Verifiable Claims Telecon
Minutes for 2017-05-02
- Agenda
- https://lists.w3.org/Archives/Public/public-credentials/2017Apr/0084.html
- Topics
- Resolutions
- Action Items
- Organizer
- Manu Sporny
- Scribe
- Dave Longley
- Present
- Dave Longley, Matt Stone, Manu Sporny, Christopher Allen, Gregg Kellogg, Matthew Larson, Adam Migus, Adam Lake, David I. Lehn, Rob Trainer, Joe Andrieu, Richard Varn, Kelly Cooper
- Audio Log
Dave Longley is scribing.
Matt Stone: Any newcomers that haven't introduced themselves yet?
Topic: Finalize CG Reports, hand-off to WG
Matt Stone: We've got some booking keeping and clean up to do for the WG. To get a crisp hand off point for the docs that are in flight right now (data model spec and use cases).
Matt Stone: When the WG begins we can inherit the CG's doc and we need a clear start for attribution and IPR, etc.
Matt Stone: There are some PRs going and we have some open issues. We need to figure out as a group where we declare that these are the docs that the WG should begin with.
Matt Stone: We probably want the WG to take over the docs at that point.
Manu Sporny: I can speak a bit to that.
Manu Sporny: Last night I went ahead and prepped two final CG docs, they don't have to be the actual final docs. We've pulled in everything but one final PR that doesn't have any IPR in it, it's a non-normative section.
Manu Sporny: At this point we can freeze the docs and ask for IPR commitments. Typically this group decides that we want to freeze the docs. Then there's an interface on the CG site that can say "these are the final specs" and the chairs can do that.
Manu Sporny: The group freezes the docs, the editors prep them, and then we wait a bit and then the chairs publish the docs through the CG site and we ask for anyone who has contributed content to the specs. That is anyone who has done PRs to the spec.
Manu Sporny: They must explicitly release IPR -- they've already implicitly done this, we are just gathering explicit ones. We're past the point where we should be that concerned where IPR slips into these docs that we don't want in there, but the final report is an explicit statement saying that content is released to W3C and their patent free policy, etc.
Manu Sporny: So we want the handoff to be really clean. The final CG specs are done, if anyone on the call believes that we get something else important into the speak they should speak up now or on the mailing list. If we don't hear from anyone, the chairs should publish the final reports and then we get commitments from everyone who contributed. Takes 2-4 weeks and I think we can get it done before the WG spins up.
Manu Sporny: Any questions?
Matt Stone: You did it for the both the data model and the use case doc?
Manu Sporny: Yes, I sent an email to the mailing list last night with the static doc locations, those are frozen, the files don't change.
Christopher Allen: The data document does not provide anything about signature formats or anything of that nature.
Manu Sporny: Yes, but to be clear, the WG can do whatever they want to these specs as long as it's in charter. The WG can decide to add/remove whatever from the specs.
Christopher Allen: The design spec wise, is that we say that the recommended signature formats are in a separate document or ?
Manu Sporny: That's up to the WG to decide. That's a conversation for them.
Manu Sporny: The charter says we have to recommend signature formats that we believe work with Verifiable Claims, so we'll do that in the WG.
Manu Sporny: That's my expectation.
Manu Sporny: Did that make sense?
Christopher Allen: Yes, I'd like to get the data format done and stylistically/architecture wise mention future signature mechanisms, specs, etc. We can decide that later as you said.
Christopher Allen: I'm at crypto this week and I've been talking about long term signatures, the only thing that satisfies that are hash signatures, which are huge. Things for marriage certs/college degrees, etc. I want to make sure we can talk about those things later.
Manu Sporny: Yes, we can. My expectation is that VC won't mandate that you must use, for example RSA, we'd allow the entity that's issuing the VC what algorithms/mechanisms work best for the types of claims they are issuing.
Christopher Allen: I think we need more than just that. It's one thing that you're talking about a claim that's renewable for a period of time but there may be sub cases where you have to talk about why you should use one signature over another.
Manu Sporny: Yes, like a signatures best practices document. Privacy considerations may also need its own document because it may take a lot more space than the data model itself. The same could be true for signature formats/best practices, etc. Typically the way this happens in the doc is that you put it in the main doc and it grows until it's unwieldy and the WG agrees to move it to a separate spec. The WG decides what to produce, the charter is only a guide for that, as long as the work is in scope you can produce more docs.
