Verifiable Credentials Working Group Telco — Minutes

Date: 2023-05-17

See also the Agenda and the IRC Log

Attendees

Present: Brent Zundel, Ivan Herman, Manu Sporny, Michael Prorock, Phillip Long, Andrew Jones, Paul Dietrich, Samuel Smith, Joe Andrieu, Andres Uribe, Greg Berstein, David Chadwick, Kevin Griffin, Dave Longley, Oliver Terbu, Chris Abernethy, Mircea Nistor, Dmitri Zagidulin, Orie Steele, Hiroyuki Sano, Ted Thibodeau Jr., Kristina Yasuda, Michael Jones, Gregory Natran, Will Abramson, David Lehn, Przemek Praszczalek, Phil Feairheller, Steve McCown

Regrets:

Guests:

Chair: Brent Zundel

Scribe(s): Joe Andrieu, Manu Sporny

Content:

Brent Zundel: Welcome folks.
… Today’s agenda: proposal for VCJSON Schema.
… Then issue review for assignees.
… Then work status updates and PRs.
… We are seeing good progress in Github, but we have a lot of items.
… We need to be more aggressive about closing items that don’t have consensus.
… Any additional items?
… Any introductions today? First time or changes or just to say Hello.

1. Proposal - VC JSON Schema.

Brent Zundel: First topic: proposal for VC JSON Schema.
… Not sure who was going to speak to that. Andres?
… maybe Gabe gave us a draft proposal.
… I’ll begin with Gabe’s words and construct a proposal that I think is correct.

Oliver Terbu: +1.

Dmitri Zagidulin: +1.

Brent Zundel: It’s been simplified to just use JSON Schemas.
… It’s in a really nice spot.

Proposed resolution: Publish the VC JSON Schema 2023 specification ( https://w3c.github.io/vc-json-schema/FPWD/2023-05-23/)) as a First Public Working Draft with a short name of vc-json-schema with a target publication date of May 23th 2023. (Brent Zundel)

Orie Steele: +1.

Ivan Herman: +1.

Andres Uribe: +1.

Brent Zundel: +1.

Ted Thibodeau Jr.: +1.

Oliver Terbu: +1.

Chris Abernethy: +1.

Greg Berstein: +1.

Michael Prorock: +1.

Dmitri Zagidulin: +1.

Phillip Long: +1.

Samuel Smith: +1.

Kevin Griffin: +1.

Manu Sporny: +1.

Dave Longley: +0 (supportive of FPWD, just haven’t had any time to review).

Resolution #1: Publish the VC JSON Schema 2023 specification ( https://w3c.github.io/vc-json-schema/FPWD/2023-05-23/)) as a First Public Working Draft with a short name of vc-json-schema with a target publication date of May 23th 2023.

Brent Zundel: Resolved. We are now officially in FPWD for all normative rec track specifications.
… That’s great!

2. Issue Discussion.

Brent Zundel: https://github.com/w3c/vc-data-model/issues?q=is%3Aissue+is%3Aopen+sort%3Aupdated-asc+no%3Aassignee.

Brent Zundel: This link is all those issues not yet assigned.
… Goal today is to get people willing to be assigned.
… If nobody is willing to be assigned, we’ll consider marking pending closed.

2.1. proof in @context and the use of @container (issue vc-data-model#881)

See github issue vc-data-model#881.

Brent Zundel: First one, issue 881.
… Proof in @context and use of @container.
… Raised by Orie.

Orie Steele: This came up recently in open PR about updating diagrams.
… We have this RDF graphical representations of what a credential and proof graphs are.
… Those diagrams reflect the same topics as this issue.
… The fact that the proof is a separate box has to do with the structure of proof in the JSON-LD context.
… I’d like diagrams to represent normative requirements.
… Previously, we talked about defining credential, but opted not to.
… Then the representations here … and other stuff… is creating problems.
… We’re showing how they look after non-normative processing is happening.
… The graph property is what sort of gives you that separation in those two logical boxes.
… I think the best way to address this is either describing the shape of things or making @context normative.

Ivan Herman: First of all, the fact that it is not obvious on the diagram is a problem with diagram tool. We should be careful to reverse the arguments.
… I am stronger and stronger convinced that vocabulary document should be part of the standard.
… In that document, it’s clearly said what proof is. There are good reasons for that, which probably shouldn’t be changed.
… The fact that it is expressed as a container isn’t relevant, that is only the tool to express the vocabulary.

Orie Steele: What are the reasons that proof is a seperate graph?

Brent Zundel: remember, our goal today is to find someone to be assigned.

Orie Steele: You can assign me.

