Verifiable Credentials Working Group Telco — Minutes

Date: 2024-08-14

Attendees

Present: Brent Zundel, Ivan Herman, Benjamin Young, Hiroyuki Sano, Kevin Dean, Nicholas Steele, Dave Longley, Michael Jones, Gabe Cohen, Ted Thibodeau Jr., Will Abramson, Manu Sporny, Phillip Long, David Chadwick, Joe Andrieu, Jennie Meier, Brian Campbell

Regrets:

Guests:

Chair: Brent Zundel

Scribe(s): Manu Sporny, Dave Longley

Brent Zundel: Welcome to the WG weekly call.
… Agenda today – vcdm wrap up process near 2nd CR, implementations gather data, take remainder of time and focus on controller document (first CR by end of this month, hopefully).
… Request to add a bit at beginning to Nick to talk about IETF things of interest to WG, additions/changes to the Agenda?
… Not seeing anyone jump on the queue, over to you Nick.

1. Credential Exchange Protocol.

Nicholas Steele: Hey Nick Steele, we have been working on Credential Exchange Protocol at IETF and FIDO, been working in that group for a while. Update and some context… credential exchange protocol working on dashlane, apple, microsoft, google, bitwarden, and 3rd party credential providers (12 in all), trying to figure out a way to exchange credentials across “vaults”, wallets, credential stores, defines protocol itself, based off of HPKE.

Gabe Cohen: https://fidoalliance.org/specs/cx/cxp-v1.0-wd-20240522.html.

Nicholas Steele: Two parts to this, published in FIDO on Aug 22nd and then between 12 partner companies, but what we’re pushing out is a Working Draft of the stack… credential exchange protocol and credential exchange format – update as well as call for review and help – would like credential exchange format to be cognizant of VCs and other formats, few of us plan to launch feature flagged version of this protocol in products in September, supporting passkeys, passwords, credit cards.
… As we move forward, we want to support other types of credentials.
… This is first standard where FIDO can publish publicly in WD form in regular cadence, feedback from public feedback and can work into technical work.

Gabe Cohen: Cool work, thank you for sharing – does it have overlap w/ DC API that FedID CG is doing? Or is it a different set of use cases?

Nicholas Steele: This is focused on migration w/ long term backup and storage, enterprise exchange of keys across different vaults and products.
… If I wanted to share a credential from Google Password Manager to Dashlane, you could move from one to another… current mechanism is moving CSV, which is not really secure.

Manu Sporny: That’s great, Nick. I kind of had the same kind of question. I know a few folks in the DC API work, said that FIDO is working on cross-device messaging of credentials. It sounds like you’re describing a vault backup/migration capability.
… Whereas what’s being talked about in the DC API with respect to the FIDO work is really about a cross device presentation capability. I wonder how much those groups are talking to each other since these things are so similar.
… I’m trying to figure out how much communication is happening between the two groups – I am having a hard time understanding how the work items are related. CTAP2, etc.

Nicholas Steele: These are ancillary to CTAP2.
… The credential exchange work is separate from authentication, after authn happens and credential exists, there is no guidanec on how credentials should be migrated/exported, current thinking with larger providers – we won’t export your passkeys when you export your credentials. We’re doing this in FIDO because folks interested in credential management – I’m main author on CXP and Renee is CXF – we need better communication, we want to hear all the work going on in space. This work is specifically around sharing different forms of credential across providers.

Gabe Cohen: We’ve been trying to solve for broader problem of “I have credentials and need to access at certain point in time” – is this a “happens in realtime”, or is it a background job?

Nicholas Steele: I have a demo we could look at. Current, early iteration is to support migration or setup of new devices for new users and handle export on mobile devices and desktops – user is very much involved – in B2C and B2B cases, transfer credentials and be aware of what happens when credentials are moving. Authorizing party – user and business provides authorization of encrypt/decrypt to transport credentials… want enterprise policy to be applied in B2B use case, and B2C, want user to know when moving from vault to vault, which one you’re moving to. Direct vs. indirect, where platform (android supports this, others to follow) – use platform to transfer credentials… indirect protocol to provide key and use Diffie Hellman to migrate to … envelope to encrypt keys and take them elsewhere.
… There will be a way for this to be facilitated natievly by platforms.
… I’ll be at W3C TPAC WG meetings.

