[MINUTES] W3C CCG Verifiable Credentials API Call - 2022-11-01

Thanks to Our Robot Overlords for scribing this week!

The transcript for the call is now available here:

https://w3c-ccg.github.io/meetings/2022-11-01-vcapi/

Full text of the discussion follows for W3C archival purposes.
Audio of the meeting is available at the following location:

https://w3c-ccg.github.io/meetings/2022-11-01-vcapi/audio.ogg

----------------------------------------------------------------
VC API Task Force Transcript for 2022-11-01

Agenda:
  https://lists.w3.org/Archives/Public/public-credentials/2022Oct/0124.html
Topics:
  1. Introductions and Relevant Community Updates
  2. Processing Pull Requests
  3. credentialId in updateCredentialStatus
  4. Requesting client features
Organizer:
  Manu Sporny
Scribe:
  Our Robot Overlords
Present:
  Manu Sporny, vivien (mavennet), Greg Bernstein, TallTed // Ted 
  Thibodeau (he/him) (OpenLinkSw.com), Eric Schuh, Dave Longley, 
  Joe Andrieu, Dmitri Zagidulin, John Kuo, Patrick (IDLab), Logan 
  Porter, Mike Varley, Mahesh Balan - pocketcred.com, Ted Thibodeau

Our Robot Overlords are scribing.
Manu Sporny:  All right welcome everyone to the November 1st 
  verifiable credentials API call I will put our agenda in the chat 
  Channel.
Manu Sporny:  And I will share my screen.
Manu Sporny:  On the agenda today we've just got this agenda 
  review introductions and relevant Community updates I forgot to 
  mention pull request we have a number of pull requests so we'll 
  go over those and then we will go into our main agenda which is 
  seeing if credential ID makes sense and update credential status 
  will talk about how.
Manu Sporny:  All deals with requesting client features we are 
  hoping for an update on kind of use cases Eric Joe if that's 
  possible sorry to put you on the spot but this was an issue that 
  was in the queue in about time for discussion again and then any 
  other issues as time permits are there any other changes or 
  updates to the agenda before we start.

Topic: Introductions and Relevant Community Updates

Manu Sporny:  Okay is there anyone new to the call Vivian I think 
  you might be new or re intro would be great from you.
Vivien_(mavennet): This is Vivian from Mavennet.
Manu Sporny:  Awesome welcome welcome to the call Vivian anyone 
  else new to the call thanks I think everyone's been here before.
Manu Sporny:  All right well welcome again Vivian wonderful to 
  have you on the call.
Manu Sporny:  All right relevant Community updates.
Manu Sporny:  Let's see there's some special topic calls that 
  folks here might be really interested in around verifiable 
  credentials the verifiable credentials working group has had a 
  special topic called those minutes will be published on that 
  mailing list that has to do with making at context optional which 
  could have a variety of consequences so make sure you're paying 
  attention to that if you were not on the special topic call 
  today.
Manu Sporny:  Other thing that's happening in two weeks well next 
  week is the internet identity Workshop how many people here are 
  going to be there should we cancel next week.
Manu Sporny:   Oh really.
Manu Sporny:  Well I mean is anyone he gonna be there like we 
  don't have it okay.
Joe Andrieu:  Yeah I'm surprised it's next week already oh yes 
  please let's go I will be but but if I'm the only one maybe we 
  don't need to cancel I think both Eric and I are going to go.
<john_kuo> I'm planning to be there
Manu Sporny:  Okay cool have fun London.
Dmitri Zagidulin:  Which event is this.
Dmitri Zagidulin:  Right on right on right on.
Joe Andrieu:  That's what I was going to say yeah you didn't miss 
  me so that's like really next week oh my goodness.
Manu Sporny:  Hi I'm sorry the ITF sorry I must misspoke I 
  misspoke i-i'm sorry yeah next week is ITF yeah sorry and next 
  week is next week is ITF the week after is IW we will definitely 
  cancel for iiw do we need to cancel next week for ietf.
Manu Sporny:  Okay so I'm guessing no none of us are going to 
  ietf okay good so we'll have the meeting next week but the week 
  after that is definitely canceled and I think the week after that 
  is u.s. Thanksgiving if I remember correctly okay good so we'll 
  have the meeting next week and then a two week break.
Manu Sporny:  Any other announcements or things we should be 
  aware of before we get into our agenda.

