18:57:38 RRSAgent has joined #vcwg 18:57:39 logging to https://www.w3.org/2022/10/12-vcwg-irc 18:57:41 RRSAgent, make logs Public 18:57:42 please title this meeting ("meeting: ..."), kristina 18:57:46 Meeting: Verifiable Credentials Working Group Telco 18:57:52 brentz has joined #vcwg 18:57:52 Chair: Kristina 18:58:24 gkellogg has joined #vcwg 18:58:57 present+ 18:59:23 present+ 19:00:38 markus_sabadello has joined #vcwg 19:01:12 mprorock has joined #vcwg 19:01:23 present+ 19:01:35 TallTed has changed the topic to: VCWG 2022-10-12 Agenda: https://lists.w3.org/Archives/Public/public-vc-wg/2022Oct/0003.html 19:02:07 selfissued has joined #vcwg 19:02:12 present+ 19:02:12 present+ 19:02:20 present+ 19:02:25 dmitriz has joined #vcwg 19:02:29 present+ 19:02:58 decentralgabe has joined #vcwg 19:03:01 present+ 19:03:03 what's the scribe nick incantation? 19:03:05 present+ 19:03:11 present+ 19:03:12 scribe+ 19:03:43 kristina:

19:03:49 q+ to review PRs for vc-data-model and vc-data-integrity 19:04:24 manu: is now an appropriate time to review PRs? 19:04:27 ack manu 19:04:27 manu, you wanted to review PRs for vc-data-model and vc-data-integrity 19:04:42 kristina: let's do intros / special topics, and then move to PRs 19:04:52 Logan_Porter has joined #vcwg 19:04:57 Orie has joined #vcwg 19:05:01 shawnb has joined #vcwg 19:05:01 present+ 19:05:09 present+ 19:05:24 Pzemek: hi I'm Pzemek from MasterCard (Cyber and Intelligence Division), working on Identity there. Excited to be here. 19:05:49 present+ 19:06:03 Steve_C has joined #vcwg 19:06:07 present+ 19:06:49 kristina: first item - IRC etiquette 19:07:06 ... at the last call, Ivan proposed starting a second IRC channel (to contain side-conversations on IRC during the call) 19:07:12 ... which was a fair observation. 19:07:41 ... so, we had the discussion with chairs, editors and Ivan. consensus was: we don't want a second IRC channel right now, but want to reinforce the etiquette -- when using IRC, please be mindful to keep the conversation relevant to the topic 19:08:00 ... what you're typing (without a '/me ' preceding it) will go onto public record, so please be mindful 19:08:20 ... so if you feel the need to add off-topic comments, please use /me, which won't go into the minutes 19:08:27 q+ 19:08:31 Przemek_Praszczalek has joined #vcwg 19:08:40 Steve_McCown has joined #vcwg 19:08:41 ack brentz 19:08:49 brentz: thanks Kristina. I second everything Kristina said; Ivan did admit that proposing an entirely separate IRC channel for snark & side-convos was slightly extreme 19:09:11 ... but really, we're just asking to do three things. 1) whenever your comment is snark, use emote options. 19:09:39 ... we want people to feel free to make comments pertinent to the conversation as it happens. you don't need to emote those. but we don't want the IRC conversations and the call's conversation to diverge 19:09:55 q? 19:09:56 kristina: thanks Brent. any questions related to this? 19:10:20 ... moving onto the next topic 19:10:21 In case you want to join the W3C Slack channel, and post your snark there too: https://w3ccommunity.slack.com/archives/C0456S64PPF 19:10:24 topic: Special Topic Calls 19:10:42 kristina: this is related to the conversation we had last week, issue #929 "What does JSON-LD compatible mean?" 19:10:51 ... the chairs are not yet ready to take resolution on this topic. 19:10:58 ... we'd like to continue the conversation and discussions. 19:11:17 ... but because we do need to move forward the Data Model & other docs, we would like to organize a Special Topic Call on various issues 19:11:39 ... and issue #929 was recently closed, and Manu kindly offered to re-open individual issues for separate topics in that thread 19:11:51 ... and Brent has kindly agreed to organize special topic calls when needed 19:11:51 q? 19:12:13 q+ to review PRs for vc-data-model and vc-data-integrity 19:12:13 topic: Work Item Status Updates and PRs 19:12:32 ack manu 19:12:32 manu, you wanted to review PRs for vc-data-model and vc-data-integrity 19:12:48 mprorock_ has joined #vcwg 19:12:58 manu: VC-data-model / #924 -- we'll skip that 19:13:03 https://github.com/w3c/vc-data-model/pull/924 we're going to discuss today 19:13:11 ... 