14:49:24 RRSAgent has joined #vcwg 14:49:28 logging to https://www.w3.org/2024/08/14-vcwg-irc 14:49:29 RRSAgent, make logs Public 14:49:30 please title this meeting ("meeting: ..."), ivan 14:49:33 Meeting: Verifiable Credentials Working Group Telco 14:49:33 Date: 2024-08-14 14:49:33 Agenda: https://www.w3.org/events/meetings/9bfb4063-230b-4f59-b14c-fbf670b8a51b/20240814T110000/ 14:49:33 chair: brent 14:49:34 ivan has changed the topic to: Meeting Agenda 2024-08-14: https://www.w3.org/events/meetings/9bfb4063-230b-4f59-b14c-fbf670b8a51b/20240814T110000/ 14:59:22 brent has joined #VCWG 14:59:30 hsano has joined #vcwg 14:59:32 present+ 15:01:30 present+ 15:01:32 bigbluehat has joined #vcwg 15:02:05 present+ bigbluehat, hsano, kevin 15:02:29 present+ steele, dlongley 15:03:06 present+ selfissued 15:03:33 decentralgabe has joined #vcwg 15:03:39 present+ 15:03:54 present+ decentralgabe 15:04:06 present+ TallTed 15:04:08 gkellogg has joined #vcwg 15:04:10 present+ will 15:04:20 present+ manu 15:04:49 PL-ASU has joined #vcwg 15:04:57 Wip has joined #vcwg 15:05:00 present+ 15:05:11 selfissued has joined #vcwg 15:05:24 present+ 15:05:27 scribe+ 15:05:30 KevinDean has joined #vcwg 15:05:33 present+ 15:05:38 brent: Welcome to the WG weekly call. 15:06:09 present+ davidc 15:06:26 brent: Agenda today -- vcdm wrap up process near 2nd CR, implementations gather data, take remainder of time and focus on controller document (first CR by end of this month, hopefully). 15:06:27 DavidC has joined #vcwg 15:06:32 present+ 15:06:46 brent: Request to add a bit at beginning to Nick to talk about IETF things of interest to WG, additions/changes to the Agenda? 15:07:03 brent: Not seeing anyone jump on the queue, over to you Nick. 15:07:05 q+ to talk about work b/w the DID WG and VC WG for the controller doc 15:07:33 Topic: Credential Exchange Protocol 15:07:43 present+ joe 15:08:25 nicksteele: Hey Nick Steele, we have been working on Credential Exchange Protocol at IETF and FIDO, been working in that group for a while. Update and some context... credential exchange protocol working on dashlane, apple, microsoft, google, bitwarden, and 3rd party credential providers (12 in all), trying to figure out a way to exchange credentials across "vaults", wallets, credential stores, defines protocol itself, based off of HPKE. 15:09:03 https://fidoalliance.org/specs/cx/cxp-v1.0-wd-20240522.html 15:09:19 q+ 15:09:31 nicksteele: Two parts to this, published in FIDO on Aug 22nd and then between 12 partner companies, but what we're pushing out is a Working Draft of the stack... credential exchange protocol and credential exchange format -- update as well as call for review and help -- would like credential exchange format to be cognisant of VCs and other formats, few of us plan to launch feature flagged version of this protocol in products in September, supporting 15:09:31 passkeys, passwords, credit cards. 15:09:35 present+ jennie 15:09:43 nicksteele: As we move forward, we want to support other types of credentials 15:09:47 q+ to ask about DC API work 15:10:11 nicksteele: This is first standard where FIDO can publish publicly in WD form in regular cadence, feedback from public feedback and can work into technical work. 15:10:23 ack decentralgabe 15:10:23 decentralgabe, you wanted to talk about work b/w the DID WG and VC WG for the controller doc 15:10:31 JennieM has joined #vcwg 15:10:39 present+ 15:10:45 q- 15:10:47 decentralgabe: Cool work, thank you for sharing -- does it have overlap w/ DC API that FedID CG is doing? Or is it a different set of use cases? 15:10:48 q- 15:11:08 nicksteele: This is focused on migration w/ long term backup and storage, enterprise exchange of keys across different vaults and products 15:11:09 q+ 15:11:36 scribe+ 15:11:37 nicksteele: If I wanted to share a credential from Google Password Manager to Dashlane, you could move from one to another... current mechanism is moving CSV, which is not really secure. 15:11:40 q+ to ask a follow up 15:11:42 ack manu 15:12:11 Wip has joined #vcwg 15:12:21 manu: That's great, Nick. I kind of had the same kind of question. I know a few folks in the DC API work, said that FIDO is working on cross-device messaging of credentials. It sounds like you're describing a vault backup/migration capability. 