Versions Compared

Old Version 2

changes.mady.by.user Todd Gehrke

Saved on

compared with

New Version 3

changes.mady.by.user Todd Gehrke

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

  • Marcos Allende Lopez (LACChain/IADB), 
  • Stephan Baur (Kaiser Permanente), 
  • RJ Reiser (Liquid Avatar Tech)
  • Sid Mishra
  • Steve Megennis
  • Marcos Loiez
  • Sankarshan Mukhopadhyay
  • Drummond Reed
  • Julian Ranger
  • Savita Farooqi
  • Scott Perry
  • Kaliya Young

Agenda Items

TimeItemWho
2 minWelcome & Antitrust Policy NoticeChair & PM
5 minIntroductionsChair & PM
5 minBackgrounderChair
+Open DiscussionGroup
2 minWrap upChair & PM


Meeting Notes

  1. [Darrell] Anti-trust and membership policy introduction
  2. [Todd] Work at this group and GHP was reflected in conversations at the WHO call of 31Mar
  3. Key interoperability questions - [Darrell] some opening remarks on the topic of trust registries as a solution and where they fit in (are they a solution or a challenge?)
    1. Is there a way to establish transitive trust between different parts of the GHP digital trust ecosystem
      1. [Todd] establishing a globally scalable, jurisdiction specific registry is a challenge eg. X.509 trust registries - how do we work with those?
      2. [Darrell] analogy of lanes/queues to describe the nub of the issue
      3. [Julian] ‘who is being registered in these registry’ - assumption is people making the tests and vaccines (this massive trust registry is impossible) a short term solution is that the people who provide the trust (the app providers) provide it directly when presenting credentials.

...

  1. [Drummond] If we agree about: 1) multiple roots of trust, 2) each root of trust has a governance framework, then 3) is that we need a common protocol for an issuer to locate and query a trust registry using metadata from the governance framework.
  2. [Todd] ‘verifying the holder’ is a part of the Identity Binding WG; contents of the credential is also out of scope for this WG. Agreement on the discrete questions would help make progress - we are still talking ‘big picture’ in the discussions. It is time to focus on the questions we are trying to solve.
    1. [Scott] Todd raises a challenge in the fact that every individual working group wants to solve all problems.  It is up to Todd and leaders to keep us focused on our unique challenges to solve
  3. [Stephen Baur] Just a point from the issuer perspective: the # of registries becomes an issue when large and issuers need to “register” with each separately.
    1. suggest to formulate what “registering” means, like quality processes and audits of the issuer. One big concern: if the private keys are leaked trust vanishes quickly
  4. [Savita] using the framework of ‘necessary’ and ‘sufficient’ may be a way to find the direction and focus of the work output - ‘what is the verifier looking for’
    1. [Stephan] suggest to keep focus on registries of issuers and leave verifier to a separate concern.
    2. [Drummond] Marcos proposed that verifiers need 3 standard items: 1) is the issuer authorized, 2) what is the issuer’s public key for verifying the credential, 3) how do I check if the credential is revoked.
  5. [Drummond] Proposal: delegate the question of whether a governance framework supports “verifying the verifier” to the governance authorities for the governance frameworks.
  6. [Drummond responding to Julian] there exist interdependencies between different drafting groups. There’s a meeting of Credential formats and exchange protocols coming up and so there is yet no clear answer is it ‘just W3C VCs etc’
  1. [Steve Magennis] https://docs.google.com/document/d/140GMHlrVw7UdjD1RSoklL5cEfQxUNWd_O8__1rVpZ8c/edit see below
  2. [Drummond] Creating a document to have key/specific questions up for answering. Each member goes in to provide detail/links/thoughts to the approaches to the questions. To get a collective view of the key questions and preliminary thought about the answers.
    1. [Todd] document of key questions https://docs.google.com/document/d/1mVZ5pRGBhb7VK5pSPsaZwaDo9hRjlZiQmCdggknP4ec/edit#heading=h.bqnrtc8kz7hb 
  3. [Kaliya] - what are the other systems doing - the “closed loop” (Wave1)

...

From 30 MAR 2021 meeting - input from Marcos:

What form can practical trusted registries take?

-   Centralized

-   Decentralized (Permissioned, Permissionless, Federated)

-   Other?

Which information is necessary to register in a trusted registry by an issuer when a verifiable credential is issued?

-   Hash of the content

-   Status of the credential

-   Link to the issuer (DID + digital signature)

-   Link to the subject

Which information is necessary to verify against a trusted registry when they are presented to verifiers?

-   The issuer as an authorized entity

-   The status of the credential

-   The content/claims of the credential

Who is responsible for defining or maintaining lists of entities authorized to be issuers of specific verifiable credentials in specific contexts or jurisdictions (i.e., the laboratories authorized to issue certificates of COVID-19 tests in Honduras)

How do we specify in the verifiable credential the trusted registry where the proofs are registered?

How do we establish a standard for both centralized and decentralized registries to store and make available the proofs in a way that is common to everyone, so once the verifier figures out the trusted ledger to be checked and the access point to it (which should be able to do directly from the credential), the protocol to accomplish verification is standardized


Steve Magennis: I believe items 5-11 below is where our focus needs to be and where we can offer real value. Items 1-4 are deep, complex issues that need to be resolved well in advance of the actual act of verification. These decisions will almost certainly be fluid and driven by a complicated mix of policy makers, corporate lawyers, industry advocates, public health professionals and public opinion.

...