SSI Adoption Sequence in a Pandemic

From IIW

Tuesday 1D

Convener: Adrian Gropper

Notes-taker(s): Scott Mace & Orie Steele

Tags for the session - technology discussed/ideas considered:

Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:

http://docs.google.com/document/d/1KX6Xcm_jAzj_CWMhoYjFBOX7KXE8vVEgYHua6Kj_AKo/edit

Scott Mace’s Notes here are followed by other notes immediately below. Thank you, all.

Adrian Gropper: There is a natural sequence of steps that, for the example of an immunity passport, is going to have to happen. A lot of it may be somewhat controversial. This is tied to a prescription use case in the W3C standards. There is a credential prescriber that issues a credential to a subject (the patient) then verified by a pharmacist. Not that different from the British Columbia use case. Which entities and individuals have to do what?

Alan Karp: Missing the ability to delegate. Someone going to the pharmacy on someone else’s behalf.

Orie Steele: Case where credential subject and credential holder are different.

Alan: Would be nice if holder of prescription could delegate to a third party after the fact.

Adrian: I agree with you Alan. How might we modify the sequence? Leave it as a comment or let’s discuss it.

Alan: State of New York didn’t have delegation. Here, you would add a row in the table where holder of the credential will be able to delegate it. Owner of a file can change the access control list.

Adrian: In this sequence, the patient does not really need a DID at all. I consider this to be an asset in terms of adoption, because it’s one less thing to deal with.

Alan: The mechanism isn’t as important as the function.

Orie Steele: You could request a delegated credential from OAuth, get back a bearer token. How about transactional OAuth?

Adrian: Justin is the man. We are hopefully headed to the IETF version of the authorization server. To be standardized in OAuth 3 or whatever. Simplifying the OAuth flows, which are very difficult to use in practice. FHIR is fundamental to what’s going on here. If you monitor the lists where people discuss this, it’s a disaster.

Karp: Signed JWTs may be better for nonrepudiation than bearer tokens.

Stewart Whitman: There’s a continuum between going to the hospital all the way to self-testing. How can we think about a trusted intermediary? Where is the likelihood of that continuum going to come out? ... I could confound a test if it is unproctored.

Adrian: You’re right.

Stewart: I formerly worked for Clear. That’s great in a closed system. In an open system, that’s only as valuable as what it’s being bound to. Need witnesses. Like age-based verification for alcohol purchases. Easy to confound into a wallet, whether in closed loop or an SSI system.

Phil Wolff: Public health subject matter expert?

Dr. Saeme MD: immunity passport, it depends on how you use it. Immunity is normally linked to vaccination. Normally, it’s confirmed by a certified doctor or vaccinator or public health provider. When it comes to COVID-19, it’s really complicated to delegate that to the user. We have no specific test we can trust 100%. Even if you have recent infection, you might still be shedding virus. This is why we have to divide between immunity and the virus itself. Until we get a vaccine, we will need to do both. If you have positive immunity, you might be protected, but we don’t know for how long. If you are negative, you will need to take a test that you are not carrying the virus. After 24 hours you could get the virus contamination again.

Phil: We have a rapidly-changing definition of what’s useful information. The rites and rituals around how a passport might be used will vary. I only see one scenario. We need a collection of scenarios. And still protect privacy of the individual.

Dr. Saeme: When required by a government or employer, you have your own information. Public health [is different].

Adrian: It might be easier for us to view this issue if we thought about contact tracing as the problem, rather than the immunity passport. They both have the same authorization server, has the same characteristic, which is you have to solve for authorization as to what information is available to the issuer. Do you just have proximity? Or do you also have location? And this is a huge debate in Europe, where some countries are rejecting the Apple/Google method because it doesn’t [include] location. My point is the authorization server serves both sides of the health record, of the interpretation made by one of these expert credential issuers. On input side, access to risk profile? On the verifier side, do they have access to the result? Law enforcement, employers? Discrimination.

