Verifiable Credentials Working Group Telco — Minutes

Date: 2022-10-26

See also the Agenda and the IRC Log

Attendees

Present: Kristina Yasuda, Brent Zundel, Dave Longley, David Chadwick, Manu Sporny, David Waite, Michael Jones, Gabe Cohen, Orie Steele, Shawn Butterfield, Oliver Terbu, Ted Thibodeau Jr., Logan Porter, Antony Nadalin, Dmitri Zagidulin, Kevin Dean, Steve Cole, Mahmoud Alkhraishi, Steve McCown

Regrets:

Guests:

Chair: Kristina Yasuda

Scribe(s): Dave Longley

Content:

Michael Jones: I agree that the call would be pretty late during IETF for those of us in London.

Manu Sporny: The special topic call – +1 to cancel during IIW, I think a lot of will be there. +1 to cancel the special topic call that happens really late at 6pm..
… But ok to keep the other meetings..

Kristina Yasuda: Anyone else opposed to canceling?.
… Ok, we’ll cancel those..
… Any introductions / re-introductions?.
… None, cool, next on the agenda is work item status updates and PRs..

1. Work Item status updates/PRs.

Manu Sporny: https://github.com/w3c/vc-data-model/pulls.

Manu Sporny: I don’t think we have any open PRs … nevermind, we have two open PRs on VCDM..

1.1. Switched to YAML for the vocab definition (pr vc-data-model#954)

See github pull request vc-data-model#954.

Manu Sporny: #954, which Ivan has raised..
… To use a great new tool that he wrote, it allows you to take a YAML file and convert it to a vocabulary file. So the credential vocabulary is just generated from a really easy to use file, it’s a great PR that will help us keep things up to date..
… Please take a look at it..

1.2. Corrects out of sync link titles in section 4.3 to json-ld spec (pr vc-data-model#955)

See github pull request vc-data-model#955.

Manu Sporny: Next one, Richard opened a PR to open editorial issues..
… That’s great too..
… The other thing people should note is that the VC v2 context with the DI proof stuff went in and that’s it for the data model spec..

1.3. Create a First Public Working Draft for Data Integrity. (pr vc-data-integrity#67)

See github pull request vc-data-integrity#67.

Manu Sporny: Moving over to the DI spec..
… Last week we said we’d talk about doing FWPD this week and proposals and voting on them. This is a PR to do FPWD for the DI spec..
… I believe it has much of what we agreed to in it, when we take up that proposal, Ivan mentioned that we need to ideally pick a publication date into the future like 2-3 weeks..
… That we also need to specify the kind of doc we intend to publish and any editorial changes to do that and we need to specify that we want to use Echidna to auto-publish editor’s drafts going forward..

Brent Zundel: and we need to choose the shortname.

Manu Sporny: The proposal needs all of those things in there..
… I think that’s it for updates on VCDM and DI specs..

Kristina Yasuda: Fantastic, thank you do so much. For VC-JWT and JsonWebSignature2020…?.

Orie Steele: For VC JWS2020, we have one with changes requested regarding the IANA context..

1.4. Create a First Public Working Draft for Json Web Signature Data Integrity. (pr vc-jws-2020#26)

See github pull request vc-jws-2020#26.

Orie Steele: I’m going to skip over that one, it’s a long discussion..
… PR #26 is the FPWD for JsonWebSignature2020. It’s the same kind of PR that Manu just commented on..
… And that’s it for JsonWebSignature2020, please look at those PRs..
… On VC-JWT, there is one PR remaining..

1.5. Begin production rule definition (pr vc-jwt#11)

See github pull request vc-jwt#11.

Orie Steele: That had comments / changes requested by Mike Jones, I believe I addressed them..
… I did request a re-review. TallTed had some editorial comments that I accepted, I am just requesting Mike Jones to re-review..
… That’s it for VC-JWT PRs..

Michael Jones: Do you want to talk about the issues?.

Orie Steele: I was just doing PRs..

