Verifiable Credentials Working Group Telco — Minutes

Date: 2023-01-25

See also the Agenda and the IRC Log

Attendees

Present: Ivan Herman, Michael Prorock, Brent Zundel, Michael Jones, Markus Sabadello, Chris Abernethy, Dmitri Zagidulin, Orie Steele, Shigeya Suzuki, Shawn Butterfield, Dave Longley, Kerri Lemoie, Manu Sporny, Will Abramson, Kristina Yasuda, Phillip Long, Ted Thibodeau Jr., Juan Caballero, David Lehn, Mahmoud Alkhraishi, Joe Andrieu, Kevin Dean, Oliver Terbu, Gabe Cohen, Antony Nadalin, David Waite, Steve McCown

Regrets:

Guests:

Chair: Brent Zundel

Scribe(s): Michael Prorock, Dmitri Zagidulin

Content:

1. agenda discussion.

Brent Zundel: ftf meeting, issues, etc.

2. introductions.

Brent Zundel: calling for any intros or howdys.

3. F2F Meeting.

Brent Zundel: Miami Feb 14-16, 9am-5pm local time.
… independent dinners, breakfast on your own, lunches provided.
… possible activity wed afternoon.
… any questions on logistics, etc?.

Brent Zundel: See Presents’ list.

Brent Zundel: adding rows to attendance list is fine.

4. Work Item status updates/PRs.

4.1. Added presentationSchema (pr vc-data-model#987)

See github pull request vc-data-model#987.

Manu Sporny: Presentation PR - to add a presentationSchema - use cases and example requested.
… some feedback in the PR that is not well understood.
… not clear who (holder, verifier, issuer, someone else) should be handling the schema.

Orie Steele: appreciates example from David.
… added a link to self describing JSON Schemas.
… believes that this example is almost identical to the use case here.
… wants to see clear consensus on whether or not this should be added to the core data model.

4.2. Remove ZKP Section (pr vc-data-model#999)

See github pull request vc-data-model#999.

Manu Sporny: looking for other folks to weigh in, otherwise just the folks conversing on the pr will contribute.
… location or removal of ZKP section - might be some issues with moving to impl guide given normative language.
… don’t know what to do with the PR yet.

Ted Thibodeau Jr.: don’t think normative language should be a blocker - could move and change to informative language.
… shouldn’t necessarily throw away work.

Orie Steele: notes that the work done is preserved permenantly in 1.1.
… does believe that some of these items may get added back in to core data model at a later date.
… supportive of documenting support.
… concerned that we may be holding onto something that may prevent clean definition of ZKPs in 2.0+ based on work in 1.1.
… also concerned on testing / interop.

Ivan Herman: the fact that it is part of 1.1 will be “hidden” when 2.0 gets published.

Ted Thibodeau Jr.: +1 about the hiddenness (and forgettability) of 1.1 once 2.0 is out.

Ivan Herman: question without knowing all tech details, is this urgent to do now? Not at CR point, maybe a flag is better? other options noting potential removal?.
… not sure on urgency of removal.

Orie Steele: The text adds burden to reviews…..

Kristina Yasuda: no urgency does not mean not doing it… this topic has been up for discussion for a while..

Brent Zundel: as author (not chair) - the section needs significant reworking, removal likely, but removal at this time may be premature.
… don’t think axing now is way to go, even if we are going to axe or rework later.

Kristina Yasuda: q.

Manu Sporny: can try to put a warning in.
… clearly communicate that section is at risk.
… does want to audit normative statements that should probably be removed or modified.
… rework this section with a mind for future inclusion of BBS.
… get things set up so that BBS can integrate when it is ready.
… is that a workable PR?.

Brent Zundel: +1 Manu.

Ted Thibodeau Jr.: +1 on manu’s suggested plan.

Kristina Yasuda: not a big fan of just a warning.
… may be an issue suggesting shorter text.
… wants to avoid postponing problem.

Kristina Yasuda: +1 manu.

Kerri Lemoie: +1.

Brent Zundel: +1.

Manu Sporny: new PR for a new section intending to replace this section, that is shorter and attempts to capture the “spirit” of things in advance of BBS, non-normative for now, that can become normative later if appropriate.

Orie Steele: That suggestion seems good to me..

Phillip Long: +1.

Dave Longley: +1.

Michael Prorock: +1.

Ted Thibodeau Jr.: +1 works for me.

Ivan Herman: +1.

Orie Steele: If you request changes, clearly, i will modify my PR..

