- From: Manu Sporny <msporny@digitalbazaar.com>
- Date: Tue, 20 Sep 2022 11:51:27 -0400
- To: W3C Credentials CG <public-credentials@w3.org>
What follows is an "information known to the general public" summary of what happened last week at the W3C Technical Plenary (W3C TPAC - where many of the global standards that drive the Verifiable Credentials and Decentralized Identifiers ecosystem are standardized). There is more that is member-confidential that went on, and none of that is covered in this email, though the most important things are public knowledge due to the fact that W3C's Working Group minutes are made public within hours/days of the member meetings -- hooray for transparency! I'm looking at you, ISO (and all the other organizations that don't make their meeting transcriptions public)! :P Apologies for the length, there is a lot to cover. ------------------------- The JSON-LD WG announced that JSON-LD is now published by 43% of all websites on the Internet (based on Common Crawl statistics data) in order to achieve better search rankings. To put that in perspective, Fetch is used by 38% of all websites. WebAuthn is used by 0.19% of all websites (ouch). More fun browser API stats at: https://chromestatus.com/metrics/feature/popularity It is worth noting that WebAuthn is typically implemented by the big identity providers (Google, Microsoft, Facebook) so measuring the number of domains that use it isn't a good measure of actual usage because everyone gets funneled through centralized IdP to use WebAuthn -- actual people impacted is probably be much higher, if only those large IdPs would share their numbers! :P ------------------------ The JSON-LD Working Group will be re-chartered to continue maintaining the specification, with the ability to add new features. There is work going into YAML-LD, and interest in taking up the CBOR-LD work as well. There is parallel work also being proposed on "labeled property graphs" (called RDF-star), which allow one to annotate properties themselves (of dubious value to VCs at present). That work might provide advantages to the path VCs have taken to date, but we won't know for another 2+ years. It is explicitly not going to be disruptive to what we've standardized to date at W3C. ------------------------- The DID Working Group meeting had significant attendance (40-50 people). The goal was to settle on the next Working Group Charter. The plan was to work towards agreeing to standardize a few DID Methods (like did:key and did:web), and possibly start standardizing DID Resolution. There were objections to standardizing DID Methods. If we don't standardize at least a few DID Methods, we know that there will be objections from some of the big-tech companies. There didn't seem to be objections to DID Resolution or maintaining DID Core. I was able to meet with some of the big tech companies and negotiate a potential path forward via DID Resolution (without standardizing any DID Methods). I still need to engage with some of the potential objectors to see if they'd be amenable to the plan. There is a decent chance they'll be ok with it. --------------------------- Support for the Verifiable Credentials Working Group is quite strong (and growing). We were given significant air time in the all-hands Advisory Committee meeting. The Working Group meeting hovered between 42-56 people, which is quite large for a W3C Working Group. There were no bombshells or any real drama to speak of in the meeting. The group seems to be on a good trajectory. In general, doing work on version 2.0 of anything tends to be easier than 1.0 because many of the guard rails are already established for the work. More on particular technology discussions that came up below. All slide decks presented at the meeting can be found here (the ACDC slides take up 112 slides, the other slide decks average around 10 slides per topic): https://docs.google.com/presentation/d/1hrqozY2EGZ8i8y40abyEuJmIb6hCiRS-37pdj6bhBLY/edit ------------------------------- I spent some time with the Accessible Platform Architectures Working Group (the group that produces accessibility documents like the Web Content Accessibility Guidelines that the US Government follows to ensure Section 508 compliance). As a result of the conversation, they will be working on a Digital Wallet Accessibility Guidelines document over the next 1-2 years to ensure that digital wallets meet the requirements of the 60 million people in the US with accessibility needs. That guide might be integrated (in time) into WCAG, which is incorporated into Section 508 in the US (and into other accessibility regulation documents in other countries). They took this as an action during the VCWG meeting and also provided some good news use cases that we should be interested in (for example, Verifiable Credentials for vaccination status of guide dogs crossing borders -- guide dogs can be kept for days in kennels if the vaccination paperwork isn't up to date, 'causing stress for both the animal and the individual needing the aid from the animal). ------------------------------- As mentioned above, the Verifiable Credentials WG meeting was fairly uneventful. Orie did a great job counter-acting some of the explosion of complexity being suggested for the core data model and keeping things simple via JSON-LD. The streamlining Data Integrity cryptosuites conversation didn't blow up into a hot mess and there seems to be a workable path forward there (though, the details matter and we'll get to those over the next couple of months). The holder binding discussion and the JSON Schemas discussion will be interesting, but non-disruptive. The RDF Dataset Canonicalization WG is under way and seems to be on a good trajectory. We stayed away from discussing digital wallet protocols, which was probably a good thing. ---------------------------------- The SD-JWT work was introduced to the group as a selective disclosure scheme for JSON payloads. There was some serious shade thrown at BBS and AnonCreds during the meeting by the EU Digital Identity initiative stating that "Our cryptographers have looked at both BBS and AnonCreds and rejected them for being overly complex". Both Avast and Digital Bazaar fired back noting the CFRG uptake of BBS at IETF and they backed off to a "Oh, I mean, it's on an experimental path, but we are committed to SD-JWT, which is not experimental and uses NIST-approved cryptography."... people should be worried about this. It feels rushed. The JWP stuff is even further behind. There was a suggestion that VC-JWT will be dropped for SD-JWT, or JWP, or maybe we'll keep all of them, or something better will come along. This work could have a negative effect on the greater community around VC interoperability. Adding two new "securing VC" mechanisms to the existing two mechanisms seems problematic. We'll have to give that spec more time to breathe and improve. ------------------------ Those are my notes, I hope they are useful to those that were not able to attend W3C TPAC. If others have notes on the stuff that's public knowledge (via transcripts), please share. -- manu -- Manu Sporny - https://www.linkedin.com/in/manusporny/ Founder/CEO - Digital Bazaar, Inc. News: Digital Bazaar Announces New Case Studies (2021) https://www.digitalbazaar.com/
Received on Tuesday, 20 September 2022 15:52:17 UTC