943 has been opened as a counter-proposal 19:13:17 Counterproposal for #924 https://github.com/w3c/vc-data-model/pull/943 19:13:18 apologies, related to the previous discussions, but link to the issue that has been closed, which also has links to the new issues that manj broke down into: https://github.com/w3c/vc-data-model/issues/929 19:13:29 manu: so I expect that we should discuss that today as well; those two issues are just two sides of the same coin 19:13:36 https://github.com/w3c/vc-data-integrity/pulls 19:13:36 ... so that's it for data model pulls 19:13:52 ... as far as Data Integrity pull requests, there is a PR to add an initial JSON-LD context for data integrity 19:13:54 Add initial JSON-LD Context for Data Integrity -- https://github.com/w3c/vc-data-integrity/pull/61 19:14:02 ... that is also related to the discussion we want to have today 19:14:14 Refactor Generate Proof algorithm -- https://github.com/w3c/vc-data-integrity/pull/62 19:14:17 ... and then there's some cleanup work happening in PR #62, which refactors the Generate Proof algorithm 19:14:40 ... the take-away at this point is -- there are only 2 more algs that need to be refactored in the Data Integrity work, and then I believe it's ready for a FPWD 19:14:55 ... so let's say, the end of this month, we're likely to be in a position to call for a First Public Working Draft for Data Integrity and other specs 19:15:06 gkellogg has joined #vcwg 19:15:15 Links to implementing Data Integrity streamlining: https://github.com/w3c/vc-data-integrity/pull/61#issue-1402344013 19:15:27 ... the other thing to pay attention to -- here's a link to implementing Data Integrity streamlining 19:15:39 ... we discussed the DI spec at W3C TPAC. there is now a JSON-LD context for that 19:15:53 ... there is an implemented Cryptosuite (something called 'eddsa-crypto' suite) (sp?) 19:16:06 gkellogg has joined #vcwg 19:16:11 s/eddsa-crypto/eddsa-2022/ 19:16:12 how is this related to PR 943, counterproposal to removing proofs in vc-data-model 19:16:22 ... there's going to be a spec very shortly for it 19:16:28 ... there's an implementation, and a conformance test suite 19:16:48 ... so pay attention to that, if you haven't been following Data Integrity, since that will be moving faster 19:17:25 kristina: the PR #61 is similar to vc-data-model PR #943? 19:17:38 manu: close. One is about establishing a context that has nothing to do with VCs, that's just data integrity related 19:17:49 ... in the vc-data-model, we're saying -- let's pull the DI context into the core VC context 19:17:58 q? 19:17:58 kristina: thanks 19:18:18 kristina: editors of JWT VC and JSONSignature2020, can you please report on the status? 19:18:57 selfissued: Orie and I need to address the comments on the PRs, including those by Kristina, 19:19:02 ... none of them make normative changes 19:19:12 kristina: any update on JsonWebSignature? 19:19:27 Orie: we're almost there. we have a PR that's been open since August 10, and it involves a context change, 19:19:31 https://github.com/w3c/vc-jws-2020/pull/24 19:19:33 ... and it has 3 people who have commented on it. 19:19:39 ... it's not looking super good in terms of engagement 19:19:54 q+ to note some synchronization might be needed between jws-2020 and data-integrity. 19:19:58 ... so either there's not a lot of interest in the group on this, or my pleas for engagement are going unheeded 19:20:09 ... so please weigh in, add your comments, PR approvals, etc. 19:20:20 ... and make it clear if you're requesting changes, or if you're against the whole thing 19:20:40 ... otherwise, it's impossible for the PR author (me in this case) to resolve your feedback 19:21:01 ... I'd like to merge this PR, to set a foundation for some of the semantic processing associated with WebSignature2020 19:21:12 ... I've tested it out, it has behavior that I like more than the current implementation 19:21:13 i would like this merged as well for similar reasons when looking at data in a node graph 19:21:16 ack manu 19:21:16 manu, you wanted to note some synchronization might be needed between jws-2020 and data-integrity. 