- From: CCG Minutes Bot <minutes@w3c-ccg.org>
- Date: Wed, 16 Mar 2022 00:22:05 +0000
Thanks to Our Robot Overlords for scribing this week! The transcript for the call is now available here: https://w3c-ccg.github.io/meetings/2022-03-15-vcapi/ Full text of the discussion follows for W3C archival purposes. Audio of the meeting is available at the following location: https://w3c-ccg.github.io/meetings/2022-03-15-vcapi/audio.ogg ---------------------------------------------------------------- VC API Task Force Transcript for 2022-03-15 Agenda: https://lists.w3.org/Archives/Public/public-credentials/2022Mar/0071.html Topics: 1. Agenda Review, Introductions, Relevant Community Updates 2. Remove issue VC option to change verification method 3. Initial PR for exchange discovery 4. Clarify that IDs are opaque to client 5. Bundle VC-API and provide UX on API Docs 6. Initial GET and DELETE Operations 7. Add JSON Schema renderer for ReSpec Organizer: Manu Sporny, Orie Steele, Markus Sabadello, Mike Varley, Mahmoud Alkhraishi Scribe: Our Robot Overlords Present: TallTed // Ted Thibodeau (he/him) (OpenLinkSw.com), Manu Sporny, Markus Sabadello, Joe Andrieu, Dave Longley, Brent Zundel, Justin Richer, Mike Prorock, Eric Schuh, Kerri Lemoie, Orie Steele, Kayode Ezike, Brian Richter, Dmitri Zagidulin Our Robot Overlords are scribing. Manu Sporny: Seems to be working all right welcome everyone to the VC API call this is March 15th 2022 our agenda is in chat on the agenda today just our typical agenda review introductions relevant Community updates and then we have a lot of PRS to go over which is great thanks to everyone that did PRS thank you Mike Prorock and everyone else that contributed so yeah we've got a long list of things to get through today. Manu Sporny: It like we're just doing PR reviews for the whole any other changes or updates to the agenda is there anything else folks would like to talk about. Manu Sporny: All right if not let's go ahead and get started. Topic: Agenda Review, Introductions, Relevant Community Updates Manu Sporny: First topic up is agenda review introductions relevant Community updates I think everyone. Manu Sporny: I think yeah we everyone everyone knows everyone here so I think we're good. Manu Sporny: So we don't need introductions reintroductions any relevant Community updates. Manu Sporny: All right I think the mic I don't know if it's worth talking a bit more about kind of the VC API as it relates to like the VC 20 working group. Manu Sporny: Continuation of the discussion that started on the ccg call earlier today thoughts are brand I don't know what your thoughts were on that as well. Mike Prorock: I don't know if Brenda comments it my concern is primarily if we can't take at least a core set of you know issue verify holder type operations and Define a clean rest API and some kind of normative fashion like that that eventually right it doesn't have to be a part of working group to I think we can use working group 20 to flush it out. Mike Prorock: If we get strong pushback on and I think he brought this up towards the end of the ccg meeting right like I would like a statement in there that says yep we intend to take this normative at some point you know but you know those these are things that concern me about especially seeing some of the politicking towards the end of the did working group and some of the politicking going on even in just getting those Charter to state where people agree with it right. Mike Prorock: Right these are things that make me nervous. Brent Zundel: Yeah I wonder. Brent Zundel: How much pushback we're going to get in the VC working group to bring some of these things in there not a little bit more settled and I think the notion of. Brent Zundel: Saying here's a note and Republican it as a user guide that talks about this community draft report and here's how you would make use of that to do this over HTTP and rest requests I think the more concrete it is getting into that the better chance they'll be of. Brent Zundel: People not caring so much that it shows up there but I. Brent Zundel: I will never not be surprised at what some people end up feeling deeply about and so the cleaner it is going into it I think the better chance we have. Manu Sporny: Thank you Brian I agree with that brand and I also agree you know Mike that there's you know concern right so you know I think the elephant in the room is like it's pretty clear that open ID Foundation is going to Define V Capi or sorry a thing that moves VCs and in the timeline I've heard is by Q3 or Q4 of this year it will be done in. Manu Sporny: So if that is the case. Manu Sporny: The question you know then is where does the VC API playing that and what should the VC 20 working group say about that. Manu Sporny: And yeah I'm you know I'm I'm as concerned as everyone else is around that. Manu Sporny: And I don't think it's very clear like what we should say so just just speaking from a personal level I think it is problematic for anyone to say that the protocols are going to be anywhere near done in the next two years right I think there are going to be people in organizations that want to say that. Manu Sporny: Um looking at the current protocols it doesn't seem like they're definitely multiple rough spots on all the protocols that exist today and you know and the market continues to mature and all that kind of stuff so you know I think I don't know if anyone else feels differently about this but saying that there will be a standardized protocol or one of many. Manu Sporny: Any standardized protocols by the. Manu Sporny: I think is a dangerous thing to say I don't know if that is controversial or not or you're on the. Orie Steele: I don't think saying that there won't be only one as controversial I think it would be controversial not to acknowledge that there are currently multiple protocols for moving these things around at various