Verifiable Credentials Working Group Telco — Minutes

Date: 2024-05-29

See also the Agenda and the IRC Log

Attendees

Present: Ivan Herman, Hiroyuki Sano, Dmitri Zagidulin, Manu Sporny, Brent Zundel, Sebastian Crane, Dave Longley, Mahmoud Alkhraishi, Jennie Meier, Benjamin Young, Joe Andrieu, Kevin Dean, Will Abramson, Anil John, Ted Thibodeau Jr., Gabe Cohen, Phillip Long, Steve McCown, David Chadwick

Regrets:

Guests:

Chair: Brent Zundel

Scribe(s): Benjamin Young

Content:

• 1. CCG Recap.
• 2. Charter.
  • 2.1. Adding at risk features to charter exception on class 4 changes (pr vc-wg-charter#119)
• 3. security disclosure.
• 4. Work Item Status Updates/PRs.
  • 4.1. Update media types to application/vc and application/vp (pr vc-data-model#1478)
  • 4.2. Use digestMultibase with base64-url-nopad encoding for integrity. (pr vc-data-model#1490)
  • 4.3. On the controller document.
• 5. VCDM Issue Processing.
  • 5.1. Example of Use of renderMethod (issue vc-data-model#1480)
  • 5.2. Consider explicitly allowing/recommending language maps for use in internationalisation. (issue vc-data-model#1479)
  • 5.3. VC-JWT examples are out-of-date (issue vc-data-model#1485)

Brent Zundel: agenda today is concise: work items, PRs, and issue processing.

Manu Sporny: a couple agenda items.
… a PR on the charter to address JoeAndrieu’s concerns.
… maybe a few minutes for that?
… also since aniltj is here, perhaps he can say a bit about what he shared on the CCG yesterday.

Brent Zundel: that OK with you, aniltj?

Anil John: yes. happy to.

1. CCG Recap.

Manu Sporny: Slide deck from presentation to CCG: https://lists.w3.org/Archives/Public/public-credentials/2024May/att-0075/DHS.Technical.Implementation.Requirements-Decentralized-Identity-v1.0-SHARE.pdf.

Manu Sporny: Video recording for CCG presentation on DHS Requirements using W3C VCs: https://meet.w3c-ccg.org/archives/w3c-ccg-weekly-2024-05-28.mp4.

Anil John: I gave a presentation at the CCG yesterday about how DHS is implementing decentralized identity.
… we are focused on using the suite of W3C standards.
… including VCDM.
… we’re using the Data Integrity specifications with proof sets.
… and cryptosuites like BBS+.
… and also using JOSE.
… the rationale is simple, we have a hard requirement for personal credentials.
… where we have additional privacy requirements.
… that requirement is satisfied by the Data Integrity specification.
… and the additional choices we are making there.
… we do also have a different scenario where we do not need selective disclosure.
… on the trade side, it’s organization to organization.
… and the idea of a wallet is interesting there.

Phillip Long: PL-ASU has joined #vcwg.

Anil John: we are also exploring BitString Status List specification.
… and did:web for identifying organizations.
… and in the long term we hope to enable a capability for individuals to bring their own DID for personal identification.
… we will not have that on day one, but we want to learn our way there.
… and we’re depending on many of the W3C standards.
… and happy to help move these toward formal standards as well.

Brent Zundel: thank you for compressing that 45 minute presentation to 5 minutes.
… it’s recorded if you’d like to view more.

Ivan Herman: is it public?

Anil John: yes, it’s recorded in the CCG meeting.
… anything shared there–including our requirements document–are able to be shared publicly.

2. Charter.

Brent Zundel: let’s talk charter…
… I’m going to drop a link to the PR.

2.1. Adding at risk features to charter exception on class 4 changes (pr vc-wg-charter#119)

See github pull request vc-wg-charter#119.

Brent Zundel: this PR is in response to request for changes from the group.
… it clarifies the scope of the group.
… happy to take comments from the queue.

Ivan Herman: it doesn’t clarify. it adds something to the scope.
… previously we were not able to make class 4 changes.
… we did have one exception–serious security problems.
… so I have added another exception, that any of the features that are at risk in the VCDM, any of those can be picked up and added to the recommendation–if all goes well.
… I think that handles JoeAndrieu’s concerns.
… to the group: please confirm that is the right list in the PR.
… and make sure I didn’t forget anything.
… I want to make it an explicit list, as the AC doesn’t like open ended charters.

Joe Andrieu: thank you, ivan.
… one question, this would include making new standards track docs to deal with these standards track documents.
… I’d like the ability to create those specs during the 2 year charter.

Ivan Herman: essentially that’s correct.
… we’ve cut documents in two before, for example.
… it’s not explicit about how things are taken out or put in practically.
… so if it’s an addition to a spec or a new spec is not explicitly stated.
… so the answer to your question is “yes” that is possible to make new specs with those features.

Joe Andrieu: Great. thanks for the clarification.

Brent Zundel: that’s my understanding also.

