Verifiable Credentials Working Group Telco — Minutes

Date: 2022-06-29

See also the Agenda and the IRC Log

Attendees

Present: Ivan Herman, SongPu Ai, Michael Prorock, Michael Jones, Manu Sporny, Kristina Yasuda, Brent Zundel, Justin Richer, David Chadwick, Kevin Dean, Shigeya Suzuki, Markus Sabadello, Sebastian Elfors, Oliver Terbu, Will Abramson, Joe Andrieu, Antony Nadalin, Ted Thibodeau Jr., Phil Archer, David Lehn, Gregory Natran, Andrew Whitehead, Dave Longley, Dmitri Zagidulin, Shawn Butterfield

Regrets:

Guests:

Chair: Brent Zundel

Scribe(s): Manu Sporny, Brent Zundel, Dave Longley

Content:

• 1. Introductions.
• 2. schedule of meetings.
• 3. participation.
• 4. Scope of Work.
• 5. A few words about RCH WG.
• 6. Editorship.

Brent Zundel: Agenda review… introductions, schedule of meetings, participation renewal, scope of work, RCH WG, and editorship..
… Any changes to the agenda?.

Manu Sporny: No changes recommended..

1. Introductions.

Brent Zundel: Hi, Brent Zundel, one of the CHairs of the group, work for Avast… acquired Evernym, who I worked for – only difference now is not worrying about existential threats to livelihood :).

Kristina Yasuda: Hi, Kristina Yasuda, one of the Chairs of the group, work at Microsoft’s Identity Standards team, honored to join this wonderfully intelligent group..

Ivan Herman: Hi, Ivan Herman, W3C Team and staff contact for this WG… I am staff contact for DID WG as well, I also work on EPUB at W3C (digital publishing), been at W3C for a very long time. I also worked on Semantic Web back then..

Michael Jones: I’m Mike Jones, work on Identity Standards at Microsoft, have privilege to work on a number of things that have succeeded like JWTs and OpenID Connect and passwordless stuff and decentralized things. I have worked on things like Infocard and have learned from that as well, pleased to be with this great group of people..

Phil Archer: Hi, Phil Archer, work at GS1 people that do the barcode, also worked at W3C, interested in cross-border, supply chain, also co-chair RCH WG - hope to have something prepared to say before Brent asks me to talk about that :P.

Andrew Whitehead: Hi Andrew Whitehead, working with VCs for a few years in British Columbia, Pratage Cybertech, wanted to get involved with WG. Looking forward to more privacy preserving features in WG..

Dave Longley: I’m Dave Longley, CTO of Digital Bazaar, been working on standards with many of you for a while, co inventor of VCs and DIDs..

David Chadwick: Hi David Chadwick, originally a professor at University of Kent, working on standards, x509, created spinout to do VCs a few years ago, then got acquired by Crossword Cybersecurity, now R&D director for identity..

David Lehn: Hi David Lehn, work at Digital Bazaar, working on standards and implementations for years along with rest of DB folks here..

Dmitri Zagidulin: Hi Dmitri Zagidulin, been working on DIDs and VCs for several years, tech lead at MIT Digital Credential Consortium, also CTO of Hyperconstruct, building VCs and DIDs for VR and metaverse..

Gregory Natran: Hi Gregory Natran, work with Andrew, work with public sector and interest in VCs and replacements for licenses and permits and cards that they put in our physical wallets. THat’s the primary interest, part of decentralized identity and security aspects – collecting great gobs of info in less than secure infrastructure..

Joe Andrieu: Hi, Joe Andrieu, Principal for Legendary Requirements, also Editor of VC/DID Use Cases, and VC API, looking at moving that information into this group..

Justin Richer: Hi, independent consultant working on behalf of Avast/SecureKey, been working on OAuth, OpenID COnnect, JOSE, also involved in first edition of VC WG and DID WG and plan to continue to contribute..

Kevin Dean: Hi Kevin Dean at GS1, technical oversign on GS1 standards, playing w/ VCs for last couple of years..

Manu Sporny: Hi, Manu Sporny, CEO of Digital Bazaar. One of the first working with DIDs and VCs, I’m editor of first VC spec, along with a number of tother specs related to VCs. Really looking forqward to working with so many talented folks over the next two years..

Markus Sabadello: Hi, Markus Sabadello, Founder and CEO of DanubeTech, working on DIDs and VCs, working on digital identity projects around the world, one of the Editor’s of DID Core, also Co-Chair of RCH WG, looking forward to participate in this group and align with RCH WG..

