Verifiable Credentials Working Group Telco — Minutes

Date: 2022-10-19

Attendees

Present: David Chadwick, Michael Prorock, Ivan Herman, Shigeya Suzuki, Orie Steele, Brent Zundel, Ted Thibodeau Jr., Dave Longley, Sebastian Elfors, Manu Sporny, Markus Sabadello, Dmitri Zagidulin, Kevin Dean, Phillip Long, Snorre Lothar von Gohren Edwin, Oliver Terbu, Kerri Lemoie, Gabe Cohen, Przemek Praszczalek, Kristina Yasuda, Shawn Butterfield, Joe Andrieu

Regrets:

Guests:

Chair: Brent Zundel

Scribe(s): David Chadwick, Manu Sporny

Ivan Herman: prsent+ abramson.

1. status updates.

Manu Sporny: We should add @context discussion to the agenda.

Phillip Long: I am representing T3 innovation network.
… I participate in various W3C working groups and CCG.

Phillip Long: I should have added I’m the facilitator of the LER Network of the T3 (LER= Learning and Employment Records, that subset of VCs relevant to education, training and professional development)..

2. Work Item status updates/PRs.

2.1. Add DataIntegrityProof to credentials/v2 JSON-LD Context. (pr vc-data-model#943)

See github pull request vc-data-model#943.

Manu Sporny: only one PR pending in VCDM.
… pr#943.
… we have a couple of objections which we are currently resolving.
… orie’s objection (human readable descriptions) will be added.
… other one to removing from base @context is not easy to resolve.

Michael Prorock: I appreciate the problem so I will withdraw the change requests.

Orie Steele: dont like PRs to be made that don’t lead to anywhere.
… but don’t have a blocking change.

Manu Sporny: thank you guys.

Ivan Herman: See Initial work for the vocabulary:.

Ivan Herman: there is quite a lot of work still to be done, so if we keep 943 open till resolved it might be quite a long time.
… I am pushing people to help on vocabulary ASAP.

2.2. Remove the unnecessary Create Verify Hash Algorithm. (pr vc-data-integrity#63)

See github pull request vc-data-integrity#63.

Manu Sporny: still trying to figure out what the text might be for this.
… we will remove the current wrong language.
… key thing is that the way verify hash is created in BBS will be different to all other crypto suites.
… its hard to predict what will happen with BBS so getting the language right now will be difficult.

Markus Sabadello: might fit into RCH working group.

Manu Sporny: we will remove the wrong text now. Worst case is that every crypto algorithm might have to use same text.

2.3. Update algorithm for Verify Proof (pr vc-data-integrity#64)

See github pull request vc-data-integrity#64.

Manu Sporny: this is just updating the language.

2.4. Create formal version of the security vocabulary (pr vc-data-integrity#65)

See github pull request vc-data-integrity#65.

Manu Sporny: do we want to externalise the libraries for vocabularies.

Ivan Herman: the most important thing is that the whole doc with proper vocabulary was based on CCG document with not a good description.

Manu Sporny: Yes, the CCG document is in a half-baked state… it represents a decade of stuff that’s been added. :).

Ivan Herman: there are a number of properties that say ‘to be done’.

Manu Sporny: I am happy to do a full detailed review as I have been maintaining the vocabulary for a decade.

2.5. FPWD for the security spec?.

Manu Sporny: once these PRs are merged we will be ready to FPWD.
… target date the end of October.
… is the WG Ok with me preparing the FPWD?.

Ivan Herman: the final static version should only be done after we have voted for it.

Orie Steele: +1 ivan..

Manu Sporny: can we vote on next week’s call.

Ivan Herman: I wont be here next week so please don’t forget short names.

Orie Steele: echidna.

Ivan Herman: and to have the publication done by echidna.

2.6. Begin production rule definition (pr vc-jwt#11)

See github pull request vc-jwt#11.

Orie Steele: there are changes requested on this.
… not sure when FPWD will be ready.
… please submit all your comments ASAP.

2.7. Add IANA to context (pr vc-jws-2020#24)

See github pull request vc-jws-2020#24.

Orie Steele: no changes requested for this.

Manu Sporny: there is an objection.
… use fully qualified URLs.

Orie Steele: please make it clear what change you request.

Dave Longley: I also have a change request.

Orie Steele: this pull request is trying to point to IANA for term definitions.
… IANA is required to maintain these registeries rather than a community group re-direction service.
… concern is if people add their own terms which are not defined in IANA.
… but if they get widely used then they are usually eventually registered.
… sometimes we use an algorithm name but then stop using it and it does not get registered.
… because it is superceded and the new term gets registered at IANA.