Manu Sporny: begs for other folks to help out because his stack is overflowing, otherwise will eventually get to it.

4.3. Change the reference URL in the vocabulary template file (pr vc-data-model#1011)

See github pull request vc-data-model#1011.

Manu Sporny: ref url in vocab template file.

Ivan Herman: notes that official vocab points to 1.0, proposing that new version should be official version.

Manu Sporny: back and forth with ivan to clarify.

4.4. Added Presentation as a possible domain for termsOfUse to the formal vocabulary (pr vc-data-model#1013)

See github pull request vc-data-model#1013.

Manu Sporny: straightforward.
… terms of use PR, syncing with latest changes.
… follow on, mostly editorial.

4.5. Add normative requirements regarding media type and proof (pr vc-data-model#1014)

See github pull request vc-data-model#1014.

Manu Sporny: normative requirements for media type and proof, follow on to PR from last week.
… media type “must not be used with embedded proof” is the discussion, as well as general media type discussion.
… please weigh in.

Orie Steele: believe that intention has been made clear in comments, good exchange on intention of PR.
… if you feel intention is not clear, let’s clarify that, then we can discuss and clarify text that reflects that intention.

Manu Sporny: moving on to data integrity PRs.

4.6. Add note on verification relationships to Security Considerations. (pr vc-data-integrity#75)

See github pull request vc-data-integrity#75.

Manu Sporny: 75 is text around verification of relationships.

4.7. Add section on Canonicalization Method Correctness. (pr vc-data-integrity#76)

See github pull request vc-data-integrity#76.

Manu Sporny: 76 is about canonicalization methods for clarity.

4.8. Attempt to synchronize the security vocabulary with the FPWD spec (pr vc-data-integrity#79)

See github pull request vc-data-integrity#79.

Manu Sporny: 79 is taken sec vocab and refactored to match VC data model.
… would be first revision, won’t have all details right on first pass, but is a good first step.
… does not belive anything provacative.

4.9. Add section on Proof Purpose Validation. (pr vc-data-integrity#80)

See github pull request vc-data-integrity#80.

Manu Sporny: new section around proof purpose, and why you want validation.
… onto status list.

4.10. Status List pr-s.

Manu Sporny: looking forward to PRs rolling in.

Kristina Yasuda: +1 to PRs in StatusList :).

Manu Sporny: many issues ready for pr.

4.11. Request media type for 1.1 vc-jwt claim set (pr vc-jwt#40)

See github pull request vc-jwt#40.

Michael Jones: would like to discuss extensive review on PR 40.
… follows onto data model PR re media types.
… creates a second media type for teh 1.1 VC JWT claimset.
… just like OIDC tokens, a credential is much more specific that just a general claimset.
… I think we’re good to go, and should merge this, can always wordsmith later.

Ted Thibodeau Jr.: I think it needs a bit more than wordsmithing; I’m generally not in favor of merging a thing that needs smithing, since that might never happen.
… as I commented on the thread there, there are a number of comments that dont appear to understand how media types actually work, which is not useful.
… I’m not sure people are processing this right.
… it’s frustrating to not have that last comment mentioned.

Manu Sporny: I don’t think we have consensus here.
… I think there’s consensus that we might need a media type for this.
… I think this thing should exist – that’s not under debate. it’s “what should this thing be called” - that’s what under debate.
… what we’re talking about is a Claims Set.
… however, the media type makes it sound like the claims set is the credential, in the VC Data Model sense of the word.
… so the concern is that people will think that it’s In VC format, whereas it’s in JWT format.
… so the suggestion is - let’s call it what it is. the current name is confusing, let’s pick a more indicative name.
… as Ted said, there’s a number of comments that confuse how media types work.
… this is not a popularity contest; concrete changes have been requested. there’s big concern about media type confusion; the group needs to talk about that.

Orie Steele: I think, like Manu said, there’s consensus that this needs to exist.
… there needs to be SOMETHING. there’s debate over the specific name.
… in the interest of acknowledging that we’re definitely intending to add a name, I think we have a couple paths forward.
… we can file an issue next to the name in the spec, saying WG is considering the name, then we can continue to bikeshed.
… but at least we can refer to the entity consistently; that’s my primary interest, as editor – we need to be able to refer to this object.
… and the specific name is less important than it being addressable.
… the comments regarding the claimset.

Ted Thibodeau Jr.: placeholder name should be something that’s blatently not meant to persist, e.g., george/harry+fred.