Michael Prorock: +1 ivan - big benefit to standardizing the vocab (and will force us to carefully make sure the json-ld vocab is correct).

Brent Zundel: Thanks, Orie.
… next: 915.

2.2. Address controller ambiguity (issue vc-data-model#915)

See github issue vc-data-model#915.

Brent Zundel: Controller ambiguity.
… Also raised by Orie.
… Anyone willing to move it forward?

Orie Steele: the controller property, as far as I’m aware, completely not relevant to VCs.
… There’s no reason we need it. But it is mandatory in a few places.
… To work on this, someone would have to think about VCDM and if they need to say anything. Data Integrity proofs? Do they?
… probably.

Brent Zundel: Is anyone willing to be assigned?

Michael Prorock: i think it should get moved to DI.

Dmitri Zagidulin: +1 to move to DI.

Brent Zundel: Or is there agreement to move it to DI.
… anyone opposed to moving it?

Oliver Terbu: I think there might be interplay between this and VC-JWTs as well.
… This applies to other integrity mechanisms right?

Manu Sporny: DI already talks about this and how you do processing. So I’m not sure what’s being asked for DI.
… Clarity there would be helpful before reassigning.

Phillip Long: Does this mean that the problem posed is already addressed in the data integrity spec?

Michael Prorock: I am inline with Manu. the right place for this is not core data model.
… just in scanning, it looks like DI covers it.
… I suggest we just close it.
… To oliver, about possible overlap with JWTs, there is to some degree, but the JWT spec is covering that as appropriate.

Orie Steele: vc-jwt does not cover this topic.

Brent Zundel: current informal proposal: just mark it closed?

Michael Prorock: no concern from me.

Orie Steele: that might be valid. The concern is that if VC-JWT describes different behavior, would that be ok?
… If so, great.

Michael Prorock: they are different securing mechanisms.

Ivan Herman: there is a more general problem I raised in another issue. When I read the VCDM document and I go through the examples. The fact is many examples use terms that are defined all over the places.
… There may be examples that use controller, and it’s not clearly stated that this term is defined over there.
… There is editorial work to be done to make it clear to outside readers.

Dmitri Zagidulin: I suspect we need to add those sections to the Example descriptions (“Terms controller, proof, etc, defined in DI”).

Brent Zundel: is anyone willing to be assigned? Or is anyone opposed to closing?

Ivan Herman: this is a separate issue.

Brent Zundel: my suggestion is to mark as pending closed.
… no opposition. Marking pending close.
… Moving on to issue 1089.

Orie Steele: vc-jwt still has no documented way to obtain public keys.

2.3. Why does the Data Model context file define a DataIntegrityProof RDF class? (issue vc-data-model#1089)

See github issue vc-data-model#1089.

Brent Zundel: I raised this. I’m satisfied, but others are not.

Orie Steele: same conversation about separate graphs.
… if the graph is separate, why do we bundle data integrity proofs.
… I think it biases how to secure to DI.
… I still don’t see why the context file include DI terms if you don’t need that to understand core data model.
… either the document should be normative and we should include these definitions.
… or they should just appear in the DI context.

Manu Sporny: nothing weird going on here.
… we are trying to make it easier on developers that make it easier for them.

Dave Longley: +1 these are not political concerns, they are technical and we’ve explained them many times … making something easier isn’t weird.

Manu Sporny: For example, how languages include things by default that lots of developers use.

Dave Longley: +1 to mark this pending close.

Manu Sporny: We can discuss this more, but the reason is not going to change.

Manu Sporny: +1 to mark pending close.

Brent Zundel: my inclination is to mark pending close unless someone is willing to be assigned.

Michael Prorock: I think the problem is there isn’t consensus.

Orie Steele: +1 mprorock.

Michael Prorock: I’d prefer that there is a context that just has VCDM terms.

Dave Longley: -1 … it is like “let’s remove @vocab because it helps JWTs”.

Michael Prorock: I’m willing to be assigned if we can yank this out.

Orie Steele: I prefer to see the data integrity terms come from a data integrity context.

Brent Zundel: reminder we are looking to assign.

Orie Steele: I don’t think this makes things easier for developers… I am a developer.

Dave Longley: Just to mention some things that make things easier for developers. Not doing those things in hope of avoiding bias just makes it harder for developers.

Dmitri Zagidulin: I think it’s worth remembering that JWT community doesn’t really care what’s in the @context or not. So, anything we do with the context to make developers lives easier, doesn’t affect JWT community in any way.

Ivan Herman: mike, you made a mistake. I commented in IRC. this may be a source of misunderstandings.

Manu Sporny: yes that ^.

