Meeting minutes
VCWG Product and Wallet Vocabularies
Meeting Details
Participants List
Ingo_Wolf: health.
Ronald_Koenig: I
Carolynn_Bernier: Hi everyone.
Dr._Susanne_Guth-Orlowski: Hi there.
Carolynn_Bernier: Hi Susan. I believe this is the DPP day, right? a lot.
Dr._Susanne_Guth-Orlowski: I hope then I would be right too.
Carolynn_Bernier: Is Ted in call? I don't see him in the call. It would be interesting to identify motor vehicle wallet use cases related to DPP.
Carolynn_Bernier: I was wondering if there might be some electric battery passport use cases we could identify.
Dr._Susanne_Guth-Orlowski: So I've been working on an SAE standard on battery traceability data…
Ingo_Wolf: Okay.
Battery Passport Standard
Dr._Susanne_Guth-Orlowski: which is US focused I would say. I've put in all the attributes that we had from DIN spec 99100. So they're all in this SAE spec including identifier stuff on decentralized identifiers and verifiable credentials.
Dr._Susanne_Guth-Orlowski: So a lot of what we're doing in Europe is already in there.
Carolynn_Bernier: But this is for a battery passport standard,…
Carolynn_Bernier: right? an SAE version of the battery passport standard or…
Dr._Susanne_Guth-Orlowski: Yeah, it's battery traceability,…
Dr._Susanne_Guth-Orlowski: but they also I mean obviously with the requirements from the EU regulations, but then some US-based companies also did put some insurance stuff in there from other requirements that the US has Yeah.
Carolynn_Bernier: Here you're talking about the battery. But this battery specific stuff is it for the vehicle owner…
Phillip Long: Carsten made a list of wallet and DPP use cases, and there was in that list a battery use case described and I'm not sure that it's exactly what the relevance of it because I'm not sure whether in the short little description that was present it was focused as you just emphasized on what an individual owner of a vehicle should have in their wallet or… not but that might be a place to pick and choose the rows in that spreadsheet, which you might want to share on screen for people to notice.
Ingo_Wolf: Yes, I have it and…
Ingo_Wolf: I can share it…
Carolynn_Bernier: Can you share?
Ingo_Wolf: if you want.
Carolynn_Bernier: Yeah. No,…
Ingo_Wolf: Just a moment. So, let me know if I need to zoom in a little bit or if you can read it.
Carolynn_Bernier: cannot read it.
Ingo_Wolf: Yeah, just a moment.
Carolynn_Bernier: Does a car owner need to know anything about the passport of the battery that is in his car? Yes, Rigo.
Rigo_Wenning: This is when you sell your car. I think there's a lot of information that will be required technical inspection or so. and when you want to get rid of your car, I assume you also need lots of data. but I wanted to make the remark that Ivan made last time is I think more important than us suggesting item by item we need to make sure that the combinability is in place.
Rigo_Wenning: That means our use case should be look there is the European and perhaps Ted knows about the Asian, the Japanese, the Chinese DPP data and maybe we need to work on categories on because a certain item is in a category or and of course the decision whether this is user-facing or whether a producer of a car has exclusive access to this will be subject to raging legal battles because it's already the case for all kinds of data that normal cars this modern spying cars they record lots of stuff and…
Carolynn_Bernier: Yeah. Yeah.
Rigo_Wenning: in the
Rigo_Wenning: they invoice to show you that data so there is a real litigation going on saying hey no no it's my car so I own the data versus the car manufacturer saying no no we have produced it we recorded shut up and…
Rigo_Wenning: pay so there is this going on so I would rather
Ingo_Wolf: My god.
Rigo_Wenning: expect the vehicle wallet to integrate also parts that were perhaps not produced in the US to combine into a vehicle wallet and…
Rigo_Wenning: that we should make sure that this is combinable and…
Rigo_Wenning: then of course we can suggest certain key points that we think are useful.
Ingo_Wolf: Good. s***. purple.
Carolynn_Bernier: what can we put in a vehicle wallet? your answer would be DPPs of parts. Right. Right.
Rigo_Wenning: parts DPPs all kinds of combinability DPPs because it's just linked data you just combine it together with your name space and
Carolynn_Bernier: But I would like to focus on specific use cases that have value. So here on line there are several lines that are specific to DPP. There's line 19 or point 18 battery second life and recycling transfer credential. We have EV export import trust. that's maybe for more for the vehicle and less for the battery.
Phillip Long: Please.
Carolynn_Bernier: I don't know if we actually go to say that there's a DPP for the vehicle. do we actually want to go that way?