15:12:50 manu: Whereas what's being talked about in the DC API with respect to the FIDO work is really about a cross device presentation capability. I wonder how much those groups are talking to each other since these things are so similar. 15:13:20 manu: I'm trying to figure out how much communication is happening between the two groups -- I am having a hard time understanding how the work items are related. CTAP2, etc. 15:13:21 nicksteele: These are ancillary to CTAP2 15:15:01 nicksteele: The credential exchange work is separate from authentication, after authn happens and credential exists, there is no guidanec on how credentials should be migrated/exported, current thinking with larger providers -- we won't export your passkeys when you export your credentials. We're doing this in FIDO because folks interested in credential management -- I'm main author on CXP and Renee is CXF -- we need better communication, we want to hear 15:15:01 all the work going on in space. This work is specifically around sharing different forms of credential across providers. 15:15:09 scribe- 15:15:09 Topic: DID WG and Controller Doc 15:15:17 ack dlongley 15:15:20 ack decentralgabe 15:15:20 decentralgabe, you wanted to ask a follow up 15:15:56 decentralgabe: We've been trying to solve for broader problem of "I have credentials and need to access at certain point in time" -- is this a "happens in realtime", or is it a background job? 15:16:18 s/Topic: DID WG and Controller Doc// 15:18:06 nicksteele: I have a demo we could look at. Current, early iteration is to support migration or setup of new devices for new users and handle export on mobile devices and desktops -- user is very much involved -- in B2C and B2B cases, transfer credentials and be aware of what happens when credentials are moving. Authorizing party -- user and business provides authorization of encrypt/decrypt to transport credentials... want enterprise policy to be 15:18:06 applied in B2B use case, and B2C, want user to know when moving from vault to vault, which one you're moving to. Direct vs. indirect, where platform (android supports this, others to follow) -- use platform to transfer credentials... indirect protocol to provide key and use Diffie Hellman to migrate to ... envelope to encrypt keys and take them elsewhere. 15:18:19 nicksteele: There will be a way for this to be facilitated natievly by platforms. 15:18:34 nicksteele: I'll be at W3C TPAC WG meetings 15:18:39 brent: That would be a good time to do a demo. 15:18:44 Topic: DID WG and Controller Doc 15:19:04 https://github.com/w3c/did-core/issues/854 15:19:04 decentralgabe: The DID WG was kicked off recently, many of you have attended, one of the things we've discussed is aligning w/ Controller Document. 15:19:39 JoeAndrieu has joined #vcwg 15:19:52 decentralgabe: It seems like consensus is forming in DID Core to remove content from that document and point to Controller Document. Timeline seems fine for VCWG Controller Document and DID Core. Just calling that out, we'd like folks to participate if they want to. 15:19:54 Topic: VCDM Wrap Up 15:19:54 q+ 15:19:55 scribe+ 15:20:03 https://github.com/w3c/vc-data-model/issues?q=is%3Aissue+is%3Aopen+-label%3Afuture+sort%3Aupdated-asc 15:20:07 brent: We have a list of issues, many if not most of them have been addressed. 15:20:25 brent: We have one open issue, one open PR, talk about those and next steps. 15:20:27 ack manu 15:20:52 present+ 15:20:54 subtopic: https://github.com/w3c/vc-data-model/pull/1539 15:21:33 q+ 15:21:44 manu: The PR is a suggestion that came up during a discussion in an issue that makes it clear that "we" (the VCWG and media types) that we specifically prohibit using a link header for a JSON-LD context and we do this because it externalizes the context and we don't have any use cases for the added complexity. Ivan indicated it would be a good idea to specifically call this out so this PR does that. 15:21:55 ack ivan 15:22:26 ivan: Just to be precise, before when we were using the hypothetical media type -- then this remark was not necessary because JSON-LD spec has clear language on this. 15:23:04 ivan: Then, using HTTP for context is disallowed... we changed the media type, this remark remained ineffective for our media type, it's a bit more than an extra note it's setting the situation where we were before we changed the media type. 15:23:36 brent: this looks like its on track to be merged soon. 15:23:46 subtopic: https://github.com/w3c/vc-data-model/issues/1538 15:23:56 q+ 15:24:12 manu: Benjamin has tracked this down it will get fixed shortly. 