[MINUTES] CCG Weekly 2025-05-27

W3C CCG Meeting Summary - 2025/05/27

*Topics Covered:*

   - *Verifiable Credentials Working Group (VCWG) Update:* The VCWG recently
   finalized seven specifications, including the VC Data Model 2.0. The group
   is now in maintenance mode, focusing on finishing the VC JSON schema and
   data integrity BBS specifications, addressing minor issues (errata), and
   working on the reserved extension points: render method and confidence
   method. Re-chartering is anticipated in late summer/fall to address
   additional work items.
   - *Upcoming Work Items:* Discussion centered around several potential work
   items for future consideration within the VCWG, including:
      - Verifiable Credential Barcodes (already in production for US driver's
      licenses)
      - Verifiable Credential Rendering Method
      - Quantum-safe Crypto Suites
      - Verifiable Credential API (life cycle management; differs from the
      browser-based Digital Credentials API)
      - Verifiable Presentation Request (query language, potential merger
      with VC API)
      - Verifiable Issuers and Verifiers
      - Verifiable Credentials over Wireless
      - Confidence Method (raising confidence in credential presenter
      identity)
      - Credential Refresh (automatic credential renewal)
   - *Key Differences between VC API and Digital Credentials API:* The VC API
   focuses on broader life cycle management and interoperability, including
   back-office functions and support for multiple protocols (like OID4). The
   Digital Credentials API (DC API) is browser-based and aims for
   protocol/data format agnosticism, delegating protocol specifics to other
   specifications. The VC API can work within the DC API framework.
   - *Threat Modeling for Verifiable Credentials:* The need for a
   comprehensive threat model for VCs was highlighted, emphasizing the
   importance of addressing this before the next re-chartering.
   - *Geneva Meeting (July 2025):* A meeting involving various organizations
   (governments, W3C, OIDF, IETF, etc.) will focus on the state of digital
   identity and wallets. Discussions will include updates on VC 2.0, threat
   modeling, and the Digital Credentials API. Key concerns raised include
   maintaining privacy and preventing government overreach in the deployment
   of digital identity systems. The meeting aims to foster collaboration and
   address concerns around democratizing credential issuance and avoiding
   surveillance.

*Key Points:*

   - The VCWG has successfully concluded a significant phase of work.
   - The group will take a short break before focusing on the render method
   and confidence method specifications.
   - Re-chartering is expected to expand the scope of the VCWG to include
   further work items.
   - There's a need for clarification on the differences between the VC API
   and the DC API.
   - A comprehensive threat model for VCs is crucial.
   - The upcoming Geneva meeting presents an opportunity for significant
   collaboration and discussion of important issues in the digital identity
   space. Concerns around privacy and the potential for governmental overreach
   in the deployment of digital identity systems were highlighted.

Text: https://meet.w3c-ccg.org/archives/w3c-ccg-ccg-weekly-2025-05-27.md

Video: https://meet.w3c-ccg.org/archives/w3c-ccg-ccg-weekly-2025-05-27.mp4

*CCG Weekly - 2025/05/27 11:58 EDT - Transcript*

*Attendees*

Alex Higuera, Benjamin Young, Brent Zundel, Chandima Cumaranatunge, Dmitri
Zagidulin, Erica Connell, Greg Bernstein, Gregory Natran, Harrison Tang,
Hiroyuki Sano, Jennie Meier, Joe Andrieu, Kaliya Identity Woman, Kayode
Ezike, Mahmoud Alkhraishi, Manu Sporny, Parth Bhatt, Philippe Le Hégaret,
Phillip Long, Rob Padula, Vanessa Xu, Will Abramson

*Transcript*

Harrison Tang: Hey, Brent.

Brent Zundel: Hey Harrison, how are you?

Harrison Tang: Good. Thank you for taking the time to drop out.

Brent Zundel: Yeah, of course.

Harrison Tang: How's it going?

Brent Zundel: Things are going pretty well.

Harrison Tang: Good to hear. And congrats on the VC 2.0 being the official
years in the making,…

Brent Zundel: Thanks. Yeah,…

Harrison Tang: Yeah.

Brent Zundel: it's been a long time coming.

Harrison Tang: All right, we'll start in about two minutes. I think usually
we have 30 people coming in, but I think people scroll in around 9 910 or
so.

Harrison Tang: All we'll start and then we'll let other people join in the
next five minutes or so. But welcome to this week's W3C CCG meeting. Today,
we're very excited to have Brent here to lead a discussion on what's next
on the verifiable credentials working group. But before then just want to
quickly do a quick reminder on the code of ethics and professional conduct.
I just want to make sure that all of us hold constructive conversations
here that we always have. Next quick note on the intellectual property.
Anyone can participate in these calls. However, all substantive
contributions to any CCG items must be member of the CCG with full IPR
agreement signed.

Harrison Tang: So if you have any questions in regards to getting the W3C
account or the community contributor license agreement please feel free to
reach out to any of the co-chairs. These meetings are automatically recorded
and transcribed and we use a Google Hangout to do that. And we'll publish
automatically, again thanks to Manu, we'll publish automatically the
transcriptions in the next few hours and then you can just use the raise
hand feature in Google Hangouts if you have any questions and I'll moderate
the queue. All right. I just want to take a moment for introductions and
reintroductions.
00:05:00

Harrison Tang: So, if you're new to the community or you haven't been
active and want to engage, feel free to just unmute and introduce yourself
a little bit. I see mostly familiar faces. So, next announcements and Any
announcements reminders? Money expense.