Michael Jones: Thank you, that’s fine, that’s to TallTed for the recent approval..

2. special topic calls.

Kristina Yasuda: Thank you Orie, I sent out an email with calendar invitations for the special topic calls, alternating on Europe/US friendly times on Tuesdays/.
… We’re starting Nov. 1 on issue #947 regarding making the @context optional, we have more than 100 comments on that issue..
… Please try to catch up but we realize it’s a lot to read. We hope to summarize the arguments / discussion in the start of the special topic call next week..
… After issue #947, we want to continue with #948 and #953 around @vocab usage in @context..

Michael Jones: I’m looking at my calendar and the special topic call doesn’t appear. Now, if there’s an email that just says when it will be, but I would expect ical links to be included..

Kristina Yasuda: There is an email with an ical attachment that should be in your mailbox, you will have to manually add it I think to make it show in your calendar, I think..

Michael Jones: Oh, ok, I’ll search for it..

David Chadwick: I sent an email to Brent about the email and when I clicked on the details it didn’t work for me and the URL has a /edit on the end of it and the message needs updating before we do new special topic calls because you’ll get an unauthorized response when clicking..

Brent Zundel: It looks like, in creating the special topic call calendar event in the W3C system, I neglected to change it from tentative to confirmed and that’s probably why it’s not showing up for people subscribed to the W3C calendar, I’ll get that fixed..

Kristina Yasuda: Ok, thanks brent..

3. Contributing PRs (‘ready for PR’) for FPWD.

Kristina Yasuda: Let’s move to the issues conversation, and before we start that, there’s one head’s up from the chairs and editors, I’ll paste a link in the chat..
… Brent do you want to go first?.

Kristina Yasuda: https://github.com/w3c/vc-data-model/issues?q=is%3Aissue+is%3Aopen+label%3A%22ready+for+PR%22.

Kristina Yasuda: Ok, let me finish on this and we’ll get back to that..
… Heads up from the chairs and editors that there is a “ready for PR” tag in the issues and we would like to encourage WG members to actively pick those up and help out by creating PRs..
… Many of those are editorial and straightforward..
… The reason they have the tag is because there is a complete and concrete solution for solving the issue in the issue, so doing a PR should be straightforward. So please, if you are willing to contribute, even if you aren’t an editor, please do a PR..
… We have 76 issues left on the VCDM alone, we really need a lot of participation..
… If you need help learning how to contribute reach out to editors / chairs. We really want folks to contribute with these low-hanging fruit issues..
… Ok, brentz, proposals?.

Brent Zundel: I think I have everything we need in this proposal – I chose all the things like date and so on..
… Any recommendations for changes before we run it?.

Kristina Yasuda: Any changes? I think this should be straightforward..

Proposed resolution: The WG will publish as a FPWD the document at https://w3c.github.io/vc-data-integrity/, inclusive of https://github.com/w3c/vc-data-integrity/pull/67 on 2022-11-10 under the shortname vc-data-integrity, and will use echidna to automatically update the working draft when PRs are merged.. (Brent Zundel)

Manu Sporny: +1.

Orie Steele: +1.

Dave Longley: +1.

Mahmoud Alkhraishi: +1.

Steve McCown: +1.

Kevin Dean: +1.

Dmitri Zagidulin: +1.

Michael Jones: 0.

Shawn Butterfield: 0.

Gabe Cohen: +1.

Brent Zundel: +1.

Kristina Yasuda: Thank you everyone, there are no -1s, this proposal has passed..

Resolution #1: The WG will publish as a FPWD the document at https://w3c.github.io/vc-data-integrity/, inclusive of https://github.com/w3c/vc-data-integrity/pull/67 on 2022-11-10 under the shortname vc-data-integrity, and will use echidna to automatically update the working draft when PRs are merged..

Brent Zundel: We have one more proposal for JsonWebSignature2020..

Kristina Yasuda: Any comments / suggestions / changes?.

