Trust Architecture Task Force - Shared screen with speaker view
Dan Bachenheimer (Accenture)
11:18
today's minutes [thanks Drummond] are here: https://wiki.trustoverip.org/display/HOME/2022-01-20+TATF+Meeting+Notes
Bart S
25:24
Can we (or have we already) visualize the 'where KERI fits' in terms of jobs-to-be-done across an identity journey? Ie - most of the conversations to date are very technical, and less focused on arguments as to why people should get behind this.
Darrell O
26:49
I’m definitely going to need that visualization.
Drummond Reed
29:53
Great questions — we will get to them
Drummond Reed
30:03
DanB, I see you on the queue
Daniel Hardman
32:27
Big +1 from me to Sam’s observation about latent accountability
Daniel Hardman
33:05
We should cover Bart’s question
Antti Kettunen
33:09
Currently frameworks (like EU) recognize binding to a trusted device, but not to an identifier. This is also a pattern that repeats elsewhere (I think). Would this cause challenges?
Darrell O
33:21
as a recovering developer/architect I am tempted to call this “lazy accountability” but I know it’s an incorrect term
Tim Bouma
33:28
agree+ - this is similar to publishing a statement in a gazette or classifieds
Bart S
33:46
well my audio is borked then
Bart S
33:50
sorry :)
Dan Bachenheimer (Accenture)
34:05
EU has proposed to use an identifier in every transaction! we (INATBA) screamed bloody murder
Adrian Gropper
34:57
Does an authorization server live in the message or reputation layer?
Darrell.odonnell`s Sembly Agent
35:15
Hi, this is Darrell.odonnell`s Sembly Agent. This meeting is being recorded. Want your own agent? Please visit www.sembly.ai
Tim Bouma
35:35
Perhaps identity is not the ultimate goal - rather it is about reputation/authenticity - identity is just a means to an end
Darrell O
35:42
apparently my AI agent (Sembly) does transcription - and sells itself
Samuel Smith
36:16
+1 @TB reputation is the end goal
Bart S
37:21
I can follow you, but can we simplify and align it with existing terms (proofing, binding, exchanging, authenticating, etc). I'm happy to contribute to that
Bart S
38:02
for me what's confusing is we're using KERI as 'protocol', 'principles', 'method', etc.. I think we need to be more precise on that
Dan Bachenheimer (Accenture)
38:14
@Antti - I said every transaction, to be fair Article 11a calls for a “unique and persistent identifier” to be included in the minimum data set “to identify the user ... in those cases where identification of the user is required by law”
Darrell O
38:30
@Bart - are you saying we are KERIing too much?
Bart S
38:59
well, in the beginning we said we shouldn't overestimate what KERI could do.. and now we're seeing it can do a lot..
Antti Kettunen
39:19
@Dan I don’t think it’s the same identifier as DID is. I believe it refers to more unique personal ID type of identifier.
Darrell O
41:23
@Bart - I agree - methinks we’ll end up splitting where things get applied and what the names are (e.g. KERI / ACDC is promoting a new credential format that may need a new name)
Vikas Malhotra
41:33
+1 Authenticity, (which is derived from verification) is very important.
Bart S
41:51
hahahahahaha
Bart S
42:13
remember Daniel: small words, and big numbers are the key to success :)
Darrell O
42:17
@Antti @Dan I am guessing the law can support “This identifier is me too”
Tim Bouma
43:04
+1 I like this two layer model - I describe as Institutional Trust and Technical Trust.
Tim Bouma
43:37
This is spot on.
Shermineh Salehi Esmati
43:49
Changed or exchanged?
Bart S
44:02
so what does it compare to in terms of category?
Jan Lindquist
44:26
Daniel mentioned that not all DID Methods are compatible with KERI. Is there a list of what would be the requirements for a DID Method to work with KERI?
Dan Bachenheimer (Accenture)
45:12
@Antti - correct... they seem to be stuck on centralized, National ID constructs... we reminded them of DIDs and how they should be allowed by the legislation
Darrell O
45:19
@Jan - I think we (by we I mean the selfish we - “somebody else”) should create a “KERI-compatible DID” rubric
Adrian Gropper
45:54
Does an authorization server live in the message or reputation layer?