19:21:20 manu: it's not related to this PR, but in general, 19:21:43 ... Orie and anyone who's working on the jws-2020 spec -- I've updated the core spec to be more inclusive of other algorithms / different ways of doing things 19:22:01 ... Orie, you're still using the 'jws' property, and I've made an affordance in the DI spec to account for that 19:22:08 ... I was wondering if we could unify on 'proofValue' 19:22:17 ... or would you prefer to continue using 'jws' 19:22:23 Is there an issue to track that 19:22:24 ? 19:22:25 ... so, there's something for us to discuss, and I just wanted to raise awareness 19:22:31 Nope :) 19:22:42 I will comment on issues when linked / requested. 19:22:50 manu: I'll open an issue 19:22:52 q? 19:22:55 q+ 19:22:59 kristina: ok, that concludes our updates on PRs and issues for the items 19:23:03 ack mprorock_ 19:23:13 mprorock: Manu, are you asking that in the 'proof' block, we change 'jws' to 'proofValue'? 19:23:22 manu: yeah, there's some upsides & downsides to doing that. I'll raise an issue 19:23:27 Related to the open PR... https://github.com/w3c/vc-data-model/pull/943/files#diff-267b7e47789daf9a1d312b42826aa937a1bb5af4312ee90df6b8a64cd6426f4fR146 19:23:44 kristina: let's move to the next topic 19:23:48 topic: PR #924 19:23:53 subtipic: https://github.com/w3c/vc-data-model/pull/924 19:23:56 kristina: manu has briefly mentioned it 19:24:07 ... brief overview -- Orie did a PR removing 'proof' from the VC @context 19:24:19 s/subtipic:/subtopic:/ 19:24:19 ... there is another PR that's a counter-proposal (to keep the proof) 19:24:34 q+ to make my case / comment. 19:24:40 ... anyone who would like to speak to move this forward? 19:24:41 ack Orie 19:24:41 Orie, you wanted to make my case / comment. 19:24:42 q+ 19:25:10 Orie: so, in the conversation on that open issue, Manu and I talked about how to move the item forward, and he's implemented a path forward for adding a 'proof' definition for Data Integgrity to the VC context 19:25:17 Phil-ASU has joined #vcwg 19:25:17 ... this is a valid path forward, and I'm happy to close my PR. 19:25:28 ack manu 19:25:29 ... I asked for a counter-proposal, and it was given. so unless anyone objects I'll close my PR 19:25:50 manu: does everyone understand the ask? 19:26:06 ... Orie, not everyone on the call may understand what's being proposed in the PRs 19:26:17 ... we can ask if anyone has objections, but I'm just concerned people are unclear 19:26:20 I'll sheepishly admit that I don't fully understand - I'm about 60% of the way there. 19:26:21 kristina: that's a fair point 19:26:34 q+ to try and cover what's being discussed. 19:26:40 ... Orie would you like to comment? 19:26:52 Orie: I invite people to look through the comments / conversation in the issues 19:26:57 ack manu 19:26:57 manu, you wanted to try and cover what's being discussed. 19:27:03 manu: ok, let me see if I can explain 19:27:21 ... so, fundamentally, the question is -- to what lengths should we go to, to make people's lives easier, when they're developing VCs (using JSON-LD)? 19:27:36 ... for those developers, do we want to give them an easy way of covering 80% of the types of proofs that might be attached to a VC 19:27:49 ... so the whole question is -- do we want to create a base format for a Data Integrity proof, that's batteries included 19:28:04 ... meaning, when somebody includes the VC v2 context, for most usecases, they can just attach a DI proof 19:28:08 ... that's what my PR does 19:28:40 ... basically says - for devs using the v2 context, they don't have to painstakingly look through a registry of proofs, and copy and paste the context for that proof type, they can just use it 19:28:53 q? 19:29:03 ... the counter-argument was -- 'you're favoring DI stuff', to which the reply is -- if you don't care about JSON-LD, then this doesn't affect you 19:29:13 ... this whole thing does not hurt or affect JWT VCs 19:29:27 ... it just makes JSON-LD dev experience easier; cuts down on too many cryptosuite contexts from being created 19:29:39 ... so, it offers upsides for DI users, while not dis-enfranchising JWT users 19:29:42 q+ 19:29:50 ack shawnb 19:30:01 shawnb: just wanted to say thank you, Manu, that was helpful, and I see the connection between the PRs. I think this is great 19:30:22 +1 to the explanation and support closing 924, as well. 19:30:30 kristina: so, what's on the table is closing #924 19:30:40 ... any objections? 