Verifiable Credentials Working Group Telco — Minutes

Date: 2025-01-08

See also the Agenda and the IRC Log

Attendees

Present: Hiroyuki Sano, Ivan Herman, Denken Chen, Kevin Dean, Mandy Venables, Manu Sporny, Ted Thibodeau Jr., Benjamin Young, Brent Zundel, Nicholas Steele, Dave Longley, David Chadwick, Will Abramson, David Lehn, Jennie Meier, Phillip Long, Dmitri Zagidulin, Przemek Praszczalek, Paul Ziv, Wesley Smith

Regrets:

Guests:

Chair: Brent Zundel

Scribe(s): Dave Longley

Content:

• 1. Proposed Rec.
• 2. CID == Controlled Identifiers ?
• 3. Controlled Identifiers.
  • 3.1. Remove the numerical error codes to be in sync with the VCDM specification (pr cid#140)
  • 3.2. Controller of Verification Method (pr cid#139)
  • 3.3. Open CID issues.
  • 3.4. Delete misleading text about possible purposes for authentication (issue cid#60)
  • 3.5. Context namespace does not exist (issue cid#136)
• 4. Bitstring Status List.
  • 4.1. added note clarifying that credentialSubject.id is not used (pr vc-bitstring-status-list#196)
  • 4.2. Implementer’s feedback on multiple status entries in a single list (issue vc-bitstring-status-list#194)

Brent Zundel: Welcome to the VCWG, this is our weekly telecon, we will be talking about the controller document (controlled identifier document) and bitstring status list.

Manu Sporny: Just wanted to talk a little about proposed REC and when I should cut those documents, it’s a little premature because we need our horizontal feedback, but the issues are done, CID spec needs a little work, but the rest could probably have proposed REC cut for them. Maybe February might be the right time for that.
… Also briefly, the title of the controlled identifier document – I was looking at the DID spec, and we say “Controlled Identifier Document” and just call it “Controlled Identifiers” in the title of the spec as an editorial change, promise no more changes to the naming.

1. Proposed Rec.

Brent Zundel: February is the soonest we could do it from my perspective and I’m hoping we’re clearly there by that time.

Manu Sporny: Yeah, and to be clear, Ivan, this is just me cutting the ready document so we can move. If we get reviews that require changes then we’ll have to revise of course, but this is just getting ready for the next stage. I don’t think we need any announcements or anything, this is just the editors getting ready to go.

Ivan Herman: I appreciate being ready to go when we can so I’m fine with that. There’s one thing that will require a bit more thinking before going to PR, and maybe January will be the right time for that.

Ivan Herman: There are a number of files, vocab files, context files, etc. that are currently on github – where those are developed – and we said when we go to PR we have to place those docs in W3 space.
… This is something we may want to think about so as not to forget all of the various things in a last minute rush.

Manu Sporny: That’s right, that’s exactly my concern, I’d like to give ourselves multiple weeks to get all those final files in place, potentially have a checklist and so on.
… That’s all my request on proposed REC is – is to take time to do it methodically with plenty of time and double check.

Ivan Herman: We are in wide agreement.

Brent Zundel: I agree.

Manu Sporny: I can start cutting some of those documents sooner than later. It would be VCDM, DI, DI-ecdsa/eddsa, we’re still waiting on the CID / bitstring status list, VC-JOSE-COSE, JSON schema with a few things.
… We’re still waiting on SD-JWT for VC-JOSE-COSE?

Brent Zundel: Yes, that’s the plan.

Manu Sporny: Ok, that’s all I needed to know.

2. CID == Controlled Identifiers ?

Brent Zundel: Thanks, Manu.
… Anyone opposed to dropping “Document” the title that is displayed in the document.

Manu Sporny: The DID spec says “Decentralized Identifiers 1.0” and it would be nice to have alignment with “Controlled Identifiers 1.0”.
… Btw, alignment when updating the DID spec went well which was good news.

Ivan Herman: Don’t change the name after this next change. I have to update a lot.

Phillip Long: +1 to Ivan’s admonition.

