2023-01-24 DMRWG Meeting Notes
Meeting Date
The DMRWG meets bi-weekly on Tuesdays at 12:00-13:00 PT / 16:00-17:00 UTC. Check the ToIP Calendar for meeting dates.
Zoom Meeting Link / Recording
Attendees
Main Goal of this Meeting
Modify the mandate of the Data Modelling & Representation WG to cover the Data, Authentic Data/Provenance Chains and Data Governance aspects of ToIP, its projects, working groups and task forces.
The immediate task is looking at the Data Requirements of the ToIP Trust Registry TTF
Agenda Items and Notes (including all relevant links)
Time | Agenda Item | Lead | Notes |
5 min |
| Chairs |
|
5 mins | Review of action items from the previous meeting | Chairs | |
5 mins | Announcements | TF Leads | News or events of interest to Governance Stack WG members: |
20 mins | Data Requirements | Chair | What are the Data requirements of Trust Registries?
Some specifics from the discussion: - What evidence (and critieria) are required to be admitted to a given registry (KYR - Know Your Registrant) DR. Mattia Zago - PhD in CyberScience - working from Italy on cyber security working with/for [Monokee](https://monokee.com/en/homepage/)[mattia.zago@monokee.com](mailto:mattia.zago@monokee.com). Monokee is building an orchestrator for identity access management. - It is a data store (with various APIs) which contains and manages entries for SSI Entities (organizations, people, things) which are considered trustworthy based on criteria defined by the ecosystem (e.g., law society, health care). Criteria includes Similarly, a Data Registry is about Data stores or Data access interfaces, for which the data content meets data credibility and traceability criteria for a given data hub's purpose within an ecosystem (e.g., health records for pharma research). Associated with a Data Registry Registrant would be verifiability of the data producer (entity responsible for collecting, processing and publishing the data) and (data) governance steward ([Wikipedia](https://en.wikipedia.org/wiki/Data_steward)) What information is in a Trust Registry vs the Object listed in the Registry : - A link, reference or SAID is stored in the Registry for each object. To put in ToIP terms, a Register is like (in concept) to a LDAP server (and its' protocol), which includes Active Directory, were in both cases, these directory servers are authorities of trusted data on network components and users as trusted entities from an Authentication and Authorization perspective. What is new is the use of a cryptographic signing on the object's data, plus an audit trail and connection of both data processing and governance which are traceable to cryptographic and governance roots of trust. Comment: Mattia if it's like LDAP, then there can be private data for individuals (as users in a User Registry) Response: A key difference between LDAP and an SSI Registry is that - in the case of an individual (User) a) The Registry will contain a list of User objects, where access to data within the User object is via the User Objects interface. This is in contrast to LDAP having personal data within the LDAP records themselves. b) The Registry is a list of SSI and Data objects that have passed a series of requirements, specified by the Ecosystem that defines the trust criteria for objects of that class (e.g., Users, Issuers, Verifiers, ...). It also provides interface(s) to validate the trust/proof audit trail Another question - (which will not be answered here) - is how will ToIPs view of a Trust/Verifiable Data Registry differ from those being developed elsewhere? That includes the (messaging protocol) and how ToIP will interoperate with other technologies What determines trust? I is likely built on Verifiable Credentials and/or processes very similar to Verifiable Credentials that may involve a combination of KYC/E (Know Your Customer/Etity) governance and technical techniques (crypto signing), which are specified by each Ecosystem and may be an Out Of Band (OOB) process. Ultimately, this is likely a "business" validation process vs. a (purely) technical one. Mattia - which is like a Certification authority - get a "green sticker" for your website if your - have to go through a business validation process to be issued an SSL Certificate Neil: an example of a business process to issue an Identifier is the [GLEIF VLEI project.](https://www.gleif.org/en/vlei/introducing-the-verifiable-lei-vlei). the GLEIF organzation issues a verifiable Legal Entity Identfier, which a cryptographically verifiable Legal Entity Identifier which is globally unique number, which requires meeting business accreditation criteria. Expectation of if I put my ID in a Trust Registry how do you avoid exposing personal information Catalogs of DIDs (or verifiable identifier) - those identifiers Partitioning of functionality of data access between TR and Trusted Entity. Discussions on ToIP GitHub (you will need a GitHub account) Governance will be "centralized' in that an ecosystem will defined the rules/accreditation on what objects can be listed in a Trust Registry Trust registries themselves will be distributed (replications) and will interact with each other by inter-registry trust protocols, rules and accreditation - so they are decentralized. Example. A Canadian Trust Registry may list entities that it lists based on a entry that was accredited by an EU registry. [Continuum Loop Blogs](https://www.continuumloop.com/blog/) - PodCasts and videos [eIDAS view on Trust Registries](https://sgmconsultingservices.com/wp-content/uploads/2022/04/Comments-on-ARF-Document-April-15-2022.pdf) suggest (in a eIDAS Wallet ARF - Architecture and Reference Framework suggests that a trust registry can be for multiple roles, including Verifier, Holder and Issuer. And frankly that could extend to any component, including an executable (e.g., selective disclosure processing toy |
15 mins | Working relationships with other ToIP Task Forces and Working Groups | Chair | It's becoming clear that the big topics for ToIP WG/TFs in 2023, like Trust Registries and Trust Spanning Protocol, will need companion Governance TFs to provide Governance as a first-class deliverable (ToIP is a dual tech/gov stack). Given that a Trust Registry is a specialization of a Data Registry, which will have very high standards of verifiability, having the Data WG focus on this is a priority. |
5 mins | Any other business | ||
5 mins |
| Chairs |
Screenshots/Diagrams (numbered for reference in notes above)
#1
Decisions
- Sample Decision Item
Action Items
- Sample Action Item