
16:05:44 <kristina> https://github.com/w3c/vc-use-cases/issues/
16:05:47 <rgrant> present+
16:05:48 <manu> present+ abernethy
16:05:50 <brentz> kristina: Special Topic today is Implementation Guide and Use Cases document
16:05:51 <manu> present+ rgrant
16:05:56 <manu> present+ caballero
16:05:58 <kristina> https://github.com/w3c/vc-use-cases/pulls
16:06:00 <brentz> present+
16:06:01 <manu> present+ kaliya
16:06:05 <Kerri_Lemoie> Kerri_Lemoie has joined #vcwg-special
16:06:06 <manu> present+ Lemoie
16:06:08 <manu> present+ Long
16:06:11 <brentz> ... there are three open PRs
16:06:19 <manu> present+ SamSmith
16:06:25 <manu> present+ Abramson
16:06:30 <brentz> ... The holder Binding PR has three approvals, it was opened last week.
16:06:39 <manu> q+ on holder binding PR
16:06:44 <brentz> ... do we want to have more discussion, or are we good here?
16:06:46 <kristina> q?
16:07:17 <brentz> JoeAndrieu: I can chime in. Kevin Dean and I have been looking at the structure of the document, but we haven't looked at these PRs.
16:07:27 <brentz> kristina: so we need editor review to merge these?
16:07:41 <brentz> JoeAndrieu: yes, I can look at them.
16:07:50 <dlongley> present+
16:08:05 <brentz> kristina: that would be good so we can move on these topics
16:08:25 <brentz> JoeAndrieu: can we set up codeowners in this repo? that's why we weren't notified I think
16:08:34 <brentz> kristina: yes, let's work on that offline
16:08:47 <brentz> JoeAndrieu: we can certainly tag all of these for Kevin and I to review
16:08:49 <kristina> ack manu
16:08:49 <Zakim> manu, you wanted to comment on holder binding PR
16:08:50 <kristina> q?
16:09:10 <brentz> manu: at a high level, we should have some holder binding use cases. I don't think this use case is realistic.
16:09:31 <brentz> ... we think doing holder binding as part of age verification is problematic.
16:09:45 <brentz> ... we should use a different use case that is far more realistic.
16:10:03 <brentz> ... we have deliberately avoided holder binding in this use case, and this says the opposite.
16:10:24 <brentz> ... maybe we can change it to something else. I'll add those comments to the PR
16:10:39 <brentz> kristina: I think we need codeowners to look at the PRs, so let's look at issues.
16:10:41 <jer> jer has joined #vcwg-special
16:10:48 <kristina> subtopic: https://github.com/w3c/vc-use-cases/issues/132
16:11:37 <Orie_> Orie_ has joined #vcwg-special
16:11:42 <Orie_> present+
16:11:45 <brentz> so have an issue - use cases that requires holder binding
16:11:47 <kristina> subtopic: https://github.com/w3c/vc-use-cases/issues/128
16:11:49 <kristina> PR exists
16:12:00 <kristina> subtopic: https://github.com/w3c/vc-use-cases/issues/126
16:12:03 <kristina> PR needed
16:12:12 <brentz> JoeAndrieu: definitely
16:12:16 <identitywoman> identitywoman has joined #vcwg-special
16:12:27 <kristina> subtopic: https://github.com/w3c/vc-use-cases/issues/125
16:12:27 <decentralgabe> decentralgabe has joined #vcwg-special
16:12:32 <decentralgabe> present+
16:12:53 <kristina> q?
16:13:25 <kristina> subtopic: https://github.com/w3c/vc-use-cases/issues/124
16:13:31 <brentz> section 4 diagram
16:14:10 <brentz> JoeAndrieu: I proposed at TPAC that we get rid of it. There are use cases that require referring to a VC in a definitive way, and that is underspecified. A VC may not have an ID.
16:14:21 <manu> q+ to note "how to amend".
16:14:47 <kristina> ack manu
16:14:47 <Zakim> manu, you wanted to note "how to amend".
16:14:49 <brentz> ... There is a desire to amend things. you can't amend something that is signed, but issuing an amended VC that links to the VC being amended could be possible, but maybe we get rid of it.
16:15:04 <brentz> manu: the data model currenlty supports amending today
16:15:21 <brentz> ... the way you amend attributes about the subject is to re-issue.
