Verifiable Credentials Working Group Telco — Minutes

Date: 2023-04-05

Attendees

Present: Ivan Herman, Kevin Dean, Brent Zundel, Kevin Griffin, Sten Reijers, Michael Jones, Phillip Long, Ted Thibodeau Jr., Michael Prorock, Kerri Lemoie, Orie Steele, Manu Sporny, Dave Longley, Andrew Whitehead, Sebastian Elfors, Gregory Natran, Samuel Smith, Dmitri Zagidulin, Paul Dietrich, Mahmoud Alkhraishi, Przemek Praszczalek, Oliver Terbu, Kaliya Young, David Lehn, Shawn Butterfield, Steve McCown, Joe Andrieu, David Chadwick, Kristina Yasuda

Regrets:

Guests:

Chair: Brent Zundel

Scribe(s): Kevin Dean

Brent Zundel: Reviewed agenda, including summary of special topics call of yesterday.

1. Scope of work and priorities.

Brent Zundel: First topic, scope of work and priorities.
… Now in feature freeze, work items we have agreed to are what we will work on.
… Features are described in issues, which we will be considering in those work items.
… We have a lot of work on our plates. Eight or nine normative documents in the queue.
… If there is a work item that is important to you or your company, we will expect you to work on the item via issues and PRs.
… Starting today to make sure that people are assigned to issues.
… Most of the editorial team’s plates are full. Need everyone we can to be actively engaged. Chairs’ primary responsibility is to see the group succeed.
… Data model, two data integrity models, in scope.
… We have identified four normative specifications that will be our primary focus. Four or five additional ones will be worked on provided that they don’t compromise the four at the core.

Manu Sporny: +1 to the above ^ :).

Ivan Herman: As a sign of the crowded space we have, here is the list of GH repositories that are, currently, under our “control”: https://www.w3.org/groups/wg/vc/tools.

Sten Reijers: Is there an overview page of the priorities?

Brent Zundel: We have not documented the priorities. Chairs can send out an email outlining the plan.

Michael Prorock: From a priority side, the charter itself states what normative deliverables we expect to provide. Mapping to the exact documents hasn’t been done.

Manu Sporny: +1 to everything brentz said. Editors are in the position now where they have a very full work queue for the rest of the year.
… People have to step up and do work if they want their feature in the specification.

Michael Prorock: +1 manu.

Manu Sporny: Getting the language into the specification isn’t enough. If you have normative text, you will have to implement it and coordinate test suites etc. if no one else comes forward.
… Work has to be done before candidate recommendation.
… Group shouldn’t spend time on features that are not implemented.
… “Are you committed to writing the tech spec and the test suites?”.

Ivan Herman: Emphasize what manu said, it’s not one implementation, there must be at least two independent implementations.

Brent Zundel: Work is underway on a test suite. For features that you are promoting or implementing, you or someone close to the work have to write the test fixtures.

2. Work Item status updates/PRs.

Brent Zundel: Moving on to work item status updates and PRs.

Manu Sporny: On VC Data Model, there are six PRs that are effectively stuck, that we need to discuss how we get them unstuck.
… Other PRs look fairly straightforward and simple.
… Data integrity spec is fine, nothing stuck there, same for EdDSA and ECDSA.
… Need to do first public working drafts for EdDSA and ECDSA.
… StatusList2021, not a whole not of progress. If folks are looking for work, that would be a good place to start.

Brent Zundel: FPWD is important so that other W3C groups can review and so that patent declaration has time.
… Want to enter FPWD as soon as possible.

See github pull request vc-jwt#68.

Orie Steele: https://github.com/w3c/vc-jwt/pull/68 is an open pull request on VC-JWT what we want to merge.
… Document is still close to the format it was in when it was copied out of the core spec.
… Talked to Tobias at IETF about BBS, still in the process of adopting it.
… Happy to do that work.

Manu Sporny: Just a note that I have sent a list of steps to Gabe, who is raising PR on transitioning from CCG to VC-JWT.

Michael Prorock: yep - on the lookout.

3. Issue Discussion.

Brent Zundel: List of issues to assign: https://github.com/w3c/vc-data-model/issues?q=is%3Aissue+is%3Aopen+sort%3Aupdated-asc+no%3Aassignee+.

Brent Zundel: Set of issues in the order we want to look at them.
… Being assigned to an issue doesn’t mean that you are the only one resolving it or that you will create the PR. You will be responsible for moving it forward, coordinating parties, proposing solutions, moving to resolution.

3.1. Underspecification of issuer object format and document obtained if issuer id is dereferenced (issue vc-data-model#709)

See github issue vc-data-model#709.

Brent Zundel: Underspecification of issuer object format and document obtained if issuer id is dereferenced.
… If you say that an issuer ID should be dereferenceable and processed, we don’t say what that should look like.
… Anyone wish to be assigned?

Dmitri Zagidulin: +1 Orie.

Orie Steele: Added a link to the verification method. May not belong to the data model but rather data integrity.

Dmitri Zagidulin: outside the context of securing integrity, there is no requirement to resolve an issuer id.

Joe Andrieu: +1 to dmitriz’ comment.

Ivan Herman: I’m a little bit surprised because the previous iteration of this WG decided in 2019 to consider this as closed.
… The issue remained open and is now back in front of the WG.

Michael Prorock: +1.

Manu Sporny: -1 no, that’s not what issuer was intended to be used for… we’re changing the definition of issuer… I expect those issues to be closed if they were raised on the data integrity spec.

Michael Jones: Agree with Orie. To Ivan’s point about whether it is being reopened, developers have told us that the spec as written is not actionable, that you have to have outside knowledge of how to retrieve the keys, which means you are not interoperable.
… Pleased that we’re considering this issue. I would consider being assigned this issue.