Rigo_Wenning: You can't exclude that because the ultimate goal for the circular economy is that the car gets dismantled totally and that requires that you have all the information you need to dismantle a car. Now we getting there is a thing I think it's from us the response should be that we insist on combinability meaning we expect things to be provided by lots of different companies and…
Rigo_Wenning: they should be combinable into something. so opened
Carolynn_Bernier: So we could have vehicle titles
Carolynn_Bernier: as verifiable credentials in the wallet. The title so I don't know if it's an ownership title. I don't know if it's the same thing. You have The car is registered with some registration authority. You could have insurance. So the car is indeed insured. So what you're saying, Rigo, is that we should propose a vehicle DPP use case for the vehicle wallet.
Rigo_Wenning: Which includes
Carolynn_Bernier: This is an individual driver's personal wallet, which yeah,…
Phillip Long: Yeah, I think if I might speak for a second, I think the lens on this is not the vehicle.
Ingo_Wolf: Just kidding.
Phillip Long: The lens on this is what does an individual…
Carolynn_Bernier: the owner.
Phillip Long: who is at the moment the ephemeral responsible party for that vehicle need to have and…
Carolynn_Bernier: Yeah. Yeah.
Phillip Long: the things that have been listed so far in the vehicle wallet is the owner's driver's license, they have an age verification credential and…
Carolynn_Bernier: Mhm. Thank you.
Individual Driver Responsibilities
Phillip Long: A vehicle wallet could contain certifications related to environmental test that vehicles must pass in terms of emissions from the car. which obviously an EV would presumably pass. there is a check of the driving condition in terms of its engineering safety, but that's only applicable if the car has been in an accident rebuilt in some way.
Phillip Long: And those are things that the individual driver is responsible for and…
Phillip Long: if they are pulled over or otherwise checked to see whether or not they have the privileges satisfied to do the driving of that vehicle as an owner.
Carolynn_Bernier: and…
Carolynn_Bernier: the environmental performance test is the driver's responsible for
Phillip Long: The driver's responsible for seeing that that gets done. clearly that rule was put in place when vehicles were combustion engines and there are individual businesses throughout the state who are registered to be able to perform that test that have devices that connect onto the vehicle and convey it directly to what's called the BAR is an agency that collects that data about these tests and…
Carolynn_Bernier: So right now the data is connected to the license through some external
Phillip Long: also makes it available to a DMV to connect to their license. That's right. DMVs actually have some extensive technology systems built so that both an individual can look up in a common location where all of the testing sites are for the various vehicles and find out that they are legitimately able to administer the test that the data when they go to that particular location is collected and sent directly to this database at the BAR …
Ingo_Wolf: Shut up.
Phillip Long: which I forget what the acronym stands for but …
Carolynn_Bernier: Mhm. I think …
Phillip Long: but I think it's the Bureau of Automotive Registration or something like that.
Carolynn_Bernier: I think this so Susanne has her hand up. I'll give her But What comes to me when you talk about an individual's wallet is that the individual's wallets can contain,…
Ingo_Wolf: Hey, come
Carolynn_Bernier: claims about the products that they own. So the credential object is the car.
Carolynn_Bernier: I'm making claims about a car,…
Carolynn_Bernier: but the holder of the credential is the owner, Not the car, right? Right.
Phillip Long: Right. That's correct.
Phillip Long: S such as car insurance being valid, for example. Right. That would be something that the individual would possess in their wallet and if they were pulled over and they needed to show that they have insurance then they would potentially have a credential in their wallet that verifies that and what that again there may already be systems in place where there is a website someone can go to. The difference is whether it's value added to be able to possess that in one's wallet
Carolynn_Bernier: You done?
Dr._Susanne_Guth-Orlowski: Yeah, thank so if we're concentrating on the personal wallet, what comes to my mind is the critical question of who owns of course also usage data of a battery. and that's something also with regards to GDPR that's been discussed in a couple of rounds. because on the one hand side I want to understand how the car is used especially as an insurance for example how often is this driven according to the rules how is the battery charged and discharged so…
Ingo_Wolf: Okay.
Dr._Susanne_Guth-Orlowski: but that's actually personal data and it underlies the GDPR and it's worth protecting so it's a different form of personal data but I believe it might make sense to list it here.
Carolynn_Bernier: Thank you, Susanne. Rigo, you had your hand up.
Carolynn_Bernier: Did you
Rigo_Wenning: Yes.
Rigo_Wenning: I think what Phillip described this kind of exhaust pollution test certificate will in the future be the battery life cycle certificate thing like that. And so I think when I said combinability I said look let's we have no expertise in this we are not domain experts we have to make sure that perhaps look with Ted what information about certain security conditions certain consumption conditions
Rigo_Wenning: battery health status also should be in a wallet and this has two dimensions. The first dimension is it must be combinable with verifiable credentials. So that means we need to make sure that the thing is interoperable, meaning that the battery producers produce data that is importable into that wallet or…
Ingo_Wolf: Got you.
