Verifiable Credentials Working Group Telco — Minutes

Date: 2023-06-28

Attendees

Present: Hiroyuki Sano, Phillip Long, Shigeya Suzuki, Michael Prorock, Ivan Herman, Sebastian Elfors, Chris Abernethy, Andres Uribe, Michael Jones, Ted Thibodeau Jr., Oliver Terbu, Manu Sporny, Brent Zundel, Orie Steele, Dave Longley, Greg Bernstein, Will Abramson, Kevin Griffin, Joe Andrieu, Kevin Dean, Dmitri Zagidulin, Mircea Nistor, Gabe Cohen, Paul Dietrich, David Chadwick, Bruno Vavala, Shawn Butterfield

Regrets:

Guests:

Chair: Brent Zundel

Scribe(s): Phillip Long

Brent Zundel: agenda today is straightforward - intros, work item status update, and shout out to PRs to pay attention to, bulk of meeting on issues.
… additions to the agenda or changes.
… go to CR v2 at end of Sept. Only 10 wks before TPAC. Have only 10 meetings to wrap everything up for the data model, and as much as possible for other work items.

Manu Sporny: notes there are 18 meetings if we skip July 5th.

Manu Sporny: FULL ON PANICING IS OK RIGHT NOW! :P.

Brent Zundel: sharing anxiety and recommends we move expeditiously ;).

1. Work Item status updates/PRs.

Brent Zundel: manu recognized.

Manu Sporny: for VCDM, have discussed through 149, base context getting normative. Orie requesting we might change markers during candidate recommenations. Not controversial. Placeholders URLs must get replaced.

Orie Steele: Vocabulary URLs for terms might change.

Orie Steele: see https://github.com/w3c/vc-data-model/pull/1159.

Orie Steele: GitHub URLs need to be changed, and term defs with issue markers for vocab PR may need changing.

Manu Sporny: other PRs are largely fine but there are a lot of them. Need review within the next 5 days.
… other PRs that aren’t worth mentioning - but do look at them.

Orie Steele: +1 manu, people should review PRs.

Brent Zundel: shout outs for VC-JWT etc. ?
… haven’t heard back from horizontal review groups yet but if any editors want to give attention to a PR or two?

Michael Prorock: +1.

Orie Steele: +1 to defining what a processor will do if normative hashes do not match.

Manu Sporny: Jeffrey Yasskin wanted an issue marker added to #1158 wanted an error message if something doesn’t match but Manu needs the text for that, once done #1158 will be merged.

Brent Zundel: any other PR issues?
… Next topic issue discussions.

2. Issue Discussion.

Brent Zundel: are things that need work now, things than can be done post-CR, or closed?

Brent Zundel: https://github.com/w3c/vc-data-model/issues?q=is%3Aissue+is%3Aopen+-label%3Abefore-CR+-label%3A%22pending+close%22+sort%3Aupdated-asc.

Brent Zundel: gives URL of issues to be covered today.

2.1. Media types other than vc+ld+json (issue vc-data-model#1048)

See github issue vc-data-model#1048.

Brent Zundel: starting with issue #1048.

Manu Sporny: Pre-CR ready for PR, on his plate and he’ll do it.

2.2. VC Vocabulary v2.0 does not have any term definitions (issue vc-data-model#1117)

See github issue vc-data-model#1117.

Brent Zundel: #1117 next.
… was a glitch with vocab term defs not showing up. Clicking on the link still seems to have the problem.

Orie Steele: I find the tooling for vocabulary, very hard to contribute too, fwiw.

Orie Steele: I wish I could be more helpful for this kind of thing.

Ivan Herman: seems to be a strange ‘feature’ in GitHub. It’s a generated page. Terms are all in the page in GitHub but do not appear via github.io. but Manu might have something to comment. Tooling problem?

Manu Sporny: Pre-CR and needs to be fixed. Assigned to Ivan and Manu.

Brent Zundel: makes the assignement to Ivan and Manu.

2.3. `termsOfUse` is insufficiently specified (issue vc-data-model#1010)

See github issue vc-data-model#1010.

Brent Zundel: #1010 terms of use insufficiently specified. This may be overtaken by events. Currently at re: ToU is the group decided if there aren’t two independent implementations they get moved to the extensions list (reserved terms table).
… already marked at risk. Will be closed in the event that these sections are removed. Is that correct?

Manu Sporny: you’re more or less right as far as I can tell :).

Brent Zundel: marked before CR but not much work until we have to decide. If there is an implementation, great!

2.4. Remove reference to OdrlPolicy2017 (issue vc-data-model#1123)

See github issue vc-data-model#1123.

Brent Zundel: #1123 - A PR open that Brent raised, adds Brent as asignee, and marked before CR.

