30 September 2024

Attendees

  • Andy Rosen, Sequence Key

  • Clement Hecquet, Digimarc

  • Daniel Zellmer, Noosphere Technologies

  • Eric Scouten, Adobe

  • Gavin Peacock, Adobe

  • Hans Granqvist, Noosphere

  • Jesse Carter, CIRA

  • John Collomosse, Adobe

  • Konrad Bleyer-Simon, Global Media Registry

  • Liviu Gheorghe, Adobe

  • Loren Hart, Noosphere Technologies

  • Pamela Dingle, Microsoft

  • Peleus Uhley, Adobe

  • Scott Perry, Digital Governance Institute

  • Slava Asipenko, Proof

Notes

New members introduction

  • 🎥 1'36": Hans Granqvist, Noosphere

Previous action items

🎥 2'10": Reviewed action items from previous meeting:

  • ACTION: Eric to explore whether we can reuse the COSE protected header mechanism for RFC 3161 timestamping in the VC approach. → Discussed later in meeting.

  • ACTION: Eli to submit a PR adding support for K-256 signatures in CAWG. Group to discuss once available. NO UPDATE Transitioned to GitHub issue #189.

  • ACTION: Jacques to submit a GitHub issue for the group to consider using domain-name based DIDs as an autonomous signing mechanism. UPDATE Feedback provided in PR #188; see below.

  • ACTION (✅): Several PRs called for in previous meeting. See discussion below.

PR #187: Add support for verified presentations

🎥 4'00": Discussed PR #187: Add support for verified presentations.

Opened discussion on this part of the identity claims aggregator model.

ACTION: Eric to propose additional language explaining the identity claims aggregator model. Feedback received before and during the meeting suggests it is not sufficiently clear yet.

Leaving this PR open for further discussion in future meetings. Open questions:

  • Are there methods available to us to prove to the identity assertion consumer that the identity claims aggregator actually received and validated the VP as claimed?

  • What obligations does the ICA have with regard to right to be forgotten and similar?

  • What safeguards need to be in place to ensure that private or personally-identifying information is not inadvertently made public by the identity claims aggregator?

  • Does the ICA have an obligation to forget or renew the retained VP as of a specific date?

  • How can/should we convey the strengths and weaknesses of the credential? What levels of assurance can we convey?

PR #162: Tweak wording of provider.name entry

🎥 35'47": Discussed PR #162: Tweak wording of provider.name entry.

Since previous discussion, we’ve added localization support.

ACTION (✅): Eric to merge PR 162.

PR #185: Remove affiliation from identity claims aggregation model

🎥 38'14": Discussed PR #185: Remove affiliation from identity claims aggregation model.

Discussion points:

  • Not all affiliations can be expressed via Verifiable Presentation (for example, Dun and Bradstreet or GS1 number).

ACTION: Eric to propose a PR that suggests other identity types (non cawg.) should follow reverse domain syntax.

ACTION (✅): Eric to close PR 185 as withdrawn.

PR #188: Add support for domain control validation (DCV) aka verified web site

🎥 46'42": Discussed PR #188: Add support for domain control validation (DCV) aka verified web site.

Discussion points:

  • In addition to DNS TXT records, there are other mechanisms that should be considered (did:tdw and such), but …​ those are autonomous signing mechanisms and potentially incompatible with the identity claims aggregation model.

  • DNS TXT record may not be accessible to some users. Consider also meta tag in HTML?

ACTION: Eric to review potential domain control verification methods with UX and product management to determine suitability.

Issue #53: Explore questions of anonymized credentials and how they might be expressed in the standard

🎥 55'40": Discussed issue #53: Explore questions of anonymized credentials and how they might be expressed in the standard.

Leave open: Relevant experts not here today.

Issue #41: Privacy when verifying VCs

🎥 57'31": Discussed issue #41: Privacy when verifying VCs.

ACTION (✅): Issue closed as no longer relevant. (Identity claims aggregation model addresses this.)

Issue #37: VC expiration before validation?

🎥 1h00'37": Discussed issue #37: VC expiration before validation?

ACTION (✅): Issue closed as no longer relevant. (Identity claims aggregation model addresses this.)

Issue #33: When to verify credentials?

🎥 1h01'33": Discussed issue #33: When to verify credentials?

This is related to an issue I flagged in #187 regarding end-user verifiability of the verified presentation.

ACTION (✅): Issue closed as no longer relevant. (Identity claims aggregation model addresses this.)

Issue #160: Determine structure for verifiedIdentities[?\].proof

🎥 1h02'40": Discussed issue #160: Determine structure for verifiedIdentities[?].proof.

We don’t have a clear examle for how proof would be used in this context. Removing for now with the understanding that we may bring it back later once we have more experience.

ACTION (✅): Issue closed.

ACTION: Eric to propose a PR deleting the proof section.

Issue #64: Consider stronger timestamping mechanism than W3C VC requires

🎥 1h05'16": Discussed issue #64: Consider stronger timestamping mechanism than W3C VC requires

General sense that the spec should have provision for an RFC 3161 timestamp.

ACTION: Eric to propose a PR with RFC 3161 in COSE signature for identity claims aggregation model.