- From: CCG Minutes Bot <minutes@w3c-ccg.org>
- Date: Tue, 06 Sep 2022 21:08:20 +0000
Thanks to Our Robot Overlords for scribing this week! The transcript for the call is now available here: https://w3c-ccg.github.io/meetings/2022-09-06-vcapi/ Full text of the discussion follows for W3C archival purposes. Audio of the meeting is available at the following location: https://w3c-ccg.github.io/meetings/2022-09-06-vcapi/audio.ogg ---------------------------------------------------------------- VC API Task Force Transcript for 2022-09-06 Agenda: https://lists.w3.org/Archives/Public/public-credentials/2022Sep/0022.html Topics: 1. (Re-)Introductions, Relevant Community Updates 2. OIDC4VCI and VC API 3. How granular should authorization be? 4. Define credentialStatus correctly in YAML Organizer: Manu Sporny Scribe: Our Robot Overlords Present: Patrick St-Louis, Brian Richter, Manu Sporny, TallTed // Ted Thibodeau (he/him) (OpenLinkSw.com), Dave Longley, Kaliya Young, David Chadwick, Joe Andrieu, Eric Schuh, Logan Porter, Kayode Ezike, TallTed // Ted Thibodeau Jr (via iPhone) Our Robot Overlords are scribing. Manu Sporny: Welcome everyone to the verifiable credentials API work item call this is September 6th 2022 our agenda is going to be put in the chat Channel. Manu Sporny: Bay on the agenda we have a new meeting time that people have selected by going to the pole there 15 well no they were 2025 respondents much more than we expected but in a number of people that haven't been able to come to the call that have suggested new time so that's good we'll cover that. Manu Sporny: At in today's call. Manu Sporny: Is largely about authorization granularity credential revocation in credential status will also do some relevant Community updates towards the front part of the call are there any other updates or changes to the agenda that anyone would like to make before we. Patrick St-Louis: I was wondering if they could be a slight time to discuss so I came across this open ID for about credential issuance document which seems to be a project put forward by Microsoft and matter and I wanted to know what in your opinion is the distinction between this and what this community is working on. Manu Sporny: That is an excellent question let's put that at the front part of the agenda in potentially time box it to 10 to 15 minutes because it is a very thick can turn into a very deep conversation very quickly does that work for you Patrick. Patrick St-Louis: Yeah 100% thank you. Manu Sporny: Okay awesome let's go ahead and add that in if I forget for whatever reason please remind me when we get to it. Topic: (Re-)Introductions, Relevant Community Updates Manu Sporny: Okay introductions reintroductions relevant Community updates is there anyone that's new to the call or is there anyone that would like to reintroduce themselves. Manu Sporny: All right I think most of us know each other relevant Community updates I've got a few the first one is that w3c's technical plenary is next week in that means that we're going to be canceling this call for next week they're good there's going to be a decent chunk of us going to the technical plenary and it's just difficult to have this call in have. Manu Sporny: The technical plan. Manu Sporny: https://doodle.com/meeting/organize/id/bkZ86z5a Manu Sporny: The week after next week we will be meeting during our new call time so our new call time let me I don't know if anyone can get this doodle poll probably not so let me try screen sharing it so people can see. Manu Sporny: Our new call time this interfaces so bad but let me scroll to who there's a fit yeah he 15 okay so I think the highest value you have to scroll all the way to the bottom and then you have to scroll all the way to the top to see where you are I think the highest value we got was 15 people could make this time. Manu Sporny: It's basically an hour earlier so right now we start at 4 p.m. Eastern in only 10 people said that they could make that and if we move it up by an hour hopefully the folks in New Zealand matter can still make the call and we pick up five more people that said that they would participate that's by far the highest time that we got and unless there. Manu Sporny: Objections to that. Manu Sporny: That's going to be the new call time is 3 p.m. Eastern on Tuesdays I'm sorry Logan you're going to probably be waking up an hour earlier get you can you still make it Logan. Manu Sporny: They're now earlier. Manu Sporny: Okay alright okay and again apologies for being on the other side of the planet. Manu Sporny: Yeah I guess if only we had a flat earth right okay so I think so we're going to try that time and if people want to you know if people want to move it again we can we can try running it again but hopefully that's going to work out for folks we will start that time not next week but the week after Joe go ahead you're on the queue. Joe Andrieu: My question was just about Google calendar item I happen to have an old one that you had issued for the current time. Joe Andrieu: I can't change it. Manu Sporny: Yes yeah I'll I'll like I have switched calendars and I can't revoke that thing so everyone will have to delete it from the I know isn't it great calendaring technology it's a standard so so everyone's gonna have to delete that one from their calendar we have two calendars what do people prefer we can either put it on the ccg calendar or I can send a