Proposed resolution: The WG will publish as a FPWD the document at https://w3c.github.io/vc-jws-2020/, on 2022-11-10 under the shortname vc-jws-2020, and will use echidna to automatically update the working draft when PRs are merged.. (Brent Zundel)

Orie Steele: +1.

Brent Zundel: +1.

Mahmoud Alkhraishi: +1.

Manu Sporny: +1.

Dave Longley: +1.

Dmitri Zagidulin: +1.

Oliver Terbu: +1.

Michael Jones: +1.

Kevin Dean: +1.

Ted Thibodeau Jr.: +1.

Shawn Butterfield: +1.

Steve McCown: +1.

Logan Porter: +1.

Resolution #2: The WG will publish as a FPWD the document at https://w3c.github.io/vc-jws-2020/, on 2022-11-10 under the shortname vc-jws-2020, and will use echidna to automatically update the working draft when PRs are merged..

Kristina Yasuda: Ok, great, see lots of +1s, no -1s, this proposal has passed..
… We passed two proposals, any others to run, Brent?.

Brent Zundel: Not that I’m aware of..

Kristina Yasuda: Great..
… Thank you..
… Now going to the issues..

4. issues.

Kristina Yasuda: https://github.com/w3c/vc-data-model/issues?q=is%3Aissue+is%3Aopen+label%3Adiscuss+sort%3Aupdated-asc.

Kristina Yasuda: We’re going through the issues labeled discussed..
… There hasn’t been activity after we discussed issue #887..
… I would encourage folks to keep commenting on that issue..

Kristina Yasuda: see https://github.com/w3c/vc-data-model/issues?q=is%3Aissue+is%3Aopen+label%3Adiscuss+sort%3Aupdated-asc.

4.1. issuanceDate/expirationDate and validFrom/validUntil (issue vc-data-model#913)

See github issue vc-data-model#913.

Kristina Yasuda: Can anyone give an overview of this issue?.

Michael Jones: In the big picture, this is about what representations of what dates to include in our spec. There is some history ….
… Let me try to divide the different pieces this is talking about and then I’ll defer to Manu to also give context..
… Some developers apparently found “issuanceDate” to be confusing, because it’s not just a date it’s a date-time. So one proposal in this issue is to rename it to “issued” with the same semantics as the JWT issued at iat claim..
… I would note that the semantics wouldn’t change but it would be a breaking change to give it a new name (from issuanceDate to issued)..
… There are some more issues in this issue..

Orie Steele: -1 to what is being said… validity period and signature date are different..

Michael Jones: One is having a validFrom claim, which is the equivalent of the JWT “not before” claim..

Manu Sporny: yes, -1, I think this is confusing what was being proposed..

Michael Jones: There’s discussion about it being optional or not, I see that it could be optional..

Orie Steele: interesting point, on making validFrom optional though… wonder about the use cases for that..

Michael Jones: We could refer to the SAML / JWT usage – where you only include “valid from” or “not before” if the value differs from “issued at”, but we could discuss that..

Dmitri Zagidulin: @Orie - the use case for validFrom being optional seems straightforward enough. if missing, then it’s “at the time of issuance”.

Michael Jones: There is also a proposal to rename expirationDate to validUntil which would be a breaking change again with just a new name. I could see us wanting to break each of these into its own issue to deal with one at a time..
… Manu, what have I left out?.

Manu Sporny: I would characterize it quite differently. There are broad categories of what’s being discussed. One is “what’s the validity period for the credential?”..
… Way back in the VC 1.0 days, we set the validity period between “issuanceDate” and “expirationDate” and that confused people because of date vs. date-time..
… So we suggested that we change this from “validFrom” to “validUntil”..

Orie Steele: +1, what is the validity period for the credential? and when was the signature applied are VERY different things..

Manu Sporny: The issue itself was very focused on those things. Mike rightly brought up the signature date and time and that’s about securing the VC as opposed to the VC itself..
… So what I want to make sure is that we don’t conflate those things there – this issue is not supposed to be talking about the signature just the validity period for the credential..
… We did talk about this in the 1.1 work and we did come to consensus that we would be renaming it to “validFrom” and “validUntil” and we set that expectation..
… What is Mike is bringing up are interesting things to discuss but this issue was just supposed to be about the validity period for the VC..