levels of standardization everything from Community drafts in the ccg two drafts at ietf to working group work items that I. Orie Steele: Items that open ID. Orie Steele: Foundation to community drafts at dif mean I'm aware of a large number of protocols that move feces around and and I think we should expect the future to look like the present and the past in that regard and I would I wouldn't say much beyond that. <tallted_//_ted_thibodeau_(he/him)_(openlinksw.com)> ftp, http, smtp, uucp.... all move documents, which may include VCs Manu Sporny: Go ahead okay and I mean that feels like a fairly reasonable position to take right now any other thoughts from anyone else before we move into PRS I I was just curious to hear what you know folks you know thought about this stuff specifically as it relates the VC API. Manu Sporny: Making a very good point in in chat. Manu Sporny: Yeah I mean maybe what we're I mean I'm sure what we're looking at is a multi-protocol future. Manu Sporny: Just like we've got kind of a multi multi multiple ways to express a VC in their extension points you know it's probably going to be multiple protocols to move VCS it's an inevitability go ahead Mike. Mike Prorock: Yeah I think that I just want to reiterate that I mean that's my personal thinking as well and that that's why really the focus should be as much on like what are these operations and how do you conduct them cleanly and safely securely right you know be that issue presents you know you know verify really is the core things and then just keep what does that smallest set of things that could be clearly defined in a way that translates naturally between different. Mike Prorock: Calls right and if we do that from a. <tallted_//_ted_thibodeau_(he/him)_(openlinksw.com)> sorry... sftp, https, smtp-auth, uupc-over-tls, etc. Mike Prorock: Point and from an API definition standpoint that will translate well to things like gr PC and you know Kafka streams and stuff like that like what can you do what can you do and why should you do that and what kind of role are you taking when you do that and based on that role what are the you know what are the implications of that that you should be cognizant of. Mike Prorock: +1 Manu Sporny: Yep okay if no one else has anything we will move to our PRS I you know I expect this is just a conversation that's going to continue over the next year you know as new things new things happen but I wanted what I wanted to make clear is that this group is still committed to working on the VC API and moving it forward that that is what I got out of the call this morning. <orie> obligatory XKCD link regarding too many standards Manu Sporny: I agree with that statement. Topic: Remove issue VC option to change verification method Manu Sporny: All right with that let's move into our first PR I am going to screen share because why not. Manu Sporny: In theory it didn't crash during the main call today so in theory it should crash here right all right so what's the first one it is to 63. Manu Sporny: So this is the pr that Dave Longley raised I think at the end of the day it just removes verification method proof purpose and type this was modified was it Longley it can you give us some. Dave Longley: Sure yep so it was originally raised to remove just verification method we had a discussion about that and talked about sort of reworking the API at a higher level and at the end of all that discussion or he said I've made a couple of suggestions to remove some other options let's go ahead and remove those if you accept my suggestions then I will approve the pr and so that's where we're at. Manu Sporny: Okay so we've got an approval from Ori because it was changed does anyone else have objections on these these changes. Manu Sporny: Basically remove the optionality. Manu Sporny: Only prove it. Manu Sporny: The call is is that with anyone object to marching this since it's been out there for 22 days. Manu Sporny: Dave made Warriors changes we've discussed it during a call. Manu Sporny: Go ahead Marcus. Markus Sabadello: Yeah I also commented on this I'm trying to remember now I don't object to it I just I just wrote up some some thoughts that I had on this that perhaps sometimes it is useful to be able to configure these parameters on the client side or two that the client specify this oh I remember I wonder if perhaps some implementations in. Markus Sabadello: The future. Markus Sabadello: Will it support is in the vendor specific way right so I'm a bit worried that maybe they will be implementations that defined their own custom parameters or options that allow you to pick a verification method or allow you to pick a proof purpose and and then we have when the lock-in and no interoperability. Markus Sabadello: Buddy I think they've explained the rationale very well and I understand that and I can't object I think it's it's fine. Manu Sporny: Great thank you Marcus yeah I need to speak to that I think if there is a vendor that wants to provide that kind of variability in their API it is their right to do so. Mike Prorock: +1 Manu Manu Sporny: Right and I totally agree with you Marcus if they start doing that and they get very popular then all of a sudden there's potential vendor lock-in but that is a risk. <orie> embrace, extend, extinguish Manu Sporny: Yeah that that risk is always there right but I don't think we limit the options to just the ones there we just Define a set and the implementers can do more if they want to. Manu Sporny: I'm not hearing objections to marching this so we will merge although why is it saying we haven't met. Manu Sporny: I guess other people. Mike Prorock: Sori still have change requests turned on now. Manu Sporny: Why is this all right I'm going to click the button I don't know why it's saying we haven't met maybe we didn't get it enough code owners to okay rebase emerge. Manu Sporny: All right that one's done