*(By the way, this week we're in what I call "summertime skew" -- UK and Europe have changed, and US hasn't. Be sure to check the online calendar for the exact call time. US Pacific is normative. Things right themselves again by next week. It's always best to subscribe to the calendar for best results.)*

http://kantarainitiative.org/confluence/display/BSC/2016-11+%28November+2016...

Agenda:

- Report <http://kantarainitiative.org/confluence/display/BSC/Report+from+the+Blockchain+and+Smart+Contracts+Discussion+Group> writing
- Sovrin Foundation questionnaire answers discussion

Attending: Eve, Thomas, John W, Kathleen, Susan, Jeff S, Andrew, Alex, Adrian

*Logistics:* Today marks four months out of six in this DG's journey.

*Smart contracts vs. legal contracts:* How has this difference been articulated? Barclays has written a paper, and we've discussed it some (need for jurisdiction information and formal identification of parties). The MIT event had some discussion as well, with Bart Suichies' comparison table (was that distributed to the list?). Where does the role of consensus come in? Any delta is relevant to our report-writing, especially as it relates to identity. Scott D has the action to write about legal contracts.

Thomas listed four elements: parties (the majority have 2), terms of the contract, consensus/verifiability (other parties can independently check whether the terms were executed on), and the semantic connection between legal prose and machine-readable code. Do the elements of (machine-readable) access control constitute a machine-readable contract? Lots of machine-readable authorization policy languages either could be easily translated to, or constitute themselves (and/or), a near-natural-language declarative semantic description. Could they be "taken to court", that is, could they be validated in a way that is traditional for legal contracts?

How does Jim H envision (or actually implement, by now) the connection between the legal contract text in CmA and the smart contract code? What if one half "blows up"? How does the regulatory regime under which the contract operates get identified? Have smart contracts been operating in such a gray zone that they've been trying to set totally separate standards that add a different and possibly even bigger risk? Could civil law standards usefully be created to mitigate this risk? Thomas and Susan took the assignment to flesh out the Smart Contracts definition and analysis in the report. This section should link to and discuss the CmA connection, and, where it can, talk about parties in their "identity" guise.

*Sovrin answers:* You can find them in your inbox or in the email archive <http://kantarainitiative.org/pipermail/dg-bsc/2016-October/000289.html>. See also the paper <https://github.com/WebOfTrustInfo/rebooting-the-web-of-trust-fall2016/blob/master/topics-and-advance-readings/Sovrin--digital-identities-in-the-blockchain-era.pdf> Thorsten mentioned in email.

Discussion of the "Different approaches being taken in the new solution space, e.g. if other approaches are being taken outside of Sovrin" answer: Adrian attended IIW and the Sovrin-related sessions. Sovrin came across as "one of only four standards-track efforts that are alternatives to federation". You can use the private key you get as part of your identity to sign things. Evernym has basically become Sovrin now, having donated the code to the Foundation. The technical part of the model seems identical to the Blockstack model, and then there's a governance model on top that adds permissioning. The answer in this section talks about other blockchain use cases such as Bitcoin.

As for other blockchain *identity* use cases, it appears they have all converged on a single technical answer: Don't put identity information itself on the blockchain (for the usual reasons: security and privacy of PII, latency, bloat); only put pointers on the blockchain; make that pointer model flexible so that the identity holder can have pseudonyms; identity information is actually stored in a traditional repository of some kind. It's not that IdPs necessarily go away (they're mentioned in the Sovrin FAQ), but they would depend on the Sovrin layer. It's a four-layer model.

Thomas notes that UMA enables a distributed model when it comes to an identity holder's resources. Eve also notes that OpenID Connect enables distributed and aggregated identity claims in SSO explicitly. Adrian discusses the W3C verifiable claims work as being uncontested as solving the triple-blind concern. The question is: What, then, is the Sovrin work actually solving, if the current state of the art in identity and federated identity isn't so bad? Is it just that "having IdPs in the world is evil?" (Not that this may not be enough...) For whom is this solution targeted, then? Is the value worth the implementation/deployment cost, and for whom?

*AI:* Eve: Send her analysis of the triple-blind vulnerability identified by researchers to the list.

*AI:* Adrian: Send a link to the verifiable claims work to the list.

*AI:* Thomas and Susan: Work on the Smart Contracts subsection of the Blockchain report section.

Next time: Assemble a final list of comments and questions back for the Sovrin folks to answer, and work on the Sovrin Foundation Case Study report draft section.

*Eve Maler*
ForgeRock Office of the CTO | VP Innovation & Emerging Technology
Cell +1 425.345.6756 | Skype: xmlgrrl | Twitter: @xmlgrrl
*The ForgeRock Identity Summit* is coming to <http://summits.forgerock.com/> *Paris in November!*
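The "pointers only on the ledger" pattern summarised in the Sovrin discussion above, as an added Python sketch that is not from these minutes, Sovrin, Blockstack or any other project named here: the identity record with the PII stays in an off-chain repository, the ledger holds only a pseudonym, a hash commitment and a locator, and a verifier accepts the fetched record only if it still matches the commitment. The HMAC-based pseudonym derivation, the repo:// locator scheme and the sample record are all assumptions made for the sketch.

```python
import hashlib
import hmac
import json

# Constructed sketch of the "pointers only" model: the off-chain repository
# (a dict here) holds the record with the PII; the ledger (a list here)
# holds only a pseudonym, a hash commitment and a locator, never the PII.

def derive_pseudonym(master_secret: bytes, context: str) -> str:
    """One holder, many pseudonyms: an HMAC of a per-relationship context
    (assumed scheme) yields identifiers that cannot be linked without the secret."""
    return hmac.new(master_secret, context.encode(), hashlib.sha256).hexdigest()[:32]

def canonical(record: dict) -> bytes:
    """Deterministic serialisation so the same record always hashes the same."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()

def commitment(pseudonym: str, record: dict) -> str:
    """Bind the pseudonym into the hash: a bare hash of the record would be
    identical under every pseudonym and would let ledger entries be correlated."""
    return hashlib.sha256(pseudonym.encode() + canonical(record)).hexdigest()

def publish(repo: dict, ledger: list, master_secret: bytes, context: str, record: dict) -> dict:
    """Holder stores the record off-chain and appends a PII-free pointer entry."""
    pseudonym = derive_pseudonym(master_secret, context)
    locator = f"repo://{pseudonym}"      # hypothetical locator scheme
    repo[locator] = dict(record)         # the PII lives here, not on the ledger
    entry = {"pseudonym": pseudonym,
             "commitment": commitment(pseudonym, record),
             "locator": locator}
    ledger.append(entry)
    return entry

def resolve(repo: dict, entry: dict):
    """Verifier follows the pointer and accepts the record only if it still
    matches the commitment recorded on the ledger; returns None otherwise."""
    record = repo.get(entry["locator"])
    if record is None:
        return None
    expected = commitment(entry["pseudonym"], record)
    return record if hmac.compare_digest(expected, entry["commitment"]) else None

def ledger_contains(ledger: list, values) -> bool:
    """Privacy check: does any of the given PII strings appear on the ledger?"""
    blob = json.dumps(ledger)
    return any(v in blob for v in values)
```

The tamper case is the one to watch: editing the off-chain record after publication makes resolve() reject it, which is what the on-chain commitment buys the verifier.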