15:24:15 q- 15:24:17 gkellogg has joined #vcwg 15:24:45 manu: The other heads up on VCDM -- I'm about 50% of my way through the final spec review, lots of content taking a long time. If anyone can please do security and privacy consideration editorial reviews that would really help a lot. 15:25:06 manu: If not, it's going to take a couple more weeks to get all the way through. I did also update the ZKP section adding examples from BBS. 15:25:30 manu: Now we have examples from BBS base and derived proof. Some diagram updates, Ivan, on what the BBS-secured VC looks like, etc. 15:25:32 manu: I think that's it. 15:25:33 i/manu: The other/subtopic: editorial pass/ 15:26:01 q+ 15:26:08 brent: Would it be helpful to raise a draft PR for this? 15:26:38 manu: No, I've been doing mainline editorial edits, and raising these as PRs will make the diffs look like big changes when they are just formatting. But I can share the commits that have gone to mainline. 15:26:43 brent: That would be good, yes. 15:26:50 ack ivan 15:26:57 ivan: Can you send me a short description by email on BBS changes? 15:27:31 manu: You converted some previous diagrams -- I already made some changes and I just need review from you. You converted some BBS stuff, it looks like what you did. 15:27:40 manu: It's just in the ZKP section. 15:27:42 ivan: Ok. 15:27:58 brent: Any comments on this issue or the editorial work being done? 15:28:10 brent: Anyone willing to do some work in the privacy and security sections? 15:28:16 brent: Any questions/comments on editorial work being done? Is anyone willing to do editorial work on privacy/security considerations sections? 15:28:19 scribe- 15:28:27 q+ 15:28:36 ack decentralgabe 15:28:44 decentralgabe: I'm happy to help out - I'd like some more guidance on what type of content is missing. 15:28:44 q+ 15:28:47 scribe+ 15:28:49 ack manu 15:29:14 manu: Thank you, Gabe. It's not about missing content, it's about re-reading the paragraphs that are already there and catching missing commas, missing periods, weird phrasing that could be simplified. It is purely editorial work. 15:29:47 manu: If a human being is reading this for the first time, will it make sense to them? If it goes beyond purely editorial changes you have to raise a PR. It's "do not raise the content of the spec beyond a class 1 or class 2". Class 2 is just largely changing the wording. 15:30:03 manu: Or, for example, sometimes, but I think I only found one instance of this so far, we have two normative statements that say the same thing in the same paragraph. 15:30:21 manu: But because we edited the paragraph so many times, we are repeating ourselves. But you won't find those in those sections anyway. 15:31:04 manu: It's largely look at one of the sections there, make sure the line breaks are at 80 chars, make sure brackets refer to terms, make sure when we use a special term we point back to the term section ([= foo =]), etc. Purely editorial clean up. Does that help? 15:31:12 decentralgabe: Yes, I can do that. 15:31:18 manu: Let me know when you get started. 15:31:31 manu: Let me know which sections you have already done so I don't need to look at those and I'll look at others. 15:31:34 decentralgabe: Ok, sure. 15:31:39 brent: Thank you very much Gabe and Manu. 15:31:43 Topic: Controller Document 15:31:53 https://github.com/w3c/controller-document/pulls 15:31:53 scribe- 15:32:13 DavidC has joined #vcwg 15:32:29 subtopic: https://github.com/w3c/controller-document/pull/41 15:32:44 brent: This is removing references to proof purpose 15:32:44 q+ 15:32:50 ack manu 15:32:50 scribe+ 15:33:46 manu: I volunteered to write this PR on an editors call and Mike and I talked about what could make it into the spec. This PR just tries to be very specific about only touching the stuff touching `proofPurpose`. I scanned for those two words "proof" and "purpose" to make sure we don't talk about that in the controller document. There is one algorithm where we said "proof purpose" but we meant "verification relationship". 