Minutes for VCWG telecon 2 April 2019

available at:
  https://www.w3.org/2019/04/02-vcwg-minutes.html

also as text below.

Thanks a lot for taking the minutes, Ganesh and Dave!

Kazuyuki

---

   [1]W3C

      [1] http://www.w3.org/

                               - DRAFT -

                    Verifiable Claims Working Group

02 Apr 2019

   [2]Agenda

      [2] https://lists.w3.org/Archives/Public/public-vc-wg/2019Mar/0030.html

Attendees

   Present
          Dan_Burnett, Dave_Longley, Ganesh_Annan, Justin_Richer,
          Manu_Sporny, Tzviya_Siegman, Brent_Zundel, Amy_Guy,
          Andrei_Sambra, Matt_Stone, Oliver_Terbu, Ken_Ebert,
          Dmitri_Zagidulin, Kaz_Ashimura, Ted_Thibodeau,
          Jonathan_Holt, Allen_Brown, Benjamin_Young, Joe_Andrieu,
          Brian_Ulicny, Kaliya_Young, Ned_Smith, Yancy_Ribbens

   Regrets
          David_Chadwick

   Chair
          Dan_Burnett, Matt_Stone

   Scribe
          dlongley, gannan

Contents

     * [3]Topics
         1. [4]Agenda review, Introductions, Re-introductions
         2. [5]PR review
         3. [6]Any other business?
     * [7]Summary of Action Items
     * [8]Summary of Resolutions
     __________________________________________________________

   <dlongley> scribenick: dlongley

Agenda review, Introductions, Re-introductions

   burn: We're going to start with reviewing PRs. Then we'll look
   at issues, we won't start with assigning names to issues and
   I'll give background on that in a moment. Anyone joining for
   the first time today?
   ... Manu would you like to reintroduce yourself?

   manu: Hi, I'm Manu Sporny. I work at Digital Bazaar. We've been
   involved in the VC stuff for quite a while, a number of our
   products utilize the tech. We work with large gov't, banking,
   finance, etc customers. Look forward to the spec reaching REC
   this year.

   burn: The chairs and editors have has some more conversations
   and we'd like to cover a few important points.
   ... The spec was published as CR last Thursday, yay!

   <manu> yaaay! to CR being published :))))

   burn: In addition, the group has been extended to the end of
   September, congratulations to everyone.

   <dmitriz> yayyyy!!!

   <manu> yaaay! for administrative Charter extension!!!!

   burn: This is what we were hoping for and it's confirmed now.
   ... At this stage, our groups work and the status of our spec
   is a little at risk. I will put this bluntly. It is at risk
   from two kinds of people. Those that wish the group to fail and
   those that believe that what they want is more important than
   having the group succeed.
   ... There are 4 ways this can manifest. 1. Trolling of the
   issues list. Intentionally or unintentionally splitting the
   group over some issue that's not worth destroying the spec
   over.
   ... 2. Trolling of our issues list by proposing unnecessary
   normative changes that would force us to have another CR.
   ... 3. Responding slowly to discussions or at the very last
   moment. Malicious responders will do this to make the group go
   past its charter time. It can also happen if the group loses
   focus.
   ... 4. Someone arguing that someone has not addressed the issue
   after the group has considered it and made a decision. That can
   happen sometimes but people who wish the group ill will tend to
   do this. We have some suspicion that there are people that do
   feel that way about the group.
   ... I'm going to go over some more about this. At this point a
   single normative change will require a new CR. To issue a new
   one we would need a successful publication vote near the end of
   May. We'd need wide review by the end of April.
   ... Here are the guidelines and rules that we plan to follow.
   Our goal is to not make any normative changes unless absolutely
   necessary. If we MUST then we need to make them right away. If
   there's something that really must happen, don't wait.
   ... For every issue, we will either request or propose
   non-normative spec changes if possible.
   ... The reason for this is to provide that we have indeed
   considered the issue. We will be going from a 14-day default
   close to a 7-day default close. I'm not happy about this but I
   think it's the way we'll have to go.
   ... It doesn't mean that if there is strong objection to the
   close and that person is on vacation we can't make exceptions.
   ... But in order to keep the work moving it's dangerous for 14
   days ... if you don't respond to close it because people might
   wait 14 days and then give a comment and then do it again and
   then we're over time.
   ... We will open a closed issue but only if new information is
   brought. This is appropriate at this stage, it is what CR
   means.
   ... Ok, thank you.
   ... Looking for a new scribe...