Topic: Processing Pull Requests

Manu Sporny: https://github.com/w3c-ccg/vc-api/pulls
Manu Sporny:  Okay next up its processing pull requests here is 
  the link in the chat Channel.
Manu Sporny:  I'm gonna go on these and the order that they were 
  raised so the first one the group has been discussing for a while 
  publishing a version of the VC API that could be published as a 
  note a draft note in the verifiable credentials working group.
Manu Sporny:  That was raised an issue 304 we had some discussion 
  they were there was a request to basically take exchanges out and 
  make a couple of modifications or you request that we have made 
  those changes to the request and then those requests were carried 
  through in the pr so today we.
Manu Sporny:   Have a.
<manu_sporny> Prepare document for publication as VCWG Draft 
  NOTE: https://github.com/w3c-ccg/vc-api/pull/320
Manu Sporny:  So this is 320 prepare document for publication as 
  V CG W no put this in the chat Channel there and so what this 
  what this PR does is it branches off of the main repository so it 
  takes the latest version of what we're working on right now and 
  then it deletes all the things.
Manu Sporny:   All of us agreed.
Manu Sporny:  So it deletes exchanges it deletes you know that 
  from the yanil files from the OAS files it anyway it's so deletes 
  all that stuff and deletes all the content talking about it so 
  the only thing that's left is the standard API so you can look at 
  a rendering of it here so down here in the issue I've published a 
  rendering of the specification here.
Manu Sporny:   Which has.
Manu Sporny:  The front matter content you know empty design 
  goals the architecture overview Joe description of the apps.
Manu Sporny:  And then issuing verifying and presenting you'll 
  note that all the exchanges stuff has been deleted and the spec 
  doesn't mention exchanges anywhere they're so so the basic stuff 
  here that in theory should be non-controversial is in there and 
  that's what we have right now we were the last time we talked 
  unsure about how we would manage this but I've found a way to do.
Manu Sporny:   This through GitHub that looks.
Manu Sporny:  Let me kind of highlight what the problem is a note 
  as published through a w3c working group has zero intellectual 
  property rights protection zero IPR protection in this group in 
  the ccg we at least have some right which means that everyone 
  participating in this has agreed to the credentials community 
  group IPR policy so there is IPR protection on this thing that 
  we're we're.
Manu Sporny:   Creating together if we were to.
Manu Sporny:  Of that as a note into the V CW G and give a full 
  access and control over the V CW G they would have zero IPR 
  protection on it so the suggestion is let's keep the 
  specification in this group so there's IPR protection on it but 
  what we can do is we can Fork the specification into the V CW G 
  in have this Branch mainly cwg published as the published as the.
Manu Sporny:   The VC.
Manu Sporny:  Verifiable credentials working group version of a 
  draft note that means that we can continue to work on the spec 
  here our work here is not you know compromised or disturbed in 
  any way we continue to have IPR protection here but we are also 
  able to simultaneously publish a note in the verifiable 
  credentials working group okay so that's that's kind of the pr 
  and the suggestion on how we would manage this.
Manu Sporny:  Questions comments concerns.
Manu Sporny:  Go ahead go ahead Dave.
<greg_bernstein> Sounds reasonable. Didn't know about the IPR 
  issue.
Dave Longley:  My one concern would be if the VC w g wanted to 
  make any kind of changes or whatever they wanted to do with the 
  note that might not be a goal but if they did I would be worried 
  about the IPR stuff would we tell them those changes should flow 
  back through the ccg for that reason.
Manu Sporny:  Probably in there may be a couple of people in the 
  group that get super cranky about that and they're like we need 
  control over the VC API spec so that's just a conversation we'll 
  have to have with that group ideally what we do is we were like 
  oh yeah that's a great change please raise an issue on the in the 
  ccg and then make a change to the spec and the next time we make 
  a snapshot for the draft note will include those changes.
Dave Longley:  That sounds good.
Manu Sporny:  The other thing is if you have not already approved 
  this PR and you want this thing to go through please please do a 
  PR review and approval on it don't have to do it right now but 
  please get to it at some point over the next week.
Manu Sporny:  Okay any other concerns about the ccwg draft note 
  on BC API.
Manu Sporny:  All right if not moving on to the next PR and I 
  have not seen these yet Andrew raise something about adding a 404 
  as a response for get delete credentials ID and same for 
  verifiable potential credentials it seems like a pretty 
  reasonable thing so if that thing with the ID doesn't exist you 
  get it.
Manu Sporny:   Four for four.
Manu Sporny:  And we don't need to you know discuss today this is 
  just raising awareness to the group that there's a PR that does 
  this in here seems pretty reasonable.
Manu Sporny:  Alright next up is.
Manu Sporny:  Verifiable presentation to exchange examples 
  corrects the mistake where the exchange examples didn't match the 
