Verifiable Credentials Working Group Telco — Minutes

Date: 2023-07-12

See also the Agenda and the IRC Log

Attendees

Present: Ivan Herman, Paul Dietrich, Ted Thibodeau Jr., Andres Uribe, Brent Zundel, Chris Abernethy, Gabe Cohen, Hiroyuki Sano, Will Abramson, Phillip Long, Manu Sporny, Dave Longley, Orie Steele, Oliver Terbu, Kevin Griffin, Joe Andrieu, Steve Cole

Regrets: Kristina Yasuda

Guests:

Chair: Brent Zundel

Scribe(s): Orie Steele, Manu Sporny

Content:

Brent Zundel: Welcome, anyone is welcome to do an introduction.

1. Announcements.

Brent Zundel: there are folks wanting to do demonstrations at TPAC… 10-15 minute presentation.
… if you are attending TPAC, and want to be in that demonstration, please contact the chair.

2. Agenda.

Brent Zundel: Proposals, and a little discussion… any agenda bash?

3. VC-JWT shortname change to vc-jose-cose.

Brent Zundel: there has been discussion of the vc-jwt spec… people seems to like vc-jose-cose.
… seems to adjust the name to better refect the work that has been done.

See github pull request vc-jwt#115.

Brent Zundel: seems pretty straightforward.
… any changes requested?

Manu Sporny: Regarding our charter…
… our charter doesn’t explicitly list COSE as being in scope.
… However, we note, under the Securing Verifiable Credentials (SVC) 1.0 section of the charter, that “The following are a non-exhaustive selection of expected input documents”.
… and the group has decided that defining JOSE and COSE would be useful.
… Therefore, the charter allows for this change to be made.

Brent Zundel: yes, our charter says we are allowed to have various input documents.
… seems cose is in scope, as a possible securing mechanism.
… for the record, our charter lists JWT in scope, it also says something about PGP.

Proposed resolution: change the shortname and repository of VC-JWT to vc-jose-cose. (Brent Zundel)

Brent Zundel: +1.

Orie Steele: +1.

Andres Uribe: +1.

Chris Abernethy: +1.

Ivan Herman: +1.

Manu Sporny: +0.75 (due to concerns around scope creep).

Dave Longley: +1.

Ted Thibodeau Jr.: +1.

Will Abramson: +1.

Gabe Cohen: +0 it’s hard to say.

pauld gs1: +1.

Resolution #1: change the shortname and repository of VC-JWT to vc-jose-cose.

Ivan Herman: yeah so… on the practicalities. I had discussed this with the web master.
… there is an issue comment: https://github.com/w3c/vc-jwt/pull/115#issuecomment-1620408736.
… it describes what has to be done… in terms of changing the repo name / TR… etc… its a bit complicated.
… who will do the work?
… I am not sure who is really driving this document.
… I don’t know who my partner will be.

Orie Steele: I’m happy to make the necessary changes, Ivan. Let me know what changes need to be made.

Ivan Herman: thanks orie, please go through the list on the issue comment, sometime next week.

4. Work Item status updates/PRs.

Brent Zundel: any PRs that need attention?

Manu Sporny: the media types other than vc+ld+json… that PR is marked pending close.
… 1101 add guidance of representations is slated to be closed, after a new PR is raised by Mike Jones.

4.1. Add graph node identifiers for registered claims (pr vc-data-model#1149)

See github pull request vc-data-model#1149.

Manu Sporny: 1142 we are still waiting for someone to pick up confidenceMethod.
… there has been discussion on this PR.
… I have the same concerns I have had for a while.
… I plan to respond to Orie some time later.
… I am expecting reviews from Ted, Dave and Ivan.
… I think we need more people to review that PR.

4.2. misc PRs.

Manu Sporny: 1172 is also semi stuck.
… its been suggested to simplify the PR.
… all the other PRs, are on an ok path for vcdm.

Brent Zundel: any updates on vc-data-integrity, ecdsa, eddsa.

4.3. Update controller document reference (pr vc-data-integrity#99)

See github pull request vc-data-integrity#99.

mnau: there is a stuck PR, 99…

Manu Sporny: need to discuss PR 99 probably.
… we are adding new editors to the specs.
… waiting on invited expert status for those editors.

Ivan Herman: the invitation has been received, but he needs to review documents before possibly signing.

4.4. misc PRs (cont).

Ivan Herman: eddsa and ecdsa there are 3 PRs open.
… one moves the normative definition for multikey to data integrity.
… vc status list 2021… 5 PRs open.