Orie Steele: and whether or not this is really a credential – I think in the interpretation of v1.1, this is actually a credential.
… so I think it’s named correctly and clearly.
… I think if we want to change the specific media type that’s being registered, we can continue to bikeshed..
… but this is blocking additional refinement, not being able to reference.
… if the name changes after it’s merged, it won’t change our ability to work.

Gabe Cohen: +1 to agility.

Orie Steele: so, I request we file an issue registering that there’s no name consensus, but merge this PR.

Dave Longley: there’s already “credential” in 1.1 in JSON format that is NOT a JWT Claim Set much more prominent in the spec (the one specifically called that in the spec) that is easily confused with the media type name “application/credential-1.1+json”.

Michael Jones: I want to agree with something that Ted said, which is - there IS some confusion among some people who commented about how media types are used.
… as I said in a private conversation with Orie, we do have an education task in front of us, to get people used to thinking about declaring the types of things.
… deep background: one of the things that changed in the JWT world, in the 10 years since we invented it, is that IETF and others realized that explicitly typing things has a lot of value.
… it can prevent confusion between two things.
… that are intended for different purposes, which is the root for a number of security flaws.
… which this can prevent.
… so, I’m happy for the WG to continue the education task.
… I think that’s important; we need to get people used to typing things. And this is part of an initiative of the editors of the JWT spec, and I’d like you to support that.
… if we want to continue bikeshedding the name, we should file an issue saying we want to rename it.
… Dave Longley expressed concern in a comment that maybe people won’t read the spec and won’t understand the definition that it’s a claim set. But if people don’t read the spec, we have a different world of problems.

Michael Prorock: +1 selfissued.

Michael Jones: I think it’s time to merge this, so we can strongly type things. and continue bikeshedding.

Manu Sporny: -1 to “merge this”.

Dave Longley: I’m a strong -1 to merging this without just changing the name.
… I’ve said a lot more on the PR regarding what I think the mistakes we’re making, around the usage, around assumptions.
… that if we use a media type in one place, it’ll be used differently in other places, that doesn’t match what developers tend to do.
… so, if we can avoid that kind of confusion, we should do so in the name.
… I’ve responded to comments about redundancy, and pointed out that the RFCs today talk about using the ‘cty’ claim in JWTs, talking about things that are /not/ in the claimsets.

Dave Longley: See RFC section discussed in the comment.

Dave Longley: I’m less concerned about that, than I am concerned about calling something jwt 1.1 credential, whereas the spec has it as something different.
… I responded to Mike’s comment, about explicit typing, and here’s the link to that.
… about using the ‘typ’ claim vs use of ‘cty’, and what the specs say today,.
… if there’s an argument that people will not read the spec (which is what I said about naming of this), I think it’s even more concerning that we DO have a spec that specifically warns against what this spec is proposing.

Ted Thibodeau Jr.: +1 dlongley.

Ted Thibodeau Jr.: -1 merge now.

Dave Longley: it seems very inconsistent that people will go read /that/ spec, ignore the text, then go read our spec, and listen to it.
… so, I’m really confused, generally, about the approach we’re taking.

Kristina Yasuda: but jwt bcp does not prevent specific typing of cty.

Orie Steele: -1 I feel there is effort to confuse the issue in the comments, and its leading to confusion… the only problem is the “name”…. we can bike shed on an issue..

Dave Longley: but all that aside. the main concern is with the name that confuses a JWT Claimset, which is very different from a credential in JWT 1.1 format..
… it’s easily avoidable confusion.
… if we change the name, I won’t block this PR.

Manu Sporny: I find it troubling that we’ve repeatedly brought up technical issues on this PR, and they’re being ignored.

Ted Thibodeau Jr.: I see no effort to confuse the issue in the comments, only confirmation that there is confusion about the issue.

Orie Steele: several CEPC issues have already occurred… assuming folks are not aware of the background, or assuming bad faith… let’s not do that please..

Manu Sporny: one could argue that this is a continuation of the ‘make context optional’ conversation.
… I’m concerned about fairly simple questions not being answered.
… that said, if people are saying that names don’t really matter, let’s just merge the PR,.
… it would be fine if we changed the name to something like: application/credential-1.1+TOBEDETERMINED+json or application/credential-1.1+SOME-KIND-OF-JOSE-CLAIM-SET+json.
… so that people don’t start shipping it in software.
… since people are asserting that name doesn’t matter. so if we rename it to something like this, I won’t block the PR.

Ted Thibodeau Jr.: or even TEMPORARY/application/credential-1.1+json.