  exchange continue schema Dave you take a look at this what are 
  your thoughts.
Dave Longley:  Yeah I believe there was another PR that made it 
  in a little while ago that fixed up the exchange of spec 
  somewhere and the examples just were not brought along with that 
  is my understanding of this PR and that just fixes that up.
Manu Sporny:  Okay the only thing I did take a quick look at this 
  the only thing that I was a bit concerned about is like there's a 
  lot of changes here so I might need to carefully.
Dave Longley:  Yeah it looks like that it should people should 
  carefully look at it but I think that's mostly because of an 
  indentation so this this text just got moved to the right because 
  the change that was made to the exchanges was the adding the top 
  level property verifiable presentation and so instead of dropping 
  a presentation directly into the payload we have that property 
  there and we've been talking about that over the last few weeks 
  and so yep.
Manu Sporny:  Okay so this this thing is really the only 
  significant change.
Dave Longley:  That is my understanding yep.
Manu Sporny:  Okay alright well everyone keep a close eye out as 
  you're looking to make sure that that's true because we just want 
  to make a small change here not a big one all right and then 
  finally add verifiable presentation request property to exchange 
  initiate.
Manu Sporny:  The candies are schema changes.
Manu Sporny:  And lonely looks like you've reviewed this one as 
  well.
Dave Longley:  Yeah my comment so this changes in line with those 
  other ones we just discussed making sure we have a top level 
  property and so this was a change to the schema to do the same 
  and then Michael my comment here is just about the technical 
  detail of that.
Dave Longley:  Don't know if this is I haven't made any of these 
  changes to the schema before and I don't know if this is a 
  precisely the right way to do it that's all.
Manu Sporny:  I think it is yeah it's confusing but it's just a 
  weird OAS thing OAS yeah Mille thing.
Manu Sporny:  Anyway everyone everyone should pay attention to 
  this as well okay I think that's it for pull requests any any 
  other questions comments concerns about the PRS.
Manu Sporny:  The only thing to point out here is this this thing 
  is never going to be merged we're going to have a Perma never to 
  be merged branch called main Dash B CW G that will will be what 
  the VC WG Cuts their draft notes for VC API off of.
Manu Sporny:  So I think I'll probably close this PR after about 
  a week and then we'll bring it up in the VC w g.
Manu Sporny:  Go ahead Logan.
Manu Sporny:  No audio from you Logan I think you're still muted.
<logan_porter> can't unmute for some reason
Manu Sporny:  No sorry Logan you might try just refreshing your 
  browser.
Manu Sporny:  Someone else had that bug right where you couldn't 
  unmute.
Dave Longley:  That has happened to me before you.
Manu Sporny:  Okay do we know if it's like a Firefox Safari 
  thing.
Manu Sporny:  Logan can you unmute.
<logan_porter> still greyed out...
Manu Sporny:  Still no it's grayed out interesting.
<manu_sporny> Can you type your comment/question into chat?
<logan_porter> Question was just if there is a need for IPR 
  protections for the note if the intention is just to run the test 
  suite?
Manu Sporny:  Okay so Logan asks if there's a need for IP are 
  protections for the note if the intention is just to run the test 
  Suite so everyone should check with their favorite legal counsel 
  on what I'm about to say this is not legal advice at all I am not 
  a lawyer typically you always want IPR protections on anything 
  that's potentially going to.
Manu Sporny:   To become a standard of some.
Manu Sporny:  Any kind of Gap in IPR protection means that 
  somebody could sneak some kind of patented thing or in their own 
  intellectual property into it and you don't have any kind of 
  recourse so usually you just want a very nice complete IPR story 
  for the thing that you're working on we have such a story for the 
  VC API specification.
Manu Sporny:  We were to take what we are working on right now 
  and hand it over to the verifiable credential working group it 
  would create an events that the second we handed it over it has 
  no IPR protection whatsoever and so people can talk and say 
  things and raise issues and add PRS and all that kind of stuff 
  and whatever they do they're they can do without having to worry 
  about announcing that they have a patent on the thing that they 
  are saying they're putting into the standard or any of that stuff 
  right.
Manu Sporny:   Right and so is there.
Manu Sporny:  For IPR protection.
Manu Sporny:  Actions for the note absolutely because we do not 
  want to end up where there's a gap in IP are protections 
  companies there are some companies on this planet that look for 
  openings like that or try to play games when when specifications 
  are not IP are protected.
<greg_bernstein> Patent Trolls :-(
Manu Sporny:  Greg said it best patent trolls.
Manu Sporny:  So anyway that's going to the argument to the 
  verifiable credentials working group and then we'll see if 
  anybody has any brighter ideas and how we can.
Greg Bernstein:  Patent trolls particularly look at standards and 
  go after standards I've had bad dealings with them so that's what 
  they do.
Manu Sporny:  They're particularly nasty lot.

