07 October 2024

Attendees

  • Andreas Reich, TrustNXT

  • Andy Rosen, Sequence Key

  • Claudiu Cismaru, Adobe

  • David Bigsby, Government of British Columbia

  • Eli Mallon, Aquareum

  • Eric Scouten, Adobe

  • Gavin Peacock, Adobe

  • Hans Granqvist, Noosphere

  • Karen Kilroy, FileBaby

  • Konrad Bleyer-Simon, Global Media Registry

  • Loren Hart, Noosphere Technologies

  • Nigel Earnshaw, BBC

  • Pamela Dingle, Microsoft

  • Peleus Uhley, Adobe

  • Richard W. Kroon, EIDR

  • Scott Perry, Digital Governance Institute

  • Steven Milstein, Trust Over IP Foundation

  • Tim Cappalli, Okta

  • Utkarsh Sharma, Vlinder

Notes

New members introduction

  • 🎥 1'11": Claudiu Cismaru, Adobe

Trust Over IP discussion

🎥 2'25": Steven Milstein from Trust Over IP Foundation’s AI and Metaverse Task Force joined us and introduced ToIP’s Trust Spanning Protocol and discussed the idea of a potential integration with C2PA and/or CAWG.

Eric and Steven highlighted the differences between C2PA and Trust Spanning Protocol. C2PA and CAWG focus on content and metadata embedding within digital media file formats, while Trust Spanning Protocol is more about secure point-to-point communication and identity verification.

Steven discussed the potential for C2PA to use the Trust Spanning Protocol in its workflow, suggesting that it could help in the adoption of C2PA by providing a secure messaging layer.

Eric acknowledged the challenges of widespread adoption of decentralized identity, noting that it is not yet sufficiently widespread for CAWG to adopt it fully. He emphasized the need to follow trends and advocate for adoption when the time is right.

Steven and Eric discussed the importance of governance in decentralized identity, with Steven noting that governance is about relationships and trust rather than just technology. Eric added that CAWG aims to support evolving identity technologies within its framework.

Review previous action items

🎥 18'25": Briefly reviewed the following action items from last week. Most of these translated into PRs that we discussed later.

  • ACTION: Eric to propose additional language explaining the identity claims aggregator model. Feedback received before and during the meeting suggests it is not sufficiently clear yet. NOT DONE

  • ACTION: Eric to propose a PR that suggests other identity types (non cawg.) should follow reverse domain syntax. DONE

  • ACTION: Eric to review potential domain control verification methods with UX and product management to determine suitability. IN PROGRESS

  • ACTION: Eric to propose a PR deleting the proof section. DONE

  • ACTION: Eric to propose a PR with RFC 3161 in COSE signature for identity claims aggregation model.

PR #190: Consolidate wording about cawg. labels

ACTION (✅): Eric to merge PR.

PR #191: Remove proof entry from verifiedIdentities[n] structure

ACTION (✅): Eric to merge PR.

PR #192: Add option to use RFC 3161 timestamp in ICA COSE signature

ACTION (✅): Eric to merge PR.

PR #187: Add support for verified presentations

Inclusion: Eric discussed the inclusion of verified presentations in the identity assertion, explaining that this would allow for the inclusion of credentials such as driver’s licenses and professional accreditations.

Sensitive Information: The group discussed concerns about sensitive information being included in the verified presentations. Tim suggested providing guidance on what should be redacted to prevent the inadvertent sharing of private information.

Proof Request: David raised the point that the information included in the verified presentation is driven by the proof request from the claims aggregator. He suggested that the spec should call out what information is requested and how it should be handled.

Trust and Governance: Pamela emphasized the importance of distinguishing between protocol implementation and trust framework governance. She suggested that considerations should be included in the spec, but the governance rules should be defined elsewhere.

ACTION: Eric to call subgroup meeting to refine the proposal.

Discussion about trust infrastructure

🎥 46'38": Nigel raised concerns about the trust infrastructure for identity claims aggregators (ICAs), questioning how to ensure that ICAs are credible and trustworthy.

Eric acknowledged the need for a governance process to ensure the credibility of ICAs. He mentioned that there are ongoing discussions about establishing a trust infrastructure for ICAs.

PR #188: Add support for domain control validation (DCV) aka verified web site

Eric discussed the methods for verifying control over a web domain, including DNS text records and meta tags, and the potential challenges of using these techniques.

ACTION (underway): Eric working with Adobe product management to understand consumer viability of these techniques.

ACTION: Eric to explore how to avoid collision between DNS tags from multiple vendors.

Issue #53: Explore questions of anonymized credentials and how they might be expressed in the standard

Is this relevant for ICA model or should it be considered as part of a future 1.x enhancement?

ACTION: Eric to call meeting with BC representatives including Stephen Curran, Lindsay Walker (who originally raised the issue), and potentially Will Kreth to discuss further.

Issue #32: Levels of assurance for subject credentials?

Scott shared a link to eIDAS Levels of Assurance.

Important concepts:

  • ICA will need to state the level of assurance it ascribes to the identity claim that it has received and is relaying.

  • eIDAS does a good job of describing the level of confidence in the claimed identity.