[MINUTES] W3C CCG Traceability Call - 2023-01-10

Thanks to Mahmoud Alkhraishi and Our Robot Overlords and Mahmoud Alkhraishi and Benjamin Collins for scribing this week!

The transcript for the call is now available here:

https://w3c-ccg.github.io/meetings/2023-01-10-traceability/

Full text of the discussion follows for W3C archival purposes.
Audio of the meeting is available at the following location:

https://w3c-ccg.github.io/meetings/2023-01-10-traceability/audio.ogg

----------------------------------------------------------------
Verifiable Traceability Task Force Transcript for 2023-01-10

Agenda:
  https://lists.w3.org/Archives/Public/public-credentials/2023Jan/0022.html
Topics:
  1. interop week
  2. Vocab PRs
  3. Issue Review
Action Items:
  1. issue correction to mailing list to change next meeting date 
    to 21 Feb
  2. update issue 457 with Orie's comments regarding warnings for 
    Azure
Organizer:
  Orie Steele, Mike Prorock, Mahmoud Alkhraishi
Scribe:
  Mahmoud Alkhraishi and Our Robot Overlords and Mahmoud Alkhraishi and Benjamin Collins
Present:
  Orie Steele, Nis Jespersen , Paul Dietrich GS1, Benjamin Collins, 
  Mahmoud Alkhraishi, Chris Abernethy, TallTed // Ted Thibodeau 
  (he/him) (OpenLinkSw.com)

Mahmoud Alkhraishi is scribing.
Our Robot Overlords are scribing.
Mahmoud Alkhraishi is scribing.
Nis Jespersen :  Welcome everyone and IPR Note.

Topic: interop week

Nis Jespersen :  Announcement of 4 week of calls, break due to 
  CBP, this does not preclude our normal merging work etc. Proposal 
  to block until feb 14
Orie Steele:  Starting 14, we would alternat evocab/interop calls

ACTION: issue correction to mailing list to change next meeting 
  date to 21 Feb

Mahmoud Alkhraishi:  14 Has VCWG in person, lets do it on 21.
Orie Steele:  Consesnsus to push it to 21st, we should send out 
  announcement on the list.
Nis Jespersen : 
  https://github.com/w3c-ccg/traceability-interop/pulls
Mahmoud Alkhraishi:  We should also update the CCG calendar 
  invite, will ping mike
Mahmoud Alkhraishi:  I merged a typo fix, it was editorial only.
Nis Jespersen : 
  https://github.com/w3c-ccg/traceability-vocab/pulls

Topic: Vocab PRs

Nis Jespersen : 
  https://github.com/w3c-ccg/traceability-vocab/pull/682
Nis Jespersen : 
  https://github.com/w3c-ccg/traceability-vocab/pull/683
Nis Jespersen :  682, Plenty of approvals no issues, merging
Nis Jespersen :  683, Fixed all of issue  574, no objections, 
  will merge
Nis Jespersen : 
  https://github.com/w3c-ccg/traceability-vocab/pull/684
Nis Jespersen : 
  https://github.com/w3c-ccg/traceability-vocab/pull/685
No objections on 684, all approvals merging
Nis Jespersen :  685 Invoice/PO narrowing of organization.
Nis Jespersen : 
  https://github.com/w3c-ccg/traceability-vocab/pull/686
Orie Steele:  I reviewed this, it just removes erroneous usage of 
  @types, alters RDF graph to not include type info.
Orie Steele:  If you're using Identifiers from schema.org they 
  ahve their own opinions, this appears to just be removing 
  inconsistencies.
Chris Abernethy: Russel removed the incorrect usage, leaves the 
  correct implementation to future PRs.
Nis Jespersen :  No objections, merging.
Nis Jespersen : 
  https://github.com/w3c-ccg/traceability-vocab/pull/687
Mahmoud Alkhraishi:  571 Needs to stay open, the others can be 
  closed.
Nis Jespersen : 
  https://github.com/w3c-ccg/traceability-vocab/issues/572
Nis Jespersen : 
  https://github.com/w3c-ccg/traceability-vocab/issues/569
Orie Steele:  We should identify on a case by case bases when 
  adding types, to make sure we have type interop on things that we 
  care about. In ecommerce for example, if you want the
Orie Steele:  In context of ecommerce , if you want query interop 
  on knowledge graph then you want the context t odefine type in 
  the same way schema.org does, so you can query the graph 
  correctly.
Nis Jespersen : 
  https://github.com/w3c-ccg/traceability-vocab/pull/689
Mahmoud Alkhraishi:  It can wait a week, to merge as it isnt 
  critical.
Orie Steele:  We should surface important issues on the list, but 
  give it a week for normal reviews.
Nis Jespersen : 
  https://github.com/w3c-ccg/traceability-interop/issues?q=is%3Aissue+is%3Aopen+sort%3Aupdated-asc
Nis Jespersen :  17 Issues we can do this!
Nis Jespersen : 
  https://github.com/w3c-ccg/traceability-interop/issues/307
Benjamin Collins:  Presentation Exchagne Oauth is still a valid 
  issue, as it does not have a readme, I will tackle it.
Nis Jespersen : 
  https://github.com/w3c-ccg/traceability-interop/issues/438

