Summary of last week's W3C Technical Plenary (W3C TPAC)

What follows is an "information known to the general public" summary
of what happened last week at the W3C Technical Plenary (W3C TPAC -
where many of the global standards that drive the Verifiable
Credentials and Decentralized Identifiers ecosystem are standardized).

There is more that is member-confidential that went on, and none of
that is covered in this email, though the most important things are
public knowledge due to the fact that W3C's Working Group minutes are
made public within hours/days of the member meetings -- hooray for
transparency! I'm looking at you, ISO (and all the other organizations
that don't make their meeting transcriptions public)! :P

Apologies for the length, there is a lot to cover.

The JSON-LD WG announced that JSON-LD is now published by 43% of all
websites on the Internet (based on Common Crawl statistics data) in
order to achieve better search rankings. To put that in perspective,
Fetch is used by 38% of all websites. WebAuthn is used by 0.19% of all
websites (ouch). More fun browser API stats at:

It is worth noting that WebAuthn is typically implemented by the big
identity providers (Google, Microsoft, Facebook) so measuring the
number of domains that use it isn't a good measure of actual usage
because everyone gets funneled through centralized IdP to use WebAuthn
-- actual people impacted is probably be much higher, if only those
large IdPs would share their numbers! :P
The JSON-LD Working Group will be re-chartered to continue maintaining
the specification, with the ability to add new features. There is work
going into YAML-LD, and interest in taking up the CBOR-LD work as
well. There is parallel work also being proposed on "labeled property
graphs" (called RDF-star), which allow one to annotate properties
themselves (of dubious value to VCs at present). That work might
provide advantages to the path VCs have taken to date, but we won't
know for another 2+ years. It is explicitly not going to be disruptive
to what we've standardized to date at W3C.
The DID Working Group meeting had significant attendance (40-50
people). The goal was to settle on the next Working Group Charter. The
plan was to work towards agreeing to standardize a few DID Methods
(like did:key and did:web), and possibly start standardizing DID
Resolution. There were objections to standardizing DID Methods. If we
don't standardize at least a few DID Methods, we know that there will
be objections from some of the big-tech companies. There didn't seem
to be objections to DID Resolution or maintaining DID Core. I was able
to meet with some of the big tech companies and negotiate a potential
path forward via DID Resolution (without standardizing any DID
Methods). I still need to engage with some of the potential objectors
to see if they'd be amenable to the plan. There is a decent chance
they'll be ok with it.
Support for the Verifiable Credentials Working Group is quite strong
(and growing). We were given significant air time in the all-hands
Advisory Committee meeting. The Working Group meeting hovered between
42-56 people, which is quite large for a W3C Working Group.
There were no bombshells or any real drama to speak of in the meeting.
The group seems to be on a good trajectory. In general, doing work on
version 2.0 of anything tends to be easier than 1.0 because many of
the guard rails are already established for the work. More on
particular technology discussions that came up below. All slide decks
presented at the meeting can be found here (the ACDC slides take up
112 slides, the other slide decks average around 10 slides per topic):
I spent some time with the Accessible Platform Architectures Working
Group (the group that produces accessibility documents like the Web
Content Accessibility Guidelines that the US Government follows to
ensure Section 508 compliance). As a result of the conversation, they
will be working on a Digital Wallet Accessibility Guidelines document
over the next 1-2 years to ensure that digital wallets meet the
requirements of the 60 million people in the US with accessibility
needs. That guide might be integrated (in time) into WCAG, which is
incorporated into Section 508 in the US (and into other accessibility
regulation documents in other countries). They took this as an action
during the VCWG meeting and also provided some good news use cases
that we should be interested in (for example, Verifiable Credentials
for vaccination status of guide dogs crossing borders -- guide dogs
can be kept for days in kennels if the vaccination paperwork isn't up
to date, 'causing stress for both the animal and the individual
needing the aid from the animal).
As mentioned above, the Verifiable Credentials WG meeting was fairly
uneventful. Orie did a great job counter-acting some of the explosion
of complexity being suggested for the core data model and keeping
things simple via JSON-LD. The streamlining Data Integrity cryptosuites
conversation didn't blow up into a hot mess and there seems to be a
workable path forward there (though, the details matter and we'll get
to those over the next couple of months). The holder binding
discussion and the JSON Schemas discussion will be interesting, but
non-disruptive. The RDF Dataset Canonicalization WG is under way and
seems to be on a good trajectory. We stayed away from discussing
digital wallet protocols, which was probably a good thing.
The SD-JWT work was introduced to the group as a selective disclosure
scheme for JSON payloads. There was some serious shade thrown at BBS
and AnonCreds during the meeting by the EU Digital Identity initiative
stating that "Our cryptographers have looked at both BBS and AnonCreds
and rejected them for being overly complex". Both Avast and Digital
Bazaar fired back noting the CFRG uptake of BBS at IETF and they
backed off to a "Oh, I mean, it's on an experimental path, but we are
committed to SD-JWT, which is not experimental and
uses NIST-approved cryptography."... people should be worried about
this. It feels rushed.
The JWP stuff is even further behind. There was a suggestion that
VC-JWT will be dropped for SD-JWT, or JWP, or maybe we'll keep all of
them, or something better will come along. This work could have a
negative effect on the greater community around VC interoperability.
Adding two new "securing VC" mechanisms to the existing two mechanisms
seems problematic. We'll have to give that spec more time to breathe
and improve.

Those are my notes, I hope they are useful to those that were not able
to attend W3C TPAC. If others have notes on the stuff that's public
knowledge (via transcripts), please share.

-- manu

Manu Sporny -
Founder/CEO - Digital Bazaar, Inc.
News: Digital Bazaar Announces New Case Studies (2021)

Received on Tuesday, 20 September 2022 15:52:17 UTC