15:27:34 <RRSAgent> RRSAgent has joined #vcwg-special
15:27:38 <RRSAgent> logging to https://www.w3.org/2024/01/09-vcwg-special-irc
15:27:38 <Zakim> RRSAgent, make logs Public
15:27:39 <Zakim> please title this meeting ("meeting: ..."), ivan
15:27:52 <ivan> Meeting: Verifiable Credentials Working Group Special Topic Call on Outstanding Issues/PRs
15:27:52 <ivan> Date: 2024-01-09
15:27:52 <ivan> chair: brent
15:27:52 <ivan> Agenda: https://www.w3.org/events/meetings/f6342df0-f7b5-4fc9-babd-61e55dc5fc2f/20240109T110000/
15:27:53 <ivan> ivan has changed the topic to: Meeting Agenda 2024-01-09: https://www.w3.org/events/meetings/f6342df0-f7b5-4fc9-babd-61e55dc5fc2f/20240109T110000/
15:30:45 <TallTed> TallTed has joined #vcwg-special
15:56:13 <brent_> brent_ has joined #vcwg-special
15:57:21 <ivan> present+
15:58:36 <DavidC> DavidC has joined #vcwg-special
15:58:44 <DavidC> present+
15:59:40 <ivan> present+ brent
15:59:41 <brentz> present+
15:59:49 <ivan> present+ TallTed
16:02:00 <ivan> present+ andres
16:02:10 <ivan> present+ will
16:02:26 <dmitriz> dmitriz has joined #vcwg-special
16:02:40 <andres> andres has joined #vcwg-special
16:02:44 <andres> present+
16:03:20 <ivan> present+ dmitriz
16:03:30 <ivan> present+ selfissued
16:03:49 <ivan> present+ JoeAndrieu
16:04:53 <selfissued> selfissued has joined #vcwg-special
16:04:57 <selfissued> present+
16:04:59 <selfissued> https://github.com/w3c/vc-data-model/pull/1404#pullrequestreview-1809578744
16:05:01 <will> will has joined #vcwg-special
16:05:03 <will> present+
16:05:30 <will> scribe+
16:05:46 <smccown> smccown has joined #vcwg-special
16:07:12 <manu> present+
16:09:49 <ivan> present+ smccown
16:10:16 <manu> q+
16:10:21 <will> brentz: welcome, special topic this week is the vc jose cose spec
16:10:36 <will> ... nearing candidate rec
16:10:59 <will> ... leaving it to mike to point us in the direction for this discussion
16:11:08 <manu> q-
16:11:44 <will> selfissued: over the hols manu and DavidC did thorough review. Resulting in some issues to address
16:11:46 <ivan> Topic: VC JOSE COSE spec prs
16:12:00 <will> ... A couple need some VG discussion to proceed
16:12:07 <selfissued> https://github.com/w3c/vc-jose-cose/issues/201
16:12:23 <ivan> subtopic: https://github.com/w3c/vc-jose-cose/issues/201
16:13:04 <will> ... this issue asks us to reinstate signing of jose jwt
16:13:07 <will> jws
16:13:22 <will> ... Currently the signing method in the spec is sd-jwt
16:13:54 <will> ... in a degenerate case it is compatible with jws accept it includes a tilde
16:14:17 <will> ... manu and DavidC pointed out that people were using JWS in v1
16:14:26 <ivan> present+ pauld_gs1
16:14:34 <will> ... given sd-jwt is not fully compatible with JWS maybe we should add JWS back in
16:14:41 <DavidC> q+
16:14:44 <manu> q+ to note that we have to stop saying that SD-JWT is "compatible with JWTs", and we don't have deployment signals that SD-JWT is the way to go, so perhaps we should put JWT back.