Brent Zundel: That would be a good time to do a demo.

2. DID WG and Controller Doc.

See github issue did-core#854.

Gabe Cohen: The DID WG was kicked off recently, many of you have attended, one of the things we’ve discussed is aligning w/ Controller Document.
… It seems like consensus is forming in DID Core to remove content from that document and point to Controller Document. Timeline seems fine for VCWG Controller Document and DID Core. Just calling that out, we’d like folks to participate if they want to.

3. VCDM Wrap Up.

Brent Zundel: https://github.com/w3c/vc-data-model/issues?q=is%3Aissue+is%3Aopen+-label%3Afuture+sort%3Aupdated-asc.

Brent Zundel: We have a list of issues, many if not most of them have been addressed.
… We have one open issue, one open PR, talk about those and next steps.

3.1. Changed the Media Type specifications to ignore HTTP link headers (pr vc-data-model#1539)

See github pull request vc-data-model#1539.

Manu Sporny: The PR is a suggestion that came up during a discussion in an issue that makes it clear that “we” (the VCWG and media types) that we specifically prohibit using a link header for a JSON-LD context and we do this because it externalizes the context and we don’t have any use cases for the added complexity. Ivan indicated it would be a good idea to specifically call this out so this PR does that.

Ivan Herman: Just to be precise, before, when we were using the hypothetical media type vc+ld+json – then this remark was not necessary because JSON-LD spec has clear language on this.
… Using HTTP for context was automatically disallowed. We changed the media type, this remark remained ineffective for our media type. I.e., it’s a bit more than an extra note, it’s setting the situation where we were before we changed the media type.

Brent Zundel: this looks like its on track to be merged soon.

3.2. Respec’s VC plugin still does not work (issue vc-data-model#1538)

See github issue vc-data-model#1538.

Manu Sporny: Benjamin has tracked this down it will get fixed shortly.

3.3. editorial pass.

Manu Sporny: The other heads up on VCDM – I’m about 50% of my way through the final spec review, lots of content taking a long time. If anyone can please do security and privacy consideration editorial reviews that would really help a lot.
… If not, it’s going to take a couple more weeks to get all the way through. I did also update the ZKP section adding examples from BBS.
… Now we have examples from BBS base and derived proof. Some diagram updates, Ivan, on what the BBS-secured VC looks like, etc.
… I think that’s it.

Brent Zundel: Would it be helpful to raise a draft PR for this?

Manu Sporny: No, I’ve been doing mainline editorial edits, and raising these as PRs will make the diffs look like big changes when they are just formatting. But I can share the commits that have gone to mainline.

Brent Zundel: That would be good, yes.

Ivan Herman: Can you send me a short description by email on BBS changes?

Manu Sporny: You converted some previous diagrams – I already made some changes and I just need review from you. You converted some BBS stuff, it looks like what you did.
… It’s just in the ZKP section.

Ivan Herman: Ok.

Brent Zundel: Any comments on this issue or the editorial work being done?
… Anyone willing to do some work in the privacy and security sections?
… Any questions/comments on editorial work being done? Is anyone willing to do editorial work on privacy/security considerations sections?

Gabe Cohen: I’m happy to help out - I’d like some more guidance on what type of content is missing.

Manu Sporny: Thank you, Gabe. It’s not about missing content, it’s about re-reading the paragraphs that are already there and catching missing commas, missing periods, weird phrasing that could be simplified. It is purely editorial work.
… If a human being is reading this for the first time, will it make sense to them? If it goes beyond purely editorial changes you have to raise a PR. It’s “do not raise the content of the spec beyond a class 1 or class 2”. Class 2 is just largely changing the wording.
… Or, for example, sometimes, but I think I only found one instance of this so far, we have two normative statements that say the same thing in the same paragraph.
… But because we edited the paragraph so many times, we are repeating ourselves. But you won’t find those in those sections anyway.
… It’s largely look at one of the sections there, make sure the line breaks are at 80 chars, make sure brackets refer to terms, make sure when we use a special term we point back to the term section ([= foo =]), etc. Purely editorial clean up. Does that help?