Matt Stone: Ok, thanks, Manu for the overview and what to expect. Can we take down some actions to make sure we get this done over the next 2 weeks?
Manu Sporny: Yes, first, the proposal is to publish the two links that I sent out last night as the final report. The chairs need to put forward a proposal and we should +1/-1 on the call today and we can proceed as long as there are no objections. We need to do the same on the mailing list and give people a week to object. If there are no objections after that the chairs can publish them as the final reports on the CG site.
Manu Sporny: Verifiable Claims Use Cases (CG Final Report) - https://opencreds.github.io/vc-use-cases/CGFR/2017-05-01/
Manu Sporny: Verifiable Claims Data Model and Representations (CG Final Report) - https://opencreds.github.io/vc-data-model/CGFR/2017-05-01/
Matt Stone: Should we just let this hang as uncommitted? The remaining PR https://github.com/opencreds/vc-data-model/pull/38
Manu Sporny: Because there's no IPR in it we don't need to be that concerned about it.
Manu Sporny: The suggestion is, let's just wait and pull it into the document later.
Christopher Allen: I'd prefer to wait on the PR.
Manu Sporny: We're going to give ownership of the repo over to the WG.
Manu Sporny: So it should be really clean.
Dave Longley: +1 To that then.
PROPOSAL: Publish 2017-05-01 drafts as Final Reports. Gather feedback until this coming Friday, and publish final specifications if no objections.
Gregg Kellogg: +1
Dave Longley: +1
Matt Stone: +1
Manu Sporny: +1
Matthew Larson: +1
Adam Migus: +1
Adam Lake: +1
Christopher Allen: +1
RESOLUTION: Publish 2017-05-01 drafts as Final Reports. Gather feedback until this coming Friday, and publish final specifications if no objections.
ACTION: Chairs to send resolution to the mailing list inviting objections if there are any.
Matt Stone: Can you track down the committers?
Manu Sporny: Yes, I can work with the chairs offline to walk through the process, we will send direct emails to each one of the committers to sign off on the IP
ACTION: Manu to work with Chairs to get sign-off on IPR for specs.
Christopher Allen: Could I ask if the trip reports could be swapped with the next item in the agenda?
Matt Stone: Sure.
Matt Stone: One more thing before we move onto the next item in the agenda. This is just a validation of what Manu mentioned earlier. Since the WG will take ownership of the repo, all the issues and discussions will follow as well. So there's nothing we have to do with those as well?
Manu Sporny: The three repositories end up being handed over to the W3C organization.
Manu Sporny: Right now it's in the opencreds organization and it will be handed to W3C, all the issues, teams, etc. will automatically move over.
Dave Longley: CG continues to work on things? Protocol things? In open creds space? [scribe assist by Manu Sporny]
Manu Sporny: Correct, slight wrench in there. We may want to spin down the opencreds repo and use the VC CG repo instead.
Dave Longley: +1 To that
Matt Stone: +1 To using the new name
Manu Sporny: We should use the new name so people don't get confused.
Manu Sporny: Opencreds is 3 years old or so.
Gregg Kellogg: The repo or the organization?
Manu Sporny: The organization, the VC CG organization.
Matt Stone: In the W3C, there is an opencreds page there where we're all listed as members, is there some naming/branding we need to do?
Gregg Kellogg: https://github.com/w3c-vc
Manu Sporny: The naming on the W3C side is Verifiable Claims, the WG. It's confused right now ... there's opencreds, VC CG and VC WG, the CG needs to decide what name to use going forward.
Manu Sporny: The discussion should be around "Should we be called the Credentials CG or rebrand to the Verifiable Claims CG" there are pluses and minuses.
Christopher Allen: Will the groups start splitting? I'd like to see the CG be a little broader.
Matt Stone: Broader than Credentials?
Christopher Allen: I just mean not tie explicitly to the WG, there are things that the CG can do that VCWG can't do, so untying them a bit is useful.
Matt Stone: +1 To ChristopherA
Manu Sporny: +1 To that, the CG is going to deal with everything the WG can't deal with right now or isn't chartered to take on. So things like protocol, decentralized identifiers.
