To present various initiatives addressing global health credentials and their impact on governance.
| Time | Item | Lead | Notes |
| 5 min | Welcome Antitrust Policy Notice Introduction of Meeting Agenda | Scott Perry | |
| 10 min | Survey of Global Health Initiatives | David Janes | |
| 15 min | Introduction of Panelists and their Initiatives | Panelists | |
| 30 min | Panelist Discussion Q&A | Panelists |
Chat Notes
From Me to Everyone: 10:51 AM
Please acknowledge your attendance by entering your name in the meeting page: https://wiki.trustoverip.org/pages/viewpage.action?pageId=73196
From Drummond Reed to Everyone: 11:04 AM
http://goodhealthpass.org/
From CHARLES WALTON to Everyone: 11:05 AM
=“Good Health Pass” - and it is global in nature.
14:09:51 From Kaliya Identity Woman to Everyone : there is no such thing as an “open source standard” there are open standards that are free to any one to implement - there is open source code and there are open source implementations of open standards. Please STOP conflating open source and open standards.
14:10:16 From Thomas Cox to Everyone : Thank you @Kaliya!
14:10:19 From Daniel Bachenheimer to Everyone : https://www.goodhealthpass.org/
14:11:59 From Jim StClair to Everyone : Well said @kaliya
14:12:24 From Jeff Braswell to Everyone : Fair point, Kaliya, this conflation happens from time to time, but it is not the end of the world :). And there may be a de facto “standard” for “open source” (see what I did there ? ) … called … GitHub :)
14:12:46 From Paul Knowles to Everyone : Will this deck be available for referencing? Some nice work here.
14:13:14 From Scott Perry to Everyone : I'll work with Paul on this
14:13:35 From Kaliya Identity Woman to Everyone : It is problematic when communicating about our industry and software in general to conflate them. It also communicates to the technically inclined that the speaker doesn’t necessarily know what they are talking about. But sure it doesn’t matter ;-)
14:14:01 From Jeff Braswell to Everyone : I agree that the clarification is important
14:14:28 From Jim StClair to Everyone : interoperability is problematic regardless what they provide
14:14:40 From Thomas Cox to Everyone : I'm with Kaliya - precision is our friend. I see too much self-inflicted chaos from people unwilling to take the time to be precise. It's work, and it also pays for itself.
14:14:42 From Drummond Reed to Everyone : Thus the rationale for the Good Health Pass Collaborative
14:14:49 From Jim StClair to Everyone : +1
14:14:56 From Paul Knowles to Everyone : I’m staying quiet re semantics. Not easy for me!
14:15:39 From Riley Hughes to Everyone : I love the candor in this presentation. Thank you David!
14:15:59 From Alex Tweeddale to Everyone : +1
14:16:12 From Wenjing Chu to Everyone : +1
14:16:28 From Thomas Cox to Everyone : Quite the Cambrian explosion of varied efforts.
14:16:53 From Jim StClair to Everyone : "Cambrian" LOL
14:16:58 From Drummond Reed to Everyone : Very helpful, thanks David
14:17:15 From david to Everyone : Thank you!
14:17:24 From Paul Knowles to Everyone : Thanks, David. Nice presentation.
14:17:57 From Daniel Bachenheimer to Everyone : thank you David - apart from the Good Health Pass initiative, did you see any organizations attempting to define a blueprint for interoperability?
14:19:01 From Jeff Braswell to Everyone : All the abbreviations for airports are “IATA codes”
14:19:34 From Sumiran to Everyone : David can you share the presentation ?
14:19:55 From Jim StClair to Everyone : That's what we said this morning - worst since 9/11
14:19:59 From david to Everyone : yep
14:20:00 From david to Everyone : https://www.slideshare.net/dpjanes/vaccination-passports-survey
14:21:03 From Kaliya Identity Woman to Everyone : Before publishing it on the web it would be great if you actually fixed the issue I raised about conflating open standards and open source.
14:21:22 From Paul Knowles to Everyone : Multi-language solution?
14:22:26 From D Luchuk to Everyone : Have a great session, all.
14:22:30 From Riley Hughes to Everyone : Andy, how is the “lab registry” hosted, governed, maintained, etc? Maybe we’ll get to that during the ‘governance’ portion of this meeting
14:23:15 From david to Everyone : I'll see if Slideshare lets me update it
14:24:03 From Steve Magennis to Everyone : Who provides IATA with the country entrance criteria?
