16 September 2024

ACTION: Eric to revise PR 162 to include some consideration of localization and possibly a definition of user-visible string. NOT DONE, CARRY OVER but new information that Eric can work with.

ACTION: Liviu and Eric to do further coding / research work to describe what the proof data structure should look like in this case. NOT DONE → WON’T DO based on subsequent decision of group.

ACTION: Pam to discuss CBOR signing proposal with Microsoft engineering team and report back next week. UPDATE: Christian conveyed no objection on behalf of Microsoft.

ACTION: Eric to explore whether we can reuse the COSE protected header mechanism for RFC 3161 timestamping in the VC approach. NO UPDATE, CARRY OVER

ACTION: Eli to submit a PR adding support for K-256 signatures in CAWG. Group to discuss once available. NOT DONE

ACTION (✅): Eli to submit a GitHub issue for the group to consider EIP-712 credentials as an autonomous signing mechanism. (See Issue #176: Consider implications of autonomous signing mechanisms, to be discussed later.)

ACTION: Jacques to submit a GitHub issue for the group to consider using domain-name based DIDs as an autonomous signing mechanism. NO UPDATE, CARRY OVER

We contemplated and decided not to include did:key as an acceptable DID method for identity claims aggregators.

Eric updated the workflow for verifiable presentations, detailing the process from presentation requests to the generation of asset-specific verifiable credentials by the identity claims aggregator.

Eric and Drummond emphasized the critical role of the identity claims aggregator in the ecosystem, responsible for verifying and replaying identity claims on asset-specific credentials.

Concerns were raised about the potential security risks associated with rogue identity claims aggregators, stressing the need for a trust list to distinguish trustworthy entities.

Review Mastodon and AT protocol (Bluesky) for proving control over a domain for social media purposes (Documentation for AT protocol technique)

Token in meta tag or DNS record

CA / Browser Forum guidelines for issuance and management of Extended Validation Certificates §3.2.2 covers assurance that a web site is controlled by the specific legal entity described in the cert

I believe the OpenID community long ago did a spec for "site claiming" so that a blog owner could prove control of a blog to an OpenID provider.

did:web may provide a mechanism for this, too

Significant questions about what trust ecosystems an identity claims aggregator will participate in when collecting credentials. (Probable answer: That’s implementation dependent and not to be specified here.)

Separately, there is the question of what trust ecosystem the asset-specific credentials issued bhy the identity claims aggregator should participate in. (Diverse opinions along the spectrum from CAWG should organize a identity claims aggregator-specific trust list to let the market of verifiers decide.)

Look into OpenID Connect for Identity Assurance spec as a possible vocabulary for expressing what has been learned about named actor through presentation requests.

A reminder that not all information contained in the VP should be replayed by the identity claims aggregator into the subsequent asset-specific credential.