Verifiable Credentials Working Group Telco — Minutes

Date: 2024-10-16

See also the Agenda and the IRC Log

Attendees

Present: Gabe Cohen, Ivan Herman, Ted Thibodeau Jr., Hiroyuki Sano, Manu Sporny, Mandy Venables, Dave Longley, Phillip Long, David Chadwick, Dmitri Zagidulin, Joe Andrieu, Will Abramson, Benjamin Young, Jennie Meier, Michael Jones

Regrets: Brent Zundel

Guests:

Chair: Gabe Cohen

Scribe(s): David Chadwick

Content:

• 1. Agenda Review.
• 2. CR2 updates.
• 3. vc jose cose media types update.
• 4. Controller Document.
  • 4.1. Add Use Cases and Requirements (pr controller-document#103)
  • 4.2. Specify that semantics are the same if @context is not used. (pr controller-document#106)
  • 4.3. Add security consideration around Multiformat choice. (pr controller-document#107)
  • 4.4. Find a better name for the specification (issue controller-document#100)
  • 4.5. Correct inappropriate uses of w3id.org domain (issue controller-document#66)
  • 4.6. PING/TAG issues.
  • 4.7. Testing the Controller Document.
  • 4.8. security review.

1. Agenda Review.

2. CR2 updates.

Manu Sporny: https://github.com/w3c/vc-di-eddsa/issues.

Manu Sporny: eddsa spec has zero issues, zero PRs and CRv2 has been prepared.

Manu Sporny: https://github.com/w3c/vc-di-ecdsa/issues.

Manu Sporny: ecdsa spec in same shape.CRv2 still to be prep’ed.

Manu Sporny: https://github.com/w3c/vc-data-integrity.

Mandy Venables: present_+.

Manu Sporny: . data integrity had zero issues and pull requests, but a new normative issue has arisen that needs to be addressed.
… . need to resolve this issue with ivan.

Manu Sporny: https://github.com/w3c/vc-data-model/issues.

Manu Sporny: . data model. 2 open PRs but both editorial, so can be done after CRv2.
… . but if we require certain algorithms then this would be a normative change.
… will have CR3 ready for Nov 5th publication date.

Ivan Herman: Manu have you made updates on my requests yet?

Manu Sporny: Sorry no.
… once we do CR2s we need to do final acknowledgements.

3. vc jose cose media types update.

Gabe Cohen: https://mailarchive.ietf.org/arch/browse/media-types/.

Gabe Cohen: media types were registered by me last week.
… . but not sd-jwt yet because sd-jwt registration has not been done. Needs the ID to go to last call first.
… . will this block CR2 for jose-cose?

Ivan Herman: Is sd-jwt to be a standard before the end of the year?
… when we go to PR it must be a standard.
… otherwise we have to remove reference it or declare it as non-normative.

Manu Sporny: did media type has been registered with IANA.

4. Controller Document.

Gabe Cohen: 8 PRs outstanding.

Manu Sporny: I went through PING and TAG reviews and raised PRs for almost all of them.
… one outstanding still, role of subject when controller not there.

Joe Andrieu: the issue about subjects is resolved with PR102.
… DavidC please see if this addresses your issue.

4.1. Add Use Cases and Requirements (pr controller-document#103)

See github pull request controller-document#103.

Manu Sporny: controller doc and did document provide different solutions to ownership.
… did document has twice as many use cases as controller doc.

4.2. Specify that semantics are the same if @context is not used. (pr controller-document#106)

See github pull request controller-document#106.

Manu Sporny: the TAG said a JSON-LD processor might resolve to a different solution to pure JSON processing, so need to make clear that this is not the case.
… so even if @context is not there, the result should still be the same.
… if you get two different results then you have a bug in one of your processors.

Ivan Herman: +1 to put this into VCDM.

Phillip Long: +1 to putting this in the VCDM for consistency.

4.3. Add security consideration around Multiformat choice. (pr controller-document#107)

See github pull request controller-document#107.

Manu Sporny: TAG also asked for Security Considerations for multi format choice.
… cannot tell difference between base64 and base32 encodings but with multi-encoding you can.
… but we have not done this is the relatedResource property.

David Chadwick: the way I read this, in order to determine whether its b64, you have to read the spec. in multi-encoding you don’t have the issue (have a prefix that tells you what it is); however, you have to go to the spec to understand this too.

Manu Sporny: multibase encoding has a multibase type so can take the text and you know that the first character will tell you the encoding format.

Dave Longley: +1 you define the multibase type once, and you can then reuse it across software and specs and if you need to switch anything, the impact can be reduced.

4.4. Find a better name for the specification (issue controller-document#100)

See github issue controller-document#100.

Manu Sporny: need to find a better name for the specification. We could run a rank poll on various naming options.
… this usually provides good results.

David Chadwick: +1 to a poll for a better name.

Ivan Herman: group can decide what sort of poll to use.

Manu Sporny: there is a web site that does poll rankings for you.
… this shows what the ranking is, and the group can then decide to accept this or not.

Gabe Cohen: I will follow up with Brent after this call to create the poll.

Manu Sporny: please make sure you have included all the name choices.

4.5. Correct inappropriate uses of w3id.org domain (issue controller-document#66)

See github issue controller-document#66.

Manu Sporny: would be great if W3C took over the domain name, but this is not likely.
… issue is still open to see if W3C has an opinion on this.

Michael Jones: I asked Ralf about this at TPAC.
… but I am OK on closing this if W3C will take an action on this.

Ivan Herman: we have an earlier green light from W3C management for the VCWG.

4.6. PING/TAG issues.

Manu Sporny: we can close the PING and TAG issues once all the resulting PRs have been merged.
… I have tagged these people with our PRs so that they can check that all their issues have been resolved.

4.7. Testing the Controller Document.

Ivan Herman: how are we going to do the testing of the controller doc.

Manu Sporny: all the normative statements in controller doc are same as in did core, so we can point to did test suite.
… alternatively we can create a JSON schema for people to check if their controller docs conform to the schema.

Ivan Herman: I am afraid that saying DID has done it, then the question will come on what has controller doc to do with VCs?
… we can say that the data integrity tests also test the controller doc since they conform to it?

Dave Longley: +1 the other verification test suites make use of verification methods that are from controller documents.

Dave Longley: +1 to Ivan.

Gabe Cohen: test suite for JOSE/COSE also uses the controller doc.

Manu Sporny: verification methods are tested and these are also in controller doc.
… we have a whole set of indirect tests for controller doc even if we do not have a test suite for the doc itself.
… and we are not aware that anyone wants to formally object to the controller doc.

Ivan Herman: but we also need to worry about W3C management as well.
… therefore all these indirect tests should be written up and presented with the controller doc when it is sent to be published as a CR.

Manu Sporny: we have to show two independent implementations of every feature. We can point to DID test suite to show this.
… and DI tests and JOSE/COSE tests.

Dave Longley: +1 to that text.

4.8. security review.

Manu Sporny: on the security review, the W3C security group is about to start soon, so we still need a review from it.