Verifiable Credentials Working Group Weekly Telco — Minutes

Date: 2023-06-21

See also the Agenda and the IRC Log

Attendees

Present: Brent Zundel, Phil Feairheller, Ted Thibodeau Jr., Joe Andrieu, Chris Abernethy, Andres Uribe, Shigeya Suzuki, Kristina Yasuda, Manu Sporny, Kevin Griffin, Greg Berstein, Gabe Cohen, pl asu, Dmitri Zagidulin, David Lehn

Regrets: Orie Steele, Michael Prorock, Michael Jones

Guests:

Chair: Kristina Yasuda

Scribe(s): Andres Uribe

Content:

Kristina Yasuda: our agenda today has multiple updates. Hopefully we can achieve more than last week’s call. Let’s focus a bit more on blocked PRs that are blocked. On 1100, 1101, 1104, PR 88 for vc-jwt.
… Before diving in, please note that TPAC registrations are open.
… Specific WG dates will be confirmed by the chairs.
… Let’s jump into status update PRs. With a focus on the ones that need attention.

1. Pending PRs.

Kristina Yasuda: https://github.com/w3c/vc-data-model/pulls.

Manu Sporny: The VCDM has 10 open PRs. Folks should post attention on 1140, which we’ll discuss today. Subsequent PRs need more people to weigh in.
… Since last week’s resolutions, we’ve made a couple of PRs.
… Another one for a VP being short lived. That’s in good shape.
… About 7 look like they will be ready to go, please review.
… There will be some design changes to the status list PR. Please mind those updates.

Manu Sporny: support for multiple status codes: https://github.com/w3c/vc-status-list-2021/pull/65.

Gabe Cohen: We kicked off horizontal review for vc-json-schema repo. We have 2 PRs open for text related to PII, and a11y and i18n concerns. Please take a look as you can.

Manu Sporny: (that needs attention ‘cause we’re redesigning some of status list).

Kristina Yasuda: That’s it for work item updates. Last call.
… going into 1140.

1.1. add context integrity capabilities to the core data model (pr vc-data-model#1140)

See github pull request vc-data-model#1140.

Brent Zundel: Mike won’t be able to join, but the PR was updated. It’s worth discussing today.

Kristina Yasuda: Ok, let’s time box it.

Manu Sporny: What this PR does is enable us to attach a cryptographic hash to a resource that’s inside a VC.
… This can be applied to an image that’s externally linked, or any resource that is linkable.
… There is broad agreement that it’s a useful feature to have.
… Mike’s proposal has had a number of changes suggested to it. My opinion is that there is a path towards merging it with consensus.
… the discussion’s right now are around naming.
… The sticking point right now is whether we split the hash algorithm from the hash value.
… If we’re able to get that resolved, it’s likely we’re able to merge it in.

Greg Berstein: are we talking about using multi-hash?

Kristina Yasuda: Where’s the comment around which hashing algo?

Dmitri Zagidulin: part of the question is which registry to draw the hashing algo from.

Kristina Yasuda: two things that need to be resolved, apart from bikeshedding terms. Is that accurate?

Manu Sporny: Trouble finding windows. Off the top of my head it’s either 2 or 3.
… I think the biggest (?) is whether we separate.
… There is an SRI spec that allows you to do this in HTML. Web Browsers will not load that file unless the hash matches.
… But the SRI only allows you to use sha-2. Full stop. That’s it.
… Folks are concerned that using SRI directly is too confining.
… Mike suggested to separate and we can use sha-2 and sha-3.
… But that can introduce weird data models.
… The proposal that would likely end up getting consensus is this group says which hash algos are allowed at the front part of the string (similar to what SRI spec does). The rest would be a hash value bas64 url encoded. . But that looks very close to multibase.

Kristina Yasuda: I don’t think Mike would agree with those changes. Let’s take this as a special topic call next week. There are 150 comments. Just like we did with yesterday, let’s identify starting points (like Dmitri’s last comments), so it’s helpful for the next special topic call. Unless there is more, suggestion is to move on.

1.2. remove securing json (pr vc-jwt#88)

See github pull request vc-jwt#88.

Kristina Yasuda: This PR 88 removes anything JSON from the vc-jwt spec. Me and Mike Jones are requesting changes.
… I would approve, but Mike isn’t here.

Manu Sporny: I think the title isn’t representing what the PR is doing, which is confusing.
… What the removal here is doing is the whole mapping thing?
… If you reviewed the PR, please take a look again.
… I’m curious why kristina -1’d it in the past.

Kristina Yasuda: I don’t agree with that interpretation.
… After speaking with Orie and Mike, what’s being removed isn’t the mapping.
… Instead it’s removing how you vanilla JSON payloads.
… The reason I originally -1’d was not because of the direction. It was because there is a certain group of implementers that wants to know how to sign vanilla json payloads.
… I’m OK with the decision to move the home of those implementers to somewhere else.

Manu Sporny: Do we have an example of what this JSON payload looks like?
… Is it the same as a VCDM sans the context field?

Kristina Yasuda: I think the difference isn’t only that.
… In the VCDM v1.1 we define how to map to JWT claims, including “vc” and “vp” claims.
… In the JWT/JSON world, it’s natural to reuse those JWT claims.
… So it’s not only missing context, but also the mapping and interpretation of many of those claims.
… You aren’t relying on the vocabulary only, but also on semantics defined outside.

Brent Zundel: The way I understand this PR is currently the vc-jwt spec describes how to secure vc+ld+json, vp+ld+json, and json.
… The piece that’s being removed is the json piece only.