next one up. Manu Sporny: Mike Farley's exchange Discovery PR is Mike here today. Topic: Initial PR for exchange discovery Manu Sporny: https://github.com/w3c-ccg/vc-api/pull/268 Manu Sporny: Like is not here today we can discuss this briefly then but I don't want to do much on it if Mike's not here does anyone remember the state that we were in for this I think we were. Manu Sporny: What did we where were we. Manu Sporny: So Mike's got some questions back to you or E you've got some statements to Mike. Manu Sporny: Looks like more discussions needed here. <mprorock> still work in progress it looks like Orie Steele: Yeah I mean basic handling of potentially unbounded lists with dictate that we should design a pi to account for those things it's not clear to me what the max range on. Orie Steele: The resource response is but you know generally when you build a rest API you don't want to return you want to return some you know interfaces that you can page over millions of results right let's just build the API thinking about that ahead of time. Manu Sporny: Yep what did you mean by tutorials here or e. Orie Steele: It's literally just an example of how to page over results you can see total items total Pages current page tutorials is the items collection in this example it's one of the first search results you get when you search for page a nation in Json. Orie Steele: Maybe the maybe that was confusing maybe I should have linked to mongodb API documentation or something better for paginated APS. Manu Sporny: Okay all right that's that's clear. Manu Sporny: All right okay so there just needs to be a little more discussion there and I don't think we can do much there anyone else on the Queue to talk about 268 know. Manu Sporny: All right so moving on to the next item which is. Topic: Clarify that IDs are opaque to client Manu Sporny: https://github.com/w3c-ccg/vc-api/pull/269 Manu Sporny: 269 Is I took an action to write a PR to clarify the that exchange ID and transaction ID or opaque to the client so this is what the pr basically does ignore that the other stuffs not being rendered that's a bug in the preview but we're basically saying we'd said this is just the option just says the trait. Manu Sporny: Exchange ID and transaction IDs. Manu Sporny: The server but are opaque to the client just because they're human readable doesn't mean that you should assign any kind of semantics to that human readability as a client and that's it that's all the that's all the pr does small piece of text we need more reviews on it. Manu Sporny: That's kind of where that is. Manu Sporny: It's on ya it was only race two days ago so I'm not going to try and ask folks to merge it. Manu Sporny: So take a look at it see if that meets folks needs I will note on this that I have had random conversations I forget with who a couple of view I think Mike Farley was one of them where he was like people are going to want to show the job in there and I think Longley you had also mentioned that like we can't just presume that these are 128-bit identifiers there might be other things. Manu Sporny: That you know people want to do too. Manu Sporny: Us you know apis again like some some digitally signed something some short-form digitally signed something like a job in the transaction ID. Manu Sporny: Thoughts on that the folks feel like. <mprorock> this is one more reason to go 128bit / UUID Manu Sporny: If feels like it is going to be very hard for us to push against that we can keep it at like uuid and multi base 128-bit ID for now but you know I have a feeling we're going to lose that battle long-term go ahead well Lee. Dave Longley: So I understand having limits on URL lengths and things like that and those come from other systems as well that we don't even control but I don't understand why we why we would need to create validation rules around restricting these IDs to very specific formats like uuid and things like that I don't know what that actually buys us as opposed to just. Dave Longley: Treating them as urls. Dave Longley: Many people know where the transaction IDs and and whatever need to go and allow implementations to put whatever information they need to put their we I do agree that we need to be clear about the semantics that this is a server chosen ID and it should be opaque to the client. Manu Sporny: So is there a concrete change says suggestion in their day like 100 kilobyte a thousand characters you know something like that. <mprorock> XSS etc Dave Longley: Unless the API is going to need to hang anything off of the end of these URLs and maybe they need to the Restriction should just be to the length of a URL whatever you know there are limits and browsers today I don't know what those links are but we should just be inheriting from that and unless this API is going to define or expect to have to put something after that I D. Dave Longley: Through I don't know what the requirement would be. Dave Longley: To do to limit it to anything other than the total length of the URL. Manu Sporny: Thanks Mike Europe. Orie Steele: https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html Mike Prorock: Yeah I just wanted to note the main reason you want to Define and very clearly kind of limit to like nope 128-bit numbers uuids Etc is primary from security aspect standpoint I mean ranging from cross-site scripting to buffer overflow type attacks to embedding encoded script tags to you know so basically anything you can do at the spec definition layer to say this is the exact format we want its. Mike Prorock: Completely opaque and has no meaning. Mike Prorock: Leaking any information and logs or intermediary parties looking at requests those are all good things to do right it may make it more make you add an additional layer of like matching Heidi's to descriptions and stuff like that from a developer standpoint but that's comparatively trivial compared to