2019-10-30
- Vipin Bharathan to update the paper, bring it into github before "11/13/2019"
- Vipin Bharathan send out github procedures for inviting maintainers.
Agenda
- Antitrust Policy and introductions - VB
- Identity WG Implementer call - report -
- Meeting Notes 2019-10-24 Identity WG Implementers Call Daniel Bluhm or Richard Esplin or anyone who was on the call
- Discuss IDWG paper & Implementor's WG
- A github repo was created under hyperledger for IDWG; Let us discuss the governance of it. This is mostly to house our paper, we will also create more outputs from our group. Ideas are welcome.
- Reframing data protection @Elizabeth Renieris
- Report on IIW Nathan George David Huseby Daniel Hardman or anyone who was there
- ID2020: What happened and why is it important Vipin Bharathan
- Kiva - current status. After the UNGA- any one from Kiva (Matt Raffel or Camilo Parra )
- Implementing metrics from Chaoss... DCIWG- let us discuss.
- Progress of Identity Working Group paper. Further comments by Brent Zundel
- Aadhaar section-look at reworked areas
- Paper collaboration - Marta Piekarska-Geater, kellycooper.2ds, Sze wong
- A talk by Kim Cameron in the offing.
Attendees
dlt.nyc | vip@dlt.nyc | |
kellycooper.2ds | Independent | kellycooper.2ds@gmail.com |
Ajay Jadhav | AyanWorks | ajay@ayanworks.com |
Gowri | ||
Marvin Berstecher | esatus AG | m.berstecher@esatus.com |
Nitin | gio | |
Santanu Mukherjee | ||
Sumit Kumar | Cap gemini | |
Todd Gehrke | Luxoft | |
Kaliya Young |
Recordings:
Meeting Minutes:
Introductions
Implementer Call: Projects, Groups, and SIG report out on Identity-related topics. Shared Identity paper.
Identity paper: Moving to GitHub. Identify specific changes other than 'this doesn't look good'. Need details. Repo is created. Maintainers needed. If not maintainer, please create a Pull request if you have a GitHub user ID.
- Otherwise, please send comments to maintainers. There are unresolved issues on the paper.
- We need to make a conscious effort to address areas, particularly PII on the blockchain (deprecated)
- and tension between people with current or new solutions which may not be in production yet.
- One aspect to debate is ideas such as Aadhaar. The tension needs to be addressed in the paper, ie privacy is a basic right. Aadhaar has over a billion users. We have many systems that handle identity. How do we progressively go toward a better system, in the blockchain world and elsewhere?
Given below is the edited and structured version of the call
Kaliya:
Problems with Aadhaar & solutions:
- state as provider of certain root credentials (Birth certificates, Passports etc.)
- Issuer (Govt of India) also becomes IDP; IDPs see every time a credential is used ("Phone Home")
- People should be able to present credentials without IDP knowing, without authoritative sources knowing
- In western democracies there has been pushback against govt providing digital IDP services, but has relegated to Google & Facebook etc. with OpenIDConnect
- SSI is a solution since through VC working group we establish open standards for credentials
Vipin:
- Western countries (at least the US) have the same problem due to centralization of IDPs in commercial interests (Facebook, Google, LinkedIn, etc.)
Nitin:
- Complexity of problem that needs to be solved in India because of mix of people
- Santanu brings in the problem of illiterate people to buttress this argument- Vipin says it is the edge interaction that can make this bad, since the middlemen disrespect and mistreat the poor users.
- Aadhaar is extremely useful due to its use in widescale PDS (public delivery system) for food, cuts out middlemen, fraud- Upheld by the supreme court of India
- Kaliya, Vipin and others concur.
Kaliya:
- Aadhaar as a model was written many years ago, but we need to move towards a model which is more decentralized; this is where verifiable credentials come in
- Verifiable credentials WG in W3C is defining the standards around creation of credentials; any authority can create credentials with cryptographic proofs that can reside in the user's digital wallet and can be shown to relying parties without involving the issuers
A frame may be to talk about the centralized systems and to not frame it as 'there's an issue with centralized identity models, state-issued or commercial'. This is what's happening in the world today, either one isn't great. They're not good for people that there's a limited choice in who I trust to manage my identity.
Vipin:
- The VC standard is a meta standard; fixing language, format etc. allowing for programs to make sense of data in a credential issued by anyone
- How do we go from here to there (i.e. from centralized systems that leak data ("phone home") to decentralization)? What is the path for adoption?
- Are there systems at scale for SSI?
Nitin:
- Aadhaar does not track use case, it is a log; it used to track location of edge device, now that is not being tracked as well. Some changes for the better.
Ajay:
- AyanWorks created a use case where an offline Aadhaar XML file can be downloaded in the mobile app using a standard OTP authentication process, and based on the attributes in the XML file, the app creates a self-attested Verifiable Credential (VC) which could be presented as a cryptographic proof of Aadhaar-derived identity. The relying party (verifier) can very well verify whether this Aadhaar-derived VC is really issued by UIDAI or not.