Manu Sporny: Yeah, just a reminder on the regular other community group
meetings that we are having this week. Later on today, there will be the
verifiable credential API call where we are continuing to kind of make
changes to that specification to get in shape to transfer to the VCWG.
Tomorrow will be the more broad kind of incubation and promotion call that
we've been having, which covers a ton of other specifications. We'll be
focusing on the confidence method specification tomorrow along with the
verifiable credential rendering method one.

Manu Sporny: And then on Friday is the data integrity incubation work where
we are focusing on the post-quantum signatures so that crypto suite and some
advances for post-quantum pseudonyms that we've been working on trying to
finish that work up. All of those things of course being proposed to be
handed over to the VCWG. So those invitations went out yesterday. Please
join us if you're interested in any of those work items. Thanks.

Harrison Tang: Thanks, Any other announcements or reminders? Any updates on
the work items? So, we'll onion, please.

Manu Sporny: Sorry, there are updates on a variety of work items. Rather
than going through all of them, I'll just put a link here in the chat
channel. Unfortunately, we're going to lose that link in the minutes, but
those are kind of all of the things that are under active development in
the various CCG groups. and an estimate on the amount of work that's left
before we feel like we can wrap it up for the CCG part of the work on each
one.

Manu Sporny: That's it.

Harrison Tang: Great. Thank you,…

Harrison Tang: Manu. And we'll hold the next work guidance updates and
quarterly review on July 15. Any other announcements or reminders or work
item related stuff? Right, just a preview of what's coming. So, next week
we'll have Wolf to talk about Provenance Mark. The week after we'll have
Daniel from Open Wallet Foundation to talk about the latest developments on
open wallet initiative and then actually a month from now June 24th we'll
have a meet and greet breakout sessions.

Harrison Tang: So the co-chairs will hold these breakout sessions so that
people and new members of the community can actually meet each other and
then July 15 we'll talk about the items. All right, last calls for
introductions, announcements work or work item related stuff. All right,
let's get to the main agenda. So again, very excited to have Brent the
chair of the verifiable credentials working group to present and lead a
discussion on what's next on the verifiable credentials working group. So
as Manu and others have talked about, the VC 2.0 has become the official
standard.

Harrison Tang: Congratulations and it's a great time for Brent to come here
and thanks Brent for taking the time to come here to talk about what's next.

Harrison Tang: The floor is yours.

Brent Zundel: Yeah, happy to be here.
00:10:00

Brent Zundel: Thanks. My name is Brent Zundel. I've been the chair of the
VC working group for I don't remember long time and we just wrapped up a
large workload. It was pretty impressive how much work got done. I think
seven specs are now recommendations including the verifiable credentials
data model 2.0. The bulk of the work that we did was first we updated the
data model but we also officially standardized several securing
specifications as well as specifications for a number of the extension
points that are in the data model.

Brent Zundel: What's next for us? This is pretty much going to be a review
of what the charter text says that we're allowed to do along with a little
bit of confirmation. So, our charter and the purpose of our charter is to
cover the possible work items that we can take on. And that's mostly so
that participants can be comfortable with any IPR agreements that they
would be required to make as part of contributing to that work. The other
main point of the charter is to give us a rough timeline for where we're
going to be working in. And our current charter will go through October
2026. Our charter is kind of an odd hybrid.

Brent Zundel: We rechartered late last year in order to give us a charter
that would allow us to finish the work that was in progress, wrap up these
recommendations that we were working on. And then the charter would
automatically kind of shift into what's called maintenance mode. And so
that's the mode that we're currently in. Of the set of work items that was
originally slated only two of those remain. That's the VC JSON schema and
data integrity BBS are the two specs that we didn't move to recommendation
yet. The first is looking for a little bit more implementation support and
the second is just waiting for BBS to be official in the IETF so that we
can point to

Brent Zundel: Other than that we're in maintenance mode. This is direct
from our charter. So once the planned recommendations have been published,
the working group will continue in maintenance mode to handle new
recommendations Class 4 changes to these recommendations are out of scope
except for and so the process at W3C outlines different classes of changes.
And class 4 means normative additions not in response to obviously being
mistakes that we made or bugs that people find. and there's except for
reserved extension points and any serious security issues.

Brent Zundel: So, we're currently in a mode that is restrictive as to what
we can take on and work on. The charter explicitly says no new
recommendations and it limits us to anything below a class 4 change. So
other than VC JSON schema and data integrity BBS, technically we're not
allowed to do any new recommendations, except for these extension points
and that's what we're going to go into. Kind of summarizing this into
regular language. So any specs in progress, we can finish those and we can
obviously republish and keep working on any of our notes. For example, the
use cases and requirements document has had a lot of work go into it and we
will continue to publish and update that.

