Re: Call for Consensus: FPWD of Digital Credentials API spec from Johann Hofmann on 2025-06-14 (public-fedid-wg@w3.org from June 2025)

From: Johann Hofmann <johannhof@google.com>
Date: Fri, 13 Jun 2025 20:00:44 -0400
To: Simone Onofri <simone@w3.org>
Cc: Heather Flanagan <hlf@sphericalcowconsulting.com>, public-fedid-wg@w3.org, Wendy Seltzer <wendy@seltzer.org>
Message-ID: <CAD_OO4g2vk6uGJ+grVMQHP0MKMBg0mD-G+hQ9O3eEiJ5RW+f1w@mail.gmail.com>
Hi folks,

I’ve been working on documenting privacy considerations for the Digital
Credentials API to resolve the lack of consensus for FPWD. Simone Onofri is
also making progress working on the security considerations.

Given the time pressure that the group is operating under to align with
publication deadlines for the EUDI ARF, I met with Nick Doty to discuss a
pragmatic path to consensus within the month that nonetheless sets the API
up for constructive privacy reviews and improvements going forward.

First off, we see various mid- to long-term investigation areas for the
API, particularly in Privacy, including:


   -

   Informed explanations - How can we ensure verifiers / wallets / user
   agents can and will show the right disclosures to users?
   -

   Use case limitations
   -

      Better addressing use case limits for government credentials
      -

      Explore how this applies to non-government credentials
      -

      Work on a .well-known declaration file proposal
      -

      Integration of EUDI style access certificates
      -

   Abuse reporting


… and, while it’s important to recognize they are not addressable in the
short term, we would like to see the group start addressing these questions
in the near future.

For FPWD, we believe that our main objective should be that the publication
includes enough context for group-external reviewers to understand
identified risks, issues and design tradeoffs made. To ensure this, we’d
like to propose three small scoped final deliverables:


   1.

   Crucially - the design of the API as a “thin layer” seems to originate
   from a desire to compete with the flexibility offered by, and prevent
   immediate adoption of, worse solutions
   <https://github.com/w3c-fedid/digital-credentials/blob/main/custom-schemes.md>.
   This context is important as it justifies some of the fundamental design
   choices that result in inherent privacy tradeoffs, and as such we should
   make sure it gets properly documented in the specification. Between Rick’s
   and Simone’s documents
   <https://docs.google.com/document/d/1Ppaz_EnhzHqPOz5UusRJvbSunh-RXPWgJ3Np_TM2EE0/edit?tab=t.0>
   I believe there is good material that we can quickly adapt for the spec (
   #275 <https://github.com/w3c-fedid/digital-credentials/issues/275>).
   2.

   Existing privacy & security concerns that were flagged in GitHub issues
   should be called out inline in the spec. This involves reviewing both
   existing text and the PRs that are currently in flight, and making sure
   they refer back to the right GitHub issues.
   3.

   In our June 16th call, we would like to discuss an unresolved question
   of permission vs. consent
   <https://github.com/w3c-fedid/digital-credentials/pull/253#discussion_r2132917483>
   and whether the group considers it appropriate and enough to codify a
   requirement for protocols that verifiers and wallets must be able to share
   relevant information for consent.



While I’m not in charge of consensus calls, my recommendation to the chairs
would be to start another CfC once these things have happened, which could
be next week if we crunch a bit. :)

I’m happy to discuss this at our WG call on Monday, and I’m very happy to
get thoughts from y’all on this proposed plan.

Thanks,

Johann


On Tue, May 27, 2025 at 7:15 PM Simone Onofri <simone@w3.org> wrote:

>
>
> > Le 27 mai 2025 à 15:44, Heather Flanagan <hlf@sphericalcowconsulting.com>
> a écrit :
> >
> > Hearing strong objections to publication of the FPWD at this stage, this
> call does not have consensus. Thanks to both of you for documenting your
> concerns and helping the group to work through them. We also recognize the
> interest in timely publication. Addressing the Formal Objection introduces
> additional complexity to the DC API spec. However, given the importance of
> resolving this and the urgency of progressing the specification, we are
> proposing the following approach:
> >   We will reach out to Johann and Nick, who have volunteered to work on
> text for the privacy considerations section, to determine what they
> consider a reasonable timeframe for drafting proposed text to address the
> concerns raised, ideally within the next four weeks. Once the draft text is
> available, we will ask the editors to review and respond within one week.
> > Provided there are no outstanding concerns at that point, we will
> re-issue a Call for Consensus (CfC) to publish the First Public Working
> Draft (FPWD), incorporating the updated material.
> >   In the meantime, there is still plenty of work to do. If you ware
> interested in working on the security and privacy sections, please dive in!
>
> Hi Heather, all,
>
> With the Security Interest Group, we are actively working on the security
> aspect so that we can discuss it with the group. If anyone would like to
> join us, please feel free to contact me.
>
> We’re synching with Johann about it.
>
> Thank you,
>
> Simone
>
> >
> > Heather Flanagan (she/hers)
> > Principal, Spherical Cow Consulting
> >  hlf@sphericalcowconsulting.com
> >  sphericalcowconsulting.com
> >
> > On May 12, 2025 at 1:15 PM -0700, Wendy Seltzer <wendy@seltzer.org>,
> wrote:
> >> Hi FedID WG,
> >>
> >> Following our WG hybrid meeting[1] and further issue resolution, we're
> >> calling for a consensus to publish the editor's draft dated 5 May [2],
> >> https://w3c-fedid.github.io/digital-credentials/
> >> as First Public Working Draft of the Digital Credentials API. FPWD does
> >> not mean all issues are resolved, but gives us a stable reference from
> >> which to engage with outside groups for horizontal review.
> >>
> >> If we hear no objections by 19 May, one week from today, we will take
> >> that as consensus to publish the FPWD.
> >>
> >> We also propose that once the FPWD is published, we will enable
> >> auto-publication of Editors' Drafts.
> >>
> >> Please raise any questions or comments on this CfC by 19 May.
> >>
> >> Thank you,
> >> --Wendy, FedID co-chair
> >>
> >> [1]
> >>
> https://github.com/w3c-fedid/meetings/blob/main/2025/2025-04-11-hybrid-notes.md
> >>
> >> [2]
> >>
> https://github.com/w3c-fedid/digital-credentials/blob/1544b64f0f7231373bfa6991dab3806f5e3cec36/index.html
> >>
> >>
> >> --
> >> Wendy Seltzer -- wendy@seltzer.org +1 617.863.0613 <(617)%20863-0613>
> >> https://wendy.seltzer.org/
> >>
> >>
>
>
>
Received on Saturday, 14 June 2025 00:01:01 UTC