Orie Steele: I agree with pretty much everything Manu just said..
… I would say that in educating new developers about these properties, and I’ve commented to them about “validFrom” and “validUntil” and they were very supportive of using those..
… I think the reaction already to change to those properties is a good move..
… I think what Mike and Manu were saying – and that people are often confused between these and the dates/times used in the securing representations and we need to keep those separate..
… Attacking timestamps is something attackers really love to do – especially for credentials that are delicious and valuable. We should be very careful to not confuse the validity period in the VC and the timestamp/format in the securing format. Keeping those separate lets us be more secure and we can talk about the securing times and so on in those other specs..
… So I’m very in favor of using validFrom/validUntil for the VC validity period instead of issuanceDate/expirationDate..

David Chadwick: It’s clear people have confused the VC validity period and the crypto dates. Now it’s very clear that those are not the same thing. The dates that are used in a JWT should not have any mappings to the VC – because these things are clearly separate..
… I think the rules that Orie is producing right now, the two dates are not related at all (those in the JWT vs. those in the VC) are not related at all..

Orie Steele: David, well not sure I fully agree… but I am happy to discuss…. in the “mapping from the core data model” section of the “vc-jwt” spec..

Kristina Yasuda: Thank you, David..
… I would propose running a proposal to rename “issuanceDate” to “validFrom” and rename “expirationDate” to “validUntil” both separately..
… And then talk about optionality..
… I see support for people to separate VC validity from proof/signature validity..

Michael Jones: The specs that I’ve worked on that have succeeded, we try to keep simple things simple..
… In the vast majority of the cases, the credential becomes valid at the time it’s issued..
… Yes, there is a use case for future-dated coupons, which is fine, in which case you can have an optional / “not before” or “valid from”. But let’s not have two representations of the same thing..

Orie Steele: There are lots of cases, where the cryptographic proofs have different dates than knowledge or claims..

Manu Sporny: University degrees don’t become valid at the time they’re digitally signed… coupons don’t… discounts don’t….

Manu Sporny: They’re not the same..

Ted Thibodeau Jr.: citation needed for 99%.

Michael Jones: I think it’s an unnecessary duplication in 99% of the use cases..
… I think in this case, breaking changes don’t appear to be a good cost/benefit trade off..

Orie Steele: yeah, citation for 99% claim… : ).

Kristina Yasuda: So you’re suggesting let’s keep “issuanceDate”..

Oliver Terbu: I think there are two different issues. One is the semantic meaning/naming of those properties in the core data model. I think that might be errata/controversial … the other issue is whether or not to map those properties onto JWT VCs..
… Specifically onto JWT claims. I think these are two different issues. One relates to the VC data model and is about renaming those properties, the other is about whether or not to map those onto standard JWT claims or standard DI claims/proof properties..

Kristina Yasuda: I agree, that’s the separation we need..

Manu Sporny: +1 to what Oliver said about separation..

David Chadwick: Totally agree with Oliver..

Kevin Dean: +1 to separation.

David Chadwick: Degrees that were issued to people 10-20 years ago, that’s the VC issuance date. That’s got nothing to do with the JWT. It will still have 1970 as the date of issuance. We have to clearly separate these. My driving license was valid until I was 65 and I got it when I was 16..

Orie Steele: +1 David.

David Chadwick: There’s no way the JWT would have been valid that long – for credentials the periods are very clearly different..

Orie Steele: +1 Manu, this isn’t a breaking change..

Manu Sporny: I wanted to speak to the breaking change that might happen. So this would happen in the VC 2.0 context and I’d argue that isn’t a breaking change and new implementations that pull that context in will never know that there was this VC 1.0 thing..
… And the things handling VC 1.0 will continue to work..

Mahmoud Alkhraishi: +1, v1 context will still support the existing implementation.

