Re: Call for Consensus: FPWD of Digital Credentials API spec

Thanks Wendy for a direct call for consensus on this question on the list.
And thank you Martin for clearly describing the concern.

As I mentioned on previous calls but wanted to confirm on list, I would
also object to publishing a First Public Working Draft of the current
editor's draft text, given the lack of documentation or mitigation of the
harms to privacy and free expression. For the purposes of horizontal
review, not having any substantive text in the various considerations
sections will make it infeasible to get a meaningful or successful privacy
or TAG review that doesn't just devolve into a pointer to those gaps.
Broadly deployed implementations of current drafts of the API without the
necessary mitigations introduce the direct harms to users and also make it
harder for design changes across the ecosystem to mitigate those harms.

I know we don't have our regular meeting today, but I'll plan to use this
time myself (and anyone else interested ping me on Slack) in detailing the
privacy, security and free expression concerns in more specific GitHub
issues, and working on the related documents. I fear that there might be
some confusion, though, in thinking that the work is just documentation of
the privacy situation vs design changes and substantive mitigations. We as
a Working Group still have most of the work to do.

Thanks,
Nick

On Tue, May 13, 2025 at 7:18 PM Martin Thomson <mt@mozilla.com> wrote:

> Hi Wendy,
>
> On Tue, May 13, 2025 at 6:15 AM Wendy Seltzer <wendy@seltzer.org> wrote:
>
>> Following our WG hybrid meeting[1] and further issue resolution, we're
>> calling for a consensus to publish the editor's draft dated 5 May [2],
>> https://w3c-fedid.github.io/digital-credentials/
>> as First Public Working Draft of the Digital Credentials API. FPWD does
>> not mean all issues are resolved, but gives us a stable reference from
>> which to engage with outside groups for horizontal review.
>>
>
> We would prefer to see this decision delayed until there is more substance
> in the document.  In particular, the formal objection raised during the
> formation of the working group [1] raised some issues that this group
> agreed to address. Those are not addressed in the document presently.
> However, there is just enough detail in the specification to (probably)
> implement something.  That means that the harms might be deployed,
> unmitigated, based on the FPWD.
>
> As you say, a FPWD gives others a stable reference to use.  We would
> prefer that that not happen until basic safeguards are in place.  Within
> the W3C, there is at least an understanding that these important issues are
> yet to be addressed.
>
> The council report [2] makes several recommendations that we believe
> roughly cover what would be necessary; there is also an open issue on
> documenting privacy considerations that identifies the relevant sections
> [3].
>
> [1]
> https://lists.w3.org/Archives/Public/public-review-comments/2024Sep/0017.html
> [2] https://www.w3.org/2025/02/council-report-fedid-dig-cred.html
> [3] https://github.com/w3c-fedid/digital-credentials/issues/183
>

Received on Monday, 19 May 2025 16:01:08 UTC