Bart S
46:01
works for me, we can keep the chat separate :D
Jan Lindquist
46:28
@Darrell, agree but where is the work for a KERI-compatible DID rubric?
Darrell O
46:43
@Jan - it’s yours if you want it!
Jan Lindquist
47:15
haha. oh so somebody has to do the work...
The Agent Masquerading as Daniel Hardman
47:53
@Adrian: an authorisation server usually purports to authenticate a *person*, not just a key. The *basis* for authenticating the person might be something as primitive as a password — but is often more (e.g., MFA). So it resides at the human trust level, I think — not the cryptographic trust level.
The Agent Masquerading as Daniel Hardman
49:12
The challenge with authorisation servers, in general, is that they often conflate these two layers. I think that works for many common cases, but as an architectural foundation, I think it’s a mistake. These two layers change for different reasons and under different circumstances, and conflating them introduces unnecessary complexity and fragility.
Bart S
49:24
@Daniel - how would you describe KERI, in this format: In the category of X, KERI is a better option because of Y
Bart S
50:59
(or better: in the category of X, KERI is a better option than Y because of Z)
Adrian Gropper
51:11
q+ to ask about agency and delegation as a fundamental
The Agent Masquerading as Daniel Hardman
51:29
@Bart: In the category of technologies that establish cryptographic trust (which includes DID methods, TLS, OIDC/OAuth2, and various other authentication schemes), KERI is a better alternative because (the 3 benefits I mentioned) are delivered in a way that is self-certifying, post-quantum secure, friendly to best practice key rotation, resistant to side channel attacks, etc.
Henk van Cann
52:00
@Jan & @Darrell : I could assist creating a KERI-compatible DID rubric
The Agent Masquerading as Daniel Hardman
52:26
Or, to say it more simply: KERI gives (the 3 benefits) with better security.
Bart S
52:41
I'm looking for something in between :)
Tim Bouma
52:45
agree+ with Sam - no need to have centralized identifiers - the big trap that legislation gets into is being too prescriptive and reduces optionality
Jan Lindquist
53:16
@Henk Great! This will help ensure DID methods can be compatible. Unsure all the requirements.
Dan Bachenheimer (Accenture)
54:44
huge KERI advantage - portability
The Agent Masquerading as Daniel Hardman
54:53
@Henk and @Jan et al.: To create a rubric-based eval of did:keri, go to https://w3c.github.io/did-rubric/ and answer all the questions about did:keri. If you want, you can submit your answers as a PR — or you can simply do a writeup that’s published elsewhere.
Savita Farooqui
55:50
Same issue in California - thinking about identity as "single, central identity"
The Agent Masquerading as Daniel Hardman
55:58
Here is an example of a “rubric question” you can answer: https://w3c.github.io/did-rubric/#question-10
Henk van Cann
56:00
@Daniel : will do, after next week’s KERI meeting
Stephen Curran
56:54
Is there anything written about how that portability can manifest? How does that solve the wallet on a new device problem?
Tim Bouma
58:05
The most important aspect is to ensure that the requirements are properly framed in a simple context.
Bart S
58:09
+1 think 'portability' as a blanket term is somewhat difficult to state objectively as a benefit (though I hear where it would come from)
Antti Kettunen
58:32
To be fair the EU national unique identifiers are good and work where government registries are trusted and data is exchanged by Government officials only, with consent. But in a citizen-centric wallet environment, DIDs work much better. I don’t control my personal national ID, but I can control DIDs. They solve different problems, so two different things.
Isaac Henderson
01:00:28
+1 @Antti
Tim Bouma
01:00:42
Agree+ with the secure attribution layer model.
Dan Bachenheimer (Accenture)
01:03:00
@Antti - yes, agree for National ID they require "Member States shall, for the purposes of this Regulation, include in the minimum set of person identification data referred to in Article 12.4.(d), a unique and persistent identifier in conformity with Union law, to identify the user upon their request in those cases where identification of the user is required by law." and we asked [effectively] that DIDs be supported as well