Rigo_Wenning: into a secure verifiable credentials on the one hand and the second thing is that we address as a coordination point that we addressed Ted and says, "Hey, and what about looking at your organization…
Carolynn_Bernier: Covesa
Rigo_Wenning: which is I think Covesa
Rigo_Wenning: why don't you put the question into Covesa because in Covesa they produce vehicles for the US and Europe and if they have only one format only one maybe they have to slightly adapt but if they have common categories and the use case is hey the Europeans have already this and this and this why don't you take that and that then we have done also our work as in the charter as global coordination point and I think those two points are for me more important than a detailed list of things that should be in there.
Rigo_Wenning: Not precluding that we also send a list of those
Ingo_Wolf: Perfect.
Ivan_Herman: So I may be completely on the other I don't know how you would say that in English. if I have a car in the US which is electric car and these days the car is probably halfway Chinese. Isn't it possible that the battery is coming from China and therefore described using the DPP standard of China and that has to be combined with the DPP for god knows what other parts of the car which is a DPP variant for the US and in the same VC we have to have both the Chinese data and the car data and whatnot.
Ivan_Herman: and the question is can we do that if we can that's the proof of existence which is important now as I said I have no idea how these things work so how these VCs for cars are set up but they are built up out of constituent parts and all the constituent part have their own passport coming from the countries of origin so somewhere someone at some point has to combine these various DPP data and…
Ivan_Herman: that's where VC can come into play as a stronghold.
Carolynn_Bernier: No, not VCs, linked data.
Ivan_Herman: And VC you both for sure, Carolynn. But then you build up a VC with a combination of the data which is expressed in linked data. You put a VC around the linked data,…
Ivan_Herman: so to say.
Carolynn_Bernier: Ivan, this is exactly…
Carolynn_Bernier: why we created this task force.
Carolynn_Bernier: the Chinese are working on their battery DPP standards and I don't know how the mutual recognition mechanisms will happen between the different states between China and the US or China and EU if EU will recognize the Chinese DPP standard or…
Carolynn_Bernier: will they require an EU DPP this is not certain for mandatory products right for No,…
Ivan_Herman: But that means I'm jumping you.
Ivan_Herman: I should not s No,…
Carolynn_Bernier: no, no, no. Go ahead.
Ivan_Herman: Susan is on the queue.
Dr._Susanne_Guth-Orlowski: You can close your discussion if you want and I come in after that.
Ivan_Herman: And then the California authorities have to fill in the holes that we do not know how they treat a car which comes from China. But the emphasis is the combination. that's the answer we can give to money.
Ivan_Herman: I don't think that we can give a detailed use case right now because we don't know them. or for example…
Carolynn_Bernier: So the use case is the import of a car with a Chinese DPP battery DPP or…
Carolynn_Bernier: a European battery DPP.
Ivan_Herman: which has to be combined with whatever is part of the car…
Ivan_Herman: which is I have no idea what batteries American electric cars use.
Ivan_Herman: So, I have no idea.
Dr._Susanne_Guth-Orlowski: Yeah. I think it's relevant to have this vehicle DPP and the data combination part because in the end all use case or a lot of use cases will work this way. I wanted to say that I've been talking to a lot of car manufacturers lately. and they have the duty to put several DJ passports out for the vehicle. They are hit by the tires DPP, the textiles DPP, steel DPP, battery DPP.
Dr._Susanne_Guth-Orlowski: So they're very loudly thinking of having a vehicle DPP that then points to the DPPs of the components which I believe is what Ivan was thinking about as well and I believe that's the right way to go this linked data approach but you point from a car credential to the subcomponents credentials. So that's one thing that I wanted to mention that this is also already in the heads of the European car manufacturers. And the second thing I wanted to say is that we've been thinking about building the state of health of a car by adding state of health credentials in a regular fashion. So daily or weekly.
Dr._Susanne_Guth-Orlowski: you can issue the loading cycles and discharging cycles and negative events and so forth. also to a battery and maybe to a vehicle that then is another use case. So the state of health is definitely a use case.
Carolynn_Bernier: Rigo, your hand is up.
Rigo_Wenning: Yeah I have another point which is when you buy a car in Sweden Sweden has a fantastic system where there is a total tracking of the car. That means when you buy the car the car is 6 years old. You know how many kilometers it has run, how often it was repaired, how often it was in maintenance and all that history of a car. And this is very very important when you import cars, when you export cars, if you buy cars.
Carolynn_Bernier: how do vehicle wallets work with personal digital ID wallets? They have two wallets? They have one for their vehicle related things…
Phillip Long: No, no. there is the only digital ID that is available is the driver's license…
Carolynn_Bernier: which goes into a vehicle wallet.
Phillip Long: which goes into a vehicle wallet
Carolynn_Bernier: I see.
Carolynn_Bernier: So a vehicle wallet is equivalent to the EUDI wallet in Europe.
Carolynn_Bernier: the digital identity with your citizen card or…
Carolynn_Bernier: I right sure it is.
Phillip Long: with the exception that it is not limited to any particular vendors.