the amount of other things that you can encounter by letting it go pretty unbounded. Manu Sporny: All right go ahead Longley. Dave Longley: Yeah so I mean I definitely agree that we do need it does need to be bounded to something but I also want us to be careful that we don't I saw some discussion for example people talking about how we should definitely make these uuids so people don't hide things like Social Security numbers in them you know there was some kind of discussion point about that I don't know why anyone would do that but you can hide a social security number in a uuid if you want to as well we're just talking about a hundred you know uuids. Dave Longley: Version 4 is mostly random bits you can encode whatever you want in there so that we need to. Dave Longley: Gage in the certain level of security theater and that we understand what the threats are you did mention some number of threats there that you know are good for us to consider and we definitely do want the ID or at least the oral length something to be well bounded but we should also be careful about what we're actually protecting against. Manu Sporny: Alrighty so I'm hearing no change for now but that was a good discussion. Topic: Bundle VC-API and provide UX on API Docs Manu Sporny: Right I think that's that item next item up is bundled of e c API to provide user usability on API docs or good ux on API Doc's there and. Manu Sporny: https://github.com/w3c-ccg/vc-api/pull/270 Manu Sporny: Mike this is your fine work. Manu Sporny: Please give us some background. <orie> respec actually sucks for defining APIs. Mike Prorock: Yeah basically Respec is great for looking for spec standpoint prior we had Swagger up way back and then I think I added I want to say maybe redock or something as the default but basically there's three core libraries that developers tend to use for looking at open API docs that also do things nice things for us like cross check to make sure that you're actually inspect to open API. Mike Prorock: I had the ability to expand out and look at options on the apis as well as schema stuff and things like that and those are Swagger redock and wrap a dock and I've added just stub so developers know how to get at all three and can access all three from this as well as providing a unified a bundled up auto-generated spec on desire so that if you need to look at. Mike Prorock: At just a. Mike Prorock: Bundled function for like feeding into other developer tooling just issuer capabilities or all of the issue verifier holder for instance right you can go ahead and do that cleanly and pass things into like Swagger code gen nicely and not have any weird collisions and naming collisions or anything like that. Manu Sporny: All right plus one all that this is great work I had mentioned that there are a couple of Auto generated files that are being checked in here and notice that you were doing you were using workflows in I believe we can make it I think you were doing that just as an example Mike and when we. Manu Sporny: Okay plus one to that. Mike Prorock: Yeah I did and I pulled the auto Jen I wanted to make sure folks could go back in and look at the actual commit log so I'm like what actually gets generated right if they need to see that but yes the the auto gem stuff is pulled and there is a base you know workflow stub in there we could turn that on at a later date with a later PR I don't think we need to you know rely on this PR to go enable it. Mike Prorock: And another kind of side effect of this by the way is that this will sanity check and make sure that you're they open API animal stuff is all Linton properly additionally so it will catch errors as part of the build process if you introduce them in the spec or destruction of this. Manu Sporny: Fantastic great yeah this looks nice and clean now Mike so yep plus one to merge after folks have had a little more time to look at it Joe. Joe Andrieu: Yeah thanks no opposition what's going on here my question for you Mike was is there a way that this form of documentation evolves to identify the components I the apps and the services. Mike Prorock: Yeah so this is actually a nice the here this is setting us up to go down a path to actually tie in like if you were to look at rapid dock for instance we could go ahead and feed it the config of anyone complying with the test suite and actually have every one of those providers in the drop-down so you can go issue calls against them assuming you are authenticated at cetera right so yeah it not it. Mike Prorock: Is a lot of that stuff the. Joe Andrieu: Cool sounds good. Mike Prorock: Kind of question mark in this is actually addressed and I think that my second PR which is tagging right from an open API standpoint there really wasn't any in there I added some base tags in just to get this PR in generating cleanly and then the I think the next PR we're going to talk about actually cleans up some of that but that will be a room that we can evolve that tagging aspect of it. Manu Sporny: Okay I think any other thoughts on this looks I mean it looks good sounds like everyone wants to merge it in. Manu Sporny: Holding for a little bit and we'll move on. Topic: Initial GET and DELETE Operations Manu Sporny: https://github.com/w3c-ccg/vc-api/pull/271 Manu Sporny: All right um thank you like that's going to be a super useful PR let's see next one up is the initial get and delete operations that is this PR here to 71 Mike please give us some background on this one. Mike Prorock: Yeah this is kind of a follow on and that's I think why we flagged it do not merge is don't want to merge this until the prior PR that actually allows for proper bundling and stuff is in and especially because of tags and whatnot but this basically is moving us more down the direction of let's actually Define a good clean open API and I may have to looks like I may have. Mike Prorock: That same