- From: David Chadwick <d.w.chadwick@truetrust.co.uk>
- Date: Wed, 25 Jun 2025 23:34:16 +0100
- To: public-credentials@w3.org
- Message-ID: <1559f334-14cf-40fe-b2cc-65a9695f9110@truetrust.co.uk>
Hi Manu Progress has not stalled on Verifiable Issuers and Verifiers. We only have one PR left to commit, and have been closing off all the issues or marking them for resolution by the VC WG when it becomes a work item. Once the PR is merged the document will be ready for handover Kind regards David On 25/06/2025 23:01, meetings@w3c-ccg.org wrote: > > > CCG Incubation and Promotion Meeting Summary - 2025-06-25 > > *Topics Covered:* > > * > > *Status Update on Incubated Specifications:* A review of the > progress of several specifications, including their priority and > current stage of development. > > * > > *Quantum-Safe Crypto Suites:* A large pull request was merged, > needing a final pass to finalize algorithm identifiers. Near > completion. > > * > > *Verifiable Credential API:* Making good progress, closing ~4 > issues/week; expected completion in 3-4 weeks. > > * > > *Verifiable Presentation Request (VPR):* Only 6 issues remaining; > expected completion in ~1 month. > > * > > *Verifiable Issuers and Verifiers:* Progress stalled due to lack > of feedback from Isaac and David Chadwick. Minor changes needed > before moving forward. > > * > > *Verifiable Credentials over Wireless:* Requires community group > adoption; multiple organizations have expressed interest. Adoption > request to be submitted in the next two weeks. > > * > > *Credential Refresh:* Requires discussion on design and security, > particularly addressing "no phone home" concerns raised by the > ACLU regarding potential abuse. Suggestions include using a > separate private credential for refresh or moving the refresh > signal outside the credential itself. Crucially, the verifier > should /never/ directly contact the issuer without holder consent. > > * > > *ZCAP (Authorization Capability):* The MIT Digital Credentials > Consortium wants to move this forward due to increased need for > issuing credentials asynchronously into wallets. Discussion with > working group chairs to establish this as a new work item is ongoing. > > *Key Points:* > > * Several specifications are nearing completion and expected to be > ready for promotion soon. > * The "no phone home" security concern regarding credential refresh > needs careful consideration and design changes. > * Collaboration and feedback from key individuals are necessary to > unblock stalled specifications. > * The ZCAP work is gaining momentum due to practical application needs. > * Many specifications are expected to be ready by the end of summer > (August). > > Text: > https://meet.w3c-ccg.org/archives/w3c-ccg-ccg-incubation-and-promotion-2025-06-25.md > > Video: > https://meet.w3c-ccg.org/archives/w3c-ccg-ccg-incubation-and-promotion-2025-06-25.mp4 > > > *CCG Incubation and Promotion - 2025/06/25 10:58 EDT - Transcript* > > > *Attendees* > > Hiroyuki Sano, John's Notetaker, Manu Sporny, Parth Bhatt, Tom Jones > > > *Transcript* > > Manu Sporny: Hey folks, let's go ahead and get started. It's a light > group today. Again, we've got multiple people out on vacation. so, we > might not have quorum to really have a complete call today. but we can > just check in, really quickly. let me go ahead and share my screen and > we can just do a quick status update with where everything is. all > right. so we have an issue that's tracking all of the specifications > that are being incubated. I think in priority we got the high priority > ones done kind of first. so we do have a number that are ready to go > and a number that are being worked on that are making progress outside > of this group. > > Manu Sporny: so I'll just go down that list right now. the quantum > safe crypto suites got u a fairly large PR merged last week around all > the different types of postquantum schemes that we plan on supporting. > we need to make another pass at this next meeting this week to kind of > lock in some of the algorithm identifiers and things like that. and > large that's in decent shape. we could almost move it up after the > next meeting that we have in the data integrity group. the verifiable > credential API call yesterday processed a number of pull requests. > those are moving forward at a good clip. we're closing about four > issues a week. > > Manu Sporny: We have about 24 total and maybe about 12 left to go. So, > we're looking at 3 to four weeks before the verifiable credential API > is kind of wrapped up into a form that we can hand it over to the > verifiable presentation request. we still need to categorize those > issues, but there are only six left on that one. that again should be > in fairly decent shape in about another month or so. for verifiable > issuers and verifiers. that work's stalling partly because we're not > getting kind of feedback from Isaac and David Chadwick. I'll try to > check in with them to see if they're planning