Topic: credentialId in updateCredentialStatus

Manu Sporny: https://github.com/w3c-ccg/vc-api/issues/126
Manu Sporny:  Okay thank you for that Greg in let's get into our 
  primary agenda here which is use of credential ID when you do 
  update credential status link for that is here.
Manu Sporny:  And I will open a tab to that.
Manu Sporny:  Okay so the general question have we got we've 
  talked about this back in March of this year should we allow 
  should we should do you require a credential ID when you update a 
  credential status Marcus is saying it might not fit all use cases 
  especially use cases where you don't want to give your credential 
  and ID not quite sure if the fields.
Manu Sporny:  We discussed this back in march/april timeframe.
Manu Sporny:  Everyone can read this to catch up I don't want to 
  read out loud.
Manu Sporny:  Yeah so I don't think there's a clear resolution 
  here from the last time we talked about this I think it is 
  definitely known that it is possible to issue a verifiable 
  credential that doesn't have an ID and then once you do that.
Manu Sporny:  There's I guess no way of accessing it unless you 
  iterate through every credential you've ever issued to get it's 
  you know endpoint URL thing go ahead Joe.
Joe Andrieu:  What component is this.
Joe Andrieu:  Who's asking for a get from home.
Manu Sporny:  That's an excellent question.
Manu Sporny:  I don't know because I didn't I'm not the one that 
  yeah suggested this endpoint go ahead Dave.
Dave Longley:  I didn't get on here to answer Jos question but I 
  think the answer is the issuer coordinator does does it well this 
  is a get for getting the status or for changing the Status I 
  would think and then the issuing service would have what have the 
  endpoint to allow the status to be changed in some way I don't 
  know I haven't looked closely to see that whether the.
Dave Longley:   The API.
Dave Longley:  As that the credential ID that's used must 
  necessarily reference the ID field of the credential perhaps 
  there's certainly if you don't have any handle for accessing a 
  credential at all there's I don't see how you could implement 
  this endpoint but I understand that there are use cases where 
  people want to have credentials that don't have IDs that are that 
  use the ID field in the credential but maybe internally there's 
  some other ID.
Dave Longley:  That could be stored and used in the issuing 
  system and when you specify the credential ID field that could 
  map to either that could map into some internal space that the 
  issuer has and is able to look up the credential in short I don't 
  see how we could possibly get rid of this field but we might need 
  to clarify or figure out is whether or not the field needs to 
  necessarily map to the credentialed ID.
Dave Longley:   Field in a credential.
Manu Sporny:  Sorry taking notes go ahead Joe.
Joe Andrieu:  Just as well two things what I think I think Dave's 
  hit the nail on the head and that the the identifiers do not have 
  to be the same identifier so that may be a solution you could use 
  a hash or actually the content of the VC itself as a parameter 
  right update by example I don't necessarily like that approach I 
  wouldn't recommend it to my clients but just.
Joe Andrieu:   We could do that to get around the ID field.
Joe Andrieu:  But I think the better option is just say hey the 
  ID doesn't need to be the ID in the credential it needs to be an 
  identifier in the status architecture for that record.
Manu Sporny:  Thanks Joe baby said something about this is 
  associated with the issuer coordinator.
Dave Longley:  Yeah the issuer Coordinator would be responsible 
  for doing an update to the status and it would be hitting the 
  issuer service giving it some identifiers that the service knows 
  how to use to dereference the credential that's meant to be 
  updated.
Joe Andrieu:  Yeah it's important there man you and your note the 
  it's a call from the issuer coordinator to the issuer service.
Joe Andrieu:  So know the language I've been advocating about 
  which component is it on this is this would be on the issue or 
  service as a component and it's expected to be called by the 
  issuer coordinator.
Manu Sporny:  All right is this enough to write a PR hmm it's a 
  bit hand-wavy if we're going to say I think we can it's a bit 
  hand wavy isn't it.
Joe Andrieu:  But what's what is the value of the ID field.
Manu Sporny:  The credential that ID field.
Joe Andrieu:  In the API do we have an expectation structure of 
  what that ID field needs to be.
Manu Sporny:  I don't I don't remember this is in.
Dave Longley:  Yeah so the field that has to be sent is 
  credential ID that's two words using camelcase.
Dave Longley:  And I don't think we say very much about it but 
  what we should do is add some text that says this just this needs 
  to to map to a credential the issuer needs to know how to map 
  that to a credential that in that mapping may include mapping it 
  to the credential dot ID field or it may not and issuers are 
  responsible for making sure there wouldn't be any conflicts.
Dave Longley:  You know you could get into a situation where if 
  you have a set of credential you want the names you want the 
  namespace to be clean so.
Dave Longley:  Any credential ID that is handed to you should not 
  be able you should be able to find two different credentials as a 
  result of it should uniquely identify one credentialing you're 
  issuing system.
Joe Andrieu:  From that issuer.
Dave Longley:  From that issuer.
Dave Longley:  It is I mean it is also the case we should 
  probably just go ahead and say this so that people so that it's 
  simple the the credential dot ID field in the VC data model is a 
  URI that's supposed to be globally unambiguous the credential ID 
  field should be the same.
Dave Longley:  Sure should make sure that when they create 