issue. Mike Prorock: Did I nope this actually looks right I thought I may not have backed out the auto generated stuff but it looks like it did but this goes through and covers things like how do I get a credential how do I get a credential by and I get a list of credentials right how do I get a credential by ID Etc if this is not perfect this is intended to be this is a start there are things like pagination for instance that we. Mike Prorock: We will want to look. Mike Prorock: Define a pattern by which we follow like do we want to return total pages in a wrapper object and stuff like that those are all common things that get done but we will want to agree as a you know group as to the best pattern to handle that for everything across the board like it in fact pagination came up was that to PR's back that we were looking at right so there are things like that that we will want to Define one sim and reuse as a pattern elsewhere. Mike Prorock: So yeah that's it's. Mike Prorock: You know Getters and Killers since we have a lot of post you know type operations this is kind of starting to fill in the rest and I think I put puts in there as well I don't recall but wanted to basically say yep let's define this basic pattern if it makes sense we can get this one in and then we can build off of that and fill in gaps for other things that maybe stateful and persisted on the server side. Manu Sporny: All right thank you for that Mike any questions or concerns about this PR. Manu Sporny: I do have one kind of set of questions Mike it's so I've got no objections to marching this I don't know Longleaf we have a position on gets around credentials or presentations so just as long as folks kind of know that like we don't have an opinion on this right now but we may form one in the future. Manu Sporny: In one of his opinions. Manu Sporny: We don't like it but certainly like let's define it see get some implementation variance and then see where we know what folks think about it. Mike Prorock: Exactly makes total sense in it and part of the reason that I want to get this in as like if we think from like a trade credentialing side right if I if we're going ahead and pushing presentations of credentials over and someone has an issue with one right they may need to call back and say hey give me that credential by this idea again right I I missed something on my end or I blew something up you know or need to retrieve some data so a lot of those kind of core things that come up in practice that we're doing already. Mike Prorock: We probably should just Define so. Manu Sporny: Yep go ahead. <orie> the current APIs are broken because revocation lists require this. Mike Prorock: +1 Dave Longley: Yeah I don't have any objections to how it's going so far a lot of this stuff is happening on the on the holder API side of things one thing that has been going on in issues I saw that the the exchanges API is tucked in here with the older API and one of the things we're talking about is how we might want to actually separate that out and have exchangers be their own entity so that's something else to consider in a in a future PR. <orie> I would be fine seeing the exchange apis pulled out of holder apis <orie> I welcome a PR to that effecct Manu Sporny: All right good good things to consider all around would anyone objected this point merging this in the next week I mean we'll give it you know a couple more days to make sure that everyone is able to take a look at it or he's saying he'd be fine seeing exchange apis pulled out a holder apis. Manu Sporny: Maybe we can do a PR I'm sorry there's a q Marcus go ahead. Markus Sabadello: I feel like it's a bit strange that we haven't had this before why didn't we think about this in the in the beginning I think we may have discussed this at some point and decided that maybe we didn't want this and maybe we wanted the API to do not have storage or not I do not remember the very fiber credentials but I think it's fine so I'm also. Markus Sabadello: Do you have this I would. Markus Sabadello: You to this should be optional right so there could be implementations that can issue but then don't remember what they issued but other than that I think this is good. Manu Sporny: Great points Mike you're up. Mike Prorock: Yeah I was going to say a big plus 12 pulling exchanges out into their own kind of deal like how do I manage workflows around stuff like I think that would be dependent on the prior PR that kind of cleans up the open API spec then this one and then I think naturally that would lead to us then breaking exchange out into its own now that we can actually bundle stuff properly and then tag it properly as well so I'm a big fan of that the. Mike Prorock: I think the main reason that I kept this. Mike Prorock: Holder type operations is that's the area where you are by definition like you're holding something right so you need to be able to Define how do you go get something out of that how do you you know you know delete something that's in there how do you update something that's in their etcetera right those are all the implicit kinds of operations and it has strong ramifications and implicit requirements around things like revocation right you need to be able to do these kinds of operations in order to cleanly check revocations or cross-checked it. Manu Sporny: Right okay I mean it sounds like there's you know a lot of support for this Marcus yes like you've got an excellent memory Marcus I do remember us talking about how we might not want these apis to be super stateful and so plus 12 making it an optional thing. Manu Sporny: And so we've got that. <orie> then we added revocation which made them stateful Manu Sporny: Sorry Dave go ahead. Dave Longley: Yeah and I just I want Mike said a lot that I agreed with and my read on this was that this is mostly just around holder apis has mentioned before and I think that that's