new invite out to the mailing list I was going to just send a new email out to the mailing. Manu Sporny: List since that seems. Manu Sporny: Instead of and I just do that repeatedly for like three to four weeks until people have it on their calendars and then I stopped that's what seems to have worked well in the past. <tallted_//_ted_thibodeau_(he/him)_(openlinksw.com)> please update the CCG calendar item which is already there Joe Andrieu: Does the ccg calendar give us the benefit that we have right now with the ccwg stuff we're like if things get cancelled it shows up in my calendar is it plugged into that way. Manu Sporny: No no I mean we can try I could talk with w3c staff in. TallTed_//_Ted_Thibodeau_(he/him)_(OpenLinkSw.com): It was because if you updated. TallTed_//_Ted_Thibodeau_(he/him)_(OpenLinkSw.com): Yeah yeah the W3 calendar is working very well. Manu Sporny: Okay well hold on Ted there's the ccg calendar and then there's the actual w3c calendar which one are you talking about. TallTed_//_Ted_Thibodeau_(he/him)_(OpenLinkSw.com): Oh I apologize. Manu Sporny: I think you mean the w3c calendar which I say I agree we should probably just start using because it does have the benefits that you outlined Ted. Joe Andrieu: Yeah if we can it's really convenient. Manu Sporny: Okay okay all right I will try to chat with the appropriate people in set that up it's an I don't think it's extra I don't think it's extra work because I still have to send out a reminder every week or a new agenda every week okay then we'll will Target that IND that will be. Manu Sporny: The first meeting that we have at that new time will be the week after TPAC not next week but the week after and then the following week will cancel the call again because of rebooting but after that we'll be back to our regular time okay any other relevant Community updates questions concerns in general. Manu Sporny: All right then moving into our agenda the first thing is I'd be C4 VCI out go ahead Jo. Joe Andrieu: Are you hoping to have this call also the week of rebooting. Manu Sporny: No I was thinking we'd cancel it but unless you have an idea okay yet. Joe Andrieu: No I'm good with canceling it I mean I'm going to be rebooting but I don't we talk about TPAC we didn't talk about the two weeks. Joe Andrieu: Okay great I just didn't hear it this time around. Manu Sporny: Yeah sorry I thought I said we'd cancel it for tea pack and we'd cancel it for rebooting yep okay all right yeah that's that's the plan and if and if somebody want really wants to have this call during tpack endearing rebooting volunteered a chair it and run it that's a totally fine option as well. Topic: OIDC4VCI and VC API Patrick St-Louis: https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html Manu Sporny: Okay next topic is the one Patrick mentioned at the top of the hour or IDC for VCI and the VC API I'm going to try to summarize this unless somebody else wants to take a shot at this. Patrick St-Louis: I put the link in the chat. Manu Sporny: Yes thank you so fundamentally there are let's see I want to be careful about what I say here some of the companies on this call are working currently working with customers to implement both YDC for VCI and DC API and the the general difference between the two. Manu Sporny: Or VCI is a verifiable credential delivery protocol that basically means that you can use it to get a credential from an issuer to a holder. Manu Sporny: To contrast the verifiable credential API. <dave_longley> four main VC functions: issuance, verification, delivery, presentation Manu Sporny: A number of things that oid C4 VCI doesn't do like handle the interface for issuing a credential so the internal calls you'd make at an issuer to construct a verifiable credential it also covers verification so in points that you would use at a verifier to make a call like an HD be called to verify a credential. Manu Sporny: The VC API also allows you to do things like credential revocation so changing the status of a credential and then the current VC API also has the mechanism that allows you to do credential exchange so basically arbitrary back and forth protocols that allow verifiers to request information and holders to respond with information and back and forth and back. Manu Sporny: Back and forth until they're done with. Manu Sporny: Dealer credential workflow so all I DC for VCI is very targeted at delivery the VC API is kind of a much more broad support some more broad set of use cases you can do delivery over both the YDC for VCI and you can do delivery using the VC API well I DC for VCI is something that uses a number of other protocols at the. Manu Sporny: Nid foundation. <joe_andrieu> /s/nid foundation/OpenID Foundation/ Manu Sporny: It kind of Builds on top of existing work there whereas the VC API does not utilize a lot of those mechanisms that exist in oid C 4 V 4 BC i instead it uses things like oh off to but doesn't necessarily require you to use the other oid C4 or sorry open ID connect mechanism so let me stop there did I get anything. Manu Sporny: Wrong does anybody. Manu Sporny: Complications changes to that go ahead look. Manu Sporny: All right thanks Logan next up is David Chadwick then Dave Longley then Patrick go ahead David. Manu Sporny: Got it thank thanks David. Manu Sporny: Okay thanks David Dave you're up next. Dave Longley: Right so I think one of the biggest challenges