14:24:16 From david to Everyone : Ah well that's a good question
14:24:30 From Sumiran to Everyone : Thanks David for sharing it
14:24:32 From Thomas Cox to Everyone : How can I get my "Cronies-R-Us" corrupt Lab listed in Timatic?
14:24:40 From Thomas Cox to Everyone : Asking for a friend
14:24:49 From Daniel Bachenheimer to Everyone : the airlines and they provide scores of updates DAILY
14:25:20 From david to Everyone : Why doesn't IATA or whomever publish a standard for where countries can publish their business rules for entries.
14:25:56 From Andy Tobin to Everyone : @Thomas you'd need to convince IATA that you are a legitimate lab and be approved by them to get on their list.
14:26:10 From Thomas Cox to Everyone : Cool thanks
14:26:45 From Steve Magennis to Everyone : does IATA then take on the liability for vetting a lab?
14:26:51 From Jeff Braswell to Everyone : Sounds like a worthwhile project. I’m curious how the accuracy or validity of the various lab tests are measured or validated. ( There are a large number of tests, all with different levels of confidence )
14:27:42 From Andy Tobin to Everyone : That's right Jedd. It's up to the destination country to set the rules for what test types (Lateral Flow etc etc) they will accept. They notify IATA who add it to their rules database.
14:27:48 From Andy Tobin to Everyone : *Jeff*
14:27:58 From Jeff Braswell to Everyone : Question for Lucy: How does this factor/figure with China (given the ban on Google in China) ?
14:28:13 From Andy Tobin to Everyone : @Steve I think so. I haven't seen their contract with test labs.
14:29:16 From Jeff Braswell to Everyone : Thanks Andy — there are also variations in quality of application by different providers of the same test, however
14:29:17 From Andy Tobin to Everyone : @david - they do publish the country restrictions. You can see it here: https://www.iatatravelcentre.com/world.php
14:29:30 From Kaliya Identity Woman to Everyone : This is a paper about the flavors of VC and potential convergence https://www.lfph.io/2021/02/11/cci-verifiable-credentials-flavors-and-interoperability-paper/
14:29:35 From Riley Hughes to Everyone : Asking again in case I missed the answer or Andy missed the question: Andy, how is the “lab registry” hosted, governed, maintained, etc? Maybe we’ll get to that during the ‘governance’ portion of this meeting
14:29:45 From Jeff Braswell to Everyone : Overall problem of confidence in testing
14:30:27 From Andy Tobin to Everyone : @Riley - the lab registry is hosted by IATA. When new labs are approved, they are added to the verified issuer list (and get a public DID on the ledger).
14:30:49 From Thomas Cox to Everyone : So IATA is the authority that blesses labs...?
14:31:24 From Riley Hughes to Everyone : Do you know whether it is accessible to others? For example, could the night club down the road from the airport reference the registry to become a verifier *without* asking IATA for permission?
14:31:48 From Paul Knowles to Everyone : Andy .. GLEIF involvement?
14:31:48 From Jeff Braswell to Everyone : Not really, Thomas — they just record opinions of sovereigns
14:31:48 From david to Everyone : @Andy - I mean the other way: countries publish your rules, and you consume them
14:31:58 From david to Everyone : Thanks for that link tho
14:32:24 From Thomas Cox to Everyone : Ooooh, so if I can get a particular nation to bless my lab, I'm in?
14:32:51 From Andy Tobin to Everyone : @Riley - I very much doubt it Riley. Only accredited labs are allowed in as approved issuers. IATA will have a gatekeeping mechanism with rules for allowing a lab in.
14:33:05 From Jeff Braswell to Everyone : @Andy — that country, perhaps :)
14:33:45 From Andy Tobin to Everyone : More IATA Travel Pass info here: https://www.iata.org/en/programs/passenger/travel-pass/
14:33:46 From Riley Hughes to Everyone : Andy, I mean is that registry public to enable verifiers to reference it? As a night club, I just want to verify people’s recent COVID tests. I might want to reference the IATA registry instead of creating my own trusted list.
