Meeting Date & Time
This Task Force meets every Wednesday. There are two meetings to serve different time zones:
- NA/EU meeting: 08:00-09:00 PT / 16:00-17:00 UTC
- APAC meeting: 18:00-19:00 PT / 02:00-03:00 UTC
See the Calendar of ToIP Meetings for exact meeting dates, times and Zoom links.
Zoom Meeting Links / Recordings
- NA/EU Meeting: https://zoom.us/rec/share/kF9m3cYn6nhCUnJIy2Y9Awzwdu0n10wdmJxyuEXe5vrqx7v9o0Flqo_ej-aJkhI9.EMe_NWr3DrszG4GV
- APAC Meeting: https://zoom.us/j/96772881287?pwd=bzZUNXRhVUNzVjR2Z3B2cVVxc2ZUZz09
NOTE: These Zoom meeting links will be replaced by links to recordings of the meetings once they are available (usually by the end of the day of the meeting).
Attendees
NA/EU:
APAC:
Agenda Items and Notes (including all relevant links)
Time | Agenda Item | Lead | Notes |
3 min |
| Chairs |
|
2 min | Review of previous action items | Chairs | None |
25 mins | What VID types are needed first by implementers? | Chairs | This discussion will help us focus on the key requirements we need in the VID section of the Working Draft. Darrell O'Donnell observed that the process of deciding about the acceptability of a VID is a two-part question:
Sam Smith said that he wants to push receivers towards the most secure VIDs. He said that we should provide examples of the types and instances of VIDs that can prevent the most attacks. He said we are facing a tsunami of "edge attacks", and mentioned the HIPAA "Wall of Shame" showing how many breaches and the size of each. So "we are losing the battle" to protect HIPAA. That will capture all of OIDC and all of DNS. The list we compiled is:
Sam Smith noted that any ledger-based DID method can use the ledger to verify key state. But if keys are compromised, the ledger cannot confer that fact. Sam explained that a key compromise impersonation attack is now quite common. So any VID method that is based on the Web is susceptible to this attack. There is a link to the attack is in the SPAC white paper. Any protocol that is not signing messages is subject to this attack. Double-ratchet does not protect directly from the attack, but it does shorten the time window. KCI Attack:
FWIW - this might be a bit stale - I produced this 3 months ago as an object of conformity for verifiable identifiers. https://github.com/dgc-cgn/CAS-Digital-Trade-Documentation/blob/main/scheme/objects/obj-verifiable-identifier.md Whether to adopt a VID or not depends on Risk Analysis. If certain attacks are deemed low risk by a given eco-system, then that's their choice in terms of what VID types are acceptable. this paper might be better though https://www.usenix.org/system/files/conference/woot15/woot15-paper-hlauschek.pdf Wendy: Aren’t we talking about modularity and defense in depth? |
5 mins | What transport types are needed first by implementers? | Chairs | This discussion will help us focus on the key requirements we need in the transports section of the Working Draft. List:
|
Key rotation | APAC: We discussed that this issue has not yet been closed, but that an optional standard TSP control message providing notification of key rotation would handle it. | ||
Trust Registry TF | Darrell O'Donnell | Tomorrow will have mathieu showing a demo of a registry-of-registries model. The goal is still to have an implementer's draft before the end of March. | |
5 mins |
| Chairs | NO MEETING NEXT WEEK as Wenjing is traveling and we are going to give him time to move the Google doc to Spec-Up. |
Screenshots/Diagrams (numbered for reference in notes above)
#1
#2
#3
#4
#5
#6
#7
#8
#9
#10
Decisions
- Sample Decision Item
Action Items
- Sample Action Item