Brent Zundel: And then these extension points and the two extension points
that are explicitly called out in the charter and in the VC data model
document itself are the render method and confidence method extension
points and then security issues and then errata, and errata is everything
from hey you guys missed a comma to can you explain this a little bit better?
It doesn't make any sense to me. And so any errata that we address ideally
will be done non-normatively. But if there are normative changes required for
errata we technically can do those but we try to avoid it if possible. And a
hummingbird just came to my hummingbird feeder for the very first time.
Sorry that was very exciting. I've had this hummingbird feeder out for
months now and it's just been sitting there and I've been replacing the
sugar water every week.
00:15:00

Brent Zundel: and come on hummingbirds and somebody just drank from it. It
was very excited. Back to any questions so far? You guys can interrupt at
any point if anything. I mean, I don't have a whole ton of slides and so
this should be more of a conversation than me just gav at people, but just
invite people to feel like they can interrupt at any moment. I'm not at all
bothered by that.

Harrison Tang: Yeah, you fine, please.

Brent Zundel: And Harrison, if you want to run Q or I can either way kind
of thing.

Mahmoud Alkhraishi: Hi Brent. How long do you think we're going to stay in
maintenance mode and when do you anticipate next rechartering and anything
on that

Brent Zundel: That is a very good question. And I will get into that in a
little bit. So if what I cover doesn't address your question, requeue and
remind me that I haven't covered it adequately. So as of now and I think
this is my last slide. So seriously awesome deck here. We are pretty much
taking a break till August. And what that really means is everybody is
really busy doing a lot of other stuff and so we're not going to put CCG on
top of all that other work that people are doing.

Brent Zundel: When we start back up, we already have several issues filed
that we're going to be working on along with some response to security
review that was requested. At that point in August, we can very easily
promote the render method and confidence method specs to the VC working
group. Just to forestall the possible question people might have, if the
charter says no new recommendations, how are we going to justify bringing
in a render method and confidence method recommendation? That's because as
long as the work that we are doing fits within the scope of the charter,
the W3C doesn't really care whether it's part of one recommendation
or become breaks out into its own recommendation. Whether there's two
recommendations or one really doesn't matter.

Brent Zundel: So if a work item is justifiably part of the VC data model
according to the charter and we say we want to break this thing out of the
data model into its own specification, nobody's going to give us grief for
doing render method and confidence method we can easily pull in. Promoting
other work items from CC would likely require recharter. So I'm fully
expecting in August we're going to start talking about recharter. We're
going to look at the slate of work items that are ready to move on and look
at the people who are on board and say how much work do we want to do here.

Brent Zundel: And then we're going to begin that rechartering conversation.
And I fully expect the rechartering to occur as part of the work groups
conversations, which means we're probably going to meet in Kobe this
year for a half day or so to talk over what work items, kind of begin
finalizing that, putting it together. So even though our current charter
runs until October 2026 and if we made no changes to it, we would be in
maintenance mode until then. Without rechartering, we could do render
method and confidence method and obviously the errata stuff. To do more than
that, I think we really would need to recharter. And so I'm expecting those
conversations to begin probably this fall or late this summer. And I'm not
sure did somebody's hand go up?

Harrison Tang: Joe, do you still have a question?

Joe Andrieu: I do I had thought Brent that the last time we talked about
whether or…

Joe Andrieu: not render method and confidence method could be separate
because of the language in the charter we were advised that we can't do
that. Has there been a new advice on that new guidance?

Brent Zundel: t know I think that this is just my opinion as chair of the
group and…

Brent Zundel: my understanding of the process.

Brent Zundel: I really think we would be fine bringing those two things
without a recharter because nobody cared that we broke for example under
our previous charter we didn't mention what's blanking on the spec we have
too many specs the one that we did that was the superset of DIDs the
controlled identifiers yes thank you that for example that spec was not
mentioned as part of our previous charter at all.
00:20:00

Manu Sporny: said control that

Brent Zundel: It wasn't technically in scope listed as the things but it
was originally part of the VC data model and then it was part of the
securing mechanisms and so we coalesced that out into its own recommendation
and nobody was like hey your charter didn't specifically say you were going
to do controlled identifiers.

Brent Zundel: So I think we would be okay the same way we were okay, but I
think if we tried to push beyond that, people would be like, hey So that's
kind of the line that I'm seeing, but again, I'm happy to I mean, the group
is going to have to make those determinations. I don't make those decisions.

Joe Andrieu: Cool. Thanks, Brent.

Brent Zundel: Whether to try for it without rechartering or whether there's
enough in addition to confidence method and render method that would
justify a recharter. and so let's just mention them all in the new charter.
That's something the group's going to have to come to a determination on.
But my opinion is I think we'd be okay. any other questions or comments?
Any other conversations people want to have? I really expected these slides
to take longer to go through, but apparently I'm a little nervous.

Harrison Tang: Autumns.

Brent Zundel: Manu, what's up?

Manu Sporny: Hey, hey, Brent. Plus one to everything that you said. I think
that's the correct read of the current charter. And so that's good. As you
know, we've been incubating other things in the CCG that are definitely not
in the charter. So some of the stuff's in the charter and we is covered by
the charter at least our expectation of the interpretation of the current
charter meaning confidence and render method. And then there are other
things that are totally not covered right that I think all of us believe we
would need a recharter to do.