19:30:43 +1 to close #924 19:30:47 +1 to close 19:30:49 +1 to close #924 19:30:52 +1 to close 19:30:54 +1 19:30:54 I opened it, I closed it. 19:30:58 :) 19:31:00 +1 19:31:12 kristina: I see multiple +1s in the chat, let's give it a moment. Oh, I see Orie closed it (since he's the one who opened the PR) 19:31:42 kristina: ok, the counter-PR was opened 3 days ago, let's give people a few more days to comment on it 19:31:49 ... ok, let's move to issues discussion 19:31:52 topic: Issues Discussion 19:31:58 subtopic: https://github.com/w3c/vc-data-model/issues?q=is%3Aissue+is%3Aopen+label%3Adiscuss+sort%3Aupdated-asc 19:32:27 kristina: I looked through the issues, and I wanted to cover -- so, most of them we have covered once already, in these WG calls within the last 2 months 19:32:40 ... and most of them don't have activity after that 19:32:58 ... so, I picked several that have enough new comments that we haven't discussed 19:33:07 subtopic: https://github.com/w3c/vc-data-model/issues/914 19:33:08 ... the first one was #914 where Brent added the label 'discuss' 19:33:17 kristina: de-referencing relative to issuer 19:33:23 .... Brent was asking the question 19:33:29 ... Orie or Brent -- any comments? 19:33:36 Orie: an issuer is a well-understood term at this point 19:33:45 ... you can use the term definition from VC spec 1.1 19:34:06 ... in the case of a Data Integrity proof, there's a wel-defined relationship between the issuer, the verificationMethod, and the proof 19:34:07 dwaite has joined #vcwg 19:34:16 ... so in a DI proof, as a developer, I know what to do with a key and how to verify 19:34:24 ... in the context of JWTs, it's completely un-defined 19:34:40 ... this may be shocking, you may ask -- how can I use JWTs if I don't know how to obtain the public key? 19:35:00 ... I'm confused as well. I've worked on some documents at DIF a while ago, to make it easier to understand how to obtain the key material, with a JWT VC 19:35:17 present+ dwaite 19:35:18 ... there's a few options we discussed, the most widely adopted is unfortunately my fault, it's to use a 'kid' value that is an absolute reference to the key material 19:35:40 ... that you use to verify the VC. the security risk there is -- if you're just de-referencing the material from kid, there's a chance that the kid and issuer don't agree 19:36:12 ... so, you can see here in that example, if we take the 'iss' and 'kid' together and use those, that might work, but it's different from what I've seen in the wild 19:36:21 ... which was - an absolute 'kid' vs relative url 19:36:22 +1 orie 19:36:30 zakim, who is here? 19:36:30 Present: brentz, kristina, mprorock, markus_sabadello, selfissued, TallTed, dmitriz, dlongley, manu, decentralgabe, Orie, Logan_Porter, shawnb, dlehn, dwaite 19:36:34 On IRC I see dwaite, Phil-ASU, gkellogg, mprorock_, Steve_McCown, Przemek_Praszczalek, Steve_C, shawnb, Orie, Logan_Porter, decentralgabe, dmitriz, selfissued, markus_sabadello, 19:36:34 ... brentz, RRSAgent, Zakim, kristina, Karen, TallTed, tzviya, npd, Mike5Matrix, cel1, cel[m], Github, bumblefudge, stonematt, shigeya, dlehn1, Dongwoo, dlehn, bigbluehat, 19:36:34 ... hadleybeeman, dlongley, manu, rhiaro 19:36:38 q+ to note concern both ways -- but issuer + proof.verificatioNMethod seems dangerous. 19:36:40 ... but basically, we need a consistent definition of how to obtain a public key for a JWT 19:36:41 kristina: thanks Orie 19:36:44 ack manu 19:36:44 manu, you wanted to note concern both ways -- but issuer + proof.verificatioNMethod seems dangerous. 19:36:48 manu: +1 to providing guidancfe 19:36:59 ... we should do that, since this has come up multiple times, and we keep making different decisions 19:37:14 ... the thing that stands out to me that feels dangerous, is the whole 'iss' + 'kid' approach 19:37:23 ... which presumes that the verification method is always relative (or can be relative) 19:37:33 ... this is dangerous because it presumes that the 'iss' property always exists 19:37:45 ... but for Data Integrity proofs, they can be applied to non-VC objects 19:37:46 q+ point of order, issuer is required 19:37:52 q+ tp point of order, issuer is required 19:37:55 ... in use cases where there's no issuer 19:37:57 