2023-03-22 Meeting notes

Aronson, Marc

Yes

Chaudhury, Atef / Krishnaraj, Venkat

Yes

Davis, Peter

D'Agostino, Salvatore

Yes

Hodges, Gail

Jones, Thomas

Yes

Thoma, Andreas

Wunderlich, John

Yes

Williams, Christopher

Yes

Auld, Lorrayne

Balfanz, Dirk

Brudnicki, David

Dutta, Tim

Flanagan, Heather

Yes

Fleenor, Judith

Glasscock, Amy

Gropper, Adrian

Hughes, Andrew

Jordaan, Loffie

Yes

LeVasseur, Lisa

Lopez, Cristina Timon

Snell, Oliver

Stowell, Therese

Tamanini, Greg

Vachino, Maria

Whysel, Noreen

5 min.

• Start the meeting.

• Call to order.

• Approve minute

• Approve agenda

@John Wunderlich 

Called to order: 13:04

Quorum reached: Yes

Minutes to approve: Approved, no objections

https://kantara.atlassian.net/wiki/spaces/PEMCP/pages/166002689

Introductions:

• New member - Jazzmine Dowtin, working for Idemia as their government relation associate.

0 min.

Open Tasks Review

All

45 min.

Draft Report

@John Wunderlich

Draft report: Google doc

• This is the framing document, not the final deliverable of recommendations.

• Purpose and Scope

  • diagram must be replaced with most current version (done). Would be helpful to have a legend that explains the different types of lines, arrows, colors.

• Reading this doc (and throughout)

  • Instead of “user” or “Hope” consider using “Holder” or “Verifier” as appropriate.

  • Need to reconsider the word “describe” in the definition of Holder. It says nothing about the binding to the device; perhaps we deal with that in the use case description. Perhaps “the natural person whose attributes are contained in a mobile credential.”

    • Is it ok that we’re touching on delegates? Where are they handled in the doc? The Holder and the Subject are distinct. The Holder has to control the device, even though that’s not part of the definition now.

• UC2 - reminder to see the conversation from last week (https://kantara.atlassian.net/wiki/spaces/PEMCP/pages/166002689 ). There is no verification that the Holder is the holding the device. There are different definitions of unattended, and if we’re referring to the ISO use case, it might take us in a different direction. Suggest to just remove the offending sentence entirely.

  • Regarding @PeterD (Deactivated) ‘s comment in the doc, will come back to it when he’s on the call.

• UC3 - if we’re deleting the previous in-person note, we should remove it from this as well.

• UC4, UC5 - consider replacing “mDL” with “mobile credential”. We need to be consistent throughout, though if we want to be specific, it’s not wrong in a use case.

• UC5 - “and use high levels of security”

  • might suggest an arrow between the Issuer and Verifier in the diagram? No, this is more like wallet providers talking to the OS.

• UC6 - ok

• Terms and Definitions

  • appropriate friction - a term we may want to come back to.

  • also a concerned with the use of “implied” consent.

    • To discuss on the next call. Please submit any written input for review before the call. Individuals are welcome to post to the PEMC blog, but please make sure it is clear they are writing as individuals, not on behalf of the PEMC WG.

5 min.

Government-issued Digital Credentials and the Privacy Landscape

@Heather Flanagan (Unlicensed)

Draft ready for a private comment period; public comment period to start the first week of April

5 min.

Other Business

NCCoE call for comment on the mDL - see . Comments due 31 March 2023. Even a mention that our work is underway would be helpful

Adjourn