Manu Sporny: Totally understood.

Dave Longley: +1 for the change.

Ivan Herman: +1 to the change, b.t.w.

Phillip Long: +1 to the change.

Manu Sporny: +1 to the change, if that wasn’t clear :).

Dmitri Zagidulin: One counterargument is – specifically us using the acronym “CID” is the usage of “CID” content-based identifier.
… Or content-addressed identifier.

Manu Sporny: It’s a good point and we did discuss that when we made the spec name change. Ted also noted that there are 45 other communities using “CID” for different things.
… Any three letter acronym is going to be used by any subset of the community.

Dmitri Zagidulin: Sure, but specifically in the decentralized identity community it’s used.

Manu Sporny: Yeah, we took that into account.

Brent Zundel: Even if we get rid of the word “document” in the title of the document we have that acronym.
… Ok, I think you’re cleared to make the title change, Manu.

Manu Sporny: Ok, I will do that.

3. Controlled Identifiers.

Brent Zundel: https://github.com/w3c/cid/pulls.

Brent Zundel: There are two – let’s look at #140 to start.

3.1. Remove the numerical error codes to be in sync with the VCDM specification (pr cid#140)

See github pull request cid#140.

Brent Zundel: Remove numerical error codes to be in sync with the VCDM spec.

Manu Sporny: +1 to this change.

Brent Zundel: It does what it says. It removes the error codes while retaining the names of the error codes. Anyone want to say we don’t want to do this, please say so, can take comments briefly, etc. if needed.

Ivan Herman: Just remarking that there is a sister PR in the DI spec which does the same. It also makes the changes in the vocab definition file. These two PRs should go hand-in-hand.

See github pull request vc-data-integrity#327.

Manu Sporny: Yes, +1 – we made a decision in the group to remove the error codes in the group and this is just Ivan making sure we follow that guidance.

3.2. Controller of Verification Method (pr cid#139)

See github pull request cid#139.

Brent Zundel: Ok, jump on the queue for other comments or we will move to #139.
… This PR has been open for five days, one request for changes from Ted, otherwise it’s a pretty small PR.

Manu Sporny: +1 in general to the PR, the PR makes two changes, the first one is not necessary because we already say it in the spec. David and I talked a bit about the PR over the break. The first change says you can’t trust a controller of a document to truthfully say which VMs they have control over.
… You have to follow the VM URL to get its controlled identifier document and check the bidirectional relationship.
… I think we’d be restating it a third time but I need to get a reference for David to see if he agrees.
… So maybe some refinement but +1 to the general direction.

David Chadwick: I think what Manu says is correct, but it seems to me that the comment that you first addressed that it should be made at the time that the controller is introduced for VMs and an example is different – rather than stating it at the end in the security section.
… Ted made some positive changes which I accepted apart from wording. So when it says there are outstanding comments but I don’t believe it is. I don’t know what to do there – just need Ted to respond.

Ted: I resolved them.

David Chadwick: Thanks Ted.

Brent Zundel: Thanks Ted.

Manu Sporny: I’m not opposed to keeping the first paragraph in, your reasoning works for me but can you add a reference to the security consideration section? Then people can click through and its all linked, etc.

David Chadwick: Sure, no problem.

Brent Zundel: I was going to ask for the same thing.
… That was the PRs on the controlled identifiers spec, we have a number of open issues still.
… We’re going to go through them.

3.3. Open CID issues.

Brent Zundel: see https://github.com/w3c/cid/issues?q=is%3Aissue+is%3Aopen+sort%3Aupdated-asc.

Manu Sporny: Just to speed things along here, I think the vast majority of these are waiting for a PR from me – I’m already assigned, that’s what needs to happen and I will try to get around to those as soon as I can.
… There is one, issue 60, I believe is already addressed but we need Mike Jones to confirm it’s addressed. Can we talk about that first?

Brent Zundel: Happy to talk about 60, note Mike isn’t here though.
… In my list the horizontal review issue is at the top, wanted to talk about this – you’ve had exchanges with the TAG for example … Manu?

