Verifiable Credentials Working Group Telco — Minutes

Date: 2024-10-23

See also the Agenda and the IRC Log

Attendees

Present: Ivan Herman, Brent Zundel, Hiroyuki Sano, Ted Thibodeau Jr., David Chadwick, Michael Jones, Kevin Dean, Mandy Venables, Wesley Smith, Dmitri Zagidulin, Dave Longley, Manu Sporny, Joe Andrieu, Will Abramson, Jennie Meier, Brian Campbell, Phillip Long, Rob De Feo

Regrets:

Guests:

Chair: Brent Zundel

Scribe(s): Dave Longley, Manu Sporny

Content:

Wesley Smith: wes-smith has joined #vcwg.

Brent Zundel: Our agenda today is that we’re going to look at a proposal to move VC-JOSE-COSE to CR2.
… We’re going to very briefly entertain a discussion about renaming the controller document and then spend the rest of our time on controller document PRs and issues.
… Anyone who would like to changes to the agenda?

Manu Sporny: Just a quick review of where we are with the IETF BBS reviews and questions for Ivan about transition requests / horizontal reviews.

Brent Zundel: We can do that.
… Anyone want to introduce themselves that’s new?
… Not seeing anyone – going to Manu’s topic.

1. BBS Update.

Manu Sporny: The first thing is to just let the group know that the BBS crypto review we’ve been waiting on for almost a year now has been done. Two reviews have been done, hoping for a couple more, but box is ticked for the review.
… Spec authors need to review to the comments, they are working on that now.
… So that’s good news. The other news is that Simone continues to work through the Security Interest group (SING) charter – once that’s wrapped up and the charter officially they can start. We’re already talking with folks that are doing detailed reviews from SING when that starts up.
… I would be surprised if it wasn’t early November by the time we got officially started there.

2. CR transitions.

Manu Sporny: CR2 preps for VCDM, VC-DI, and VC-DI cryptosuites (ecdsa, eddsa) have all been prepped, no non-editorial things left in any of those documents.
… We have 14 implementations for data integrity with a couple of more on the way which is way more than the two we need. We are still looking at features at risk, and the test team has worked with Gabe to create a docker mechanism to run the test suites and it’s on a good trajectory, not sure when it will be fully done.
… But looking good. Question for Ivan – you mentioned that we needed to do something about horizontal review for CR2, was that we didn’t need any necessary additional review? You said some information was missing.

Ivan Herman: The point is that, in theory, I think, we should have contacted the horizontal review groups and get a statement that none of the new changes would raise any issues and I don’t think we’ve done that and I don’t know if there will be push back on that.
… I had a meeting with Philippe on other issues and that’s was a side note.

Manu Sporny: Would have been good to know about that – could lead to delay, what do we want to do about that? In terms of horizontal review, we also have 14 implementers as a form of horizontal review, the CCG summary has been going out, etc.

Ivan Herman: This is all true, but not the point, which is that we have to look at the new substantial additions to the spec. We may try to get a statement into the request whereby none of these are relevant for i18n or a11y, where we are with security we know we’re working on that with SING, same type of thing with privacy.
… We can look at the new features/changes and find the argument where those are irrelevant. I don’t know if that’s the case.

Brent Zundel: We went into CR1, we responded to the requests for changes and made those – would it be appropriate going into CR2 we can say: “Here’s the change set do you have any concerns about these minimal changes?”.

Ivan Herman: Yes, that’s what I’m saying. Another group just did this too – and right after CR request I sent out a request like that.
… We’re not talking about filling out all the forms and all that, just a note asking about concerns.

Manu Sporny: I did do a scan through before prepping the documents, there have been zero changes about i18n or a11y – any changes that we made were in response to previous TAG reviews that have increased and tightened down security in the doc.
… I can make a statement and point the horizontal review groups at the delta, which is documented and then ask.

Ivan Herman: Yes please.

Manu Sporny: I can do that in the request and in parallel, staff or chair requests that the horizontal groups take a look again?

Ivan Herman: The request is out as an issue now, the best is to add a comment there saying in terms of i18n, etc.
… Contacting them, Brent, that would be a good thing to have.
… Whether that will be a real problem for CR2 at all we should do our best in this respect.

Manu Sporny: I will take two actions and draft language and Brent can help there.

Brent Zundel: Works for me.

3. VC JOSE COSE CR2.

Brent Zundel: I believe you have the links we need and are ready to run this portion. Let me know if you need me to do anything.

Michael Jones: Gabe’s not here – so a race to see if myself, Brent, Ivan can find the CR2 candidate links.

Ivan Herman: See CR 2 editor’s draft.

Ivan Herman: Gabe made the main branch entry as the snapshot which isn’t necessarily a good idea, but we can go with it.
… I haven’t put the docs on the website and don’t want to without the green light.