Manu Sporny: The things we know we need for a good healthy ecosystem but we weren't able to charter the WG to do yet.
Dave Longley: +1
Christopher Allen: I'd almost like to see it be Credentials Infrastructure or something like that that covers the entirety of the problem, but it's not a topic for today.
Matt Stone: We probably need an agenda item for next week that is scheduled for CG calls and how we're going to keep the broader discussion alive and have the WG start to focus. We'll want someone on the CG side to take a chair role and keep those driving forward.
Christopher Allen: Who is the current chair?
Matt Stone: It's Richard and I.
Matt Stone: We'll be moving to the WG, can't do both.
Christopher Allen: I'd be interested in talking about that, can take it offline.
Matt Stone: Let's do the next agenda item. Next up is trip reports.
Topic: Trip Reports
Christopher Allen: I wanted to report the last couple of weeks... Manu did you report last week since Rebooting?
Manu Sporny: No, this is the first call I've been able to join.
Christopher Allen: Why don't you start out and I'll close.
Manu Sporny: Ok, sounds good. A couple of events that happened before RWoT (Rebooting Web of Trust), I'll cover those first. We went to IETF to move the signature stuff forward, that has to do with Koblitz signatures that bitcoiners/ether people are using. It had to do with signing HTTP messages, etc. We met with a number of people at IETF, we met with the X-chairs of the JOSE working group, Jim Schaad, we met with folks that were involved with JWS and JWT, specifically, John Bradley from Ping Identity and Mike Jones from MS. We tried to figure out a way to harmonize the work at IETF and the work at VC. The good news is that we came out of it with a pretty solid harmonization strategy.
Manu Sporny: The reason we couldn't use JWTs still stands, but we can do a variant of JWS. By doing that, we get to reuse all of the security analysis that has gone into JWS. The challenge that we had before IETF was going to be a fairly 6mo-2yr security review on our signatures even though they don't fundamentally do anything new... you have to go through IETF process, then you get your stuff through. If we can reuse JWS we get to skip 2 years of work. I sat down with John Bradley and Mike Jones and came up with something with JWS that we believe will work for the VC community, the signature doesn't change all that much, just the signature value. We pay a penalty of around 20 bytes per signature, which isn't nearly as bad as before where docs were going to double in size each time you added signatures. That was unworkable. The new format allows us to only add an additional 20 bytes now.
Manu Sporny: That's all really great news because it means that we can continue on, there's harmony between IETF and W3C on the signature stuff, we skip politics and time.
Manu Sporny: We had the theory down at IETF and when we met at RWoT ... and a number of people joined us and wanted to do implementation. We had Kim Hamilton from MIT/blockcerts.
Manu Sporny: Kim did the implementation in JavaScript, BigCHainDB implementation in python (missed one more)
Manu Sporny: We came in with an idea for how to do it from IETF and we left RWoT with 3 interoperable implementations. It all seemed to work nicely. It also opened the door to do Koblitz signatures using the same mechanism.
Manu Sporny: The signature stuff became really aligned and all good news.
Manu Sporny: Other things happened at RWot around decentralized key management and authentication. We still don't have fully interop implementations of DID specs, but DB and Evernym have committed to that. Christopher Allen can speak to people working on the bitcoin/ethereum specs that are related. The community seems to be working really well together, actually generating code, shipping products, really good, Christopher go ahead, please cover anything I missed.
Christopher Allen: We made real progress on a particular reconciliation with real code in three languages. The DID specs are moving forward, bitcoin and ethereum ones getting mature to match the Sovrin one. Other interesting work, around articulating reputation and other types of issues. Lots of higher level issues to continue. We're going to have another RWoT in October in Boston. First week of October. If people are interested in participating. Part of the reason why it was scheduled then was to fit in with 3 other conferences in Paris, security and privacy, eurocrypt, and privacy on the blockchain workshop. Those all went very well and CFRG meeting. We mentioned that we've got a secp256k1 spec, talked about advantages, got some reluctance to open up the political can of worms they've had in the past which is understandable, but the more important thing was that after this meeting Jim Schaad, who is the editor for the JOSE standards said that if there's a reasonable spec for secp256k1 as an internet draft that he's more than willing with his editor powers to add that as an acceptable cipher suite to JOSE without requiring a full CFRG review and a chair of CFRG said that was acceptable to him. That would let us bring in communities that use this alternative curve. I'm at Eurocrypt this week and since we're talking about educational use cases and the institution I worked with doesn't even exist made me realize long term signatures are important. I've been doing research into hash signatures which are inefficient and slow but crypto experts believe it's a strong long term tech (quantum resistant, etc.) it's a great way to have a long term sig. It's 43k per signature, which is significant but it may be worth the extra effort to have something last that long.