on some of the changes > to the specification before it's ready to go. > > Manu Sporny: I'll note that it's not really a big set of changes, but > it's changes that would be good to make here. before we move it on for > verifiable credentials over wireless, we still need that adopted by > the credentials community group. I've been going around kind of asking > some organizations privately if they want to support it. I do have > multiple organizations saying yes at this point. So that's the next > step here is to just raise the adoption request and move forward with > that a bit. I'll try to do that over the next two weeks or so, but > that's the only thing that we really need with that spec so far to be > able to say that it's ready for promotion. credential refresh is > something that we need to have a decent design conversation around. > > > 00:05:00 > > Manu Sporny: I was hoping to have that conversation today, but I don't > know if we have enough people here to have that conversation. So, the > big thing that's come up is the no phone home thing that has been > raised by the ACLU on the mailing list. and there has been some > feedback by people saying that they think that it's possible to abuse > the credential refresh mechanism. and we just want to make sure that > that is not possible or it's not spec or it's clearly marked as an > attack. one of the things that Dave Longley had suggested previously > was that we would provide a different credential that was private that > allowed refreshing. > > Manu Sporny: we might also want to move the refresh signal completely > out of the credential so that it's done through u mechanisms that the > holder supports since the holder is typically the one that should be > refreshing this credential. To be specific, at no point should the > verifier just as in the general sense reach out directly to the issuer > and pull a new credential. That is the phone home problem that people > are really concerned about where the person's activity out in the > world is strongly identified because they end up directly contact the > verifier contacts the issuer out of band without consent from the holder. > > Manu Sporny: that sort of thing. So, we've gota I think given the new > discussion around that no phone home thing, we have to make sure we do > a decent privacy and security pass on the credential refresh mechanism > before we move it forward at promotion. And then during the call last > week, Dimmitri noted that the MIT Digital Credentials Consortium in > their wallet team would like to move the Zcap stuff forward the > authorization capability work forward because they're seeing more need > for that specifically in u issuing credentials after the fact into a > holder's wallet. > > Manu Sporny: So this is for example a business process that takes a > bit of time where the individual comes to a issuer. They say Here's my > information. But then there's some kind of asynchronous business > process that's kicked off that would then result in the issuance of a > credential into the individual's digital wallet in a pre-authorized > capacity and an authorization capability could be used to specify > specifically the very specific type of credential, the fact that it's > a single use, all that kind of stuff. > > Manu Sporny: it's got a time limit on it. All of those things could be > done through the Zcap stuff. So, Dimmitri is trying to talk with the > chairs to see if that can be a new work item that's kicked off. that > is the full list that we have and I think our current state with each > one of those. I expect the quantum safe crypto suites, the VC API and > VPR, the top three to keep moving forward in their respective groups. > I think the verifiable issuers and verifiers list stuff has stalled > and we need to talk with the authors there to see if we can restart it. > > Manu Sporny: VC over wireless we've got form for forward momentum > there a credential refresh we need to have a discussion in this group > about that capability and then ZCAPS are waiting for Dmitri to push > that forward in the working group in the CCG. all that said, just > these three give plenty of stuff for the VCWG to do and we do expect a > good chunk of these, to be done by the end of the summer, August time > frame, for inclusion in that working group. Okay, I think that is > largely it for the updates. > > Manu Sporny: Are there any other updates from any new information > that's relevant to these work items that folks want to provide. If > not, that's our call for today and we will meet again next week and > see if we get a better group larger group to discuss the verifiable > credentials over wireless sorry the credential refresh mechanism next > week. Okay, thanks all. have a good one. take care. Bye. > > > Meeting ended after 00:10:25 👋 > > /This editable transcript was computer generated and might contain > errors. People can also change the text after it was created./ >
Received on Wednesday, 25 June 2025 22:34:27 UTC