Manu Sporny: and mine also.
… now to poke the charter bear a bit…
… if I understand this correctly, we want to publish VCDM 2.0 sooner than later.
… but our charter would let us add the at risk features to a v2.1 edition.
… which could put the features back.

Ivan Herman: yes.

Manu Sporny: from an editorial perspective, some of these features may be cut due to lack of implementation.
… but starting in January, those could get added back with proper implementations and tests.

Ivan Herman: correct.
… for those not familiar with “class 4” these have to be existing features stated as “at risk” in the documents.
… oh, and one more thing, the current charter which we are under now was extended to the end of the year.

Brent Zundel: great. are there any objections.
… please review the PR and comment there.
… it was opened this morning, so by our next meeting we will merge it assuming all are in agreement.
… and then we can move the draft charter forward for review.

Manu Sporny: what’s the timeline?

Ivan Herman: ASAP.

Manu Sporny: this goes to W3M, then the AC, then the vote starts in July?

Ivan Herman: that sounds realistic…maybe a bit earlier.
… the changes are explicitly very small.
… the paragraph in the PR is the only meaningful change.
… the horizontal review folks did not have anything to add.
… with the AC, though, nobody knows.
… but assuming no objections, this new charter will take over in January.

3. security disclosure.

Manu Sporny: the editors of the Data Integrity have received a security disclosure which is still not yet public.
… the editors have already done a review, and the questions raised seem handled by the spec.
… however, since this is presented as a security disclosure, we will need to review it as a group.
… we should see it this week or next at the latest.

Brent Zundel: please watch the mailing list for that.
… and we’ll put it on the topic list for a future meeting.

4. Work Item Status Updates/PRs.

Ivan Herman: on the overview document, I put 2 PRs.
… I would like some review–mostly for linguistic issues.
… one is adding alt text to the new diagrams.
… the others I have copied over.
… alt text is hard to write, so please review those.
… the other PR adds references to other documents we have.
… to make the overview more complete.
… I also got some feedback to have this document as an official document sooner than later.

Manu Sporny: +1 to publish as a NOTE.

Ivan Herman: to help review.
… and getting it to NOTE will let us version it.
… which will ease external communication.

Brent Zundel: do you want to review those PRs now?

Ivan Herman: no, these mostly need grammar checking.

Manu Sporny: just a quick update across many specs.
… BitString Status List is now in CR.
… the Overview is an Editor’s Draft.
… the Controller document is now an FPWD.
… for the Data Integrity specs, they are on a decent glide path, mostly editorial.
… however, there is the upcoming disclosure we’ll be discussing.
… nothing much beyond that.
… for BBS we have upcoming implementers.
… Canadian and Swiss developers have stated they have code underway.
… we do have some issues to discuss.

4.1. Update media types to application/vc and application/vp (pr vc-data-model#1478)

See github pull request vc-data-model#1478.

Manu Sporny: this is the media type discussion.
… the group decided to push ahead on registering what was in the documents.
… we were supposed to hear back in 2 weeks…we got no feedback.
… there was an ask on the mediaman list if there was new guidance…there was/is not.

Ivan Herman: now that we are working on the charter, if we take out the multiple suffixes and things change at the IETF…
… should we put something in the charter so we can deal with that…if/when it happens?

Manu Sporny: it’s a good question, ivan.
… I think we’ve wasted enough time on this topic.
… we’ve talked it to death…and it’s not holding up any implementations.
… we can always expand the list of media types later.
… given how this has gone so far, it’s only going to take longer.
… so I think we can deal with this later.

Ivan Herman: than let’s forget about it.

Brent Zundel: agreed.

4.2. Use digestMultibase with base64-url-nopad encoding for integrity. (pr vc-data-model#1490)

See github pull request vc-data-model#1490.

Manu Sporny: the other one is the question around digest values.
… we have 3 options that have been put in front of the group.

Manu Sporny: digest options: https://github.com/w3c/vc-data-model/issues/1489#issuecomment-2134164168.

Manu Sporny: A. use digestSRI.
… B. use digestMultibase.
… C. use both.
… all of these have objections.
… so we need to make a decision.
… I’ll note that the folks arguing for digestSRI want it to be base64url…but SRIs in browsers are not URL encoded, just base64.
… the same folks object to digestMultibase.
… pretty much no one wants both…
… so we need to have a path through these.

Brent Zundel: (representing measur.io, not as a chair) I believe the digestSRI stuff is in the spec because Mike Prorock wanted it because Mesur.io was implementing it.
… I’ve opened an internal conversation to ask about how we’re using it.
… we’re supporters of it currently, so would not want it removed.
… but I will gather more data.
… any other thoughts on this PR?

Dave Longley: +1 to the PR … approved already.

Manu Sporny: it would be good to get feedback on the PR.
… I will note that multibase is definitely being used by DHS.
… among those were Drivers Licenses and Employment Authorization Documents.
… multibase stuff is also in production in TruAge.
… it is now very much defined in a specification and is in use in production.
… that’s where we are with that technology.
… we would prefer to pick one, but not object if the group picked both.
… it’s annoying if the group picked both, but still doable.
… and not hard to implement either one.