Given below is the unedited free-form text of the call created by Kelly in real time:
Kaliya: Need to separate out some concerns. One is it's widely accepted practice for local authorities to issue birth certificates, and that ends up being the basis for other documents states issue to citizens, such as identity cards and passports. India created such an identity system. Aadhaar and Singapore systems see everywhere a person uses that identity. 'Phone home' architectures cause issues; yes there's a role for governments to authenticate things such as births. Does that mean the 'state' should be an identity provider? No, in government or with companies (Google). People should be able to act without authoritative sources knowing.
Vipin: Lack of large-scale identity providers opens up for Google, Facebook, etc. to step in as a commercial interest. Caused tremendous problems. SSI is the answer because when you present credentials, do not need to notify the issuer of that presentation.
Nitin: India is complex, difficult to compare a western country to India. Aadhaar addresses a major use case the Supreme Court upheld is government benefits. There is a widescale PDS (public description system) for food; one of the biggest sufferings is people living below the poverty line. Once they move from villages to cities, they do not have those benefits.
Vipin: No one is questioning the usefulness of Aadhaar.
Kaliya: Spent seven weeks in India to understand Aadhaar. A good system for India's current stage of development, ten years ago when developed, good decisions. If the centralization model continues into the future, it doesn't necessarily align with what I understand to be the values of the world's largest democracy. Not about critiquing the past.
Nitin: Agree, needs to go toward decentralization. But Identity needs to be derived from Aadhaar. Then, can use a new focus to utilize. For a new model, it needs to come out of government control. Supreme Court is looking at usage and public benefit. The evolution of decentralization has been restricted and this is the model that has to change.
Vipin: Not roses in the U.S. either; companies like Google and FB have tremendous centralization of issuance architecture. OpenID Connect....
Kaliya: A frame may be to talk about the centralized systems and to not frame it as 'there's an issue with centralized identity models, state-issued or commercial'. This is what's happening in the world today, either one isn't great. They're not good for people that there's a limited choice in who I trust to manage my identity.
Vipin: How do we get to where we want to get to?
Ajay: Whether Aadhaar tracks identities.. if a citizen presents it is tracked.
Nitin: Doesn't track.. use case is not tracked. But still, there is a centralized audit.
Kaliya: Each terminal that authentication happens has an identifier.
Nitin: Each location is tracked but not at the ID level. Earlier there were coordinates, no longer. Restricted tracking. A possibility you can correlate.
Ajay: Uses - offline Aadhaar XML available for every citizen (on website). Can get 'my' data for my wallet. Self-attested. Aadhaar based authentication. Credential in my mobile is created offline with this XML tool. Once the credential is in my wallet, I can prove to a relying party, this is my identity.
Nitin: to Kaliya - struggle, if we create anonymous identity, perhaps via Aadhaar. At a point of service, I can't present myself as me.
Kaliya: No one talked about anonymous anything. Confusion. One of the SSIs proposed the capacity, if one chooses, to have derived subattributes (over 18, resident of district x) ZKP work in sovereign Hyperledger Indy ecosystem. If we want to have a conversation about the past, how can we get from where we are now to a cool future, States that currently issue credentials shift to issuing verifiable credentials into people's wallets. Then people use that credential for whatever they want, in a decentralized world.
Vipin: Consider a paper driver's license. Phone home is only when there is an issue such as pulled over by police, but not with a merchant. Different levels of access. How can we have something similar in a digital context?
Nitin: India has a digital locker, DigiLocker
Kaliya: It's not decentralized. This is where language gets into the way. Around decentralized identity, the terms mean any institution can issue any credential to any people it wants. Once issued into the digital wallets that they control. There's an ecosystem possible you don't get from a centralized provider, whether commercial or governmental.
Nitin: This credential would be derived from the base credential of Aadhaar.
Kaliya: Verifiable means it's cryptographically signed, it does not mean it comes from one particular resource. ie University can issue verifiable credentials into their wallet. The local salad shop can issue a verifiable credential every time someone buys a salad. The broad data format that can apply to a vast range of use cases. Think about how to get out of particular use cases. University may want an official government card when you enroll but the salad shop won't care.
Nitin: Standardized format...
Kaliya: Yes, W3.org. Used across the ecosystem.
Vipin: Buying chai in a shop, nonstandard, but 'I' follow w3 credential group proposal. A program that reads that will be able to make sense of that, to a certain extent. Conundrum, all of these systems, how do we propose a way to transition to this new way of doing things. Sounds great, but no one does this today at scale?
Kaliya: Emergence - this year will be big for production deployments. There have been large scale pilots. British government 1.2m credentials. Kaliya received white papers she can post.
Vipin: Difference between 1m and 1b - if you have a running system, how to maintain it?
Santanu: Problem is not 1m or 1b - the issue is literacy. Ajay mentioned - the level of acceptance within India, if I'm literate I know digital valid. If not, I know this is a paper; but to make usage of that to downtrodden people is a challenge for the India context. All of the framework, whatever we have, is acceptable and applied easily. Other people have a different context in mind. If a traveler moves from an urban area to rural, information needs to be conveyed. That information should be kept in such a way, usage can be implemented.