Topic: Issue Review

Orie Steele:  438, Gave a presentation of our work to OWF, Linux 
  foundation is still sorting out their workstreams, it is looking 
  like they are close to taking code contributions, we have heard 
  that the VCAPI and data models associated with it, there are two 
  members who would be interested in at a minimum. Those are 
  Gen(Avast/Securekey) and Transmute
Orie Steele:  The Test harness may be accepted as a code 
  contribution. When they have finished call time, we may spend 
  some call time to discuss what moving this to the Linux 
  foundation looks like and its benefits/drawbacks.
Nis Jespersen : 
  https://github.com/w3c-ccg/traceability-interop/issues/453
Chris Abernethy: One of mine, modifies verifiableCredential 
  schema. right now it cannot be a string, some other 
  implementations make it a requirement. Should be ready-for-pr
Mahmoud Alkhraishi:  To rephrase this is if a JWT was provided, 
  then it should be a valid option.
Nis Jespersen :  Looks like its ready for PR.
Nis Jespersen : 
  https://github.com/w3c-ccg/traceability-interop/issues/460
Chris Abernethy: this was to update respec doc to allow for 
  updates that were done in our docs to be reflected. We should 
  allow this to go on
Chris Abernethy: if no preferences/guidance it shoudl be good to 
  go.
Nis Jespersen : 
  https://github.com/w3c-ccg/traceability-interop/issues/464
Nis Jespersen :  646, Workflow needs to be more generic rather 
  than US oriented.
Orie Steele:  I think thats fair, we should be adding more 
  diverse flair rather than removing existing flair.
Mahmoud Alkhraishi:  I like how concrete it currently is, we 
  shouldn't lose that, but we should increase diversity by adding 
  more workflows, if he is willing to help with that contribution, 
  then it is a positive.
Nis Jespersen :  Will assign myself and look for some 
  suggestions.
Scribe-
Benjamin Collins is scribing.
Nis Jespersen : 
  https://github.com/w3c-ccg/traceability-interop/issues/457
Chris Abernethy: 457 is a long conversation about azure AD for 
  OAuth, it is impossible for them to pass tests. Azure AD 
  require's scopes to follow a rigid naming format.
Chris Abernethy: The proposal is for the scope to be parameter 
  for the tests. Orie pointed out that this makes testing interop 
  impossible. I I agree with that, but unless we mandate that 
  everyone uses the Azure AD names, we can't take that approach.
Chris Abernethy: My suggestion is that we could mandate that all 
  implementations grant all scopes and give an optional parameter 
  to say the scope request must contain this string.
Chris Abernethy: Let me know if you have any questions
Orie Steele:  I pinged my friends at Microsoft to weigh in on 
  this issue. I want a response from them before acting on this 
  issue.
Orie Steele:  I think we want to say that if you're capable of 
  validating, you still get some coverage. We want to have some 
  security posture around that. And then we add a description to 
  the respec document around how scopes are handled in the profile 
  around interop.
Orie Steele:  And then we would need to have some changes in the 
  tests so that people dont have to jump through hoops. So update 
  the respec document, and then add a flag to the tests to ignore 
  scopes for other OAuth implementations.
Chris Abernethy: Would you mind adding a comment to that effect?
Nis Jespersen : 
  https://github.com/w3c-ccg/traceability-interop/issues/454