Eric Welton (Korsimoro): I’m a big fan of trustee concept. Gets beyond idea of an immunity passport. The project I’m working on now, two consulting houses, close to half million employees total. Reopening football matches in Europe, Tokyo Olympics, office space, airlines. These are semi-public spaces. They’re guarded. Tested upon entry. They need to do something that’s better than nothing. A phase we need to go through on short end where we don’t have really rich issuance verification. Emirates was doing nurses at the airport. After that, moving to a place where you can bring your own data. Having someone at a Walmart or pharmacy witness a test. A lightweight risk assessment that integrates your credentials. Using the Walmart.com signing certificate. Could be done in 3 weeks. Not a strong solution, moves towards bring your own certification, proof of stuff, an integrated interpretation. I’d love to get to a place where we have a trustee-based solution. Bring your credentials.

Adrian: From perspective of these very large operators, what incentive do they have to adopt standards?

Eric: Real pain not to bring nurses into office buildings. Bring some kind of proof to move the pain point of getting tested away from the front door. They have a motivation to pursue standards to push that into the healthcare environment where it belongs. Now it becomes a small item they have to pay for, not a large one.

Adrian: They lose interest. If you’re right, the cost is not in eliminating the doorman but in eliminating the nurse.

Eric: This is the path that leads us to a long-term solution.

Adrian: All this worrying about a verifiable credential is unimportant in the adoption scheme of things. Fair statement?

Eric: I’ve been an advocate for having a clearinghouse for the medical payload. You can get some light convergence on the encodings. Outside of that, need to use a particular standard like W3C, I don’t think anybody cares, because these are semi-public environments. I already have a lot of PII about you. Security cameras. I am watching you. Not quite private. I was just at the cargo terminal at the airport here. Semi-public space. 100 vendors there but it is a highly regulated access environment. Took 20 minutes to get an on-the-spot credential. So I was allowed to walk around the facility. Those are the kinds of semi-public environments that have a slightly different set of rules than the society at large.

Orie Steele: I have a tiny demo in the DID space.

Adrian: Tell us where it fits.

Orie: Like you said, we need to be able to bind credentials to pictures. Mostly around using the VC data model in DIDs. One thing I’ve noticed working with CCI and W3C and DIF, not a lot of feedback on that piece. Crypto is irrelevant. I’m reaching the end of how I can contribute to the discussion as a technical person.

Stephen Curran: I’ve been going through your document. Seems incredibly complex. In the past we would have used paper for this. There’s a bridge in Ottawa checking people bringing paper, police won’t touch it. VC model is the new paper. We built the demo, I’m from the BC gov team, the big thing about that from the complexity point of view. For humans used to paper credentials, the whole VC model makes incredible sense, much more palatable for everyone to make use of and understand. That is the bigger enabler for creating an environment where something works, where we can apply SSI technology. We want verifiers to be able to trust it. We’ve been amazed how quickly we can put it together. Demo is BC safe entry, for an extended care facility, might include immunity passport or COVID test. It replaces visitor logs. I focus entirely on how to enable issuers and verifiers.

Adrian: In India I mentioned Aadhaar as the biometrically-linked digital credential. I’m asking you in a situation where a government can dictate who gets to cross the bridge… I tell them you have to include an authorization server in India Stack. Need VC to be somewhat standardized. What would the Indians have to do to take up any of the standards we’re talking about here?

Stephen: Don’t know.

