Verifiable Credentials Working Group Telco — Minutes

Date: 2024-03-06

Attendees

Present: Ivan Herman, Brent Zundel, Ted Thibodeau Jr., Jennie Meier, Paul Dietrich, Benjamin Young, Dave Longley, Manu Sporny, Dmitri Zagidulin, Joe Andrieu, Michael Jones, Gabe Cohen, Przemek Praszczalek

Regrets:

Guests:

Chair: Brent Zundel

Scribe(s): Benjamin Young

Content:

1. Work Item Status Updates/PRs.
- 1.1. Algorithms are poorly defined / unimplementable (issue vc-jose-cose#206)
2. VCDM Issue Processing.
3. AOB.

Brent Zundel: Welcome. The agenda is straightforward. Status updates, pull requests, and then issues on the core data model.
… anyone have changes or additions?

Manu Sporny: just 2 announcements about upcoming maintenance deadlines.
… as folks know, we made a call for DID and VC registries.

Manu Sporny: Volunteer list is here: https://lists.w3.org/Archives/Public/public-vc-wg/2024Mar/0005.html.

Manu Sporny: we need volunteers, and did a training video, collected github handles, etc.
… these folks are all more than qualified to maintain the registries.
… and they’ve mostly signed up for both.
… we sent an email out to get confirmation from the group on the list of volunteers.
… next Tuesday is the deadline to object.

1. Work Item Status Updates/PRs.

Brent Zundel: any comments on volunteering?
… ok. status updates. Please queue up if you have updates.

Manu Sporny: for Data Integrity, all the specs are aligned with Jeffrey Yaskin’s cryptosuite interface proposal.
… it was a major change, so we need to go through another CR.
… no negative feedback from implementers.
… for BBS, we can go into CR by next week (in theory).

Manu Sporny: https://github.com/w3c/vc-di-bbs/.

Manu Sporny: Greg still has some pending PRs.
… once those are in we’ll cut a pre-CR and do a call for consensus.
… ivan, I don’t know what the timing would be. This is just a heads up that this is nearly ready for a vote.

Manu Sporny: https://github.com/w3c/vc-bitstring-status-list/issues?q=is%3Aissue+is%3Aopen+label%3Abefore-CR.

Manu Sporny: Bitstring Status List can be ready for a vote to got into CR early next month.
… we have asked PING to review prior to CR…still waiting on confirmation.
… we have had reviews done and other reviews will timeout in mid-April.
… the big thing we need is what the Traceability group is doing with status list.
… but we need more engagement specifically from Transmute and Mesure.io.
… we have a plan for what we can do with it, but we need implementer feedback from the Traceability cohort.
… the VCDM has a few changes related to requests from the Activity Pub folks.
… but the standing issues seem to be nearly resolved.
… there’s a normative change about “enveloped” Verifiable Presentations.
… just to be clear, the VCDM can now carry any payload of any media type.
… which means it could hold other forms of credentials, mDoc, etc.
… there’s a clear story around how this can be done.
… I think this achieves the “big tent” approach we’ve been aiming at.
… the rest of everything seems to be editorial.
… what we’re targeting is a May timeframe for VCDM.
… and we may be able to push it up a bit.

Ivan Herman: do we want to talk about CR timing now?

Brent Zundel: now’s good.

Ivan Herman: for the March date, we have to take into consideration that the timing lines up with Good Friday, which means one of our reviewers will be on vacation.
… and the 5th of April is a publication moratorium due to the AC meeting in Japan.
… so if we can’t get this request in by next week or the beginning of the week of the 18th, then it won’t happen in March.
… additional difficulty is that from March 22-26 I will be out of town.

Manu Sporny: sounds like we should shoot for the 18th of March.

Ivan Herman: when would the WG get together? the 13th? next week?

Manu Sporny: I can check with Greg to see if he has anything else that needs to go in.
… otherwise, I think we can do it by next week.
… it’s all stuff that’s already in the spec, just some of it will become normative.
… most of it has been there for weeks or even months.
… we can set the publication for the 21st.

Ivan Herman: I admire your optimism. If we vote on the 13th, we’d need an approval by the 15th–2 days later–and that seems unlikely.

Manu Sporny: when’s the better day?

Ivan Herman: the 26th or the 28th.

Manu Sporny: 28th? would that work?
… that would be for BBS or JOSE/COSE? or both?

Ivan Herman: the difference between one or two is marginal, so having both together would be best.

Manu Sporny: I’ll work with Greg to prep for a vote on the 13th.
… we’ll target a publication date of the 28th.

Brent Zundel: Gabe or Mike Jones, any updates on JOSE/COSE.

Michael Jones: we have no open PRs.
… but we do have some issues.

1.1. Algorithms are poorly defined / unimplementable (issue vc-jose-cose#206)

See github issue vc-jose-cose#206.

Michael Jones: 206 is about the verification algorithm.
… but manu’s already mentioned that all the specs are doing the right thing in terms of algorithm.

Manu Sporny: I wasn’t referring to JOSE/COSE, just the Data Integrity specs.
… I think the editors of JOSE/COSE should figure out if the new interfaces apply for create and verify.
… I’m checking to see what Jeffrey wrote about this earlier.