  generate identifiers for their credentials the ones that they use 
  internally can't be somehow in conflict with the ones that are 
  exposed through the credential that ad field.
Manu Sporny:  Okay is that enough to write a PR probably but we 
  are kind of hand waving around like.
Manu Sporny:  We're leaving it up to implement or stick.
Manu Sporny:  I do the mapping so so I you know what happens 
  when.
Manu Sporny:  I don't understand how when something is issued.
Manu Sporny:  Where that is signal to the receiver to the in the 
  response call like do we give it back like in the metadata.
Dave Longley:  So this is one of the reasons why we wanted to 
  make sure that when the credentials issued there's a top-level 
  property like credential verifiable credential which I believe we 
  made sure that we do so if the credential itself does not have a 
  credential that ID field you could place a different top level 
  property and we should probably call it credential ID so it maps 
  to this field were using here and put the credential ID there.
Dave Longley:   And so.
Dave Longley:  An issuer Coordinator would would need to keep 
  track of that information in some way or be able to find it again 
  in some way and we're with that's very hand wavy we haven't said 
  how that would work.
Manu Sporny:  Logan Logan I'm sorry I don't know if that was an 
  old Q or a new cue I was assuming it was an old queue.
<logan_porter> old one
Manu Sporny:  Okay I mean that's Fields enough to write a PR I 
  don't know if I don't know if I'm super happy about that type of 
  PR are they any other people that have reservations around this 
  language or should we attempt to PR and see what it see where we 
  go from there.
Manu Sporny:  Go ahead Greg.
Greg Bernstein:  Let me see since I'm an outsider we've got the 
  unique URL we're supposed to use to identify.
Greg Bernstein:  Central right that's the credential dot ID that 
  we have to have in the credential correct and then we're saying.
Greg Bernstein:  That's what I'm asking.
Dave Longley:  Just just jump in real quick you technically don't 
  have to have one so that's really where the mess comes in yep go 
  ahead.
Greg Bernstein:  You don't even have to have one and then we have 
  how we're going to talk to the API about this credential that has 
  say already been issued and we'd like to get an update or a 
  status on it right and so I kind of think well if I had that 
  other URL that may not be the same place I talk to the API it 
  might be.
Greg Bernstein:   Symbolic but.
Greg Bernstein:  Of a subfield within it that I would use to talk 
  to the API right some you know the number part of the ID like we 
  see in the examples when I've been reading the docks so you know 
  that's where I kind of see okay we have this one field kind of 
  identifies it and then we have this other use of something 
  similar so is that getting kind of like why we've got this bit of 
  a.
Greg Bernstein:  What's its job.
Joe Andrieu:  II think so I'm trying to I'm trying to parse 
  through what you mean by the the update on the status so this 
  this end point here is to just to set the status of a given 
  credential so if you're going to revoke the credential you need 
  to and actually I'm not sure this lives on the issue or service 
  but I think that's that's a fair debate and not vital to this 
  point it may live on the status service.
Joe Andrieu:   But that's a that's an architectural difference.
Dave Longley: +1 This is for the issuer coordinator
Joe Andrieu:  This is not an endpoint for someone other than the 
  issuer coordinator to do anything so if you're the holder or the 
  verifier this is not an endpoint you would use for that 
  credential.
Greg Bernstein:  Okay so I don't want to go back to that language 
  that I thought you guys were getting away with away from internal 
  versus external interface but this is definitely not.
Greg Bernstein:  Older talking to the issuer.
Greg Bernstein:  Okay don't know if that helps at all.
Joe Andrieu:  That's right yeah there is another property which 
  is the the refresh endpoint which I think is closer to what you 
  were looking for in terms of the holder saying hey I need a 
  refreshed version of this VC and that's a that's a different.
Dave Longley:  Yeah so to try and walk through on the Fly here 
  how I would expect the system to use this credential identifier 
  you can imagine a system that has a set of users that it wants to 
  issue credentials to.
Dave Longley:  Those users could authenticate into their system 
  using whatever mechanism as desirable and then they could choose 
  to receive a credential and when they make that choice the a 
  credential identifier could be generated that would be bound to 
  that users record internal record in this would be somewhere like 
  in the issuer coordinator system and so would be a binding 
  between that local user account of sorts and.
Dave Longley:   The credential that they're going to be 
  receiving.
Dave Longley:  That credential ID could then be used when you're 
  generating the credential and it could either go into the 
  credential data field or it could just be stored internally in 
  the issuing system where some kind of or the status service where 
  some kind of binding and linkages between a credential and its 
  current status.
<greg_bernstein> Makes sense...
Dave Longley:  And so it might be more the case that instead of 
  assuming that these issuing services will generate ideas for you 
  you'll be you'll be managing your own ID space generating some 
  kind of ID linking that to some local record and then that idea 
  either goes into the credential that ID field or it doesn't but 
  you can always reference the credential that is linked to a 
  particular user account so if you need to suspend it or revoke it 
  or change some status in some other way you.
