
2023 10 04 Meeting Notes

Tim Cappalli edited this page Oct 5, 2023 · 1 revision

2023-10-04 (B Call)

Reminders:

WICG member: https://www.w3.org/community/wicg/

W3C Code of Ethics and Professional Conduct: https://www.w3.org/Consortium/cepc/

Organizer: Tim Cappalli

Scribe: Sam Goto, Rick Byers

Agenda

  • Intros
  • Administrivia
  • Goals of this workstream
    • Balance of technical discussions, use cases, privacy, and policy
  • TPAC recap
  • IIW Planning
  • AOB

Notes

Slack channel https://app.slack.com/client/T010EGK9PQE/C05UG0EJUDB/thread/C05UG0EJUDB-1696345193.147579

Intros

  • Tim Cappalli: Microsoft, engaged in browser APIs (WebAuthn, FedCM, SAA) and FIDO
  • Rick Byers: works on Chrome
  • Sam Goto: Chrome too, works with Rick
  • Lee Campbell: works on FIDO stuff, on the Android team
  • Helen: works with Lee on Android too
  • David: David Zeuthen, works at Google on the Android team, member of ISO working on mDLs, maintains open source libraries, works with several teams at Google
  • Gareth: I work on Google Wallet, attends ISO meetings
  • Michael Jones: Mike Jones, works on a number of identity and security standards, OAuth, OpenID Connect, JWT, several things in the W3C: WebCrypto, WebAuthn, and Verifiable Credentials
  • Kristina: Microsoft, works W3C WGs, SD-JWTs, IETF, mDoc related things in ISO, OpenID4VC in the OIDF, interoperability profiles, working with product teams, verified identity product
  • Tess: works at Apple, manages the WebKit standards team
  • Hicham: works at Apple, Identity, part of the ISO group too, mDL
  • Nick Doty: Center for Democracy and Technology, privacy and security, co-chair of the Privacy Interest Group
  • Brian Campbell: works on a lot of identity standards, “old fashion” identity standards, OAuth, OpenID Connect, SD-JWT, interested in this area happening in different bodies

Administrivia

  • Tim: A and B call. This is the B call - APAC friendly. A call next week.
  • Tim: trying to use Slack for general discussions.
  • Tim: meeting notes turn into GitHub files after meetings for later reference.
  • Tim: Google Meet seems like a reasonable starting point, in case anyone has any other preference, just LMK
  • Tim: result of the discussion that happened at TPAC, notes available, original plan was to merge this with the FedCM WG – but FedCG is much farther along in incubation, and this work is a lot less mature than that, so we figured it would be useful to have this discussion in a CG rather than a WG
  • Tim: the goal of the workstream is to try to answer the open questions that came up at IIW, FIDO TF, TPAC, etc. Start looking at these different use cases. Some of the focus has been on mdocs before because that has been a hot topic for governments, etc. But we know we want to support VCs too.
  • Tim: there are a couple of proposals floating around, one of them being incubated in platforms.
  • Tim: Rick brings a lot of questions in his presentation.
  • Tim: We are trying to have these conversations in public and openly, as opposed to behind closed doors.
  • Nick: do we think there is a broader group of people from a wider range of affiliation?
  • Tim: yeah, in general that is indeed the hope and we need help getting the word out. We could use help from folks spreading the word.
  • David Z: some issuers of credentials may be interested in joining as well. This hasn’t been advertised very widely, so hopefully we’ll see more folks join.
  • Brian C: that might explain why we got some ramblings from people that were in Europe and had a hard time joining the meeting.
  • Mike Jones: I second Brian’s point, heard similar concerns.
  • Rick: maybe we should just redo the Doodle poll to gather more input on the time.
  • Rick: note on incubation, I agree that we want to include a lot of voices, but incubation often happens in small groups, it is pretty common for incubation to happen with a small group of people that can iterate things quickly.

