Response to 'Call for Review: Verifiable Credentials Working Group Charter'

The timelines in the charter are unrealistic.

    January 2025  : Publication of all Recommendation Track documents
    February 2025 : Working Group starts operating in maintenance mode.

The charter fails to identify the whole picture, in particular the 
components of the ecosystem.
It focuses on data structures and cryptography which are indeed 
important, but are not sufficient.

A system cannot be secure unless one considers the underlying _physical_ 
infrastructure, in particular TEEs and TAs,
that support the holder (application). Protecting cryptographic keys is 
indeed necessary, but additional characteristics
will be absolutely necessary. Verifiers MUST be able to know these 
characteristics so that they can decide
whether they are sufficient/appropriate or not.

The vocabulary used in VCDM 2.0 will need to be reconsidered, in 
particular the definition of a holder:

    "A role an entity might perform by possessing one or more verifiable
    credentials and generating verifiable presentations from them.
    A holder is often, but not always, a subject of the verifiable
    credentials they are holding. Holders store their credentials in
    credential repositories".

A Holder is an application. It is NOT an "entity." A Holder 
(application) is placed under the control of an End-User.
The End-user will need to be involved to approve or to deny some 
operations that the holder (application) is wishing to perform.
It is fundamental to make the difference between the holder 
(application) and the End-User.

Holders do not store their credentials in "credential repositories", but 
in digital identity wallets, i.e. in their holder application.

The W3C model needs to be corrected.

Collusions between End-Users and hence between holder (applications) 
need to be considered and addressed.

A summary of the "desirable" privacy and security characteristics should 
be done.

A gap analysis between what exists today and what is needed should be done.

The ease of use of End-users is not addressed.

    Under which conditions will an End-user be able to build a back-up
    of his operational holder application?
    Under which conditions will an End-user be able to use a back-up of
    his operational holder application?

Requests for digital credentials to an Issuer need to be addressed.

Suspension and revocation of digital identity wallets need to be addressed.
Suspension and revocation of digital credentials need to be addressed.
Both cases CAN be addressed WITHOUT using CRL-like or OCSP-like mechanisms.

The IETF has currently two WGs dealing with some of these topics: the 
OAuth WG and the SPICE WG.
The CFRG has issued the following draft: 
draft-irtf-cfrg-bbs-signatures-04: The BBS Signature Scheme.

Duplication of work should be avoided ... but there are gaps.
These gaps need to be identified so that they can be addressed sooner or 
later by a WG.

Once again, what is first needed is NOT to develop the series of documents 
proposed in the charter but to write a Technical Report
to identify all the components of the ecosystem and all the protocols 
that will be necessary to support the whole ecosystem.

Denis

PS. Thank you Paul for forwarding the original e-mail.

> FYI,
>
> Paul
>
>
> ---------- Forwarded message ---------
> From: *xueyuan* <xueyuan@w3.org>
> Date: Wed, Aug 21, 2024 at 12:48 AM
> Subject: [new-work] Proposed W3C Charter: Verifiable Credentials 
> Working Group (until 2024-09-18/19)
> To: <new-work@ietf.org>
>
>
> Hello,
>
> Today W3C Advisory Committee Representatives received a Proposal
> to review a draft charter for the Verifiable Credentials Working Group:
> https://www.w3.org/2024/08/proposed-vc-charter.html
>
> As part of ensuring that the community is aware of proposed work
> at W3C, this draft charter is public during the Advisory
> Committee review period.
>
> W3C invites public comments through 03:59 UTC on 2024-09-19
> (23:59, Boston time on 2024-09-18) [0] on the proposed charter.
> Please send comments (use the group name as subject line) to
> public-review-comments@w3.org, which has a public archive:
> https://lists.w3.org/Archives/Public/public-review-comments/
>
> Other than comments sent in formal responses by W3C Advisory
> Committee Representatives, W3C cannot guarantee a response to
> comments. If you work for a W3C Member [1], please coordinate
> your comments with your Advisory Committee Representative. For
> example, you may wish to make public comments via
> public-review-comments@w3.org and
> have your Advisory Committee Representative refer to it in their formal
> review.
>
> If you should have any questions or need further information, please
> contact Ivan Herman, Team Contact for the Verifiable Credentials
> Working Group, at <ivan@w3.org>.
>
> Thank you,
> Xueyuan Jia, W3C Marketing & Communications
>
> [0]
> https://www.timeanddate.com/worldclock/fixedtime.html?iso=20240918T2359&p1=43
> [1] https://www.w3.org/membership/list/
>

Received on Thursday, 19 September 2024 18:35:26 UTC