11 November 2024

🎥 3'50": All action items from 21 October 2024 and 04 November 2024 completed (merged PRs) or accounted for in subsequent PRs in this agenda, except for:

🎥 5'43": Leonard announced that the ISO Technical Committee 171, Subcommittee 2, Working Group 13 has sent the C2PA specification version 2.1 through the fast track process at ISO, which will turn it into ISO 22144. The ISO standard for Content Credentials is expected to become official in April, assuming no issues arise.

🎥 8'30": Discussed PR #198: Revise introduction/scope section to talk about identity assertion as a framework.

The PR proposed rewriting the introduction of the identity assertion specification to describe it as a framework for using credentials to bind named actors to content. This change aims to encourage future extensions and implementations.

Nigel questioned the substantial difference between describing it as a framework rather than an assertion. Eric explained that the framework approach allows for future credential formats and implementations, making it more flexible and extensible.

Scott expressed concerns about the term “framework” and suggested rewording to be more clear.

ACTION: Eric agreed to refine the language and bring it back in a future meeting. Consider splitting document into the framework and separate documents with specific implementations. Also look for ways to introduce the identity assertion that doesn’t require deep knowledge of C2PA specification.

🎥 24'16": Discussed PR #199: Allow Verifiable credentials data model 1.1 to be used.

Eric submitted a pull request to allow the use of both verifiable credentials data model 1.1 and 2.0 in the identity assertion specification. This change was requested by a party uncomfortable with building on the 2.0 version.

Scott initially disagreed with down-leveling the specification but reconsidered after Eric explained that 2.0 is not yet ratified by W3C. Christian supported the inclusion of both versions to accommodate existing and emerging deployments.

ACTION (✅): Eric to merge PR #199.

🎥 29'44": Discussed PR #188: Add support for domain control validation (DCV) aka verified web site.

Since the last review, Eric update the PR to use meta tags instead of DNS records for domain control validation in the identity assertion specification. This change was based on feedback from creative professionals who found DNS entries inaccessible.

The proposed meta tags would include a suffix to disambiguate competing implementations and a random value generated by the identity claims aggregator. This value would be placed on the named actor’s site to verify control.

Discussion: Karen raised concerns about the security of using meta tags, noting that hacked sites could still display valid meta tags. Eric acknowledged the feedback and suggested pausing the PR to explore more secure alternatives. Peleus explained the security issues with both DNS and meta tags, noting that DNS requests are often sent in plain text and can be manipulated. He suggested exploring other secure methods for domain control validation.

ACTION: Eric to review feedback and revise proposal accordingly. Consider:

🎥 58'06": Discussed PR #200: Add disclaimer about copyright information in use cases.

ACTION (✅): Eric to merge PR.

🎥 59'15": Looking for volunteers or collaborators with expertise in:

🎥 1h02'31": Aside from issues flagged for 1.1 release and PRs being discussed today, what open issues / blockers / concerns do you have about the identity claims aggregation model being added in 1.1?

🎥 1h02'55": Reviewed the following two PRs, which both address an inconsistency between the schema and example for the training and data mining assertion:

ACTION (✅): Eric to merge PR #6 and close PR #5 without merging.

ACTION: Eric to follow up on feedback provided by Philippe on more concrete examples for how constrained might be defined.