Zoom Logo

ToIP - Governance Stack WG - Special Topics - Shared screen with speaker view
Drummond Reed
18:09
http://goodhealthpass.org/
CHARLES WALTON
18:49
=“Good Health Pass” - and it is global in nature.
Kaliya Identity Woman
23:22
there is no such thing as an “open source standard” there are open standards that are free to any one to implement - there is open source code and there are open source implementations of open standards. Please STOP conflating open source and open standards.
Thomas Cox
23:47
Thank you @Kaliya!
Daniel Bachenheimer
23:50
https://www.goodhealthpass.org/
Jim StClair
25:30
Well said @kaliya
Jeff Braswell
25:55
Fair point, Kaliya, this conflation happens from time to time, but it is not the end of the world :). And there may be a de facto “standard” for “open source” (see what I did there ? ) … called … GitHub :)
Paul Knowles
26:17
Will this deck be available for referencing? Some nice work here.
Scott Perry
26:45
I'll work with Paul on this
Kaliya Identity Woman
27:06
It is problematic when communicating about our industry and software in general to conflate them. It also communicates to the technically inclined that the speaker doesn’t necessarily know what they are talking about. But sure it doesn’t matter ;-)
Jeff Braswell
27:32
I agree that the clarification is important
Jim StClair
27:59
interoperability is problematic regardless what they provide
Thomas Cox
28:10
I'm with Kaliya - precision is our friend. I see too much self-inflicted chaos from people unwilling to take the time to be precise. It's work, and it also pays for itself.
Drummond Reed
28:13
Thus the rationale for the Good Health Pass Collaborative
Jim StClair
28:19
+1
Paul Knowles
28:27
I’m staying quiet re semantics. Not easy for me!
Riley Hughes
29:10
I love the candor in this presentation. Thank you David!
Alex Tweeddale
29:30
+1
Wenjing Chu
29:43
+1
Thomas Cox
29:59
Quite the Cambrian explosion of varied efforts.
Jim StClair
30:24
"Cambrian" LOL
Drummond Reed
30:29
Very helpful, thanks David
david
30:45
Thank you!
Paul Knowles
30:55
Thanks, David. Nice presentation.
Daniel Bachenheimer
31:28
thank you David - apart from the Good Health Pass initiative, did you see any organizations attempting to define a blueprint for interoperability?
Jeff Braswell
32:32
All the abbreviations for airports are “IATA codes”
Sumiran
33:05
David can you share the presentation ?
Jim StClair
33:26
That's what we said this morning - worst since 9/11
david
33:30
yep
david
33:30
https://www.slideshare.net/dpjanes/vaccination-passports-survey
Kaliya Identity Woman
34:34
Before publishing it on the web it would be great if you actually fixed the issue I raised about conflating open standards and open source.
Paul Knowles
34:53
Multi-language solution?
D Luchuk
35:56
Have a great session, all.
Riley Hughes
36:00
Andy, how is the “lab registry” hosted, governed, maintained, etc? Maybe we’ll get to that during the ‘governance’ portion of this meeting
david
36:46
I'll see if Slideshare lets me update it
Steve Magennis
37:34
Who provides IATA with the country entrance criteria?
david
37:47
Ah well that's a good question
Sumiran
38:01
Thanks David for sharing it
Thomas Cox
38:03
How can I get my "Cronies-R-Us" corrupt Lab listed in Timatic?
Thomas Cox
38:11
Asking for a friend
Daniel Bachenheimer
38:20
the airlines and they provide scores of updates DAILY
david
38:51
Why doesn't IATA or whomever publish a standard for where countries can publish their business rules for entries.
Andy Tobin
39:26
@Thomas you'd need to convince IATA that you are a legitimate lab and be approved by them to get on their list.
Thomas Cox
39:41
Cool thanks
Steve Magennis
40:16
does IATA then take on the liability for vetting a lab?
Jeff Braswell
40:21
Sounds like a worthwhile project. I’m curious how the accuracy or validity of the various lab tests are measured or validated. ( There are a large number of tests, all with different levels of confidence )
Andy Tobin
41:13
That's right Jedd. It's up to the destination country to set the rules for what test types (Lateral Flow etc etc) they will accept. They notify IATA who add it to their rules database.
Andy Tobin
41:19
*Jeff*
Jeff Braswell
41:29
Question for Lucy: How does this factor/figure with China (given the ban on Google in China) ?
Andy Tobin
41:44
@Steve I think so. I haven't seen their contract with test labs.
