- From: Rick Byers <rbyers@google.com>
- Date: Fri, 13 Jun 2025 20:08:20 -0400
- To: Johann Hofmann <johannhof@google.com>
- Cc: Simone Onofri <simone@w3.org>, Heather Flanagan <hlf@sphericalcowconsulting.com>, public-fedid-wg@w3.org, Wendy Seltzer <wendy@seltzer.org>
- Message-ID: <CAFUtAY_4rSHUr4C9Dk7xhH1bwJ3E3ZdW+HUfR39ONu80UgXQOw@mail.gmail.com>
Thank you Johann. This plan sounds great to me.

On Fri, Jun 13, 2025 at 8:01 PM Johann Hofmann <johannhof@google.com> wrote:

> Hi folks,
>
> I’ve been working on documenting privacy considerations for the Digital Credentials API to resolve the lack of consensus for FPWD. Simone Onofri is also making progress working on the security considerations.
>
> Given the time pressure that the group is operating under to align with publication deadlines for the EUDI ARF, I met with Nick Doty to discuss a pragmatic path to consensus within the month that nonetheless sets the API up for constructive privacy reviews and improvements going forward.
>
> First off, we see various mid- to long-term investigation areas for the API, particularly in Privacy, including:
>
> - Informed explanations - How can we ensure verifiers / wallets / user agents can and will show the right disclosures to users?
> - Use case limitations
> - Better addressing use case limits for government credentials
> - Explore how this applies to non-government credentials
> - Work on a .well-known declaration file proposal
> - Integration of EUDI style access certificates
> - Abuse reporting
>
> … and, while it’s important to recognize they are not addressable in the short term, we would like to see the group start addressing these questions in the near future.
>
> For FPWD, we believe that our main objective should be that the publication includes enough context for group-external reviewers to understand identified risks, issues and design tradeoffs made. To ensure this, we’d like to propose three small scoped final deliverables:
>
> 1. Crucially - the design of the API as a “thin layer” seems to originate from a desire to compete with the flexibility offered by, and prevent immediate adoption of, worse solutions <https://github.com/w3c-fedid/digital-credentials/blob/main/custom-schemes.md>. This context is important as it justifies some of the fundamental design choices that result in inherent privacy tradeoffs, and as such we should make sure it gets properly documented in the specification. Between Rick’s and Simone’s documents <https://docs.google.com/document/d/1Ppaz_EnhzHqPOz5UusRJvbSunh-RXPWgJ3Np_TM2EE0/edit?tab=t.0> I believe there is good material that we can quickly adapt for the spec (#275 <https://github.com/w3c-fedid/digital-credentials/issues/275>).
> 2. Existing privacy & security concerns that were flagged in GitHub issues should be called out inline in the spec. This involves reviewing both existing text and the PRs that are currently in flight, and making sure they refer back to the right GitHub issues.
> 3. In our June 16th call, we would like to discuss an unresolved question of permission vs. consent <https://github.com/w3c-fedid/digital-credentials/pull/253#discussion_r2132917483> and whether the group considers it appropriate and enough to codify a requirement for protocols that verifiers and wallets must be able to share relevant information for consent.
>
> While I’m not in charge of consensus calls, my recommendation to the chairs would be to start another CfC once these things have happened, which could be next week if we crunch a bit. :)
>
> I’m happy to discuss this at our WG call on Monday, and I’m very happy to get thoughts from y’all on this proposed plan.
>
> Thanks,
>
> Johann
>
> On Tue, May 27, 2025 at 7:15 PM Simone Onofri <simone@w3.org> wrote:
>
>> > On 27 May 2025 at 15:44, Heather Flanagan <hlf@sphericalcowconsulting.com> wrote:
>> >
>> > Hearing strong objections to publication of the FPWD at this stage, this call does not have consensus. Thanks to both of you for documenting your concerns and helping the group to work through them. We also recognize the interest in timely publication. Addressing the Formal Objection introduces additional complexity to the DC API spec. However, given the importance of resolving this and the urgency of progressing the specification, we are proposing the following approach:
>> > We will reach out to Johann and Nick, who have volunteered to work on text for the privacy considerations section, to determine what they consider a reasonable timeframe for drafting proposed text to address the concerns raised, ideally within the next four weeks. Once the draft text is available, we will ask the editors to review and respond within one week.
>> > Provided there are no outstanding concerns at that point, we will re-issue a Call for Consensus (CfC) to publish the First Public Working Draft (FPWD), incorporating the updated material.
>> > In the meantime, there is still plenty of work to do. If you are interested in working on the security and privacy sections, please dive in!
>>
>> Hi Heather, all,
>>
>> With the Security Interest Group, we are actively working on the security aspect so that we can discuss it with the group. If anyone would like to join us, please feel free to contact me.
>>
>> We’re synching with Johann about it.
>>
>> Thank you,
>>
>> Simone
>>
>> >
>> > Heather Flanagan (she/hers)
>> > Principal, Spherical Cow Consulting
>> > hlf@sphericalcowconsulting.com
>> > sphericalcowconsulting.com
>> >
>> > On May 12, 2025 at 1:15 PM -0700, Wendy Seltzer <wendy@seltzer.org>, wrote:
>> >> Hi FedID WG,
>> >>
>> >> Following our WG hybrid meeting[1] and further issue resolution, we're calling for a consensus to publish the editor's draft dated 5 May [2], https://w3c-fedid.github.io/digital-credentials/ as First Public Working Draft of the Digital Credentials API. FPWD does not mean all issues are resolved, but gives us a stable reference from which to engage with outside groups for horizontal review.
>> >>
>> >> If we hear no objections by 19 May, one week from today, we will take that as consensus to publish the FPWD.
>> >>
>> >> We also propose that once the FPWD is published, we will enable auto-publication of Editors' Drafts.
>> >>
>> >> Please raise any questions or comments on this CfC by 19 May.
>> >>
>> >> Thank you,
>> >> --Wendy, FedID co-chair
>> >>
>> >> [1] https://github.com/w3c-fedid/meetings/blob/main/2025/2025-04-11-hybrid-notes.md
>> >>
>> >> [2] https://github.com/w3c-fedid/digital-credentials/blob/1544b64f0f7231373bfa6991dab3806f5e3cec36/index.html
>> >>
>> >> --
>> >> Wendy Seltzer -- wendy@seltzer.org +1 617.863.0613
>> >> https://wendy.seltzer.org/
Received on Saturday, 14 June 2025 00:08:37 UTC