Marty Reed: Hi, Marty Reed, CEO of RANDA Solutions, fairly new to work 3-4 years, RANDA has an open credential publisher and statewide platforms for teacher records, also Chair of 1EDTech CLR learner record standard. Looking to align those specifications with VC specification. Interesting thing about CLR, its a nested VC approach, looking forward to participating/contributing, and further aligning specs across ecosystems..

Antony Nadalin: Tony Nadalin, co-chair of WebAuthn WG, work on standards, don’t participate in IRC..

Oliver Terbu: Hi Oliver Terbu, I’m standards architect, engineer, representing Spruce Systems, working on SSI data storage and identity solutions, also involved in DIF, worked on ISO-18013-5, and other identity related technologies for about 10 years..

Sebastian Elfors: Hi Sebastian Elfors, senior architect at IDNow, active in FIDO Alliance, EUDI wallet subgroup, also editor of whitepapers, also involved in WebAuthn, also member of EBSI contributor for EU Wallet, also member in Hyperledger, creating wallet using WACI/DIDComm, also working on DID Method for ??? signatures, which we’ll submit to DID WG soon..

Shigeya Suzuki: Hi Shigeya Suzuki, professor at Keio in Japan, I’ve been contributing for 30 years, applying identity tech to make everyone’s life easier, thank you..

SongPu Ai: Hi Songpu Ai, working of Academy for Information Technology, interested in working doing research with ICT technologies, made a DID Method and making VC tech and relative applications, happy new charter is passed and looking forward to working with everyone..

Phil Archer: It is appreciated TallTed :-).

Ted Thibodeau Jr.: Hi Ted Thibodeau, at OpenLink Software and working w/ W3C, if it involves identities or data manipulation or decentralization, I’ll be there… I help w/ lots of editorial cleanup. :).

Will Abramson: Hi I’m Will Abramson, representing Digital Contract Design, haven’t particpated much in standards but looking forward to participating..

Michael Prorock: Hi Mike Prorock, Founder and CTO and Mesur.io, working on open source intelligence, cross broder trade, use VCs for customers for large enterprise and government, pesticides and herbicides to food traceability..

Brent Zundel: Did we miss any introductions?.

Manu Sporny: Doesn’t look like it..

2. schedule of meetings.

Brent Zundel: We will have a meeting at this same time every 2 weeks. Then 1pm ET every other week, we’ll alternate between slightly friendlier for EU and slightly friendlier for APAC. That is the anticipated schedule moving forward..
… In addition to regular calls, we’ll have special topic calls, no time and day yet, open to suggestions, once we select a time, that will be the time for the special topic call, when there is a special topic, we’ll discuss it during that time. That allows us to have a much more narrow focus/broader discussion on specific topic, overcome blockers, etc. Or just to get everyones takes/opinions, get better compromise progress..
… First F2F meetings will be during W3C TPAC this year, please go to TPAC, VCWG will be Thu/Fri..
… TPAC is in Vancouver, but will be Hybrid for those that can’t travel, so you can tune in and remote participation is effective as possible..

Justin Richer: what are the dates of TPAC?.

Brent Zundel: Any concerns/suggestions?.

Michael Jones: Are we going to alternate w/ WebAuthn in the past?.

Brent Zundel: We picked the same dates/times so it works well for WebAuthn..
… TPAC is September 12th-16th.

3. participation.

Brent Zundel: If you have not yet rejoined the WG under the new charter, that needs to happen… 28 days after first day of charter approval, you will be kicked if you have not rejoined..
… Any concerns/questions, reach out to Chairs/Ivan. We need you to formally join and make IPR commitments. Any questions around that before we move on to primary topic?.

Phil Archer: Kevin and I are in the WG and signed up, at least a few colleagues will join us in Vancouver, if I bring other people, can they come to TPAC w/o signing IP agreement?.

Brent Zundel: Individuals representing organization, AC Rep makes commitment on participant AND company… each participant needs to join as well. Yes, they really should be actual members of the WG..
… All they need is a W3C account and association..

Phil Archer: There is one person that I want to bring along, talk w/ other developers, but not going to join these calls regularly… join then unjoin..

Ivan Herman: Number of people in WG is significantly higher than people on the calls regularly..
… Lurkers on the group to listen remotely via email/github to see what’s happening, no problem if they join but don’t show up and actively participate..

4. Scope of Work.

Brent Zundel: See Working Group charter.

Brent Zundel: We are going to start off by looking at charter.
… We have a potentially broad scope of work for this WG, but we are going to focus our primary efforts on two normative specifications, first is VC 2.0 data model. A definition of 2.0 data model, serializations of that data model, replacement of v1.1 recommendation..
… The other specification is “Securing Verifiable Credentials 1.0” - a number of accurate criticisms of first version of VC data model that proof section is underspecified and then we don’t say much more than that. Securing VCs is our answer to “What should go int he proof section and how do you get there?”.

