Verifiable Credentials Working Group Telco — Minutes

Date: 2025-02-05

See also the Agenda and the IRC Log

Attendees

Present: Ivan Herman, Denken Chen, Hiroyuki Sano, Mahmoud Alkhraishi, Brent Zundel, Ted Thibodeau Jr., Manu Sporny, Kevin Dean, David Chadwick, Joe Andrieu, Kaliya Young, Benjamin Young, Dave Longley, Paul Ziv, Jennie Meier, David Lehn

Regrets:

Guests:

Chair: Brent Zundel

Scribe(s): Joe Andrieu, Manu Sporny

Content:

Brent Zundel: we’ll start today with a report out from security group.
… then CID, then JOSE-COSE.
… any introductions?

1. Security group meeting.

See github issue vc-data-model#1575.

Manu Sporny: all the review requests?

See github issue security-request#81.

Manu Sporny: A couple of us joined the first meeting of the security interest group yesterday.
… we discussed VCDM and a variety of topics including their upcoming review queue.
… We wanted answers about (1) the review.
… they raised an issue asking us to restructure part of the spec.
… We mentioned that would be a burden.
… They agreed, that would be a challenge and this is a more long term ask.
… They didn’t find any particular problems with the spec, so we are cleared to go to spec.
… Second, they said that any threat modeling work… if they request a more complete threat model that does not apply to the recent proposed REC things we are trying to do.
… They believe that SING plus the threat modeling CG will publish notes about threat models related to VCs, JOSE-COSE, etc. And tha twork will likely take several months.
… So that work won’t be a blocker.
… We said we’d be willing to help.

Manu Sporny: https://lists.w3.org/Archives/Public/public-vc-wg/2025Feb/0000.html.

Manu Sporny: I’m going to copy/past some of the proposed rec docs.

Manu Sporny: Verifiable Credentials Data Model v2.0.
Manu Sporny: https://w3c.github.io/vc-data-model/transitions/2025/PR/.
Manu Sporny: Verifiable Credential Data Integrity 1.0.
Manu Sporny: https://w3c.github.io/vc-data-integrity/transitions/2025/PR/.
Manu Sporny: Data Integrity ECDSA Cryptosuites v1.0.
Manu Sporny: https://w3c.github.io/vc-di-ecdsa/transitions/2025/PR/.
Manu Sporny: Data Integrity EdDSA Cryptosuites v1.0.
Manu Sporny: https://w3c.github.io/vc-di-eddsa/transitions/2025/PR/.
Manu Sporny: Bitstring Status List v1.0.
Manu Sporny: https://w3c.github.io/vc-bitstring-status-list/transitions/2025/PR/.

Manu Sporny: One thing did come up. They confirmed they have not done security reviews of DI, CIDs, [and a few others], but they are at the top of the queue.
… We clarified we’ll put this up for proposed REC and hopefully they can get those reviews done before we more to next stage.
… We also offered our help to come up to speed with design intent, etc. They appreciated that for VC2.0 and would appreciate it for other specs.
… one of the chairs has actually implemented DI.
… so they have familiarity with the tech, it’s just a lot of work on their plate.
… That’s the report.

Ivan Herman: on the practical side, manu can you put in the issues that are revelant, especially the ones where we asked for review.
… Just add them to IRC.
… all the security ones (relevant to SING).

Manu Sporny: ok, I think that’s that.
… … one is the tracking issue for horizontal reviews, the other is the security request.

Brent Zundel: anything else on this topic?

2. VC Data Model.

Brent Zundel: https://github.com/w3c/vc-data-model/pulls.

Brent Zundel: ok. moving on. we have a PR on VCDM.

2.1. Exchanged references to Controller Documents to CIDs (pr vc-data-model#1589)

See github pull request vc-data-model#1589.

Brent Zundel: this updates references to CIDs in the spec.

Ivan Herman: there are six pull requests that are essentially identical in six different places.
… it’s nothing, really.
… the CID spec is now published. Short name is changed.
… It’s part of the reference generator used by respec.
… I went through all the document that I believe have adjusted all informative and normative references.

Manu Sporny: +1 to this PR and the others. Thanks for raising them.

3. Publishing administravia.

Manu Sporny: VCDM now has a reference to CID spec and if we take VCDM to proposed REC before CID, that’s ok per W3C process.
… I’m wondering if the publication team is going to have an issue if we don’t take them all at the same time.
… Like, VC-JOSE-COSE… we don’t know when SD-JWT will be at whatever state at IETF it needs to be.
… and VCDM we refer to VC-JOSE-COSE normatively. Which means we can’t take VCDM to global standard until the chain of dominos line up.
… I think we can argue that the spec is stable and our reference to it is stable because it’s just a recommendation.

Ivan Herman: unfortunately, you were not around when I raised the same issues last week.
… There are two aspects.
… First, personally (and management) would prefer to publish them all at the same time.
… We might do a press release about it, but that wants all the docs to be bundled.
… So the problem then is that they should be published at the same time.
… Specifically for JOSE-COSE, the judgment is that we CAN publish JOSE-COSE as a recommendation because the SD-JWT as a spec is technical stable as it goes through administrative process at IETF. That’s acceptable.
… If that is all correct, we won’t have a problem.