Ted Thibodeau Jr.: which is an invalid media type, but can be used to refer to the specific thing.

Brent Zundel: I want to run a straw poll, see where consensus lies.
… I’ve got the text of a proposal I think a lot of people will hate, and we can run it a few different ways.

Proposed resolution: The WG will merge https://github.com/w3c/vc-jwt/pull/40 with the name ‘application/credential-1.1+jwt’ and raise an issue to track further bikeshedding of the name. (Brent Zundel)

Brent Zundel: so let’s see what happens, and iterate.

Ted Thibodeau Jr.: -1.

Joe Andrieu: -1.

Manu Sporny: -1 that’s not what the PR is about, IMHO..

Dave Longley: -1.

Michael Jones: -1.

Brent Zundel: and… people all hate it, wow.

Ivan Herman: -1.

Manu Sporny: it’s not about a JWT, it’s about a claims set.

Mahmoud Alkhraishi: -1.

Oliver Terbu: -1.

Brent Zundel: ok! well, at least we have consensus on that.

Orie Steele: -1.

Michael Prorock: -1.

Chris Abernethy: -1.

Steve McCown: -1.

Kristina Yasuda: I think you should run the same proposal about application.credential json.

Michael Jones: yeah, that’s what’s in the PR.

Proposed resolution: The WG will merge https://github.com/w3c/vc-jwt/pull/40 and raise an issue to track further bikeshedding of the name. (Brent Zundel)

Michael Jones: +1.

Orie Steele: +1.

Dave Longley: -1.

Michael Prorock: +1.

Mahmoud Alkhraishi: +1.

Joe Andrieu: -1.

Oliver Terbu: +1.

Ted Thibodeau Jr.: -1.

Chris Abernethy: +1.

David Waite: +1.

Manu Sporny: -1 there are significant technical concerns that have not been addressed..

Kristina Yasuda: +1.

Shigeya Suzuki: +1.

Steve McCown: +1.

Phillip Long: -1.

Kristina Yasuda: tony says +1.

Ivan Herman: -1.

Gabe Cohen: +0.

Andres Uribe: 0.

Brent Zundel: we have 6 ‘-1s’, which is more opposition than I was hoping.
… let’s go back to the queue, but I want to know what the path forward is, for the -1s.
… what changes are being required, and is there further conversation to be had.

Michael Jones: manu, I don’t find it’s helpful when you say that technical issues have not been addressed. this is a pattern that you have. if you read the comments, you’ll find issues are addressed.
… I find it unhelpful to cast aspersions on people operating in good faith.

Dave Longley: no, they were not addressed, “explicit typing” uses the typ field, this was ignored.

Michael Jones: secondly, if it provides a path forward, it’s not the end of the world if we add ‘claimset’ to the name; I’ll run a proposal for that.
… it is redundant, but if it unblocks, I can live with it.

Michael Prorock: or application/credential-claimset-1.1+json.

Proposed resolution: We should merge the PR after changing the name to application/credential-claims-set-1.1+json. (Michael Jones)

Orie Steele: +1.

Oliver Terbu: +1.

Michael Jones: +1.

Dave Longley: +1.

Michael Prorock: +1.

Joe Andrieu: -1.

Gabe Cohen: +1.1.

Manu Sporny: +0.7 – better… feel like we can improve from here, though..

Brent Zundel: the proposal is in, is the 1.1. part necessary?.

Michael Jones: 1.1 is critical.

Ivan Herman: +1.

Kristina Yasuda: +1 can we do application/credential-claimset-1.1+json MikeP is proposing?.

Chris Abernethy: +1.

David Waite: +1.

Brent Zundel: ok, seems to be a feeling that it’s critical.

Mahmoud Alkhraishi: +1.

Phillip Long: +1.

Ted Thibodeau Jr.: media types rarely if ever include version numbers, for good reasons.

Brent Zundel: all right, in general, this is way more consensus.

Steve McCown: +1.

Ted Thibodeau Jr.: -0.8.

Brent Zundel: I’m only seeing one -1 at this point – Joe, would you like to speak to it?.

Joe Andrieu: I think we all know that naming is hard,.
… my concern with the term ‘credential’ at all is that we have significant and deep confusion in the marketplace between a VC as a digital object, and the real world credentials/claims that are modeled.

Michael Jones: “Credential” is the term that this WG defined and uses.

Joe Andrieu: since it seems like I’m a lone voice, I won’t block it, but I wish we had a better name.

Ted Thibodeau Jr.: application/claimset+json MIGHT work.