Manu Sporny: TAG wanted to know which changes had been made in the last 6 months, we noted we had links to those changes.
… Privacy noted that they are looking at it. Security knows it’s in there and they know to do reviews, they are aware. Accessibility started processing and I wouldn’t expect it to take very long as very little has changed.
… Internationalization responded as well and I let them know we didn’t change anything there but they will double check.
… All groups doing horizontal review responded and are engaged, which is a great place to be.

Ivan Herman: All those requests that you sent out were referring to a pre-PR review based on the fact that they had already done it, which is fine. But we need the CID document reviews, not the PR reviews. We need specific references for the CID for going to CR.
… Looking at the PRs and the issues that the only thing in the way of getting CID to CR is this.
… I’m not quite sure what to put to the CR request.

Manu Sporny: I thought we had resolved that last year – I thought we had gotten our CR publication request approved for the CID spec.

Ivan Herman: I think you wanted that but we didn’t put it in because we need you to complete this.

Manu Sporny: Ok, they just have to do the horizontal review.
… I thought we discussed this and the conclusion was that all these groups did a review of the CID spec – just on a delta between DID spec and it.
… I thought we were on track to publish CID end of January.

Ivan Herman: There’s no transition request yet, still waiting on horizontal review request info.
… Look at the CR draft – look at what we have in the horizontal review thing and do whatever change you think needs to be changed to get management to accept the request.

Manu Sporny: We have horizontal reviews from the vast majority of the content before and even doing a PR review would count and let us go into CR I would imagine.

Ivan Herman: CID has never been in CR. It’s been reviewed previously in draft form, but we need newer reviews.

Manu Sporny: Ok, then we’re just waiting for these horizontal reviews to happen on the CID spec; does the group need to ask for more reviews?

Ivan Herman: I don’t remember from the top of my head, some reviews happened last July.
… Some happened in October, which is fine.
… The one in October we said we’d ask them to look at the differences in the spec, not the whole thing.
… We don’t have to do it in this call, but please look at the transition request and make sure it’s ok.

Manu Sporny: TAG did a review, yes, in September.

Ivan Herman: Some were I think in July, please look.

Manu Sporny: Ok, I will check.

Ivan Herman: I will also check for a formal resolution to go to CR.

Manu Sporny: Yes, we had that on December 18th to publish as CR, shortname, static copy, all that.

Ivan Herman: That is correct.

see: https://www.w3.org/2017/vc/WG/Meetings/Minutes/2024-12-18-vcwg#resolution1.

Manu Sporny: Let me take a look at the transition request.

Ivan Herman: Ok.

Manu Sporny: The review for PR doesn’t change anything. I don’t think what I asked the groups to do changes anything, so that doesn’t need to change.

Ivan Herman: Right, what you asked for is what we need for going to PR for the whole lot.
… Don’t worry about that, that’s good to have.

Manu Sporny: Just look at the transition request.

Ivan Herman: Yes, please.

Brent Zundel: Thanks, let’s look at issue 60.

3.4. Delete misleading text about possible purposes for authentication (issue cid#60)

See github issue cid#60.

Brent Zundel: This is a suggestion or request to reword some text. The text in the current form of the document matches that in the opening statement so I don’t believe this has been addressed.

Manu Sporny: I remember changing text in the specification around authentication.

Manu Sporny: This is the spec text we have today: The authentication verification relationship is used to specify how the subject is expected to be authenticated, for purposes such as logging into a website or engaging in any sort of challenge-response protocol. The processing performed following authentication is application-specific.

Manu Sporny: That last sentence is the text that Mike asked for and there were assertions from other members in the group that the first sentence is fine as is.
… I would object to removal of examples because it very clearly highlights what the verification relationship can be used for.

Ivan Herman: For the records, my comment on this is in https://github.com/w3c/cid/issues/60#issuecomment-2414370219.

Brent Zundel: I don’t think we can make progress without Mike.

Manu Sporny: Yeah, we need to move forward, I’ll just put in the issue that I object to removing the examples.

Brent Zundel: The other thing would be adding more examples.