15:33:52 manu: I have updated that text to be more generalized. 15:34:18 manu: Mike has a comment here that should be easy to apply to some of the text. We were saying "proof purpose" before when we meant "verification relationship" and that has been updated. 15:34:21 selfissued: Thank you, Manu. 15:34:25 manu: Of course. 15:34:34 brent: Please review and read over it, raised yesterday, let's get our eyes on it and move it forward. 15:34:35 brent: It was raised yesterday, please take a look, we would like approvals. 15:34:41 scribe- 15:34:43 brent: If 41 is approved and merged, 40 will be closed. 15:34:56 selfissued: We can close 40 now. 15:34:58 subtopic: https://github.com/w3c/controller-document/pull/39 15:35:02 q+ 15:35:04 scribe+ 15:35:17 ack manu 15:35:24 manu: I owe Gabe a review on this one and then I expect we can merge it. 15:35:29 scribe- 15:35:32 manu: I owe gabe a review on this and then we can probably merge it. 15:35:57 subtopic: issues 15:35:59 https://github.com/w3c/controller-document/issues?q=is%3Aissue+is%3Aopen+sort%3Aupdated-asc 15:36:23 subtopic: https://github.com/w3c/controller-document/issues/23 15:36:43 brent: I did ping Horizontal Review folks for a review. If we reach out for review and don't get review, what is the guidance there? 15:36:56 ivan: You can curse, I can give you some ideas there :P 15:37:12 ivan: When we request CR transition, we have to say their reviews timed out. 15:37:55 🤣 15:38:26 ivan: All the reviews that we got on DI are valid here because we did not do any new technical development here, this was just an editorial move from one place to another, plus timeouts will probably be fine, but I'm not the one who decides that. 15:38:38 brent: a11y is pending, i18n is done, so I think we can close 24. 15:38:58 ivan: For this WG, the question will be security/privacy -- not sure where we are with security in general, but that's a more general question for TPAC 15:38:59 q+ 15:39:03 scribe+ 15:39:06 ack manu 15:39:42 manu: Just to speak to that security thing. Where we are -- Simone is very aware of our WG's work and the need for a security review and he's collected a bunch of people together to do those sorts of reviews but they aren't complete. We need to be very clear to him that we need a formal review. 15:40:18 present+ campbell 15:40:21 manu: And at this point, no fault of Simone, he just got started and got a lot of work, but we need the feedback. But we're going to CR2 and we don't want changes because of the security review. 15:40:32 manu: We need to let him know that we're going to be asking him for a status at TPAC. 15:40:41 scribe- 15:41:08 ivan: I don't know where we are with the schedule for W3C TPAC meetings, it might be a good idea to (now) try to get ourselves a slot w/ Simone. 15:41:10 brent: We have one 15:41:20 ivan: It would be nice to get something w/ him. 15:41:29 brent: We have a joint meeting w/ the Security folks 15:41:37 ivan: We shouldn't schedule for a 2nd CR before TPAC. 15:41:50 brent: That is the plan, we are not going to CR2 before TPAC. 15:41:57 subtopic: https://github.com/w3c/controller-document/issues/37 15:42:18 scribe+ 15:42:29 manu: This should be a simple editorial change that I just need to get to. 15:42:53 q+ 15:42:56 brent: can anyone else take this item? This is fixing a typo. 15:43:01 Wip: I'm happy to do this. 15:43:03 q+ 15:43:14 ack Wip 15:43:18 ack dlongley 15:43:30 dlongley: I think this is going to be addressed by PR #41? 15:43:58 subtopic: https://github.com/w3c/controller-document/issues/35 15:44:03 https://github.com/w3c/controller-document/issues/41 15:44:11 scribe- 15:44:20 q+ 15:44:43 scribe+ 15:44:50 https://w3c.github.io/controller-document/#conformance 15:45:15 manu: Right, agreed with what you said, Brent, I think we already have this in the spec. We have a conformance section -- talks about conforming document, processor, etc. There may be some detail that I'm missing in some comment. 15:45:24 brent: Would the fix then just be to fix the data integrity language to say "conforming"? 