TPAC Recap

  • Rick: main things I heard. The first class of concerns are on the policy side: what does it mean to bring high assurance identity to the web. Nick has spent a lot of time in the space. At a high level, I’d like the TAG to do some research here on this space, and I think it would be a mistake to over-focus on a specific solution, I’d really like to have the TAG form an opinion on high assurance identity on the web, and try to find some principles around it.
  • Nick: I do think it is important to look at cross cutting matters, finding principles on presentation on the web, the TAG may be interested, the PING is meeting tomorrow, enough interest from privacy and human rights, around concerns and principles. I know it is early, but I’m also hearing the feedback that “it is already late, there is a lot of deployment, a lot of regulatory requirements”, doesn’t seem like a “we can ignore this now” but more of a “we need a lot of attention now”.
  • Rick: the other big class of concerns I heard at TPAC was around openness, making sure there is room for players with different opinions. We heard a lot of feedback that when we started with mdocs only it raised a lot of concerns. Android and Chrome so far have been convinced that we want to be format agnostic. Folks particularly concerned about losing the engineering side of things and becoming a political, would be great to have the group align on a set of principles, being credential agnostic, supporting multiple credential formats, multi wallet. I gave a talk at the CCG at TPAC and got overall a great set of reactions.
  • Tim: how do we want to go about this?
  • Rick: I think it is broader than privacy, but at the same time I certainly feel a lot of urgency. We are going to origin trial sometime soon. We feel a lot of pressure coming from eIDAS and urgency in trying to inform it. Shipping a v0, fine to involve breaking changes.
  • Lee: it would be good to align on the principles or properties of this API. Is it going to be format agnostic? Is it going to be multi wallet? Trying to capture them and try to converge on them.
  • Lee: someone could draft them up and trying to look at them.
  • Tim: this was a similar setup we had with the FedID CG.
  • Tim: we do need folks to help with use cases.

Questions we'd like to get answered in the next few weeks

  • Sam: Concrete example of tension we're feeling - multiple times from Apple. How does this relate to authentication mechanisms like passkeys and federation. Do we think of these things as completely different things or are they related? Will they happen at the same UI/time or different UI/times? One of the tensions we feel that has consequences on API design
  • Lee: right, that seems like we could capture that as use cases that we’d like to support. There is a camp of folks that think that “we should never use this for sign-in” and another camp that says “it should”, including things that show up in regulation. Should an IC be in the same UI as a passkey? Or should these be very different things?
  • Sam: Rick mentioned a few. Do we want to be format agnostic (support VC as well as mdoc, ePassport, etc.) or do we expect only one to exist? Multi-format is one of the tensions. Even "format" is confusing - what is an SD-JWT? Is it possible to have a VC encoded with CBOR? Need to invest in the vocabulary / terminology. Another tension is how does this relate to passkeys and federation. Another tension is multi-wallets - support a large diversity of wallets or do we expect users to have one wallet at a time. These aren't well thought out because we don't know what the questions are. This group would be a good one to talk about the relationship between different moving parts - OpenID4VP for example. Are they complementary, different layers etc.
  • Sam: Lots of tension on query languages, in the vicinity of presentation exchange. Do we like presentation exchange? Do we need to make query languages extensible?
  • Kristina: Another topic is the scope of the API - one of the big problems where the help from the browser/OS is the selection of the wallet. Android said they didn't want custom URL schemes to be used, understandable. So for wallet selection, how does the request get into the correct wallet. Regardless of the credential format and the protocol. At the same time, sometimes the discussion on the API seems to be talking about inventing an entirely new protocol. Those can exist together, but we should be clear what we're talking about. If this API is designed to provide a wallet selection (and cross-device security is another one), other protocols would keep using the dangerous protocols.
  • Tim: covered under this question?
  • Kristina: No, not specific to OpenID4VP, applies to any protocol.
  • Nick: even in API discussions would be good to discuss abuse mitigation. If they get abused (as I'm confident they will), how can we design an API such that a UA can help protect the user from inappropriate requests, or understand who is asking, or enable reporting usage. Need significant hooks in the API to make it possible to prevent what I think will be substantial abuse of the API.
  • Tim: Other big questions?
  • Lee: Is it wallet selection or credential selection? How much role does the browser and platform play in this transaction? Could be a pretty dumb pipe, or could take a much more active role in mediating the interaction. Maybe, as Nick was saying, it needs to add some friction or maybe even vet who is using it. Open questions on how involved it should be
  • Sam: Maybe good to talk about the shared sense of urgency and timelines. Rick mentioned pressure on regulation we're seeing from around broad deployment. Might be good to have experts (e.g. on eIDAS) come talk with / explain to us. Would like to understand sense of urgency elsewhere, e.g. Tess for Safari? If this is time boxed, it is likely we are going to have to make compromises, and if so, which?
  • Tess: Can't share future roadmaps. But can discuss sense of urgency from ISO side of things.
  • Hicham: Yes, one of the problems we had from ISO we needed to be able to point to something. Want to be able to point to standards track. Regulation timelines is also something we should look at, so we can have a decent chance of this work being accepted as a way to present identity documents.
  • Sam: The other side of things I'd suggest going over as a group - bigger picture of the API from a lifecycle perspective. We've been over-focused on presentation, but haven't discussed provisioning. Manu from CCG brought up web wallets, not sure if that's in scope? I think our focus here is presentation, but how does this fit holistically into the lifecycle of the product?
  • Lee: Do we want to consider issuance as part of this discussion in the short term? I'd vote no for now (Several thumbs up). I'd like to consider cross-device presentment though. I'd like it to be agnostic to the caller, we might not have to spec the protocol.
  • David: +1 to focus on presentation. Provisioning is really hairy, especially for real-world identity.
  • Tim: Will create issue for each of these questions, will take us weeks to work through. I'll tag them with agenda+, please suggest improvements.