a little bit new from the original discussions we had a while back where we're focusing on issue we're in verifier and the fact that I see this stuff only going into the holder API is why I am supportive of it it's not imposing anything on issuer verifier apis to add. Dave Longley: Add storage or special access to credentials. Dave Longley: You know this is this is tied to a holder API were which implicitly or supposed to represent some kind of storage or the ability to get access to some kind of storage of credentials. Orie Steele: The current revocation apis with the issuer update credential status operation or stateful and they imply ability to store credentials and resolve them over the network and it is totally broken that we happen to find that endpoint in some way in these sets of apis so yes like get operations are a thing developers are going to reach for. Orie Steele: That we have a broken revocation feature in the current sets of apis because we don't Define how to get that revocation list credential so it definitely needs to be fixed. Manu Sporny: Thank you Lori Mike Europe. <dave_longley> well, status list / revocation list specs define how to get the revocation VC Mike Prorock: Yeah and it and I think or he's getting at something that's important well Lori Mike Europe this transcriber makes me happy sometimes sorry the but yeah I two things you know one in relation to Horry and then one in relation to mr. Dave Longley there the when we look at things like updating credential status that really is a put operation of. Mike Prorock: Following rest best at best. Mike Prorock: This is an implied. Mike Prorock: That you're actually holding something right because otherwise how would you be updating it so I there is this sets up the ability to start more cleanly defining that stuff right that's probably misplaced being in the issuer side of the world and in fact thought very hard about pulling that over into the holders into finding it there properly but it did we can deal with that at a later date and I think you know Dave to. Mike Prorock: A point around option. Orie Steele: +1 To what mike is saying, revocation apis need to be updated or removed. Mike Prorock: Ality that's one of the reasons we have these separate roles is by definition you could go in and pick out and say nope I'm only doing stateless issuer or verifier type operations cool great awesome you know but if you do want to get into that holder aspect which is going to have other security requirements and operational that's pretty well you know it's implying some kind of state or you can't do it like revocation list for instance or an obvious one retrieval in the event of a storage failure is another one. Mike Prorock: Right so we're going to have to go in and Define the stuff cleanly. Mike Prorock: About saying well if you define a holder you can opt into the ability for someone wanting to use older stuff to go get a credential like that makes me a little nervous but I think from a role-based as far as opting into what roles you're filling that makes sense to me. Manu Sporny: All right go ahead Longley. Dave Longley: Yeah just one quick point to make I agree with most of what's been said here we'll there are some interesting lines for which you know buckets Things fall into whether or not an issue is being which which holder role are you playing or you holding credentials for X Y or Z the the if we're talking about revocation and certainly their stateful information with issuers and. Dave Longley: Fires that you know you. Dave Longley: Whole challenges for. Mike Prorock: +1 Dave - can get nuanced <orie> an issuer is a holder of revocation list credentials. Dave Longley: Apple for it to be a good verifier for for to be an issuer that does revocation need to be able to hold on or reference revocation lists credentials and someplace and but currently in the API we you know or he was saying it's broken I don't think that it's actually broken right now we just defer to revocation list specifications to say this is how you go fetch the revocation credential and that does work with the apis we have it's just not bound to these other restful. Dave Longley: Apis for fetching credentials and we should consider. Dave Longley: Was revocation list credentials go into the same bucket that you would find these other credentials and or you talking about a different holder instance those sorts of things are questions that are going to come up in the future. Manu Sporny: All right thanks Dave Keys Emmy we've had a good bit of discussion all good things to keep in mind as we move forward on this but I'm not hearing any one objecting strongly to merging this after a couple of days. Manu Sporny: Okay now that is that item let's see what's next up we're actually almost all the way through all over P ours. Topic: Add JSON Schema renderer for ReSpec Manu Sporny: So next up is adding a Json schema render for Respec. Manu Sporny: https://github.com/w3c-ccg/vc-api/pull/272 Manu Sporny: That is pull to 72. Manu Sporny: This is my futile attempt to try and render open API specifications and Respec and auto-generate normative spec language from it the initial experiment didn't get I mean it went fairly well like So currently in the VC API spec let me see what we have today right today if you look at one of the definitions it's looks awful. Manu Sporny: A bunch of. Manu Sporny: You can't really make out and there's just a lot of it that kind of stuff right so I wrote a Respec renderer to render that Json schema to look like this this is the first iteration but it does you know show you kind of the object that you should expect and the values there and even generate some normative text where it says like each item in the context array must be a string that comes directly from. Manu Sporny: The Json schema. Manu Sporny: Whatever changes we make to the Json schema is are automatically