Jeff Braswell
42:47
Thanks Andy — there are also variations in quality of application by different providers of the same test, however
Andy Tobin
42:47
@david - they do publish the country restrictions. You can see it here: https://www.iatatravelcentre.com/world.php
Kaliya Identity Woman
43:01
This is a paper about the flavors of VC and potential convergence https://www.lfph.io/2021/02/11/cci-verifiable-credentials-flavors-and-interoperability-paper/
Riley Hughes
43:06
Asking again in case I missed the answer or Andy missed the question: Andy, how is the “lab registry” hosted, governed, maintained, etc? Maybe we’ll get to that during the ‘governance’ portion of this meeting
Jeff Braswell
43:16
Overall problem of confidence in testing
Andy Tobin
43:58
@Riley - the lab registry is hosted by IATA. When new labs are approved, they are added to the verified issuer list (and get a public DID on the ledger).
Thomas Cox
44:20
So IATA is the authority that blesses labs...?
Riley Hughes
44:55
Do you know whether it is accessible to others? For example, could the night club down the road from the airport reference the registry to become a verifier *without* asking IATA for permission?
Paul Knowles
45:18
Andy .. GLEIF involvement?
Jeff Braswell
45:18
Not really, Thomas — they just record opinions of sovereigns
david
45:19
@Andy - I mean the other way: countries publish your rules, and you consume them
david
45:29
Thanks for that link tho
Thomas Cox
45:55
Ooooh, so if I can get a particular nation to bless my lab, I'm in?
Andy Tobin
46:21
@Riley - I very much doubt it Riley. Only accredited labs are allowed in as approved issuers. IATA will have a gatekeeping mechanism with rules for allowing a lab in.
Jeff Braswell
46:36
@Andy — that country, perhaps :)
Andy Tobin
47:15
More IATA Travel Pass info here: https://www.iata.org/en/programs/passenger/travel-pass/
Riley Hughes
47:17
Andy, I mean is that registry public to enable verifiers to reference it? As a night club, I just want to verify people’s recent COVID tests. I might want to reference the IATA registry instead of creating my own trusted list.
Jeff Braswell
47:19
Unless there’s a general ban on the departure country
david
47:29
+1 Riley
Steve Magennis
47:55
@Riley, I can see a model where IATA provides Bob's Lab with a credential saying they are on the IATA list and that is bundled with a presented credential
Andy Tobin
48:33
@Riley - ahhh I see. They haven't got that far yet - it's airlines/airports only at the moment and they are hyper focused to that use case moving. Secondary use cases may come later (I can hear your mind working :-))
Steve Magennis
48:39
i.e. "I trust IATA" "I don't trust the lab"
Riley Hughes
49:12
👍
Jeff Braswell
49:19
sorry, I meant @Thomas ! ( “that country, perhaps “)
Andy Tobin
50:02
@Paul - no GLEIF involvement at the moment. Good thinking though!
Drummond Reed
50:04
Bingo, Steve, that’s exactly what trust registries are for (I note that the label we currently use at Layer 4 of the ToIP stack diagram is “Member Directories”. I’m thinking we should change that to Trust Registries because that’s the term I’m hearing used the most for that role.
Steve Magennis
50:46
@Drummond, not a registry, but a bundle with a cred
Riley Hughes
51:16
Drummond, I guess my question for Andy about the ‘trust registry’ was really getting at whether there is a standard for doing this, or whether everyone is doing their own trusted registry?
Steve Magennis
51:30
in this case IATA would be in a registry, by not necessarily Bob's lab
Steve Magennis
51:36
by == but
Drummond Reed
51:37
@Steve, yes, I totally get that option and am a vigorous supporter of using VCs to communicate trusted status vs. just trust registries
Andy Tobin
51:54
IATA own the "trust registry" of certified and approved labs, and own the governance of the schemas etc.
Drummond Reed
52:13
@Riley, you are indeed asking the $64,000 question: how will trust registries interoperable worldwide for digital health passes?
Drummond Reed
52:30
The WHO Smart Vaccination Certificate Working Group is asking that very same question too
david
52:47
Pin that thought @Drummond!
Steve Magennis
52:59
That seems pretty low cost to answer that question :-)
Chris Buchanan
53:00
@drummond They will not be interoperable. We will need surveillance activities to keep them honest.
Andy Tobin
53:31
There's definitely room for a "verify the issuer" type of proof, where the issuer will have a cred from the governance authority (like IATA) that proves they are a valid issuer. All fairly simple credex tbh.
Drummond Reed
53:33
@Chris, I’m fascinated by that answer. “Surveillance activities”? I hope we get to talk about that on this call.
Jeff Braswell
53:53
Also, test results are very temporal. How long ago was the test conducted ? How long did it take to get the results ? What has happened in the meantime ?
Chris Buchanan
54:03
Random testing and reputation scores for vaccine credential issuers.
