Verifiable Credentials Working Group Telco — Minutes

Date: 2024-06-26

See also the Agenda and the IRC Log

Attendees

Present: Brent Zundel, Hiroyuki Sano, David Chadwick, Gabe Cohen, Manu Sporny, Will Abramson, Dave Longley, Jennie Meier, Anil John, KevinDean, Benjamin Young, Dmitri Zagidulin, Ivan Herman, Steve McCown, Joe Andrieu, Wesley Smith, David Lehn

Regrets:

Guests:

Chair: Brent Zundel

Scribe(s): David Chadwick, Manu Sporny

Content:

David Chadwick: I suggested newer simple definitions for issuee, please look at and comment on it, please: https://github.com/w3c/vc-data-model/issues/1467#issuecomment-2185331647.

Brent Zundel: Visitors from EBSI next week, we can speak with them about Terms of Use.

Brent Zundel: https://github.com/eu-digital-identity-wallet/eudi-doc-architecture-and-reference-framework/discussions/211.

Brent Zundel: feedback has been received from cryptographers on the above.

Gabe Cohen: discussion on VC formats - https://github.com/eu-digital-identity-wallet/eudi-doc-architecture-and-reference-framework/discussions/211.

Gabe Cohen: on DIDs - https://github.com/eu-digital-identity-wallet/eudi-doc-architecture-and-reference-framework/issues/205.

1. media types.

1.1. update updated media types to application/vc-ld and application/vp-ld (issue vc-data-model#1509)

See github issue vc-data-model#1509.

Brent Zundel: have had lots of discussions already about this.
… . decided we would just register vc and vp.
… but some folks want ld adding as well.

Dave Longley: -1 to change the core media types again, please move forward with application/vc and application/vp.

Joe Andrieu: I’m also -1 to revisiting this conversation.

KevinDean: -1.

Manu Sporny: strong -1 for revisiting this topic again.
… people who want to use sd-jwt as well actually have nothing to do with our VC DM.
… it duplicates the typing mechanism but is incompatible with VCDM.
… we should contact Oauth group at IETF and ask them to stop creating specs that will confuse people with our W3C VCDM spec.

Dave Longley: +1 to everything Manu said.

Ted Thibodeau Jr.: +1 msporny.

Gabe Cohen: I am concerned about us being blocked from registering our media types.

Brent Zundel: of the two media types we want to register (application vc and vp) should not be a problem.
… it is the addition of sd-jwt that may cause problems.

Dave Longley: +1 to brent, yes.

Brent Zundel: we should register our base two types first.

Manu Sporny: we need to move on, so lets not discuss further unless our initial registrations are blocked.
… its not clear to me how many sd-jwt data types there are, and they all seem to be incompatible with one another.

Gabe Cohen: +1 to Brent’s suggestion to register the base types first.

Steve McCown: +1 for proceeding with the 1st 2 base types. It doesn’t sound like doing that and discussing the others later hinders anything.

Ted Thibodeau Jr.: we should not pre-determine that our registrations will be blocked.
… lets wait to see the outcome.
… I see a lot of sloppiness in what media types are being discussed, with the + and - signs flipped or otherwise incorrectly used.

Anil John: feedback on ARF may suggest changes to media types are needed.

Manu Sporny: I will volunteer to submit the registration request for the two data types in our VC DM.
… application/vc and application/vp.

Dave Longley: +1 to that plan.

Gabe Cohen: +1 thanks Manu.

Joe Andrieu: +1 to that plan.

2. VCDM Issue Processing.

Brent Zundel: https://github.com/w3c/vc-data-model/issues?q=is%3Aissue+is%3Aopen+-label%3Afuture+sort%3Aupdated-asc.

Brent Zundel: currently have 9 open issues that are not marked future.
… Tou will be discussed next week.

2.1. Consider explicitly allowing/recommending language maps for use in internationalisation. (issue vc-data-model#1479)

See github issue vc-data-model#1479.

Dmitri Zagidulin: coming along shortly.

2.2. Could not define “name” and “description” as attributes of my type (issue vc-data-model#1500)

See github issue vc-data-model#1500.

Brent Zundel: what is there for us to do here?

Manu Sporny: its not a good idea to redefine name and description.
… we should say WG has discussed it and its not a good idea to change the terms as currently described.

Ivan Herman: +1 to close.

Brent Zundel: so the issue should be closed.

Benjamin Young: +1 to close.

Brent Zundel: so I will close it after the meeting today.

2.3. Comments/Suggestions on Privacy Considerations (issue vc-data-model#1502)

See github issue vc-data-model#1502.

Manu Sporny: these are comments from EFF.
… EFF has reviewed the PR and says it addresses their concerns.
… only other thing is edit from TallTed.

2.4. SD-JWT fields in the v2 context should use "@type": "@json" (issue vc-data-model#1503)

See github issue vc-data-model#1503.