Manu Sporny: It’s not a breaking change. We have warned people in the spec for years now that we’re going to make this change for years now and it’s not a surprising thing. If we’re really concerned about this, we could say that “issuanceDate” and “expirationDate” are still allowed, you have to use validFrom/Until but if you see those you can use them..
… I hesitate to do that because of the complexity – it’s not difficult to do an if statement, but better to be avoided..
… It’s not a breaking change in the way that things usually happen because of the versioning we have with the context..

Michael Jones: You can call it a breaking change or not but it’s still a code change if you want to use the new specification. I agree that it’s a separate thing, the mapping to the JWT claims..
… And what the mapping to the CBOR claims will be, etc..
… And Orie talked about this and he’s right. Do you only have one representation of dates or do you have two? One in the body and one in the container. I think that’s another highly-related issue which we haven’t resolved. It could be very well that we rename these things to validFrom/validUntil but in the JWT mapping we don’t use those properties at all..
… And we use IAT or NBF or you allow the duplication..
… I think the duplication is problematic. What I’m saying probably isn’t directly actionable, but I think the whole date representations in signed containers vs. representations in the VC data model are distinct but very interrelated..

Orie Steele: Most of what Mike is saying, is for a different issue, imo, but since he has said it, I am q’d to reply..

Michael Jones: I know Tony Nadalin who is on the call and he would like the VC data model not use anything duplicative that’s already in JWTs..

Kristina Yasuda: Thank you, Mike, I’m thinking of a straw poll..
… Do we want to have 4 separate claims, “issuanceDate”, “expirationDate”, “validFrom”, “validUntil”..

Ted Thibodeau Jr.: I’m more than a little frustrated that the most significant argument that’s put forth – one of the reasons to go from 1.1 to 2.0 is to make a fix in what most of us consider to be a bug that we did in 1.1..
… I was here for all of it. Those people arguing against that change were not. You might want to consider that in formulating your arguments..

Orie Steele: I know Mike Jones raised a bunch of issues related to the mapping from the core data model to the security proof formats and he made a number of statements about how you can legally do that in 1.1 and how we might change that in 2.0..
… I want to say again that mixing those issues together is a huge mistake and we shouldn’t be doing that. We should have this issue focus on the core data model only. Bringing those other security items in here is confusing the issue..
… We can address those issues on the repo that defines that mapping..
… We can define that mapping elsewhere in other issues. I’d like to ask us to focus on the labels we’re providing on the labels for these fields in just the VCDM..

David Chadwick: +1 Orie.

Orie Steele: The proposal is just to rename issuance/expirationDate => validFrom/Until and let’s not get confused with other issues..

Shawn Butterfield: +1 Orie.

Manu Sporny: +1 Orie.

Dave Longley: +1 Orie.

Michael Jones: I am often in favor of separation of issues as well..
… If we can agree that the core data model will not talk about issuance at all, but you leave that to the formats of the security tokens that secure the data model members, then I’m ok with the renaming..
… We need to be clear then that the VCDM doesn’t have issuance and expiration, that’s something at the security level. If that’s the separation we can agree to then maybe there’s a path forward..

Orie Steele: I’m not sure we’re going to agree to that. I don’t agree with the idea that the core data model can’t have the issue make claims about the validity period..

Brent Zundel: validity period seems to be what we are talking about with validFrom and validUntil.

Manu Sporny: +1 Orie.

Manu Sporny: +1 brent.

Orie Steele: The VCDM has a responsibility to allow the issuer to provide clear definitions for the validity period – and we should improve the definitions and provide clarity and I’m strongly opposed to any idea that we’d move the VC validity period into the security assertions format. I think that’s a violation of layers..

Dave Longley: +1 Orie.

Michael Jones: I thought I was agreeing with Orie..

Shawn Butterfield: That was how I interpreted it… I’m a +1 on VCDM owning claim validity - not security envelope expiry… Two different things..

