15:02:30 RRSAgent has joined #vcwg 15:02:35 logging to https://www.w3.org/2024/03/13-vcwg-irc 15:02:35 zakim, start meeting 15:02:35 RRSAgent, make logs Public 15:02:36 please title this meeting ("meeting: ..."), ivan 15:02:43 selfissued has joined #vcwg 15:02:44 present+ 15:02:49 present+ 15:02:57 will has joined #vcwg 15:02:59 present+ 15:03:05 present+ davidc, brent, manu, TallTed 15:03:05 present+ 15:03:23 present+ jennie, dlongley 15:03:31 Meeting: Verifiable Credentials Working Group Telco 15:03:32 Date: 2024-03-13 15:03:32 Agenda: https://www.w3.org/events/meetings/0d074559-1457-4540-857b-24b1be7a8d7f/20240313T110000/ 15:03:32 chair: brent 15:03:34 present+ pauld 15:03:47 pauld_gs1 has joined #vcwg 15:03:53 RRSAgent, draft minutes 15:03:54 I have made the request to generate https://www.w3.org/2024/03/13-vcwg-minutes.html TallTed 15:04:01 present+ 15:04:02 RRSAgent, make logs public 15:04:16 present+ dwaite 15:04:47 scribe+ 15:05:03 dwaite has joined #vcwg 15:05:11 Jennie has joined #vcwg 15:05:42 previous meeting: https://www.w3.org/2024/03/06-vcwg-minutes.html 15:06:06 brent: agenda 15:06:46 Topic: BBS Data Integrity CR proposal 15:06:55 q+ 15:07:02 ack manu 15:07:18 manu: sorry I didn't write a statement for BBS 15:07:24 CR ready draft is here: https://w3c.github.io/vc-di-bbs/CR/2024-03-28/ 15:07:48 manu: have prep'd a CR ready draft, in the same way as other DI specs... 15:07:55 s/scribe+/scribe: GregB/ 15:08:00 RRSAgent, draft minutes 15:08:02 I have made the request to generate https://www.w3.org/2024/03/13-vcwg-minutes.html TallTed 15:08:17 present+ bibgbluehat, jandrieu 15:08:21 present+ dlehn 15:08:52 Jennie_ has joined #vcwg 15:08:56 manu: BBS supports unlinkable signatures, hence its importance 15:09:00 q+ 15:09:13 ack ivan 15:09:35 ivan: date is set for March 28th 15:09:57 I will fill out the transition request details... 15:10:08 q+ 15:10:16 ivan: test suite? 15:10:46 ivan: I've created a approval request draft in the repo. HR references? 15:10:51 ack manu 15:10:58 The BBS test suite is here: https://github.com/w3c-ccg/vc-di-bbs-test-suite 15:11:36 manu: procedure, go to CR then test suite or test suite then CR... 15:11:53 manu: can put test suite and implementation report list... 15:12:10 manu: I'll fill out transition request stuff 15:12:37 ivan: will submit request to management with pointer to the repo. 15:12:46 I agree with Ivan's proposed direction on processing the CR Draft. 15:13:18 bigbluehat has joined #vcwg 15:13:51 JoeAndrieu has joined #vcwg 15:13:55 present+ 15:14:28 PROPOSAL: We will publish BBS Data Integrity Cryptosuites v1.0 (https://w3c.github.io/vc-di-bbs/CR/2024-03-28/) as a Candidate Recommendation Snapshot with a goal to publish on March 28, 2024, and will use echidna to automatically publish Candidate Recommendation Drafts. 15:14:34 +1 15:14:34 +1 15:14:35 +1 15:14:37 +1 15:14:38 +1 15:14:42 present+ 15:14:42 +1 15:14:43 +1 15:14:44 +1 15:14:44 +1 15:14:45 +1 15:14:51 +1 15:14:58 +1 15:15:02 +1 15:15:16 RESOLVED: We will publish BBS Data Integrity Cryptosuites v1.0 (https://w3c.github.io/vc-di-bbs/CR/2024-03-28/) as a Candidate Recommendation Snapshot with a goal to publish on March 28, 2024, and will use echidna to automatically publish Candidate Recommendation Drafts. 15:15:19 q+ 15:15:24 ack ivan 15:16:01 Topic: Bitstring Status List PING issues 15:16:12 https://github.com/w3c/vc-bitstring-status-list/issues?q=is%3Aissue+is%3Aopen+label%3Aprivacy-needs-resolution 15:16:35 q+ 15:16:43 brent: all the issues raised, only a couple need group input. 15:16:43 ack manu 15:16:48 smccown has joined #vcwg 15:17:00 present+ smccown 15:17:01 manu: suggest all but one is editorial. 15:17:25 subtopic: https://github.com/w3c/vc-bitstring-status-list/issues/144 15:17:47 (yeyyy normative guidance!) 