[MINUTES] W3C CCG Traceability Call - 2023-05-23 from CCG Minutes Bot on 2023-05-24 (public-credentials@w3.org from May 2023)

From: CCG Minutes Bot <minutes@w3c-ccg.org>
Date: Wed, 24 May 2023 15:48:59 +0000
Message-ID: <E1q1qjR-008NZN-F0@titan.w3.org>

Thanks to ben_(transmute) and Our Robot Overlords for scribing this week!

The transcript for the call is now available here:

https://w3c-ccg.github.io/meetings/2023-05-23-traceability/

Full text of the discussion follows for W3C archival purposes.
Audio of the meeting is available at the following location:

https://w3c-ccg.github.io/meetings/2023-05-23-traceability/audio.ogg

----------------------------------------------------------------
Verifiable Traceability Task Force Transcript for 2023-05-23

Agenda:
https://www.w3.org/Search/Mail/Public/advanced_search?hdr-1-name=subject&hdr-1-query=%5BAGENDA&period_month=May&period_year=2023&index-grp=Public__FULL&index-type=t&type-index=public-credentials&resultsperpage=20&sortby=date
Organizer:
Orie Steele, Mike Prorock, Mahmoud Alkhraishi
Scribe:
ben_(transmute) and Our Robot Overlords
Present:
Nis Jespersen , Russell Hofvendahl, Paul Dietrich GS1, Ben
(Transmute), Orie Steele, Chris Abernethy