16:15:53 <JoeAndrieu> q+ to say amending isn't stating new attributes about the subject
16:16:01 <brentz> ... but what happens if you want to amend the whole credential, you can add the previous credential as one of the credential subjects of a new credential
16:16:19 <brentz> ... changing what a previous VC says is troubling and much harder to do.
16:16:21 <przemek> przemek has joined #vcwg-special
16:16:26 <kristina> ack JoeAndrieu
16:16:26 <Zakim> JoeAndrieu, you wanted to say amending isn't stating new attributes about the subject
16:17:02 <brentz> JoeAndrieu: the first one, that's one way to interpret amending, I think it's just another statement. but the second method, including or referencing a VC to amend it is valid.
16:17:14 <manu> q+ to note how we might want to speak against the pattern?
16:17:17 <Orie_> Note the "extendsCredential" property of https://w3c-ccg.github.io/traceability-vocab/#GS1KeyCredential
16:17:36 <brentz> ... I don't thik we have any language that uses that pattern. There is a desire to amend, and coming up with a way to sdo that in the implementation guide would be good
16:17:38 <Orie_> For the meeting notes: https://ref.gs1.org/gs1/vc
16:17:39 <Phil-ASU> q+
16:17:48 <bumblefudge_> +1
16:17:50 <kristina> ack manu
16:17:50 <Zakim> manu, you wanted to note how we might want to speak against the pattern?
16:17:54 <bumblefudge_> to implementation guide rather than noramtive
16:18:40 <brentz> manu: one thing that we may want to consider is speaking against certain types of amending because of the technical difficulty
16:19:36 <JoeAndrieu> q+ to comment on dispute
16:19:47 <brentz> ... changing a previously issued VC in the right way could be very complex. Maybe we add language about re-issuing, that would be best, but issuing a credential that changes another one is harder. We should tell people this is a fraught path before they go too far.
16:19:54 <kristina> ack Phil-ASU
16:19:54 <JoeAndrieu> ack Phil-ASU
16:20:21 <manu> q+ to bring up example of "extend lifetime of credentials"
16:20:22 <brentz> Phil-ASU: I agree with Manu. Is this a back door for amending an expiry or revocation? Is there a circumstance where re-=issuing is not viable?
16:20:33 <brentz> JoeAndrieu:
16:21:08 <brentz> The best example I can think of is if you have a VC that is entered into an official record, but you needed to amend it. You can make a new VC that says I'm amending that thing and enter that into the record.
16:21:27 <brentz> ... the ability to dispute is much broader. Amending is the same issuer.
16:21:57 <Phil-ASU> restricting amending to the original issuer makes sense.
16:22:36 <brentz> ... typos could be an easy amend, MS instead of BS degree. This is an interesting use case because it introduces a new party to the pantheon. not necessarily the issuer, holder, verifier, or even subject. I don't want to advocate for a dispute action, just wanted to point out it is different from amending.
16:22:52 <brentz> ... It is confusing and we should add language to help that confusion.
16:22:53 <kristina> q?
16:23:02 <kristina> ack JoeAndrieu
16:23:02 <Zakim> JoeAndrieu, you wanted to comment on dispute
16:23:05 <kristina> ack manu
16:23:05 <Zakim> manu, you wanted to bring up example of "extend lifetime of credentials"
16:23:44 <Kerri_Lemoie> q+
16:24:08 <Phil-ASU> Anthony Camilleri
16:24:11 <kristina> ack Kerri_Lemoie
16:24:15 <brentz> manu: +1 Joe and Phil. Something came up yesterday in VC-EDU. One of the use cases was they wanted the wallet providers to extend the lifetime of issued credentials. The VC would be issued, then wanted the wallet provider to add something to the diploma that would refresh it for the next 40 years. Maybe we can get the person who spoke about that involed.
16:24:50 <brentz> Kerri_Lemoie: His name was ???? We shoudl talk to him. This is how they want to make sure the cache hasn't expired. We should talk to them more about it.
16:25:02 <manu> s/????/Anthony Camilleri/
16:25:03 <bumblefudge_> new tracking issue
16:25:08 <bumblefudge_> for future use-case
16:25:20 <bumblefudge_> (and Anthony's use case sounds more like `refreshService` than `amend` to me?)