Dave Longley:   You know this is the user I need to change there.
Dave Longley:  You ask your system to give you the credential ID 
  and then you can use that to make the change to the status.
Manu Sporny:  So I have a question around how if the status 
  service sorry if the.
Manu Sporny:  Where's this endpoint it's on it's the issue it's 
  the issuing service when it issues a credential.
Manu Sporny:  How does it communicate what the credential ID is 
  back to the caller.
Manu Sporny:  If you don't set credential ID.
Dave Longley:  So I think it's the case that the caller should be 
  saying what the ID is and the issuing service should use whatever 
  idea was presented was handed to it and only if there's some kind 
  of conflict like that credential already exists should there be 
  an error generated that way the caller has complete control over 
  what id gets used and whether or not it appears in a credential 
  and what we probably are missing what we the Gap that we probably 
  have here is.
Dave Longley:   Being able to specify the credential ID property.
Dave Longley:  To the issuing service when you ask it to issue a 
  credential so that it has an identifier to keep track of it if it 
  need if it has status that could change so you know we're trying 
  to cover a number of use cases we have credentials that don't 
  have status so their status is never going to change and those 
  credentials may or may not have IDs and then we have credentials 
  that have status and the status might change and those may or may 
  not have IDs.
Dave Longley:   And whoever's calling into the issuing service 
  should be providing the identifiers.
Dave Longley:  That the issuing service can store those and and 
  enable status changes if their status on the credential.
Dave Longley:  So that keeps the control over the identifiers and 
  the identifier space in the hands of the party that's using this 
  third party software to do the issuing and it's only the 
  responsibility of the of that issuing party to let them know 
  whether or not they have a conflict in ID.
Manu Sporny:  All right so how many PR says this we need a PR to 
  specify credential ID to raise a PR that specifies how 
  credential.
Joe Andrieu:  Hold on one second I've been confused about this 
  credential ID so assuming there's no Q so this credential ID is a 
  new property being proposed for the VC DM so it's a property of 
  the VC okay that's where I got lost okay but where's it go got 
  it.
Dave Longley:  No it is not okay yeah this is this is just for 
  this API so that you can communicate to the issuing service 
  here's an identifier for this credential that I will use later to 
  refer to it because I'm not going to put I'm not going to use the 
  VC DMS identifier property.
Manu Sporny:  So we need to raise a PR that specifies how 
  credential ID is set when calling credentials issue right in that 
  ID is this ID this credential ID the thing that you can do a get 
  / credentials Prudential ID on.
Dave Longley:  Yes if you do not specify credential dot ID in the 
  credential you send to the issuing service then and you want to 
  be able to refer to that credential you must specify credential 
  ID the field you've most recently typed when you issue the 
  gradual.
Manu Sporny:  Man what happens if you don't do it you throw an 
  error or you ought to generate one.
Dave Longley:  No because there's a use case that's totally valid 
  for specifying a credential that has no status and no i.d..
Manu Sporny:  Okay okay okay comment works on this okay so we 
  need to raise a PR that specifies how credential ID is set when 
  calling credentials issue that value is what is used when making 
  a call to get credentials blah blah blah it is possible to not 
  set this value.
Manu Sporny:  It is also possible that credential ID is set and 
  if that's set and that value becomes Prudential ID I get that 
  right.
Dave Longley:  Yeah the flowchart is is really if the credential 
  has credential that ID that field is used that's the simplest 
  case.
Dave Longley:  The next case is if credentialed that idea is not 
  that sure.
Manu Sporny:  Hold on slow down sold out and kill is used for 
  credential I be if protential.
Dave Longley:  There is no credential that ID.
Dave Longley:  You may optionally specify credential ID.
Dave Longley:  Camel case version.
Manu Sporny:  Give me the name okay.
Dave Longley:  And it if you don't specify you won't be able to 
  change the status on a credential if you do then you can change 
  the status provided that you've also specified whatever type of 
  status you need to that's also open here in the credential.
Manu Sporny:  So what was the last thing you said if you don't 
  specify it you can't change the status.
Dave Longley:  Period you know. And then if you do specify it 
  then you can change the status on a credential using that field.
Dave Longley:  If the credential also has a status to be changed.
Manu Sporny:  Okay do we want it that's fine and I think it's 
  consistent do we want to explore the auto generation of something 
  and specifying that in the HTTP header that sent back like a 
  location.
Manu Sporny:   You know.
Manu Sporny:  When you do a like it what is into one create you 
  can specify a location.
Dave Longley:  So right I think the second we do that then we 
  change who's responsible for creating the identifiers or we make 
  it possible to change possible to decide which response which 
  party is responsible and I don't think we should take on that 
  complexity if we don't need it so let's not do that now.
Manu Sporny:  Okay all right so is this the only PR that we need 
  to raise it feels complete any other any other concerns comments.
Manu Sporny:  Going once going twice.
Manu Sporny:  I'm bright well that's good I will mark this ready 
  for PR in we will go on our merry way all right next up mmm this 
  one is going to take more than 10 minutes.