Manu Sporny: https://w3c.github.io/vc-data-model/#securing-mechanism-specifications.

Manu Sporny: section 5.13 securing mechanism specifications.
… I don’t know if the VC JOSE/COSE spec does the things that section requires.
… it must provide a verification method that only contains the data in the document.
… there are a bunch of other requirements for embedded proofs.
… but no real requirements for enveloping proofs.
… it’s up to the editors to decide if they’ve hit that bar.
… and the group to agree or not.

Michael Jones: brent, this is assigned to you, do you want to keep it.

Brent Zundel: yes. I’ll keep it.

Gabe Cohen: we have a section on this, but the rendering is broken.

Brent Zundel: I’ll look at that as well.

Manu Sporny: there’s a bulleted list in the issue I made. I’ve not seen responses.
… I’ll not block this going into CR, but without these changes it’s likely to get formally rejected.
… so, going through the list and explaining how they’re addressed should help avoid the formal objection and close that issue.

Michael Jones: you mean the one from December?

Manu Sporny: yes.

Brent Zundel: I’ll tackle this.
… anything else about JOSE/COSE?

Michael Jones: decentralgabe has the other issues.

Gabe Cohen: I plan to do both this week.

Michael Jones: The three vc-jose-cose before-CR issues are https://github.com/w3c/vc-jose-cose/issues?q=is%3Aissue+is%3Aopen+label%3Abefore-CR.

Brent Zundel: if all three of these are addressed with PRs, it’s theoretically possible we could vote next week…but that seems really tight.

Michael Jones: no opinion on timing, ivan’s the expert.

2. VCDM Issue Processing.

Brent Zundel: https://github.com/w3c/vc-data-model/issues?q=is%3Aissue+is%3Aopen+-label%3Afuture+sort%3Aupdated-asc.

2.1. What does the hash values in §B.2 mean? (issue vc-data-model#1442)

See github issue vc-data-model#1442.

Michael Jones: oh, this is before PR, so we’ll skip it for now.

Brent Zundel: 1442 is assigned to ivan.

Manu Sporny: just to provide some input.
… ivan asked about posting the canonical hash.
… what we want is for people to retrieve something from the Web, and pass it through a library to get the hash.
… telling people to have something special on hand to tell if the doc is valid is not what we want.
… using a format they can read, SHA it, and compare would be better.
… we could add hashes for every serialization, but that feels like a bit much.
… we do want to update our ReSpec extension to generate these hashes at publication time.

Ivan Herman: it was already clear back then that the hash is the representation of the JSON-LD of the vocabulary.

Manu Sporny: yes.

Ivan Herman: depending on conneg, you may get other formats.
… it’s not clear enough that the hash is specifically for the application/ld+json representation.

Manu Sporny: I thought we had examples of how to recreate the hashes.

Ivan Herman: it’s there, but it’s still not clear.
… make it clear. should only be a few words.

Brent Zundel: currently this is assigned to you, ivan.

Ivan Herman: I can make a PR.

2.2. Define `verification material` find replace `public keys` (issue vc-data-model#1197)

See github issue vc-data-model#1197.

Manu Sporny: thank you ivan!

Brent Zundel: moving on to 1197.
… Nick Steele agreed to do the work, but he’s not been on the calls.

Manu Sporny: I can take this one.

Brent Zundel: need any clarity from the group?

Manu Sporny: nope. pretty straightforward.

2.3. Authorized Presenters (issue vc-data-model#1359)

See github issue vc-data-model#1359.

Brent Zundel: 1359.
… decentralgabe this is assigned to you.

Gabe Cohen: I still think it’d be helpful for this to be described in the spec.
… when you’re going to make a VP, how can you be sure that the entity presenting it is authorized to present it.
… so we avoid anyone presenting it to anyone.

Manu Sporny: +1. I do think we can point to the confidence method spec.
… the only concern I have is that the spec hasn’t been touched in awhile.
… I do think we plan to revisit it in a future WG, but not sure we want to talk about it before then.

Ted Thibodeau Jr.: having a VC property for “authorized presenters” seems a fine extension, but what to do with it feels like business logic.

Manu Sporny: we could talk about matching DIDs and comparing crypto related to those at each layer.
… it’s really when you want to connect it to a additional binding mechanisms that you’d want confidence method to come in.

Brent Zundel: a full treatment of this seems too much to handle right now.

Manu Sporny: I agree with Brent’s overall analysis. What can we do editorially for this?

Brent Zundel: what aspect of this would fit right now, is my question to decentralgabe.
… we’ve got general interest in closing this, but we should narrow in on a specific recommendation.

Gabe Cohen: I’d like to see non-normative text about it that could later be made normative.
… it would at least help nudge people toward the future.

Brent Zundel: is this something you can do?

Gabe Cohen: yes, but it’s lower priority.

Brent Zundel: I will note you assigned it to yourself in December, and it’s still yours to do.

Ted Thibodeau Jr.: I’m still very unclear how confidence method applies to who’s presenting.
… it does feel reasonable to say “these are my authorized presenters”, but how to enforce that feels like business logic to me.

