Verifiable Credentials Working Group Telco — Minutes

Date: 2024-09-18

See also the Agenda and the IRC Log

Attendees

Present: Ivan Herman, Brent Zundel, Gabe Cohen, Manu Sporny, Nicholas Steele, Benjamin Young, Kevin Dean, David Chadwick, Hiroyuki Sano, Will Abramson, Dmitri Zagidulin, Phillip Long, Dave Longley, Joe Andrieu, Jennie Meier, David Lehn, Steve McCown, Ted Thibodeau Jr.

Regrets: Ted Thibodeau Jr.

Guests:

Chair: Brent Zundel

Scribe(s): Phillip Long

Content:

• 1. TPAC Agenda.
• 2. Path forward each spec, boulder discovery.
  • 2.1. VC Data Model 2.0.
  • 2.2. Data Integrity.
  • 2.3. VC JOSE COSE.
  • 2.4. VC JSON Schema.
  • 2.5. Bitstring Status List.
  • 2.6. controller document.
  • 2.7. Use Cases.
  • 2.8. Implementation Guidelines.
• 3. AOB.

Brent Zundel: agenda is TPAC prep and the path forward for each spec with the goal to identify obstacles to get there and how to remove them, if possible. These can be addressed at TPAC to move all specs forward.

1. TPAC Agenda.

Brent Zundel: sharing agenda to the group.
… TPAC 45 mins for intros and logistics. Then first session is focused on the data model to get to resolution for CR2.
… second session is on Data Integrity - a big issue regarding the security vulnerability whether or not the context file is the subject of resource integrity protection.
… Friday arranged full day starting at 9:00 am PDT. First sessions is VC-JOSE COSE. Issue is the Media Types.
… controller document is the topic after break until lunch.
… the agenda sequence may change, so talk to Brent if there is a particular topic you want to be present for.
… after lunch Rec-track docs are the focus. Later the use cases documents will be presented by the authors and hopefully agree to republish as a note.
… Hope to get feedback from the Security Group.

Manu Sporny: All of this looks like a good plan / Agenda for W3C TPAC :).

Phillip Long: Sorry - I thought others might be reading this document for updates and the TPAC agenda discussion might have been useful.

Ivan Herman: the new charter votes will end this evening. No big issues to discuss. Hopefully no objections to the charter will emerge at the last minute. Have one comment about liaison statements are outdated should be a short discussion.

2. Path forward each spec, boulder discovery.

2.1. VC Data Model 2.0.

Manu Sporny: have been issue stable for awhile. Multiple editorial passes on the document, as have many others. Re: Test Suite, almost there. Enough implementations but need to clear out some statements, somethings are implemented that aren’t recognized. Some tests implementers are failing, and should be easy for implementers to fix.
… multiple implementations for every feature. Incorrectly serialized time values may require downgrading the statement from must to should. Test Suite is in good shape. Envelope VC and Envelope VPs have not gotten feedback from implementers re: whether they are going to implement them or not. May be VC JOSE-COSE stuff but at least two implementers are expected.
… presentations regarding holder claims will be implemented by Digital Bazaar but not sure about others.
… Having only two implementers for any given part of the test suit is a bit risky but going forwards but in ok enough shape for CR2.

Ivan Herman: Risky to go into a CR2 is an issue because?

Manu Sporny: would like more implementations.

Ivan Herman: that’s exactly the state that CR2 expects - at least 2 implementations requirement is for PR which is different.
… suggests anything without 2 check boxes is a “feature at risk” and move forward.

2.2. Data Integrity.

Brent Zundel: group needs to decide about what we can agree on for Data Integrity.

Manu Sporny: in great shape, except for the aforementioned issue. Same with EcDSA sill has a couple of items (context injections will be removed), includes EcDSA-SD as well.
… In better shape for DI test suites than ed25519 signature suite.
… EdDSA as in good shape and go to CR2 with the concern regarding the one remaining security concern.

Brent Zundel: are there any other concerns inhibiting moving the spec forward for TPAC.

Manu Sporny: BBS is not ready. Awaiting cryptographic review at IETF. Have multiple implementations, have 3 and expecting a 4th. But from an IETF perspective things are way behind schedule (asked back in Dec 2023). Have reached out to those beyond IETF who are experts in BBS. Many individuals and institutions who are interested in doing a review. A bit confused that they’re asked to review now.
… Need to give cryptographers a standards process 101 as to why its still necessary.
… issue around adding subparts as pseudonyms but will continue the work in the recharter.