Gabe Cohen: Yes, I can do that.

Manu Sporny: Let me know when you get started.
… Let me know which sections you have already done so I don’t need to look at those and I’ll look at others.

Gabe Cohen: Ok, sure.

Brent Zundel: Thank you very much Gabe and Manu.

4. Controller Document.

Brent Zundel: https://github.com/w3c/controller-document/pulls.

4.1. Remove references to “proof purpose”. (pr controller-document#41)

See github pull request controller-document#41.

Brent Zundel: This is removing references to proof purpose.

Manu Sporny: I volunteered to write this PR on an editors call and Mike and I talked about what could make it into the spec. This PR just tries to be very specific about only touching the stuff touching proofPurpose. I scanned for those two words “proof” and “purpose” to make sure we don’t talk about that in the controller document. There is one algorithm where we said “proof purpose” but we meant “verification relationship”.
… I have updated that text to be more generalized.
… Mike has a comment here that should be easy to apply to some of the text. We were saying “proof purpose” before when we meant “verification relationship” and that has been updated.

Michael Jones: Thank you, Manu.

Manu Sporny: Of course.

Brent Zundel: Please review and read over it, raised yesterday, let’s get our eyes on it and move it forward.
… It was raised yesterday, please take a look, we would like approvals.
… If 41 is approved and merged, 40 will be closed.

Michael Jones: We can close 40 now.

4.2. Update examples to provide parity between MultiKey and JsonWebKey (pr controller-document#39)

See github pull request controller-document#39.

Manu Sporny: I owe Gabe a review on this one and then I expect we can merge it.
… I owe gabe a review on this and then we can probably merge it.

4.3. issues.

Brent Zundel: https://github.com/w3c/controller-document/issues?q=is%3Aissue+is%3Aopen+sort%3Aupdated-asc.

4.4. Accessibility Self-Review of Controller Documents v1.0 (issue controller-document#23)

See github issue controller-document#23.

Brent Zundel: I did ping Horizontal Review folks for a review. If we reach out for review and don’t get review, what is the guidance there?

Ivan Herman: You can curse, I can give you some ideas there :P.
… When we request CR transition, we have to say their reviews timed out.

Gabe Cohen: 🤣.

Ivan Herman: All the reviews that we got on DI are valid here because we did not do any new technical development here, this was just an editorial move from one place to another, plus timeouts will probably be fine, but I’m not the one who decides that.

Brent Zundel: a11y is pending, i18n is done, so I think we can close 24.

Ivan Herman: For this WG, the question will be security/privacy – not sure where we are with security in general, but that’s a more general question for TPAC.

Manu Sporny: Just to speak to that security thing. Where we are – Simone is very aware of our WG’s work and the need for a security review and he’s collected a bunch of people together to do those sorts of reviews but they aren’t complete. We need to be very clear to him that we need a formal review.
… And at this point, no fault of Simone, he just got started and got a lot of work, but we need the feedback. But we’re going to CR2 and we don’t want changes because of the security review.
… We need to let him know that we’re going to be asking him for a status at TPAC.

Ivan Herman: I don’t know where we are with the schedule for W3C TPAC meetings, it might be a good idea to (now) try to get ourselves a slot w/ Simone.

Brent Zundel: We have one.

Ivan Herman: It would be nice to get something w/ him.

Brent Zundel: We have a joint meeting w/ the Security folks.

Ivan Herman: We shouldn’t schedule for a 2nd CR before TPAC.

Brent Zundel: That is the plan, we are not going to CR2 before TPAC.

4.5. Fix `vmPurpose` / `vmPurposes` discrepancy in Retrieve Verification Method algorithm (issue controller-document#37)

See github issue controller-document#37.

Manu Sporny: This should be a simple editorial change that I just need to get to.

Brent Zundel: can anyone else take this item? This is fixing a typo.

Will Abramson: I’m happy to do this.

See github pull request controller-document#41.

