Recording
Attendees
Sam Smith, Philip Feairheller, Lance Byrd, Rodolfo Miranda, Charles Lanahan, Petteri Stenius, Henk van Cann, Ed Eykholt, Randy Warshaw, Ruth Choueka, Kevin Griffin, Daniel Lenksjö, Cole Davis, Arshdeep Singh, Ajay Jadhav, Mark Scott, Judith Fleenor, Trent Larson
Agenda Items and Notes (including all relevant links)
Time | Agenda Item | Lead | Notes
5 min | Start recording; Welcome & antitrust notice; Introduction of new members; Agenda review | Chairs |
- Antitrust Policy Notice: Attendees are reminded to adhere to the meeting agenda and not participate in activities prohibited under antitrust and competition laws. Only members of ToIP who have signed the necessary agreements are permitted to participate in this activity beyond an observer role.
- New Members:
5 mins | Review of action items from previous meeting | Chairs |
- Sam Smith to create a semantic naming document in the code, call it NAMING.md and check it in. (Almost done)
- Philip Feairheller to add the rotation script demo and 'How to create an IPEX message to perform a "presentation"' to the dev meeting agenda.
- Philip Feairheller to follow up with Karla from GLEIF on updates to the vLEI EGF to account for QVI partial rotation.
5 mins | Announcements | TF Leads | News or events of interest to members:
5 mins | Reports | Open |
- KERIpy / ACDC
- Trust Spanning Protocol / SPAC
- Signify/KERIA
  - Looks like we will be naming the protocol between a client and the server "Signify".
  - Outstanding PR for performing GRANT with chained credentials.
- CESR
  - Draft of proposed codes for CESR 1.1 almost complete.
  - Review new code proposal next week.
- Specifications:
  - More PRs inbound for the ACDC, KERI and CESR specifications.
- KERISSE
25 mins | Discussion | Open |
- Why KERI is more resistant to phishing than other authentication mechanisms
  - "No Shared Secrets"
    - Phishing is an attack BECAUSE of shared secrets.
    - To gain access to remote systems that use shared secrets, you are trained to share your secret in order to get in. That conditioning is what opens you up to phishing.
    - Examples of shared secrets: passwords, OIDC bearer tokens (MGM/Okta compromise), VPN configurations or portals that use client-side certificates.
    - Key Compromise Impersonation attack: in DHKE, any attacker that gains access to a client-side private key can impersonate a server and man-in-the-middle any other client.
  - How KERI is different: KERI has no shared secrets.
    - Access and authentication are based on signing.
  - FIDO does not use shared secrets, but it has no rotation solution, so passkeys can be attacked when they rotate their keys.
- How vLEIs can delegate authority instead of simply specifying a "role"
  - The vLEI specifies a role but is not specific about what authority goes along with that role. How is authority expressed?
  - How does a verifier understand semantically what is being expressed?
  - The vLEI does not answer either of these questions because the semantics are use-case specific.
    - There must be an ecosystem EGF to define these semantics.
    - There is no way to define a universal meaning. Context is king.
- How does AID delegation relate to, or differ from, ACDC delegation?
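The "No Shared Secrets" point above, as an added illustration that is not part of these notes or of any KERI project code: a bearer token handed to a phishing page replays unchanged to the real server, whereas a signature over a challenge that the client binds to the peer it actually observed cannot be replayed, and the private key itself is never presented to anyone. The hostnames, token and challenge format are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// transcript is what the client signs: the peer identity the client itself
// observed (not what the peer claims) plus the server's fresh nonce.
func transcript(observedPeer string, nonce []byte) []byte {
	return append([]byte(observedPeer+"|"), nonce...)
}

// Shared-secret scheme: possession of the token is the whole credential, so a
// token typed into a phishing page replays to the real server unchanged.
func bearerAuth(serverToken, presented string) bool {
	return serverToken == presented
}

// Signing scheme: the server verifies a signature over the transcript it
// expects (its own identity and the nonce it issued). No secret is shared.
func signedAuth(pub ed25519.PublicKey, serverID string, nonce, sig []byte) bool {
	return ed25519.Verify(pub, transcript(serverID, nonce), sig)
}

// PhishingRelay models a phishing site that captures whatever the user presents
// and relays it to the real server. It reports whether each scheme lets the
// attacker in, and whether the honest signing flow still works (constructed names).
func PhishingRelay() (bearerWins, signatureWins, legitimateOK bool) {
	const bank, phish = "bank.example", "bank-login.example"
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	nonce := make([]byte, 16)
	rand.Read(nonce)
	// Bearer token: the user enters it on the phishing page and the attacker
	// presents the identical string to the bank, which cannot tell who holds it.
	token := "session-token-abc123"
	bearerWins = bearerAuth(token, token)
	// Signing: the attacker relays the bank's genuine nonce, but the client signs
	// over the peer it actually sees, and the private key never leaves the client.
	sig := ed25519.Sign(priv, transcript(phish, nonce))
	signatureWins = signedAuth(pub, bank, nonce, sig)
	// The same client talking directly to the bank verifies as expected.
	legitimateOK = signedAuth(pub, bank, nonce, ed25519.Sign(priv, transcript(bank, nonce)))
	return bearerWins, signatureWins, legitimateOK
}

func main() {
	fmt.Println(PhishingRelay())
}
```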
5 mins | Any other business | Open |
5 mins | Review decisions/action items; Planning for next meeting | Chairs |
- Philip Feairheller to add the rotation script demo and 'How to create an IPEX message to perform a "presentation"' to the dev meeting agenda.
- Philip Feairheller to follow up with Karla from GLEIF on updates to the vLEI EGF to account for QVI partial rotation.