4.5. chore: update title and urls to contexts (pr vc-status-list-2021#69)

See github pull request vc-status-list-2021#69.

Manu Sporny: there are big changes being suggested.
… change name, change URLs, remove versioning, etc…
… probably needs the wg to decide.
… one concern is that when we added multiple status to status list, that it will be a breaking change.
… we would need to bump the version to avoid breaking change.
… we are discussing what the normative vocab url should be.
… the other updates is to vc-specs dir.

4.6. Spec dir PRs.

Manu Sporny: https://github.com/w3c/vc-specs-dir/pulls.

Manu Sporny: there is 1 PR open for that…
… there is an argument to list all the media types associated with “VC ecosystem”.
… there is a request to listing all the media types, and some concern on not listing “any media types”.
… this could be a good topic for a longer discussion.
… will we have a discussion on related media types, transformations, etc..
… it seems like there is a transform in the spec today.
… that media type, could be listed in the spec directory.

Orie Steele: There is an open PR to remove that transformation and associated media type. There is only one person objecting to that PR, so I expect Chairs will make a consensus decision on it, based on reviews, it’ll be removed. What that will mean is that there aren’t any media types that require a transformation that the WG is working on.

Phillip Long: What is that PR# for removing media types?

Dave Longley: PL-ASU: I believe this one: https://github.com/w3c/vc-jwt/pull/88.

Orie Steele: The interesting thing about media types directory is if it will contain references to things that WG is not working on -> vc+acdc, vc+gordian – might be confusing if some are official work items and some of them are not, agree that it should have a longer discussion.

Joe Andrieu: the whole point of the directory of related resources… was to allow work outside of the group to be listed.

Brent Zundel: anything before we move to issues?

5. Issue Discussion.

Brent Zundel: See List of relevant issues.

Brent Zundel: all the issues that need to be triaged, ordered by LRU.
… our goal is to label all issues.
… we need a label and assignment, or to close.

5.1. Horizontal reviews.

Brent Zundel: in general horizontal review.

Orie Steele: I think Kyle had pointed out that PING horizontal review had not started yet for VC-JWT, he was doing review for VCDM, did we fail to register the PING horizontal review for VC-JWT directly? Is PING supposed to do VCDM and VC-JWT at same time?

Brent Zundel: I thought the chairs had send all these things off at the same time… we need to make sure PING horizontal review happens.

Manu Sporny: VCDM request to PING is here: https://github.com/w3cping/privacy-request/issues/121.

Brent Zundel: I don’t see vc-jwt here.

Manu Sporny: VC-JST request to PING is here: https://github.com/w3c/vc-jwt/issues/93.

Manu Sporny: seems TAG was submitted but not PING.

Ivan Herman: we are creating difficulty for the reviewers… by having so many parallel work items.
… horizontal reviewers might not realize these are related rec track documents.
… this could cause things to be blocked.
… can the chairs bundle the requests?
… can we get them all reviewed at once?

Brent Zundel: I can ask them how they want us to handle it’.
… Orie, please initiate the ping review for vc-jose-cose.

Manu Sporny: +1 to Horizontal Reviews as “before CR”.

Brent Zundel: seems these reviews are needed before CR.
… oliver I want to assign you to the issue regarding accessibility.
… oliver I want to assign you the security questionnaire.
… internationalization is already assigned.

Oliver Terbu: I created these a while ago….

Brent Zundel: if they have questions, they will ask you.

Manu Sporny: for folks assigned, you might watch their issue tracker closely… we will need to address their issues.
… and keep addressing issues as they are raised…. not a passive role.
… need issues raised to be addressed as they are raised.

5.2. Missing security considerations on MITM, cloning etc. (issue vc-data-model#1138)

See github issue vc-data-model#1138.

Brent Zundel: missing security considerations… seems post CR.

Manu Sporny: +1 to after CR.

Brent Zundel: who will be assigned?

Gabe Cohen: I can take it.

5.3. Change credentialSubject to subject (issue vc-data-model#1128)

See github issue vc-data-model#1128.

Brent Zundel: change credentialSubject to subject.
… change credential subject to subject.

Manu Sporny: strong -1 to this, there is no need to break things… we have URLs locked in.
… its what we have used for a long time.
… its pre CR, but I propose we close it.

Phillip Long: +1 to closing this one.

Dave Longley: +1 to close and not spend time on it.

Gabe Cohen: the term has caused a lot of confusion, I am not swayed by breaking changes before CR.
… I think we should consider it.