Phillip Long: And I'm not sure that the EU wallet is available in that
Dr._Susanne_Guth-Orlowski: Yes. Yes, it is. Yeah. So you have one wallet that is being made available by the government and…
Carolynn_Bernier: Yes, it is.
Dr._Susanne_Guth-Orlowski: then you also private wallets are being accepted.
Ingo_Wolf: Yeah,…
Carolynn_Bernier: Similar to the Okay.
Phillip Long: Correct.
Carolynn_Bernier: All I was Thank you, Phillip, because this makes it much clearer the link between these two wallets. I think that I don't have access to this Google sheet.
Carolynn_Bernier: When Carsten provides us access, I think we can all go there and add the few use cases we just discussed. I'm a bit confused because I thought that on the 15th of June, so last week, we had a meeting on DPP task force so I thought this meeting was for the wallets because we're trying to alternate each week.
Ingo_Wolf: this was also my expectation actually, but
Carolynn_Bernier: Yeah, but Carsten is nowhere to be seen.
Carolynn_Bernier: Yes.
Rigo_Wenning: Frankly I think this will not be the first confusion and not be the last so I don't believe so first of all wallets and DPPs in the context of verifiable credentials are very much related.
Carolynn_Bernier: We all agree.
Carolynn_Bernier: Yes. This but with Carsten we tried to alternate…
Rigo_Wenning: and…
Carolynn_Bernier: but I don't know where his head is. the task force Thank you.
Rigo_Wenning: Ivan, I'm not subscribed to the mailing list so far.
Ivan_Herman: which one?
Rigo_Wenning: I don't know which one should I be subscribed to. Maybe we take that offline.
Ivan_Herman: First question is, Rigo,…
Ivan_Herman: have you officially joined the working group? so you have to officially join the working group and…
Rigo_Wenning: No. Okay.
Ivan_Herman: And you have to add yourself or I can add you to the task force official list.
Rigo_Wenning: That's clear. Okay. I have nice few fitters.
Ivan_Herman: But be careful because you will get loads of other emails as well.
Ivan_Herman: But you are used to that. Yeah.
Carolynn_Bernier: …
Carolynn_Bernier: because Carsten is nowhere to be seen and I'm just going to take over his meeting. yes,…
Ingo_Wolf: Maybe a short remark.
Carolynn_Bernier: Ingo, please go ahead.
W3C Recognized Entities Specification
Ingo_Wolf: I talked to Carsten this morning and we agreed on if there is interest in the group to talk about a draft that was recently released by W3C and it could be relevant for our topics and…
Ingo_Wolf: it's about verifiable credential recognized entities. so…
Carolynn_Bernier: Okay.
Ingo_Wolf: if the group is interested I had some short dive into and I can present four or five slides about this topic. otherwise feel free to take over Carolynn.
Carolynn_Bernier: I no I think the topic of so just very briefly for the DP just summarizing the next steps for just the DPP work this week I'm meeting with Ivan who will help me create a template for the DPP note or use case or guidance document or however we want to call the document we will start writing together.
Carolynn_Bernier: I want to start by focusing on the topic of why we want to bother issuing a DPP as a verifiable credential in the first place. Okay, I already have lots of content on this…
Carolynn_Bernier: but I want this to be the starting point for this document. So in the coming days you will receive from me a link to this the GitHub repository for our work where you will be invited to contribute on this very topic of why I should bother issuing a DPP as a verifiable credential in the first That's the starting point. So next now to I'm done. It's over to you Ingo.
Ingo_Wolf: All right.
Ingo_Wolf: Thank then let me quickly share my screen and then I will guide you through. yes. So basically you might have been aware of that or not. there is a specification at W3C called recognized entities and I wanted to understand where is it to be seen in a technical architecture and also how it is to be differentiated from other technologies where I just put one example here AuthZEN
Ingo_Wolf: It's an authorization API at the OpenID Foundation and I wanted to understand the differences of both and let me shortly introduce it to you and feel free to interrupt me and questions are welcome. So I know AuthZEN from the OpenID Foundation activities as a standardization activity between a policy enforcement point and the policy decision point during the evaluation of a call authorization request and this allows for fine-grained authorizations first of all and also
Ingo_Wolf: to standardize the protocol how these two components talk to each other and the difference to recognized entities and verifiable credential recognized entities is another layer. they can be layered on top or let's say it's a different aspect that this specification addresses and it's about trust management and maybe that is responsible that is useful if we further continue our work here because what recognized entities is it's summarized
Ingo_Wolf: here it's a static data model that leads to verifiable recognition credential and this answers questions like is this issuer or verifier recognized to perform a certain action to issue or verify type x credentials. we know similar approaches at least in Europe already in the trust management that is specified in ETSI trust services list or in X509 PKI infrastructure or in MDL EAL or in the decentralized web of trust and what it makes what it enables or it's possible then to verify
Ingo_Wolf: those recognition credentials offline with the tools we have data integrity proofs and no call to the issuer at the time of verification. So this is as written here in published in May this year and yes Carolynn of the credentials.