16:25:26 <brentz> kristina: in terms of this issue, could we remove amend claim from the diagram, but add some lanaguage about the considerations we've just discussed?
16:25:32 <brentz> ... what do we do about this diagram
16:25:57 <manu> +1 to remove, and keep another issue around to document stuff around "amending"
16:26:03 <dlongley> +1 to remove
16:26:05 <brentz> JoeAndrieu: I support removing, but we should put a proposal and put it in the minutes. It starts off on the wrong foot because you don't amend data integrity proofs.
16:26:08 <Kerri_Lemoie> name from EU Anthony Camilleri: https://github.com/anthonycamilleri
16:26:08 <manu> q+
16:26:17 <manu> q-
16:26:24 <brentz> kristina: any objections to removing, while opening another issue about disputes, etc.?
16:26:25 <manu> +1 to remove and new issue
16:26:42 <brentz> ... I see +1 to remove and no objections.
16:26:55 <brentz> ... we need multiple issues, for amending, disputing, etc.
16:27:04 <brentz> manu: I'll do amending
16:27:12 <brentz> JoeAndrieu: I'll do disputing
16:27:19 <brentz> Kerri_Lemoie: I'll do the education use case
16:27:45 <kristina> subtopic: https://github.com/w3c/vc-use-cases/issues/122
16:27:46 <brentz> kristina: things like terminology not defined, should we go one by one?
16:28:06 <brentz> JoeAndrieu: are there a bunch of things not defined?
16:28:16 <brentz> ... that's in the diagram, but not explained.
16:28:39 <brentz> ... We could add that to terminology. It's terminology we borrowed from the web.
16:28:41 <bumblefudge_> funny, i was just reading an article about agency being underdefined by robin berjon :D
16:28:47 <brentz> kristina: I think basic definitions would work.
16:28:51 <brentz> JoeAndrieu: assign that to me
16:29:10 <brentz> kristina: skipping typo.
16:29:15 <kristina> subtopic: https://github.com/w3c/vc-use-cases/issues/109
16:29:30 <manu> q+
16:29:41 <brentz> kristina: which diagram does this involve?
16:29:49 <brentz> ... the needs map.
16:30:19 <brentz> ... in section 3? user needs?
16:30:28 <brentz> JoeAndrieu: not sure what needs to be updated there.
16:30:51 <brentz> JoeAndrieu: if that diagram is out of sync with the following text, but it looks like a general review
16:30:58 <brentz> kristina: this is from 2019
16:31:12 <brentz> JoeAndrieu: not clear if this identifies specific issues.
16:31:22 <brentz> kristina: do we need to update or cabn we close?
16:31:34 <brentz> JoeAndrieu: let's mark pending close and ask Matt
16:31:52 <brentz> kristina: I'll mark pending close
16:31:53 <kristina> ack manu
16:32:09 <brentz> manu: just cross linking to the terminology discussions, but I'm fine with this being closed.
16:32:26 <brentz> ... we're talking terminology in the main use case
16:32:36 <brentz> kristina: maybe we need an issue to align terminology
16:32:46 <brentz> manu: unless this is actionable, we should close it
16:33:05 <brentz> ... an open issue to always keep the terminology in sync will never close
16:33:14 <manu> +1 to depending on Kevin, rather than a Github issue :P
16:33:24 <brentz> JoeAndrieu: Kevin has been closely reviewing the Use Cases document and I think we'll catch things.
16:33:35 <brentz> kristina: let's close it in a week or so
16:33:38 <kristina> subtopic: https://github.com/w3c/vc-use-cases/issues/107
16:33:43 <brentz> kristina: Is this outdated?
16:33:55 <brentz> ... need to review editor author section?
16:34:40 <brentz> JoeAndrieu: I don't think it is. As opposed to how we handle the normative specs, who should be an editor or author, this is somewhat leftover. I don't have a good sense of how we should change this.
16:34:49 <manu> q+
16:34:59 <brentz> ... the new version editors is just Kevin and me
16:35:07 <kristina> ack manu
16:35:10 <steve_mccown> steve_mccown has joined #vcwg-special
16:35:12 <brentz> ... I defer toManu for how to clean it up
16:35:42 <brentz> manu: we have people on here who haven't been involved in years. We can add the version they worked on next to their names.
