The GSWG meets bi-weekly on Thursdays at 11:00-12:00 PT / 18:00-19:00 UTC. Check the ToIP Calendar for meeting dates.
Understand the opportunity to create a governance framework for dual-stack interoperability.
| Time | Agenda Item | Lead | Notes |
| 5 min |
| Chairs |
|
| 5 mins | Review of action items from previous meeting | Chairs | |
| 5 mins | Announcements | TF Leads | News or events of interest to Governance Stack WG members: Scott Perry published a blog about 'How Do Humans Trust', (it received 2,700 views on LinkedIn and many positive feedback).
|
| 10 mins | Governance takeaways from Bhutan’s presentation on NFID given at Ecosystem Foundry WG | Drummond | Jacques von Benecke, the CTO of Druk Holdings and Investments (DHI), the company in-charge implementing Bhutan's National Foundational Id or NFID, gave their first ever public presentation, the recording of the talk can be accessed at the Ecosystem Foundry WG link. Drummond Reed got involved in the project fairly early on and that the switch over to SSI was due to the Drummond's book which was picked by Jacques and his team. He explains that Bhutan skipped federated Ids and went straight to SSI and it was similar to how developing countries skipped over conventional telecom systems and leapfrogged straight into mobile. He mentioned how Bhutan took governance seriously and drafted a National Digital Identity Act to root their project in law. Although the act has not been passed yet, it is in Parliament, and they hope it will be passed in the next session. Although, the National Digital Identity Act was drafted with the help of outside experts, the act is meant to provide a legal framework for digital identity in the country and ensure governance and regulation of the system. The act follows the Meta model, which designates a governing authority and an administering body, with the administering body responsible for implementing policies and frameworks. The act also includes a public review period and follows many of the recommendations made by Drummond and other SSI experts. Scott Perry discussed his work with Bhutan on governance, compliance, and accreditation. He mentioned that they have already made decisions on their technical stack and that they need to figure out what rules they want to hold themselves accountable to. Scott notes that the ecosystems of digital trust and identity will require some kind of oversight governance rules and trust assurance schemes, but there are still interoperability issues associated with it. He also said that there is still work to be done on the governance structure, and there are many rules that need to be established. Neil Thomson was concerned that if the government does not keep a copy of the credential, then how will they check it for expiry or updates in the future. Drummond explained that the credential issuer will have the underlying data, but once issued, the data is given to the holder, and they will not track the usage of that credential. He clarified that the selective disclosure and privacy features are important, and the financial format is the non-credit one that supports not just selective disclosure but also zero-knowledge proof-based disclosure. |
| 10 mins | Takeaways from Steering Committee Call - Viky Manila presentation | Drummond, Scott | Drummond Reed and Scott Perry provided takeaways from the Steering Committee Call where Viky Manaila presented on eIDAS-2. Viky gave a presentation on the state of play of the European digital identity Wallets initiative under eIDAS-2 and the governance around it, specifically trust services. initiative, and one of the primary reasons she is involved is that she sees ToIP as the primary place where the hard problems on interoperability as a whole are being worked. She believes the Trust Spanning Protocol will be essential to interoperability between wallets. The governance of the initiative will largely be in the regulation, with member states and industry-specific frameworks working within that overall ecosystem. The role of trust services is significant, and Viky works for a trust service provider in Italy. |
| 15 mins | Creating two new TFs | Scott | Scott Perry explored the creation of two task forces: 1) Museum Pass TF and 2) Credential Issuer Governance TF. Carly Huitema mentioned about GATF structuring their work into a series of documents:
The Museum Pass use-case can help in shaping the requirements and specification, perhaps expanding this further with the help of other from the Ecosystem Foundry. Carly mentioned these components could be developed mapped into the four levels of governance for the ToIP Stack. Credential Issuer TF Scott Perry stated that the group needs to focus on use cases with governance applicability and identify how they apply to the Trust over IP stack. He mentioned the need to consolidate thinking on a model case similar to Contoso and Microsoft, which demonstrated governance concepts. He also stated that requirements for issuers of X.509 certificates is similar to VC issuers and he had previously worked on X.509 issuer governance model three years ago. Scott mentions that the same categories used to issue X.509 certificates are also applicable in verifying credentials. Scott will lead the Credential Issuer TF and he needs volunteers to work on the Museum Pass use case. Neil Thomson mentioned the challenges of person-to-person exchange of credentials in SSI. Neil raises some use cases related to workflows where Bob calls Alice, and they need to exchange verifiable credentials and trust each other's identities and wallets. He also highlighted that SSI is different from the P2B2P model of OpenID Connect, and there are unique challenges to two people trusting each other, and perhaps this can be explored here. Museum TF Savita Farooqui has already done some work on this use-case but is constrained for time. Savita would like to see volunteers get involved so it doesn't end up just being her own idea. Scott Perry indicated he would post both these TFs on the Slack channel to attract volunteers and will go ahead if there are sufficient interest. |
| 5 mins | Any other business | ||
| 5 mins |
| Chairs |
Provided with ChatGPT and Grammarly assistance
Scott Perry reflected on his journey in the field of digital identity and how he came to be involved in the work being done by the organization. He mentions his initial concerns about the scalability of traditional X 509 certificates and the challenges he faced trying to get his certificate provisioned within a PKI network. He then recounts how he was introduced to Timothy Ruff, which led him to Drummond and the organization's work on self-sovereign identity.