Michael Jones: If you look at the github status with the VC-JOSE-COSE … there are no PRs and there is one issue without spec change requests. We believe we’re there in terms of – it’s time to request the second CR.
… Is the thing we do now – to have a resolution?

Brent Zundel: Yes, we run a proposal to transition the doc at the link to CR2.
… With a goal to publish on Nov 5.
… Please look at the emoted proposal and say what language tweaks you’d like.

Ivan Herman: See Submission request draft:.

Ivan Herman: Just for the whole record, I have created a submission request draft with the stuff for management.
… We had one question to the formal objection part which Brent said we have to verify.

Brent Zundel: Do we have to make any changes/textual changes to that?

Ivan Herman: No, not to the proposal itself.

Ted Thibodeau Jr.: We generally want a timestamped doc.

Ivan Herman: We don’t have that right now.

Michael Jones: We’re voting on transitioning to a timestamped link.

Ted Thibodeau Jr.: Historically here and elsewhere, a datestamped document goes out for CR.

Michael Jones: It will, once we decide to create it based on this poll.

Ted Thibodeau Jr.: +1 to what Ivan’s saying.

Ivan Herman: The practice is that in the repo one creates a separate document which is not the editor’s draft and that goes to CR and we vote on that.
… Maybe Manu can put up an example.
… It is a better practice because we may otherwise get into problems with updates, etc. That would have preferred that Gabe or you, Mike, would have created something like that with the final document generated by respec for CR2.

Brent Zundel: There is a document here: https://github.com/w3c/vc-jose-cose/blob/main/transitions/CR2/2024-11-05/index.html.

Ivan Herman: And we vote for the publication for the document provided that it is done.
… We can do a change in the proposed resolution saying something like one of you two will create that version quickly.

Brent Zundel: There is a document – I dropped the link in the chat. Is this not a date stamped version of VC-JOSE-COSE?

Ivan Herman: Except, we have to do precede that with the magic to make it a rendered document.

Brent Zundel: Ok, we have a date stamped link that renders the doc now and I will adjust the proposal with that link. Any other changes?

Proposed resolution: Transition the document at https://w3c.github.io/vc-jose-cose/transitions/CR2/2024-11-05/ to a second Candidate Recommendation with a goal to publish on November 5, 2024. (Brent Zundel)

Brent Zundel: +1.

Ted Thibodeau Jr.: +1.

Michael Jones: +1.

Joe Andrieu: +1.

Will Abramson: +1.

Ivan Herman: +1.

Jennie Meier: +1.

David Chadwick: +1.

Manu Sporny: +0 (think it’s premature, we don’t have a test suite still w/ understanding of implementation depth, but not blocking).

Hiroyuki Sano: +1.

Phillip Long: +1.

Brian Campbell: -1.

Brent Zundel: Could you speak to your -1?

Brian Campbell: We don’t want to, but will have to file a formal objection on this, that’s what it is.

Brent Zundel: Noting Brian’s formal objection.

Brian Campbell: Not being familiar with the processing this involves, appreciate your support in noting the place to do so.

Resolution #1: Transition the document at https://w3c.github.io/vc-jose-cose/transitions/CR2/2024-11-05/ to a second Candidate Recommendation with a goal to publish on November 5, 2024.

Ivan Herman: Can you register Brian in the proper steps to take to file his formal objection?
… In the request I mentioned earlier we should make that clear.

Brent Zundel: At this stage, the formal objection is noted.

Ivan Herman: And we have to report it for the transition.

Brent Zundel: Any action required on Brian’s part until we move toward REC?

Ivan Herman: Not that I know of.

Brent Zundel: Brian for now you’ve done what’s necessary, when the group takes this doc to REC, there will be additional steps to take.

Brian Campbell: This is a different recommendation than this one?

Brent Zundel: The same document, but a different phase for it. Right now we’re moving this document to CR2 and if implementation feedback supports the normative requirements in the document, the group will move to proposed recommendation (PR) and if your formal objection still stands folks will reach out to you.
… To take part in councils and attempts to reconcile.

Ivan Herman: To be precise, a PR means a formal vote goes out to the AC (to members) and it’s on that vote that you formally put your objection with all the right arguments. After that comes the council process brent mentioned.
… I don’t know if you are the AC for your company or someone else.

Brian Campbell: Someone else.

Ivan Herman: That person will need to do a -1 vote with the formal objection.

Brent Zundel: I will take an action to contact you and your AC rep so you are aware of the vote happening and you can vote and formally object at that time.

Brian Campbell: Thanks, that’s acceptable process-wise.

Brent Zundel: Ok, that’s that topic, any other comments before we move into controller document?

