2021-11-23 Aries Summit Session

Summary:

• Mobile Infrastructure
  • Mobile Verifiers
  • Device Recovery (Backup/Restore/Sync/Rotation to new keys)
  • Secure Element usage
  • SDK / Embedding Agents into existing Mobile Apps

Note: This call was recorded and the recording and chat transcript are at the bottom of the page.

Date

23 Nov 2021 (7AM-9AM Los Angeles)

Anti-Trust Policy:

Linux Foundation meetings involve participation by industry competitors, and it is the intention of the Linux Foundation to conduct all of its activities in accordance with applicable antitrust and competition laws. It is therefore extremely important that attendees adhere to meeting agendas, and be aware of, and not participate in any activities that are prohibited under applicable US state, federal or foreign antitrust and competition laws.

Examples of types of actions that are prohibited at Linux Foundation meetings and in connection with Linux Foundation activities are described in the Linux Foundation Antitrust Policy available at http://www.linuxfoundation.org/antitrust-policy. If you have questions about these matters, please contact your company counsel, or if you are a member of the Linux Foundation, feel free to contact Andrew Updegrove of the firm of Gesmer Updegrove LLP, which provides legal counsel to the Linux Foundation.

Dial-in link

https://zoom.us/j/93810537086

Attendees                                                                                                                                                            

• Sam Curren <sam@indicio.tech>
• James Ebert <james.ebert@indicio.tech>
• Akiff Manji <amanji@petridish.dev>
• Clecio Varjao <clecio.varjao@gov.bc.ca>
• Darrell O'Donnell <darrell.odonnell@continuumloop.com>
• Stephen Curran (Cloud Compass Computing Inc.) <swcurran@cloudcompass.ca>
• Sai Ranjit Tummalapalli <sairanjit.tummalapalli@ayanworks.com>
• Jakub Koci <jakub.koci@gmail.com>
• Jason Leach (BC Gov) <jason.leach@fullboar.ca>

Welcome / Introductions

Focus

Mobile Infrastructure

Discussion Topics

• Mobile Verifiers
  • We need them.
  • Flow
    • Holder displays QR, Verifier scans with mobile app and sees the result. - Common Model, assumed by those new to industry.
    • 'presenting' the QR code feels natural when 'presenting' a credential.
    • QR is best as invitation, not requiring user to know in advance what to present.
    • Verifier can also display QR.
    • Speed of transaction
      • User prepares to have transaction happen fast
        • Preselect or preauthorize set of actions
        • Can be assisted by governance / trust registry to find common targets
      • build set of 'reapprovals' after done initially.
        • save my authorization
  • Unique Features
    • Offline Verifications
      • Can't use shortened QR codes
      • BLE Verification useful offline
        • Needs framework support
      • Machine Readable Governance - cached
        • Cache schemas
        • Cache public keys for verifiers?
        • Pass file? (Interaction)
      • NFC - Needs investigation
    • Common Hardware
    • Framework support required
      • Offline aware
    • UI Supports required
    • Cache Needed
      • Speed of local assets
      • Mechanisms
        • Trust Registry Protocols - https://wiki.trustoverip.org/display/HOME/ToIP+Trust+Registry+Protocol+Specification
          • Webinar - https://www.continuumloop.com/trust-registries-webinar/
        • Machine Readable Governance
        • Hard Coded
      • TTL
    • User Experience
      • Clear for Holder
      • Clear for Verifier
      • Clear indication of where in the flow they are. Universal progress bar?
      • Particularly for non-happy paths
        • Internationalization / Localization
    • Performance
    • Auditing verifications
      • reporting verifications back to main org
      • minimal disclosure auditing
      • knowing what is stored/passed
  • Actions Items
    • Framework Support
      • Caching
      • Transport (BLE, NFC)
    • Summary of existing state - Where are we?
      • BLE
        • https://github.com/decentralized-identity/didcomm-bluetooth/blob/main/spec.md
      • NFC - how would it work? - Sebastian (Lissi)
      • Docs about Machine Readable Governance is currently being used.
        • Mike to provide overview in a few weeks, for now a presentation
        • Trust Registries from ToIP - Darrell provided, to link
        • How do verifiers get templates of presentation requests so they know what to ask.
    • UX of selecting which you want to verify and doing verifications
      • Use cases – e.g. Verifier is processing a line up going into an Event collecting Ticket+PoVaccination
      • UX for some use cases
• Device Recovery (Backup/Restore/Recovery/Rotation to new keys)
  • Backup / Restore Formats?
  • https://w3c-ccg.github.io/universal-wallet-interop-spec/
  • Data Model + app specific in the same format?
  • Keep them separate?
  • Security of backups?
    • huge attack vector – e.g. family member restores backup to new device and uses data
    • Is it possible to disable an old phone when a restoration is done to a new phone?
    • Assumption is that encrypted backup goes one place, the recovery key goes elsewhere and the only come together for restore
      • Is there more that can be done?  Other protections?
        • N of M recovery mechanism – e.g. Shamir's Secret Sharing (coolest algorithm ever!)
      • Can this be done with self-service?  Is that safe enough?
      • Selective recovery – is that possible?
  • Some things that can't be backed up or restored
    • Example is a device-based keys – you can't back these up
      • If there is a credential somehow tied to a device key, that credential must be reissued (and that's OK)
  • How to do continuous backups (don't lose data)?
    • File format
      • File format for a full backup
        • Contents – connections, credentials, history
      • Will we have to do (more or less) continuous backup - full backup every time efficient enough vs. incremental?  Classic backup issues.
        • Treat this as an optimization for now
    • An RFC to define such a protocol to be used with a backup service – perhaps supplied by a mediator (but could be any connection).
      • Setup backup – location, recovery key(s) (format – e.g. passphrase? biometrics?), restoration process
      • Make backup – ongoing – data format
      • Retrieve backup for restoration
      • Restore backup using recovery key(s)
    • How can Mobile OS features help with this?
      • E.g. Backup/Restore of app data
• Secure Element usage
  • Provinces Project - diagram, markdown - decisions when making a wallet.
    • starting point for security framework oriented folks.
• SDK / Embedding Agents into existing Mobile Apps

Action items

Call Recording