Verifiable Credentials Working Group Telco — Minutes

Date: 2023-08-09

See also the Agenda and the IRC Log

Attendees

Present: Ivan Herman, Brent Zundel, Ted Thibodeau Jr., Hiroyuki Sano, Greg Bernstein, Benjamin Young, Orie Steele, Sebastian Crane, Phillip Long, Kristina Yasuda, Dave Longley, Andres Uribe, Dmitri Zagidulin, Paul Dietrich, Michael Jones, Manu Sporny, Chris Abernethy, Kevin Griffin, Joe Andrieu, Gabe Cohen, Kaliya Young, Oliver Terbu, David Chadwick

Regrets:

Guests:

Chair: Brent Zundel, Kristina Yasuda

Scribe(s): Greg Bernstein

Content:

• 1. updates on test suites.
• 2. PRs.
  • 2.1. Add “author” and “party” to terminology, rewrite “claim” terminology (pr vc-data-model#1172)
  • 2.2. Add validation section regarding holder (pr vc-data-model#1199)
  • 2.3. Add section on JSON Processing. (pr vc-data-model#1202)
  • 2.4. Clarify that some abstract concepts are not realized in implementations (pr vc-data-model#1211)
  • 2.5. Refer to VC-SPECS-DIR for proof types. (pr vc-data-model#1212)
  • 2.6. (pr vc-data-model#1215)
  • 2.7. Add cnf registered claim to v2 context (pr vc-data-model#1219)
• 3. Misc.

Kristina Yasuda: let’s start rolling…
… for today – PRs, new issues, status updates.

Ted Thibodeau Jr.: issue with the links for discussion.

1. updates on test suites.

Brent Zundel: conformance testing – a number of test suites developed in CCG, create repo for these in WG.
… Test suites – VC schemas, and status lists. Recommends reviewing if you couldn’t attend.

Brent Zundel: Link to special topic call minutes: https://www.w3.org/2017/vc/WG/Meetings/Minutes/2023-08-08-vcwg-special.

2. PRs.

Kristina Yasuda: https://github.com/w3c/vc-data-model/pulls?q=is%3Aopen+is%3Apr+-label%3A%22pending+close%22+-label%3Adiscuss+sort%3Aupdated-asc.

2.1. Add “author” and “party” to terminology, rewrite “claim” terminology (pr vc-data-model#1172)

See github pull request vc-data-model#1172.

Manu Sporny: VC data model PRs – #1172 unclear where we are on this PR, Orie change suggestions, TallTed too. Getting to close soon?

Orie Steele: Don’t know if it will get to a PR that is better than current text. It’s Rieks that is managing this PR.

Orie Steele: +1 JoeAndrieu, I agree with your comment.

Joe Andrieu: Issue on terminology…

Ted Thibodeau Jr.: not sure where “entity” has been defined (in RDF)…

2.2. Add validation section regarding holder (pr vc-data-model#1199)

See github pull request vc-data-model#1199.

Manu Sporny: PR 1199, about validation section on “holder”, waiting on JoeAndrieu feedback.

Joe Andrieu: not sure where I’m at, “validation” versus “verification”, no new comments from 3 weeks ago.

Orie Steele: Agree “validation/verification”, can file an issue, Joe agrees.

2.3. Add section on JSON Processing. (pr vc-data-model#1202)

See github pull request vc-data-model#1202.

Manu Sporny: PR 1202, everyone who needs to reviewed has reviewed, need JSON/JSON-LD processing section, conflicts needs to be resolved, plan to merge tomorrow.

2.4. Clarify that some abstract concepts are not realized in implementations (pr vc-data-model#1211)

See github pull request vc-data-model#1211.

Manu Sporny: PR 1211 “abstract concepts” trying to get agreement with Orie and David Chadwick. Media types…

Orie Steele: “testable difference” between the two concepts… Feeling mushy.
… media type distinguishable, RDF, english sentence, securing mechanism, duration of proof vs information.
… not sure how to fix.