16:14:50 <ivan> present+ pdl_asu
16:14:58 <will> ... if we use JWS signature there is nothing selectively disclosable
16:15:21 <will> ... I am a proponent that standards should rely on standards, not working drafts
16:15:24 <brentz> ack DavidC
16:15:29 <pdl_asu> pdl_asu has joined #vcwg-special
16:15:33 <pdl_asu> present+
16:16:24 <will> DavidC: been looking at the specs. I raised an issue suggesting a draft saying how we create sd-jwt's for vcs. Then learnt it was in the JOSE spec
16:16:35 <will> ... not opposed to sd-jwt, think it is a good enhancement
16:16:49 <will> ... because you can produce both selectively and non selectively disclosable VC
16:17:13 <will> ... think there are incompatibilities in the title and abstract because it still refers to JOSE when it doesnt use this
16:17:24 <will> ... I raised three PRs to address this
16:17:34 <will> ... examples in the spec are quite confusing
16:17:45 <brentz> ack manu
16:17:45 <Zakim> manu, you wanted to note that we have to stop saying that SD-JWT is "compatible with JWTs", and we don't have deployment signals that SD-JWT is the way to go, so perhaps we should
16:17:48 <Zakim> ... put JWT back.
16:17:49 <andres> q+ to suggest we should do JOSE first, and SD-JWT later when it's ratified. SD-JWT will still need a way to go from VC data model -> JWT claims, before blinding claims.
16:18:04 <will> two points. First we need to stop saying that sd-jwt is compatible with regular jwts. It is not
16:18:28 <will> ... at least going to be a single char difference in the degenerate case
16:18:42 <will> ... if you are doing selective disclose your system needs to think differently
16:19:00 <will> ... we need to say this in the spec and be very clear about this
16:19:01 <ivan> s/two points. First/... two points. First/
16:19:52 <will> ... point 2 - with respect to support of sd-jwts, there is a lot of hope that sd-jwts will be the next big thing
16:20:12 <will> ... we need to support use cases that do not require selective disclosure
16:20:51 <will> ... if using json you can do selective disclosure. if using CBOR you can't. This is problematic
16:21:04 <DavidC> q+
16:21:07 <will> ... need to specify how you can just use regular JOSE rather than sd-jwt
16:21:11 <brentz> ack andres
16:21:11 <Zakim> andres, you wanted to suggest we should do JOSE first, and SD-JWT later when it's ratified. SD-JWT will still need a way to go from VC data model -> JWT claims, before blinding
16:21:14 <Zakim> ... claims.
16:21:39 <cabernet> cabernet has joined #vcwg-special
16:21:45 <will> andres: sd-jwt have requirement to go from vc data model to the payload that will be blinded by the issuer to decide which statments are selectively disclosable
16:21:49 <cabernet> present+
16:22:23 <will> ... I suggest we start with these JOSE first, sd-jwt is not a standard. Unclear what the timeline is for this
16:22:50 <will> ... went through a lot of debates about how to figure out the mapping. Want this to make it into the specs
16:23:07 <will> ... especially how we are mapping vc data model into claims in the JWS payload
16:23:11 <manu> +1 to what andres is saying.
16:23:17 <brentz> ack DavidC
16:23:18 <will> ... Think we need a way to secure things with regular JWS
16:23:33 <will> DavidC: sounds like a way forward would be to revert current spec to previous JOSE version
16:23:45 <will> ... Then have a new spec that is a profile of sd-jwt for VCs
16:23:53 <will> ... that can progress at the speed of the sd-jwt standard
16:24:06 <will> selfissued: let me respond to a few points
16:24:20 <will> ... manu you are right JOSE signing does not support selective disclosure
16:24:36 <will> ... might be added in future, but not reliable
16:25:12 <manu> q+ to note that we shouldn't pull out SD-JWT.
16:25:13 <will> ... Adoption of VCs in market is the ability to do selective dislosure and other privacy techniques
16:25:31 <will> ... not willing to rip of sd-jwt at this point. Would be willing to put JOSE back
16:25:42 <will> ... don;t think this is that hard
16:25:51 <brentz> ack manu
16:25:51 <Zakim> manu, you wanted to note that we shouldn't pull out SD-JWT.
16:26:03 <will> manu: +1 to keep sd-jwt. Would be bad to take it out
16:26:45 <manu> q+
16:26:46 <will> selfissued: Proposal: VC JOSE COSE will add JWS signing before CR
16:27:11 <JoeAndrieu> JoeAndrieu has joined #vcwg-special
16:27:16 <will> manu: clarification on this proposal. This is how to take a VC and express it in a vanilla JWT
16:27:24 <JoeAndrieu> present+
16:27:55 <will> ... any other variations of jose that you feel important to add in scope selfissued?
16:28:07 <will> selfissued: that is contentious, would rather leave that for now
16:28:20 <will> brentz: and clarifications of the proposal?