Carolynn_Bernier: I actually think that the second point on the left is incorrect. I think that the question is this issuer verifier recognized to perform an action? I think is this holder of the credential recognized by the issuer to perform an action.
Phil_Archer: It can be both.
Carolynn_Bernier: Can you elaborate on that?
Ingo_Wolf: Are you sure?
Recognized Entities Credential Use
Phil_Archer: Yeah, it's mostly recognizing the issuer. It's about so you have a credential that says your product is organic. where did it come from? who said who accredited the organization who issued the certificate that said your carbon footprint is whatever it is. so it is primarily working up the chain until you get to a root of trust.
Phil_Archer: You could potentially go down and say this person I'm issuing credential to I guess it always works in two directions this holder is recognized by somebody else to be child friendly or whatever it may be but those certifications is the main usage of this and go I don't know if you're aware but that recognized entities document was created by another task force within this working group. So all people behind it are there. It was talked about somewhat detail at the face-to-face the other day. not only is the document there, there's also man has done a lot of work on the threat model for it as well. So there's quite a lot of work gone into it. There's still more to do. our own use case here at GS1 is one of the use cases that needs to be put into that. and UNP is another important use case.
Phil_Archer: So a lot of people in the group are looking at this bit of work. the bad news for you is that particular task force meets at 10:00 p.m.
Ivan_Herman: Yuck.
Phil_Archer: on a Tuesday night your time.
Carolynn_Bernier: That's the Australian lobby.
Carolynn_Bernier: I think my gosh.
Phil_Archer: Yeah. the Australians…
Ingo_Wolf: All right. No.
Phil_Archer: who have it first in their morning while the Americans are having their afternoon. So I go to that meeting, then I go to bed.
Carolynn_Bernier: Phil Phil, just so that we agree I understand the holder is being recognized to do an action by an issuer and…
Carolynn_Bernier: it doesn't say anything about the issuer.
Phil_Archer: It is mostly about the issuer.
Phil_Archer: Is the issuer recognized as an authority on the subject about which they have issued a credential to whoever. So is this organization so the think about a certification sorry conformance assessment bodies CABs so there are loads and loads of conformance assessment bodies and they will and you pay them and they check that your processes meet certain guidelines or standards set by other people. somebody else, usually a national service of some kind, usually an offshoot, not quite close to government, will be the one that issues that accredits the conformance assessment body. So in the UK, if you want to have an organic certification on your food product, then you get that from an organization called the Soil Association. Who the hell are they? No one's ever heard of them.
Phil_Archer: They get their accreditation from an organization called the United Kingdom Accreditation Service which is close to government and they give their accreditation to all sorts of conformance bodies and the UK accreditation service is itself a member of a global organization called ISAC and so there's a chain all the way up which is measured which is matched of course by the GS1 system where you get your GIN that comes that you show yourself that you do based on a license that you got from GS1 Germany. Who the hell are GS1 Germany? they come from GS1 global office and so on. So those chains are really what recognized entities is about. Slight difference in emphasis from Steve Capel who is working on Here is a list of people who we recognize are we recognize their ability to issue credentials for certain things.
Phil_Archer: same kind of thing.
Phil_Archer: But it is mostly about the issuer who is recognized to perform to issue the kind of credential that they issue rather than the holder.
Carolynn_Bernier: No,…
Carolynn_Bernier: I disagree with what you just said, but I think it's a terminology issue, Phil. it's the issuer of another credential that is the holder of this recognized entity credential. Phillip.
Phil_Archer: I guess you could say it that way.
Phil_Archer: It's either way it's why should I take any notice of this credential? What is it about this credential or about me that somebody might choose to put trust in me?
Phillip Long: Another way that might be helpful in the US at least, this has been a topic of interest to universities. And the question in this case is this credential issued by this university something that is in fact recognized and can be demonstrated to be from that university. The holder is whoever the individual is that received it.
Ingo_Wolf: There you go.
Phillip Long: But the credential in question is issued by this university and this particular registry or entity recognition system is holding information about that issuer and might have in it. For example, a credential from an authoritative body like either the government or an accrediting agency that says yes, they are licensed to or…
Ingo_Wolf: That's
Phillip Long: have passed whatever requirements are present for them to be able to issue credentials for a balora.
Carolynn_Bernier: Yes. So the registry or…
Carolynn_Bernier: the university's wallet holds this credential,…
Carolynn_Bernier: this recognized entity credential.
Phillip Long: The institution has data then in the form of a verifiable credential in the registry that documents their legitimacy for making that credential issuance.
Carolynn_Bernier: Yes, but this is just where is the credential stored?
Carolynn_Bernier: Is it in a registry or is it an institutional wallet? Right.
Carolynn_Bernier: It's just a matter of where you All right.