14:33:49 From Jeff Braswell to Everyone : Unless there’s a general ban on the departure country
14:33:58 From david to Everyone : +1 Riley
14:34:25 From Steve Magennis to Everyone : @Riley, I can see a model where IATA provides Bob's Lab with a credential saying they are on the IATA list and that is bundled with a presented credential
14:35:02 From Andy Tobin to Everyone : @Riley - ahhh I see. They haven't got that far yet - it's airlines/airports only at the moment and they are hyper focused to that use case moving. Secondary use cases may come later (I can hear your mind working :-))
14:35:08 From Steve Magennis to Everyone : i.e. "I trust IATA" "I don't trust the lab"
14:35:41 From Riley Hughes to Everyone : 👍
14:35:48 From Jeff Braswell to Everyone : sorry, I meant @Thomas ! ( “that country, perhaps “)
14:36:31 From Andy Tobin to Everyone : @Paul - no GLEIF involvement at the moment. Good thinking though!
14:36:34 From Drummond Reed to Everyone : Bingo, Steve, that’s exactly what trust registries are for (I note that the label we currently use at Layer 4 of the ToIP stack diagram is “Member Directories”. I’m thinking we should change that to Trust Registries because that’s the term I’m hearing used the most for that role.
14:37:16 From Steve Magennis to Everyone : @Drummond, not a registry, but a bundle with a cred
14:37:45 From Riley Hughes to Everyone : Drummond, I guess my question for Andy about the ‘trust registry’ was really getting at whether there is a standard for doing this, or whether everyone is doing their own trusted registry?
14:37:59 From Steve Magennis to Everyone : in this case IATA would be in a registry, by not necessarily Bob's lab
14:38:05 From Steve Magennis to Everyone : by == but
14:38:06 From Drummond Reed to Everyone : @Steve, yes, I totally get that option and am a vigorous supporter of using VCs to communicate trusted status vs. just trust registries
14:38:23 From Andy Tobin to Everyone : IATA own the "trust registry" of certified and approved labs, and own the governance of the schemas etc.
14:38:43 From Drummond Reed to Everyone : @Riley, you are indeed asking the $64,000 question: how will trust registries interoperable worldwide for digital health passes?
14:38:59 From Drummond Reed to Everyone : The WHO Smart Vaccination Certificate Working Group is asking that very same question too
14:39:16 From david to Everyone : Pin that thought @Drummond!
14:39:28 From Steve Magennis to Everyone : That seems pretty low cost to answer that question :-)
14:39:29 From Chris Buchanan to Everyone : @drummond They will not be interoperable. We will need surveillance activities to keep them honest.
14:40:00 From Andy Tobin to Everyone : There's definitely room for a "verify the issuer" type of proof, where the issuer will have a cred from the governance authority (like IATA) that proves they are a valid issuer. All fairly simple credex tbh.
14:40:02 From Drummond Reed to Everyone : @Chris, I’m fascinated by that answer. “Surveillance activities”? I hope we get to talk about that on this call.
14:40:22 From Jeff Braswell to Everyone : Also, test results are very temporal. How long ago was the test conducted ? How long did it take to get the results ? What has happened in the meantime ?
14:40:32 From Chris Buchanan to Everyone : Random testing and reputation scores for vaccine credential issuers.
14:40:39 From Andy Tobin to Everyone : Yes, the "freshness" of the test result is a key criteria in the entry rules for a country.
14:40:41 From david to Everyone : Those types if rules are very locale driven
14:40:50 From Andy Tobin to Everyone : The test date/time is in the cred the lab issues.
14:41:13 From Drummond Reed to Everyone : @Jeff, the idea is that the credential only conveys the facts about the COVID-19 test. It’s the verifier that applies their policies about acceptance.
14:41:18 From Jeff Braswell to Everyone : @Andy, as it should !
14:41:33 From Thomas Cox to Everyone : If I'm reading the IATA website right, the destination country gets to define what labs it trusts, because they are the ones taking the risk by letting people in. That feels sensible to me.
14:41:48 From Chris Buchanan to Everyone : I think the only credentials that would be acceptable for other-than-daily use would be vaccination and anti-body.
14:42:02 From Drummond Reed to Everyone : +1
14:42:19 From Jeff Braswell to Everyone : @Drummond, understood — not knocking the application of the digital innovation , just thinking about the source problem
14:42:29 From Drummond Reed to Everyone : +1
14:42:38 From david to Everyone : It will be defined by location, and it may vary on where the test was done, what the nationality of the person is
14:42:50 From david to Everyone : There needs to be a very flexible rules system
14:43:08 From Drummond Reed to Everyone : Exactly. Acceptance policies can and will be highly contextual.
14:43:41 From david to Everyone : And what the age of the person is!
14:44:07 From david to Everyone : That's why I worry about highly centralized authorities. How do they keep up? What if they don't keep up?