Christopher Allen: If anyone has any questions they can talk to manu or myself.
Manu Sporny: Wanted to follow up on hash based signatures. We met with a Canadian company working on hash based signatures and they are very interested in working with the VC group to get that sort of signature in. There's interest in that space, we can't necessarily move quickly on it but keep it in the back of our minds, especially because we've got a company packed with post quantum cryptoggraphers. It's useful multiple decades out, long lasting stuff.
Christopher Allen: Definitely says something as a requirement for our docs and the future, there's a big difference between a claim that you can get reissued ... claims that have short expiration dates, etc. and these long term claims, interesting from privacy and security point of view.
Matt Stone: That was a great update, both of you guys, thank you very much. Pretty exciting activity going on out there? Any more questions or comments on trip reports?
No other comments
Matt Stone: So, WG membership is the next topic.
Topic: Working Group Membership
Matt Stone: Everyone should have gotten a notice that the WG was created, if you want to participate please join. The first meeting will be the 16th of May. Call in information will be in the invitation to members of the WG, you need to join the WG to get the call in details, etc.
Matt Stone: It's W3C member only.
Matt Stone: We'll then be resuming work on the data model and use cases and so on when we get together next.
Topic: Suggestions for next week
Matt Stone: There are a couple of action items to finish up the docs from the CG, we'll do an update on that and make sure that's wrapped up. Any other topics we need to keep in mind for the agenda next week?
Manu Sporny: I'm wondering if we want to start ... there are a number of people who will be on the WG call, I'm wondering if we should do some preplanning on the topics we want to cover first. There's a question around when we'll have a F2F meeting if we'll have one in the summer, there are terminology issues we should tackle up front, we'll need to bring people online pretty quickly once the WG starts up, we'll want to understand what docs we want to publish and we should have another discussion on that. We may want to have some discussions before the WG starts up to prime these discussions.
Manu Sporny: We may want to have a discussion about that next week.
Manu Sporny: We to come up with topics to get into the WG to be ready to discuss.
Christopher Allen: I'd like to see a new kick off for the CG. The WG is going to kick off on its own. Starting fresh sort of (new kickoff) with the CG would be great. There's a broader issue of decentralized identity we'd like to have a place to discuss/post reports, etc. and come up with new docs.
Christopher Allen: There may be things that are in the decentralized identity community that don't belong in the WG or VC.
Matt Stone: Yeah, I think accepting a narrowed charter for the WG was fine given that the CG would keep working and feeding into a new WG/new charter in the future. So the CG keeps working on the next set of ideas.
Matt Stone: One of the things we were talking about on the chair calls as a matter of convenience, it would be nice if the CG and WG calls were back to back. So many of us are participating in both, if we need to slide extra time in the CG or WG we may have flexibility to do that.
Christopher Allen: Maybe that's just an agenda item and maybe the CG can have a longer meeting once a month on the same day as VC. Does the CG, with its new goals need to meet weekly, etc.?
Manu Sporny: The other thing, I've been hearing this second hand was to put the calls back-to-back, the other upside that I heard was that it would time box the CG call if it was 30 minutes before the WG, we'd see a bunch of people leave at the 30 minute mark. Two one-hour calls back to back is asking a lot, but a 30 min CG call directly before/after the WG is a pretty good idea. Everyone's just there and they've blocked the time out. The benefit for having it before is there's a hard stop, whereas after the call it can expand. If the chairs are diligent and it's 30 minutes only, to mop up after the WG, then that might work. With the possibility to extend if we really need that time.
Christopher Allen: Please not before :)
Matt Stone: We could change the WG start time to half-past if we don't want to go earlier.
Christopher Allen: +1 On that
Matt Stone: I'd rather not go earlier than what we're currently scheduled.
Matt Stone: Any more input?
Matt Stone: On next week.
No other input.
Matt Stone: That concludes our meeting for the day.