Ivan Herman: the context doesn’t not define the vocabulary.
… Data Integrity proof is not defined in the vocabulary for VCDM.
… Context is there to also include for example, terms from schema.org.

Orie Steele: I am a vc-jwt implementer, and I care about what is in the context.

Dmitri Zagidulin: @Orie - you are literally the only one.

Manu Sporny: haha, true :).

Orie Steele: ^ why do we have a charter if that is the case?

Manu Sporny: in an attempt to help mike write something that survives consensus. Remember that we had consensus to add name and description.
… those are defined not in VCDM, but rather schema.org.
… So if only things in VCDM can show up in context, then that’s a specific notion that probably won’t achieve consensus.

Orie Steele: name and description need to be covered in the TR though right?

Dave Longley: nothing that uses @vocab is defined in the VCDM either… so we can put that in another context too.

Michael Prorock: +1 orie.

Orie Steele: otherwise how do you know how to use them?

Dave Longley: ^just leads to all kinds of problems here.

Orie Steele: also the IRIs are normative, but they only get defined in the context…. it feels like people are not really aware of how this works.

Brent Zundel: Manu and Mike are wiling to be assigned.

Manu Sporny: not me.

Michael Prorock: I’m willing to take the assignment, with help from Manu.
… Orie noticed this in the chat. It would seem reasonable to get the vocab as normative as possible.
… That probably means instead of chucking name & description, we put it in the vocab.

Dave Longley: “the context does not match ‘a vocab’” <– no, a big misunderstanding.

Dave Longley: json-ld contexts bring vocabularies together.
… Hearing this, it sounds like a massive misunderstanding of what context is for.
… I don’t see us getting consensus.

Orie Steele: Its really odd, that JSON-LD authors say use 2 contexts for examples, but they want to bundle data integrity definitions into the core context at the same time… it feels like its not, consistent… and does not help developers, because it does not establish convention.

Brent Zundel: closing the conversation on this issue.

Ivan Herman: I’m ashamed I can’t find the # of my own issue that I raised. Mike, you might want to combine the two.

Brent Zundel: 1103.

Ivan Herman: I think that the sense of the discussion should be there. There’s some editorial work to be done.
… to try to get this general issue out of the way, cleaning up context and vocab definitions.

Michael Prorock: +1 ivan.

Ivan Herman: The same issues with come with the DI spec.
… We are mixing up concepts.

Dave Longley: Orie: you’re looking for consistency in the wrong place, it’s not about the number of contexts alone.

Brent Zundel: I’ll leave it up to mprorock_.

2.4. How should we refer to the Securing specifications? (issue vc-data-model#1105)

See github issue vc-data-model#1105.

Brent Zundel: one more 1105.
… How should we refer to the securing specifications.
… Who is willing to be assigned to move it forward?
… Or should it be marked pending closed?

Manu Sporny: I think we already point to the specs normatively.
… Doesn’t that address the issue?

Brent Zundel: sounds like a request to mark pending close. Any objections?

Orie Steele: The original issue was regarding attempting to frame the core data model to be more inclusive of more securing mechanisms.
… pointing to DI seems to favor DI over others.
… If we do both, we’re creating a two-tier system. Those that are in the VCDM and those that aren’t.
… The original issue is how we frame securing formats. Not just those we work on here.

Brent Zundel: It doesn’t bother me to point to our own groups specifications.
… but I would not be opposed to adding a link to the VC Specs Directory so that as new mechanisms are added there, they can be found.
… Anyone willing to be assigned?

Ivan Herman: +1 to Brent’s.

Kevin Griffin: I’ll take a stab at it.

Orie Steele: thanks kevin, this seem like a good one for you.

Brent Zundel: Thank you.
… with that, we didn’t quite get through all of them.

3. Work Item status updates/PRs.

Brent Zundel: Moving on to our final topic. Work status updates.

Manu Sporny: vc data integrity has no open PRs. that’s on a good glide path.
… ecdsa has examples we want to get in.
… Orie has been asked to re-review.
… For status list, there is a PR for http status codes.
… There is an issue raised to do that. This is a request to get Kristina and Mike to re-review.

Orie Steele: https://github.com/w3c/vc-di-bbs (no open PRs)… https://github.com/w3c/vc-jwt (2 open PRs, please review) … https://github.com/w3c/vc-status-list-2021 (2 open PRs).

Michael Prorock: VC-JWT. there are two open PRs.
… they’ve had a few eyeballs on them.

Michael Prorock: (1) https://github.com/w3c/vc-jwt/pull/85.

Michael Prorock: On is to remove 1.1 items from VC-JWT spec.
… simplifies things from a testing standpoint.