Andy Tobin
54:10
Yes, the "freshness" of the test result is a key criteria in the entry rules for a country.
david
54:11
Those types if rules are very locale driven
Andy Tobin
54:21
The test date/time is in the cred the lab issues.
Drummond Reed
54:44
@Jeff, the idea is that the credential only conveys the facts about the COVID-19 test. It’s the verifier that applies their policies about acceptance.
Jeff Braswell
54:49
@Andy, as it should !
Thomas Cox
55:04
If I'm reading the IATA website right, the destination country gets to define what labs it trusts, because they are the ones taking the risk by letting people in. That feels sensible to me.
Chris Buchanan
55:19
I think the only credentials that would be acceptable for other-than-daily use would be vaccination and anti-body.
Drummond Reed
55:33
+1
Jeff Braswell
55:50
@Drummond, understood — not knocking the application of the digital innovation , just thinking about the source problem
Drummond Reed
56:00
+1
david
56:09
It will be defined by location, and it may vary on where the test was done, what the nationality of the person is
david
56:21
There needs to be a very flexible rules system
Drummond Reed
56:39
Exactly. Acceptance policies can and will be highly contextual.
david
57:12
And what the age of the person is!
david
57:38
That's why I worry about highly centralized authorities. How do they keep up? What if they don't keep up?
Riley Hughes
58:09
+1 to Andy’s comment - I’d take it further and say it’s only 10% technology. Everything else is governance, UX, implementation, training the employees, etc etc
Riley Hughes
58:18
At least in our experience
Steve Magennis
58:28
+100
Jeff Braswell
58:34
It begins to sound like the biometric and biological data referenced by IDs will eventually have health histories in general
Chris Buchanan
58:39
The ideal credential would not be a single credential, but a combined presentation based on the rule set the verifier presents. In other words, “prove to me that you have vaccine A1 and A2 and it’s less than 6 month old or you have an antibody test that is less than 3 months old”
Kaliya Identity Woman
59:52
Here is our memo - https://www.lfph.io/2021/02/04/verifiable-credentials-memo/
Andy Tobin
01:00:24
@Chris - yes exactly. It is vital to have two things: 1) Selective Disclosure, to only present the data pertinent to the transaction at hand and 2) compound proofs to enable you to combine data from multiple credentials together.
Tony Rose
01:00:43
right @chris, so a dynamic policy is presented as a proof request and the holder responds with a proof based on one or several credentials held
Kaliya Identity Woman
01:01:03
one of our community identified the opportunity in the Biden administration Eos and we coordinated input from the whole community and it was written in a week.
Victoria Lemieux
01:01:34
n case of compliance issues or need to provide evidence that a vaccination proof, etc was presented, how are you handling this? VCs are peer to peer and transactions are not captured on ledger. If captured on ledger, this is not privacy preserving.
david
01:01:41
You might find that really complex rules may be a high mountain to climb. e.g. Requiring combination of Vaccinations.
Steve Magennis
01:02:42
@david, I think a lot of this heavy lifting takes place in existing trust ecosystems - as it should be. It is really complex
Chris Buchanan
01:02:50
@David, yes. It’s a high mountain, but not as high as integrated governance.
Andy Tobin
01:02:59
@Victoria - good question. The relying party can (if regs permit) store the proof they receive from the passenger, and confirm that they verified it. This is a high standard of dat receipt confirmation.
Victoria Lemieux
01:02:59
+1 Steve
Andy Tobin
01:03:35
@Victoria - none of the credential exchange touches the ledger
david
01:03:59
But why not distributed governance @chris? e.g. why does the government of Canada care about any rules except their own.
Victoria Lemieux
01:04:02
@Andy, Yes, agreed, but need to make sure that this remains authentic and it’s difficult to tie back to legal identity if needed.
Steve Magennis
01:04:46
Club Trinsic, yeah!
Jim StClair
01:05:03
"Show me your papers"
Jeff Braswell
01:05:09
Spoofing ?
david
01:05:10
Well that is worry.
Alex Tweeddale
01:05:18
I see another UK gov U-turn on vaccine passports if the IATA stuff kicks off :D
Chris Buchanan
01:05:27
@David.. that’s my point. Integrated governance is not possible, therefore, we need to fulfill the promises of decentralized ID and climb the multi-credential integration issue.
Jim StClair
01:06:34
+1 Chris
Victoria Lemieux
01:07:17
. . . and all while preserving privacy
Paul Knowles
01:07:27
I’ll keep hammering the importance semantic harmonisation so that WHO can get real-time data insights on vaccine-related data.
Chris Buchanan
01:07:32
+1 to Andy and you also have to make the credential independently authenticatable.
Jeff Braswell
01:07:51
(There’s a hand up)
Thomas Cox
01:07:58
@Paul yes, please let's set up standard terminology! Otherwise all is chaos.