Manu Sporny: Will propose concrete text. One is secure, one is not, or ability to be secured; Can door be locked, does it have a door…
… Three interpretations floating around and they don’t line up. Depending on the securing mechanism may has “proof” on it. JWT and SD-JWT don’t have proof on them.
… okay to have prose that says VC must be secured. We can test it… Concrete suggestion/testable. Can Ted/Orie/DavidC agree?

Orie Steele: I’m not sure its testable, but I hope it can be made testable.

Orie Steele: perhaps it will become more obvious with better text.

Manu Sporny: its absolutely testable. Run a verification algorithm. Know which algorithm to run.

Andres Uribe: You can run algorithms on anything, which is why that test is problematic IMHO.

Sebastian Crane: Analogy – Safe is secure, sledge hammer breaks safe, transfer to VC world, if alg is later insecure it still was a VC.

Michael Jones: agree with Manu. If crypto signed verifiable if not no. That is it.

Manu Sporny: yes, +1000 selfissued !

Joe Andrieu: +1 to that language.

Manu Sporny: plus 1000 to Mike Jones.

Phillip Long: +1 to selfissued.

Greg Bernstein: +1.

Dave Longley: +1 if this doesn’t trigger a bunch of other changes, i’m happy with that solution.

Kristina Yasuda: why can’t we clarify it’s “cryptographicaly verifiable” credential.

Manu Sporny: that might work as well, kristina.

Dave Longley: maybe we can add “cryptographically” before “verifiable credential” to solve this like kristina said.

Manu Sporny: depends on how far down the rabbit hole we want to go.

TalTed: if it remains that loose, I can live with it. If the crypto needs to be at a certain level that is different.

Orie Steele: agree, the abstract concept of “proof”, versus the terminology “proof” in our defs.
… in summary keeping it higher level and not using word proof…

Michael Jones: agree, keep it simple, omit use of word proof.

Sebastian Crane: +1 JoeAndrieu (IRC).

Joe Andrieu: on vetting securing mechanisms, that is us (W3C).

Ted Thibodeau Jr.: -1 we’re not sufficiently crypto expert to perform this vetting, especially not for the indeterminate futurr.

Brent Zundel: we are absolutely not qualified to vet all possible VC securing mechanisms.

Orie Steele: in my experience we are not careful enough to not confuse “abstract proof” with “data integrity proof”.

Orie Steele: and this issue is a result of that.

Manu Sporny: on same path until we had to remove the word proof, concern that we need to replace every use of the word proof…

Dave Longley: Orie: i’m actually not sure if the outcome of this discussion changes anything practical.

Brent Zundel: we were on the right path until the suggestion was made that the VCWG needs to bless every possible securing mechanism.

Manu Sporny: we have been very careful on the use of the language and the word “proof”.

Orie Steele: dlongley I am in the same boat… that is why its so concerning.

Michael Jones: +1.

Dave Longley: Orie: I’m actually not concerned for that reason :).

Orie Steele: It’s ok for me to be.

Sebastian Crane: agree with Manu’s direction. This WG is qualified to say something about cryptography…

Orie Steele: “in the rough” on the proof language…

Kristina Yasuda: we have a section titled “Proofs (signature)” so I think we can safely add clarification that “VC is cryptographically verifiable/secured” without affecting proof terms.

Ted Thibodeau Jr.: Sebastian this WG has an end date. Cannot make any guarantees on on going crypto…

Kristina Yasuda: this sentence is why no need to change anything ‘proof’ while adding ‘cryptographically verifiable’: “The cryptographic mechanism used to prove that the information in a verifiable credential or verifiable presentation was not tampered with is called a proof. “.

Manu Sporny: Yes, to some variation of what Kristina said above ^.

Orie Steele: most of my comments regarding use of the “word proof” are based on the numerous conversations tallted and I have had on many issues regarding this.

Ted Thibodeau Jr.: on lockable/locked door.

Manu Sporny: … and I feel like we already say that in the spec.