Manu Sporny: I agree with Ted’s analysis.

Gabe Cohen: will attempt some language, looking forward to it being torn apart :).

Michael Jones: how do you see this list interacting with proof of possession binding?

Gabe Cohen: that’s one option, but there be situations where that’s not present.

Michael Jones: just wanted to note they were related.

2.4. Section title and contents mismatch on “Complex Language Markup” (issue vc-data-model#1254)

See github issue vc-data-model#1254.

Brent Zundel: 1254 is about complex language markup.
… this was pending close.
… we got a comment that if the title is adjusted, that would better apply or reflect the content.
… sounds like a simple change.

Manu Sporny: I’ll take it.
… and just try to work with title, since Sebastian’s no longer with us.
… I’ll provide a PR and we can talk about it there.

2.5. first example contains an http url identifying a credential (issue vc-data-model#1432)

See github issue vc-data-model#1432.

Brent Zundel: 1432.
… this is assigned to decentralgabe. Do you need input?

Gabe Cohen: could I state that public URLs for credentials is a Bad Thing, and suggest we recommend URNs would be better.

Dave Longley: it might be a bad idea for “personal credentials” (credentials about people).

Manu Sporny: I think we should not do that, but state that it’s nuanced.
… there are all sorts of credentials that should use the ID.
… and many that should not state an ID–when they’re for private individuals, etc.
… we may want to put this in the Privacy section–and it may already be covered.

Dave Longley: +1 to what the credential is about should be a strong consideration on what ID/what kinds of IDs you might use.

Gabe Cohen: +1 Manu, understood.

Paul Dietrich: we do use resolvable URIs for public credentials.
… if it’s PII, then there are reasons not o.
… but there are certainly reasons to use public URIs.
… and I do think it’s already in the Privacy section.

Michael Jones: there are cases where we use these, and without them key discovery breaks.

Brent Zundel: did that help?

Gabe Cohen: yes. I’ll incorporate it into a PR.

2.6. `expires` header for https://www.w3.org/2018/credentials/v1 is in the past (issue vc-data-model#1239)

See github issue vc-data-model#1239.

Brent Zundel: 1239…did we decide about this one? ivan ?

Ivan Herman: I proposed we delay this one.
… the transcript of the meeting is inconclusive.

Brent Zundel: I think this one’s OK to ignore for now.
… anyone object?

2.7. Define what a credential validity does mean (issue vc-data-model#1176)

See github issue vc-data-model#1176.

Brent Zundel: 1176 define what credential validity means?
… JoeAndrieu ?

Joe Andrieu: …still need to get to it, sorry.

Brent Zundel: if there still isn’t a PR in the next few weeks, we will need to close it.

2.8. Non-normative changes from Jeffrey Yasskin’s review (issue vc-data-model#1348)

See github issue vc-data-model#1348.

Joe Andrieu: understood.

Brent Zundel: 1348.

Manu Sporny: this ones mine. It’ll take a few days, but I should be able to do it.

2.9. Unnecessary direction attribute? (issue vc-data-model#1424)

See github issue vc-data-model#1424.

Brent Zundel: 1424 unnecessary direction attribute.

Ivan Herman: there’s a PR for that one.
… and it’s been merged. So lets close it.

2.10. Explain that natural language examples are illustrative (issue vc-data-model#1192)

See github issue vc-data-model#1192.

See github pull request vc-data-model#1449.

Brent Zundel: excellent!
… 1192.
… has a PR, 1449…still open.

Manu Sporny: the rest of the list have PRs.

Brent Zundel: we’ll go through them one by one.
… PR1449 looks ready for merging this week.

2.11. Multiple Credential Status Lists (issue vc-data-model#1291)

See github issue vc-data-model#1291.

Brent Zundel: 1291.

See github pull request vc-data-model#1450.

Brent Zundel: PR1450 covers this one. several approvals.
… can be merged this week.
… please take a look at it.

2.12. Specify what kind of processing is safe on a returned document (issue vc-data-model#1388)

See github issue vc-data-model#1388.

Brent Zundel: 1388.

See github pull request vc-data-model#1451.

Brent Zundel: PR1451 covers this one. Has lots of conversation and approvals.
… please review.

2.13. Tell a bit more about `verificationMethod` type schema (issue vc-data-model#1274)

See github issue vc-data-model#1274.

See github pull request vc-data-model#1452.

Brent Zundel: 1274, PR1452 - large number of approvals, ready to be merged.

2.14. EnvelopedVerifiablePresentation missing in data model (issue vc-data-model#1431)

See github issue vc-data-model#1431.

See github pull request vc-data-model#1453.

Brent Zundel: 1431, PR1453 which has approvals and on track to be merged.
… we’re headed toward wrapping this up.
… so expect to be bothered by us to get the work done…probably weekly.

3. AOB.

Brent Zundel: many folks will be at IETF soon.
… 2 weeks from now.

Ivan Herman: one warning, day light savings time 3 week nightmare starts next week.
… it’ll always be a mess, because there’s no way the US and EU will agree about this one…

Ted Thibodeau Jr.: let your calendar tell you the relevant local time that matters!