we've had in understanding the differences between oh I DC for PCI and the VC API is clearly differentiating delivery fee see delivery from VC issuance so the oid C4 VCI spec is really about how a digital wallet can request a credential on behalf of a end user from an issuer and receive it and that involves it. Dave Longley: An optional involve authorization of the. Dave Longley: As an oauth client and it's like that it's totally agnostic about the backend services that the issuer software would use to it actually issue the VCS or verify presentations or do any of those things the VC API covers a large swath of those things where the VC API is about defining common interfaces that people can Implement so you can swap out different back-end services like an issuing service. Dave Longley: Or a verifier service and then the. Dave Longley: And Grant authority to clients that can act on behalf of the issuer to issue things and to verify things those things have absolutely nothing to do with oid C4 VCI in the sense that that that oid see spec is agnostic about those thing you can use the VC API to implement the backend services for the oid C4 B CI front-end VC delivery service the VC API also has its own VC. Dave Longley: Delivery mechanism which is related to. Dave Longley: Exchanges API and that is where an end user can go pick up a credential and so that if we wanted to compare the two protocols that's where the comparison would be. Manu Sporny: Thanks Dave let's see Patrick you're up next and then Logan. Patrick St-Louis: Thank you Dave that was very interesting and also all the other comments because there's two things that spoken to my mind so the first one regarding the issuance and delivery that was actually a question I had we going to be C API spec for example when you see you have the endpoint to issue a credential for me the way I perceive that before is when you issue a credential there's also the concept of the Korean shoulder. Patrick St-Louis: Ultimately stored in a wallet at some. Patrick St-Louis: The way that this API seems to be Amanda the act of issuing credential is only returning json-ld format of a verifiable credential and it didn't get stored in a wallet so the distinction between those two it was not very clear to me because for example on a Kappa agent there's an endpoint to Simply sign credential which would transform it into a variable. Patrick St-Louis: Potential and there is also a different point. Patrick St-Louis: Credential which does both the signing and send it to a pre-existing wallet that's been connected with that agent so I was not sure what the term issue meant in the VC API spec any other the second part is because I have started to hear some maybe project about potentially developing a test suite for the open ID for verifiable credential and the reason why I wanted to. Patrick St-Louis: To know the difference. Patrick St-Louis: Understand if this this sweet would be similar to what is being worked in this community or if it says something slightly different which seem to be more decays after what they've mentioned that's it thank you. Manu Sporny: Thanks Patrick Logan you're up next and then David Chadwick. <dave_longley> you can combine the technologies/protocols together Manu Sporny: Okay thanks Logan David. <logan_porter> same that I don't seem to be getting picked up by the transcriber bot <dave_longley> could you type in what you said, Logan ... so we have it for the minutes? David Chadwick: In terms of testing, as you know I'm leading NGI Atlanstic project for test suites for OIDC for issuance and verification. We've taken postman test suite from Orie and already got suite path test for pre-auth flow and writing other test for that, later this month working w/ Joseph from OIDF to look at OpenID test suite to add features for OIDC4VCs as well, there will be test suties, not for whole of OIDC4VC protocol, many different comibnations, lots of different flows, authentications that you can use. [scribe assist by Manu Sporny] David Chadwick: We're producing tests against those profiles, those will be publicly available. [scribe assist by Manu Sporny] Manu Sporny: Type of great thanks David sorry it was scribing you Logan David yeah that it's not picking up your audio because whatever browser OS combination you have I don't know if it's possible for either of you to switch to a different combination or if that would actually help but I got watching. Manu Sporny: Yeah it's it's it's Mac you can't sit on a Mac you can't switch browsers you you only get a choice of safari even even though it looks like you're using Google Chrome the backend browser Safari in Safari is unfortunately not standards-compliant when it comes to webrtc I don't know. Manu Sporny: As your Firefox and Safari under the covers that's that's the way Max work unfortunately so it won't matter I guess what I'm saying is it won't matter unless you switch to like an on Mac thing which is a ridiculous thing to ask so we'll try to remember to subscribe you David or if you could remind us describe you when you're talking we can we can fill in okay let me look at the queue. Manu Sporny: I put myself on the cue for a. Manu Sporny: More so we'll just skip that okay so now I mentioned that we'd time box this thank you everyone for the the useful comments as everyone probably knows and this goes without saying both of these apis are Under development