16:28:27 <brentz> Proposal: VC JOSE COSE will add JWS signing before CR
16:28:31 <manu> +1
16:28:32 <ivan> +1
16:28:34 <selfissued> +1
16:28:35 <brentz> +1
16:28:35 <will> +1
16:28:36 <andres> +1
16:28:38 <pdl_asu> +1
16:28:38 <DavidC> +1
16:28:40 <cabernet> +1
16:28:42 <JoeAndrieu> +1
16:28:42 <TallTed> +1
16:28:47 <dmitriz> +1
16:28:47 <pauld_gs1> pauld_gs1 has joined #vcwg-special
16:28:56 <ivan> present+ dlongley
16:29:00 <smccown> +!
16:29:06 <pauld_gs1_> pauld_gs1_ has joined #vcwg-special
16:29:11 <brentz> RESOLVED: VC JOSE COSE will add JWS signing before CR
16:29:16 <ivan> s/+!/+1/
16:29:16 <pauld_gs1_> present+
16:29:21 <manu> q+
16:29:33 <brentz> ack manu
16:29:36 <will> brentz: issue 201 is open to track this
16:29:57 <will> manu: one of the big mistakes with the jwt stuff in v1 and 1.1. was the mapping or not of iss to issuer
16:30:11 <will> ... we should not provide two ways to do this mapping this time round. We should be consistent
16:30:17 <will> ... hoping for text that makes this very clear
16:30:30 <will> ... think there are only three fields that we need to provide explicit guidance on
16:30:44 <manu> https://github.com/w3c/vc-jose-cose/issues/205
16:30:45 <will> ... raised issue 205 to track this
16:30:59 <ivan> subtopic: https://github.com/w3c/vc-jose-cose/issues/205
16:31:09 <will> selfissued: gabe has agreed to take this on. we agree there should be one way to do the mapping
16:31:27 <will> ... agree there is a small number of fields we want to say something about
16:31:32 <will> ... think we are on track
16:31:53 <selfissued> https://github.com/w3c/vc-jose-cose/issues/195
16:31:58 <will> selfissued: moving on to issue 195. To do with horizontal review
16:32:03 <will> ... more of a progress report
16:32:08 <brentz> subtopic: https://github.com/w3c/vc-jose-cose/issues/195
16:32:33 <selfissued> https://github.com/w3c/vc-jose-cose/issues/192
16:32:37 <will> ... This is related to issue 192
16:32:57 <manu> q+ to note that TAG isn't in the HR tracking?
16:33:17 <will> ... kyle didn't like language in the spec around securing with sd-jwt and JOSE. Neither result in a testable conformant statement
16:33:50 <will> ... manu raised an issue around conformance classes
16:34:05 <manu> q+ to agree with MikeJ/Gabe on how conformance classes can address Kyle's concerns.
16:34:15 <will> ... can satisfy Kyle by using conformance profiles to create testable statements
16:34:20 <brentz> ack manu
16:34:20 <Zakim> manu, you wanted to note that TAG isn't in the HR tracking? and to agree with MikeJ/Gabe on how conformance classes can address Kyle's concerns.
