Verifiable Credentials Working Group Telco — Minutes

Date: 2023-06-07

See also the Agenda and the IRC Log

Attendees

Present: Brent Zundel, Chris Abernethy, Andres Uribe, Orie Steele, Dave Longley, Joe Andrieu, David Chadwick, Shigeya Suzuki, Phil Feairheller, Dmitri Zagidulin, Ted Thibodeau Jr., Kristina Yasuda

Regrets:

Guests:

Chair: Brent Zundel

Scribe(s): Phil Feairheller

Content:


Brent Zundel: Agenda today: Work item status updates, PRs, Triage issues.
… Categorize items as before or after CR or closed.

1. Work Item status updates/PRs.

Brent Zundel: https://github.com/w3c/vc-data-model/pulls?q=is%3Apr+is%3Aopen+label%3Adiscuss.

Brent Zundel: Question for the group, do we feel that consensus is possible here?
… on issues 1100 and 1101.

1.1. Media types other than vc+ld+json (pr vc-data-model#1100)

See github pull request vc-data-model#1100.

Dave Longley: We are missing key players to discuss today. Probably should not discuss today.

Orie Steele: +1 people are not here.

Brent Zundel: Agreed we are missing key players, moving on.
… beginning the HR process. Preparing documents to engage other groups.

Ted Thibodeau Jr.: I don’t know why those key players are absent today, but I might suggest including mention of these PRs in the next agenda, so there’s advance warning that they will be discussed (and so encouraging those folks to prioritize attendance)?

1.2. JWT PRs.

Orie Steele: There are 2 new PRs on VC-JWT, 103 and 104.

See github pull request vc-jwt#103.

See github pull request vc-jwt#104.

Orie Steele: There are 2 new PRs on VC-JWT, 103 and 104.

See github pull request vc-data-model#1144.

Orie Steele: PRs up in the core data model 1144.

Phillip Long: pdl-ASU has joined #vcwg.

Joe Andrieu: Added a comment to 103. Would it be useful to reuse the pattern for VCs. A base media type plus securing?
… both securing mechanisms will need a payload with a common basis.

Dmitri Zagidulin: +1 Joe, I was wondering about that as well.

Orie Steele: correct, that is what it is doing.

Dave Longley: agrees it is following the same pattern.

Orie Steele: talking about confidence method in registry.

Dave Longley: +1 to adding confidence method to the reserved terms table + v2 context, sounds good.

Brent Zundel: 9 open PRs, please review and look thru them.
… moving on to final topic, issues.

Ted Thibodeau Jr.: suggest that we call out specific issues and PRs in agenda ahead of time.

Orie Steele: There are also several open PRs here: https://github.com/w3c/vc-status-list-2021/pulls which can be discussed.

2. Issue Triage.

Brent Zundel: https://github.com/w3c/vc-data-model/issues?q=is%3Aissue+is%3Aopen+sort%3Aupdated-asc.

2.1. Support for SD-JWT (issue vc-data-model#1019)

See github issue vc-data-model#1019.

Brent Zundel: Discuss issue 1019.

Joe Andrieu: Thinks it would be hard to discuss this without Kristina’s input.

Orie Steele: +1 to closing the issue, it’s being resolved elsewhere.

David Chadwick: Has this been superseded by Oliver’s email requesting this has been moved to a work item with some positive replies on the working group.

Brent Zundel: talking into mute.

Andres Uribe: +1 to close as well.

Brent Zundel: agreement that this needs to be done but not here. So should be pending close as its being done elsewhere.

David Chadwick: I’m happy with it being pending closed.

Phillip Long: +1 to mark it pending closed.

Joe Andrieu: +1 to close.

Orie Steele: +1 David.

Brent Zundel: Marking issue as pending closed.

2.2. Describe SD-JWT as an alternative for selective disclosure (issue vc-data-model#908)

See github issue vc-data-model#908.

David Chadwick: Please add a reference to Oliver’s proposed work item.