14:44:38 From Riley Hughes to Everyone : +1 to Andy’s comment - I’d take it further and say it’s only 10% technology. Everything else is governance, UX, implementation, training the employees, etc etc
14:44:47 From Riley Hughes to Everyone : At least in our experience
14:44:57 From Steve Magennis to Everyone : +100
14:45:03 From Jeff Braswell to Everyone : It begins to sound like the biometric and biological data referenced by IDs will eventually have health histories in general
14:45:08 From Chris Buchanan to Everyone : The ideal credential would not be a single credential, but a combined presentation based on the rule set the verifier presents. In other words, “prove to me that you have vaccine A1 and A2 and it’s less than 6 month old or you have an antibody test that is less than 3 months old”
14:46:21 From Kaliya Identity Woman to Everyone : Here is our memo - https://www.lfph.io/2021/02/04/verifiable-credentials-memo/
14:46:53 From Andy Tobin to Everyone : @Chris - yes exactly. It is vital to have two things: 1) Selective Disclosure, to only present the data pertinent to the transaction at hand and 2) compound proofs to enable you to combine data from multiple credentials together.
14:47:12 From Tony Rose to Everyone : right @chris, so a dynamic policy is presented as a proof request and the holder responds with a proof based on one or several credentials held
14:47:32 From Kaliya Identity Woman to Everyone : one of our community identified the opportunity in the Biden administration Eos and we coordinated input from the whole community and it was written in a week.
14:48:03 From Victoria Lemieux to Everyone : n case of compliance issues or need to provide evidence that a vaccination proof, etc was presented, how are you handling this? VCs are peer to peer and transactions are not captured on ledger. If captured on ledger, this is not privacy preserving.
14:48:10 From david to Everyone : You might find that really complex rules may be a high mountain to climb. e.g. Requiring combination of Vaccinations.
14:49:11 From Steve Magennis to Everyone : @david, I think a lot of this heavy lifting takes place in existing trust ecosystems - as it should be. It is really complex
14:49:19 From Chris Buchanan to Everyone : @David, yes. It’s a high mountain, but not as high as integrated governance.
14:49:28 From Andy Tobin to Everyone : @Victoria - good question. The relying party can (if regs permit) store the proof they receive from the passenger, and confirm that they verified it. This is a high standard of dat receipt confirmation.
14:49:28 From Victoria Lemieux to Everyone : +1 Steve
14:50:04 From Andy Tobin to Everyone : @Victoria - none of the credential exchange touches the ledger
14:50:28 From david to Everyone : But why not distributed governance @chris? e.g. why does the government of Canada care about any rules except their own.
14:50:31 From Victoria Lemieux to Everyone : @Andy, Yes, agreed, but need to make sure that this remains authentic and it’s difficult to tie back to legal identity if needed.
14:51:15 From Steve Magennis to Everyone : Club Trinsic, yeah!
14:51:32 From Jim StClair to Everyone : "Show me your papers"
14:51:39 From Jeff Braswell to Everyone : Spoofing ?
14:51:39 From david to Everyone : Well that is worry.
14:51:47 From Alex Tweeddale to Everyone : I see another UK gov U-turn on vaccine passports if the IATA stuff kicks off :D
14:51:56 From Chris Buchanan to Everyone : @David.. that’s my point. Integrated governance is not possible, therefore, we need to fulfill the promises of decentralized ID and climb the multi-credential integration issue.
14:53:03 From Jim StClair to Everyone : +1 Chris
14:53:46 From Victoria Lemieux to Everyone : . . . and all while preserving privacy
14:53:56 From Paul Knowles to Everyone : I’ll keep hammering the importance semantic harmonisation so that WHO can get real-time data insights on vaccine-related data.
14:54:01 From Chris Buchanan to Everyone : +1 to Andy and you also have to make the credential independently authenticatable.
14:54:20 From Jeff Braswell to Everyone : (There’s a hand up)
14:54:27 From Thomas Cox to Everyone : @Paul yes, please let's set up standard terminology! Otherwise all is chaos.
14:54:51 From Steve Magennis to Everyone : @Chris, the multi-credential integration issue is really based in the verification criteria (authority) issue
14:55:14 From Daniel Bachenheimer to Everyone : the IATA model, like the Commons Project, speaks to applying rules on behalf of governments that provide them and providing a RED / GREEN to the border guards upon arrival.... I doubt this would be accepted in many/most countries. At best, it could be used by airlines to determine OK to fly but NO GUARANTEE OF ADMISSION
14:55:45 From Victoria Lemieux to Everyone : Several issues to be sorted out: authority, accuracy, reliability, authenticity, usability, post facto compliance
14:55:53 From Chris Buchanan to Everyone : @Steve so we need to know the question format to answer properly?