Brent Zundel: we aren’t going to have people review BBS at TPAC.

Manu Sporny: Will have some people looking at BBS looking at our spec.

2.3. VC JOSE COSE.

Brent Zundel: need conversation about media types at TPAC that leads to the lowest probability of formal objections.

Gabe Cohen: For TPAC Gabe will present slides presenting the positions to catalyze decisions.
… for VC JOSE COSE there are 7 open issues 5 of which have PRs. Test Suite is underway. Help in implementing welcomed.

Ivan Herman: What is the status of SD-JWT?

Brent Zundel: SD-JWT is a rec track doc at IETF. Authors say it was near completion. If it proceeds, the VC JOSE COSE spec it can remains.

Ivan Herman: Should JOSE COSE be put aa At Risk if it’s not done after TPAC?

Brent Zundel: yes it should be marked At Risk.
… VC JOSE COSE now has several conflicts re: media types. Natural media type for VC JOSE COSE SD-JWT should be the same media type was used by VCs.
… VCDM relates to VC JOSE COSE SD-JWT is unclear.

Ivan Herman: aren’t we at the point where it is safer to remove the SD-JWT from the spec and move on?

Brent Zundel: that’s a TPAC conversation.

2.4. VC JSON Schema.

Gabe Cohen: re: JSON Schema, there are a few issues, mostly updating examples and clarifying language and reacting to whatever the JOSE COSE discussion reveals.

Gabe Cohen: See https://github.com/w3c/vc-json-schema/issues/235.

Brent Zundel: since going into CR has there been any substantive changes for the VC JSON Schema spec?

Gabe Cohen: just a some clarification but no normative changes expected.

Brent Zundel: next step get some clean up and implementers and we’re ok.

Gabe Cohen: Yes.

2.5. Bitstring Status List.

Manu Sporny: Bit String Status list in ok shape. Effectively 4 issues. Could be normative changes to the spec.
… changed where to put status messages and status size. SpruceID has some concerns about that and short discussion needed.
… Have a TTL issue to talk about. Discuss multiple revocations entries and such. Need more time on the spec, test suite and implementers. Not ready for CR2 at TPAC.

Brent Zundel: no roadblocks?

Manu Sporny: no just getting implementers remains an issue.
… Can mark those with concern as At Risk.

Ivan Herman: No requirement to go to CR2 if the changes are minimal to the document. If there aren’t major changes to the document it doesn’t need to go to CR2, and go straight to PR when there are implementations.

Manu Sporny: Agrees with that.

Gabe Cohen: agree.

Ivan Herman: For JSON Schema there is equally no need to go to CR2 can encourage implementations and go to PR.

2.6. controller document.

Brent Zundel: have not yet entered CR with the controller doc. Some issues. Formal responses from TAG and PING that need to be addressed. A number of issued marked “discuss”, and these can be brief. Preference emphasis is does it need to be solved before publication or not? Can it be closed and published?

Manu Sporny: Almost all issues can be dealt with in CR1. They look mostly editorial. One may have a normative change. If that’s true can be marked At Risk as the language might change.

Ivan Herman: +1 to manu.

Brent Zundel: agrees with that as a course of action. i.e., go through issues to mark changes as normative or editorial to define future work.

2.7. Use Cases.

Kevin Dean: https://github.com/w3c/vc-use-cases/.

Kevin Dean: asks if people would take a look at the use cases they have it would be appreciated.

Joe Andrieu: said at last TPAC that there be a section on deployed examples but haven’t gotten any submissions. Would help the use case docs.

2.8. Implementation Guidelines.

Brent Zundel: published Implementation Guidelines in 2018. A revision of the doc could be very beneficial.
… It’s a note, old, and have many newer ideas. Needs attention. Do we have the time to spend on it?

3. AOB.

Brent Zundel: TPAC plan to end week with a solid path forward for each document. For VC Data Model it’s to publish it CR2. Data Integrity issue is security, for JOSE COSE there is considerable work media types, etc.
… will be using this chat channel for TPAC. Zoom links likely changing.