2024-06-04 KERI/ACDC Meeting Notes

Zoom Meeting Link / Recording

Attendees

Sam Smith Philip Feairheller Kevin Griffin @ari argoud Rodolfo Miranda Henk van Cann Kent Bull Lance Byrd Steven Milstein Ruth Choueka Sai Ranjit @Rubel Edyta P Nuttawut Kongsuwan @Khagesh Sharma Mark Scott Joseph Lee Hunsaker @Erick Pacheco Pedraza

Agenda Items and Notes (including all relevant links)

Time | Agenda Item | Lead | Notes
5 min
  • Start recording
  • Welcome & antitrust notice
  • Introduction of new members
  • Agenda review
Chairs
  • Antitrust Policy Notice: Attendees are reminded to adhere to the meeting agenda and not participate in activities prohibited under antitrust and competition laws. Only members of ToIP who have signed the necessary agreements are permitted to participate in this activity beyond an observer role.
  • New Members:
5 mins | Review of action items from previous meeting | Chairs

Added new action item for Kevin Griffin to update the New Discussion Items on the main wiki page

5 mins | Announcements | TF Leads

News or events of interest to members:

5 mins

Reports

Open
  • Specifications
    • CESR - Sam Smith pushed changes adopting RFC 2119 normative keywords (MUST/SHALL). Please review!
    • The KERI and ACDC specs will get the same RFC 2119 treatment; those changes are on their way
  • KERIpy
    • Kevin Griffin  
      • Bug fixes / rename issues
      • Updated the Dockerfile to fix issue with Alpine
      • Updates for ReadTheDocs
      • Started working on upgrades to databases in basing
    • Philip Feairheller 
      • PR coming with externalized payloads of EXN messages as attachments
  • KERIA


25 mins | Discussion | Open
  • FIDO2 Integration
    • Likely resulting from conversations around did:tdw
    • did:tdw with pre-rotation alone does not protect against "dead attacks": a compromised stale key, or a malicious controller, can produce an alternative history that still verifies
      • In did:tdw the only protection against dead attacks is control over the URL that publishes the DID document
        • This means did:tdw is no more secure than the existing web infrastructure it relies on
      • KERI's protection against dead attacks comes from witnesses and watchers (duplicity detection) together with anchored data
    • The conversation led to the question whether using parts of KERI would give a more secure PKI with better adoptability
      • Conclusion: if you want a simple PKI that is more adoptable, why not just use FIDO2?
    • FIDO2 authenticates by signing, and is therefore stronger than TLS, which relies on the encrypted channel for authentication
      • The weakness of FIDO2 is key rotation
    • KERI solves the following hard problem:
      • "Can I maintain control over a persistent identifier despite key compromise?"
      • This assumes key compromise will happen
        • If you don't care about key compromise (i.e. you assume the PKI is strong enough), then you don't need KERI
    • Henk van Cann: some folks may want to make the trade-off of assuming PKI is "enough"
      • Sam Smith: for standards bodies that are creating specifications for "Trust", making this assumption means forcing it on everyone who wants to use the spec
  • Mini-Conference on the first day (June 18th) at DICE in Zürich
    • Proposal from Henk van Cann:
      1. Answers to questions from EU Digital identity service providers tendering ARF: https://github.com/WebOfTrust/WOT-terms/issues/159 ; who: Henk after curation
      2. KERI Suite introduction: vision, team, code, governance, implementation ; who: Henk
      3. How to get started with education about the KERI Suite ; who: Henk
      4. Why has KERI been built the way it is? ; who: Henk (hopefully Sam there to correct)
      5. KERI’s killer security features and scalability ; who: Sam?

  • Kent Bull: is there any use for a DID Doc with KERI?
    • Could a DID Doc be used to communicate information about issuers or verifiers?
    • Sam Smith: a DID Doc only makes sense in the context of standard DID resolution


5 mins | Any other business | Open
5 mins
  • Review decisions/action items
  • Planning for next meeting 
Chairs
  • Kevin Griffin to add action items to the top-level Wiki page
    • Topics for discussion
      • User Experience
        • OOBI exchanges
      • Watcher Network
      • FIDO2 integration
      • Where to store rotation keys? From meeting chat:

        "we don’t have a recommendation about storing and generating pre-rotation keys. If we generate and store pre-rotation keys on the same system that generates the signing keys, and an attacker can compromise the signing keys, the attacker can very easily compromise the rotation keys as well"

      • Sam, how would we explain the fact that even when not using a blockchain system, KERI still introduces other components such as jurors and watchers to solve the duplicity detection problem, which only appears because of the need for more than just the principal of the entity? IMHO it seems like we still need to trust others to avoid bad actors. What is more, to make it more available we are still using components to expose the KELs of entities. Meanwhile blockchains solve it inherently at the expense of ledger locking.
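The dead-attack discussion under FIDO2 Integration and the rotation-key storage quote above turn on the same mechanism, so here is one added worked example covering both. It is not KERIpy or KERIA code and nothing in it is from the meeting; it is written in Go only because Go's standard library ships Ed25519 and SHA-256 so it runs offline. The event format (pipe-separated fields, hex SHA-256 digests, one key per event, integer sequence numbers) and the names Controller, Witness, DeadAttack and Scenario are this example's own simplifications, not CESR or the KERI spec. It builds a minimal pre-rotation KEL, verifies it, then forges an alternative history from a stale private key that was once committed to as the next key, shows that the forgery verifies on its own exactly as the honest log does, and shows that a first-seen witness is what detects the duplicity. The same `next` field is the key the chat quote warns about: whoever holds it, live or stale, can produce the next valid rotation.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Event is a toy key event: one current key plus a pre-rotation commitment. Ad hoc format, not CESR.
type Event struct {
	Seq   int
	Kind  string // "icp" inception, "rot" rotation, "ixn" interaction
	Prior string // digest of the previous event, "" for inception
	Key   ed25519.PublicKey
	Next  string // sha256 of the next public key: the pre-rotation commitment
	Data  string // payload anchored by an ixn event
	Sig   []byte
}

func digest(b []byte) string                     { s := sha256.Sum256(b); return hex.EncodeToString(s[:]) }
func gen() ed25519.PrivateKey                    { _, k, _ := ed25519.GenerateKey(rand.Reader); return k } // toy: error ignored
func pub(k ed25519.PrivateKey) ed25519.PublicKey { return k.Public().(ed25519.PublicKey) }

// body is what gets signed; Said is its digest and serves as the event identifier.
func (e Event) body() []byte {
	return []byte(fmt.Sprintf("%d|%s|%s|%x|%s|%s", e.Seq, e.Kind, e.Prior, e.Key, e.Next, e.Data))
}
func (e Event) Said() string { return digest(e.body()) }

// Controller holds the live signing key and the pre-rotated next key (the storage question from the chat).
type Controller struct {
	cur, next ed25519.PrivateKey
	KEL       []Event
}

func NewController() *Controller { c := &Controller{cur: gen(), next: gen()}; c.append(Event{Kind: "icp"}); return c }

func (c *Controller) append(e Event) {
	e.Seq = len(c.KEL)
	if e.Seq > 0 { e.Prior = c.KEL[e.Seq-1].Said() }
	e.Key, e.Next = pub(c.cur), digest(pub(c.next))
	e.Sig = ed25519.Sign(c.cur, e.body())
	c.KEL = append(c.KEL, e)
}

// Rotate promotes the pre-rotated key to current and commits to a fresh next key.
func (c *Controller) Rotate()               { c.cur, c.next = c.next, gen(); c.append(Event{Kind: "rot"}) }
func (c *Controller) Interact(data string) { c.append(Event{Kind: "ixn", Data: data}) }

// Verify checks a KEL in isolation: chaining, signatures, and that each rotation uses exactly
// the key the previous event committed to. It cannot tell a forged fork from the real history.
func Verify(kel []Event) error {
	for i, e := range kel {
		if e.Seq != i || !ed25519.Verify(e.Key, e.body(), e.Sig) {
			return fmt.Errorf("bad seq or signature at %d", i)
		}
		if i == 0 && e.Kind == "icp" { continue }
		if i == 0 || e.Prior != kel[i-1].Said() {
			return fmt.Errorf("broken chain at seq %d", i)
		}
		prev := kel[i-1]
		switch {
		case e.Kind == "rot" && digest(e.Key) == prev.Next: // new key was pre-committed
		case e.Kind == "ixn" && e.Key.Equal(prev.Key): // no key change
		default:
			return fmt.Errorf("event at seq %d not allowed by prior key state", i)
		}
	}
	return nil
}

// Witness keeps the first-seen digest per seq. A different event at a seen seq is duplicity:
// the evidence that exposes a dead attack, which Verify alone never sees.
type Witness struct{ seen map[int]string }

func (w *Witness) Receipt(kel ...Event) error {
	for _, e := range kel {
		if d, ok := w.seen[e.Seq]; ok && d != e.Said() {
			return fmt.Errorf("duplicity at seq %d", e.Seq)
		}
		w.seen[e.Seq] = e.Said()
	}
	return nil
}

// DeadAttack forks the honest KEL at forkAt using a stale private key whose public key was
// committed to by event forkAt-1. No live access to the controller is needed.
func DeadAttack(honest []Event, forkAt int, stale ed25519.PrivateKey) []Event {
	a := &Controller{next: stale, KEL: append([]Event{}, honest[:forkAt]...)} // copy, never alias honest
	a.Rotate()           // alternative rotation signed by the stale key; attacker picks the new Next
	a.Interact("forged") // and keeps extending its own history
	return a.KEL
}

type Outcome struct{ HonestVerifies, ForgeryVerifies, WitnessDetectsDuplicity, UncommittedKeyRejected bool }

// Scenario: honest history, a fork built from a stale key, and a first-seen witness.
func Scenario() Outcome {
	c := NewController()        // seq 0: icp with K0, commits H(K1)
	c.Rotate()                  // seq 1: rot to K1, commits H(K2)
	k2 := c.next                // K2's private key; assume the attacker recovers it later
	c.Rotate()                  // seq 2: rot to K2, commits H(K3)
	c.Rotate()                  // seq 3: rot to K3, so K2 is now stale ("dead")
	c.Interact("honest anchor") // seq 4
	w := &Witness{seen: map[int]string{}}
	_ = w.Receipt(c.KEL...)              // the witness saw the honest KEL first
	forged := DeadAttack(c.KEL, 2, k2)   // verifies on its own, just like the honest KEL
	bogus := DeadAttack(c.KEL, 2, gen()) // a fresh key cannot satisfy the commitment
	return Outcome{Verify(c.KEL) == nil, Verify(forged) == nil, w.Receipt(forged...) != nil, Verify(bogus) != nil}
}

func main() { fmt.Printf("%+v\n", Scenario()) }
```

Running it prints all four fields true: the honest and forged KELs both pass Verify, only the witness that saw the honest events first reports duplicity at seq 2, and an attacker without the pre-committed key cannot forge a rotation at all. That last case is why pre-rotation alone does defeat a live attacker who only steals the current signing key, and why storing `next` beside `cur` gives that protection away.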