...
- NA/EU meeting: 08:00-09:00 PT / 16:00-17:00 UTC
- APAC meeting: 18:00-19:00 PT / 02:00-03:00 UTC
See the Calendar of ToIP Meetings for exact meeting dates, times and Zoom links.
Zoom Meeting Links / Recordings
- NA/EU Meeting: https://zoom.us/j/97402960831?pwd=dVdYRWNOOEE3a3ZpQXVLM1h5VFpUQT09APAC Meeting: https://zoom.us/j/96772881287?pwd=bzZUNXRhVUNzVjR2Z3B2cVVxc2ZUZz09rec/share/kF9m3cYn6nhCUnJIy2Y9Awzwdu0n10wdmJxyuEXe5vrqx7v9o0Flqo_ej-aJkhI9.EMe_NWr3DrszG4GV
- APAC Meeting: No recording available (we recorded the meeting to the Zoom cloud, but it did not return a link.)
NOTE: These Zoom meeting links will be replaced by links to recordings of the meetings once they are available (usually by the end of the day of the meeting).
...
NA/EU:
APAC:
Agenda Items and Notes (including all relevant links)
Time | Agenda Item | Lead | Notes |
3 min |
| Chairs |
|
2 min | Review of previous action items | Chairs | None |
25 mins | What VID types are needed first by implementers? | Chairs | This discussion will help us focus on the key requirements we need in the VID section of the Working Draft. Darrell O'Donnell observed that the process of deciding about the acceptability of a VID is a two-part question:
Sam Smith said that he wants to push receivers towards the most secure VIDs. Sam Smith He said that we should provide examples of the types and instances of VIDs that can prevent the most attacks. We He said we are facing a tsunami of "edge attacks". Sam , and mentioned the HIPAA "Wall of Shame" showing how many breaches and the size of each. So "we are losing the battle" to protect HIPAA. That will capture all of OIDC and all of DNS. The list we compiled is:
Sam Smith noted that any ledger-based DID method can use the ledger to verify key state. But if keys are compromised, the ledger cannot confer that fact. Sam explained that a key compromise impersonation attack is now quite common. So any VID method that is based on the Web is susceptible to this attack. There is a link to the attack is in the SPAC white paper. Any protocol that is not signing messages is subject to this attack. Double-ratchet does not protect directly from the attack, but it does shorten the time window. KCI Attack:
FWIW - this might be a bit stale - I produced this 3 months ago as an object of conformity for verifiable identifiers. https://github.com/dgc-cgn/CAS-Digital-Trade-Documentation/blob/main/scheme/objects/obj-verifiable-identifier.md Whether to adopt a VID or not depends on Risk Analysis. Darrell O'Donnell: If certain attacks are deemed low risk by a given eco-system, then that's their choice in terms of what VID types are acceptable. This paper was recommended: https:// www.usenix.org/system/files/conference/woot15/woot15-paper-hlauschek.pdf Wendy: Aren’t we talking about modularity and defense in depth? |
5 mins | What transport types are needed first by implementers? | Chairs | This discussion will help us focus on the key requirements we need in the transports section of the Working Draft. List:
|
Key rotation | APAC: We discussed that this issue has not yet been closed, but that an optional standard TSP control message providing notification of key rotation would handle it. | ||
Trust Registry TF | Darrell O'Donnell | Tomorrow will have mathieu showing a demo of a registry-of-registries model. The goal is still to have an implementer's draft before the end of March. | |
5 mins |
| Chairs |
Screenshots/Diagrams (numbered for reference in notes above)
#1
#2
#3
#4
#5
#6
#7
#8
#9
#10
Decisions
...
NO MEETING NEXT WEEK as Wenjing is traveling and we are going to give him time to move the Google doc to Spec-Up. |
Decisions
- None
Action Items
- Sample Action ItemNone