Manu Sporny: Plus one to the group taking a bit of a break as you mentioned
it was a lot of work and I think that it is good to let the group kind of
relax a bit before going into the next kind of branch of work which seems
to be confidence method and render method which is good I think that is
very much aligned with expectations. I would like to just glance over what
some of these other work items might be and, the type of things we would
need to potentially do to get those onto a standards track and maybe even
get some feedback from, the group on how those conversations might go at
the end of the summer.

Manu Sporny: But I don't want to derail things. If there are other things
that folks would like to talk about that would be good. But I thought while
we are talking about the future of the VCWG maybe we could bring up these
other other work items to get folks thoughts on them.

Brent Zundel: I'm happy for the conversation to go in that direction,…

Manu Sporny: That's it.

Brent Zundel: but also happy to queue up other questions or comments people
have to make sure we get them covered. So if anybody else has something
else they want to talk about, we can agenda bash a little bit here and make
sure keep time for other things.

Brent Zundel: What's up, Joe?

Joe Andrieu: Yeah, I think one of the things we might want to do I don't
think it reads on the charter at all,…

Joe Andrieu: but just in terms of what are we going to do in this
maintenance mode is potentially a threat model for verifiable credentials.
I've been working with Simone over in the security group and they are
ultimately going to be asking any new specification to develop that and we
have some hooks into the DID resolution work where we talked about
architecture. That seems like the right place to start that work with DIDs
and…

Joe Andrieu: I think in the fullness of time we should figure out how to
get some of our attention on doing threat modeling for VCs.

Brent Zundel: Yeah, totally agree.

Brent Zundel: That's one of those things that had the security group been
able to, get organized a year before they did, we definitely would have
made sure that was done before we finished up. It was just a matter of
timing. We didn't even get the security review until we were in proposed
Rec. So yeah totally agree with that as a thing to work on it. Yes.

Manu Sporny: Yeah, plus one did that as well. I mean, part of their
security review was kind of like we would like you to rewrite the security
consideration section. And I think our response to that was exactly what
would you like it to look like? So, I think there's a really good
opportunity for us to work on that with the security group. Of course that
will throw us once again into being guinea pig through a new process at W3C
which we are now expert at.
00:25:00

Manu Sporny: A plus one that work I think it would be really worthwhile to
because I think it's really fertile ground meaning that the type of
thinking that this community and the VCWG has been doing over the past five
plus whatever 10 plus years however long it's been now it lends itself well
to the type of threat modeling that Simone and the rest of the security
group, really want groups to be doing. And I think we can hopefully provide
a really good example that potentially other working groups could follow in
doing that work and…

Manu Sporny: and we have lots of time to do it like it, until 2026. Not
that I hope it takes that whole amount of time. That's it.

Brent Zundel: All right.

Brent Zundel: So, I'm going to switch over to the issue 250 so we can go
through these additional work items that could be promoted to VC working
group just so folks haven't been nined and are aware of what all that work
is. I also want to save a few minutes so that we can talk about the meeting
that's coming up in Geneva. just so folks are aware of what that is and
some of the conversations that'll be had there so that those of us who are
heading to that can make sure and try to represent the views of those who
aren't able to attend and make sure that the conversations had that need to
be had.

Brent Zundel: So here, if I got it right, is the 2025 work item promotions.
So I read through this and thought this is This is a huge amount of
potential work. And also part of me was like, no, we're not ready to do a
huge amount of work again. So like we said the render method and the
confidence method we would be able to bring in no problem. I honestly like
credential refresh might even be able to technically be able to fit
somewhere in there because we do have that extension point or we've had
that extension point in the past so that wouldn't be as big of a stretch.

Brent Zundel: But some of these others, particularly the VC API would
definitely require a recharter…

Brent Zundel: because our charter currently says we will not do any APIs
and so we'd have to take out that line. Joe, what's up?

Joe Andrieu: Yeah,…

Joe Andrieu: some of those links are 404ing. just a heads up,…

Joe Andrieu: I try to click through the confidence method, so I'm not sure…

Manu Sporny: That's my bad.

Joe Andrieu: how to fix it.

Manu Sporny: I just renamed that two days ago.

Joe Andrieu: Okay.

Brent Zundel: Okay, thanks for the heads up,…

Brent Zundel: So I would love it if could we take two minutes for each of
these and give a little what is verifiable credential barcodes for example?
jump up and go ahead.

Manu Sporny: Yes, I'm happy to run through those.

Manu Sporny: And Brent, let me know how you want me to go through them. I
can just do a quick blurb break.

Brent Zundel: Yeah, just do a little time just a couple minutes tops for
each just so that folks are like,…

Brent Zundel: That's cool." We can get people excited about finishing them
up and moving them over.

Manu Sporny:

Manu Sporny: Sure thing. So, verifiable credential barcodes is a kind of
what it sounds like, it's taking a verifiable credential and then
converting it into a barcode that can be printed out on a piece of paper.
The reason that's important so onto the back of a physical driver's license
or onto a birth certificate or onto a shipping container or onto a vehicle.
These are all use cases that are in pilot or going out to verifiable
credential barcodes by the end of the summer will be in production on the
back of driver's licenses in the United States to the tune of several tens
of millions of people.