15:17:55 manu: PING wants normative guidance on caching behavior on status list 15:18:20 q+ to suggest lame test 15:18:22 manu: if we put MUST we need to test it; Not sure how we would test it in this group 15:18:33 +1 to SHOULD 15:18:48 manu: best we can say is SHOULD cache rather than MUST 15:19:08 +1 to SHOULD 15:19:09 manu: would prefer SHOULD 15:19:11 ack brent 15:19:11 brent, you wanted to suggest lame test 15:19:32 q+ 15:19:42 ack ivan 15:20:16 ivan: agree with you. The goal of testing is to see if implementation is implementable... 15:20:39 q+ 15:20:41 brent: other comments on this issue? 15:20:44 ack manu 15:20:53 s/implementation is implementable/specification is implementable/ 15:21:08 q+ 15:21:19 manu: Fine, but concerned with precedent. 15:22:42 Maybe the way we implement this is to add a field to each implementations implementation config file... "iCacheStatusListsISwear": true 15:22:44 ack brent 15:23:29 q+ 15:23:33 brent: I hear the concerned. This group has had a commitment to developing solid test suites. I think we are okay. 15:23:35 ack pauld_gs1 15:23:41 ack pauld_gs 15:24:04 I agree with Brent's analysis. 15:24:05 pauld_gs1: arguing MUST may be too restrictive 15:24:10 I also agree with Paul's concern. 15:24:12 "yes, my implementation caches when `validUntil` is present" 15:24:45 brent: editors of bitstring stat list, do you have what you need? 15:25:05 q+ 15:25:06 manu: yes 15:25:21 ack pauld_gs 15:25:58 q+ 15:25:59 +1 to pauld_gs1's concerns, i think we don't want to lock in caching rules either 15:26:08 ack manu 15:26:19 q+ 15:26:28 (i.e., it would be good to allow better caching rules over time with experience) 15:26:40 manu: I'll take a shot at caching rules, with a MUST and otherwise will backoff to a SHOULD 15:26:46 ack brent 15:26:57 +1 to something like what Brent said around caching rules. 15:26:59 brent: could have a MUST with recommended caching rules. 15:27:43 subtopic: https://github.com/w3c/vc-bitstring-status-list/issues/146 15:28:16 manu: multi-status entries PING -- this could be more dangerous to privacy than "simple status list" 15:28:58 manu: "message" put arbitrary message allows issuer to add new types of status dynamically. 15:29:36 present+ dmitriz 15:29:37 undocumented immigrant 15:29:37 manu: explanation of the privacy concern and data leakage opportunity 15:30:30 issuer publishes, after the fact, that the credentialSubject likes Nickelback, without their consent. 15:30:49 manu: other info can be exposed after the fact. PING wants this written up. 15:31:02 q+ 15:31:26 manu: feature is largely for traceability, but can be problematic in other cases 15:32:28 ack JoeAndrieu 15:32:31 manu: can even be sensitive in supply chain. This "messages" feature will have quite a write up in privacy section. 15:33:08 JoeAnrieu: suprised this is here. A bit too open ended. 15:33:33 q+ 15:33:41 ack manu 15:34:00 manu: half agreeing with you Joe... 15:34:24 manu/JoeAndrieu: discussion... 15:34:36 q+ 15:35:15 ack JoeAndrieu 15:35:51 JoeAndriue: arbitrary messages stuff in the spec? manu: yes 15:35:58 +1 to Joe's concerns. 15:36:18 +1 to Joe's concerns (but not to the level that DB would object to it going in). 15:36:27 s/Andriue/Andrieu/ 15:36:39 Topic: Work Item Status Updates/PRs 15:36:55 brent: updates from JOSE/COSE? 15:36:59 q+ 15:37:04 ack manu 15:37:19 q+ 15:37:33 manu: quick update VC DM down to 11 issues, can knock that down to 5 or 6 in a couple weeks 15:37:47 manu: status list try to get to CR 15:38:05 s/to CR/to second CR/ 15:38:16 manu: status list trying to resolve all issues that PING raised 15:38:39 ack selfissued 15:39:21 MikeJones: JOSE/COSE working on examples. 