12 August 2024
Attendees
-
Andreas Reich, TrustNXT
-
Andy Rosen
-
Carly Huitema, U of Guelph
-
Christian Paquin, Microsoft
-
Cole Davis, Switchchord
-
Daniel Zellmer, Noosphere Technologies
-
David Bigsby, Government of British Columbia
-
Eli Mallon, Aquareum
-
Eric Scouten, Adobe
-
Gavin Peacock, Adobe
-
Garrett Kinsman, Click Camera
-
Jesse Carter, CIRA
-
Karen Kilroy, FileBaby
-
Liviu Gheorghe, Adobe
-
Loren Hart, Noosphere Technologies
-
Michael Becker, Identity Praxis
-
Nigel Earnshaw, BBC
-
Paul England, Microsoft
-
Peleus Uhley, Adobe
-
Pia Blumenthal, Adobe
-
Richard W. Kroon, EIDR
-
Scott Perry, Digital Governance Institute
-
Slava Asipenko, Proof
-
Tim Cappalli, Okta
-
Will Kreth, HAND (Human & Digital) Identity
Notes
New members introduction
-
π₯ 1'16": Daniel Zellmer, Noosphere Technologies
-
π₯ 1'56": Eli Mallon, Aquareum
-
π₯ 2'53": Garrett Kinsman, Click Camera
Icons and branding in identity assertion
π₯ 5'45": Pia Blumenthal presented on the importance of iconography in CAWG UI displays, emphasizing the need for standard patterns for social media displays and verified statuses. The discussion also touched on the differentiation of verified statuses and the use of iconography to signal verified identity. The conversation explored how to differentiate between types of verified statuses, considering whether to use a single icon for all or to segment icons based on the type of identity being verified, such as individual or company. Discussion on using iconography to quickly orient viewers to the verification methods used, such as OAuth or two-factor authentication, and whether to inherit icons from social platforms to indicate different verification methods. Pia suggested the possibility of using icons or visualizations to indicate levels of trustworthiness, such as a star rating system, and the need for UX research to understand the best way to present this information.
Some of the discussion questions that were raised:
-
Would we actually have access to the techniques the ID provider used to verify the named actorβs identity?
-
Could we trust such signals if so?
-
What information is actually useful to the identity assertion consumer? (Do they really need to know about the user’s session security at the time?)
-
Should there be room for an individual/organizational branding or profile picture?
-
Any "levels of assurance" iconography should be separated from the user-entered name so as to prevent gaming the system using β emojis or similar.
-
Can we translate NIST, Kantara, or similar standards into user-comprehensible reporting on the strength of the identity signal?
-
How does this all apply when identifying pseudonomous or fictional characters?
ACTION: Tim to make an introduction for NIST or Kantara for Eric.
Review previous action items
π₯ 37'21": Quickly reviewed status on the following items, summarized below:
Identity assertion 1.x (VC edition)
-
Review PR #159: Rename
boundTotoc2paAssetand clarify some items. ACTION (β ): Eric to merge PR 159 as is. -
Review PR #162: Tweak wording of
provider.nameentry. ACTION: Eric to revise PR 162 to include some consideration of localization and possibly a definition of user-visible string. NOT DONE -
Review issue #160: Determine structure for
verifiedIdentities[?].proof. ACTION: Liviu and Eric to do further coding / research work to describe what theproofdata structure should look like in this case. NOT DONE -
Review issue #155: Write section on proofs. ACTION: Pam to discuss with Microsoft engineering team and report back next week. NO UPDATE, CARRY OVER
-
Review issue #64: Consider stronger timestamping mechanism than W3C VC requires. ACTION: Eric to explore whether we can reuse the COSE protected header mechanism for RFC 3161 timestamping in the VC approach. NOT DONE
-
Review issue #163: Does the approach taken in Β§8.1 change if issuer == named actor?. ACTION: Eric to reach out to Will Kreth to explore signature scenarios. IN PROGRESS
Review PR #166: Update all C2PA references to point to version 2.1
π₯ 38'41": Review PR #166: Update all C2PA references to point to version 2.1.
ACTION (β ): Eric to merge.
Review PR #165: Define identity assertion generator
π₯ 42'36": Review PR #165: Define identity assertion generator.
ACTION (β ): Eric to merge.
ACTION: Eric to add a new PR to define βidentity provider.β
Review PR #167: Define VC proofing mechanism
π₯ 44'33": Review PR #167: Define VC proofing mechanism.
ACTION: Eric to add clause limiting COSE signature algorithms to the same list used in C2PA.
ACTION: All members to review PR and flag any concerns with limiting to COSE signatures only.
Not merging this week. Will re-review in a week or two.
Review scope of training and data mining assertion
π₯ 48'47": Review PR#1: Add cawg.social_media entry.
Discussion only; no action this week. Compare to possible work being done on this front by JPEG Trust. Consider whether CAWG wants to step into this space, and if so, whether it merits a separate assertion from training and data mining.
Also, worth comparing this to existing IPTC work. See Expressing Trust and Credibility Information in IPTC Standards.
ACTION: Eric to relay comments from discussion into the PR chat.
Proposal: Define standard HTTP interface for identity assertion
π₯ 1h01'26": Eric proposed the idea of standardizing an HTTP interface protocol to issue CAWG identity assertions, which would allow for interoperability and ease of use across different service providers, enabling content producers to obtain signatures from their chosen identity provider. The proposal aims to facilitate a standardized method for content producers to interact with various identity providers, ensuring a consistent and reliable process for obtaining the necessary signatures for CAWG identity assertions.
ACTION: Eric to create a PR describing this standard HTTP interface.