Phillip Long: It has to be something that's available to the public to access…
Phillip Long: because it is a statement about the capability of the organizations claiming to be able to do this thing this issuance process and the credential that they are generating from it. Is that something that is possible to trace as Phil Archer mentioned to by some mechanism to give it legitimacy? Phil, did I get that right from your perspective?
Carolynn_Bernier: Okay.
Phil_Archer: Yeah. Yeah.
Phil_Archer: Absolutely. Yeah. Yeah.
Carolynn_Bernier: So, I think we're all on the same page. Thanks, Ingo. Please continue.
Ingo_Wolf: I think that was already…
Carolynn_Bernier: Okay.
Ingo_Wolf: what I wanted to say. so an overview on how to understand this recognized entities and…
Ingo_Wolf: how it differentiates from fine-grained authorization access management on the transport layer. Let's say this. Ivan, you have another remark.
Ivan_Herman: two actually one is that I know this is the way it's formulated in the specification itself I disagree with that formulation it's not a new data model it is and…
Ivan_Herman: it is very important for us to realize that this is using our own dog food so to It is a verifiable credential for something that we need and I was also responsible for messaging around this whole set of technologies.
Ingo_Wolf: All right. Thanks.
Ivan_Herman: I want to emphasize that we are issuing verifiable credentials for our own purposes as well. there is no new data model.
Ivan_Herman: is just the same data model with specific vocabulary which is related to the recognization purpose. So yeah, the other thing that it is not yet fully in the standard or the draft but I believe it is already partially there in the credentials that you issue for an issuer you can add relevance to other systems.
Ivan_Herman: So the X five or whatever number it is, you can add your reference to the X blah blah information about you as well. So it's not like it is totally separated from all the other system that are out there. But you can also bind it to other existing systems which have similar goals. I don't know about the open ID thing that you referred to whether it is already there…
Ingo_Wolf: All right.
Ivan_Herman: but that was explicitly said at the face-to-face meeting that they tried to make it yeah I think it was fine no thank you so it is explicitly said that they don't want to create an isolated thing
Ivan_Herman: There. Yeah.
Carolynn_Bernier: I…
Carolynn_Bernier: if I recall from the face-to-face meeting one of the criticism that Steve had about this recognized entity credential is that it's a top-down approach to linking identity. So one issuer creates a credential that recognizes a holder and the holder can create credentials that for their own things like an accreditation body creates a credential for a test lab and a test lab can create product test result certificates which can be linked to a DPP.
Carolynn_Bernier: So it's kind of like a top down but if you start from the DPP and you want to go up the chain and…
Carolynn_Bernier: and figure out who is the accreditation body for that lab to which you have access in terms of the report. this was under discussion because it was not clear that you could do it using this approach. Ian No,…
Ivan_Herman: Yes, I remember that discussion and…
Ivan_Herman: I also remember that acknowledgment that this is important to have and actually here is a perfect example where the best thing to do is to raise an issue in their repository. this is necessary. Sorry, Carolynn, that back to you.
Ingo_Wolf: Thank you.
Ivan_Herman: But Okay.
Carolynn_Bernier: no, Miss Steve will take care of it because that's his pet peeve. So, I'm totally certain that Steve will take care of this…
Ivan_Herman: Okay. Yeah,…
Carolynn_Bernier: because otherwise and…
Ivan_Herman: it hasn't happened yet.
Carolynn_Bernier: in the DPP world, this happens all the time. You only have the DPP. How do you go back to the root of trust?
Ivan_Herman: Carolynn, I don't think you have to convince anyone.
Carolynn_Bernier: You can't …
Ivan_Herman: We are all convinced that this is necessary.
Ivan_Herman: And I think actually to be fair the other task force is also understanding that this is necessary. It just has to be followed up and this is the reason of raising an issue that nobody would ever forget it.
Ingo_Wolf: Get out of my neighbor.
Carolynn_Bernier: okay. …
Ivan_Herman: That's why it's important to raise the issue. So if Steve hasn't done it yet, then it may be the perfect opportunity for your first issue in a GitHub repository.
Carolynn_Bernier: I need So we'll do that on Wednesday together.
Ivan_Herman: Sorry. Sorry. Yeah, that's exactly…
Carolynn_Bernier: You want?
Ivan_Herman: what I want…
Carolynn_Bernier: All right.
Ivan_Herman: why I said that
Carolynn_Bernier: Thank I don't have anything else to say other than everybody will receive a link in the coming days with the maybe Phillip since we have four minutes left you can speak rather than Right.
Phillip Long: I was just following up on Ivan's comment. It is a hierarchical approach in some sense, but the root node is not specified. Anybody can decide that they want to be an issuer of an entity credential with described capabilities. And so the community can take that as being a reasonable root of trust or not. And as a consequence,…
Ingo_Wolf: Come on.