ACTION: update issue 457 with Orie's comments regarding warnings 
  for Azure

Orie Steele:  Sure, I'll copy it from the meeting minutes
Chris Abernethy: 454, this came out of the issue with some VC-API 
  testing around the options behavior.
Orie Steele:  Okay, looking at the issue, `x-`prefix is not an 
  optional
Orie Steele:  The intention here is to show support for data 
  integrity and JWT. And the reason headers came out, should we 
  have headers to opt-in to a feature to be able to show capability 
  to that. I think long-term we want to have body parameters to 
  define this functionality.
Chris Abernethy: So anyone who implements this without any tests, 
  with VC-API will fail these tests, or should we make the options 
  optional, or should we leave them as required?
Orie Steele:  I prefer for options to be required to show 
  intention
Chris Abernethy: This could break interop with VC-API, are we 
  okay with that?
Orie Steele:  I think we want to have specific options around 
  security, and rather than having implicit options that are known 
  to the caller, these should be exposed to the user.
Chris Abernethy: My main issue here was that it didn't seem to 
  match up with what they are doing. But I'm okay with the current 
  proposal.
Orie Steele:  I think that's what we want to do.
Chris Abernethy: I will close with comments.
Nis Jespersen : 
  https://github.com/w3c-ccg/traceability-interop/issues/475
Nis Jespersen :  I think this issue might be in the wrong repo, 
  this should probably be moved to trace-vocab
Orie Steele:  Yes, you can move it to trace-vocab.
Chris Abernethy: Can we jump to 482?
Nis Jespersen : 
  https://github.com/w3c-ccg/traceability-interop/issues/482
Chris Abernethy: This is something Mike brought up with me. 
  Should we update to statuslist 2021?
Orie Steele:  If we can't resolve the context, can we update?
Nis Jespersen :  It looks like it's fixed, and was just fixed 
  now.
Orie Steele:  I have been bit by implementing something that just 
  got moved to a working group. I would like to see something get 
  further a long in a working group before a working group as 
  published a FPWD on it.
Chris Abernethy: I don't know what FPWD
Orie Steele:  First Published Working Draft. In order to become a 
  technical recommendation it need to start as a FPWD.
Paul: Is there a function that we want to have in interop which 
  would use this?
Nis Jespersen : 
  https://github.com/w3c-ccg/traceability-interop/issues/479
Orie Steele:  This would allow for suspension and revocation, in 
  which there are a few. I think that we don't want to chase a 
  bleeding edge.
Chris Abernethy: In our spec, we have a bunch of examples that 
  contain proofs, but we changed the content, but didn't update the 
  proof. So it doesn't seem right to have invalid proofs.
Orie Steele:  With respect to proofs, we might want to use a 
  respec plugin for proof signatures, to solve this problem 
  elegantly. And inclusively using JWT.
Chris Abernethy: Okay, sounds good. Can we move this to ready for 
  PR, or do we need more specific examples?
Orie Steele:  I think it would apply to every example with a 
  proof in it. I will include a link and a comment.
Nis Jespersen :  Does this apply to trace-vocab?
Orie Steele:  It's weird that we're even talking about proofs in 
  this document.
Nis Jespersen :  I think that means we mostly have a separate 
  similar issue on trace-vocab
Chris Abernethy: If you look at the specification, it will 
  contain a proof. And we want our spec to not perpetuate bias, as 
  well as the respec document.
Orie Steele:  I have included a link for something Manu built to 
  help address that problem.
Nis Jespersen :  Let's wrap this up, I'll see you Feb 21. Let's 
  keep on the progress. Thank you.
Scribe-

Received on Thursday, 12 January 2023 13:59:28 UTC