14:55:54 From Steve Magennis to Everyone : @daniel +1
14:56:14 From Steve Magennis to Everyone : @Chris - it helps :-)
14:56:24 From Riley Hughes to Everyone : Does IATA already have a governance framework? Is that gov’ce framework published anywhere?
14:56:31 From Thomas Cox to Everyone : (@Paul you might mean something deeper than 'terminology' when you say 'semantic harmonization')
14:56:32 From Andy Tobin to Everyone : @Daniel that is the case with any air travel. It is the responsibility of the airline not to board you if you don't have the docs to get in. But that check is not a guarantee that you will be allowed in when you arrive. These policies already exist.
14:56:44 From Jeff Braswell to Everyone : Firesign Theatre: “Welcome to Turkey. May I see your passport please”
14:57:27 From Daniel Bachenheimer to Everyone : @Andy - yes agree... but this is a new layer and travelers need extra clarity
14:57:28 From Chris Buchanan to Everyone : @Steve - the good news is that the solution space for the questions is limited and it may be that wallet technology be developed to handle a standard query language (presentation requests)
14:57:29 From Paul Knowles to Everyone : Yes, semantic harmonisation … I’ll cut and paste something. One sec.
14:58:33 From Drummond Reed to Everyone : @Riley - IATA is developing a ToIP Layer 4 ecosystem governance framework, but they have not published it yet.
14:58:43 From Chris Buchanan to Everyone : @Daniel - Everyone needs to include the assessment in the visa process prior to travel. I could see countries issuing health visas as a result… makes more sense than a health passport anyway.
14:59:05 From Drummond Reed to Everyone : Good point Chris
14:59:16 From Kaliya Identity Woman to Everyone : read the paper - https://www.lfph.io/2021/02/11/cci-verifiable-credentials-flavors-and-interoperability-paper/ also good news the SVIP test suite for JSON-LD ZKP with BBS+ will be live and public mid -march :)
14:59:25 From Steve Magennis to Everyone : @Chris, agreed. Scoping the solution space will inform the required solution complexity
14:59:27 From Chris Buchanan to Everyone : The nice thing is that the VISA could work for the airline too.
14:59:43 From Chris Buchanan to Everyone : Funny if you need a re-entry visa… LOL
14:59:43 From Jim StClair to Everyone : Yes, good paper @Kaliya
14:59:49 From Drummond Reed to Everyone : +1
14:59:53 From Tony Rose to Everyone : +1 Kaliya
14:59:57 From david to Everyone : I respectfully don't believe it's early days
14:59:59 From Riley Hughes to Everyone : Yes thanks to Kaliya for the paper. Fantastic.
15:00:15 From Steve Magennis to Everyone : Great session. Thanks!!
15:00:18 From Lucy Yang to Everyone : We always refer to Email when talking about interoperability. My outlook calendar is still not working with Gmail calendar.
15:00:26 From Daniel Bachenheimer to Everyone : @chris - absolutely.... when I got my Russian visa I went to the govt web site and followed the govt rules and the govt issued the visa... NOT CVS!!!!
15:00:31 From Paul Knowles to Everyone : Cut and paste ain’t working. Re semantic harmonisation, feel free to ping me an email and I can reveal the problem space and the resolution. paul.knowles@humancolossus.org
15:00:37 From Jim StClair to Everyone : I have to jump, Scott, thanks!
15:00:44 From Sumiran to Everyone : This was a good session, thanks Scott for organizing it.
15:00:46 From david to Everyone : @Andy Tobin - specifically that's it's just a layer, but there's lots of problems above that
15:00:59 From Jeff Braswell to Everyone : Another meeting calls — thanks for the interesting discussion and information.
15:01:26 From Victor Syntez to Everyone : thank you for the meeting!
15:01:50 From Chris Buchanan to Everyone : @Andy - I have trouble explaining it to engineers and developers… much less laypeople
15:02:09 From Andy Tobin to Everyone : @Chris just say "it's a technical trust tunnel" :-)
15:02:17 From Chris Buchanan to Everyone : :)
15:02:39 From Riley Hughes to Everyone : Thanks for organizing Scott.
15:02:40 From Lucy Yang to Everyone : Thanks everyone!