Ted Thibodeau Jr.: key left hanging on the door…

Dmitri Zagidulin: @TallTed - in your analogy, the question is “is it the door with a lock?” and YES, it still is, even if key is hanging outside.

Brent Zundel: I’m now officially lost on the locked door analogies.

Orie Steele: FWIW I agree there is a way to make it clear when we are being abstract, and when we are being concrete… my only concern is that when we are concrete we are consistent in both RDF and english.

Joe Andrieu: yes, to Manu’s direction. Let’s get to specifics… To Ted the door is securable.

Ted Thibodeau Jr.: YES, securABLE, not necessarily securED!

Orie Steele: This is the primary place where we are being messy: https://w3c.github.io/vc-data-model/#securing-verifiable-credentials.

Dmitri Zagidulin: @Orie - interesting. any particular place in that section? Looking through it, it seems pretty clear..

2.5. Refer to VC-SPECS-DIR for proof types. (pr vc-data-model#1212)

See github pull request vc-data-model#1212.

Manu Sporny: PR 1212 examples of securing mechanisms in spec. Point to specifications or directory? Need PR about media types?

Orie Steele: VCs with some securing mechanisms, with DI proofs; two specs; or media types; This or that language in DM spec.
… merge media types, refer to them consistently.

Joe Andrieu: this establishes related specs into a privileged position…

Orie Steele: +1 on should to MAY.

Manu Sporny: +1 on SHOULD to MAY conversion.

Ivan Herman: +1 to MAY.

Manu Sporny: securing mechanisms we have vetted here and those not. Anyone can add to specs dir. No review…

Michael Jones: I want XML DSIG.

Manu Sporny: very dangerous thing; any mechanism…

Orie Steele: +1 JoeAndrieu.

Joe Andrieu: I think anything does go; people can come up with new crypto; a directory is okay; our mechanisms are published as recs.

Sebastian Crane: be careful, don’t devalue our (WG) opinion.

Kristina Yasuda: safely change to MAY…

Manu Sporny: we don’t say what has/hasn’t been vetted in registry? The VC DM doesn’t say what has been vetted.
… how should we refer to securing mechanisms we have been working on?

Orie Steele: I suggested a concrete change here: https://github.com/w3c/vc-data-model/pull/1212/files#r1279836059.

Manu Sporny: what sections/where to put?

Orie Steele: if media types is merge is will be obvious;.

See github pull request vc-specs-dir#14.

Orie Steele: +1 manu.

Manu Sporny: blocking on Kristina PR 14; create media type in specs dir; then merge.

Orie Steele: I can edit “register to list”.

Gabe Cohen: directister.

Joe Andrieu: avoid that directory is a registry.

Ted Thibodeau Jr.: Sorry, I’m slow, I have to re-review most recent changes in https://github.com/w3c/vc-specs-dir/pull/14.

See github issue vc-specs-dir#27.

2.6. (pr vc-data-model#1215)

See github pull request vc-data-model#1215.

See github pull request vc-data-model#1218.

Manu Sporny: PR 1215 1218. approvals.

2.7. Add cnf registered claim to v2 context (pr vc-data-model#1219)

See github pull request vc-data-model#1219.

Manu Sporny: JWT stuff from Orie…

Oliver Terbu: how to keep spec in sync with IANA registry.

Kristina Yasuda: Orie only adding already registered.

Orie Steele: has spoken with IANA folks; registries being updated, no timeline.

Manu Sporny: yes, what Orie said :).

Orie Steele: Oliver, the same thing that happens today… you add a second context.

Manu Sporny: correct ^.

Oliver Terbu: concern was publish, then new “claims” get registered; can we update context.

Kristina Yasuda: not sure what claims your concerned about…

Brent Zundel: it is a problem for a future working group.

3. Misc.

Manu Sporny: let’s end here.

Kristina Yasuda: https://github.com/w3c/vc-data-model/issues?q=is%3Aissue+is%3Aopen+-label%3Abefore-CR+-label%3A%22pending+close%22+sort%3Aupdated-asc.

Kristina Yasuda: thanks all, see you next week.