q+ to point of order, issuer is required 19:38:04 present+ kdean 19:38:13 manu: if 'kid' is /always/ a relative URL and it's enforced, then that might be ok.. 19:38:40 ... I'll also note that there are valid concerns about putting absolute URLs everywhere 19:38:43 ... where the key that's signed is different from the 'iss'uer URL 19:38:49 ... some people look at that as a feature, some as a bug 19:38:50 present+ Phillip_Long 19:38:52 ack Orie 19:38:52 Orie, you wanted to point of order, issuer is required 19:39:04 Orie: so, the example that I've shown, with 'iss' + proof verificationMethod was confusing 19:39:18 ... in a VC that uses a DI proof, you only need proof.verificationMethod to obtain the key material 19:39:20 ok, thanks Orie, that's helpful. 19:39:36 q+ 19:39:36 +1 Orie, ran into this exact issue this week when implementing resolving keys + verifying jwt-vcs 19:39:43 present+ Steve_C 19:39:45 ... as far as I'm aware, you're not required to enforce that the key used to sign a VC is controlled by the issuer 19:39:54 ... I've seen libraries that check for this, and I've implemented that myself 19:39:56 +1 to Orie, thanks for clarifying 19:40:06 ... anyways, so this issue is -- how did you get to that key material in the first place 19:40:13 present+ Steve_McCown 19:40:19 ah, I think I see... 19:40:21 Orie: the other point I don't agree with that Manu made 19:40:40 ... is that DI proofs apply to things that aren't VCs. I agree that that's true, but VCs /require/ issuers 19:40:52 q? 19:40:58 ... so one is not going to encounter a situation, in the context of this WG, where that would happen, unless we make normative changes 19:41:01 ack markus_sabadello 19:41:13 markus_sabadello: I agree, it feels like this should be defined (wrt relative IDs) 19:41:28 q+ 19:41:30 ... in the JSON-LD perspective, such a relative ID would be resolved relative to the 'id' field, rather than the 'issuer' field 19:41:36 q+ to note why issuer and verificationMethod might be different.... and yes, "relative to what" is one of the issues here. 19:42:00 ack decentralgabe 19:42:04 decentralgabe: I'm curious where the normative change needs to be. is this something that the VC JWT spec can handle? 19:42:11 q+ to note "JSON-LD is relative to document BASE" 19:42:12 ack manu 19:42:13 manu, you wanted to note why issuer and verificationMethod might be different.... and yes, "relative to what" is one of the issues here. and to note "JSON-LD is relative to 19:42:13 ... document BASE" 19:42:13 To be clear, I am NOT suggesting `proof.verificationMethod` be ANYTHING other than an absolute IRI to a verificationMethod 19:42:39 I am pointing out that people still have questions about relationship to issuer. 19:42:40 manu: ok, so what Orie just said (in chat) -- great, I totally agree with that 19:42:49 ... so what's our further question... 19:42:50 q+ to ask if we can say that this is specific to VC-JWT 19:43:02 manu, we are talking about this: https://github.com/digitalbazaar/vc-js/blob/main/lib/CredentialIssuancePurpose.js#L72 19:43:03 manu: how about this -- let me try and state a question and provide an ansewr 19:43:21 manu: do we want relative URLs associated with any kind of key material in DI proofs. and the answer is, absolutely not. we should have absolute URLs everywhere 19:43:27 ... does anyone object or disagree? 19:43:37 q+ 19:43:38 q+ to explaint CWT / JWT use cases. 19:43:39 ... introducing relative URLs, especially around key material in DI proofs, is asking for trouble 19:43:49 ... since as Markus points out, there are ways to change the base URL 19:44:15 ... all that to say, for DI proofs, absolute IRIs are required any time there's key material. not sure what to do for JWTs 19:44:17 ack dlongley 19:44:17 dlongley, you wanted to ask if we can say that this is specific to VC-JWT 19:44:30 dlongley: if we haven't done this already (in the DI spec, we were going to specify this) 19:44:43 ... that the base URL for a VC /must/ be null 19:44:48 ... which would enforce the usage of absolute URLs 19:44:56 +1 for absolute URLs in proofs, etc. 19:45:01 iss: did:example:123, kid: #key-1 .... is safer. 