Orie Steele: its not possible to “test” without defining this… but perhaps those tests only apply to the “security suites” where “verification” can actually be tested.

Brent Zundel: Would you accept opening and assigning to yourself?

Michael Jones: Not this week.

Manu Sporny: it is possible to test verification w/o “how to dereference issuer” being defined.

3.2. Question about verifiable presentations (issue vc-data-model#996)

See github issue vc-data-model#996.

Brent Zundel: Question about verifiable presentations.
… Resulting thing might not be a VC but we want to include it in a Verifiable Presentation.
… Is there someone willing to be assigned to this issue to work toward greater clarity?

Dmitri Zagidulin: Willing to be assigned to the issue or to provide an example.

Sten Reijers: To add to that, doesn’t want to be assigned but is using VPs and may apply to their examples. Will look into it.

Dmitri Zagidulin: May have misunderstood. Reconsidering being assigned to it.

3.3. Enable CBOR Representation(s) of Verifiable Credentials (issue vc-data-model#985)

See github issue vc-data-model#985.

Brent Zundel: Will assign both to the issue to discuss and move things forward.
… Enable CBOR Representation(s) of Verifiable Credentials.
… Is there someone willing to be assigned to this issue?

Dave Longley: Who would be the closest, based on resolutions made previously?

Oliver Terbu: +1 dave.

Manu Sporny: +1 dave.

Dave Longley: Maybe we should close this.

Joe Andrieu: +1 to close.

Manu Sporny: CBOR is a new work item, we are past feature freeze, close it.

Ivan Herman: Do we want to add another work item for CBOR representation?

Kevin Griffin: +1 to close.

Michael Jones: I concur. With where we are and what we need to do, not willing to add another work item.

Michael Prorock: +1.

Orie Steele: +1 to close.

Ivan Herman: +1 to nuke it.

Michael Jones: Supports closing.

Kevin Dean: CBOR supported in ACDC, so may be covered there.

Brent Zundel: ivan will close it.

3.4. Remove 3-party Issuer-Holder-Verifier diagram and replace with 2-party Raw Credential Sender-Receiver Model (issue vc-data-model#1008)

See github issue vc-data-model#1008.

Brent Zundel: Remove 3-party Issuer-Holder-Verifier diagram and replace with 2-party Raw Credential Sender-Receiver Model.

Dave Longley: I would also recommend we close this.

Oliver Terbu: +1 closing this issue.

Sten Reijers: +1 to close this.

Michael Jones: Once again, I agree that three-party model is integral to what we’ve created and how it’s used. This should closed with prejudice.

Brent Zundel: There is no consensus in the group to change the three-party issuer-holder-verifier setup.
… Therefore we are going to close this.,.
… We will include in the weekly communication the list of issues that are marked “pending close”.
… We’re not necessarily going to say in a call that we want to close it.

3.5. Requesting content type for presentation (issue vc-data-model#1017)

See github issue vc-data-model#1017.

Brent Zundel: Requesting content type for presentation.

Manu Sporny: Self-assigned and ready for PR.

3.6. Separation of Cryptographic Verification from Business Process (and Semantic) Validation (issue vc-data-model#986)

See github issue vc-data-model#986.

Brent Zundel: Separation of Cryptographic Verification from Business Process (and Semantic) Validation.
… Marked as a conversation. If this is an issue that you want to help resolve, please speak up,.

Phillip Long: +1 to Oliver’s suggestion.

Oliver Terbu: Mark as pending close due to no activity on the issue. No action resulted from the discussion.,.

3.7. Clarify credentialStatus (issue vc-data-model#991)

See github issue vc-data-model#991.

Brent Zundel: Clarify credentialStatus.
… Not sure if this has been resolved because of our adoption of the StatusList work item.

David Chadwick: I think it’s a valid comment. If you take the case of a degree certificate, revoke could happen if the private key is compromised or a student cheated. Need to differentiate between them.
… There was a problem with the CredentialStatusList. Did raise an issue.
… It would be nice if anyone involved in CredentialStatusList could say so.

Brent Zundel: Assigned davidc.

3.8. Address `controller` ambiguity (issue vc-data-model#915)

See github issue vc-data-model#915.

Brent Zundel: Address controller ambiguity.
… Is there someone that wants to be assigned to the issue?

Orie Steele: Similar to previous when discussing how to obtain key material, this may belong to data integrity, not data model.
… Would like for someone else to take this issue.
… Seen a lot of confusion in VC-JWT over what to do with this property.

Manu Sporny: Agree that this issue should be transferred to vc-data-integrity and vc-jwt (and ideally, they both give the same advice) :).

Brent Zundel: Speak up to be assigned.
… Is the step forward to raise issue with vc-data-integrity and vc-jwt and link to this?

Orie Steele: Cannot address this in the core specification. What you get back from dereferencing will depend on the integrity specification, not the model.

Ivan Herman: Just a minor thing, in the core model where this property is defined, it should say that it depends on the security format.

Orie Steele: ivan than it should stay in core data model, and the guidance should be added to the vocab.

Orie Steele: who is willing to do that?

Orie Steele: I have observed data integrity implementations doing that binding, regardless of what the spec says.

Orie Steele: and I have observed vc-jwt ignoring that convention as well.

Brent Zundel: Is there a need to have a Data Integrity version of this issue?

Orie Steele: vc-data-integrity and vc-jwt can define document independently.

Dmitri Zagidulin: +1 Orie, I agree, there’s definitely a normative behavior for DI, wrt controller.

Brent Zundel: Adding ready for PR label.
… We are going to continue triaging until all issues assigned.