Phillip Long: it's not limited to something that has to be done and initiated by for example a federal or governmental entity or agency. There could be one of difference of these kinds of entity registries for different business verticals where the community in that particular business vertical are the domain knowledge experts and they get together and…
Carolynn_Bernier: Is that
Phillip Long: form some sort of association to support this recognition of capability for their members. That's
Dr._Susanne_Guth-Orlowski: Yeah and it's something that we also already looked at with the Global Battery Alliance and International Trade Centre in the operational trials of where the GBA accredits their members for correctly calculating the carbon footprint of a battery for example. So that is also possible. And I am not as good as maybe others to introduce topics in the call. So I would like to share this link in the chat.
Access Control for DPP Data
Dr._Susanne_Guth-Orlowski: It's something I wrote last week. And it is relevant for access control in the context of the passports where we have two different user groups which are the governmental side with the European Commission and market surveillance authorities and the actors of legitimate interests for example repairers and so forth who need access to controlled DPP data. So it's really a mixture between our two topics DPP and wallet. And I would like to hear any response or reaction that you might have to the idea of organizing orchestrating this access control based on registers that are already there for example for companies and their access to control data based on the NACE code.
Dr._Susanne_Guth-Orlowski: The NACE code describes the nature of a business of a company and it's unique across all European countries already and the other one is the registered market authorities and if we can build it then we probably can also solve the access control to digital product passports and I've already talked to the bundes for who's lishure and it's access on the business registry in a lot of countries and they're already issuing all credentials with a NACE code for example.
Ingo_Wolf: Hallelujah. off. Yeah.
Dr._Susanne_Guth-Orlowski: So it seems to be maybe a good approach. Yeah any reaction from your side is welcome and let's discuss this
Carolynn_Bernier: I think that my recent talks with the European market surveillance alliance from me several member states they fully understand the need for a business wallet at least for market surveillance access to control data to DPP.
Carolynn_Bernier: So this is completely in the radar Susanne. But this is a slightly different topic than the persons with legitimate interests which is much more complicated. For example for the market surveillance authorities the issue the credentials issuing system could be ICSMS directly.
Carolynn_Bernier: So ICSMS is the system that market surveillance authorities use in Europe to report on a report on non-compliant products and it's an easier problem to solve than the problem you're talking about which is business registries which I hear in Germany is very complicated topic.
Dr._Susanne_Guth-Orlowski: It's just so many different authorities, but everyone has a code and…
Carolynn_Bernier: Yeah. Yeah.
Dr._Susanne_Guth-Orlowski: duties related to it. So maybe it's not so complicated.
Carolynn_Bernier: Is it a centralized code? Who issues these codes?
Dr._Susanne_Guth-Orlowski: The NACE codes, you mean? It is well…
Carolynn_Bernier: It's not an issuance. There's no identifier issued.
Ingo_Wolf: Hello.
Dr._Susanne_Guth-Orlowski: if you issue a business wallet owner ID data credential then it's already part of that
Carolynn_Bernier: Yeah, I see.
Carolynn_Bernier: I No, I think for the complicated topic for access control using wallets for DPP, is the need to combine credentials in order to really authenticate yourself…
Carolynn_Bernier: because a single credential will not suffice. I'm not sure.
Dr._Susanne_Guth-Orlowski: Yeah. Yeah.
Dr._Susanne_Guth-Orlowski: And that's another idea that they can do. But if I talk to and they already put this NACE code into the identity credential anyway. So we might not even have to do so anything to make it work that way.
Carolynn_Bernier: You may need to have the employee ID credential presented at the same time as the organization credential in order to be authorized to access the sensitive data. I'm not sure a single credential would suffice. Maybe Rigo you have an idea on this.
Ivan_Herman: Guys, I'm sorry,…
Rigo_Wenning: Just quickly don't underestimate so…
Ivan_Herman: but we have a different call coming up.
Carolynn_Bernier: Okay. Thanks Rio.
Rigo_Wenning: if you have the exact approach with the policy decision point I organized in 2010 a workshop…
Ingo_Wolf: Come on. Cheers.
Rigo_Wenning: where we tried to put link data into that it works somewhat but it's not working well and frankly it will get you into a GDPR disaster because then for every call you have to call the policy decision point which is centralized and so The Simona we have discussions with the EU with the commission and Simona and Ivan they made a very good presentation.
Rigo_Wenning: We can look at this. But I wanted to note and perhaps for Ingo and Susanna that one of the really really beautiful things about verifiable credentials is that you can put one verifiable credential into another verifiable credential and…
Ingo_Wolf: Here we
Rigo_Wenning: that you can't do that with the PDP approach. not really so you may have a federal identity that recognizes the lender identity that recognizes the town the hundreds register validity and…
Ingo_Wolf: b****. Wow.
Rigo_Wenning: then the hundreds register can then issue whatever they want. so I think
Rigo_Wenning: kind of putting them into a Russian puppet is maybe an option you have.
Rigo_Wenning: And this is different using and this is not possible using the classical stuff as far as I know, but I'm not the ultimate Press.