/**Chat:
Question is about acceptability A Govt Institute provided credential will be acceptable but provided by a private inst may not
From Kaliya Identity Woman to Everyone: 09:43 AM
anyone can issue a credential to anyone for any reason using these formats how you “determine” trust is a whole set of challenges - that also are needing to be addressed and this is where trust frameworks come from Is this the question our white paper needs to answer? I think we just need to talk about Centralized systems and how they are working.
From Ajay Jadhav to Everyone: 09:43 AM
Nitin, the point is not about private inst issuing a Govt credential. It's about the standardization of the data format of the credential..
From Kaliya Identity Woman to Everyone: 09:44 AM
You also have Kiva who just created virtual digital wallets for like the whole country of Sierra Leone
From Ajay Jadhav to Everyone: 09:44 AM
If Govt adopts the standard, it will force everyone to align to those standards... Link to W3C VC - https://www.w3.org/TR/vc-use-cases/
From Vipin Bharathan to Everyone: 09:44 AM
I have been trying to get Matthew Davie from KIVA to report on current status
From Kaliya Identity Woman to Everyone: 09:44 AM
Yes Guardianship and Delegation for folks who are not digitally capable is a whole set of issues that also must be addressed
From Kaliya Identity Woman to Everyone: 09:46 AM
Yes Guardianship and Delegation for folks who are not digitally capable is a whole set of issues that also must be addressed http://www.spaceman.id actually has a text controlled agent working - they showed it at IW IIW
**/
Vipin: Some of the issues are friction in edge devices. For Aadhaar - terminal used to verify biometrics. Also people in charge. Dismissive of poor people. Where is SSI being practiced at scale? BC government is one. Are there other use cases? GDPR is bellwether. How is SSI doing in Europe?
Marvin: We are trying to get a lot of people from different key countries to work together to get standards. Great potential to meet.
/** Chat:
From Kaliya Identity Woman to Everyone: 09:48 AM
https://blockchain.enterprisesecuritymag.com/cxoinsight/blockchain-a-us-customs-and-border-protection-perspective-nid-1055-cid-56.html
https://www.cbp.gov/sites/default/files/assets/documents/2019-Oct/Final-NAFTA-CAFTA-Report.pdf
https://www.erienewsnow.com/story/40994526/digital-bazaar-collaborates-with-gs1-us-securekey-and-tradelens-on-global-standards-for-organizational-identity
https://markets.businessinsider.com/news/stocks/digital-bazaar-welcomes-tradelens-as-key-organizational-identity-blockchain-technology-participant-improved-business-efficiency-and-identity-security-1028512559
https://www.prnewswire.com/news-releases/digital-bazaar-and-securekey-join-forces-to-develop-global-standards-for-organizational-identity-300919434.html
https://www.prnewswire.com/news-releases/digital-bazaar-and-gs1-us-collaborate-on-a-new-proof-of-concept-exploring-the-intersection-of-organizational-identity-and-blockchain-technology-300923178.html
From Ajay Jadhav to Everyone: 09:53 AM
In my knowledge, following the implementations of BCGov & Ontario, the Alberta Credential Ecosystem (ACE) led by ATB Financials is also building an SSI-based solution for people in Alberta
From Kaliya Identity Woman to Everyone: 09:56 AM
https://hackmd.io/HkJOQk_aQOKe-UHAJcz1zg
**/
Kaliya: Significant behind the scenes implementations; only now information is coming out (above links). If I'm reading the call right, we agree SSI and emerging standards "decentralized". The contrast between emerging work (Hyperledger Aries, Ursa, Indy) and w3 (digital bazaar). Difference between centralized, ie, (what is) and to look to the future.
Vipin: What is better is probably something like SSI.
Kaliya: Does the paper need to recommend or identify.
Vipin: Framing of what is happening in Hyperledger. We can say what we see potential in. At the same time, need to discuss efforts being taken in order to get there from here. Most of Hyperledger - permissioned ledger - still using LDAP. Writing hundreds of PoCs. A paper is a point in time, we keep moving. How do we then address? Different angles or updates?
Vipin: Elizabeth Renieris thesis. We are focusing on the wrong thing - data. We should turn it around and start with privacy. Talking about data distances us from the real problem; privacy is what we're trying to solve. How do we implement that? https://medium.com/@hackylawyER
Vipin: Indy Semantics group presented on Aries-related consent.
Nitin: There is a centralized entity under India's centralized bank. They have given license to aid consent electors to provide financial information. For all financial institutions, if they want to take data for any user, they need to use this mechanism and get signed consent. There's a sequence, a number of times you can access data, etc. Nitin can do a presentation on this. Telecom service providers implement blockchain to store consent, but more domain-specific for telecom. In production. Use blockchain to store consent from their subscribers. Not part of Aadhaar.