2023-03-15 Meeting notes

APPROVED

https://kantara.atlassian.net/wiki/spaces/PEMCP/pages/168427549


Date

Mar 15, 2023

Attendees

See the Participant roster

Voting (5 of 9 required for quorum)

| # | Participant | Attending |
|---|---|---|
| 1 | Aronson, Marc | Yes |
| 2 | Chaudhury, Atef / Krishnaraj, Venkat | Yes |
| 3 | Davis, Peter | |
| 4 | D'Agostino, Salvatore | |
| 5 | Hodges, Gail | Yes |
| 6 | Jones, Thomas | Yes |
| 7 | Thoma, Andreas | Yes |
| 8 | Wunderlich, John | Yes |
| 9 | Williams, Christopher | Yes |

Non-Voting

| # | Participant | Attending |
|---|---|---|
| 1 | Auld, Lorrayne | |
| 2 | Balfanz, Dirk | |
| 3 | Brudnicki, David | |
| 4 | Dutta, Tim | |
| 5 | Flanagan, Heather | Yes |
| 6 | Fleenor, Judith | |
| 7 | Glasscock, Amy | |
| 8 | Gropper, Adrian | |
| 9 | Hughes, Andrew | |
| 10 | Jordaan, Loffie | Yes |
| 11 | LeVasseur, Lisa | |
| 12 | Lopez, Cristina Timon | |
| 13 | Snell, Oliver | |
| 14 | Stowell, Therese | |
| 15 | Tamanini, Greg | |
| 16 | Vachino, Maria | |
| 17 | Whysel, Noreen | |

Other attendees


Goals

  • Check-in on work progress

  • Review draft outline and status of writing tasks

Discussion items (AKA Agenda)

Time

Item

Who

Notes


5 min.

  • Start the meeting.

  • Call to order.

  • Approve minutes

  • Approve agenda

@John Wunderlich 

Called to order: 13:04

Quorum reached: Yes

Minutes to approve: approved

https://kantara.atlassian.net/wiki/spaces/PEMCP/pages/151683073 https://kantara.atlassian.net/wiki/spaces/PEMCP/pages/158138369

0 min.

Open Tasks Review

All

 

15 min.

Workgroup Charter Update

@John Wunderlich

Two final changes - see PEMC WG Charter 2023 v8

  • Minor wording changes in background (replace “Relying Party” with “Verifiers” and add “privacy” to concepts IAM systems and practitioners must pay attention to)

  • Regarding a question of “On this diagram - why do we need to mention ‘Wallet’? Can it just be app? Same for Verifier / Reader, can we just mention verifier?”

    • John did it this way to encompass the expectations of different stakeholders who use both terms. For our purposes, they serve the same function.

    • Consensus is to remove “verifier” from Verifier / Reader in the green box (lower right)

    • Regarding Wallet / App, that is how it’s used by AAMVA; general consensus is to use “App”

  • Provider/Vendor - why don’t they match on both sides? It’s not always a vendor relationship with the Holder, where it more likely is with the Issuer and Verifier. General consensus is to leave this as is.

  • Suggest we also update the graphic to include a Terms and Conditions box between the Issuer and the Provider (Provider accepts terms from the Issuer; some of these things may be passed on to the Holder, others may not)

    • Note the Provider may have relationships with every entity in this diagram

    • Perhaps we need a text box linked off from the Issuer indicating it may have constraints as a result of terms from Providers and Verifiers

    • In practice, there should be dotted lines between Issuers and Providers; there are starting to be contracts between Issuers and Providers, but the space is not mature.

      • Is there regulation about how IDs can be used? How is all this enabled in terms of law and regulation? It all depends on legal frameworks. The law is especially patchy (i.e., not all use cases are covered)

    • The issue may be more nuanced than a text box on the diagram can capture.

    • Note that while we do not specifically discuss laws and contracts, and we are not lawyers, we must recognize that contractual relationships can introduce patterns to watch for.

Motion to approve the charter modulo the changes as discussed today (specifically: replace “Relying Party” with “Verifiers” and add “privacy” to concepts IAM systems and practitioners must pay attention to; update the diagram to change Wallet / App to App, Verifier / Reader to Reader; update the graphic to replicate what’s between Provider and Holder in between Provider and Issuer; move all dates by one quarter) - APPROVED

30 min.

Draft Report

@John Wunderlich

Draft report: Google doc

Why is this limited to in-person?

  • That has been done to limit the scope and help get this early document out sooner. Also, the ISO spec is not ready for remote use cases either. Perhaps rephrase as in-person use cases, both attended and unattended (who is responsible for making a match between the data and the person; use case 2 could support something like a kiosk that the person must physically use). Can we call out the scope where the verification could be done by the device rather than a person on the other side? Suggest making the point in use case 2 that the verifier could be a person or a device.

    • We do not have a technical standard for doing use case 2, and are unlikely to have one any time soon. If we want to limit to what we have now, then use case 2 might be premature.

    • Is this about privacy or about standards? What about what’s coming into the marketplace now? Are we writing to what humans need, what things might look like in the future, or tying to standards? If we’re working to any mobile credentials, then we need to reflect broader use cases.

    • The user’s device is performing the verification and the match in the first sentence in UC2. Something like a Stripe device can do that, but there are limitations to what companies are allowed to put financial apps on phones. If the verifier needs to know about the hardware being presented, that’s a privacy concern. It trusts the bits based on the issuance, not on the device, and yet it is difficult to imagine where a verifier can ignore the device itself when verifying information. If the issuer has done that device verification, though, will the verifier need to do more?

    • This question of how much we suggest compliance with current standards is not part of the use case; it may come later.

    • There is a fundamental difference when it comes to who is doing the verification of the person. Proposed change is to remove the notion of biometric identification from the first half of UC2.

5 min.

Government-issued Digital Credentials and the Privacy Landscape

@Heather Flanagan

Draft ready for a private comment period; public comment period to start (hopefully) later this month.

5 min.

Other Business



None

 

Adjourn



 

Next meeting

Mar 22, 2023

Action items