Michael Prorock: (2) https://github.com/w3c/vc-jwt/pull/86.

Michael Prorock: Second is to update titling in JSON-LD section.
… so its clear we are using VC-JWT to secure JSON-LD.

Brent Zundel: we know JSON Schema is going to FPWD.
… any others to report out?

Orie Steele: The status update for data integrity bbs. We completed FPWD.
… there was movement on the cryptographic binding components.
… there was movement on IETF side. People should take a look.
… And consider how long it will take to point to that.
… Good exchange with dlongley about linking information.
… A proposal to use HMAC.
… Waiting for people to chime in if people are comfortable and if there are any implementations.

Brent Zundel: https://github.com/w3c/vc-data-model/pulls.

Ivan Herman: just to be precise, the BBS FPWD will be published tomorrow. It’s scheduled. I don’t see any reason it won’t happen.

Brent Zundel: moving to VCDM PRs.
… two I’d like to look at before 1101.
… PR 987.

3.1. Added presentationSchema (pr vc-data-model#987)

See github pull request vc-data-model#987.

Brent Zundel: open for a while. Three people requesting changes and no one who has approved it.
… The question for this PR is what do we do to move this forward?
… just a brief conversation.

Manu Sporny: There are a couple things we can try, but I’m doubtful we’re going to come to consensus.

Michael Prorock: +1 manu.

Manu Sporny: I tried puting this in a PR in the reserved tables and that was objected to.

Orie Steele: +1 Manu.

Manu Sporny: So if we couldn’t get consensus there, we probably won’t here.
… proposal is to just mark pending close.
… we could try a reserve property thing and CCG spec, but someone would have to lead that work.
… something like what has been done with renderMethod.

Brent Zundel: anyone opposed to pending close.

David Chadwick: I thought we didn’t want to lose the conversation to date.

Manu Sporny: to be clear, I suggested moving to CCG as an option.

Brent Zundel: I’ll market this as pending close. Which will retain the conversation. Next step would be to transfer to CCG and continue incubating there.
… any opposition to that course?
… great. Marking it pending close.
… Another one to look at 1035.
… Add rendering property to VCDM.

3.2. Add rendering property to VC Data Model (pr vc-data-model#1035)

See github pull request vc-data-model#1035.

Brent Zundel: similar questions here.

Manu Sporny: This item did get into the reserve property table.
… There is a proposal to make it a CCG item.

Orie Steele: +1 to closing the PR.

Manu Sporny: I think we can close this immediately (or after the call).

Michael Prorock: #1108 was merged so no reason to keep this open.

Manu Sporny: The plan here is that it is in the reserved properties table, there’s a work item in CCG. maybe a future version of the group can add it, or after CR.
… +1 to marking pending close.

Brent Zundel: alright. unless there’s objection…
… I’ll mark pending close.
… Now, beginning conversation on two related PRs. Last five minutes of this call.
… To queue up what we need to talk about.

3.3. Add guidance on Representations of Verifiable Credentials (pr vc-data-model#1101)

See github pull request vc-data-model#1101.

Michael Jones: Manu is the only one left.

Joe Andrieu: I’m opposed to this, I’m not one of the requested reviewers, didn’t review negatively. This does not address resolution in Miami, this has to do with media types in WG… This PR fundamentally changes the meaning of that resolution. If this is a representation of that resolution, we need to have that language in there.
… If we want to reopen the resolution, we can do that too.

Orie Steele: it seems like a fact that the group does not interpret the resolution consistently, at all.

Dave Longley: I had some change requests as well that I would like applied.
… if you’re not a requested reviewer, those people should still be considered even if they aren’t code owners.

Manu Sporny: I was holding off on re-review because of Joe’s and Dave’s outstanding comments.
… great to have a concrete PR, but there is still a bit of a disconnect.

Orie Steele: kevin’s PR has lots of teeth… maybe too many.

Manu Sporny: I felt the other PR has better language. This doesn’t have any teeth.
… Verses Kevin’s PR clarifies what you must do.

Brent Zundel: Kevin’s PR: https://github.com/w3c/vc-data-model/pull/1100.

Manu Sporny: this has to do with the Miami resolution.
… These PRs should be considered together.

Michael Jones: Kevin’s PR talks about unrelated issues that are controversial, including testing requirements which the Miami resolution did not.

Orie Steele: +1 selfissued, but those teeth are desirable to some, and objectionable (formally) to others…

Michael Jones: unless Kevin removes that PR it should not be merged.

Brent Zundel: I expect this to be the special topic call next week.
… In the meantime, there are still 10 PRs that deserve our attention.
… Thanks Joe for scribing.

4. Resolutions