Michael Prorock: +1 brent - proof structure and details are a critical item, especially for interop.

Oliver Terbu: It would be great to have a more defined proof property in VCDM, also raised something on holder binding, no normative definition to verify that someone was same person that issuer made claims about… common use case, holder gets credentials, present to relying party and holder is in control, rightful person that owns them, we might tie that into that conversation..

Brent Zundel: Those two are the normative specifications, we have a number of conditional normative specifications… ones that normatively rely on other specifications outside of this group… and we don’t have any control being able to point to JWPs or BBS+, for example..
… There are some other normative specs that we might choose in same general category, externally standardized cryptographic primitives that we might want to refer to..

Michael Jones: A BOF to work on JWP was approved at IETF next month, please participate next month if you’re there..

Michael Prorock: +1 mike - will be there.

Brent Zundel: Next thing we might do, create a set of registries, charter text around registries is vague… we may do this, if we do, we might have definitions and tables..
… Caveat with registries, anywhere we have a registry, an extension point that’s mandatory, property in spec that we say “MUST be here” there must be ONE standardized entry for that. For interoperability purposes..
… if we do registries, there might be some rules there..

Manu Sporny: I hesitate to bring this up, there’s some amount of interpretation around mandatory there. We don’t have any mandatory fields. We don’t have to define anything, however, I think we should shoot for a higher bar than that. I think we should be looking at things like the credential status field, the schema field, and trying to do our best to point to specs that are implemented and have test suites..
… I don’t know if we have, for example, if we look at status list … I don’t know how much of that we can define without getting into protocol. So, there’s a question around whether things in the registry need to have to implementations or do we need to rigorously define everything..
… That’s what Google wanted, but I don’t know what others want or where that leaves us..
… I don’t know what the strict requirements around registries are there..

Brent Zundel: This is a good place to remind everyone of email that manu sent, relationship of different deliverables and specs w/ one another..
… Please check that out..
… Any other comments on deliverables? Run through of non-normative deliverables that we anticipate..
… Non-normative deliverables, WG notes, other documents we might produce, we will probably have test suites, we’ll probably publish a note about presentation request, various protocols that can be used w/ presentation request, how do we store/share VCs? We could have note about greater privacy guidance around VCs? We got some accolades on privacy considerations section so detailed, so breaking that out into NOTE is a possibility, how do we bind multilingual resources, how to present credentials, or developer guide – guidance for implementation and best practices, some VC API or OIDC protocols, how do we do exchange over GNAP..
… These are all possibilities, we also have within our scope to update NOTEs previously issued, implementation guides, and the like. That’s the charter defined scope for the WG, according to deliverables section, read through scope so we’re all on the same page..

• Building on the experience gained through implementation, deployment and usage of Verifiable Credentials (VCs), this Working Group will extend Verifiable Credential foundations with new standardized technologies to improve the use of this technology on the Web..
• The scope of the Verifiable Credentials Working Group is:.
• Addressing errata, ambiguities, and interoperability problems found in previous versions of the Verifiable Credentials Data Model.
• A data model for Verifiable Credentials, inclusive of:.
• Credentials and Verifiable Credentials.
• Presentations and Verifiable Presentations.
• requests for or submissions of Verifiable Credentials or Verifiable Presentations.
• Registries for the data model to support extension points in the normative deliverables..
• Algorithms for the expression and verification of proofs that use existing cryptographic primitives.
• Refining multilingual support in the data model.

Brent Zundel: It is explicitly not a requirement that the new specifications be fully compatible with related past specifications..
… “The following features are out of scope, and will not be addressed by the Verifiable Credentials Working group:”.

• The mandate of any specific style of supporting infrastructure, such as a Distributed Ledger (DLT), for a Verifiable Credentials ecosystem.
• The specification of new cryptographic primitives.
• The normative specification of APIs or protocols.

Brent Zundel: We do plan to non-normatively work on APIs and protocols.
… This is ambitious, but do-able..

Phil Archer: No question around scope, but wonder … GS1 community represented here… there are multiple ways of doing VCs, individual people will champion one way over the other, but as an organization with a global reach, the fact that there are multiple ways is a barrier to adoption… one toolchain, two, three, four, does this group whittle down those number of choices? Do we hope to do that?.
… Is that something that others in the group hope to achieve?.

David Chadwick: great question Phil.