Topic: Requesting client features

Manu Sporny: https://github.com/w3c-ccg/vc-api/issues/280
Manu Sporny:  But we can get started requesting client features 
  issue 280.
Manu Sporny:  I already had that open all right how our client 
  features requested by the server during exchanges during a 
  verifiable presentation request so the general thing the general 
  issue is how does an issuer say I need you to did off using these 
  did methods or I only support.
Manu Sporny:  It's or things of that nature there was a proposal 
  put forward.
Manu Sporny:  I think Tobias had some concerns about this was 
  back in April.
Manu Sporny:  And we haven't talked about this yet here in the 
  group I guess so there's a suggestion the way did all that is 
  covered in the VC API today there's a did authentication flow and 
  a part of the did authentication flow actually maybe it would be 
  better to bring this up EP request spec.
Manu Sporny:  So in the verifiable presentation request spec 
  there's a section on did authentication in the question is how do 
  you request client features how do you how do you as the server 
  how do you tell the client hey I need you to do these things and 
  these specific ways or I only support these crypto sweets or any 
  support these did methods.
Manu Sporny:   Go ahead Dave.
Dave Longley:  Oh sorry I didn't mean to cut you off just want to 
  get on cue.
Manu Sporny:  Okay well okay okay Rick you then yeah right now we 
  have a mechanism in did authentication that says these are my 
  accepted methods you can also list crypto sweets these are the 
  crypto sweets that I support as as a query that comes across 
  right and that can really be for any kind of client provided 
  feature so it can be either a feature.
Manu Sporny:   That the client has.
Manu Sporny:  It can be like a very specific credential that the 
  individual has or the digital wallet has so like if the issuer 
  was like I want to make sure that your before I give you this 
  credential or before you did off I want to make sure that your 
  keys are protected in an HSM for whatever reason right and then 
  that query goes to the client and then it's up to the client on 
  whether or not they want to respond to that or not to tell.
Manu Sporny:   Then what their capabilities are right.
<greg_bernstein> Finger printing...
Manu Sporny:  One of the reasons it's been proposed this way is 
  because you don't want the wallet to just blanket convey all of 
  the did methods that you have access to and all the crypto sweets 
  you propose that could be a privacy violation right and so what 
  has been proposed is let's make it so that the server says these 
  are the things that.
Manu Sporny:   I could accept from.
Manu Sporny:  You and then as a client you can pick which one of 
  those things you want to use or you can choose to not respond at 
  all okay so with that is kind of you know that's where this came 
  from over to you Dave.
Dave Longley:  Yeah so I would I would try to tweak the framing 
  of this a little bit instead of saying let's find out the client 
  features which does get into the fingerprinting case which we 
  want to avoid what we're really saying is the party that is 
  looking to authenticate someone using a client says these are the 
  things I accept you have to have these things and that means 
  either you know it means I will give you a list of.
Dave Longley:   The things that I.
<greg_bernstein> Like HTTPS hello?
Dave Longley:  Is whatever you want from that list and if you 
  don't have something on that list we're not compatible but if you 
  have something that lets choose something and communicate with me 
  and if there's a set of things that aren't part of the protocol 
  necessarily but are a set of things that the the issuer wants to 
  ensure that you have as you mentioned storing keys in an HSM or 
  something like that then what the client the client would respond 
  to that by saying well here's a VC.
Dave Longley:   From some auditing party or something that says.
<tallted> like the "MasterCard, VISA, AmEx, Discover..." NASCAR 
  stickers at merchant cashier station
Dave Longley:  I meet the requirements whatever that is so you're 
  either responding back by choosing some protocol to speak or some 
  did method to use or your presented or the client is presenting 
  VCS that say you know I meet whatever your requirements are and 