4. Controller Document Rename.

Manu Sporny: https://github.com/w3c/controller-document/issues/100#issuecomment-2432419800.

Manu Sporny: At the editor’s call I took an action to summarize the options that are in front of us. Joe, you added another one, I’ll add it to the list.
… We could open a ranked choice poll and see what people would like.
… Just to gather data.
… We keep the poll open for a week or two and then close the poll, bring the data back to the group and see if there’s a particular name that’s clearly winning and choose it or decide to keep the other name – whatever we want.
… With Joe’s addition, we can run the poll, gather data. If anyone wants another choice listed, please tell us right now, because once the poll is open we can’t change it.
… I will open the poll after the call today.

Brent Zundel: May I make a request? Right now – all of the options are in the plural but the name of the document is in the singular.

Manu Sporny: I think that’s a decision – plural or not – that we can make later and hopefully be an easy one. Just because it’s plural in the poll doesn’t mean it has to be that way.

Brent Zundel: I am eagerly anticipating that conversation.
… I am not seeing anyone jump on the queue to say their option isn’t in the poll and you’re cleared to move forward with this poll as a data gathering exercise so we can see which of the choices is likely to be preferred or not and we can work off of that.

Manu Sporny: +1 I will take that action.

David Chadwick: Two points I want to raise: you’ve got cryptographic identifiers (plural) and another that is singular, we ought to be consistent.
… I also suggested that the cryptographic information documents as a choice, not identifiers, so please add that to the list of names to choose from.

Manu Sporny: You wanted me to add “Cryptographic Information” and you wanted equivalences between “Cryptographic Identifiers” and Cryptographic Identifiers Documents” … is that correct?

David Chadwick: I think there should be consistency in singular and plural and choosing whether to have the word “document” in the title.

Manu Sporny: I think I made the change you wanted, can you make sure I did?

Brent Zundel: Thanks, Manu.

5. Controller Document PR-s.

Brent Zundel: There are currently three open PRs.

Brent Zundel: https://github.com/w3c/controller-document/pulls.

5.1. updated introduction to focus on verification of proofs (pr controller-document#102)

See github pull request controller-document#102.

Brent Zundel: Updated introduction to focus on verification of proofs. Request for changes from Ted. It looks like requests for changes from David Chadwick or some suggestions that have been resolved.
… If folks have comments here – Ted have your requests been addressed?
… It looks like they’ve all been incorporated from a quick glance. If that’s the case, nothing standing in the way.

Manu Sporny: That would be great with true. I thought I saw some misalignment between Joe and Dave Longley who is scribing – that just needs to be resolved.
… I don’t think we can do the CR without resolving this.

Dave Longley: Taking a quick look, I was being responsive to a point that DavidC was making in comments. I don’t think I had changes in the PR that I requested.
… I don’t think I’m blocking the PR with my comments.

Ted Thibodeau Jr.: I don’t need to speak; my changes appear to have been applied, modulo addressing that the “abstract” is entirely reproduced as the first paragraph of the “introduction”, which doesn’t seem to bother others as much as me.

Joe Andrieu: Yes, this is just the introduction section, I think Dave and I are discussing something else. I don’t think the language addresses the confusion around subject not being the controller.
… Whether or not the controller property is semantically different when it’s in a verification method or in the root of the controller document; I don’t think we need to resolve that argument to resolve this PR so we can move forward.

Ivan Herman: +1 to joe.

Brent Zundel: No one else is on the queue, but I would recommend to filip that he raise his concerns as a separate issue.
… I can make a comment in the PR recommending that filip open an issue to track his concerns. Ted, if you can do a re-review and make sure your changes have been made to your satisfaction then this PR can be merged.

Ted Thibodeau Jr.: My changes have all been applied, with one exception that I can live with.
… About the abstract and intro being duplicated that doesn’t seem to bother anyone else.

5.2. Add service to document properties and context. (pr controller-document#112)

See github pull request controller-document#112.

Brent Zundel: This is about a property in a DID doc that did not exist in a controller doc and the conversation at TPAC had the group agree to bring it over.
… We has minimal review, but open for 3 days, so if folks can review it or if there are any comments we can take those now.

Ivan Herman: I am always the troublemaker with the vocab, the URL with the service is in the DID space, will that stay that way?

Manu Sporny: Yes, that’s intentional to ensure that we don’t make a backwards breaking change.

Ivan Herman: That means that I will not make any the vocabulary document. This property will not appear in the document.

Manu Sporny: I think that’s ok. There’s a DID vocabulary where it points.

Ivan Herman: That’s the only element.

Manu Sporny: Yes, that’s true at this point because we split the two docs apart.

Ivan Herman: Ok, I hold my nose, but it’s fine.