Adrian: That’s my point. If you’re not going to drive adoption Chinese-style…

Anil John: My mom is 90, lives in India in a state called Kerala in the extreme south. Was interested in how somebody of her generation uses this technology. My mom has a piece of paper with a number on it and an incredibly bad photo. To prove her ID, she gives the paper to one of her cousins in order to get stuff. Let’s be real about the magic of the India stacks. There is a set of services I’m sure that uses it. Everything else is, shall we say, flexible. I would stay away from contact tracing for now. We may be putting in place technical rails that may have unintended consequences downstream. On the immunity cert piece of it, let’s get real. The fastest anybody has developed a vaccine was 4, 3 years. We’re still about 18 months to 2 years out from a vaccine. Whenever I hear about immunity certs, the question in my head, just because we can do it doesn’t mean that we should. Feels like a desire by technologists to move things forward. Instead of immunity certs, what is considered essential in the supply chain is very different. A lot of fragility in it. Maybe they’re the ones who need a mechanism to prove that they are indeed essential. Feels as though the immunity cert conversation is just so early at this point in time because of what we don’t know.

Adrian: You’re certainly right from a tech perspective, but wrong from a policy perspective. If we do not put in the infrastructure to manage pandemics and treatments that aren’t there yet, at this point, we would be negligent. We have to run an authorization server in a way people can trust.

Anil: I agree we need a clear understanding of how to prove a certain set of entitlements. The equivalent of a doctor’s note. We’ve had that technology for the last 10-15 years. Not as magical as SSI or UMA or OpenID Connect. Question is, if this was so important, why are we not focusing on the interoperability frameworks around existing technology?

Stephen: I agree with Adrian, although we don’t know what the credentials look like, we need the infrastructure. We have 6-18 months. The demo we prepared is the combination of all the credentials that allow people to travel or go into different places.

Dr. Saeme: In many areas we have no testing or lack of sufficient testing, and the epidemic is very new. We will be dealing with this until we get a vaccine. When we get it, might take 3-4 years to immunize the 60, 70% needed to stop the epidemic. Quarantine rules oblige medical providers to inform the authorities to stop the infection. Any kind of certificate should be tightly linked to a real identity.

Slack channel: http://iiw.slack.com/archives/C012VNM1760

The key challenge for SSI is adoption

Immunity passports are a natural use case for SSI; this ties back to the prescription use case defined by W3C (never waste a crisis).

Is delegation of credentials a possibility? Where does delegation fit into the model in the link above?

Delegation could be something other than OCAP.

Patient does not need a DID.

Can we get Transaction Authorization Server / OAuth3 reference implementation links?

FHIR is critical to existing healthcare systems; we need a FHIR <-> OAuth3 showcase.

Encrypted JWT good for preserving privacy… when we say “bearer token” we may want to specify that we prefer the encrypted JWT format.

Here is an example of a not-encrypted JWT for a Rapid Test; it’s based on this CCG work: http://github.com/w3c-ccg/vc-examples/blob/master/docs/covid-19/v2/v2.md

Regarding Liveness Detection Test: https://www.bioid.com/ ^ Open ID Video based biometric facial recognition…

Secure Data Store (Identity Hubs / Encrypted Data Vaults)

http://github.com/decentralized-identity/secure-data-store

^ joint work item with W3C and DIF.

For anyone that is not aware of the COVID Credentials Initiative, the issues being discussed here, are also being grappled with here: http://covidcreds.com

Q. How does decentralization strengthen/weaken passports/tracing?

Q. What are the incentives for standard adoption by government?

Q. Africa is working on a five minute ten-cent self-test strip, producing billions of them yearly. How well are we modeling individual self-testing and reporting?

Q. What “shovel ready” SSI infrastructure exists that can scale globally if, say, China or India or the EU said “Yes!” on Monday?

Q. What SSI solutions work on really old stupid phones used by a few billion humans? Proof points.

BC Canada’s “Safe Entry” app looks to replace visitor logs and guest pass generation.

Links from slack:

Interop demo links for VC Data Model + DIDs:

http://c19-vc.com/

http://wallet.interop.transmute.world/

http://verifier.interop.transmute.world/

Here is our little blog post on it: http://medium.com/transmute-techtalk/covid-immunity-badges-dd9b8a05fa86

BC Gov Example: Here is the link - https://vonx.io/safeentry