right now and are subject to change and the test Suites are under active you know rework and all that kind of stuff so hopefully Patrick that helped provide. Manu Sporny: Vide at least. Manu Sporny: Idea of the differences between the two of them right now and those differences may change as they're developed over the next you know year to two years okay any anything else about the differences between y DC for VCI in. David Chadwick: Current design for a secure wallet has a concept of a front-end wallet and back-end wallet, and flowcharts are showing both of these, interesting concepts, necessary or not to have that? Some believe it is, I'm not sure it is. That's one difference. Also, way it's shaped at the moment, it appears that wallet software provider will be identified to an issuer. [scribe assist by Manu Sporny] David Chadwick: I think that will be a really bad design. Some people think that EUDI is the way it's going to be. [scribe assist by Manu Sporny] David Chadwick: This seems to be a privacy violation to the user, don't want to work with a wallet provider. [scribe assist by Manu Sporny] <kaliya_identitywoman> but how do you know the wallet has been built with proper securitiy? <dave_longley> +1000 to David Chadwick's concerns on wallet identification to the issuer problems Manu Sporny: All right thank you David I put myself on the cue the speak exactly that that David I'm I'm trying to I'm trying to be kind of even-keeled about this conversation one of our biggest I'm going to speak just for digital bizarre one of our really one of our biggest concerns with the open ID protocol is exactly what you. Manu Sporny: Said David it. <david_chadwick> To Kaliya. By having the software certified by a TTP Manu Sporny: As identification by the wallet vendor to the issuer or sometimes well we'll just say to the issuer we think that that can be used in a whole bunch of anti-competitive ways in the same way that you know providing browser cookies seem like a totally reasonable thing to do in the early days of the web in providing browser ID strings seem to be a totally okay thing. Manu Sporny: To do at the early part of the. Manu Sporny: But then people started using those browser ID strings to code directly to like Microsoft Edge sorry Internet Explorer so that websites only work with Internet Explorer they would detect effectively the browser / you know the wallet and then tie the website to specific proprietary vendor implementations we think the same danger exists for the oid C4 B CI. Manu Sporny: Ian their ways. Manu Sporny: But we're not seeing David as you said in an acknowledgement of the issue in the first place into a desire to kind of solve it so I'll leave it at that there are ways to mitigate it but we're not seeing them to contrast this the the VC API exchange flows David you asked about metadata a lot of the meta data is exchanged in the flow itself not outside of it so you're not able. Manu Sporny: Lee if at all do wallet fingerprinting right which is what some of these some of the O open ID you know protocols do I won't go any deeper into that again I think we're at the end of our time box so Logan you've got the last word and then we'll move on to the rest of our agenda go ahead Logan. <kaliya_identitywoman> What is a TTP and how does the issuer know that it has passed such a thing? Logan Porter: I don't think that, from my understanding at least, that the OID4VCI spec that you have to identify the wallet, that it's a requirement, but it's important to manage that [scribe assist by Dave Longley] Topic: How granular should authorization be? <david_chadwick> Trusted Third Party certification authority Manu Sporny: Yep all right okay so with that good job everyone we managed to cover that topic without getting wrapped around the axle on it hooray for everyone next up expect like a lot of this conversation to be kind of furthered over the next couple of months it's it's a it's kind of the next stage of kind of wallet. Manu Sporny: Tikal discussion. <dave_longley> if you have to do dynamic registration and identify a callback URL to send the authorization code, you're identifying the wallet to the issuer Manu Sporny: https://github.com/w3c-ccg/vc-api/issues/223 <david_chadwick> By the TTP issuing a VC to the wallet <kaliya_identitywoman> what is a TTP??? Manu Sporny: I think okay issue 223 is how granular should authorization be let me share my screen and maybe zoom in here so Brian you raised this issue would you mind giving us kind of a background on it and then we can. Manu Sporny: Get into discussion. <kaliya_identitywoman> sometimes people and their acronyms <david_chadwick> I already said "trusted third party" Brian Richter: Yeah I mean it was quite a while ago but I think the reason I originally raised it was all the authorization discussions that were going on it seemed that the rich authorization or are whatever it is and had capabilities that you could make the API extremely granular whereas just playing with two Scopes kind of doesn't have that so it was kind of a way to maybe. Brian Richter: Make some decisions. Brian Richter: But the discussion kind of evolved from there so. Manu Sporny: Alright okay so go ahead Dave. Dave Longley: I was going to say that as Brian mentioned this issue came up a long time ago when I think we had slightly less Clarity around some of the things we were just discussing around issuance