Steve Magennis
01:08:22
@Chris, the multi-credential integration issue is really based in the verification criteria (authority) issue
Daniel Bachenheimer
01:08:45
the IATA model, like the Commons Project, speaks to applying rules on behalf of governments that provide them and providing a RED / GREEN to the border guards upon arrival.... I doubt this would be accepted in many/most countries. At best, it could be used by airlines to determine OK to fly but NO GUARANTEE OF ADMISSION
Victoria Lemieux
01:09:15
Several issues to be sorted out: authority, accuracy, reliability, authenticity, usability, post facto compliance
Chris Buchanan
01:09:24
@Steve so we need to know the question format to answer properly?
Steve Magennis
01:09:25
@daniel +1
Steve Magennis
01:09:45
@Chris - it helps :-)
Riley Hughes
01:09:55
Does IATA already have a governance framework? Is that gov’ce framework published anywhere?
Thomas Cox
01:10:02
(@Paul you might mean something deeper than 'terminology' when you say 'semantic harmonization')
Andy Tobin
01:10:03
@Daniel that is the case with any air travel. It is the responsibility of the airline not to board you if you don't have the docs to get in. But that check is not a guarantee that you will be allowed in when you arrive. These policies already exist.
Jeff Braswell
01:10:15
Firesign Theatre: “Welcome to Turkey. May I see your passport please”
Daniel Bachenheimer
01:10:58
@Andy - yes agree... but this is a new layer and travelers need extra clarity
Chris Buchanan
01:10:59
@Steve - the good news is that the solution space for the questions is limited and it may be that wallet technology be developed to handle a standard query language (presentation requests)
Paul Knowles
01:11:00
Yes, semantic harmonisation … I’ll cut and paste something. One sec.
Drummond Reed
01:12:04
@Riley - IATA is developing a ToIP Layer 4 ecosystem governance framework, but they have not published it yet.
Chris Buchanan
01:12:14
@Daniel - Everyone needs to include the assessment in the visa process prior to travel. I could see countries issuing health visas as a result… makes more sense than a health passport anyway.
Drummond Reed
01:12:36
Good point Chris
Kaliya Identity Woman
01:12:46
read the paper - https://www.lfph.io/2021/02/11/cci-verifiable-credentials-flavors-and-interoperability-paper/ also good news the SVIP test suite for JSON-LD ZKP with BBS+ will be live and public mid -march :)
Steve Magennis
01:12:56
@Chris, agreed. Scoping the solution space will inform the required solution complexity
Chris Buchanan
01:12:58
The nice thing is that the VISA could work for the airline too.
Chris Buchanan
01:13:13
Funny if you need a re-entry visa… LOL
Jim StClair
01:13:14
Yes, good paper @Kaliya
Drummond Reed
01:13:20
+1
Tony Rose
01:13:24
+1 Kaliya
david
01:13:28
I respectfully don't believe it's early days
Riley Hughes
01:13:29
Yes thanks to Kaliya for the paper. Fantastic.
Steve Magennis
01:13:46
Great session. Thanks!!
Lucy Yang
01:13:48
We always refer to Email when talking about interoperability. My outlook calendar is still not working with Gmail calendar.
Daniel Bachenheimer
01:13:57
@chris - absolutely.... when I got my Russian visa I went to the govt web site and followed the govt rules and the govt issued the visa... NOT CVS!!!!
Paul Knowles
01:14:02
Cut and paste ain’t working. Re semantic harmonisation, feel free to ping me an email and I can reveal the problem space and the resolution. paul.knowles@humancolossus.org
Jim StClair
01:14:08
I have to jump, Scott, thanks!
Sumiran
01:14:15
This was a good session, thanks Scott for organizing it.
david
01:14:17
@Andy Tobin - specifically that's it's just a layer, but there's lots of problems above that
Jeff Braswell
01:14:30
Another meeting calls — thanks for the interesting discussion and information.
Victor Syntez
01:14:57
thank you for the meeting!
Chris Buchanan
01:15:21
@Andy - I have trouble explaining it to engineers and developers… much less laypeople
Andy Tobin
01:15:40
@Chris just say "it's a technical trust tunnel" :-)
Chris Buchanan
01:15:48
:)
Riley Hughes
01:16:10
Thanks for organizing Scott.
Lucy Yang
01:16:11
Thanks everyone!
Riley Hughes
01:16:17
Thanks to the panelists as well.
Victoria Lemieux
01:16:23
Thanks everyone! Great initiatives!
Paul Knowles
01:16:26
Thanks, Scott.
Alex Tweeddale
01:16:27
Thanks guys! Really interesting discussion