Scott Perry expressed his emotional connection to the impact of the organization's work on the citizens of Bhutan, and how it can transform their economy and stature in the global economy. He concludes, passing the floor to Drummond to recap the presentation.
Drummond Reed discussed the success of the Trusted IP Stack and mentioned that he enjoyed working closely with Scott on this project. He hoped that it would make a big difference. He brought in Scott early on because Scott was one of the people that he had reached out to. Drummond then spoke about Bhutan's switch to SSI, triggered by a talk led by Jacques, the CTO of DHI in Bhutan. Bhutan had been going in a classic Federation direction, but they realized they could leapfrog and go straight to SSI.
Drummond compared Bhutan's switch to SSI to how developing countries skipped over conventional telecom systems and went straight to mobile. Bhutan was taking a risk in going directly to SSI, but they wanted to root it in law. They asked for help to draft a National Digital Identity Act, which is currently in Parliament. It was introduced in December but did not pass in the first session. The next session is in April.
Drummond mentioned that the recent public presentation by Bhutan was the first one they had ever done. He flagged it for the group because Bhutan had taken governance seriously and wanted the National Digital Identity Act to be rooted in law. He thought it was an excellent example for the rest of the world.
Scott Perry mentioned that he is under an NDA with Bhutan, and Bhutan said his and the firm names. He provided Jacques with a roadmap to governance, compliance, and accreditation. The effort also involves the Digital Governance Council and the accreditation work that Tim Bouma is doing.
Scott said that they are going to figure things out, and, in any organization or ecosystem that is producing this type of activity, this is just the first, but they think that there will be tons of these coming up. Bhutan moved forward quickly with technology and decided to control some risks. They have already considered governance and put some requirements in their technology stack.
Scott emphasized that some oversight governance rules and trust assurance schemes will follow digital trust and identity ecosystems. They have not figured out everything yet, but the process is becoming clear, and it emphasizes the work they need to do. There are a lot of interoperability issues associated with it. What are the rules? Everybody's got their own set of rules.
--> 00:33:54.490
Neil Thomson noted the presentation; it was mentioned that the Verifiable Credentials project does not keep any data. According to Neil, once the credentials are created, they are stored in someone's wallet, and there is no copy. He expressed concern about how this process would affect updates or renewals of the credentials, particularly if the government does not have a copy of the credentials. He asked how the government would check for the expiry of the credentials.
Drummond Reed responded that this is a persistent misconception about verifiable credentials. He explained that the issuer of the credential would have the underlying data. The data would be given to the holder of the credential, and the government would keep a record of when the credential was issued. He stated that once the credential was issued in the wallet, the government did not need to track the usage of the credential. He further explained that the project uses the Hyperledger's architecture, which is based on the Aries codebase.
Drummond Reed stated that the project emphasizes privacy and selective disclosure. He added that the project would also use zero-knowledge proof-based disclosure.
Neil Thomson expressed his understanding of Drummond's explanation and emphasized that he was concerned about the renewal process of the credential.
Dan Bachenheimer highlighted the importance of metrics like Aadhaar in establishing uniqueness within the population. He mentioned that these metrics were primarily used for de-duplication, evident in India, where all 1.3 billion residents were enrolled to create a unique 12-digit Aadhaar number.
Dan talked about Aadhaar and how Bangalore International Airports Limited used it to establish uniqueness and get core identity credentials in a decentralized digital identity wallet. He noted that in Bhutan, Aadhaar was also used to create a unique identity credential, which allowed for the inclusion of other credentials in the wallet.
Scott Perry expressed his interest in the airport's use of Aadhaar and acknowledged that this was an emerging technology he did not have enough information about. He noted that biometrics were also being used to get everyone to produce their biometrics and that this was a significant development to keep in mind.