Manu Sporny: So this is an example of we're a little late getting it into
the standardization process because it is going to go out in production
before we even are able to kind of recharter but that's good because the
spec is much more mature than what we would normally have it at before we
move it into the VCWG. And then it also depends on the CBOR-LD stuff
with which the JSON LD working group is working on. So what this allows you
to do is allows you to take the digital version of verifiable credential
put it into a barcode and then put it on a physical thing and that has been
one of the use cases that people seem to be interested in.
00:30:00

Manu Sporny: Next one. The rendering method is has to do with if you as an
issuer want your credential to look a very specific way or you want to be
able to again print your credential on a print to PDF. That is one of the
things that the verifiable credential rendering method does. That
specification currently has three different broad strategies on doing it.
One of those mechanisms is in production in Singapore and the Pacific
region. How to render a education certificate or how to display a diploma
or how to display a trade document or how to display a driver's license or
an employee ID card.

Manu Sporny: If you want certain graphics and colors and things like that
to show up on it, that's what the rendering method thing is about. The
quantum safe crypto suites is so when we did the data integrity work in the
verifiable credential working group we use traditional cryptography that
was approved by national institute of standards and a lot of other nation
state cryptography groups but the post-quantum stuff was new enough where it
wasn't really in the charter and so this is just a set of data integrity
suites that support the post-quantum signature schemes and selective
disclosure for post-quantum and stuff like that.

Manu Sporny: They're fairly mechanical updates but it's important work that
needs to be done before the switch over which is the year 2030 so in 5
years and then the mandatory switch over suggested is 2035 where we have to
be completely off of elliptic curve cryptography. Verifiable credential API
is about credential life cycle management, not just delivery which is what
OpenID4, OID4VCI and OID4VP, is about delivering credentials from a
wallet to a system. The VC API is more broad than that.

Manu Sporny: It deals with credential life cycle management: how do you
mechanically issue a credential? How do you change the state of that the
status from issued to revoked? What are the APIs you use to do that? It's
inclusive of OID4 so you can run OID4 over the VC API. But it's about life
cycle management. And it's about the issuance of not only these verifiable
credentials but the QR code version of them and other things of that
nature. The next one, verifiable presentation request, is just the query
language that can be used with VC API. There's also options of presentation
exchange or DCQL or other things like that.

Manu Sporny: Verifiable issuers and verifiers are around how does an entity
such as a nation state publish all of the entities that should issue
their driver's licenses or education certificates or things of that nature.
So that's about how do you know who the issuers of a certain type of
credential should be and how do you know who the verifiers of a certain
type of credential should be? Again, it's an in thing. It's not like, a
mandatory you have to use this, but that's work that David and Isaac have
been doing for a number of years now.

Manu Sporny: Verifiable credentials over wireless is just how do you take a
verifiable credential and how do you move it over NFC or Bluetooth. So this
has come up in some of the first responder use cases where you might have
no network connectivity and you need to be able to transmit this stuff. It
also has to do with some of the transit pass use cases where you might
have a digital version of your transit or metro pass. But the NFC mechanism
they use is super old. And you need to be able to tap into those old style
kiosks using some of these newer credentials. So that's what the verifiable
credential over wireless is just transmitting it wirelessly instead of
optically like the QR code.
00:35:00

Manu Sporny: Confidence method is how do you raise your confidence that the
person presenting this credential is in fact the same entity or related to
the same entity that the issuer saw. So think of when you get your driver's
license, you go in, you take the test, you meet someone face to face
typically and then you get your driver's license issued to you. And so when
you go away and you use that driver's license elsewhere, people usually use
your picture to figure out if you're the same person. But we want more
privacy preserving mechanisms.

Manu Sporny: And so a cryptographic key could be one such mechanism that a
verifier could use to know that the same person that picked up the driver's
license at the DMV is now effectively the same person in front of me
because they're proving that they have the same cryptographic key material
that they used when they picked it up for example. So that's confidence
method. We can also do pictures there.

Manu Sporny: There's some biometric portions that we could say one way you
could raise the confidence that the subject is here's a picture of them
right so that's confidence method. And then credential refresh is one of
things as a number of us are deploying this stuff in production we're
finding out is that issuers have taken a pretty careful approach like
they're like what? We're going to issue credentials, but we're only going
to issue them for 30 days at a time because this is new technology and
we're concerned that if we issue something for 3 years and something bad
happens that we won't be able to claw it back. Meaning they haven't quite
figured out how to use the status list stuff yet and they just want to
issue things like 30 days at a time.

Manu Sporny: But that's all that ends up being kind of a pain to people and
so meaning it's kind of a bummer when you open your app up and all of your
credentials have expired because you haven't used them in 30 days. So
credential refresh is a way of giving the wallet a way of just
automatically refreshing the credential when it comes close to expiring. So
you're never in a situation where you open up your wallet, your credentials
are expired, and you have no network connection, right? And so you can't
even do an NFC tap to verify with it. Okay, that's a high level on kind of
everything we're working on right now. Hopefully that was okay.

