[MINUTES] CCG Incubation and Promotion 2025-06-25 from meetings@w3c-ccg.org on 2025-06-25 (public-credentials@w3.org from June 2025)

From: <meetings@w3c-ccg.org>
Date: Wed, 25 Jun 2025 18:01:07 -0400
To: public-credentials@w3.org
Message-ID: <CA+ChqYek+o+brrT8b4hd6yVOokoadYnGz-b7YfVRFVj98SegzA@mail.gmail.com>
CCG Incubation and Promotion Meeting Summary - 2025-06-25

*Topics Covered:*

   -

   *Status Update on Incubated Specifications:* A review of the progress of
   several specifications, including their priority and current stage of
   development.
   -

   *Quantum-Safe Crypto Suites:* A large pull request was merged, needing a
   final pass to finalize algorithm identifiers. Near completion.
   -

   *Verifiable Credential API:* Making good progress, closing ~4
   issues/week; expected completion in 3-4 weeks.
   -

   *Verifiable Presentation Request (VPR):* Only 6 issues remaining;
   expected completion in ~1 month.
   -

   *Verifiable Issuers and Verifiers:* Progress stalled due to lack of
   feedback from Isaac and David Chadwick. Minor changes needed before moving
   forward.
   -

   *Verifiable Credentials over Wireless:* Requires community group
   adoption; multiple organizations have expressed interest. Adoption request
   to be submitted in the next two weeks.
   -

   *Credential Refresh:* Requires discussion on design and security,
   particularly addressing "no phone home" concerns raised by the ACLU
   regarding potential abuse. Suggestions include using a separate private
   credential for refresh or moving the refresh signal outside the credential
   itself. Crucially, the verifier should *never* directly contact the
   issuer without holder consent.
   -

   *ZCAP (Authorization Capability):* The MIT Digital Credentials
   Consortium wants to move this forward due to increased need for issuing
   credentials asynchronously into wallets. Discussion with working group
   chairs to establish this as a new work item is ongoing.

*Key Points:*

   - Several specifications are nearing completion and expected to be ready
   for promotion soon.
   - The "no phone home" security concern regarding credential refresh
   needs careful consideration and design changes.
   - Collaboration and feedback from key individuals are necessary to
   unblock stalled specifications.
   - The ZCAP work is gaining momentum due to practical application needs.
   - Many specifications are expected to be ready by the end of summer
   (August).

Text:
https://meet.w3c-ccg.org/archives/w3c-ccg-ccg-incubation-and-promotion-2025-06-25.md

Video:
https://meet.w3c-ccg.org/archives/w3c-ccg-ccg-incubation-and-promotion-2025-06-25.mp4
*CCG Incubation and Promotion - 2025/06/25 10:58 EDT - Transcript*
*Attendees*

Hiroyuki Sano, John's Notetaker, Manu Sporny, Parth Bhatt, Tom Jones
*Transcript*

Manu Sporny: Hey folks, let's go ahead and get started. It's a light group
today. Again, we've got multiple people out on vacation. so, we might not
have quorum to really have a complete call today. but we can just check in,
really quickly. let me go ahead and share my screen and we can just do a
quick status update with where everything is. all right. so we have an
issue that's tracking all of the specifications that are being incubated. I
think in priority we got the high priority ones done kind of first. so we
do have a number that are ready to go and a number that are being worked on
that are making progress outside of this group.

Manu Sporny: so I'll just go down that list right now. the quantum safe
crypto suites got u a fairly large PR merged last week around all the
different types of postquantum schemes that we plan on supporting. we need
to make another pass at this next meeting this week to kind of lock in some
of the algorithm identifiers and things like that. and large that's in
decent shape. we could almost move it up after the next meeting that we
have in the data integrity group. the verifiable credential API call
yesterday processed a number of pull requests. those are moving forward at
a good clip. we're closing about four issues a week.