Orie Steele: agree with joe’s comment, but I believe its best resolved by merging the PR, so we can define the requirements associated with the name..

Ted Thibodeau Jr.: media types rarely if ever include a version number in them, for very good reasons. I dont think it should be included.
… if that’s vital, I want to know exactly why, in the technical sense.

Dave Longley: +1 to TallTed, the technical needs are confusing here.

Ted Thibodeau Jr.: as I’ve said here and in the issue, I really want the people who are approving this to demonstrate they understand the technical aspect of how media types work, since I still don’t think everyone who is participating/voting has that understanding, which is I think why the naming is not proceeding well.
… if you do the naming wrong, it’s difficult to fix stuff in the wild.

Kristina Yasuda: we could file an issue to revisit this naming before CR to incorporate JoeAndrieu’s comment.

Brent Zundel: the question for you, Ted, is – if the issue is raised to continue working on the name, would you still be opposed to the PR.

Manu Sporny: +1 to TallTed, I’m not convinced that the people voting for one approach understand the ramifications at depth (though, it’s always difficult to understand if people truly understand)..

Ted Thibodeau Jr.: yes, because if the thing we settle on is going to continue to percolate, tracking it down to change it again might be difficult.
… unless we do something drastic like adding ‘TEMPORARY’ to the media type.
… so that it’s clearly named, but clearly wrong and temporary.

Kristina Yasuda: from my observation we rarely have the same level of “technical understanding” in many issues….

Brent Zundel: before we go back to the queue, Ted, I don’t appreciate your assertions that those involved do not have the expertise necessary to have the opiniion.

Ted Thibodeau Jr.: I’m basing my assertion on the comments in the issue, that demonstrate the lack of understanding.
… I’m sorry if that hurts feelings, but that’s how it is.
… I feel it’s a technical point, not a personality point.

Kristina Yasuda: I’m sorry Brent, I’m still not OK with the language used….

Ted Thibodeau Jr.: that’s very different language, and I’m sorry, we should have an offline conversation.

Michael Prorock: other options can include application/1_1.credential-claimset+json.

Kristina Yasuda: thank you, yes, let’s have it offline.

Brent Zundel: we are over time.

Orie Steele: I was queued to comment on the specific binding to 1.1.
… it is important, because we have need to describe the requirements associated with this object.
… based on teh way the conversation has gone here, it does seem that with the sole exception of Ted, it would be possible to merge the PR, and continue to bikeshedding the name.
… but I’m not sure I’m interpreting Joe’s comments fully.

Ted Thibodeau Jr.: I see people’s typed comments concurring with my spoken words.

Dave Longley: just quickly, I appreciate people moving to change the name to address my concern. I’‘m no longer blocking the PR on those grounds.

Kristina Yasuda: +1 dlongley.

Dave Longley: I want to caution people that I made a number of technical arguments quoting different specs, I want to make sure you do the right thing.

Orie Steele: Thanks dave, indeed I have read your comments and appreciate them..

Manu Sporny: to echo Dave, I also am no longer blocking the PR.
… I do want to point out this media type discussion is way deeper than what it seems.
… I’m not sure what the rush is.
… and explore the things that have been raised multiple types with regard to media type discussion.

Kristina Yasuda: would consider having a special topic call wrt bringing everyone on the same page wrt media types.

Manu Sporny: so this is a request to the chairs to maybe have a special topic call on media types.

Michael Jones: We can have a bigger discussion on Media Types during the F2F, if the chairs think that would be valuable.

Kristina Yasuda: yes, manu, was typing exactly that.

Manu Sporny: so that we can all get on the same page.

Brent Zundel: thank you Manu.
… we are over time, and can have a special topic call.
… we do need a decision on the proposal though.
… my inclination as chair is to say - we are raising an issue to handle it, we hear the objections, and will work on addressing those concerns.
… but I don’t want to block the PR.

Kristina Yasuda: Ted, would you prefer a special topic call before merging.

Ted Thibodeau Jr.: no, go ahead and merge, if it goes wrong in deployment, I’ll wave my ‘told you so’ hat.

Michael Prorock: see this comment https://github.com/w3c/vc-jwt/pull/40#issuecomment-1403934090.

Resolution #1: We should merge the PR after changing the name to application/credential-claims-set-1.1+json and raise an issue to track further bikeshedding of the name.

Michael Prorock: periods can cause issues with some processors.

Brent Zundel: thank you all for attending and for your comments.

5. Resolutions