16:36:11 <brentz> ... I need to change the respec so we can list all the people who have been involved without it taking up a whole page.
16:36:38 <brentz> ... It is important to acknowledge all of the people who have contributed, but it should be easier to read.
16:36:48 <brentz> kristina: can I assign you?
16:36:58 <brentz> manu: yes, I have a similar action on vc data model
16:37:42 <brentz> kristina: Joe, can you give a quick look to see if any of these should be discussed, or we can shift to other doc?
16:37:50 <kristina> https://github.com/w3c/vc-use-cases/issues
16:38:00 <brentz> ... people, take a look at the issues to see if there's anything folks want to talk about
16:38:01 <manu> q+
16:38:06 <kristina> ack manu
16:38:30 <brentz> manu: we have a number of VC systems going into production, it would be good to list them in the use cases doc.
16:38:40 <brentz> ... whatever public gossip we can talk about
16:39:00 <brentz> JoeAndrieu: we are going to put out a call for input, new short use cases, extant use cases
16:39:29 <brentz> ... we do want to have a section that is current uses of VCs. It will be short. a way to look at signals of market adoption for the technology
16:39:38 <brentz> kristina: that sounds like a great next step
16:40:02 <brentz> JoeAndrieu:  not sure how much time is set aside in the F2F, but the call will probably go out after that.
16:40:16 <brentz> kristina:  we can take some time during F2F
16:40:25 <kristina> topic: vc-imp-guide
16:40:26 <brentz> ... and mark some issues as pending close if they are outdated
16:40:29 <kristina> https://github.com/w3c/vc-imp-guide/issues
16:40:40 <manu> q+
16:40:46 <kristina> ack manu
16:40:49 <brentz> kristina: Manu, there are 4 issues from May 2022, will you go through those?
16:40:59 <brentz> manu: yes
16:41:36 <brentz> ... just as a heads up, the implementation guide has typically been the place where we put things that are important for implementors to know, or where we put disagreements.
16:41:52 <brentz> ... we ask each side to write up an opionion and put those side by side.
16:42:08 <brentz> ... it's een a good way to handle disagreements in the past
16:42:08 <kristina> subtopic: https://github.com/w3c/vc-imp-guide/issues/67
16:42:46 <brentz> manu: this issue has to do with a compormise with Australia's digital drivers license. The app wasn't even checking the digitasl signtature
16:43:20 <brentz> ... the app was showing a QR code that wasn't signed. This was to add language to say make sure you've actually checked a digital signature.
16:43:27 <kristina> q?
16:43:36 <kristina> q+
16:43:44 <brentz> ... next steps here is prettyy straightofrward - add guidance to actually check digital signatures.
16:43:59 <kristina> ack kristina
16:44:00 <brentz> kristina: that australia implementation made some waves, it would be good to add this.
16:44:02 <Phil-ASU> Isn't best practice the QR code should have a signature?
16:44:13 <manu> Yes, but it's mroe difficult to do than it sounds :)
16:44:25 <kristina> subtopic: https://github.com/w3c/vc-imp-guide/issues/66
16:44:35 <brentz> kristina: verifier must not trust indicators on apps they do not control
16:44:39 <manu> q+
16:44:48 <kristina> ack manu
16:45:20 <brentz> manu: people were being trained to look for visual indicators that the proper app was being used.
16:45:34 <brentz> ... it's fairly easy to throw an app together that looks right.
16:46:04 <brentz> ... we should say - do not look for indicators in the application that the proper app is being used. This should be used in conjunction with other checks.
16:46:12 <bumblefudge_> @orie_ i think you mixed up your [] and () in that demo link
16:46:14 <brentz> ... digital signatures really should always be checked.
16:46:26 <brentz> kristina: what are the visual indicators?
16:46:48 <brentz> manu: those could be a tilt sensor that produces a hologram. but given enough time and money you can recreate that.
16:47:36 <brentz> ... we want people to think that as long as the biometric is being checked you need to make sure you received that portrait inside of a secured mechanism
16:47:45 <brentz> ... can't just receive the payload.
16:47:59 <brentz> kristina: what is the line between vc data model security considerations and this?
16:48:22 <brentz> manu:  this is at the application layer. the data model should support these mechanisms, but this is many layers above.
