Meeting Date
The ToIP Trust Registry Task Force (TRTF) meets weekly twice every Thursday at the following times (to cover global time zones - see the Calendar of ToIP Meetings for full meeting info including Zoom links):
NA/EU 07:00-8:00 PT / 15:00-16:00 UTC
APAC 18:00-19:00 PT / 02:00-03:00 UTC
Zoom Meeting Link / Recording
NA/EU MEETING:
@David Poltorak
@Subhasis
Agenda Items and Notes (including all relevant links)
Time | Agenda Item | Lead | Notes | |
5 min |
| Chairs |
| |
5 min | Review of previous action items | Chairs | ||
15 mins | Issue/PR Review | @Dave Poltorak | Issue/PR Review https://docs.google.com/spreadsheets/d/1UTzCvFr8np652cnyt-WB3R3TjYjZdL0egw5wX5b5Pf0/edit?usp=sharing | |
10 mins | Previous TRTF Call Review | Andor | ||
10 mins | TRQP Common Data Model Work | Andor | https://gist.github.com/andorsk/3c1f1d869644d4d0c58f9cb3f78028b5 |
5 mins |
| Chairs |
Screenshots/Diagrams (numbered for reference in notes above)
- Motivations and Use Cases: Timing and Use Cases.
- Requirements:
- How do we fit the TRQP to fit the requirements.
- Is X Authorized Y to do Z.
- Drummond Reed: GAN Network Credentials. This fits to the model.
- For *Motivations and Use cases*, I think Is X authorized Y to do Z should be flexible enough for being able to do that kind of queries: https://verana-labs.github.io/decentralized-trust-spec/#tr-resol-verification-of-permission-in-decentralized-trust-registries
- so maybe we should add “in context C”
- Requirements:
- Interaction Pattern Documentation : Develop and include documentation on interaction patterns for working with a Trust Registry using TRQP. These guides should address common use cases and provide practical examples to facilitate integration.
- Abstract Data Model Formalization Introduce an abstract data model that serves as a foundation for formalizing implementations. This model will standardize core concepts and provide a consistent framework for compliant systems and variants.
- Needs a simple and clear way to traverse trust networks.
- Tim Bouma Context. Represented by an identifier. Signature is applied to context. Tuple.
- Fabrice Rochette: @Drummond Reed agree, that’s why we should keep it simple, and maybe focus on authorization queries first.
- Has Z granted Y to X.
- Drummond Reed: Context: Governance Framework. Authorization can expressed as an identifier in a way that other systems don't need to understand semantics.
- Tim Bouma : Simplicity of the spec
- Clean the OpenAPI Specification : Perform a comprehensive review and overhaul of the OpenAPI specification. Simplify and clean up the API endpoints to ensure accuracy, consistency, and ease of implementation.
- Incorporate Data Models into the Specification
- Blocked by Abstract Data Model Formalization but need to happen to bind spec to concrete data types.
- @Jesse and @Drummond +1
- Reference Implementation and Implementation Guide Create a reference implementation of the TRQP to serve as a baseline for community evaluation. Prioritize simplicity and clarity to make it an accessible resource for developers
- Learning tool.
- Antti Kettunen
- Trust List
- More refined authorization query.
- More complex ones people will customize their work.
- Drummond Reed:
- Trust List is a trivial form of the triple.
- Tim Bouma:
- Trust list lives in a context. Trust List can sign the context.
- Recursive property needs to be built into the Abstract Data Model.
- Antti Kettunen:
- Asset test can be given.
- Consolidation happens. Commission : List of Trusted Lists.
- Can we model the EU Trust Model using Data Model and Implementations
- Drummond Reed:
- Antti Kettunen might be able to help increase gradient to learn about requirements.
- TRQP needs to be accepted to the EU.
- Tim Bouma:
- Usually TL imply a hierarchical thing.
- Antti Kettunen:
- Where do we anchor this?
- Drummond Reed:
- Requirements to traverse the graph in a Authority neutral way.
- @Dave Poltorak:
- Layer above the trust establishment to communicate.
- How does data move across the trust graph using TRQP?
- Antti Kettunen:
- Doesn't matter how you implement your trust framework
- Common Data Model is requirement
- Conformance Test Kit: Develop a conformance test kit to establish clear criteria for TRQP compatibility. This tool will help implementers verify their adherence to the specification and improve interoperability across implementations.
- Tim Bouma: Whatever we do needs to be machine readable.
- Grant of rights.
- Improve the Review Process
Right now the review process is rough. We need it to be cleaner and have more formal reviewers/editors to the specification.- Prioritizing the changes / implementer feedback
- Editors:
- Volunteers:
- Fabrice Rochette
- @Dave Poltorak : PR Review Next week.
- Add Security and Privacy Considerations Introduce a dedicated section in the specification to outline security and privacy considerations. This section should detail potential attack surfaces using the TRQP.
- We should evaluate Unlinkability
- The whole point of a TR is for Linkability....but something to consider
Decisions
...
Notes:
Jesse Carter : TRQP and OIDF
Darrell O'Donnell : Do they fall into the specification itself.
Supporting material
@TODO: Folder
Focuses
Motivations : Spec and needs cleanup
Use Cases : Supporting material
Interaction Pattern Documentation : Supporting but informs spec. Non-normative.
Interaction Patterns: Other ecosystems.
2 interaction patterns:
How do I use the TRQP?
How do I support the TRQP, so what do I need?
Tim Bouma : For implementers, knowing how it is implemented in the context of building is really important to use it. Needs to internalize the model before implement it.
Antti Kettunen : More abstraction the more complexity. The model is simple, but complexity in interpreting it.
Implementers guide would be a document to help people to understand how to start to work the abstract data model.
@Subhasis :
Looking at it from an implementers side.
Really struggling on how to implement the specification on both sides.
Governance side : everything is governed as strings, not sure how to use it.
OIDF Side: Diagram with bridge to OIDF, not sure how to do it.
Implementers guide: Extremely important to support the statements being made.
Agreed. Critically important.
If someone is waiting for the implementation guide, might not be for them right now.
@Subhasis : Can be two separate documents, but specification without implementers guide is difficult to interpret.
@Dave Poltorak : What’s the state of the spec?
Darrell O'Donnell : On Implementers Draft
Jesse shared this document : https://docs.google.com/document/d/1E6lj8NdpNmScFKYMK3P9em1riJCx3c5H8y-lgqgwU4s/edit?usp=sharing
Drummond: Implementers leading to an implementers guide is a good thing
Tim Bouma : API first vs. Protocol first models.
Document isn’t the deliverable. Community is the deliverable.
Ecosystems are discovered out of band
DON’T assume you’re using the TRQP to “discover” new systems to trust (i.e. new EGFs). That is out-of-band.
DO assume that the EGFs that you are aware of create a simple web.
Bhutan :
Credential in bhutan
Member of EGF
Multi-hop question vs. discovery question
This is not a data modeling question.
This is a business question.
A lot of different questions, and clumping them.
with OID federation,
Do we have a common root?
Are you authorized to issue attestations?
Do we share a governance framework that governs this authorization
Do we have a common ancestor?
Multiple small questions
Drummond Reed It seems like we have two categories of queries: graph traversal queries (to get to the authoritative TR) and then authorization queries (once you have located the authoritative TR).
Antti Kettunen What about “provide me a certificate I can use to verify a signature”? Is that an authorisation query?
Drummond: Needs to be as general as we can.
TRTF Next Week
Validity status / revocation?
Screenshots/Diagrams (numbered for reference in notes above)
Decisions
Action Items
- Sample Action Item