2.5. Remove reference toCredentialManagerPresentation (issue vc-data-model#1125)

See github issue vc-data-model#1125.

Brent Zundel: #1125 next - Status identical to the last. Part of the same PR #1123 and Brent assigned to it.

2.6. Guidance on `application/ld+json` (issue vc-data-model#1040)

See github issue vc-data-model#1040.

Brent Zundel: #1040 next - Guidance on applications on application/ld+json.

Manu Sporny: will do this one, dup of another.

2.7. Why does the Data Model context file define a DataIntegrityProof RDF class? (issue vc-data-model#1089)

See github issue vc-data-model#1089.

Brent Zundel: #1089 - why does context define a DataIntegrityProof RDF class?

Orie Steele: see https://github.com/w3c/vc-data-model/pull/1149.

Orie Steele: can’t be closed because we need to define additional terms in VC context. Another open PR#1149, similar set of issues. What are we making normative with hashed approach is similar.

Brent Zundel: Before CR label most appropriate and so labelled.
… Mike Prorock assigned to it.

2.8. `proof` in `@context` and the use of `@container` (issue vc-data-model#881)

See github issue vc-data-model#881.

Brent Zundel: #881 raised and assigned to Orie.

Orie Steele: Similar comment to normative context. Impact is on the shape of the graphs. Related to what happens if the hash doesn’t match?
… This property impacts how the resolution of the graph works. Resolving normative context PR should solve this.
… This #881 - comes from certain JSON-LD key words which are normative. Different n-quads produced when normalized depending on what key words are in the context file. These will produce different n-quads and force failure of signatures.

Ivan Herman: don’t understand the clarification.
… Only problem seen is if you want nice graphs you can’t do it because Neo4j is prepared for it. Proof has always been something that produced a graph.

Manu Sporny: It’s not clear what problem you’re highlighting, Orie.

Orie Steele: Neo4j is not the problem - the problem is the context being normative. If you process data with different contexts which you could do before but normative changes will prevent this.

Ivan Herman: still don’t understand this. Know what proofs do and how sigs work. Proof is always a property of the graph.

Manu Sporny: doesn’t see the problem either. Perhaps the issuer signs something and the verifier uses a different context the sig will not verify. That’s a security feature.

Dave Longley: it’s normative in the spec already in https://w3c.github.io/vc-data-model/#syntactic-sugar.

Orie Steele: Seems like this is perceived as a problem but it’s the way digital signatures work. That’s always been the design problem but it’s not clear what that security issue, if signed bytes change the security will fail.

Manu Sporny: Huh, ok? I still don’t understand the problem… but I’m hearing we can close this once we merge the normative context thing.

Orie Steele: This issue can be closed when the pull request for normative nature of the context terms is merged.

Dave Longley: btw, proof and verifiableCredential as graphs was already normative via the above link (even before making the context normative).

Orie Steele: You cannot assume you know what bytes will be signed unless the context value is normative, and issuers and verifiers use the same structure.

2.9. Should we bundle contexts for credentialSchema and credentialStatus int he v2 core context? (issue vc-data-model#1134)

See github issue vc-data-model#1134.

Brent Zundel: #1134 - orie?

Orie Steele: have already merged pull request to merge RDF classes to credentialStatus but have had other complaints with other values added.
… might leave this open if we want to bundle term defs with VC Data.

Manu Sporny: should bundle this. This will make developer lives easier.

Brent Zundel: looks like this is before CR.

Dave Longley: +1 to bundle things we agree make sense for developers to use.

Orie Steele: volunteers Gabe ;-).

Gabe Cohen: will be take it on.

2.10. Add VC-JWT diagrams to core specification (issue vc-data-model#1135)

See github issue vc-data-model#1135.

Brent Zundel: #1135 - Add VC JWT diagrams to core specification.

Manu Sporny: yes, this can be a post-CR thing.

Michael Prorock: +1 post cr.

Brent Zundel: as diagrams are non-normative this is a post-CR.

Orie Steele: related to date integrity proofs in the core context and need to be understood by implementers. The pictures are one of the most important information we offer.

Shigeya Suzuki: Is it possible to add “diagram” tag for any issues requests diagrams?

Manu Sporny: +1 for diagrams visualizing both securing mechanisms.

Orie Steele: prefer to see the diagrams upgraded include proof specs that define securing mechanisms.

Manu Sporny: (PRs welcome) :).

Brent Zundel: #1029.

Orie Steele: anyone working on JWT want diagrams to show up in the core data model? open a PR.

Brent Zundel: PRs are welcomed! (Manu encouraged that).

Orie Steele: You can always put your text in an issue, and ask an editor to do the PR for it.