  in all of those cases I think it makes the most sense to have the 
  the issuer say I will accept this stuff now you choose and that 
  of that avoids the fingerprinting problem.
Manu Sporny:  Thanks Dave Patrick you're in the queue.
Patrick_(IDLab): Yeah so just a few question like when we talk 
  about this is it more of what I need kind of in point or more of 
  the what I can do.
Dave Longley:  Well I think in this case we're talking about the 
  the verifier I you know I keeps using the term issue irksome 
  imagining someone picking up a credential but in that case there 
  the really playing the role of verifier when you're asking 
  someone to do a did authentication and what they're doing in that 
  cases they're saying I want you to do a did authentication and 
  here are the did methods for example that I accept in the crypto 
  sweets that I would be able to check so.
Dave Longley:   So there is sort of a crossover between what I 
  can.
Dave Longley:  And what I can accept but it's really just about 
  what I would accept it doesn't really matter if I can do these 
  other things if I wouldn't accept them that's not relevant to 
  this interaction.
Patrick_(IDLab): Okay because and is this something that would be 
  like and point specific or is just more like a bold sort of 
  Discovery and point that you can filter the results because then 
  your example you're mentioning like a verifier but within this 
  kind of feature be also interesting on issuer for example.
Dave Longley:  Yeah so in the context of having this be on an 
  issue I think is when the issue is playing a role of verifier 
  because they want someone to do a did authentication before they 
  issue them a VC so it would be happening on issuing system but 
  they'd be playing the role of a verifier but I think what's 
  important here is we're talking about doing all this through a 
  verifiable presentation request which could be sent by any party 
  but it's generally when that party is playing the role of.
Dave Longley:   Fire because they want you.
Dave Longley:  Kind of authentication and prove that you control 
  the dead or prove that you have some set of VCS.
Patrick_(IDLab): Okay and is this specifically scope for 
  Authentication.
Dave Longley:  I think when you're asking another party for a 
  verifiable presentation you you're asking them to provide you 
  with VCS that they have and usually but not always you want an 
  authentication proof over the whole presentation proving control 
  of some did that may or may be bound in some way to either those 
  credentials or some other important field you might have 
  previously for.
Dave Longley:   Well bounded it too.
Dave Longley:  It does seem like it's very very much associated 
  with with Authentication.
Patrick_(IDLab): Okay and one final question what is this 
  something that's supposed to be used like programmatically or is 
  it sort of a more of a like Discovery like it would return you 
  the method that support with maybe some documentation URL and 
  then you implement this and after that you can correctly 
  communicate with that agent or is it something that's more meant 
  to be used in the process.
Patrick_(IDLab):  every time.
Patrick_(IDLab): Take action based on the return here.
Dave Longley:  Manas on the Queue but my my view is it's this is 
  mostly the latter it's for programmatic you know someone wants to 
  do a did all somewhere they read their requite where they request 
  a VC and the issuer in the role of verifier says well if you want 
  this VC I need you to did all the first and so this is in a 
  protocol message and their client is going to process that and 
  maybe they might offer the user some choices you know do you want 
  to use this data or that dead if.
Dave Longley:   So that's an option but then it's responded to.
Manu Sporny:  I just put myself on the key to in the meeting so 
  this is great good start to the conversation we're not done with 
  it we'll pick it up next week group will continue the discussion 
  on this item to be all right with that thank you everyone for the 
  great and great engagement as always really appreciate that we 
  will meet again next week where we will.
Manu Sporny:   This conversation.
Manu Sporny:  Issues thanks everyone have a great rest of the 
  week chat with you next week.

Received on Tuesday, 1 November 2022 21:04:08 UTC