and delivery and which you know who would be authorized to hit the issue and that and point for example and I think it's become a lot more clear that the issuance I'm point is for parties that have been authorized. Dave Longley: The issuer to act of centrally on behalf of the. Dave Longley: You were to issue. Dave Longley: Being seized which is not the same thing as an end user who's going to be receiving who who have a VC delivered to them to their digital wallet and so this issue might have been raised because we had a little less Clarity around that and it might be a little more obvious now that I don't know that we having granularity around for example the credentials subject or things like that or of that. Dave Longley: Or of a lot of value here it seems more like the regularity we're looking for might be related to exchanges in VC delivery then as opposed to the issuance of point. Manu Sporny: All right so given that what do we want to do with this issue Brian thoughts. Brian Richter: Yeah I think I think Dave point out nicely I think it's kind of deprecated I'd say. Manu Sporny: Are there any objections to Us closing this issue one thing before we if if and if we do that it may be worth noting that Dave you presented a hierarchical scheme for oauth. Manu Sporny: A Scopes and we also know that the traceability API folks don't necessarily have that Mahmood said we'd be too happy to kind of introduce the topic to the traceability API folks which use the VC API to determine if there's overlap there so could we say at this point that if we need to create. Manu Sporny: Tightly scoped credentials whether or not you're using R organ a poor oauth2 or Z caps we have a mechanism to do that across all we have a design pattern that we can apply across all of those use cases is that a fair statement only. Dave Longley: Sorry I didn't mean to put my hand up I think that's a fair statement I think what we were trying to do with the the hierarchical Scopes is more tightly since we were exploring saying these are the Scopes you must use when implementing the API we were exploring tightly binding those Scopes to the API endpoints and their functionality so if we wanted to have new types of functionality that we wanted to expose on the issuer you each. Dave Longley: Each new type of functionality could come along with a scope. Dave Longley: Specifically that functionality and if you had if you were granted a scope in a earlier part of a path in a resource am or what is it higher part of the hierarchy you get all of the functionality underneath that API. Manu Sporny: Okay alright so the proposal is to close this issue because we have a design pattern and if we ever need to utilize the design pattern we can do so when that time comes any objections to that. Manu Sporny: We feel that it should close this issue. Topic: Define credentialStatus correctly in YAML Manu Sporny: Okay great all right so given their no objections I didn't hear any looking at the chat Channel not seeing any there I'm going to go ahead and close this issue all right thanks everyone that was easy next up is finding credentials status correctly in the yeah mobile. Manu Sporny: Ori said that the credential status property is not defined correctly in the Amal and I went looking I did a little bit at diving on this yesterday. Manu Sporny: Or he said we should Define it in this credentials component but then miss said. Manu Sporny: Credential status field is already defined an issue credential options not credentials in you saying it's already defined here so basically you can specify the type of credential status mechanism you want to use when you issue a credential like revocation list 2020. Manu Sporny: One of the discussions that we've had in this group has basically said your revocation mechanism is going to be tied to an end point and so you will probably not specify this the other thing that we also mentioned was that if people want to specify credential status they can do so but that's like a dangerous thing to do. Manu Sporny: So don't do it. Manu Sporny: Be some people that want to do it and if you want to do it then you know buyer beware go ahead Dave. Dave Longley: Yeah my understanding of what we and maybe we need to be more clear whether or not the group's come to consensus around this is that choosing a a credential status method or specifying that you want to credential status method in the absence of any other configured state or anything else that's managing that status method just doesn't work if especially if we're talking about things like status lists. Dave Longley: It's really that you need to create some kind of issuing instance that's configured to work with a particular revocation mechanism and then whenever you use that instance to issue a credential that revocation mechanism is used automatically you can't decide to turn it off or on at that point if you want to issue a credential with some other mechanism or no mechanism at all you need to create a new configuration and use that other issuing instance just because it's it. Dave Longley: You can't make the software. Dave Longley: That way if you didn't do that. Manu Sporny: All right thanks lonely go ahead Patrick. Patrick St-Louis: And two things I want to first of all that I'm curious you mentioned you don't recommend people defining credential status maybe if you could expand a little bit why and what does that