19:45:04 ... what I wanted to ask about -- is what Orie asking specific to JWTs? 19:45:13 +1 to ack selfissued 19:45:17 ack selfissued 19:45:20 selfissued: this may be more of an analogy to think about, 19:45:34 ... rather than directly actionable, but - JWT key ids just tend to be locally unique IDs, not URLs 19:45:46 ... you get the key from a .well-known off of the issuer, or something along those lines 19:45:59 ... so I'm sympathetic to 'kid's being local to the context of key retrieval 19:46:04 yep... the DIF vc-jwt implementation made it up... because there was no guidance. 19:46:09 ... I know that doesn't answer the question of where do you get the keys. 19:46:12 which hurt us all. 19:46:18 ack Orie 19:46:18 Orie, you wanted to explaint CWT / JWT use cases. 19:46:23 ... but I think that should be separate from requiring kid from being absolute URLs. that would be overkill 19:46:42 Orie: as many of you, I'm interested in compact representations, where we don't repeat information, and I'm also interested in building safe APIs 19:46:55 ... in the context of VCs -- I'm going to focus on JWTs and JOSE for a sec 19:47:04 ... there are some usages, in the JOSE spec, that are more or less safe 19:47:14 ... and we should discuss on whether we should allow both, or ONLY require safe usages 19:47:37 ... and Mike is right -- the definition for 'kid' is that it's an opaque hint, it's not a direct absolute IRI, it doesn't provide key resolution advice 19:47:53 ... if we were to say nothing (in the VC spec), in my opinion it would be very harmful, in using JOSE with JWT 19:48:04 ... because 'kid' is something a developer expects to be helpful 19:48:18 +1 to "we should explain exactly how to use iss/kid in VC-JWT" 19:48:19 ... we should explain why 'kid' is valuable and helpful, and how we should use it to get the key material 19:48:22 q+ 19:48:30 ... regarding the duplicate info piece, I propose that we should break the convention 19:48:42 q+ to ask "what's the security issue"? 19:48:44 ... that 'kid' should be an absolute URL, and I think that's a mistake now 19:48:59 ... so I would propose we use 'iss' + 'kid' together, instead 19:49:10 ... it's safer, and would allow us to have clearer guidance for implementers 19:49:18 +1 to iss and kid 19:49:19 ... if we don't give that guidance, they could do multiple different things 19:49:29 ... but devs will for sure be doing extra work 19:49:50 ... so we should plan to make their lives easier by dictating one consistent way of how to obtain the key materials for a JWT 19:50:03 ... so while it's possible to leave optionality in, wrt key resolution, I don't think we should 19:50:08 kristina: thanks, Orie 19:50:11 +1 to removing optionality wrt. key resolution with respect to VC-JWT. 19:50:31 ... so, do we want to provide guidance on what to do with 'kid's in a JWT VC? 19:50:35 ack selfissued 19:50:42 selfissued: again, I'll make an analogy to other solutions 19:50:51 ... in OIDC4VC work, we do retrieve the keys based on the issuer 19:50:59 ... now, there is a case statement, which I think is ok, 19:51:19 ... if the URL of the issuer is a DID, you retrieve the DID keys. if the URL is an https:// url, you tack on a .well-known/ identifier, and get the keys from that place 19:51:27 ... and I think we'd do well in the VC 2.0 spec to do something similar 19:51:37 ... recognizing the different affordances with DIDs and HTTP URLs 19:51:47 ... but it would be good to have a normative retrieval method, yes 19:51:51 ack manu 19:51:51 manu, you wanted to ask "what's the security issue"? 19:51:53 +1 to normative guidance on retrieving public keys. 19:51:54 +1 for normatively described ways to get the keys 19:52:07 manu: real quick, +1 to what Mike was saying, and to what Orie was saying -- we should be super clear, eliminate optionality 19:52:16 ... and that's what people are suggesting, let's provide guidance for VC JWTs 19:52:40 ... my concern is that we may not be thinking --- iterating though every single scheme (did, http) might be difficult. but what about people who want to use other schemes, IPFS, etc? 19:52:48 ... that's challenging (the 'case' statement grows) 19:52:49 We can't comment on identifier formats that are not standards. 