Carolynn_Bernier: So there's the Russian puppet approach and…
Carolynn_Bernier: then there's the bundling of VCs approach. So I don't know technologically which is best approach to but I can't imagine that there will not be a stack of credentials you will have to present in order to be authenticated for access you as a human but acting as in the name of your organization accessing some sensitive data somewhere. How do you present all of this all at once to get access? Right? You see…
Dr._Susanne_Guth-Orlowski: Do we really need the person who's acting on behalf of a company it makes everything so complicated so I just left it
Carolynn_Bernier: what I mean? That's a very good question. It's a know. I don't know how this is the question.
Carolynn_Bernier: I don't know when a market surveillance authority does some investigation the name of the person who's performing this investigation is registered in the investigation itself for legal reasons. I don't know. This is a question.
Rigo_Wenning: for the company wallets. this is all registered. That means if you have you in the company register that and what they try is to produce those company registries. and company registries are an invention of the first world war to exclude companies from the enemy country who would still do business with you. which is the sad part about this hundista thingy. there you don't have to the question of whether the natural person is involved or…
Ingo_Wolf: s*. Shoot.
Rigo_Wenning: is not really an issue because those persons able to represent the legal person are registered in the register anyway.
Rigo_Wenning: So it's then only a matter about a selective disclosure.
Rigo_Wenning: Do you want to disclose that or is it sufficient that the register knows that you are entitled to this is
Carolynn_Bernier: You mean every single employee no…
Carolynn_Bernier: who is authorized to act in behalf of a legal person is known to the registry.
Dr._Susanne_Guth-Orlowski: No, no, no, no, no, no, no, no. but in the registry, you have the people that are in charge of the company and that can represent the company.
Carolynn_Bernier: But most likely they delegate that activity to some other low-level person.
Dr._Susanne_Guth-Orlowski: Those people
Rigo_Wenning: And here you have your chain again.
Rigo_Wenning: If they delegate signing authority if you get into a formal for example in front of a notary it's not sufficient. Then you need to have the representative that is authorized to represent the legal person which is the person that Susanna mentioned. So there is again a chaining going on and putting things inside each other.
Rigo_Wenning: So we could imagine for example that some of those legal authorities people then delegate authority and you can still make and doing that in a PDP has the issue of having a flat tree which is not verifying you just get a flat table and…
Rigo_Wenning: saying this person has authorized it but you don't know why then you need additional metadata and so on. You can mimic that but it's more complex.
Dr._Susanne_Guth-Orlowski: But I don't see the requirement written down anywhere…
Dr._Susanne_Guth-Orlowski: where identify the person who did something in the name of a company a legal entity for example is registering the DPP at the registry full stop. you don't have all this company internal chaining to the outside
Rigo_Wenning: Susanna, it's not a legal requirement, but it starts as soon as you have abuse. and the court said, "Yeah, but you said it, right?" And then people want to have a proof that and then somebody says, "No, I never said it." …
Rigo_Wenning: and then you need evidence in front of a court saying, "Yeah, but he did it." Right? And that's where this chaining comes on.
Dr._Susanne_Guth-Orlowski: Yeah, I understand fully.
Dr._Susanne_Guth-Orlowski: Rigo, the question is do we need to solve that today for DPPs with verifiable credentials?
Rigo_Wenning: I think so because of the secret company information. So if you talk to Kolin and Kolin talks to Mishla, they're very nervous about very nervous. so for kind of not really critical information. Yeah, I think we all agree that this should be totally dirt. But the more we advance in DPP and dismantling and recycling the more we will need very sensitive information and then it starts going so this is again just checking that in case we get there we don't have to reinvent the entire thing to overcome an obstacle.
Dr._Susanne_Guth-Orlowski: So, we could probably discuss another hour on this, but maybe we do it next time. So, we're already 10 minutes late. But it's an important discussion I think and it would be great to have a regulator in the room that tells us where the borders are of our system because at the moment with the borders of our system are being enlarged.
Dr._Susanne_Guth-Orlowski: Yeah.
Carolynn_Bernier: Yeah. I think the regulator is not there yet.
Ingo_Wolf: church. What's up?
Carolynn_Bernier: So if you ask him, they will not be able to help you. They don't know yet.
Dr._Susanne_Guth-Orlowski: Yeah, as always, I know we have to tell them…
Rigo_Wenning: That's the unknown.
Dr._Susanne_Guth-Orlowski: what they should think and do. Yeah,…
Rigo_Wenning: Yeah, that's the unknowns.
Rigo_Wenning: So have to invent our own
Dr._Susanne_Guth-Orlowski: that's what we do, For the last five years.
Carolynn_Bernier: We have Thank you. Ciao.
Ingo_Wolf: Thank you.
Ingo_Wolf: Have a nice evening.
Meeting ended after 01:11:59
This editable transcript was computer generated and might contain errors. People can also change the text after it was created.