Brent Zundel: if I remember correctly this issue should be addressed.
… PR#1505 addresses this.

See github pull request vc-data-model#1505.

2.5. Add Security Considerations related to advances in Artificial Intelligence (issue vc-data-model#1507)

See github issue vc-data-model#1507.

Manu Sporny: I have been working with a number of AI companies on how VCs can be used to determine if an online entity is a real person or an AI bot.
… AI systems can now pass Turing test.
… how AI affects IDM systems need to be documented.
… will be a number of research papers published this summer that go into greater details.

See github pull request vc-data-model#1508.

Gabe Cohen: AI does not affect the VC DM data structures.

Brent Zundel: are you saying this PR text is in the wrong section of the spec?

Gabe Cohen: yes.
… move to validation/verification section.

Joe Andrieu: confidenceMethod can be affected by AI.
… there is an AI arms race at the moment.

Joe Andrieu: +1 to that, Manu.

Manu Sporny: the text will not provide text on exact solutions, but we should point to research papers when they become available.

Joe Andrieu: “We have something AI doesn’t have. That is cryptography.” That’s great framing.

Steve McCown: Have we started actively discussing moves towards post quantum cryptography?

Ted Thibodeau Jr.: AI is a moving target so not something we can solve now.
… I have provided substantial text edits to the existing paragraphs.
… leave text as is and more text in Validation section.

Ivan Herman: +1 to Ted.

Joe Andrieu: +1 to Ted. That was a good argument for keeping it in Security Considerations.

David Chadwick: Joe said that humans have cryptography and AI doesn’t, that’s a good point, but I think AI can have that too.

Steve McCown: AI’s are currently being created for brute force attacks on cryptography.

Manu Sporny: yes, +1 to what Joe said, that’s what I meant too.

Will Abramson: +1.

Steve McCown: ECC isn’t quantum secure…

Gabe Cohen: will continue in issue.

David Chadwick: the issue about cryptography is not that AI cannot use crypto and sign, but rather that AI cannot break crypto.
… Therefore AI cannot fake a signed document.

Steve McCown: I would contend that AI can break crypto.

3. Controller Document.

3.1. Add section on Controller Document data model. (pr controller-document#32)

See github pull request controller-document#32.

Manu Sporny: we have a number of approvals already on these additions to the data model.
… the text is mainly from DID core so I prefer not to change it in the Controller document, but rather raise issues on DID core.
… specifically to ivan’s comments.

Ivan Herman: I could not properly explain what a controller document is from the existing text.
… need a higher level section to explain what the controller document is actually about.

3.2. fix grammar, add links (pr controller-document#30)

See github pull request controller-document#30.

Brent Zundel: has a lot of approvals so will be merged after this meeting.

Ted Thibodeau Jr.: there is still one open question did URI or https URL.

Manu Sporny: https.

3.3. general discussion on issues.

Manu Sporny: next step is to remove all controller doc related text in JOSE/COSE and Data Integrity and point to Controller Doc.
… will be a massive edit but not technical in nature.
… we also have to see what happens with the DID documents.

Brent Zundel: https://github.com/w3c/controller-document/issues?q=is%3Aissue+is%3Aopen+sort%3Aupdated-asc.

3.4. Contexts and Vocabularies inconsistencies (issue controller-document#10)

See github issue controller-document#10.

Manu Sporny: we need to make the content and vocabularies consistent.
… we already have a security vocabulary so dont need a new controller doc vocabulary.

Ivan Herman: if you go to the vocabulary document we refer to one or our specs for the definition of the term.
… so any references to one of our security specs should refer to controller doc instead.

Dave Longley: +1 to ivan’s plan, unless we bump into some issue.

Manu Sporny: Yes, +1 agree with Ivan on the path forward.

Manu Sporny: We won’t be updating the security context.

Manu Sporny: (IMHO).

Dmitri Zagidulin: manu mentioned updating security vocabulary. This does not require update to security context as well.

Ivan Herman: keeping security vocabulary URLs as now means less changes. We only need to point to controller doc for the definition of terms. The context document remains unchanged.

Manu Sporny: Yes, +1 to what ivan said, agreed.

3.5. Condense Accessibility Considerations section (issue controller-document#8)

See github issue controller-document#8.

Manu Sporny: Yes, +1, agree with what brent just said… applying Mike’s change would change the horizontal review assertions (that they’ve reviewed and approved a variation of this before).

Brent Zundel: because we are pulling text from existing documents, we should not in this case re-write to make text cleaner, but rather keep as is.

Dave Longley: +1.

Brent Zundel: since this will make horizontal reviews much easier.

4. Misc.

Ivan Herman: there is an administrative task for me to do, including obsoleting an existing documents (JsonWebSignature2020).
… Just wanted to inform the WG.

Manu Sporny: +1 to publishing JsonWebSignature2020 as a discontinued draft.

Dave Longley: +1.