Manu Sporny: Excellent. That answered my questions.

Ivan Herman: that means we need to synchronize everything and do it in a single launch to AC vote as a block.

4. CID Issues.

Brent Zundel: there are a few future tracking things, but we can move to the next topic.
… One open PR that is updating echidna. We don’t need to look at that one.

Brent Zundel: https://github.com/w3c/cid/issues.

Brent Zundel: we’ll go through these issues.

4.1. Name conflict with “CID” acronym (“Content Identifier”) (issue cid#147)

See github issue cid#147.

Brent Zundel: there is a name conflict with the identifier with CIDs as used in IPFS.

Manu Sporny: this is them asking us to change the name of the spec again.
… I think they are concerned that people are going to confuse Content Identifiers with Controlled Identifiers. There are more acronyms that use CID.
… We’ve debated this to death.
… It took six weeks plus to do the actual rename.
… If we made a change at this point it would be a huge lift.
… The other argument is that the people providing this input are the bluesky and @proto folks, who don’t really care about controlled identifiers. They are building decentralized systems and they care more about DIDs.
… My suggestion is CIDs don’t meet their needs, so they shouldn’t use them.
… They are different communities: CIDs if for centralized community, DIDs are for decentralized.

Kaliya Young: I saw something go by about CIDs and I just rolled my eyes. What the heck are these and how are they different?
… it confused me. And I track this world a lot.
… I think this causes confusion.

Benjamin Young: I do think we need to be careful here. Fatigue is real. Burnout is real.
… I like to know if there is a streamlined way to do renaming.

Benjamin Young: ctrlid.

Benjamin Young: I was going to propose ctrlid.

Manu Sporny: -1 to ctrlid :(.

Benjamin Young: I think its unwise to say “there will not be conflict” when we have a conflict now.
… Its not fine right now.
… We are in a waiting period anyway.
… I don’t think this confusion is going to away.
… These groups do co-exist within the VC space. I don’t think we need to scare off friends if we can avoid it.

Ivan Herman: unfortunately there is no streamlined way to update.
… we’ve done this several times and each time it is a major pain.

Manu Sporny: I can’t express how much of a pain it is to do a spec rename.

Denken Chen: +1 to this confusion isn’t going away with other namings. We have discussed it a lot.

Manu Sporny: (and it’s not clear to me that the rename would be helpful).

Ivan Herman: It has to be formally republished, involving the webmaster, and must keep the provenance of the doc. Then additional things to get into spec-ref. This time it was at least a week.
… It’s a major pain.
… The other thing, is we have spent hours and hours on the naming.
… This is probably the longest and biggest thread in this spec.
… In the 24th hour, we probably should not reopen.

Manu Sporny: I think we’re /concerned/ about confusion between spec names – I’ll suggest that people were horribly confused about Decentralized Identifiers and Verifiable Claims/Credentials in the beginning as well.

Ivan Herman: I don’t think the world will collapse with this conflict.

Brent Zundel: We may have already mentioned: the ask is not to change the name of the spec, just the short name.
… Not to speak to our ability to come to agreement on a new name, but the scope isn’t the entire name.

Dave Longley: it’s clear there is confusion. But the mere existence of confusion doesn’t mean we should change the name.
… the question is how much trouble is it going to cause.
… These two techs do very different things, so I think the confusion will resolve quickly.

Manu Sporny: remember everyone was horribly confused when we put out decentralized identifiers?
… same thing with VCs: These are confusing, what are you doing?
… Assertions at each point that we are confusing the market.
… We also have people claiming things are VCs that are completely incompatible with the spec.
… So its natural that at first people might be confused.
… To Brent’s point, they are asking to change the acronym.
… We can make the change later if there really is confusion in the market.
… it took us a long time to get here.
… changing this at the last hour feels like a bad move.

Benjamin Young: if we are keeping the acronym, then anyhting we can do to put this in a completely different place…
… and communicate with that community how we are going to help with that confusion.
… I don’t think we’ll revisit it later.
… So we should clarify.

Manu Sporny: there is a subset of this community that wanted this specification.
… I don’t think most people building out VCs with DIDs care about CIDs at all.
… It half-solves the problem. It’s centralized.
… I don’t think there is overlap.
… You can use a CID to do things. But most of us aren’t going to use them.
… The deployment community for CIDs is non-existent today.
… The concept if VERY different from a content identifier. And if there is a concern about that being confusing in context, spell it out.

Brent Zundel: the use of CIDs outside their use as DIDs is virtually non-existent.

Manu Sporny: When you say “controlled identifier” and “content identifier” its clear what is meant.
… So don’t use the acronym where it might be ambiguous.

Kaliya Young: If people aren’t pushing to have the spec renamed, just the acronym. Then the acronym is the problem.
… I like the suggestion that it’s ‘ctrlid’.
… That makes it clear that its different.

Joe Andrieu: agreed with Manu. If the acronym is the problem, don’t use the acronym. The spelled out terms are clear.