16:48:43 <brentz> ... physical systems that protect the interatcion is what moves it into the implementation guide.
16:48:46 <kristina> there is disputes section in the imp-guide btw.. https://www.w3.org/TR/vc-imp-guide/#disputes
16:48:54 <brentz> ... it is a but of a gray area.
16:49:08 <brentz> kristina: would be good to have a securty section in the implementation guide
16:49:15 <steve_mccown> q+
16:49:16 <brentz> manu: +1
16:49:39 <Phil-ASU> +1 security implications in the implementation guide
16:49:39 <kristina> subtopic: https://github.com/w3c/vc-imp-guide/issues/65
16:49:55 <brentz> kristina: related to another issue, make sure credential storage is encrypted using entropy from strong sources.
16:50:03 <kristina> +1 to "security implications"  term
16:50:53 <brentz> manu: one of the reasons compromise of the australian DL was possible, they were just using a 4 digit pin to encrypt the data in the app. decryption was easy so modification was easy. they legitimate app could be made to show whatever the atteckers wanted.
16:51:05 <kristina> q?
16:51:10 <brentz> ... this would be implementation guidance for wallet vendors to not do that.
16:51:20 <brentz> ... 256 bit key vs 4 digit pin
16:51:26 <kristina> ack steve_mccown
16:51:32 <brentz> ... apps need to be protected in legit ways
16:52:12 <brentz> steve_mccown: I have a lot of background in this area. Manu, you mention something. I wonder what the solution is. We shouldn't train people to look for indicators inside the app.
16:52:25 <manu> q+
16:52:52 <brentz> ... form an ordinary user perspective, what should they look for. they open their app and open a credential fro the government. Everything that displays on the screen can be forged, what can they do instead?
16:52:54 <kristina> ack manu
16:53:59 <brentz> manu: we don't have a compltete answer. It depends on the use. If the individual is working for an organisation andd their job is to receive credentilas, they need to always use the proper app. In a retail environment, trust the PoS system, not the thing the customer has. In theory your app is trusted.
16:54:40 <brentz> ... the other question is harder, how can you know the app itself can be trusted? Ifs the app store trustable? Is there some supply chain integrity controls?
16:54:44 <dlongley> +1 ... you have to use your own trusted apps and devices -- never rely on someone else's ... establishing trust in your own apps and devices is a harder problem.
16:54:51 <brentz> ... that is a much harder problem.
16:55:09 <brentz> ... we are depending on the people checking the credentials to determine legitimacy
16:55:14 <brentz> ... not the users
16:55:25 <brentz> steve_mccown: I volunteer to help write those things up
16:56:03 <brentz> ... This issius is going to get bigger. the EU has sued apple to allow alternative app stores.
16:56:15 <brentz> ... all of the goodness of android may be coming to apple.
16:57:12 <brentz> ... I can also hold private keys outside of an enclave. We are moving into a world where it is fairly reasonable to download the government app for the vetted app store, but that might be harder moving forward.
16:57:29 <brentz> ... what is the average user to do. what can we tell them?
16:58:06 <brentz> kristina: we are a bit over time. This is what is happening in Use cases and Implementation Guide. Please go through these before the face to face.
16:58:16 <brentz> ... please review the holder binding PRs.
16:58:27 <brentz> ... see everyone tomorrw tomorrow at this same time.
16:58:44 <brentz> zakim, close the meeting
16:58:44 <Zakim> I don't understand 'close the meeting', brentz
16:58:50 <brentz> zakim, end the meeting
16:58:50 <Zakim> As of this point the attendees have been kristina, cabernet, JoeAndrieu, manu, rgrant, abernethy, caballero, brentz, kaliya, Lemoie, Long, SamSmith, Abramson, dlongley, Orie_,
16:58:53 <Zakim> ... decentralgabe
16:58:53 <Zakim> RRSAgent, please draft minutes
16:58:55 <RRSAgent> I have made the request to generate https://www.w3.org/2023/02/07-vcwg-special-minutes.html Zakim
16:59:03 <Zakim> I am happy to have been of service, brentz; please remember to excuse RRSAgent.  Goodbye
16:59:03 <Zakim> Zakim has left #vcwg-special
16:59:08 <brentz> rrsagent, bye
16:59:08 <RRSAgent> I see no action items