Brent Zundel: thank you, manu.

4.3. On the controller document.

Ivan Herman: this is on the Controller Document.
… if we have any hope to get that done, we need to start horizontal requests…like…now.
… one thing we should make very clear…
… we need to make the horizontal reviewers aware that this is not new content, but rearranging text from other documents.
… that should help review to go more quickly.

Brent Zundel: not seeing Mike Jones on the call. manu can you do this one?

Manu Sporny: concerned about my workload…but yes…I’ll try.

Brent Zundel: I’m concerned (as ever) about manu’s workload.

5. VCDM Issue Processing.

Brent Zundel: https://github.com/w3c/vc-data-model/issues?q=is%3Aissue+is%3Aopen+-label%3Afuture+sort%3Aupdated-asc.

Brent Zundel: question is if we plan to do anything about these, and if so, when.

5.1. Example of Use of renderMethod (issue vc-data-model#1480)

See github issue vc-data-model#1480.

Brent Zundel: renderMethod is currently at risk.
… European community is using these already.

Manu Sporny: there is a renewed…evolving interest in renderMethod.

Anil John: DHS is very interested in render method as well.

Manu Sporny: there are two or three variations coming from Singapore.

Dmitri Zagidulin: DCC and ASU in the US are implementing renderMethod as well.

Manu Sporny: there are some Australian and Canadian developers interested.
… these are all different approaches.
… so it’s unlikely we can get a single example in the spec.

Dmitri Zagidulin: and can confirm that E.U. (the EU Learning Data Model team) is implementing renderMethod.

Manu Sporny: so we should probably remove it from VCDM 2.0 and get activity going in the CCG.

Brent Zundel: removing? what specifically? the feature? but keep the term as protected, correct?

Manu Sporny: yes.

Brent Zundel: good. so the term is there for use, but the contents are still undefined and under active development at the CCG.
… are there other actions here? or specific ones?

Dave Longley: +1 that render method is a vital tool for helping issuers to present VC information to holders in digital wallets (digital wallets that will not necessarily understand every piece of information in a decentralized world)… but lots of different explorations right now, definitely need to reserve it.

Ivan Herman: do we have a “next release” label? we should use that here.
… when we go out to the AC for the vote, we should make sure that this is something we are happy to work on later.
… and want their input, but we do not think we can solve it in the next 6 months.

Brent Zundel: any objections to adding the “future” label to this one?

5.2. Consider explicitly allowing/recommending language maps for use in internationalisation. (issue vc-data-model#1479)

See github issue vc-data-model#1479.

Brent Zundel: consider recommending language maps.
… please jump on the queue.

Manu Sporny: there’s nothing preventing using them.
… I don’t think we can get to consensus on it.
… we reached back out with that as a comment, but haven’t heard back.
… if we were to do that now, it’d be very last minute.
… so the ask could be, please experiment.
… especially since language maps differ from what we recommend right now.
… and can reconsider it if/when we get feedback showing it’s a good way for handling I18N.

Anil John: mostly want to say that this is a feature of interest to DHS because of our international audience.
… as long as there is not anything preventing us from using these capabilities from JSON-LD, then we are satisfied.

Ivan Herman: should we show that JSON-LD can do this in an appendix?

Manu Sporny: yes. we can do that in an appendix, and adding that would editorial.

Brent Zundel: so, add an editorial example of language maps to the spec.

Phillip Long: +1 to editorial example to the language map spec.

Brent Zundel: manu has assigned himself, but someone else please volunteer.

Dmitri Zagidulin: I can volunteer.

Brent Zundel: thank you all for volunteering!
… I’m unassigning manu.
… and assigning dmitriz and Mahmoud.
… o.k. we have time for one more topic.
… let’s jump to 1485.

Dmitri Zagidulin: clarifying question - language map examples should go into their own appendix? Or just in the internationalization section?

5.3. VC-JWT examples are out-of-date (issue vc-data-model#1485)

See github issue vc-data-model#1485.

Brent Zundel: VC JWT examples are out of date.

Manu Sporny: good news is we released a new version of respec-vc.
… but the new jose/cose stuff is not in there yet.
… it should be a copy/paste into respec-vc.
… or decentralgabe can send a PR there.

Gabe Cohen: it’s on my list.
… and given the update to remove YAML from the jose/cose spec, it should be simpler to do now.

Manu Sporny: just to make sure we’re aligned, what are you planning to implement?
… SD-JWT, JOSE, COSE, something else?

Gabe Cohen: I was going to do all 3, but not automatically render them.
… I’ll put up a PR.
… I’d prefer to start by fixing what is currently labelled VC-JWT.

Manu Sporny: you can pick which tabs to show per example.

Brent Zundel: with that, we are out of time.
… great consensus building. we love our volunteers.
… bye for now.