Dave Longley: I think this is going to be addressed by PR #41?

4.6. Define “valid” (issue controller-document#35)

See github issue controller-document#35.

Manu Sporny: https://w3c.github.io/controller-document/#conformance.

Manu Sporny: Right, agreed with what you said, Brent, I think we already have this in the spec. We have a conformance section – talks about conforming document, processor, etc. There may be some detail that I’m missing in some comment.

Brent Zundel: Would the fix then just be to fix the data integrity language to say “conforming”?

Joe Andrieu: +1 to say “conforming”.

Manu Sporny: Yes.
… I moved this over to the controller document spec because the retrieve verification method algorithm is now in the controller document spec. The change needs to be made there now.
… What we should do is say “If the verification method is not a conforming verification method…” that will make it clear.
… What Mike said in here is correct. We can make this more clear, it’s an editorial change, I think it’s ready for PR. We just need to link to the conforming statements and make this really clear.

Brent Zundel: This is another one that is editorial and it’s clear what to do so if they can help out Manu, that would be great.

Will Abramson: I can do this one.

4.7. Put publicKeyJwk on an equal footing with publicKeyMultibase (issue controller-document#5)

See github issue controller-document#5.

Brent Zundel: PR #39 will address this issue.

4.8. X25519KeyAgreementKey2019 has wrong property (issue controller-document#34)

See github issue controller-document#34.

Manu Sporny: No, Dave has the suggested change in here … suggested in July 2023, so we just need to apply that fix.

Brent Zundel: So this is just changing from using an X25519 key to a P-256 key.
… Anyone else want to work on this?

4.9. Contexts and Vocabularies inconsistencies (issue controller-document#10)

See github issue controller-document#10.

Brent Zundel: Ivan, do you have what you need to move this forward, or would group discussion help?

Ivan Herman: We’ve made changes on DI vocabulary, there is no need for separate vocabulary for controller, that’s the cleanest thing. The only thing that changes is where the formal specification pointer is. I did that, I think that addresses this issue.
… I think it’s been done.

Brent Zundel: Mike Jones, this is your issue, we’d want your agreement on that.

Michael Jones: I’m trying to understand why this was marked pending close, this is a twisty set of passages.

Ivan Herman: I acted on Mike’s requests for changes, but maybe I don’t understand what Mike’s commenting on.

Ivan Herman: We’ve done the 2nd approach in https://github.com/w3c/controller-document/issues/10#issuecomment-2122449898.

Brent Zundel: The first approach was overtaken by events.

Michael Jones: So we removed a section from the controller document spec.
… But we didn’t remove that section?

Ivan Herman: I didn’t refer to any section in my comment, vocabulary description is a separate document.

Michael Jones: Because that vocabulary (and related context) is much larger than what the controller document defined, it makes sense to remove this section from the controller spec and leave the DI spec in charge.

Michael Jones: That’s a comment from you, Ivan ^.
… what is the “it” we’re referring to?

Dave Longley: I was reading over the issue, one of the things you offered Mike – “should it be deleted” – Ivan said that DI has been updated, referring to term in controller document. That is a little different from Ivan had written, but has been done (the 2nd suggestion you made, Mike).

Brent Zundel: Yes, 2nd suggestion has been applied.

Michael Jones: Ok, it would help me approve closing the issue if someone could provide a link to an old draft of DI referencing the thing that was deleted, so I can compare “this used to be there and this isn’t there anymore”.
… Once that’s done, I can approve closing the issue.

Brent Zundel: Can DI folks point to the merged PR?

Dave Longley: I followed Ivan’s comment to assertion method link, which takes you to a vocabulary document, which then if you click on that, see formal definition of term, which takes you to the controller document.

Ivan Herman: Yes, and previously it took you the DI specification.

Michael Jones: I’m asking for a reference for an old rendering of the DI document that has the text to see what was removed.

Ivan Herman: https://www.w3.org/standards/history/vc-data-integrity/ : history of documents.

Ivan Herman: We need to find at what date that change happened.

Brent Zundel: We’re out of time on this.

Manu Sporny: I can look into the history on this.