Brent Zundel: if anyone has a problem raising a PR ask for help of Brent or anyone to learn how.

Michael Jones: reinforced Orie’s comment about stuff that should be in the securing spec.

Orie Steele: +1 selfissued.

Manu Sporny: -1 to not talking about securing in the core spec.

Dave Longley: of course, philosophies around external vs. internal securing mechanisms are at odds there – we should remember they are different things and that may influence approaches.

2.11. Describe how JSON-LD framing is used with Selective Disclosure (issue vc-data-model#1029)

See github issue vc-data-model#1029.

Brent Zundel: #1029 - Orie?

Orie Steele: Get mailing list comments into the minutes: https://lists.w3.org/Archives/Public/public-credentials/2023Jun/0165.html. Request for support for data integrity selective disclosure that heavily uses JSON-LD framing.
… We could consider some of what is happening in that docs. Seems like it might be related to competitive framing with ISO mDOc.

Manu Sporny: this isn’t core data model work, and not needed in the core spec. If we need to we can point people to the W3C JSON-LD framing.

Brent Zundel: what is the disposition of this issue?

Manu Sporny: can move it to data integrity.

Orie Steele: Here is the the announcement regarding framing https://lists.w3.org/Archives/Public/public-credentials/2023Jun/0164.html.

Ivan Herman: probably post-CR.

Manu Sporny: no. the algorithms Orie is talking about need to be in pre-CR.

Orie Steele: WG may adopt EDDCSA-SD so it should be in the core data model repo?
… EDDSA-SD currently only works on VCs not other JSON-LD objects. If this is what is intended it should stay in core data model.

Brent Zundel: leave as pre-PR.
… leave as pre-CR.

Orie Steele: This the part of ecdsa-sd that only works for W3C JSON-LD VCs. https://github.com/digitalbazaar/ecdsa-sd-2023-cryptosuite/blob/62c76663f81cb6f836efd5f28109ae3ede113e5d/lib/disclose.js#L141.

2.12. Clarify credentialStatus (issue vc-data-model#991)

See github issue vc-data-model#991.

Brent Zundel: #991.
… how do we triage this one?

David Chadwick: depends is how much left in the core DM. Wants to change the terminology to “certificate verifiable credential”. Certificate can be revoked or the VC can be revoked and status list should be able to distinguish between the two.

Orie Steele: It is relevant to the previous issue, and competitive positioning vs mDoc.

Brent Zundel: sounds like it’s VC Status List work item.

David Chadwick: this is generic, not depending on the revocation status per se.

Joe Andrieu: issue is related to the core. Appreciates certificate suggestion. Status should just be about the VC. If about cert, should use ghe claim status of the cert.

David Chadwick: If we work remotely, then we have only VCs, Certs are only relevant f2f. Therefore if in the remote situation you only have the VC but the underlying cert can’t be verified.

Brent Zundel: Proposes this issue be before CR and allow it to continue within the issue.

Joe Andrieu: fine with proposal - Re: David’s ideas. Cert status? Either a mechanism to check it is there or not. If it exists you can put it in the claim.

Brent Zundel: encourages conversation to continue in the issue.
… to DavidC’s question proposed text should be put in the issue.

2.13. Respec VC plugin is breaking the build (issue vc-data-model#1145)

See github issue vc-data-model#1145.

Orie Steele: I think we fixed.

Orie Steele: close it.

Brent Zundel: #1145 -.

Manu Sporny: can be marked pending closed.

Brent Zundel: Orie just closed it. Done!

2.14. Check status privacy (issue vc-data-model#1148)

See github issue vc-data-model#1148.

Brent Zundel: #1148 Check status privacy.
… person raising it is not a member of the working group. That’s great. Perhaps someone here has an idea of the issue?

Orie Steele: +1 dlongley.

dlongely: issue is in the text in the diagram to change it to may preserve privacy. An editorial change.

Andres Uribe: I can take it.

Orie Steele: Suggest changing the text to “might not preserve privacy”.

Brent Zundel: andres agrees to take #1148.

2.15. Protected term errors when supporting v1 and v2 (issue vc-data-model#1150)

See github issue vc-data-model#1150.

Brent Zundel: # 1150 Orie raised this a few weeks ago. Needs someone assigned and a label.

Orie Steele: If you make v2 presentation and use a v1 you get an error.
… need to address in the normative context.

Phillip Long: dlongley - should be addressed in the context - it’s one line change to be made to the v2 context.

Brent Zundel: assigned to dllongley.
… it’s a wrap.
… all of the issues that we have left we have 69 opene issues.

Orie Steele: correction on scribes part if you make a v2 presentation and us a v1 context you’ll get an error.

Brent Zundel: pending close issues be aware!