Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 6 Current »

Meeting Date

  •  

Recording

  • This meeting was recorded on Zoom. View the recording here

Attendees

Main Goal of this Meeting

TBD

Agenda Items and Notes (including all relevant links)

TimeAgenda ItemLeadNotes
5 min
  • Start recording
  • Welcome & antitrust notice
  • Introduction of new members
  • Agenda review
Chairs
  • Antitrust Policy Notice: Attendees are reminded to adhere to the meeting agenda and not participate in activities prohibited under antitrust and competition laws. Only members of ToIP who have signed the necessary agreements are permitted to participate in this activity beyond an observer role.
  • New Members:
10 minsCheckTrustRegistryDarrell O'Donnell
  • We concluded that this should return the same info as CheckIssuer and CheckVerifier
  • If the host TR wishes to keep private the existence of a trust relationship with another TR, then it simply does not list that information in its own TR.
10 minsGetOfflineFile
  • Darrell O'Donnell explained that this option makes offline sync and verification possible while keeping the API very simple.
10 minsX.509 CertificatesAll
  • We discussed what the EU is currently listing in its Trust List entries
  • They are currently using entire base64 encoded X.509 certificates to identify issuers.
    • Drummond Reednoted that this works, but it is a very large, unwieldy identifier from a TR standpoint
    • Jim StClair pointed out the benefit of having a validity check on the entire X.509 cert.
  • Marie Wallace pointed out that the EU's X.509 certificate does not contain a human-friendly identifier (or legal identifier) of the issuer.
    • This makes it difficult to display any human-friendly information about the issuer
    • This is different than Excelsior Pass where the identifier is a DID that resolves to a DID document that contains or has a pointer to the legal identifier of the issuer
  • Italy example - https://github.com/AgID/eidas-italian-node/blob/master/examples/full-sp-metadata.xml
  • Issac said that the TRAIN project in the EU does have an example of how to locate the trust list from a domain name using a Subject Alternative Name in the X.509 cert.
    • TRAIN is already working with GCCN on this.
  • Daniel Bachenheimer explained how Smart Health Cards deal with X.509 keys: https://spec.smarthealth.cards/
    • Drummond Reed noted that this is essentially the same technique as the did:web: method, just without publishing a DID.
    • Marie Wallace pointed out that the SMART Health Card registry listing process does provide a very simple check of the legitimacy of the issuer organization—and a binding to a human-readable name of the issuer organization.
    • Marie Wallace noted that some issuers are not being compliant with the SMART Health Card data model
10 minsReview of our specs (TR Protocol TSS and OpenAPI)Darrell O'Donnell
  • Darrell asked if the current API was complete or more work is needed.
  • What we need is more eyes on the protocol spec and the OpenAPI doc.
  • Having them reviewed by GCCN to see if they meet all their requirements is a clear next step.
  • Marie Wallace explained that IBM is still reviewing all the different TR approaches out there to determine what is really needed and what IBM should be implementing.
    • Marie said that there is a risk of oversimplification AND a risk of overcomplication. So the solution needs to be a Goldilocks zone.
  • Darrell said that MedCreds is also at the review stage.
  • Savita Farooqui asked Marie Wallace about how verification works for Excelsior Pass and whether this an OpenAPI.
  • Daniel Bachenheimer pointed out the link to documentation for Path Check's universal verifier app: https://github.com/Path-Check/universal-verifier-app 
5 mins
  • Review decisions/action items
  • Planning for next meeting 
Chairs
  • Darrell will be on vacation next week - do we want to skip next week's meeting? No conclusion yet - we will take that question to Slack.

Decisions

  • As of this point in time, pending review, the TR API will consist of four calls: CheckIssuer, CheckVerifier, CheckRegistry, GetOfflineFile

Action Items


  • No labels