19:52:57 ... presuming we might do a relative URL thing might also be problematic 19:53:11 ... this may not match every type of protocol scheme 19:53:20 ... the only way you could be sure, is by having an absolute URL in 'kid' 19:53:29 Orie: well, we can comment on that -- we could say that how you fetch the keys depends on the identifier format and only these N are defined by the spec 19:53:31 ... I think we're presuming a security issue 19:53:48 ... the only thing I can think of here is -- 'iss' is a totally different URL from the URL in 'kid' 19:53:59 ... like, if the issuer is a university, then the issuer URL would be the homepage 19:54:12 FWIW, I could live with `kid` MUST be absolute or `kid` MUST be relative to `iss`... I can't live with both. 19:54:13 q? 19:54:14 ... but if the university is using an HSM to sign it, or a hosted key provider, then the 'kid' might be on a totally different domain 19:54:23 ... so that's my concern -- in the rush to provide clear guidance 19:54:40 ... (such as 'one of them is relative to the other one'), we'll eliminate valid use cases 19:54:49 ... to be clear, I think absolute IRIs are the thing to do, but I'm interested in people who disagree 19:54:58 q+ 19:55:01 +1 to absolute IRIs 19:55:03 ack Orie 19:55:23 Orie: concretely, the security issue is -- I create a JWS signature tomorrow, and I have 'iss' that's one value, and the 'kid' is a DID key URL, 19:55:31 ... then it will always resolve, and there's no way to revoke it 19:55:35 ... so the VC will always verify 19:55:51 ... and to protect against that, we'd need to add additional text, such as 'hey, make sure this key is controlled by the issuer' 19:55:52 there needs to be a trusted link between the issuer and the key. 19:56:01 ^^ yes, that. 19:56:05 ... and we'd need to have a per-protocol discussion for the relationship between iss and kid 19:56:11 q+ 19:56:22 ... the comment about that we don't know the various identifier schemes, I don't think that matters -- 19:56:30 q+ to propose a security model that Data Integrity uses as a solution for this problem. 19:56:40 ... we can define the schemes we expect to see in the wild. if somebody can make a case for another type of identifier, let them come forth 19:56:40 +1 to defining key retrieval methods for the URL types that we do expect to be used 19:56:49 ... we shouldn't wait, to provide clear guidance 19:56:56 ack dwaite 19:57:18 dwaite: the reason 'kid' is defined as a hint, is because you need to know, for a given kid, is that it's something an issuer vouches for 19:57:25 ... DIDs provide a way to enforce this 19:57:33 ... for OIDC4VC, we provided a different mechanism 19:57:36 dwaite is giving a good argument for why `kid` and `iss` should be used together IMO... it would be safer to use relative. 19:57:45 +1 dwaite 19:57:59 ... the issue with having absolute URIs -- we still have to define how does somebody enforce / check that the issuer controls the kid? 19:58:14 Orie: it being "relative" is just a shortcut to getting a trusted link / attestation from the issuer that the key is, in fact, theirs and intended to be used to sign a VC. 19:58:14 ... so, they can be relative, maybe the 'kid' is not a URI but a fragment, but there still has to be a way 19:58:26 ack manu 19:58:26 manu, you wanted to propose a security model that Data Integrity uses as a solution for this problem. 19:58:27 ... of how to go from an issuer to the key, or if the key is trusted by the issuer 19:58:47 manu: here's how this is solved Data INtegrity -- you HAVE to ensure there's a bi-directional link between issuer and key 19:59:02 ... so, you go to the controller document (such as the DID doc), and you verify that the key is authorize3d 19:59:13 ... clearly we need to have further discussion, but I'm confident we can unify the guidance 19:59:25 kristina: thank you, everyone. Orie, anything we can do in this issue, to clarify? 19:59:49 Orie: comment on the issue, make concrete proposals we might discuss on the follow-up call 19:59:55 ... we need more engagement on issues 19:59:58 kristina: agreed 20:00:12 ... we encourage everyone to make proposals, add comments to the issue, so we can make progress 20:00:19 decentralgabe has left #vcwg 20:00:43 rrsagent, draft minutes 20:00:43 I have made the request to generate https://www.w3.org/2022/10/12-vcwg-minutes.html kristina 20:00:51