rendered and reflected in the Respec file and hopefully helps people kind of understand the type of objects they should be sending in future work includes including the examples in here in you know getting some things better it's really hard to generate human-readable pros from Json schema but you know. Manu Sporny: Not not bad for a first attempt. Manu Sporny: We have some gaps and it's so doing this exposed a bunch of gaps in the Json schema we have in fact some of the descriptions we have are pretty awful in some cases we don't have an explanation of what thing is like this is not a bug it's just we totally don't talk about you know the description here in some cases we put examples in with the Json schema text and other cases we actually Define an. Manu Sporny: Appropriate you know example. Manu Sporny: Fourth so one good thing that came out of this is it caught a bunch of bugs that we have in our actual Json schema. <orie> pretty sure you can see all those bugs in the rendered specs <orie> before Manu Sporny: Okay so that's that PR it just changes this pure Json schema output to something that's rendered a bit more nicely comments thoughts concerns. Orie Steele: Is this handle any of one of conditional type checking for Json schema and so it will render its fully supporting all of the features of open API specification 3s profile of Json schema. Manu Sporny: Fully supporting no but in time it will I only had a couple hours over the weekend to do this so so for example the any of is if you look right here the issuer object must be either a string or an object of the following form that is an any of statement in the OAS file so absolutely we you know I we have to support that stuff if we're going to render it but this is an example of its supporting any of. Manu Sporny: The problem is that. Manu Sporny: Json schema is it's been hacked together over many many years and so. Manu Sporny: I know you do. Orie Steele: I think it's beautiful actually personally I love it my favorite things of all time is that you can see a rendering of this exact stuff currently with any off-the-shelf open API specification rendering tool. Manu Sporny: Yeah yeah the the writing the render of those difficult so so at different levels they do different things and there's a whole bunch of like if then switch statements that nobody should care about but I'm just saying like it'll take a while to get there but you know that this was able you know I was able to do this in a couple hours it's probably not going to be hard to get the rest of the stuff supported. Orie Steele: I mean I know what I'm about to say is probably not going to come across well I'm trying but I would much prefer to see pull requests editing these definitions in the existing renderer than see pull requests to finding a new render open API specification 3. Manu Sporny: Sure I'll handle that w3c has certain things that they expect in your specification there there are a couple of options we have we can either say in order to be conformant with this specification you must be fully comport informant with the entirety of the Json schema. <orie> its OAS3.0 Manu Sporny: And there's one normative statement in the specification I don't expect something like that to go over well or os3 or whatever it is right we just basically say the spec is the spec only has one normative statement where it's like. <orie> The spec is defined in OAS3.0 Manu Sporny: 30 And that's the only misstatement we have versus having actual you know normative statements in the spec and being able to have test Suites you know that that test that stuff. Manu Sporny: My suggestion is that we it is it is going to be very hard for people to look at this in kind of understand what's going on by just looking at pure Json schema in the render Json schema while web developers cannot work with it it it. Manu Sporny: Is not have the type of normative statements that are expected in most you know standards thing so this is an attempt to bridge the world so that the folks that want a Json schema can have a Json schema in that can render it in any way that they want to but it's also expressed in a way that makes sense to w3c in because all of that is being Auto generated from the same Source it all says the same thing like normatively right. Manu Sporny: That's it so that's my you know that is why I feel pretty strongly that we need this renderer because without it the spec doesn't really say much of anything. Mike Prorock: I think I'm on Q there maybe I didn't add right but you know the other thought is that because there's kind of two things one is kind of is this and Reese back from a formatting and a theming standpoint and then you know rendered out you know in a way that's consumable preferably with as much optionality as Pate you know possible to make sure that it you know all the actual details to objects or captured etcetera. Mike Prorock: The other path. Mike Prorock: We could go. Orie Steele: +1 To theming an existing tool, and not reinventing wheels Mike Prorock: Hi is just putting a theme together for you know in a config together for something like a crappy doc or redock and have it render out as you know you know with respect boundaries around it etcetera right and just insert that stuff as header and footer in the templates I mean that that is an option and then we're not worrying about the renderer you know you know like interpreting and rendering this stuff right. Mike Prorock: It's more you know are we. Mike Prorock: Hurting you know normative text where it needs to be inserted. Manu Sporny: Episode two questions is anyone under the impression that 100% of this is not Auto generated like so or you said something that made it seem like you thought that this is hand-written stuff. Orie Steele: No I wasn't trying to infer that I was asking whether you supported all of the features of open API specification that we automatically