06 May 2024

Attendees

  • Andy Parsons, Adobe

  • Andy Rosen

  • Christian Paquin, Microsoft

  • Drummond Reed, Gen Digital

  • Eric Scouten, Adobe

  • Jesse Carter, CIRA

  • Judith Fleenor, Trust Over IP Foundation

  • Lindsay Walker, Starling Labs

  • Loren Hart, Noosphere Technologies

  • Lorie Groth, Digicert

  • Nigel Earnshaw, BBC

  • Pamela Dingle, Microsoft

  • Patrick Boehler, independent consultant

  • Paul England, Microsoft

  • Peleus Uhley, Adobe

  • Scott Perry, Schellman

  • Truman Esmond, Partnership for Insurance Information

  • Will Kreth, HAND (Human & Digital) Identity

  • Yondon Fu, Livepeer

Agenda

5 min: Start meeting

  • Start recording

  • Welcome and community specification license reminder

  • Agenda review and call for agenda items

5 min: New members introduction

Two new members this meeting:

  • 🎥 2'02": Pamela Dingle, Microsoft

  • 🎥 2'18": Yondon Fu, Livepeer

30 min: Review claim/claim-generator PR

🎥 2'47": See PR #103.

Changes made since last week’s first draft:

  • SHA-256 is no longer hard-coded. Updated to add an alg parameter and match the C2PA’s list of recognized hash algorithms.

  • Proofreading suggestions from Christian and Paul.

Open issues:

  • How to allow multiple identity assertions to use these protections?

    • Zeroing out other identity assertions?

    • Compute identity assertions in sequence?

    • Allow only “last” identity assertion to use claim hash protection?

  • Do we need the full cert chain or can we simplify to end-entity cert only?

  • OK to close #96 without merging?

…​

🎥 7'12": Long discussion of potential challenges with multiple identity assertions employing the expected claim/claim generator protections.

ACTION (✅): Eric to split out the sig_type change from PRs 96 and 104. DONE: See new PR #105.

ACTION: Eric to revise PR 104 to allow identity assertion signer to add expected signer_payload or signing credentials.

ACTION: Eric to revise PR 99 to describe the adversarial claim generator attack. Include the trust-bubbles discussion shown in the meeting at 🎥 39'34".

15 min: Proposal: Declare implementer’s draft

🎥 50'26": See PR #104 which will allow implementers to proceed using the core structure of the identity assertion while non-structural details are resolved.

This is a heads-up discussion. I would like to move for merging this PR in the next meeting on 20 May. If the idea of locking the core structure of the identity assertion causes heartache, please speak up within these two weeks.

Discussion, but no resolution.

15 min: Review trust model PR

🎥 1h01'32": See PR #99.

No new action items.

10 min: Endorsement assertion ready to approve?

🎥 1h09'36": Those who are interested in the endorsement, please re-review the latest draft, which includes changes approved last week.

I’d like to move for approval of 1.0 final specification in next meeting (20 May).

5 min: Closing and review

Invitation to subsequent meetings, which will typically be on Mondays.

Reminder that next week’s meeting (13 May) is cancelled due to an internal Adobe event.