Brent Zundel: Yeah, thank you, That was great.

Brent Zundel: Hey, Harrison.

Harrison Tang: Yeah, Manu, can you clarify again what's the difference
between VC API and…

Harrison Tang: verifiable presentation requests because shouldn't
verifiable presentation request just be part of the VC life cycle management?

Manu Sporny: That is an excellent point, Harrison, and we are currently
discussing whether or not we should just merge the two. I think one of the
things we're kind of seeing, especially, the number of us are implementing
OID4 VP and OID4 VCI and there is now this switch from presentation
exchange to the new DCQL stuff. And some of us are implementing the DCQL
stuff. And the concern here is just like we're still kind of trying to
figure out the query languages here. And we're concerned that by strongly
binding the query languages or the credential formats to the protocols that
we may be doing it prematurely. So that's why we have it separate.

Manu Sporny: We're trying to force ourselves to design it in a way where
maybe verifiable presentation request goes away in time. Maybe it's
replaced by DCQL, maybe something else better comes along in two years.
But we're trying to get the layers of abstraction right so that the query
language can be somewhat separable from the underlying protocol.

Harrison Tang: All right.

Manu Sporny: So, I think that's the theory. I don't know if it's really
working out in practice, but that's why it's separate for now.
00:40:00

Harrison Tang: Thank you.

Brent Zundel: I had a question,…

Brent Zundel: Can you outline the key differences between the VC API, which
is a work item of the CCG, and the digital credentials API, which is a work
item of the Fed ID working group?

Manu Sporny: Yes, excellent question. So the digital credentials API is a
browser-based API, meaning that the digital credential API that's being
worked on at W3C is meant to be implemented in the browser. So, Apple's
working on it, Google's working on it, Samsung, I'm sure it's going to be in
there. And what it does is it is a mechanism that will route requests for
credentials in theory in any format over any protocol. So that DC API is
really trying to be protocol and data format agnostic.

Manu Sporny: They're just kind of like, if a website asks for a credential,
the DC API, the browser, will get that request over to the wallet, whatever
wallet can answer it, right? And it is trying to stay out of the way from a
protocol and data format perspective. It's trying to be agnostic to that. So
the DC API lists, like, these are all the protocols that you can speak over
DC API, and in theory there's going to be more than one of them. OpenID,
OID4, is one of the ones that's being focused on now. The presumption is VC
API could be, and anyone else in the world, any other standards group in the
world, can come up with their own kind of credential protocol if they want
to and register it in this protocol registry in DC API.

Manu Sporny: So DC API browser only and it is supposed to delegate the nuts
and bolts of the protocol to other specifications. At least that's my
understanding of it where it is today.

Brent Zundel: and the VC API would fit within that.

Manu Sporny: Yes. It would. Yeah. Sorry.

Brent Zundel: Hey, Harrison.

Harrison Tang: Yeah, by the way,…

Harrison Tang: You're correct. And I would just like to add that BC API is
also going to work on support for wallets in this case Apple wallet and
Google wallet. So you'll go outside the browsers they will also work with
other than that…

Harrison Tang: what Manu said is all correct. It's kind of like a wrapper.
It's basically protocol agnostic.

Brent Zundel: Yeah, thank you for clarifying that.

Brent Zundel: I just know that, when the time comes that VC API gets listed
in the charter, everybody who is familiar with DC API is going to go, "Wait
a minute, what's the difference here?" And we're going to have to be able
to readily answer that question and should plan on doing that when we reach
harder.

Manu Sporny: Yes, plus one to that, Brent. I mean, it's like, we named this
thing three years ago and it's confusingly named now. So I think that, let's
see, we've got to come up with a picture to explain all this, but there are
even two parts of VC API. There's kind of the back office parts of VC API and
that wholly has to do with preventing vendor lock within an organization.

Manu Sporny: So let's say a DMV or the US federal government or someone
decides that they want to utilize these technologies and they want to go
out and buy this stuff from a technology from a vendor. All the life cycle
management that their internal systems have to do, issuing, verifying a
credential, changing the revocation status of it or any other types of
statuses, those are wholly outside

Manu Sporny: of actually delivering that credential to a person or another
organization. That's just like back office management stuff and covers a
good chunk of that. VC API also covers kind of delivery, what the OID4 stuff
does, but in a different way, in a way that allows you to chain things
together more, and that's kind of the stuff that we're using in the retail
sector for retail sales. So digital receipts and loyalty cards and payment
instruments and all that kind of back and forth communication, we're using
VC API for in the retail sector.
00:45:00

Manu Sporny: And on top of that, and this is where it gets really confusing,
VCA we also implement OID4 over VC API, meaning that VC API is agnostic
enough to run other protocols within its structure. So, we have VC API
implementations that do all of the back office stuff, but they also do the
credential delivery stuff through OID4 VCI and OID4 VP. And all of the
delivery stuff can work with the DC API. Again, in theory, we have to
actually demonstrate that it has that flexibility. So VC API does,

Manu Sporny: more things than just delivery. And we're going to have to
figure out a way of very clearly communicating like it totally doesn't do
what DC API does. It does management stuff that OID4 doesn't do,…

Brent Zundel: Philippe

Manu Sporny: but it also does OID4 stuff. And I think that's the thing
that's really confusing to everyone. Plus one figuring out how to explain

Philippe Le Hégaret: I had a completely unrelated question. You list
barcode in terms of specs ready for promotions. But you don't list anything
about QR codes. What's happening with that?

