1A/ ToIP and Digital Trust Ecosystems

From IIW



Tuesday 1A

Convener: John Jordan, Dave Luchuk, Karl Kneis

Notes-taker: Sankarshan


Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:


Link to Trust over IP whitepaper: https://trustoverip.org/wp-content/uploads/sites/98/2020/05/toip_introduction_050520.pdf

[Karl] Welcome notes - to share the Trust over IP Foundation story. Introductions for John Jordan, ED of ToIP

[John Jordan] Note of thanks for the organizers of IIW31. ToIP was launched a week after the IIW30 and started out with 27 member organizations. Growth to 160+ members - working and collaborating for interoperable digital trust. It has been a busy 6 months for the ToIP Foundation (a JDF under The Linux Foundation). We have 6 Working Groups - the engine of the Foundation. The examples we’ll discuss are not hypothetical - these originate from members of the ToIP working on using VCs based on open standards and implementing in their ecosystem “The Trust Triangle”. The credentials have to work inside their own trust domains and across trust domains - how can a group of organizations make use of credentials originating from another domain? Our goal is making people’s lives easier and more secure. We want people to be able to use the internet to do business and in their personal lives and feel confident in doing so - without fear and impediments.

John shares anecdotes from his interactions with the nursing staff.

[David Luchuk] Introduction - focus of his roles. Introducing the “dual stack” at ToIP. The stack provides us with a model for ecosystems of credentials to emerge.

[Karl] The Ecosystem Foundry Working Group has attracted many businesses across industries seeking to get together to focus on interoperability and success in real life use cases.

Introduction to the members from the EFWG

[Gena Morgan / GS1] - currently identifying a few use cases for PoC efforts. Looking for feedback on these use cases from experts in SSI, DIDs and VCs

[John Court] So currently I assume there is no protection around proving who minted an RFID?

[Timothy Ruff] FYI KERI addresses proving who minted an ID. Curious if GS1 is looking into KERI?

[Charles Walton / Mastercard] https://idservice.com/ - identity inclusion was quite causal to the lack of financial inclusion. Digital payments are led by identity - ID and authentication are core topics to types of payments. Identity is pivotal. Mastercard is a platform for the bank partners - the digital identity service being rolled out works cross borders. Placing the individual at the center of the digital interaction - privacy is preserved. Transparency and multi-market interplay is important and a key aspect. Design principles, identity-tech standards, standards around vertical market and representation of claims (types of claims and how they appear during data exchanges). The vision of ToIP as a multi-layer model is key to the outcomes being worked on and the group of individuals/companies motivated to join. There is still a lot of work to do. Collaboration is the key to be able to address the challenges and problems to be able to make the data exchanges required for payment systems.

[Jim St.Clair / Lumedic] Lumedic is a member of the Steering Committee at ToIP. Patient identity has unique challenges - the issue of patient identification - correlating to the right individual is what is the current focus. It does not inherently align to or support SSI or decentralization of identity. This brings about marketability of healthcare data. How do we build in mechanisms to preserve privacy while being able to healthcare engagements in a frictionless environment? The work on the ToIP stack contributes to making this outcome possible.

[Drummond] With ToIP stack having both governance and technology, how is governance being used?

[Jim] Lumedic is providing the technical underpinning, business framework and policies, rules for the exchange members when sharing and exchanging credentials.

[Drummond Reed (standing in) / GLEIF] GLEIF is a governance authority and issues an identifier LEI - classic federated identifier. GLEIF would be creating a digital trust ecosystem through LEIs. LEI holder can also issue VCs to organizations and things. Not limited to people. GLEIF is a founding member of ToIP.

[Timothy Ruff] GLEIF was formed post financial collapse. The G20 authorised the identity to issue LEI to every financial institution on earth, e.g. BoA has a single identifier of all entities across the world. This solves the problem of regulators and compliance entities could assess how extended banks were. Outside of ICANN this is the only other identity to issue globally unique identifier.

[Ajay / Stanford University] (presentation) How might we return to campus safely? Every informed decision must rest on a foundation of trust? ToIP-based interoperable framework between test labs, doctors/hospitals and the community of students and staff. ‘Protected Entry Use Case’ - for access to public areas and requires proofs that they were recently tested negatively along with other specific proofs around being a student and so forth.

[Charlie] Have you (or anyone in the community) defined what a CV19 health status, or a CV19 vaccine claim looks like within a W3C VC? This is an important interoperability topic for the industry (travel, health, government) to work through. I would be quite interested to understand if there are answers, thoughts, details, something/somewhere in GitHub or elsewhere that address this detail. I am reachable at charles.walton@mastercard.com if anyone is aware of an answer for the industry.

[Daniel Hardman] Orie Steele did some great work to define a schema for COVID credentials, and I believe his proposal was checked into a W3C repo. I don’t have the link to his schema at hand, but you could ask him for it.

[Margo Johnson] I believe this is the previously mentioned repo re: COVID credentials: https://github.com/w3c-ccg/vc-examples/tree/master/docs/covid-19

[Jeff Kennedy] If this is done on a phone, how do you assert that the holder of the phone is the person they claim to be?

[Daniel Hardman] Binding a holder to a credential can be done in various ways, depending on the level of assurance you need. Biometrics is one of the strongest ways. Hyperledger Aries is about to have two RFC proposals about biometric binding to credentials; see https://github.com/dhh1128/aries-rfcs/blob/bsp/features/0529-biometric-verification-protocol/README.md

[Dan Bachenheimer] How do we know that the presenter is that person?

[John] Horizontal ecosystems. A call out for the Human Experience WG at the ToIP. Would like to see ToIP find a way to bring in some of the voices who are at this moment not being included.