Brent Zundel: Issue raised by Sebastian, current assigned to Kristina. Is this work that should be done before we go into CR?

Orie Steele: Suggest this issue be closed, that work is happening in other working groups.

Joe Andrieu: since the W3C isn’t doing this work, we should move this into the directory of related work and mark pending close.

Brent Zundel: Going to mark issue pending close.

Joe Andrieu: Someone has to move it, right. Have to capture that task.

Orie Steele: nobody needs to add it though… people can list their work there… if they want to.

Joe Andrieu: agreed, Orie. Just seemed like the right resolution of the issue.

2.3. Indicating Encrypted VCs in VPs (issue vc-data-model#938)

See github issue vc-data-model#938.

Brent Zundel: Issue 938 raised by and assigned to DavidC.

David Chadwick: what are people wanting here?
… what i want is some way to indicate to the recipient that the VCs are actually encrypted and maybe how.
… helpful hint.

Orie Steele: encryption is out of scope for this working group.

Orie Steele: or has been… to date.

Joe Andrieu: there are many different ways to do this. That makes it a claim design issue. Either claim by claim or entire VC.

Andres Uribe: Also having the entire VP encrypted.

David Chadwick: This is for the entire VC being encrypted.
… talking about app to app encryption. We should define one recognized best way to do this.

Orie Steele: In JWTs, you check the header for that information.

Brent Zundel: sounds like interest in pursuing this. May require some normative guidance. Mark this as before CR.

Joe Andrieu: Want to suggest quick fix. What if we add a pattern that has a “encryptedCredential” property and define that in the context.
… But that’s not a valid VC, never mind.

Orie Steele: suggest not doing anything with this… we don’t need to add more JSON-LD terms.

David Chadwick: any VC in your wallet may be encrypted. When you send it to the verifier that it is encrypted and be able to present in the Presentation.

Joe Andrieu: +1 to that approach.

Orie Steele: encrypting a presentation is different than encrypting a credential.

Dave Longley: Add a property that indicates an encrypted VC referencing JWE. Expected payload would be JWEs.
… Add a PR to add that property.

Brent Zundel: Mark as before CR and move on.

David Chadwick: asking to talk about 1102 which is now marked pending close.

2.4. Single Extension Point (issue vc-data-model#1102)

See github issue vc-data-model#1102.

Brent Zundel: now talking about 1102. Was discussed and no one liked the idea so it was marked pending close.

David Chadwick: Each of the extension points only get in if there are implementations but that the definitions could change.
… we already have a class of extension which have impls and have a unique URI.
… if we have the concept of a single extension point and all others have their own URI but be under the single extension point.
… don’t need the outer wrapper.
… if you have vague extensions that don’t fit specific items like “TermsOfUse” you don’t know where to put it.

Orie Steele: David, we’ve made this easy for developers by bundling everything into the JSON-LD context.

David Chadwick: a single point makes it easier for developers to propose future extensions.

Orie Steele: We kinda already do have the concept of a single extension point… its called @context, and nobody understands it, and its values are not normative.

Orie Steele: You just need to learn how to use JSON-LD to write conformant extensions, which is super easy.

Brent Zundel: chair hat off, I would not be in favor of this change. It is not less confusing. Implementers have a small set of extension points that are well define is the better option.
… chair hat on, we have recorded that several members have said they would not be in favor of the change. Likely no consensus.

Joe Andrieu: +1 to all that, would also be opposed. Open ended extension mechanism exists in @context.
… agree with Mike Jones it feels more complicated having them all in one bucket.

David Chadwick: looking for technical reasons and haven’t heard any.
… just that people don’t like it.

Orie Steele: technical reason, we already have an open ended json-ld way to do this, adding another makes our spec even harder for people to understand or use.

Orie Steele: the fact that its not obvious that json-ld solves this, is shocking to me, given our entire data model assumes we are experts at JSON-LD.

Orie Steele: +1 joe.

Joe Andrieu: one of the technical arguments is that this mechanism already exists in @context.