ben_(transmute) is scribing.
Our Robot Overlords are scribing.
Ben_(Transmute): Octopus is off.
Nis Jespersen : https://github.com/w3c-ccg/traceability-vocab
Nis Jespersen : Thanks for joining the weekly trace call. Make
sure to sign the contributor agreement.
Nis Jespersen :
https://github.com/w3c-ccg/traceability-vocab/pull/736
Orie Steele:
https://github.com/w3c-ccg/traceability-vocab/issues/786
Orie Steele: I was able to get the CI to pass. But it has
surfaced a couple of issues that would be good to discussed.
These are linked in the PR.
Orie Steele:
https://github.com/w3c-ccg/traceability-vocab/issues/787
Orie Steele: The first is schema validation for GS1 and schema
validation.
Orie Steele: The original intention for the PR was a VC version
2 test suite and maybe even convert all of the existing
credentials to version 2 automatically. To start supporting v2.
There are places where we assert the structure of the context.
Orie Steele: In the case of GS1 there is no trace context, but
in the case of MTR we have trace context. To be able to define
what the shape looks like in JSON schema. We want to know about
cases where the JSON is changed before getting to the verifier to
make sure time is not wasted.
Orie Steele: One issue would be to add more contexts, which
would add a lot more processing time. Or adding a giant array of
empty objects, so schema validation is a security vector
especially for data integrity proofs.
Orie Steele: So I can get a yes or no answer if a credential is
able to validate to schema. We might have an issue when we have
issues, like with GS1 we can bundle GS1 into our context. In our
respec document we're saying a context must be in some kind of
allow list.
Orie Steele: The way we're handing schema validation is not
working for GS1 credentials.
Orie Steele:
https://github.com/w3c-ccg/traceability-vocab/pull/736/files#diff-398c38414614698511f6dbce592de71d0be2b3b21504661a5fc7d033fea2eb26
Nis Jespersen : I wanted to the comment about the "must include
traceability" limitation. The GS1 schemas do list which contexts
are required for which credentials. Are we in the clear if we
remove that constraint?
Orie Steele: The respec document needs to be updated, and it
needs to match something to the example that I just linked. We
would expect to say that we have the v1 or v2 context, and then
we have some other list of credentials. And both our respec and
schemas need to say that.
Orie Steele: Another thing we could say is traceabiliy schemas
only allow for version 1 or version 2 or both. And say here are
the other contexts that are allowed. What we should definitely
not do is say you can put in anything. And we should fix this
before we freeze.
Nis Jespersen :
https://github.com/w3c-ccg/traceability-vocab/blob/main/docs/openapi/components/schemas/credentials/MillTestReportCredential.yml#L16
Nis Jespersen : At line 16, isn't on a credential by credential
basis where you control what is allowed per schema. So if MTR is
v2, wouldn't that be reflected at this part of the schema? Do we
need to do anything else outside of updating the respec document?
Orie Steele: You're correct, but if you change the property in
this schema, then it needs to line up with what we say in respec.
To say ONLY v1 or ONLY v2. But if you say either or, you run into
problems like issuanceDate is now validFrom.
<ben_(transmute)> Paul: I wanted to confirm, you want to have a
JSON schema to validate the context within some set that is
valid. What's the restriction on what rules you can apply in JSON
schema?
Nis Jespersen :
https://github.com/w3c-ccg/traceability-vocab/blob/main/docs/openapi/components/schemas/credentials/GS1KeyCredential.yml#L16
Orie Steele: You can make a very specific to only what is spec
legal. The GS1 data model that you guys have defined has which
contexts are allowed. And say that it must match that.
Nis Jespersen : We list credential v1 and then two GS1 contexts.
Orie Steele: So reading this out, what this really says, the
traceability GS1 key credential. This JSOn schema validates ONLY
validate credentials that fit the spec. And that should allow you
to check the schema before you do any JSON-LD processing.
<ben_(transmute)> Paul: And somehow this complicates things when
we move to VC v2?
Orie Steele: In order for this to be legal in v2, GS1 would need
to say we're supporting v2. Think about this from a customs
agencies perspective. They want to know if they're v1 or v2
credentials. They want to know is there a schema that verifies an
instance of this JSON.
<ben_(transmute)> Paul: To support traceability with v2 GS1 needs
to provide v2 credentials. and a schema to define those
credentials.
Orie Steele: So might have v1 GS1, v1 traceability, v2 GS1, and
vs traceability.
<ben_(transmute)> Paul: Do the versions align with the verifiable
credential data model?
Orie Steele: Yes, so in v2 issueanceDate is now validFrom and
the schema would need to be updated.
Orie Steele: The PR adds a v2 credential. And it would add a v2
credential that would be shipped. And there are a lot of software
libraries that won't be able to issue it. The core spec for v1
made it more difficult. So we want to decent when we want to do
that and how we want to do it. But it's likely we're going to be
in that situation where we have multiple version. and if GLIEF
adds credentials here, the same will apply as well.
Nis Jespersen : Beyond this conversation, do we need to make a
decision where we have double support, and then deprecate version
1 before we get there?
Orie Steele: I think the highest priority action item is to fix
the respec document to make GS1 valid to allow those contexts.
The v1 support is currently not correct.
Nis Jespersen :
https://w3c-ccg.github.io/traceability-vocab/#extensions-to-standard
Orie Steele: In summary if we merge 736 we will be in a world
with three kinds of context, And our respec document says there
is only one kind of context.
Orie Steele: In that section we want to say, "these are the
contexts that you MUST support in order to conform to this
profile"
Nis Jespersen : My opinion is that's a separate issue. We need
to update the respec, I would push towards merging, and then
clean up after ourselves.
Orie Steele: Also we have tests where we expect v1 and it's
going to start surfacing weird errors. I made a comment in the
Pull Request.
Orie Steele: We need to update the tooling if we merge 736.
Nis Jespersen : Any objections to merging 736?
Nis Jespersen : If we include a v2 credential, should we mark it
as experimental?
Orie Steele: We have tags and they are being used.
Orie Steele: If we merge this, there are other things we're
going to have to fix in short order.
Nis Jespersen : We have three approvals, let's go ahead and
merge.
Nis Jespersen :
https://github.com/w3c-ccg/traceability-vocab/pull/774
<nis> acl paul
https://w3c-ccg.github.io/traceability-interop/reports/interoperability/
Nis Jespersen :
https://w3c-ccg.github.io/traceability-interop/reports/conformance/
https://w3c-ccg.github.io/traceability-interop/reports/conformance/
<ben_(transmute)> Paul: I ad a question if the lingering
conformance and interop. Are being help off? Looking at the
tests, the last was run in April?
Nis Jespersen : They should be running nightly, these ran 17
hours ago, it looks like the date on the report page is not being
updated.
Nis Jespersen :
https://github.com/w3c-ccg/traceability-vocab/pull/774
Nis Jespersen : Let's push forward with the pull requests.
Nis Jespersen : The next is the CATAIR mapping. There are
changes requested and orie and mahmoud are not on the call, so
let's address that next time.
Nis Jespersen :
https://github.com/w3c-ccg/traceability-vocab/pull/779
Nis Jespersen : This updates the Importer Security Filing and
took out Oil and Gas because oil is not transported with this
form.
Nis Jespersen :
https://github.com/w3c-ccg/traceability-vocab/pull/781
Nis Jespersen : We had "The Thing" credential, which has the
ability to throw generic identifiers into an instance. So this
creates a more business oriented credential. Originally I
overwrote "The Thing" credentials. So this just adds an entry
number. And Mahmoud approved it.
Nis Jespersen :
https://github.com/w3c-ccg/traceability-vocab/pull/782
Nis Jespersen : This aligns to the recommendation of using two
letter ISO country codes.
Nis Jespersen : We got a response back from schema.org. And that
dialog has started.
Nis Jespersen :
https://github.com/w3c-ccg/traceability-vocab/pull/783
Russell Hofvendahl: This is pretty straight forward to implement
consistent fake phone numbers. Where 555 is the standard fake
number.
Nis Jespersen : Great, probably a lot of what you're fixing is
me not understanding the US area code.
Nis Jespersen : I would go ahead and merge as soon as the
conflict is resolved.
Nis Jespersen :
https://github.com/w3c-ccg/traceability-vocab/pull/784
Russell Hofvendahl: This one adds USDASpecialtyCrops237AForm in
response to feedback from AMS. This also goes into a few fields
in agriculture product. And it updates a few related credentials.
Russell Hofvendahl: Extended products has some additional
information from agriculture product.
Nis Jespersen :
https://github.com/w3c-ccg/traceability-vocab/pull/785
Nis Jespersen : This PR adds a workflows folder that defines a
traceable presentation.
<paul_dietrich_gs1> have to drop . Thanks everyone.
Nis Jespersen : And this it takes those workflows and renders
them in the respec document using mermaid to render the sequence
diagrams.
Nis Jespersen :
https://github.com/w3c-ccg/traceability-vocab/pull/788
Nis Jespersen : The next one builds on the previous PR and adds
more business workflows. It has SIMA and Mill Test Reports and
importer security filing.
Nis Jespersen : Any questions on what this is doing?
Nis Jespersen :
https://github.com/w3c-ccg/traceability-interop/pull/545
Chris Abernethy: This one is brand new, so we might want to
leave it until next week. This is an old issue for how Azure
handles scope naming, which has a format that doesn't conform to
the format we use. We removed the normative requirements for
which scopes are required. And we make the assertion that
implementations have handled some scopes for security.
Nis Jespersen : It's a little sad with how much work we put into
getting it.
Chris Abernethy: After this came up, maybe we were over stepping
our bounds.
<ben_(transmute)> scribe-

Received on Wednesday, 24 May 2023 15:48:59 UTC