Kristina Yasuda: that matches my understanding, Brent.

Brent Zundel: So the spec only describes how to secure the first two.

Manu Sporny: ok, I think I understand…

Kevin Griffin: Is there any room to map what’s being removed to another home? Just a thought.
… Is the VC specs dir going to be the home?

Kristina Yasuda: AFAIK there are no plans, but that’s uncertain.

Manu Sporny: Following up on what kevin said. This is related to transformations so it might shed some light on 1100 and 1101.
… Seems like the group won’t say anything related to transformations.
… But the group seems to think it’s important.
… But we can’t come to consensus on what adequately specified means.
… I haven’t heard anyone say that transformations from the VCDM are ok to operate on as long as they aren’t “abused”.
… This PR seems like a side effect of not being able to define transformations in a legitimate way.
… Don’t know if that’s a legitimate read. Curious what others think.

Kevin Griffin: +1 manu.

Kristina Yasuda: I think that’s accurate.

Joe Andrieu: mute dance issues haha. I’m confused by the language that we won’t specify transformations.
… How are we going to test vc+jwt to vc+ld+json if there aren’t testable transformations?

Kristina Yasuda: There will be no mapping to test.

Ted Thibodeau Jr.: I’m still concerned that we are misusing media types with the vc+ld+jwt.

Manu Sporny: agree.

Ted Thibodeau Jr.: That is a JWT, it’s not multipart.

Brent Zundel: Ted has a point, but that is a separate issue from the one we’re discussing.

Kristina Yasuda: I agree. Maybe using media type is not the correct term for this.
… maybe putting this in the header of a JWT is not common.
… But, right now, it’s a pretty established mechanism.
… Yes, it’s the same type that you would be putting in the header as in the HTTP header.

Ted Thibodeau Jr.: It simplifies some things, but it’s a misuse of the tool.

Kristina Yasuda: Agree to disagree.
… I’m going to unblock for now.
… Mike Jones will need to chime in next.

2. issue reviews.

Kristina Yasuda: https://github.com/w3c/vc-data-model/issues?q=is%3Aissue+is%3Aopen+sort%3Aupdated-asc.

Kristina Yasuda: Let’s move to another discussion issue.

2.1. [Terminology] claim (issue vc-data-model#995)

See github issue vc-data-model#995.

Kristina Yasuda: 995 questions the definition of “claim”.
… Do we want to redefine it?
… If no, I’m ok marking pending close and keeping as is.

Manu Sporny: Ok to mark is as pending close.
… Unfortunately, we don’t have the time to take this right now.
… That said, the author is making a really good point.

pl asu: +1 pending close.

Manu Sporny: Some would say the current definitions aren’t harming us that much.

Shigeya Suzuki: https://csrc.nist.gov/glossary/term/credential.

Kristina Yasuda: Any objections?
… Marking.

2.2. Remove normative statements from vocab (issue vc-data-model#1077)

See github issue vc-data-model#1077.

Kristina Yasuda: We don’t have ivan on this call. Do we mark as before CR?

Brent Zundel: +1.

Manu Sporny: Could we mark it as pending close instead? 1080 is already saying that Ivan wants to anchor the things in the vocab to the specification. If we do 1080, then 1077 gets closed.
… Could we mark as duplicate?

Brent Zundel: My understanding is that they are different. One talks about adding statements to the vocab. 1077 mentions what to do with the ones that are already normative.

Manu Sporny: I wonder if Ivan could check if 1080 and 1077 are dupes of one another and they can be closed?

2.3. Verifier Role Confusion (issue vc-data-model#984)

See github issue vc-data-model#984.

Kristina Yasuda: Ok I think this is pending close.
… Any objections?

Manu Sporny: +1 to pending close.

2.4. Define “prover” in addition to “holder”. (issue vc-data-model#902)

See github issue vc-data-model#902.

Kristina Yasuda: Orie says we can close. I’m putting pending close.

2.5. “bound”/”binding” terminology is a significantly stronger relationship than is actually present between VCs and their Subjects or Holders (issue vc-data-model#821)

See github issue vc-data-model#821.

Brent Zundel: The data model only uses the word binding within token binding. So I don’t think this currently calls for any action to be taken.

Kristina Yasuda: I think this was originally raised related to the zkp section.

Ted Thibodeau Jr.: Yes I think we can mark this as pending close. My concern is with the use of the term holderBinding.

2.6. Create the new role of issuee (issue vc-data-model#942)

See github issue vc-data-model#942.

Manu Sporny: Agree that we won’t get to consensus on this.

Kristina Yasuda: I don’t think there is consensus in the WG to introduce a new term “issuee”.
… Can we mark as pending close?
… We assigned Oliver. Don’t think an action has been taken.
. … Where are we with regex for XML datetime?

Manu Sporny: I will do it. At some point. But I will.
… Before CR.

2.7. Make verifiable-credential.id & verifiable-presentation.id REQUIRED. (issue vc-data-model#1031)

See github issue vc-data-model#1031.

Kristina Yasuda: Last one of this call.
… Orie is assigned. Why is id optional?

Kristina Yasuda: asked why it is optional rn.

Manu Sporny: Because you can have objects that you have no idea what their id is.
… There are many example of statement where the object doesn’t have a known id.
… There are even credential subjects where you don’t want to give it an id.
… We’re not going to get consensus here. There are significant privacy issues if you do make it mandatory.

Kristina Yasuda: Marking as pending close.
… Thanks for joining. Please review PR issues. Thanks all.