16:34:34 <will> manu: +1 I agree this would address mine and kyles concerns
16:34:53 <will> ... on issue 195, the TAG isnt in the HR tracking, may want to add
16:35:29 <will> ... We need to get a response from security before we close the issue
16:35:51 <will> ... Don't need it to go into CR, but don't close issues on other groups trackers
16:36:21 <will> brentz: I know review request was submitted in May 2023
16:36:56 <manu> https://github.com/w3ctag/design-reviews/issues/899
16:36:59 <will> ... TAG has an issue that is design review, that is closed on orie's request because of text changes
16:37:10 <will> ... new one has been opened. Issue 899 in september 23
16:37:35 <will> ... Looks like they are planning to discuss in the f2f in london this month
16:37:55 <will> selfissued: can you add this to Horizontal Review issue 195
16:39:45 <will> selfissued: another progress report - issue 206
16:39:57 <selfissued> subtopic: https://github.com/w3c/vc-jose-cose/issues/206
16:40:33 <will> ... this tracks the ask for more actionable description of verification and validation
16:41:06 <will> ... I have assigned this to myself
16:42:28 <selfissued> subtopic: https://github.com/w3c/vc-jose-cose/issues/214
16:42:50 <will> selfissued: sounds like this says the drafts published in diff places have different content
16:42:56 <will> ... maybe I misunderstood though
16:43:23 <will> DavidC: it may well be a tooling issue. All I know is two links take you to specs with different examples
16:43:31 <will> ... neither examples are wholly correct
16:43:31 <ivan> q+
16:43:42 <will> ... The examples should be a superset of both
16:43:50 <will> ... not sure what the base document is here
16:44:37 <will> ... there is some JSON in the spec with a VC. In one spec the spec contains the JSON of the VC. In the other it just shows the sd-jwt without showing the original VC
16:44:40 <will> ... we should include both
16:44:42 <brentz> ack ivan
16:45:06 <will> ivan: The github actions seem to be okay. Not looking into this further
16:45:27 <manu> q+
16:45:32 <will> ... I know in VCDM document, there is some transformation of the VC JSON in the document that happens
16:45:40 <will> ... maybe this is not in the JOSE spec
16:45:59 <brentz> ack manu
16:46:05 <will> brentz: sharing screen to show this substantial difference
16:46:17 <will> ivan: looks like something to do with the tooling
16:47:01 <will> manu: I know the details, issue here is that the extension to respec. Called respec-vc has been modifed to support sd-jwt
16:47:19 <will> ... believe this has been done in a way that is not compatible at publication time
16:47:33 <will> ... Think this is a known issue, needs to be fixed.
16:47:40 <will> ... this is a non trivial excercise
16:47:53 <DavidC> q+
16:47:53 <will> ... code written for respec, does not work in publication
16:48:05 <will> ... handed respec over to W3C
16:48:33 <will> ... All examples need to be updated to use software to generate the examples.
16:48:52 <will> ... We need to put effort and work into fixing respec vc to support all securing methods
16:49:16 <will> ... Do we pull in ories code for sd-jwt into  the respec-vc extension. I suggest we do this
16:49:42 <will> selfissued: does the vc extension work when publishing in both cases
16:50:09 <will> manu: two options, we either hack on ories code to get this working. Or we integrate some of ories code into respec-vc
16:50:33 <will> ... our intention with respec vc is to get it into a form that will work across all different specifications
16:50:58 <will> selfissued: no need to bikeshed, but orie did custom code to be able to represent all forms of sd-jwt
16:51:27 <brentz> ack DavidC
16:51:30 <will> brentz: this is affecting the examples, which are non-normative. Can handle after CR
16:51:55 <will> DavidC: most of the tabs on the right had side of the example are good. The disclosed tab is not good. No description.
16:52:05 <will> ... We need another tab that shows the raw example
16:52:32 <will> ... show the raw VC and how it has been manipulated
16:52:40 <manu> q+ to ask if this is even a thing in SD-JWT?
16:52:55 <brentz> ack manu
16:52:56 <Zakim> manu, you wanted to ask if this is even a thing in SD-JWT?
16:53:08 <will> manu: The examples DavidC is pointing to, I have not seen this before
16:53:21 <will> ... where has this notation come from. It is the expression of a VC in yaml format
16:53:28 <andres> q+ to explain where it's coming from
16:53:31 <will> ... is this being specified anywhere
16:53:50 <will> selfissued: my understanding is this was copied from how the sd-jwt test suite works
16:53:54 <will> ... I agree this is not clear
16:54:29 <brentz> ack andres
16:54:29 <Zakim> andres, you wanted to explain where it's coming from
16:54:39 <will> andres: I know where this .yaml comes from
16:54:46 <will> ... selfissued is correct, these come from the testing suite
16:55:07 <will> ... sd-jwt has reference impls. These include tests with the.yaml files
16:55:23 <will> ... .yaml files specify which claims will be made selectively disclosable in the paylod
16:55:52 <will> ... If you are designing an api that allows issuers to select which statements are disclosable, you need something like that
16:55:56 <ivan> s/paylod/payload/
16:56:21 <will> brentz: thanks everyone, look forward to the spec moving into CR
16:56:21 <ivan> rrsagent, draft minutes
16:56:22 <RRSAgent> I have made the request to generate https://www.w3.org/2024/01/09-vcwg-special-minutes.html ivan
18:06:06 <csarven> csarven has joined #vcwg-special
19:29:31 <Zakim> Zakim has left #vcwg-special