Brent Zundel: Any other comments?
… Chair hat off, I don’t fully understand why we need to bring service in, I won’t object, but it points directly to a doc that should be a profile of this one; I think that one should handle that. I don’t understand the use case for a service in the controller document.

Manu Sporny: Good question, comes from the ActivityPub community and they are starting to migrate to using the data integrity JCS signatures and they want to be able to list services in their controller documents.
… That plus the other comments from TPAC.

Dmitri Zagidulin: +1 to what Manu said. That said, if this group ends up ruling that no service endpoint can be in a controller document, then ActivityPub will just end up using the DID context. The point in bringing it up – is that it’s that kind of use case. A DID only have two things: keys, services.
… A controller document is a more generic version of a DID, cutting out service endpoints cuts out literally have of it and that seems major.

Brent Zundel: Thank you, Dmitri, I don’t know of anyone actively opposed, so it’s likely this will move forward, but we do some more review on the PR and it’s not yet been a week.
… Moving onto the final PR that is open if there are no more comments.

5.3. Use correct vocabulary URL for alsoKnownAs. (pr controller-document#113)

See github pull request controller-document#113.

Brent Zundel: “Use correct vocab URL for alsoKnownAs” – this one open for 3 days, 3 approvals, just a bug fix.

Manu Sporny: Yes, I was going to say what you said, it was a simple mistake, we’re fixing it.

Brent Zundel: Any comments on this?

6. Controller Document Issues.

Brent Zundel: https://github.com/w3c/controller-document/issues?q=is%3Aissue+is%3Aopen+sort%3Aupdated-asc+-label%3A%22during+CR%22.

Manu Sporny: I don’t know if you want to shortcut this – but I could run down why we don’t need to talk about them, but we can do them individually.

Brent Zundel: We can do them individually, it’s fine.

6.1. Adjust framing to correctly describe relationship between the identifier and the controller (issue controller-document#75)

See github issue controller-document#75.

Brent Zundel: I believe that this is at least partially addressed by the PR that Joe raised, what’s the delta?

Joe Andrieu: I think it’s dependent on figuring out what that new intro language is and deal with that issue Filip is bringing up.
… If we get that intro correct that will provide guidance for how to update this. I think that’s where we’re at. I think the other one that spawned off of issue 33 – and we already have the PR for 33, it doesn’t address DavidC’s issue on subject vs. controller.
… If we figure out the intro and then we can talk about subject not being controller and we can update the doc.

Manu Sporny: I’m wondering if this is editorial and we can do this during CR. At TPAC we removed the “during CR” label.
… I don’t know what the language will be – whether editorial or normative – I’d like to figure that out. I would like to presume that other introductory PR will go in and what concrete thing will close this issue.

Joe Andrieu: I can put a PR together if 33 looks good, I think conceptually we as a group really haven’t responded to DavidC’s question and whatever PR I make to update this language should read on that. I can get to spec text.

Manu Sporny: Yes, please, please raise a PR for 75.

Joe Andrieu: Yes, I can.

Ivan Herman: Is it the same issue as what we discussed elsewhere – on what happens if there is no controller property, is there any entity that plays a similar role – is it the same story?

Joe Andrieu: Yes, it’s the same thing.

Ivan Herman: Unfortunately for me, it’s not an editorial question.

Manu Sporny: In which case we have to deal with this then.

Joe Andrieu: +1 to VDR decides who is the controller.

Manu Sporny: I will suggest that the controller of the document is defined by the VDR, which Dave Longley suggested as well – and maybe we just say that.
… So the relationship is defined by the VDR and we can’t say anything generalized or generic – and we can maybe give some suggestions or expectations.

Joe Andrieu: If we do that, I think that addresses both yours and DavidC’s issue.

David Chadwick: Let’s see the text, and we need to resolve it and I’ll review it. You speak of the VDR as a separate entity from the controller document.
… I see the controller document as part of the VDR and it’s the standardized part that someone can retrieve.
… Am I right or wrong in that assumption?

Joe Andrieu: I would say I think you’re wrong. In the context of the bitcoin methods, the DID document doesn’t exist in the blockchain, it’s derived from transactions on the chain. The information needed to manage the document is in the chain.

Manu Sporny: I think you’re right conceptually but we have to talk more to details on how VDRs work.
… I think we can talk about specifying that there isn’t one true way to do it.

Joe Andrieu: I just wanted to get something in the ether – I think then, I don’t believe we have VDRs in the controller document. I’ve been using the language “where the document is stored”. Or do we need to introduce VDRs formally?

Brent Zundel: It’s sufficient to talk about where it’s stored.

Manu Sporny: +1 to not growing scope.

Brent Zundel: Watch for VCWG meeting cancellations, IIW.
… Thanks folks!

7. Resolutions