15:45:26 +1 to say "conforming" 15:45:27 manu: Yes. 15:45:56 manu: I moved this over to the controller document spec because the retrieve verification method algorithm is now in the controller document spec. The change needs to be made there now. 15:46:09 manu: What we should do is say "If the verification method is not a conforming verification method..." that will make it clear. 15:46:30 manu: What Mike said in here is correct. We can make this more clear, it's an editorial change, I think it's ready for PR. We just need to link to the conforming statements and make this really clear. 15:47:04 brent: This is another one that is editorial and it's clear what to do so if they can help out Manu, that would be great. 15:47:04 Wip: I can do this one. 15:47:08 scribe- 15:47:23 subtopic: https://github.com/w3c/controller-document/issues/5 15:47:40 brent: PR #39 will address this issue. 15:47:57 subtopic: https://github.com/w3c/controller-document/issues/34 15:48:27 scribe+ 15:48:41 manu: No, Dave has the suggested change in here ... suggested in July 2023, so we just need to apply that fix. 15:49:01 brent: So this is just changing from using an X25519 key to a P-256 key. 15:49:09 brent: Anyone else want to work on this? 15:49:13 scribe- 15:49:32 subtopic: https://github.com/w3c/controller-document/issues/10 15:50:00 brent: Ivan, do you have what you need to move this forward, or would group discussion help? 15:51:15 ivan: We've made changes on DI vocabulary, there is no need for separate vocabulary for controller, that's the cleanest thing. The only thing that changes is where the formal specification pointer is. I did that, I think that addresses this issue. 15:51:25 gkellogg has joined #vcwg 15:51:25 ivan: I think it's been done. 15:51:38 brent: Mike Jones, this is your issue, we'd want your agreement on that. 15:52:08 selfissued: I'm trying to understand why this was marked pending close, this is a twisty set of passages. 15:52:26 ivan: I acted on Mike's requests for changes, but maybe I don't understand what Mike's commenting on. 15:52:26 https://github.com/w3c/controller-document/issues/10#issuecomment-2122449898 15:52:58 ivan: We've done the 2nd approach. 15:53:04 brent: The first approach was overtaken by events. 15:53:20 selfissued: So we removed a section from the controller document spec. 15:53:54 selfissued: But we didn't remove that section? 15:54:25 ivan: I didn't refer to any section in my comment, vocabulary description is a separate document. 15:54:33 Because that vocabulary (and related context) is much larger than what the controller document defined, it makes sense to remove this section from the controller spec and leave the DI spec in charge. 15:54:48 selfissued: That's a comment from you, Ivan ^ 15:55:31 q+ 15:55:34 q- 15:55:43 selfissued: what is the "it" we're referring to? 15:55:47 ack dlongley 15:56:45 dlongley: I was reading over the issue, one of the things you offered Mike -- "should it be deleted" -- Ivan said that DI has been updated, referring to term in controller document. That is a little different from Ivan had written, but has been done (the 2nd suggestion you made, Mike). 15:56:52 brent: Yes, 2nd suggestion has been applied. 15:57:25 selfissued: Ok, it would help me approve closing the issue if someone could provide a link to an old draft of DI referencing the thing that was deleted, so I can compare "this used to be there and this isn't there anymore". 15:57:31 selfissued: Once that's done, I can approve closing the issue. 15:57:44 brent: Can DI folks point to the merged PR? 15:58:47 dlongley: I followed Ivan's comment to assertion method link, which takes you to a vocabulary document, which then if you click on that, see formal definition of term, which takes you to the controller document. 15:58:56 ivan: Yes, and previously it took you the DI specification. 15:59:33 selfissued: I'm asking for a reference for an old rendering of the DI document that has the text to see what was removed. 15:59:36 https://www.w3.org/standards/history/vc-data-integrity/ : history of documents 16:00:00 ivan: We need to find at what date that change happened. 16:00:04 gkellogg has joined #vcwg 16:00:50 brent: We're out of time on this. 16:00:58 manu: I can look into the history on this. 16:01:07 rrsagent, draft minutes 16:01:09 I have made the request to generate https://www.w3.org/2024/08/14-vcwg-minutes.html manu 16:10:44 rrsagent, bye 16:10:44 I see no action items