20 February 2024

Meeting recording

Attendees

Aditya Khurjekar, Prove
Andy Parsons, Adobe
Andy Rosen
Chris Staines, Arkeytyp
Christian Paquin, Microsoft
Edmond Cunningham, Arkeytyp
Eric Scouten, Adobe
Frank _, Verus
Gavin Peacock, Adobe
Jeremiah Wagstaff, Transmute
John Collomosse, Adobe
Lorie Groth, Digicert
Michael Klein, Adobe
Nick Lyons, Arkeytyp
Nick Ritchie, BBC
Orie Steele, Transmute
Peter Carrescia, Confirm Identity
Pia Blumenthal, Adobe
Riley Hughes, Trinsic
Stu Vaeth, Mastercard
Will Kreth, HAND (Human & Digital) Identity
Wynne Kim, HAND (Human & Digital) Identity

Agenda

5 min: Start meeting

Start recording
Welcome and community specification license reminder
Agenda review and call for agenda items

20 min: Introductions / why we’re here

Round-table discussion: Attendees describe their affiliations and what they are hoping to accomplish through the CAWG.

🎥 2'29": Some of the common themes were:

AI provenance
Identity wallets
Identity proofing system — link to content
Metaverse ID
SSI
Trust framework
Standards with VCs
Healthcare identity
Talent identity (media, entertainment, sports)
Supply chain, especially software supply chain

5 min: Motion to approve draft status

As per Community Specification License process §4: Specification development process, I submit the existing identity assertion specification as a candidate draft and move to promote that document from pre-draft to draft status.

4.1. Pre-Draft. Any Participant may submit a proposed initial draft document as a candidate Draft Specification of that Working Group. The Maintainer will designate each submission as a “Pre-Draft” document.

4.2. Draft. Each Pre-Draft document of a Working Group must first be Approved to become a “Draft Specification.” Once the Working Group approves a document as a Draft Specification, the Draft Specification becomes the basis for all going forward work on that specification.

— Community Specification License :: Governance Policy

🎥 15'37": Briefly discussed motion to promote to draft status.

DECISION: Current draft approved as draft.

15 min: Open discussion: Issues that need to be addressed

Open call for new issues to be raised and discussed. Limit to 1-2 min per issue; we’ll file a GitHub issue if unable to come to a quick conclusion.

🎥 19'04": Eric started at with a quick overview of the C2PA data model and the proposed identity assertion.

🎥 23'24": Orie mentioned that the identity assertion has some conceptual similarities to software bill of material (SBOM) formats. Example SBOM in SPDX format: https://github.com/microsoft/sbom-tool/blob/main/samples/manifest.spdx.json

🎥 31'49": Concern raised about privacy implications of publishing, selective disclosure, JWT (Add to existing issue #41: Privacy when verifying VCs). ACTION: Eric Scouten to call together a smaller working group on privacy and invite Christian, Nick Lyons, Orie, and Jeremiah. Orie noted (via chat) that there are some limitations on privacy that come from building on top of verifiable credentials, depending on how you define the credential format.

🎥 36'04": Brief discussion about Sony’s proposed distributed ledger system for tracking volatile things like release windows, multiple types of info, related to movie releases and that this indicates that both ownership and identity are subject to change. Group decided not to pursue this topic for now.

🎥 38'51": Christian Paquin mentioned that there are some proposals for simplifying identity models. There was a general sentiment in the group that "lightweight" expression of ownership using ZKP was desirable.

Orie mentioned that IETF and related orgs are trying to simplify digital credentials. This is to some extent at odds with W3C VC extensibility model. Read up on IETF "spice" working group, which is a proposal within the IETF to charter a group to simplify digital credentials based on JOSE, COSE, and X.509.

🎥 41'43": Chris Steele and Nick Lyons mention Verus, a DNS name space alternative, not resolved by ICANN. "Non-collision identity domain space with sub domains, transferable (referenced by private key IDS) can be traded on chain and solve the transfer of ownership in a trustless way."

🎥 41'43": Orie issues a quick reminder that internationalization should always be on our minds when addressing identity. Unicode offers lots of vectors for abuse (e.g. similar looking names may not be exact string or binary matches).

🎥 48'22": Discussion on ways to participate outside of the meeting. Group requests e-mail list and Slack/Discord channel. Majority prefers Slack over Discord.

ACTION: Issue #42: Add a Slack or Discord channel for this group

ACTION: Issue #43: Create an e-mail list for this group’s discussions

40 min: Review and prioritize TO DO items in existing draft specifications

Items flagged as “major”

These items are likely to take extra time and attention. Looking for members willing to advise or draft responses to these issues that I’ve flagged as “major”:

Issue #16: Determine whether to use VC or VP for signature

🎥 50'09": General sense was that VPs are intended for ephemeral, one-off use cases and C2PA manifests are intended for more persistent broadcast usage. General sense that VCs are more appropriate for this use case. There was some discussion about replay attacks (which were a design flaw in the C2PA 1.x creative work assertion), but the new design of the identity assertion should prevent that.

ACTION (Issue #16: Determine whether to use VC or VP for signature): Eric to propose a PR that removes VC vs VP as a discussion item.

ACTION (Issue #44: Review presentation with key binding) discussed by Orie in meeting. Eric to follow up with Orie, Christian, and Riley.

Issue #34: Consider targeting VC 2.0 data model?

🎥 78'20": VC 2.0 is in candidate recommendation 1, but is likely to change before it becomes frozen. Not sure if the changes would affect anything we might depend upon.

ACTION (Issue #34: Consider targeting VC 2.0 data model?): Orie will ask around for more details.

Carry over for next meeting

🎥 80'35": We ran out of time and did not address the remaining items.

If time permits, review Other open issues.

5 min: Closing and review

Invitation to subsequent meetings, which will typically be on Mondays.

Decisions

Pre-draft of Identity assertion promoted to draft status.

Action items

Issue #41: Privacy when verifying VCs – Eric to call subgroup meeting.
Issue #42: Add a Slack or Discord channel for this group
Issue #43: Create an e-mail list for this group’s discussions
Issue #16: Determine whether to use VC or VP for signature – Eric to propose a PR that removes VC vs VP as a discussion item.
Issue #44: Review presentation with key binding – discussed by Orie in meeting. Eric to follow up with Orie, Christian, and Riley.