Michael Prorock: I think that’s a great concern taht you brought up, we run into that in international scenarios, same overlap with traceability – profile aspect seems to work, a subset of required security/privacy/other aspects, limit down broadness to work with specific type of scenario. I do think the more we can be mindful of adoption, the better off we’re going to be. System to system vs. where you have a human in the loop, different scenarios in practice, what works in one scenario might not work in a different one..

Brent Zundel: With Chair hat off, I share that concern, we want interop to be real, we want to increase the usefulness of the specification. With my chair hat on, going to paraphrase, the criticism of our charter and previous work levied by some companies is that the specification as written does not allow for true interoperability. We haven’t firmly enough proven interoperability. If you have a registry, it needs to point to actual standards and implementations. There has been an unspoken promise that if we can’t demonstrate real interop to a level that’s acceptable, they’ve already promised formal objections to our work..
… From a Chairs perspective, this is very much in mind..
… Whether they’re in the group working on the spec, those implementations would be compatible with one another..

Manu Sporny: In order to try and address that, Phil, Digital Bazaar has already started creating very specific test suites, modular test suites for Verifiable Credentials feature sets. We already do have a test suite that tests against the specification during the 1.0 work. During the 2.0 work we’re working on test suites to test things like StatusList2021. That’s a specific feature and if you implement it you should be able to pass the test suite..
… Already these test suites exist, we’ve been working on them for the past year, we plan to transition them with the working group and we already have interop from implementations on those test suites. Those test suites won’t be finalized until we’re in CR. So if someone comes in and says you haven’t demonstrated “real interop” ….
… We’ve noticed people don’t mean the same thing / have the same definition of “real interop” … we’re looking for actual implementations that are going to or are in production that implement VCs. We’ll be actively contributing to test suites that meet that level that these orgs are asking for..

Phil Archer: Thank you, Manu..

5. A few words about RCH WG.

Brent Zundel: Let’s hear about the RDF Dataset Canonicalization WG.

Phil Archer: The RCH WG is what came out of the draft chartering process for Linked Data Integrity, 2nd normative deliverable was going to be in that WG, but its now in this WG. Markus is the security person and I have a history in Linked Data, that’s the idea of the two of us doing it. I know more about Linked Data than Cryptography, the group isn’t yet formed, no schedules yet, but it is really about the thing that matters in this group – you have a VC expressed as JSON-LD, in order to digitally sign, you have to canonicalize that, there exist methods to do that, develop that into W3C standard so we have a way to canonicalize in RDF and sign the data..
… We believe the people likely to be interested in that are on the call here, will be interesting to know how many of you will participate in that group, whether anyone outside VC world will participate, we don’t know… 2 hours will be used to focus on RCH WG..

Markus Sabadello: I agree with what you said. Relationship between two groups – one of the deliverables of VCWG as brent explained is securing VCs, the RCH WG will define building blocks for Data Integrity cryptosuites in VCWG..
… Not all proof mechanisms will use RDF Dataset Canonicalization and Hashing, but some will. Canonicalization and Hash work is important for securing VCs, but can be used for other things (like dataset diffing)… the way I think about RCH WG, it’s a well defined, narrow scoped building block for use with VC WG and broader Linked Data ecosystem..

Phil Archer: Any quick questions?.

Kristina Yasuda: this is the right place to track RCH WG, right? https://github.com/w3c/rch-wg-charter.

6. Editorship.

Brent Zundel: This is about contributing, our primary goal is to create specifications. We cannot do that without people in the group willing to step up and serve as Editors. Manu can you talk about primary roles of editor?.

Manu Sporny: So the role of an editor is pretty simple in theory. You listen to what the WG says, you see where there might be or is consensus, and you try to write spec text that reflects the consensus view. You listen to people and you write stuff down. The other part is reviewing PRs that other people submit to change text. You make sure the PR works with the rest of the spec and merge those things down when they match the will of the group..
… If you’re going to edit, you must minimally show up to the calls and spend 1-2 hours a week of work to do and show up to editor calls, if any..
… 2-3 hours a week, minimally of time commitment..

Brent Zundel: I’d say maybe closer to 5 hours per week . . ..

Manu Sporny: It’s very rewarding to get all this stuff together, get the entire group behind the thing we’ve collectively created, and push out a global standard that will impact the lives of many people around the world. If you’ve never edited before, please step forward and be an editor, or at least step forward and contribute text. For example, I love Ted’s suggestions. He nitpicks and make every spec better. He improves readability and.

Dave Longley: understandability on every spec he contributes to..

Manu Sporny: If you’re editing, you keep an open mind, you listen to everyone and write down what you think the group agrees to..

Brent Zundel: No call next week, we’ll meet again in two weeks, thank you all for being here – excited to get work started..
… Ya’ll are fantastic, this is going to be great!.