Manu Sporny: Yeah, a QR code is a type of barcode, and in the barcoding
industry, I wish Phil Archer was here from GS1. So a QR code is what is
called a 2D barcode, and we tried to be generic and just say this is about
barcodes. But it's about PDF417 barcodes. It's about MRZ data, which is what
you find on your passport, which weirdly enough is called a barcode even
though it consists of machine readable letters. The matrix codes, there are
20 different types of barcode formats and this is meant to be generic. It can
be encoded in many of those types of barcode formats including codes.

Brent Zundel: All right.

Philippe Le Hégaret: Thank you for the clarification.

Philippe Le Hégaret: I'm learning something every day.

Brent Zundel: So, I'm happy to take any other questions that folks have and
hang out, but I also love ending meetings early. So, turning things back
over to Harrison. You're in charge, …

Harrison Tang: Any other question? Mahmoud, did your earlier question get
answered?

Mahmoud Alkhraishi: Yes, I'm great.

Harrison Tang: Any other questions?

Manu Sporny: Brent, there was something you said you wanted to cover, and I
don't know…

Brent Zundel: right right.

Manu Sporny: if we did that.

Brent Zundel: I completely forgot my own agenda item. So early in July, I
believe it's the second and third of July, there is a meeting, I believe
hosted by the Open Wallet Foundation in conjunction with W3C and other
SDOs, to talk about the state of wallets and credentials in those wallets.
I am planning to attend that meeting so that I can talk about VC data
model. I know that folks from OIDF are going to be there and folks from
IETF are going to be there and so a whole bunch of people are going to be
getting together. And Julie, I'd love if you give a little bit more color
into what the meeting is going to be all about.

Philippe Le Hégaret: So the meeting is organized by the Swiss government
and the Open Wallet Foundation has been the main tractor and bringing
things together on that. It involves 20 to 30 different organizations and
W3C is only one of those 20 to 30. By the way, Open ID is also involved. We
from ITU. We have several governments involved. The goal was to put the
entire industry around the same table because there are so many efforts
happening in parallel in several organizations that it's really hard for
outsiders to find their ways into that sea of efforts being done.

Philippe Le Hégaret: from our We get a request every two or three weeks to
go and present the work around digital identity from outside organizations.
It's a little bit crazy. One of the advantages of this conference is a lot
of the governments are going to be there. So we don't have to repeat
ourselves 10 different types of times. As such it's seen as a neutral ground
as we're not here to say that this protocol or this format or this API is
the best and all of the alternatives are not, but we have four sessions
organized by people are by the team and with some help of some of you.
00:50:00

Philippe Le Hégaret: Pierre-Antoine is going to do a 30-minute session on
what's new with verifiable credentials with a recent release of VC 2.0. We
thought it was appropriate to do a little session to, if people are
interested, to be brought up to speed on what's new with VC. Then Simone is
going, he's doing two sessions on the stress models, threat modeling. So Joe
mentioned earlier the threat modeling and thing I could say on that, another
reason why it's very important for W3C to look that is because of The

Philippe Le Hégaret: resilience act happening in Europe and the need to
make sure that cyber security is done right. And so we expect that to be a
major shift in the software industry in the upcoming years since it's
shifting the responsibility for security bugs to the company shifting the
software, similar to what was done in the automotive industry. And while as
a standards organization we're not directly impacted by that, we expect a lot
of our members to be impacted by those legislations. So that's also another
motivation for moving forward the work on threat modeling as a whole. And
then the last session is organized around the digital credential API which
is a browser API.

Philippe Le Hégaret: A lot of organizations are looking at this API because
they're all going to want to exchange digital identity on the web and this
API is going to be one of the major ways to do that, to talk with the digital
wallets installed on the devices of people as such. So we thought we should
organize a session on where we are at with that and listen to governments
and other organizations on what they think that API ought to be. So the
conference, the first day is a plenary session, set of plenaries. The program
has already been published on various platforms.

Philippe Le Hégaret: The second day is similar to the TPAC breakouts where
it's a lot of sessions in parallel and that agenda hasn't been published
quite yet and unfortunately I was not able to participate in the core
organizer call earlier today. So I don't have the latest news on that front
but I know that there is a website…

Philippe Le Hégaret: which is going to be put up to plate if not already
the case as well. I'll stop there. So sorry, I said…

Brent Zundel: Thank you,…

Brent Zundel: That was great. so with all of that flood of information, is
there something that folks from CCG want to make sure those of us attending
keep in mind? And Philippe, you've got your hand up.

Philippe Le Hégaret: what I wanted to say so I should lower my hand.

Manu Sporny: I do think it's difficult to kind of understand what's going
to happen at the event. Meaning it's a lot of organizations and it's a
lot of really big organizations and I don't know, I mean, I think it's really
great that this is being identified as a big part of societal change and
everyone needs to get together and build systems that meet the challenges
here. But I think, Brent, it's really hard to kind of provide

Brent Zundel: Yeah.

