Zoom Meeting Link / Recording
Attendees
Sam Smith, Philip Feairheller, Kevin Griffin, ari argoud, Rodolfo Miranda, Henk van Cann, Kent Bull, Lance Byrd, Steven Milstein, Ruth Choueka, Sai Ranjit, Rubel, Edyta P, Nuttawut Kongsuwan, Khagesh Sharma, Mark Scott, Joseph Lee Hunsaker, Erick Pacheco Pedraza
Agenda Items and Notes (including all relevant links)
Time | Agenda Item | Lead | Notes
5 min | Start recording; Welcome & antitrust notice; Introduction of new members; Agenda review | Chairs |
  - Antitrust Policy Notice: Attendees are reminded to adhere to the meeting agenda and not participate in activities prohibited under antitrust and competition laws. Only members of ToIP who have signed the necessary agreements are permitted to participate in this activity beyond an observer role.
  - New Members:
5 mins | Review of action items from previous meeting | Chairs | Added a new action item for Kevin Griffin to update the New Discussion Items on the main wiki page
5 mins | Announcements | TF Leads | News or events of interest to members:
  - European Identity Conference is this week
  - Identity Week is next week
  - DICE is in 2 weeks
  - Henk van Cann: ToIP Terminology Breakthrough
5 mins | Reports | Open |
  - Specifications
    - CESR: Sam Smith pushed changes with RFC 2119 keywords (MUST/SHALL). Please review!
    - KERI and ACDC spec RFC 2119 changes are on their way
  - KERIpy
    - Kevin Griffin
      - Bug fixes / rename issues
      - Updated the Dockerfile to fix an issue with Alpine
      - Updates for ReadTheDocs
      - Started working on upgrades to databases in basing
    - Philip Feairheller
      - PR coming with externalized payloads of EXN messages as attachments
  - KERIA
25 mins | Discussion | Open |
  - FIDO2 Integration
    - Likely resulting from conversations around did:tdw
      - did:tdw using just pre-rotation does not protect you against "dead attacks": a compromised stale key or a malicious controller
      - The only thing that protects against dead attacks is control over the URL that publishes the DID doc
      - This means that did:tdw is no more secure than existing web infrastructure.
      - The mechanism to protect against dead attacks is provided by KERI with Witnesses and Watchers and anchored data.
    - The conversation led to "isn't it better to use some of KERI to get more secure PKI" and provide more adoptability
    - Conclusion: If you want simple PKI that is more adoptable, why not just use FIDO2?
      - FIDO2 signs data and therefore is more secure than TLS, which uses encryption for authentication
      - The weakness of FIDO2 is key rotation.
    - KERI solves the following hard problem:
      - "Can I maintain control over a persistent identifier despite key compromise?"
      - This assumes key compromise.
      - If you don't care about key compromise (i.e., you assume PKI is strong enough), then you don't need KERI
      - Henk van Cann: Some folks may want to make the trade-off of assuming PKI is "enough"
      - Sam Smith: for standards bodies that are creating specifications for "Trust", making this assumption means that you are forcing this assumption on everyone who wants to use this spec.
  - Mini-Conference on the first day (June 18th) at DICE in Zürich
    - Proposal from Henk van Cann:
      1. Answers to questions from EU Digital Identity service providers tendering ARF: https://github.com/WebOfTrust/WOT-terms/issues/159 (who: Henk, after curation)
      2. KERI Suite introduction: vision, team, code, governance, implementation (who: Henk)
      3. How to get started with education about the KERI Suite (who: Henk)
      4. Why has KERI been built the way it is? (who: Henk, hopefully with Sam there to correct)
      5. KERI's killer security features and scalability (who: Sam?)
  - Kent Bull: is there any use for a DID Doc with KERI?
    - Could a DID Doc be used to communicate information about issuers or verifiers?
    - Sam Smith: it only makes sense to use a DID Doc in the context of standard DID resolution.
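The pre-rotation and dead-attack point from the FIDO2 / did:tdw discussion above, as an added example that is not from the meeting, the KERI specifications or any KERI implementation: a toy Go model of a key event log in which each establishment event commits to the digest of the next key. It shows that a rival rotation built from a stale, compromised key pair passes the pre-rotation checks when a verifier sees only the attacker's copy of the log, and is caught only by a verifier in the watcher role that already first-saw the genuine log. Event, Log, Accept and DeadAttack are names chosen here; real KERI uses CESR encoding, witness receipts and richer event types, none of which are modelled.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Event is a toy establishment event: only the pre-rotation logic is modelled, not KERI's real CESR/JSON encoding.
type Event struct {
	Sn   int               // sequence number in the key event log
	Key  ed25519.PublicKey // current signing key, pre-committed to by the prior event
	Next [32]byte          // commitment to the next signing key (its digest)
	Sig  []byte            // signature over Sn||Key||Next made with Key
}

func digest(k ed25519.PublicKey) [32]byte { return sha256.Sum256(k) }
func (e Event) body() []byte               { return append(append([]byte{byte(e.Sn)}, e.Key...), e.Next[:]...) }
func keypair() ed25519.PrivateKey          { _, k, _ := ed25519.GenerateKey(rand.Reader); return k }
// makeEvent signs with cur and commits to next's public key.
func makeEvent(sn int, cur, next ed25519.PrivateKey) Event {
	e := Event{Sn: sn, Key: cur.Public().(ed25519.PublicKey), Next: digest(next.Public().(ed25519.PublicKey))}
	e.Sig = ed25519.Sign(cur, e.body())
	return e
}
type Log struct{ events []Event } // a verifier's first-seen key event log, as a watcher keeps one per identifier
// Accept enforces the pre-rotation rules plus the first-seen rule (identical replays are not special-cased).
func (l *Log) Accept(e Event) error {
	switch {
	case e.Sn != len(l.events):
		return errors.New("first-seen rule: an event at this sn was already accepted, or sn is out of order")
	case e.Sn > 0 && digest(e.Key) != l.events[e.Sn-1].Next:
		return errors.New("revealed key does not match the prior commitment")
	case !ed25519.Verify(e.Key, e.body(), e.Sig):
		return errors.New("bad signature")
	}
	l.events = append(l.events, e)
	return nil
}

// DeadAttack: the controller incepts with k0 (committing to k1) and rotates to k1 (committing to k2); an attacker who later
// steals the stale pair k0,k1 forges a rival sn-1 rotation. Returns acceptance by a verifier seeing only the attacker's log, then by a watcher.
func DeadAttack() (freshAccepts, watcherAccepts bool) {
	k0, k1, k2, evil := keypair(), keypair(), keypair(), keypair()
	icp, rot, forged := makeEvent(0, k0, k1), makeEvent(1, k1, k2), makeEvent(1, k1, evil)
	fresh, watcher := &Log{}, &Log{}
	_, _ = watcher.Accept(icp), watcher.Accept(rot) // the watcher first-saw the genuine log
	return fresh.Accept(icp) == nil && fresh.Accept(forged) == nil, watcher.Accept(forged) == nil
}
```

The forged event is a valid rotation by pre-rotation rules alone, which is why a resolver that only fetches whatever the publishing URL currently serves cannot tell it from the real one.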
5 mins | Any other business | Open |
5 mins | Review decisions/action items; Planning for next meeting | Chairs |
  - Kevin Griffin: add action items to the top-level Wiki page
  - Topics for discussion
    - User Experience
    - Watcher Network
    - FIDO2 integration
    - Where to store rotation keys? From meeting chat:
      "we don't have a recommendation about storing and generating pre-rotation keys. If we are generating and storing pre-rotation keys on the same system that is generating signing keys, and if an attacker can compromise signing keys, the attacker can very easily compromise rotation keys as well"