Drummond summarized the presentation made by Viky Manaila, Trust Services Director for Intesi Group eIDAS2.0, to the Steering Committee 2023-03-22.
Drummond explained that Vicki had presented on EID2 and the state of play of the European digital identity wallets initiative, explicitly focusing on the governance aspect of trust services. She discussed the associated trust services, requirements, expected outcomes, and the infrastructure around them.
Drummond highlighted that one of the reasons Vicki is active in the group is because she sees Trust over IP as the primary place where the complex problems on interoperability as a whole are being worked out. During the Q&A session, Drummond asked Vicki what the most valuable thing that could help with adopting the ideas was, to which she replied, Trust Spanning Protocol.
The discussion then moved to the governance aspect of the initiative. Drummond explained that he thinks the regulation will be the overarching governance structure, and the member states and industries will have specific governance frameworks that will work within that ecosystem.
Vicki, who works for a trust service provider in Italy, also explained the role of trust services, their existing technical infrastructure for trust lists today, and many regulations around them.
Drummond inquired about our trust registry protocol, and Vicki expressed hope that it could be moved towards and adopted.
Scott Perry expressed his opinions on the Trust Services Framework, stating that many are personal. He noted that the good thing about it is that it has the government's endorsement. He expressed confidence that the government would put something out and oversee and regulate it.
Scott mentioned that in the past, he had seen other regulations, such as GDPR, come out like a freight train. They do it their way and get potentially over-regulated. He cited about 20 standards of this trust services framework and mentioned that he is an expert in analyzing the trust services provider rules. He noted that it is a complicated process.
Scott highlighted that the most significant challenge is that the framework is restrictive. He pointed out that one has to be assigned to an accreditation body in one of the member states to be a conformance body. He said that it does not matter whether you are qualified or not. Scott pointed out that it takes away some of the best minds and firms that can participate in the framework.
Scott stated that they are dealing with services that are being discriminated against based on residency status, and it does not make sense. He added that they want the best breed serving in a particular locality, but that is their choice. He mentioned that he thinks it is a fallacy in that specific strategy.
Scott addressed Neil's question, stating that the whole ecosystem is not in the EU. It is a global ecosystem, and they have to treat it globally. He noted that they must have global standards and cooperation globally around recognizing different accreditation, trust, assurance schemes, and global standards. Scott emphasized that they were far from there.
Scott stated that the Trust Services Framework is the first stage, and he does not blame them for moving and trying to get their house in order. However, it is going to be difficult. He pointed out that no interoperability or mutual recognition scheme is associated with their organization.
Scott Perry requested Carly Huitema to share the Governance Development Kit document and discuss the main topics being scoped out. Scott also expressed his interest in leading the discussion on how to organize the group's efforts toward building out the vision.
Carly then presented the Governance Development Kit document, split into four separate documents. She explained that it is a governance development kit parallel to a software development kit. The document includes requirements, use cases, and a specific use guide.
Carly mentioned that the Trust over IP implementation is included in the document. There is a need to thoroughly fill out the use cases, including those in the ecosystem boundary working groups. She also mentioned the museum pass use case as a possible example.
Carly discussed the meeting notes, which included sorting out the components into the four levels of governance of the Trust of IP Stack. The group also discussed filling in the Governance Development Kit document blanks, breaking it down to initially the "must" statements, then possibly the "should" statements. Carly also mentioned using the use cases to drive requirements but not exclusively, and developing a mental model for it.
Neil Thomson mentioned that he was thinking of several use cases, one about person-to-person direct contact. He said the same model from OpenID Connect, which is P2P. To P right, whereas t Trust over IP, and the whole SSI is talking about person direct contact. He mentioned the challenges in trusting identities and wallets, exchanging verifiable credentials, and understanding what each wants from a conversation or an interaction.
Savita Farooqui mentioned that Museum passes the classic issue or Holder Verifier just triangle.
Neil Thomson volunteered to lead the new P2P. He mentioned that there is a unique case. The remarkable thing that differs from the issuer, or holder, the verifiers, in most cases presumed to be a bank or some other service, right? So the interaction is not, but directly between 2 people. Neil mentioned the unique challenges between 2 people trusting each other.
Scott Perry mentioned that there was another document that Sabid and I worked on, that did not include P. Twop. He said that there needs to be enough risk to require governance processes to take place. If there is enough risk, one use case can apply to many tenants within trust over IP.
Publicise the Museum Pass TF and Credential Issuer TF on Slack and invite others to participate