Manu Sporny: biggest issue is the use of vocabulary. With this PR we are saying you can put anything into a JWK which will be in the IANA registry.
… when we are doing crypto we should be very specific with our terms so there is no ambiguity.
… The alternative is if the PR said which parts of the JOSE registry we are using, and is precise, without including everything..
… because the way the PR is now you can use prohibited terms and terms that are not defined.

Orie Steele: Please make sure to put your concrete change suggestions on the PR and request changes, so I can address each of them individually..

Manu Sporny: Sure thing..

Manu Sporny: Though, I did just elaborate on them here, in the minutes, which should be included in the PR.

3. Issue Discussion.

Brent Zundel: https://github.com/w3c/vc-data-model/issues?q=is%3Aissue+is%3Aopen+label%3Adiscuss+sort%3Aupdated-asc.

3.1. followup of the TPAC discussion on JSON/JSON-LD.

Manu Sporny: original issue has come from TPAC, but it seemed as if there were two separate issues..

See github issue vc-data-model#947.

Manu Sporny: first one requests @context to be optional.
… second one it to enhance developer experience of JSON-LD by limiting JSON-LD functionality.

See github issue vc-data-model#948.

Manu Sporny: so that a JSON only developer wont need to worry about JSON-LD processing.

Kristina Yasuda: I think it was correct to break down the original TPAC tracking issue into two, but will point out that a lot of good conversation is in that original issue that is now closed is not translated into the new issues. so will encourage folks to re-comment/re-engage..

Manu Sporny: intention is that you wont need a JSON-LD processor to use @context.
… done by adding a developer @context, but this should not be used in production.

Brent Zundel: folks should read the original issue for background and good information.

3.2. Implementation Issues and under specification (issue vc-data-model#709)

See github issue vc-data-model#709.

Brent Zundel: revolves around whether issuer is an object or not.

Manu Sporny: I like Orie’s comment.
… can we close the issue and raise a simpler one.

Brent Zundel: suggested you ask Tony.

Dmitri Zagidulin: the current text also is problematic.
… in OpenBadges 3 we make extensive use of issuer as an object.
… also useful if two issuers are jointly issuing a diploma.
… ‘compound issuers’.

Manu Sporny: what is the problem since today we allow it to be an object.

Orie Steele: Does not look like that was scribed..

Manu Sporny: what is the concrete change you are requesting.

Dmitri Zagidulin: add examples to the VC spec that have issuer as an object.
… add common fields of name, image, web site to v2 context.

Dave Longley: See https://www.w3.org/TR/vc-data-model/#example-usage-of-issuer-expanded-property.

Dmitri Zagidulin: open an issue to discuss compound issuers.

Manu Sporny: we have an example in the spec of a compound issuer.

Kristina Yasuda: there is a multi-issuer issuer by gabe too: https://github.com/w3c/vc-data-model/issues/932.

Dmitri Zagidulin: please add image and name to this.

Orie Steele: my favorite field to add to the issuer block is a postal address and email address..

Dmitri Zagidulin: +1 for the latter.

Manu Sporny: should image be under the issuer or as a top level property that can be used anywhere.

Ivan Herman: I dont think we should come up with another vocabulary for person.

Dmitri Zagidulin: sure, use schema.org.

3.3. Can a credentialSubject be only a string value? (issue vc-data-model#762)

See github issue vc-data-model#762.

David Chadwick: this issue is whether a subject can only be a string value.

Manu Sporny: No we should not allow subject to be only a string value.

Oliver Terbu: +1 manu.

3.4. [Tracking Issue - Proposed Corrections Feedback] URL to URI (issue vc-data-model#862)

See github issue vc-data-model#862.

David Chadwick: url vs uri.

Manu Sporny: this is an old discussion about url vs iri vs uri.
… so maybe we should move to using url as this is used by browsers and is ubiquitous.

Ivan Herman: tendency in W3C is to move towards url spec; not only browsers but various libraries, e.g., for JS or TypeScipt, rely on that nowadays.

Dave Longley: +1 to ivan, implementations use the WHATWG spec.

3.5. PresentationSchema for VPs (issue vc-data-model#839)

See github issue vc-data-model#839.

David Chadwick: I haven’t looked at this for some time..
… I think there was an agreement, that what I’m looking for is presentationSchema, which is equivalent for credentialSchema – that will tell RP whether VP has been properly formed or not..

Orie Steele: +1 david, that is my understanding of your request..

David Chadwick: The proposal was to have a presentationSchema property..

Manu Sporny: thinks it lets an attacker choose the schema.