Meeting minutes
Organization
Michiko: welcome to OP breakout session
… to our discussion we welcome your input
… to explore our solution
[Michiko explains slides]
… if this fake informatioon distributed, people will get trouble
… how we can avold this kind of situation
… technology can and should help that
… OP collabolated with partnership, established 2023
… including local newspapers, publishers, etc
… global orgs are participating as well
[Michiko shows an example of Yomiuri shimbun online]
… in a further small window, you can see info which can be seen easy way with safe way
[we are watching a video how OP works]
<mt> was that 2 trillion USD or JPY? big difference between the pictures and words
Michiko: mt, 2 trillion is JPY. We will share the video and materials later
Technical explanations
Shigeya: about design of OP
… we are adding content attestation, not only the entire web page
… 1, identity, data model and presentation
… government info as well
… OP is bit generalize to the web pages
… inside of content attesttation set, it provides proof and link to sites
… which consists of Core Profile, Web Media Profile and one more Profile Annotations
<mt> is this technical material available anywhere? The o-p website still says that English material is not available yet
shigeya: (talks about the key points)
… Identity
… OP includes both human redable and machine processable information
… consisting of Core Profile, Web Media Profile and Profile @@@
… Presentation
… implemented as browser extension
… Baseline Governance Framework
… profile issuers for initial deployment
… core profile, app-specific profile and organization profile
… JP newspapers, 3rd-party embership certification
… Chain of Trust and Machine Processing
… designed to allow lightweight decision making
… OP consumers can decide whether accept of reject
… Gaps OP fils
… identity vs X.509 PKI
… scalability challenges there
… Development Status
… initial development done
… 3 phases
… 1. limited number of media outlets
… 2. outlet via aggregators, digital ads
… 3. local gov outlets
… Standardization and Discussions
… data, identity and presentation
… when to start verification?
… SRI for external resources and SRI extension (1)
… content attestation includes integrity property
… select HTML elements with CSS selectors
… SRI for external resources and SRI extension (2)
… support SRI for additional external resource types
… define integrity property for multiple resource with single tag
michiko: (notes we'll share the slides later)
wendy: any example?
… curious about how it works
shigeya: can't provide resources in English, sorry...
… to be provided soon
martin: tx for the explanation
… helpful to see documentation
… would ask what the goal is
… trying to create a governance system to determine what truth is?
… sounds kind of ambitious and possibly dystopian
tatsuya: would like to introduce the technology today
<mt> let the minutes reflect that I used the word "dystopian"
tatsuya: Web contents to be verified by all the users
… using 3rd-party certification, etc.
… it's just launched
… try to start certification providers
shigeya: we don't think we're creating dystopian world
… not going to become so
… we need to verify authenticity of the originator
… we dont have that yet
… we're not aiming entirely controlled world
chris: we should be winding back to the use cases
… would like to hear about use cases we have
… one of the things we do as the owner of our web site
… would like to do some indication
… the content genuinely comes from us
… trust relationship of BBC
… would like to see possible solution for that purpose
… the other view on news distributor
… difficulty of service verification
… any sort of technical indication
… what the content comes from is important
… having indication where the information comes from
… identify those kinds of problems
jun: OP doesn't care about whether the information itself is true or false
… handles the originator of the information
… some kind of mechanism provided to the end user to verify that
shigeya: how the fragments of the news to be handled
… some news from Yomiuri or Yahoo news to be distributed
… aggregator mechanism can identify which comes from which
tatsuya: we're focusing on simple problems
… regarding your concerns
… may related to ads
… e.g., many natural disasters there in Japan
… we can see many fake news sites
… we need to clarify which information is really provided by Yomiuri
… we can split the definitions
… just started to verify the originator
rbyers: important problem
… not sure f possible to handle each component within the Web content
… different level of trust mechanism included there
… authentication for the headline and the content
michiko: (shoes an example)
… each part handled separately
rbyers: actual story inside of the extension window?
shigeya: the content is not shown in the extension window
… don't have the live demo at the moment
… extension just shows which part comes from where
rbyers: have done penetration tests?
shigeya: the extension is implemented as a browser extension using JS
… so could be attacked
… the verification of where the content comes from is done here
… it's not good enough from security viewpoint at the moment
… but the functionality is useful
rbyers: very bad attacker can handle that
tzviya: very interesting presentation
<Zakim> tzviya, you wanted to clarify trust model
tzviya: similar to Chris
<tzviya8> https://
tzviya: credible web did something also
… related to reputational risks
… trying to create some mechanism attackers can't make spoof
… millions of fake books there
… cheaper content might be fake
… also would like to see examples
<Zakim> wendyreid, you wanted to ask about whether threat modelling has been conducted
wendy: wanted to talk about threat modelling
… many of encryption/authentication for publishing also
… any resources on that?
tatsuya: let me clarify the question
wendy: challenges on different components introduced within one page, etc.
… resources are broaden
… wondering about threat model
tatsuya: tx
… my opinion is...
… same answer to the previous questions
… spoofing is a big problem to us too
… heard some news from Forbs
… huge web site providing huge contents
… some of them as fake
… difficult to recognize which content comes from Forbs actually
… very important to show that
… we have 2000 local govs in Japan
… fighting with fake information
… we're now trying to work for that
jun: local gov responsibility is largely about disaster handling
… distribute information for every disaster situation
emily: 2 questions
… key differences from extended validation certificatess, C2PA, etc.
shigeya: C2PA based on X.509
… has their own trust framework
… EB certificate is not enough
… some of the certification for news outlet association can be used additionally
… seems to be useful
emily: have you tested with users how they interpret information?
shigeya: source information is verified by OPCIP
… we can view the certification information
… but how to present the results is a question
… no good way on browser yet
… need some good mechanism
martin: still unclear about the property and the system
… is this about some sort of secondly entity itself?
… content produced, e.g., by BBC?
shigeya: both
martin: goal to be applied to social media, messaging service also?
shigeya: not to be applied to them yet
… they have different characteristics
… this is the first session about OP (at W3C)
… next step to show more details
… let us know about your opinions
tatsuya: looking for opportunity to join the CG
… practical CG
kaz: which CG?
… Credential CG?
… or some other possible CG(s)?
shigeya: would like to start to work within the Credible Web CG
[adjourned]