Brent Zundel: Then issuanceDate and expirationDate would be a concern of securing VCs.

Orie Steele: There are dedicated issues to those issues..

Manu Sporny: Maybe I just misunderstood Mike, but maybe we have consensus..
… I’d like to run the proposals before the end of the call..

David Chadwick: To muddy the waters a bit, my driving’s license, it had my date of birth… didn’t have an expiration date but my classification of vehicles to drive did..
… For having validFrom/validUntil for the whole VC is perhaps the wrong model because each claim could have its own model..

Ted Thibodeau Jr.: new issue! distinct convo!.

Dmitri Zagidulin: that does seem like the drivers license could stand to be separate credentials :).

Shawn Butterfield: * lols @Orie.

Brent Zundel: I think a validFrom/validUntil would not at all prohibit from an issuer using validFrom/validUntil for each and every claim that they make..

Manu Sporny: +1 brent.

Proposed resolution: Rename issuanceDate in the VC Data Model to validFrom.. (Manu Sporny)

Orie Steele: +1.

Ted Thibodeau Jr.: +1.

Oliver Terbu: +1.

Brent Zundel: +1.

Logan Porter: +1.

Manu Sporny: +1.

Dave Longley: +1.

David Chadwick: +1.

Dmitri Zagidulin: +1.

Shawn Butterfield: +1.

Mahmoud Alkhraishi: +1.

Resolution #3: Rename issuanceDate in the VC Data Model to validFrom..

Michael Jones: 0.

Kristina Yasuda: Ok, I don’t see any -1s, this proposal has passed..

Proposed resolution: Rename expirationDate in the VC Data Model to validUntil.. (Manu Sporny)

Orie Steele: +1.

David Chadwick: +1.

Oliver Terbu: +1.

Dave Longley: +1.

Brent Zundel: +1.

Steve McCown: +1.

Manu Sporny: +1.

Logan Porter: +1.

David Waite: +1.

Mahmoud Alkhraishi: +1.

Shawn Butterfield: +1.

Ted Thibodeau Jr.: +1.

Dmitri Zagidulin: +1.

Resolution #4: Rename expirationDate in the VC Data Model to validUntil..

Kristina Yasuda: Thank you everyone, no -1s, this proposal has also passed..
… I think this issue is now ready for PR..

Dmitri Zagidulin: I just didn’t understand why people were confused about “issuanceDate” but not why “expirationDate”..

Orie Steele: The confusion is around VC validity vs. security representation. Both require mappings in order to be secured in JWT – vs. Data Integrity which doesn’t transform the JSON..

Dmitri Zagidulin: thanks Orie.

Dmitri Zagidulin: makes sense..

Orie Steele: Any security format that has to handle those mappings on both sides it can be confusing and there’s where the confusion is coming from..

David Waite: My confusion about the rename is about also having an issued property – but from a validity perspective, I don’t know what that means. It seems like “issued” was proposed because “issuanceDate” might serve a different purpose as well as a granularity … will this be a breaking change for people who thought they were using “issuanceDate” correctly but weren’t?.
… In addition to the rename, I think there’s also a new parameter being proposed and it’s not clear if it has a security context or if it’s just a new thing the issuer claims about the VC itself..

Orie Steele: I don’t know about the “issued” term or where that’s coming from. I can only speak to the software implementations I’ve reviewed – with distinguishing between the VC validity and the signature period..
… In most JWT implementations you can’t even set the implementation to move the date around and that’s hard if you have a mapping..
… There are some that let you set it. I haven’t seen “issued”. The JWT iat maps to the proof.created in DI..
… That has to do with when the proof was created and the security was applied..

Manu Sporny: +1 Orie.

Orie Steele: Which is to be distinguished from when the VC / claims validity period applies..

David Waite: fwiw, issued property is from the note in https://www.w3.org/TR/vc-data-model/#issuance-date.

Dave Longley: +1 Orie.

Kristina Yasuda: Please read over issues and link as needed, see you on the special topic call and thanks to everyone!.

5. Resolutions