Manu Sporny: Agreed, we’ll just wait for Mike.
… The issue says “Defining a login protocol is out of scope” — and we’re not doing that so I think that’s a misread on what the spec says.
… We’re not defining a login protocol.
… I think he’s asking for the removal of something that adds clarity and we can come back to it once he’s on the call.

Brent Zundel: And just to clarify the five issues that you’re assigned to – you’re not feeling the need for input from the group, right?

Manu Sporny: That’s correct.

3.5. Context namespace does not exist (issue cid#136)

See github issue cid#136.

Brent Zundel: Context namespace does not exist. This is raised by and assigned to Ivan, what are next steps, Ivan?

Manu Sporny: We just changed the name and the examples aren’t working – so we need to publish.

Ivan Herman: We have a bunch of links that are temporary/wrong because we haven’t registered the shortname, so until we are in CR these links are broken, they will get fixed when CR happens.

Manu Sporny: +1 to that Ivan, so all the terminology references are broken too – I can’t merge things on DID core for example. This is a lot of broken links that will be resolved when we go to CR, but it’s causing issues in the meantime. I don’t know if there’s any reason why the ns stuff … it doesn’t have to do with publishing to TR…

Ivan Herman: It’s the publishing of the document that is the source of the problems.

Manu Sporny: It’s just the URL that’s being published and the name of the github version of the document path changed. If that’s updated then this issue is resolved, which doesn’t depend on TR space, I don’t think.

Ivan Herman: I have to check.

Manu Sporny: I think it’s just changing a URL in the ns space.

Ivan Herman: We have a more generic problem and I’ll look at this.
… Apart from that, we said we’ll do this official name change with CR and we could a working draft change and go through that and get this over with. It depends whether we want to do that as a separate process, which I’m not keen to do, but we could do that as well.

Brent Zundel: I don’t think that’s necessary.

Ivan Herman: Ok, good.

Brent Zundel: For #136, we’re going to see what’s still broken after we go to CR, right?

Ivan Herman: Yes.

Manu Sporny: Yes.

Brent Zundel: Ok, that’s the CID issues.
… Moving to bitstring status list.
… Let’s look at the open PRs first.

4. Bitstring Status List.

Brent Zundel: https://github.com/w3c/vc-bitstring-status-list/pulls.

4.1. added note clarifying that credentialSubject.id is not used (pr vc-bitstring-status-list#196)

See github pull request vc-bitstring-status-list#196.

Brent Zundel: There is one request for changes from Dave Longley.

Phillip Long: for #136 a note to the effect summarizing the conversation we just had might be helpful, at least to ubamrein.

Kevin Dean: Just to say that Joe is unable to join today, power outage, high winds, etc.

Brent Zundel: Yes, thoughts with Joe with the CA fires.

Kevin Dean: He feels that the PR is simple enough to be worked on without his presence.

Brent Zundel: Looks like Dave’s changes are editorial for the most part.

Manu Sporny: +1 to the PR as long as the changes go in, that’s it.

Brent Zundel: Any other comments? Our standard practice is to allow the PR author to accept changes so we shouldn’t move forward with those things regardless of how editorial they may be.
… If any other folks have comments – otherwise we can look at the issues next.
… PR #196 is going to address issue #184. I don’t believe we need to talk about that one.

4.2. Implementer’s feedback on multiple status entries in a single list (issue vc-bitstring-status-list#194)

See github issue vc-bitstring-status-list#194.

Brent Zundel: I think we’ve talked through horizontal reviews, so it looks like the issue to discuss is #194.
… Has the at-risk marker been removed?

Manu Sporny: No, I will take an action to do that.
… We’ve got the test suite going, and it’s still not showing any implementers for a feature there.
… The “status size > 1” thing.
… We’re still waiting on two independent implementations for that.

Brent Zundel: With Mesur.io’s and the implementation mentioned in the spec will cover the requirement, we’ll get with our resource and make sure we get that in.
… I believe we’re done with business today, thanks to Dave for scribing and thanks to all for your comments today.
… We’re very close to wrapping things up, thanks everyone!