Brent Zundel: it is clear, there is no path to consensus. Question to DavidC: do you plan to formally object is we close the issue?

David Chadwick: No I would not.
… would appreciate more technical arguments.

Dave Longley: If you want some incubation for your idea, create an extension in the @context that is a generic extension.

David Chadwick: Thank you Dave, that is a good idea.

Brent Zundel: Issue 959 back on the table.

2.5. Clarification needed on the ease of deducing that a subject is the holder. (issue vc-data-model#959)

See github issue vc-data-model#959.

Brent Zundel: current assigned to Orie.
… it is marked ready for PR, Orie what is the status?

Orie Steele: Joe pointed out that we already have this in a section in the spec. Willing to compare current section with this issue. Should be current CR work.

Brent Zundel: Adding before CR label to issue.

2.6. Clarifying credential from verifiable credential (issue vc-data-model#1009)

See github issue vc-data-model#1009.

Brent Zundel: moving to issue 1009, assigned to Manu, DavidC and Kristina.
… wonder if this has been overtaken by events. How should we mark before or post CR?

Orie Steele: Suggest closing this, the group has essentially resolved there is no difference.

Orie Steele: There is not spec legal way to distinguish between credential and verifiable credential.

David Chadwick: this needs someone to carefully go through current version and ensure use of credential or verifiable credential are proper and submit editorial change.

Orie Steele: indeed, the base media type explains that you never know.

Joe Andrieu: Appreciate the clarification. Agrees the language in the spec is confusing.

Orie Steele: +1 to what Joe said. Base media type does not talk about securing mechanism.

Brent Zundel: suggests to make this as post CR.

Orie Steele: this may effect normative statements. esp the definition of what a proof is. Must be addressed before CR.

Brent Zundel: adding before CR label.

2.7. ManualRefreshService2018 - what exactly is it? (issue vc-data-model#981)

See github issue vc-data-model#981.

Brent Zundel: moving on to 981, assigned to Manu, marked as ready for PR.

Orie Steele: I tried fixing this, Manu need to fix : /.

Dave Longley: +1 for Manu to fix.

Brent Zundel: will leave it for Manu to fix. Editorial so can add post CR label.
… marking issue as post CR.

2.8. Clarify credentialStatus (issue vc-data-model#991)

See github issue vc-data-model#991.

Brent Zundel: next issue 991, to discuss label. raised by and assigned to DavidC.

Orie Steele: We have a separate work item for credential status. This issue seems overtaken by events with open PRs. Close this PR and go over to that work item.

Orie Steele: I suggest closing this issue.

Brent Zundel: suggestion is to move this item to status list repo.

Orie Steele: and instead reviewing the open PRs on that work item.

Orie Steele: (you don’t).

Joe Andrieu: that is not correct. Does seem to be about a specific status mechanism.

Orie Steele: there are not 2 objects, we spent over month on this.

Dave Longley: +1 just one object.

David Chadwick: There are 2 objects, credential and verifiable credential and now talking about the status is “mixed up” as well.
… one could be valid while the other is invalid and vice versa.

Brent Zundel: +1 just one object.

Joe Andrieu: +1 just one object, but this is the layering problem.

Orie Steele: It seems http range 14 is yet again, disrupting our ability to communicate.

Dave Longley: key revocation at the crypto layer is different than at the credential layer.
… key revocation and credential revocation are different things.

Joe Andrieu: We don’t have separate items in our work. We have just one digital thing.

Orie Steele: joe is correct, and the digital thing, may or may not have any integrity protection.

David Chadwick: Driver’s license is my credential (and I’ve been driving for a long time).

Joe Andrieu: There are three layers here. Different between having driven, the physical license and a digital thing.
… we don’t have good language differentiating these three things.

David Chadwick: Yes it is difficult to talk about.

Dave Longley: there can a validity period on a proof (expressed via internal / external proof securing mechanism), a validity period on the VC, and a validity period expressed in a claim about a license that someone possesses … all different things.
all works with 1 VC object.