validate because if you don't you'll be maintaining that difference for this tool whereas we wouldn't have that issue if we just used an existing tool that implemented all those features. Manu Sporny: If someone wants to raise a PR that uses an existing tool to render this stuff in a way that makes sense to like either any any kind of you know standards ITF spec or w3c spec like plus 12 that I did look at doing that in some of the challenges with all of these tools is that they view themselves as kind of the center of the world and they are the. Manu Sporny: One that is going to be creating the. <dave_longley> i.e., the renderer output should create W3C normative statements Manu Sporny: And rendering it in you know the appropriate way in that stuff was not easily importable into Respec. Manu Sporny: The other issue of course is that those things what what's in this Json schema files contain zero normative language so there's that challenge as well. Manu Sporny: So I mean plus 12 someone doing the work and you know creating a renderer I tried doing that it was not he liked it it I could not see a path through the jungle primarily because of the way these renders tend to basically create the structure of the document and then just change the CSS classes go ahead or. Orie Steele: Yep I mean I understand the desire to have w3c you know normative language rendered out with these mosques and certainly you've created a tool here that does that I am not volunteering to assist you in the development maintenance or configuration of this tool I am committed to maintaining these API definitions and open API specification three I think it is a mistake to invest in this kind of. Orie Steele: Thing and Spencer. Mike Prorock: https://spec.openapis.org/oas/v3.1.0 Orie Steele: All time on it and we have redock and Swagger renderers for open API specification free and I think it would be better to have a single normative statement that said conformant implementations implement the open API specification 3. Orie Steele: And that. Mike Prorock: https://github.com/OAI/OpenAPI-Specification/blob/main/.github/workflows/respec.yaml <mprorock> using md to html Orie Steele: As a single normative requirement feels to me much better because it makes us put our effort into the spec instead of putting our effort into normative statements under every field and property in the spec we have to actually make the API spec clean and consistent and I think it aligns incentives properly so I mean again like I appreciate the tool it looks very nice but you know I'm definitely not volunteering to assist in any kind of work on this. Manu Sporny: Yep plus 1 I wasn't expecting anyone to help with maintenance of this tool. Manu Sporny: Go ahead Dave. Dave Longley: Is there any other w3c spec that we can turn to that as presidents here so we can copy what they're doing or we get again doing something brand new. <orie> W3C generally doesn't do HTTP APIs, haven't you heard? <orie> lol <orie> /s Manu Sporny: They they all the w3c specs all the specs that I've seen that have come out of standard-setting organizations have handwritten all the normative language when Horry that is not true w3c has defined HTTP apis before. Manu Sporny: The linked data platform is an example. Dmitri Zagidulin: I think that was before OAS was popular. Manu Sporny: Yep yeah just to be clear like the core definition happens in OS nobody's saying that that changes. Manu Sporny: Okay anyone else want to weigh in on this so I'm hearing opposition to this PR. Mike Prorock: I am not opposed to be our I'm kind of more along the lines of like is there perhaps more efficiently and I'm just not 100% sure just because we've done some pretty crazy redeeming without a huge amount of effort on both rapid Dock and ridak Lee the I did note that the open API spec and I think it got lost by the transcriber but like the guys that actually have the. Mike Prorock: Open API specification right away I. Orie Steele: https://swagger.io/specification/ Mike Prorock: They are generating from you know you know just using the normal ITF approach and then generating Respec from that I'm what I've not dug into yet is how much are they like defining normative text or dividing themselves in open API specification but that is something that they for sure are doing and are generating out clean Respec with you know with full documentation itself. Orie Steele: To be clear I did approve the polar. Mike Prorock: https://spec.openapis.org/oas/v3.1.0 Mike Prorock: As did I yeah. Manu Sporny: Okay yeah I mean plus 1 I don't want to be maintaining this tooling either but it's the only way that I can see putting it into a format that w3c members are going to like recognize all right otherwise we're going to be paying you know fighting an uphill battle of trying to convince w3c that they should be using OAS to Define specs and maybe that'll you know happen just fine. Manu Sporny: Yeah but plus 1 if somebody else wants to do the work to make this easier or put it into some kind of format that's going to be easy to put through you know w3c and or ITF like please help to do that and I realize that you know people may not want to help with this current tool but I'm fine with that. Manu Sporny: Other comments questions on this. Manu Sporny: All righty that's it for the call today sorry when a minute over thanks everyone for the great discussion thanks folks for the PRS I think we're clear on actions so please look at the issues and see if there's some PRS that you can raise or want to raise before next week's call we will probably not meet if they're not new people. Manu Sporny: ER so. Manu Sporny: Raise some PR s if you feel that there's a certain item that needs to be pushed forward with that thanks everyone for the call see you all next week bye. Mike Prorock: https://github.com/Mermade/widdershins
Received on Wednesday, 16 March 2022 00:22:05 UTC