exactly mean and my second question is the credentials that is as I understand it they can be used to revoke a credential is there any other uses and revocation to that option. Manu Sporny: Lonely do you want to cover that. Dave Longley: Yeah sure so you're the one that said this money you don't recommend people saying it but I think what you meant was you don't recommend someone sending creating some having an issuing endpoint where you can send it to the same end point multiple different types of revocation status information so you might issue you might hit this endpoint an issue something using a revocation status list on Tuesday and then on Wednesday you have the same issuing. Dave Longley: Point without any revocation specified. Dave Longley: And or maybe you choose an entirely different mechanism to to track status it's going to be extremely challenging for implementations to be able to implement switching off different types of status lists for the same effect of group of credentials and so instead what we're saying is when you want to be able to issue credentials that that use the a certain type of revocation. Dave Longley: Issuing instance it's configured for that and always hit that instance if you want to use that that status method or that list and create groups of credentials that are linked to a certain status replication mechanism to answer your second question are there other types of status information yes yes there are at least one other type is in a community group spec right today so you can. Dave Longley: Can you can specify. Dave Longley: Tension status in the status list 2021 spec there are you can have multiple different types of statuses in the two that are defined there today or revocation and suspension. Dave Longley: So one more one more clarification so I don't think the comment around being able to send an option to an end point for doing revocation and the suggestion that you don't do that was about saying don't use revocation status lists or status lasat all it was set up an end point where any time you use that endpoint that revocation mechanism that same mechanism will be used now and that's different from saying don't. Dave Longley: Revocation of course you can use it just don't. Dave Longley: Try and mix and match. Dave Longley: This is too hard to implement. Patrick St-Louis: I think you very much it's a very clear answer so regarding the point about having an implementation use only one vocation status method at a time with that mean you would hard-code one type of revocation credential status list in your solution and if so then what's the. Patrick St-Louis: Having that option feel available on the API if it's going to be changed towards that implementations method afterwards anyway. Dave Longley: Yes is something that we noticed was missing from these apis a few weeks back was there's effectively another layer of sort of statefulness that's missing we didn't have the concept until recently that you can so when they when they pass was originally designed with sort of designed around building a test Suite very rapidly so that people could expose a simple API. Dave Longley: To a test suite and the tests we could. Dave Longley: A bunch of test vectors and hit that one API and get some kind of output and then we could build a table around whether or not people were being we're having success in implementing the API however that did not lend itself very well to real-world use cases where if you have this one API that's for example digitally signing using cryptographic signature type 1 and if you have a revocation lists associated with that you probably use the same type of cryptographic signature on the. Dave Longley: List as you are going to use on the VC so that anyone trying to verify the VC. Dave Longley: Is to support that one method to be able to do what you need to do in fact if you have certain missed requirements you couldn't mix and match certain types of crypto so if you only have that one endpoint you're not you don't have the affordances that you need to in implementing your software to be able to support other types of cryptography and so we said we're missing a layer here what you shouldn't just have one issuing endpoint which you should have are issuing. Dave Longley: Senses that you. Dave Longley: Where you say I'm going to create this configuration it's going to support this type of signature it's going to support this type of revocation method and you can create as many of these instances as you want and once you create them then this other issuing API hangs off of the end of that instance and that and then you hit when you hit that instance and you hit that API you don't have to specify all of the options that you use to configure it you only you only effectively provide the VC that you want to be issued and then that. Dave Longley: Curation that was state. Dave Longley: Or with that instance gets applied so to answer your question Patrick you're saying you know would you hard-code this into your in your implementation answer's no you would just make your implementation support creating multiple instances and whatever types of cryptography and types of status methods you want to support in your system you would afford you would offer those as possible configurations people would create the configurations they want use those to create instances and then off of those men they would use those