IIW planning

  • Tim: IIW Next week
  • Lee: Could talk about the sessions we hope to propose
  • Sam: Think it could be useful to have a session dedicated to Android specifically. Lots of interesting aspects to that architecture. Would be wonderful if we could find an iOS engineer who could compare and contrast, or Windows engineer. Lee can do the Android part, but if someone would like to describe how Windows / iOS thinks about that space - would be helpful.
  • Sam: Then, Rick can't make IIW unfortunately due to Canadian Thanksgiving, but I can give an overview of our proposed web browser API and go over it.
  • Sam: Also thought it would be constructive to have a session with Hicham, David, etc. on how ISO folks see the space of browser APIs. If we could have something comparable for that for verifiable credentials that would be wonderful. Maybe Manu or Kristina, or Anil from DHS?
  • Sam: Figured we could also have a session on query languages. DIF? Folks
  • Sam: Maybe constructive to have Thorsten and Kristina talk about OpenID4VP and how it relates to browser APIs. Perhaps also CHAPI folks from CCG.
  • Kristina: Yep. We do OpenID4VP sessions every IIW. For VC we can give updates on data model v2 vs. v1 and stuff like that. Overall looks good.
  • Sam: Other idea that occurred to us perhaps was to work with the open wallet foundation and the folks at spruce, get their thoughts on what requirements they'd have for browser and OS APIs. Both Chrome and Android now have a prototype where anyone who wanted to could flip a flag and give it a try. Would be game for setting up a demo booth where we can prototype.
  • Lee: Thought we'd come out with a prototype so folks could bikeshed about it. In Android builds now, in Chrome Canary. If anyone wants to prototype anything and puts together an end-to-end flow, we'd be game.
  • David: Needless to say we'd bug all of you for demos as much as we can
  • Kristina: There's an OWF workshop the day before IIW. Might be a good chance.
  • David: Yes but unfortunately I'll miss the first half.
  • Tim: Sam are you going to run point to wrangle folks Tuesday morning?
  • Sam: I can. Maybe we kick off a GitHub issue or use these meeting notes to try to figure out who is interested.
  • Tim: Can we do a GitHub issue?
  • Sam: Yes. Please let me know if anyone wants to volunteer.

Wrap up

  • Tim: Let's plan not to meet next week due to concerns about Europe and IIW. I'll plan to send out another Doodle and hopefully we'll get folks to respond. We need everyone's help to spread the word. I will create issues for discussion points.
  • David: So next meeting is Monday?
  • Tim: No, this same slot in two weeks.
  • David: Then every week but alternating?
  • Tim: Yes, with new time for North America that's more Europe friendly

Questions for future discussions

  • Relationship between these identity credentials, passkeys, and federation
  • Risk for persistent/global identifiers
  • Sign in vs claims transfer
  • IC in the same UI as a passkey? Good idea or bad idea?
  • Do we expect VCs and mDocs to coexist or one or the other (multi-format). Are there others?
  • Multi wallet support or not?
  • Wallet selectors vs credential selectors?
  • Tension between different moving parts such as browser APIs vs OpenID4VP vs other protocols. Mutually exclusive or complementary?
  • Common vocab/terminology needed (encoding, formats, schemes, etc)
  • Query languages (e.g. presentation exchange or something else), extensibility
  • Scope: help from client for wallet selection, role of UA and platforms, cross-device
  • Abuse preventions and mitigations
  • Timelines for interested orgs (urgency, etc)
  • Bigger picture of the API: presentation, issuance, web wallet interactions, etc

Attendees

  • Rick Byers, Google Chrome
  • Nick Doty, Center for Democracy & Technology
  • Tim Cappalli, Microsoft Identity
  • Helen Qin, Google / Android
  • Lee Campbell, Google / Android
  • Hicham Lozi, Apple
  • Sam Goto, Google Chrome
  • David Zeuthen, Google / Android
  • Gareth Oliver, Google / Wallet
  • Brian Campbell, Ping Identity
  • Loffie Jordaan, AAMVA