Manu Sporny: just from a process perspective, can we take the short-name rename off the table, that is a huge impact for the team.

Benjamin Young: +1 for taking the shortname change off the table–since that seems to be where the cost/pain would be.

Ivan Herman: +1 to manu.

Manu Sporny: maybe we call it a CRID or CTRLID… but can we get some finality so editorial team can put together a proposed recommendation.

Dave Longley: +1 to either no change to the short name or do CRID and be done with it forever :).

Brent Zundel: before we go there, I have a suggestion.

Brent Zundel: what if we change “Controlled Identifiers (CIDs) v1.0” to “Controlled Identifiers v1.0”, but keep the short name “cid-1.0” as is?

Brent Zundel: what if we just changed the title?
… does that help anything?
… Then we back away from the officialness of the acronym.

Manu Sporny: +1 to that suggestion.

Denken Chen: +1 to that suggestion. The communities would pick their beloved short name afterwards.

Manu Sporny: then it just shows up in spec-refs, so I’ve been using expanded form, so you wouldn’t see CID anywhere.

Ivan Herman: minor change, the title.

Proposed resolution: change the title “Controlled Identifiers (CIDs) v1.0” to “Controlled Identifiers v1.0”, but keep the short name “cid-1.0” as is. (Brent Zundel)

Ivan Herman: +1.

Manu Sporny: +1.

Benjamin Young: +1.

Joe Andrieu: +1.

Denken Chen: +1.

Dave Longley: +1.

Jennie Meier: +1.

Ted Thibodeau Jr.: +1.

Hiroyuki Sano: +1.

Resolution #1: change the title “Controlled Identifiers (CIDs) v1.0” to “Controlled Identifiers v1.0”, but keep the short name “cid-1.0” as is.

Brent Zundel: hearing no objections.
… second issue in CID spec.

4.2. Authentication of a CID (issue cid#141)

See github issue cid#141.

Brent Zundel: might just be a small editorial change.

Manu Sporny: you’re just waiting on me to raise a PR.

Brent Zundel: that’s it. the rest are tracking issues.

5. VC JOSE COSE.

Brent Zundel: one more topic on the agenda.

Brent Zundel: https://github.com/w3c/vc-jose-cose/pulls.

Brent Zundel: two PRs, but one is the same as VCDM.

5.1. Correct application/vp+jwt Example (pr vc-jose-cose#327)

See github pull request vc-jose-cose#327.

Brent Zundel: This is in response to issue #325 a copy-paste error where values were identical in couple examples which was confusing.
… Happy to take comments, but this is going in and addresses the last issues of JOSE-COSE.

Manu Sporny: we are so beyond done for these specs :P.

Brent Zundel: Kudos to the group. This has been a remarkable amount of work.

5.2. Diagnostic mode in Cose examples.

Manu Sporny: +1 to your comments. I noticed that we generate examples, like signed examples, for JOSE-COSE, SD-JWT.
… I noticed the JOSE-COSE says they’d provide the data in diagnostic mode.
… but they don’t.
… I just put a feature last weekend for CBOR diagnostics. I could update that to handle COSE? Or we could remove “diagnostic mode” from the COSE examples.

Brent Zundel: i’m not finding what you mean.

Manu Sporny: you see the orange text?

Brent Zundel: I’m seeing something.

Manu Sporny: application/cbor/diagnostic (example 8 in VC-JOSE-COSE).
… that information is the same across all the examples.
… oh way, maybe not.
… but its definitely not CBOR diagnostic.

Dave Longley: is this something we can improve during maintenance with better tooling.

Brent Zundel: this is absolutely something that would fit in maintenance mode.

Manu Sporny: then let’s remove it for now. They can use the blob.

Brent Zundel: or we do nothing at all. is the other option.

Joe Andrieu: What does diagnostic mode do?

Manu Sporny: CBOR data is just a huge hex string, which isn’t very useful for humans. CBOR diagnostic mode will dump that out as JSON so you can see the structure and check it.
… the current thing that is shown isn’t helpful.
… It doesn’t tell me what the payload is or what the signature is.
… It’s showing me sometthing, but it’s not really CBOR diagnoatics and it isn’t helping.

Mahmoud Alkhraishi: About delete? Is that to delete the diagnostic part?

Manu Sporny: these are all autogenerated, so we would have to remove it from all of them.
… happy to remove it, but I’d rather not do anything.

Brent Zundel: argue that this is “not useful” rather than harmful.

Benjamin Young: we can shut off a given tab, e.g., the diagnostics tab.

Brent Zundel: turning it off should be minimal.

Manu Sporny: can’t turn the whole tab off.

Benjamin Young: that would be extra work. I misunderstood.

Manu Sporny: five minutes to make the change.
… currently, it looks like we don’t know what we are doing.
… I think it’s actively harmful.
… We don’t hurt anything by removing it. They can grab the blob and use a real CBOR tool.

Brent Zundel: Topic: Misc.
… that’s our agenda for today.
… thanks Joe. Thanks all.
… Next week’s call: we may have a PR or two, but we may cancel. (Probably).
… thanks all. See you in couple weeks.

6. Resolutions