15:39:27 Topic: VCDM Issue Processing 15:39:35 https://github.com/w3c/vc-data-model/issues?q=is%3Aissue+is%3Aopen+-label%3Afuture+sort%3Aupdated-asc 15:39:49 q+ 15:39:54 q- 15:40:12 subtopic: https://github.com/w3c/vc-data-model/issues/1254 15:40:46 manu: I'll continue to work on this. 15:41:03 brent: no meeting next week, IETF meeting 15:41:42 brent: would like for issues without activity, mark as pending close. Then next meeting decide to close. Inputs? 15:41:43 +1 to Brent's proposed plan. 15:41:44 q+ 15:41:50 ack manu 15:42:10 manu: agree, makes me a bit nervous 15:42:27 subtopic: https://github.com/w3c/vc-data-model/issues/1432 15:43:18 brent: Gabe agreed to do a PR, he's not here... I'm marking pending close. Will reach out to Gabe. 15:43:38 subtopic: https://github.com/w3c/vc-data-model/issues/1197 15:44:14 brent: assigned to X, manu said he will take it. manu: still planing to work on this. 15:44:36 subtopic: https://github.com/w3c/vc-data-model/issues/1348 15:45:06 brent: will not be marked pending close. Jeff Y. review. manu: trying to address as many as possible. 15:45:48 brent: folks if you want to raise a small PR, please do, greatly appreciated! 15:46:20 steele has joined #vcwg 15:46:45 q+ 15:46:54 DavidChadwick: section on trust model Jeff Y. wants quite a lot. I'm willing to work on but need more discussion. Break out into 15:46:59 ack manu 15:47:03 ... separate issues. 15:47:50 manu: can skip section 5.2, will provide commit for each checkmark. agree trust model changes require discussion 15:47:56 subtopic: https://github.com/w3c/vc-data-model/issues/1442 15:48:14 https://github.com/w3c/vc-data-model/pull/1454 15:48:46 brent: there is a PR, positive review, changes from TallTed. Please review. Should be merged soon. 15:48:58 subtopic: https://github.com/w3c/vc-data-model/issues/1455 15:48:59 q+ 15:49:11 ack manu 15:50:29 manu: add crypto hashes to files refered to. Disagreement on whether SHA-256 is enough, then folks wanted SHA-384 then why not 512 15:50:48 q+ 15:51:05 ... then why not a CLI that everyone has, then OpenSSL, but different on different platforms 15:51:40 ... NIST guidelines, PQ in year 2035, SHA-256 good until 2035 15:51:56 FYI, Apple us launching PQ for iMessages in the near term: https://security.apple.com/blog/imessage-pq3/ 15:52:22 manu: so we have confirmation from NIST, so we should backoff multiple hashes. 15:52:25 q+ to recall Y2K 15:52:42 ack ivan 15:52:45 manu: should change all hashes across the board for SHA-256 15:53:21 i.e., no wide, default support for sha3 15:53:26 s/SHA-256/SHA2-256/ 15:53:26 ivan: OpenSSL on Mac doesn't have SHA-3. Install alternative... Not everyone will do that... 15:54:08 ivan: happy to write a PR if group agrees. Only when PR nnnn is merged. Don't want merge conflicts 15:54:24 ack JoeAndrieu 15:54:24 JoeAndrieu, you wanted to recall Y2K 15:54:29 ivan: will write PR for DI spec to have everything aligned 15:54:35 q+ 15:54:37 s/nnnn/1454/ 15:55:10 ack manu 15:55:16 JoeAndrieu: disagree, we shouldn't get rid of extensibility. 15:55:32 q+ 15:56:00 manu: to be clear a maintenance group can publish at any time. If SHA-256 is broken, many things would need to be rev'd 15:56:10 q+ 15:56:59 manu: many things more important that hashes of vocabulary files. This is different from the cryptography used in ECDSA, EDDSA, etc... 15:57:35 q- 15:57:39 manu: This is for vocabulary files. 15:57:40 ack selfissued 15:58:17 MikeJones: If SHA-256 is broken, then every piece of software that uses crypto will be broken. 15:58:18 Completely agree with Mike Jones... "It'll be a frikkin' big deal" <-- YES! :) 15:58:19 +1 to Mike 15:58:38 brent: closing meeting for today, not meeting next week. Thanks 15:58:48 rrsagent, draft minutes 15:58:49 I have made the request to generate https://www.w3.org/2024/03/13-vcwg-minutes.html ivan 15:59:47 rrsagent, bye 15:59:47 I see no action items