Manu Sporny: We have about 24 total and maybe about 12 left to go. So,
we're looking at 3 to four weeks before the verifiable credential API is
kind of wrapped up into a form that we can hand it over to the verifiable
presentation request. we still need to categorize those issues, but there
are only six left on that one. that again should be in fairly decent shape
in about another month or so. for verifiable issuers and verifiers. that
work's stalling partly because we're not getting kind of feedback from
Isaac and David Chadwick. I'll try to check in with them to see if they're
planning on some of the changes to the specification before it's ready to
go.

Manu Sporny: I'll note that it's not really a big set of changes, but it's
changes that would be good to make here. before we move it on for
verifiable credentials over wireless, we still need that adopted by the
credentials community group. I've been going around kind of asking some
organizations privately if they want to support it. I do have multiple
organizations saying yes at this point. So that's the next step here is to
just raise the adoption request and move forward with that a bit. I'll try
to do that over the next two weeks or so, but that's the only thing that we
really need with that spec so far to be able to say that it's ready for
promotion. credential refresh is something that we need to have a decent
design conversation around.
00:05:00

Manu Sporny: I was hoping to have that conversation today, but I don't know
if we have enough people here to have that conversation. So, the big thing
that's come up is the no phone home thing that has been raised by the ACLU
on the mailing list. and there has been some feedback by people saying that
they think that it's possible to abuse the credential refresh mechanism.
and we just want to make sure that that is not possible or it's not spec or
it's clearly marked as an attack. one of the things that Dave Longley had
suggested previously was that we would provide a different credential that
was private that allowed refreshing.

Manu Sporny: we might also want to move the refresh signal completely out
of the credential so that it's done through u mechanisms that the holder
supports since the holder is typically the one that should be refreshing
this credential. To be specific, at no point should the verifier just as in
the general sense reach out directly to the issuer and pull a new
credential. That is the phone home problem that people are really concerned
about where the person's activity out in the world is strongly identified
because they end up directly contact the verifier contacts the issuer out
of band without consent from the holder.

Manu Sporny: that sort of thing. So, we've gota I think given the new
discussion around that no phone home thing, we have to make sure we do a
decent privacy and security pass on the credential refresh mechanism before
we move it forward at promotion. And then during the call last week,
Dimmitri noted that the MIT Digital Credentials Consortium in their wallet
team would like to move the Zcap stuff forward the authorization capability
work forward because they're seeing more need for that specifically in u
issuing credentials after the fact into a holder's wallet.

Manu Sporny: So this is for example a business process that takes a bit of
time where the individual comes to a issuer. They say Here's my
information. But then there's some kind of asynchronous business process
that's kicked off that would then result in the issuance of a credential
into the individual's digital wallet in a pre-authorized capacity and an
authorization capability could be used to specify specifically the very
specific type of credential, the fact that it's a single use, all that kind
of stuff.

Manu Sporny: it's got a time limit on it. All of those things could be done
through the Zcap stuff. So, Dimmitri is trying to talk with the chairs to
see if that can be a new work item that's kicked off. that is the full list
that we have and I think our current state with each one of those. I expect
the quantum safe crypto suites, the VC API and VPR, the top three to keep
moving forward in their respective groups. I think the verifiable issuers
and verifiers list stuff has stalled and we need to talk with the authors
there to see if we can restart it.

Manu Sporny: VC over wireless we've got form for forward momentum there a
credential refresh we need to have a discussion in this group about that
capability and then ZCAPS are waiting for Dmitri to push that forward in
the working group in the CCG. all that said, just these three give plenty
of stuff for the VCWG to do and we do expect a good chunk of these, to be
done by the end of the summer, August time frame, for inclusion in that
working group. Okay, I think that is largely it for the updates.

Manu Sporny: Are there any other updates from any new information that's
relevant to these work items that folks want to provide. If not, that's our
call for today and we will meet again next week and see if we get a better
group larger group to discuss the verifiable credentials over wireless
sorry the credential refresh mechanism next week. Okay, thanks all. have a
good one. take care. Bye.
Meeting ended after 00:10:25 👋

*This editable transcript was computer generated and might contain errors.
People can also change the text after it was created.*
Received on Wednesday, 25 June 2025 22:01:13 UTC