Session Date/Time: 26 Jul 2024 00:00
spice
Summary
The inaugural SPICE working group meeting focused on digital credentials and their presentation for both human and non-human use cases. Key discussions included addressing concerns about the charter process, agreeing on a workflow utilizing GitHub for drafts and the mailing list for substantive decisions, presentations from the WIMSE working group on workload identity, and initial discussions around use cases and document adoption for policy guidance and selective disclosure of credentials (COESA SDCWT).
Key Discussion Points
- Charter Concerns: Brian Campbell raised concerns regarding open PRs against the charter from a previous BOF that were seemingly ignored. The Area Director (Paul Vauta) suggested a potential recharter if the working group agrees on necessary changes.
- Working Group Workflow: A consensus emerged for using GitHub for draft iterations and issue tracking, while reserving the mailing list for significant decisions and substantive discussions. Editors will flag controversial points for mailing list discussion.
- WIMSE Presentation: Justin Richer and Peter Saint-Andre presented on the Workload Identity in Multi-System Environments (WIMSE) working group, highlighting the focus on securing workload-to-workload communication in microservices architectures and addressing challenges of cross-boundary identity and context propagation.
- Use Cases: Explored use cases related to binary credentials (CBOR), cryptographic agility (post-quantum), FIPS/NIST compliance, selective disclosure type mechanisms, and regulatory cases related to compliance logging.
- Use Case Documentation: A discussion ensued regarding documenting use cases. Concerns were raised about publishing as an RFC due to evolving requirements, with suggestions to use GitHub or a working group-controlled wiki instead.
- Policy Guidance Document (BCP): Ori Hoch presented a document aimed at providing guidance to policymakers on how to describe data shapes and encodings separately, using examples from international trade regulations.
- COESA SDCWT (Selective Disclosure Credentials): Mike Jones presented on a draft specification for Selective Disclosure CWT, emphasizing proof of possession, data minimization through salted disclosed claims, and the issuer's control over redactable claims. Concerns were raised about potential overlap with existing ISO standards such as MDocs and the mandatory nature of the CNF.
Decisions and Action Items
- Charter Review: The working group will review Brian Campbell's concerns about the charter and discuss potential revisions.
- Workflow Agreement: The working group agreed to use GitHub for draft development and issue tracking, with the mailing list reserved for substantive discussions and decisions. Editors will identify controversial points for mailing list discussion.
- Use Case Document Adoption: The working group will consider adopting a use case document for internal purposes (WG-adopted informational status), with the understanding that it will not be published as an RFC and is intended to be a living document. This will be confirmed on the mailing list.
- COESA SDCWT: Discussion regarding COESA SDCWT will continue and consider the points raised about potential overlap with the existing ISO document MDocs, the mandatory confirmation claim and the general layering approach.
Next Steps
- Continue discussion on charter revisions and confirm any required rechartering steps with the Area Director.
- Editors should set up the working group's GitHub repository and establish guidelines for managing draft submissions and issue tracking.
- Chairs will initiate a call for input on the use case document and will also consult with co-authors.
- Continue discussion and exploration of the COESA SDCWT, including potential overlap with other standards (MDocs) and design considerations.
Session Date/Time: 26 Jul 2024 01:30
spice
Summary
This meeting covered two documents: SPICE Discovery and Identifiers for Businesses. The SPICE Discovery document is a call for action to determine if a discovery mechanism is needed within the SPICE working group, particularly in relation to confirmation methods and interoperability with other IETF efforts like WIMSE. The Identifiers for Businesses document proposes a URI scheme for globally identifying businesses, aiming to provide context and disambiguation for business identifiers used in attestations and supply chain tracing. Both documents were discussed, with feedback provided and calls for further work and community involvement.
Key Discussion Points
- SPICE Discovery:
  - The document is intended as a placeholder for other discovery work happening within the IETF.
  - Importance of clarity on expected inputs and outputs for any discovery system.
  - Consideration of using CBOR instead of JSON for SPICE, given its focus.
  - Distinction between discovery and trust establishment mechanisms.
  - Concerns raised regarding the utility of discovery given the time gap between credential issuance and verification.
  - Privacy implications of discovery systems and potential creation of privacy-violating oracles.
- Identifiers for Businesses:
  - The purpose is to create a URI scheme (glue:) for globally unique business identifiers, associated with an IANA registry to provide context.
  - The need for this identifier stems from inconsistent use and definition of existing business identifiers.
  - Privacy concerns related to taxpayer identifiers in specific domains.
  - Use cases in supply chain tracing and verifiable attestations.
  - Consideration of the authority responsible for minting these identifiers (e.g., government vs. industry).
  - Discussion on the relationship to identity providers and the potential for existing systems to provide this number, with claims tied elsewhere.
Decisions and Action Items
- SPICE Discovery:
  - The document is not ready for working group adoption.
  - Action Item: Interested individuals should contact Ori or Mike to contribute to the document.
- Identifiers for Businesses:
  - The document is not ready for working group adoption.
  - Action Item: Interested individuals should contact Brent to contribute to the document.
  - Action Item: Open a GitHub issue to discuss privacy considerations related to taxpayer identifiers and nested organizations.
Next Steps
- Continue discussion on the mailing list regarding both documents.
- Brent will incorporate community feedback and continue developing the Identifiers for Businesses document.
- Ori seeks interested contributors to help shape the SPICE Discovery document.
- Coordinate with other working groups, including drone remote identity protocol, to align identifier strategies.