Manu Sporny: what do we want to convey here when it's kind of like we don't
really know what to expect. And so I would imagine it's just kind of like
sit and listen and figure out how we can be a part of the conversation
and contribute positively and that sort of thing. I mean, maybe let
people know that there is, and I'm sure this is like you already know this
and so does Philippe, we just want to convey, hey, there is active work going
on here and we would really like more participation from broader
communities always, and so please join us, right? I mean, it doesn't have to
end at the July event, like there's
00:55:00

Manu Sporny: ongoing work. Rechartering. We're talking about threat
modeling. We want this to be a net positive benefit to society.

Brent Zundel: I'm going to try

Manu Sporny: So, please join us if you are interested in contributing,
which I'm sure you were all already going to do, Brent. That's it.

Joe Andrieu: Plus one to…

Joe Andrieu: what Manu just said. I think who knows what the real pivot
points of the conversation are going to be. One thing that I've noticed in
conversations both with the DC API folks and with some of the folks with
more of a European context that's different from what I think we've done
that's important is democratizing the issuance of verifiable credentials.
We've done a lot to really make sure that the specification works if
everyone on the planet is issuing credentials as a normal course of
operations. A parent issuing a VC as a doctor's note to the school about
why their kid was out yesterday. And I think a lot of the infrastructure
players are thinking about it in terms of how do we enable driver's license
issued by the state. And so that leads to different trade-offs.

Joe Andrieu: So I just want to make sure we point out that distinction and
that there's an aspiration here to democratize issuance and that we would
like to see some attention to alignment with that. I mean,…

Brent Zundel: Yeah, that's a good man.

Joe Andrieu: I'm going to be there, but I just want to raise that as one of
our possible issues.

Brent Zundel: I'm looking forward to Geneva even more now. I get a hand.
Joe, I think Manu, you got your hand up.

Manu Sporny: Yeah, plus one to what Joe said. I think that there are a
number of things that we're a little concerned about. I mean, plus one for
there being government wallets and them doing governmenty things but not at
the expense of there being kind of an open market and open kind of
competition for digital wallets and things like that. I think that there
are some dangers there around government tracking of credential usage, for
example, things that we have been very aware of but don't seem to be a part
of the discussion when governments are saying they're going to do
government-based wallets.

Manu Sporny: Most recent example being, the UK announced that they're going
to support W3C verifiable credentials and MDOC and SDH and all those
things. But they were like, but for the government credentials, we're going
to have a government wallet. So all the government agencies should issue
into our wallet.

Manu Sporny: And the danger there is all right, pervasive tracking. How are
you proving that it's not phoning home? That sort of thing. That's it.

Brent Zundel: Yeah, I think I and…

Brent Zundel: I really think making sure that the threat modeling
conversation touches those points is going to be key.

Philippe Le Hégaret: Yes,…

Philippe Le Hégaret: if I may add to that in terms of things that are very
important for you see at this conference and keep in mind we committed this
year, it doesn't mean that we go back. Because it's organized unconference
style. The fact that we're not quite sure what's going to happen is we're
the same situation as well. But privacy has been, so Seth Dobbs, the CEO of
W3C, took part in a panel organized by the open wed foundation on the side of the
Davos conference back in January. That's where this idea of doing this
Geneva conference came from and Seth was the only one who mentioned privacy
during that panel and that kind of raised some alarms in our mind.

Philippe Le Hégaret: We see a lot of government going into that space and
they're rushing into it and we're kind of like, hold on, do you realize what
you're doing in terms and deploying that on the web as well? You could be
creating a surveillance states from facilitating the work of all of those
scammers all around the world as well on that. So the threat modeling is
very important for us. That's why we're doing a dedicated session to that
and Simone is going to be there. He's the one organizing it. You're welcome
to reach out to him if you want to participate and in the organization of
the session. By the way, Tara Whalen, the privacy lead, is also going to be
there.

Brent Zundel: Hey, Kaliya.

Philippe Le Hégaret: As well, we are very afraid of what's going to happen
on private related to privacy and the web.
01:00:00

Kaliya Identity Woman: Hi there. I of course agree with all the concerns
about privacy. On the other hand, I think those of us who are working in
the space need to run faster, communicate better because there are bigger
threats than those things. Someone just sent to me the cover of Time
magazine this week is World's Orb and we can quote unquote be more
cautious. I think we have been cautious and we need to figure out how we
communicate better about what we are doing to solve the problems that are
surfacing around AI and humanness and stuff.

Brent Zundel: Amen Yeah,…

Harrison Tang: All Any other questions or comments? All right. Thank you.
Thanks, Brent for leading a great conversation and thanks everyone for
adding your comments. This is definitely an interesting discussion.

Brent Zundel: It's good to be here.

Harrison Tang: All right, we're at time.

Brent Zundel: Thanks everybody.

Harrison Tang: So this concludes this week's CCG meeting. Thanks a lot.
Meeting ended after 01:01:57 👋

*This editable transcript was computer generated and might contain errors.
People can also change the text after it was created.*

Received on Tuesday, 27 May 2025 22:05:42 UTC