Manu Sporny: people have been using the term for years.
… v2 would be different from v1.

Gabe Cohen: we have “broken” expirationDate.

Manu Sporny: the suggestion that change the name will fix confusion is unfounded.
… people will be confused regardless, I don’t find the argument compelling.

Phillip Long: Also this is terminology was used (CredentialSubject) is used in the 1Edtech VC compatible standards for OBv3 and CLRv2.

Manu Sporny: seems not worth it to fix it.

Orie Steele: We made several breaking changes between v1 and v2, in v1 issuanceDate -> validFrom – that’s fundamental to the security property, all of the claims are already being adjusted by a breaking change, regarding time, most important time of all cryptography. Not swayed by argument that we shouldn’t break backwards compatibility.
… We use holder, but we use credential subject, I disagree, I think people will find it more intuitive than what we have.

Brent Zundel: I have made my opinions clear, I have no desire to have this conversation again.
… charter says we can make breaking changes.
… I have made my opinions clear in the issue – I have no desire to have this conversation again. I will note that our charter allows us to come to consensus aruond breaking changes. My only response to Manu is “people expressing confusion around credentialSubject”, they say “why didn’t you name it subject” – anecdotal, having been repeated numerous times, havinv said that, happy to close this issue w/ no action.
… if people are saying they are confused… they say.. why didn’t you name it “subject”… anecdotal, but I have heard this… before.

Joe Andrieu: I wanted to talk about this.
… feels like we are allowed to make breaking changes with consensus.
… we can’t make a breaking change without consensus.
… this is confusion, not a fundamental security problem.

Dave Longley: similar to what joes said… people have opinions on if a change is worth it… some security changes are worth it…
… changes in other areas, might impact people beyond developers.

Ivan Herman: not taking a side, but fact… In our agreement old URL-s do not disappear, so credentialSubject will become deprecated and subject will come in as a new term (with both in their own URL-s).
… we can’t remove the URL.

Philip Long: both the standards we use for edu, have credentialSubject in their spec.

Brent Zundel: I suggest this be labeled as pending close, rather than before CR.
… I don’t see possibility of consensus here.

5.4. Verification of multiple credential schemas (issue vc-data-model#950)

See github issue vc-data-model#950.

Brent Zundel: multiple schemas.

Orie Steele: I implemented support for this recently, essentially the recommendation that I have is that we treat this property like all the other properties… object or array of object w/ array and type. I already have a working implementation that supports multiple schemas, would object if that is made illegal before CR.

Gabe Cohen: I think we are agreed, you can have multiple, and the processing rules are determined by each schema type.

Manu Sporny: +1 to both, the type property is what tells you what to do.

Brent Zundel: seems its before CR.

Ivan Herman: its normative so it must indeed be before CR.

5.5. Address “Credential” vs “VerifiableCredential” (issue vc-data-model#1126)

See github issue vc-data-model#1126.

Brent Zundel: address credential vs verifiable credential.
… we tried to address this, not sure what is left.

Manu Sporny: this is before CR.
… I can be the backstop on it.
… we have… 702 statements of the word credential “446” for verifiable credential.
… editors will need to address “credential vs verifiable credential”.
… there are some issues remaining…
… we need to adjust the language of the spec, but its a lot of work.

Brent Zundel: thanks, I will try to help.

5.6. Create the new role of issuee (issue vc-data-model#942)

See github issue vc-data-model#942.

Brent Zundel: recommends, creation of a new role.
… issuee, assigned to oliver.

Manu Sporny: -1 to a new role.
… every time we try, everyone seems to push back.
… not clear we need a new role, seems more non normative text would help, and this could be post PR.
… we can explain the behavior better in post CR.

Brent Zundel: POLL: Should we create a new ‘Issuee’ role?

Manu Sporny: -1 to new issuee role.

Oliver Terbu: -1.

Brent Zundel: -1.

Joe Andrieu: -1.

Ivan Herman: 0.

Dave Longley: -1.

Phillip Long: -1.

Orie Steele: -1 to new issuee role.

Ted Thibodeau Jr.: 0.

Gabe Cohen: -1, but think we should clarify “holder”.

Kevin Griffin: 0.

Brent Zundel: seems we should do this post CR, with editorial changes.

Manu Sporny: correct.

Brent Zundel: 13 open issues not triaged remain.
… we need to keep making progress.
… if you want to demo during TPAC, contact the chairs.

6. Resolutions