instances. Dave Longley: Has to. Dave Longley: Why would I. Dave Longley: Figuration say chosen so you can have one implementation that has n many of these configurations may be your first configuration will sign with the key that uses 8255 19 and a revocation list with the same crypto method maybe your second instance signs with an ecdsa key and has no replication and then your third and fourth and so on. Manu Sporny: All right thank you Dave Patrick gave a thumbs up to that explanation any other questions or concerns about this it looks like. Manu Sporny: Well so it looks like. Manu Sporny: Still allow HTTP API this is probably hold on one second I've got a okay so this is currently defined in issue credential options and we still allow credential status to be set there's a question on whether or not mmm we should. Manu Sporny: Remove this option or not. Manu Sporny: So I think that's the real question under under debate right now we have to come to some kind of determination on that go ahead Patrick. Dave Longley: +1 For removing it, it should be bound to a specific configuration (issuer instance) Patrick St-Louis: Yeah that that was a part of what I was wondering is those options some of them like especially like the credentials that is shouldn't be necessarily set as an option but it should be more of a tag in the implementation when it runs the test Suites if I understand like you would tag that well this and point uses this. Patrick St-Louis: Then there would be a test Suite associated with that specific specific implementation. Manu Sporny: Yes exactly right that that is at least that's how the current test Suites design it did to do than that. Patrick St-Louis: Because like when I was working on like I said like a toying around with the beasts API and the Occupy and what I found out is that I implemented those options and it doesn't really say and respect like which ones are optional or required and what I would do is essentially is my API would override some of them to comply to the Occupy and stands and the back end and the credentials taxes was something that I would hard code a. Patrick St-Louis: A word so what I was thinking is like that's. Patrick St-Louis: But if it's a no. Patrick St-Louis: Certain and they want to test it with a specific option and I override this afterwards it didn't make much sense in my head so the that clarifies this a lot. Manu Sporny: Okay great Dave go ahead. Dave Longley: Yeah just want to agree with Patrick and and say the the test Suite should be given specific instances that the test Suite has authorization to access and use and those those instances would be configured with whatever different pieces of the tests we were looking at test so I completely agree with that. Manu Sporny: Okay so the question is should we remove setting credential status from the API I'm almost certain Ori from transmute is going to object to this if we do that so the suggestion is to ask the traceability folks if this negatively impacts them before doing that so my suggestion is as a Next Step here we ask traceability folks if we can get rid of setting credential status. Manu Sporny: And then see. Manu Sporny: From there go ahead Patrick. Patrick St-Louis: What would the potential objects in sound like like what benefit would it have for some implementation at it being an options. Manu Sporny: We don't know I know that they said that I think or he does not agree with the concept of issuer instances yet in he feels like if they want to for example implement the complex State machine in their back end that they should be able to do that and we should not be you know. Manu Sporny: No stop. Manu Sporny: That for example sorry Dave I jump cue in front of you go and. Dave Longley: Yeah that's okay so first of all I would say we would be removing our suggestion should be to remove this from the issuing and point but move it into the the configuration or instance creation and point I my read and again we're talking for someone else's not here so we should really hear directly from worried about my read from or a was not that he objected to these instances where that concept. Dave Longley: It was just making sure that everything was fully. Dave Longley: My understanding is also that they've been waiting to do any status list implementation until they had more clear signals that the spec was not going to change and so I don't know that you know we obviously should still reach out to them but I don't know that they're using this at all but I think the suggestion here would be just to remove it from the the issuing and point and move it to where your the the issuing instance creation and point. Manu Sporny: Okay alright so there's the proposal so the group is suggesting that this option should be moved from the issuance and point to the issuance instance configuration and point the group wanted to check with Trace Bailey API before making this change to ensure that it wouldn't say negatively impact the traceability. Manu Sporny: See see them any objections for this plane of any objections to this plan. Manu Sporny: So I will comment that we are at time 2 minutes over thank you everyone for the great discussion today as always our call next week is cancelled because of w3c TPAC we will see everyone back here week after next an hour earlier on Tuesday. Manu Sporny: Thanks everyone.
Received on Tuesday, 6 September 2022 21:08:20 UTC