   <scribe> scribenick: gannan

PR review

   <manu> [9]https://github.com/w3c/vc-data-model/issues/492

      [9] https://github.com/w3c/vc-data-model/issues/492

   manu: We're going to reference the issues first and then talk
   about the PRs

   <burn>
   [10]https://github.com/w3c/vc-data-model/issues?utf8=%E2%9C%93&
   q=is%3Aissue+is%3Aopen+-label%3Adefer

     [10] https://github.com/w3c/vc-data-model/issues?utf8=✓&q=is:issue+is:open+-label:defer

   <manu> [11]https://github.com/w3c/vc-data-model/pull/510

     [11] https://github.com/w3c/vc-data-model/pull/510

   manu: Tony Nadalin raised a concern that issues about private
   browsing mode in different browsers and he wanted to point out
   that each browser may or may not have private browsing mode
   ... Brent addressed the issue in his PR with a non-normative
   change
   ... Any objections? If not I will make a proposal.

   <manu> PROPOSED: Merge non-normative PR #510 in order to
   clarify private-browsing mode concerns raised in issue #492.

   <dlongley> +1

   burn: Focused on closing issues and minimizing discussion. We
   want to be clear with our resolutions so that they're entered
   into the minutes.

   <brent> +1

   <ken> +1

   <TallTed> +1

   <deiu> +1

   <tzviya> +1

   <stonematt> +1

   <burn> +1

   <oliver_terbu> +1

   <manu> +1

   manu: Ensure that only one representative from the company is
   adding a +1.

   TallTed: In a working group this is not the case, it is one
   person, one vote.

   <stonematt> +1 to call for objections in following resolutions

   burn: I would rather not do a vote and just call for
   objections.

   RESOLUTION: Merge non-normative PR #510 in order to clarify
   private-browsing mode concerns raised in issue #492.

   <manu> [12]https://github.com/w3c/vc-data-model/issues/493

     [12] https://github.com/w3c/vc-data-model/issues/493

   <manu> [13]https://github.com/w3c/vc-data-model/pull/499

     [13] https://github.com/w3c/vc-data-model/pull/499

   manu: Next PR has to do with security considerations section,
   issue 493. Tony is asserting that there are lowercase musts in
   a non-normative sections. Chaals created a PR with
   non-normative changes to address Tony's concerns. It changes
   text from "must" to "needs to"

   <manu> PROPOSED: Merge non-normative PR #499 in order to
   clarify that existing 'must' was not a normative statement,
   which was raised in issue #493. Close issue #493 after the
   merge.

   manu: any objections to that proposal?

   RESOLUTION: Merge non-normative PR #499 in order to clarify
   that existing 'must' was not a normative statement, which was
   raised in issue #493. Close issue #493 after the merge.

   <manu> [14]https://github.com/w3c/vc-data-model/issues/495

     [14] https://github.com/w3c/vc-data-model/issues/495

   manu: PR for token binding, issue 495

   <manu> [15]https://github.com/w3c/vc-data-model/pull/497

     [15] https://github.com/w3c/vc-data-model/pull/497

   manu: ... Tony is requesting we link to RFC ???, we have a PR
   that updates a link to the specification

   <manu> PROPOSED: Merge non-normative PR #497 in order to update
   to an informative reference to RFC8471 raised in issue #495.
   Close issue #495 once the PR is merged.

   manu: any objections?

   RESOLUTION: Merge non-normative PR #497 in order to update to
   an informative reference to RFC8471 raised in issue #495. Close
   issue #495 once the PR is merged.

   <manu> [16]https://github.com/w3c/vc-data-model/issues/482

     [16] https://github.com/w3c/vc-data-model/issues/482

   manu: Next item, issue 482. Tony asserts that the introduction
   is misleading because it talks about digital signatures...
   ... ...our specification doesn't standardize on proof formats

   <manu> PROPOSED: Add more clarifying text to the specification
   noting that while the specification does not standardize on
   signature format, the WG is aware of at least three mechanisms
   (JWTs, LD-Proofs, and ZKPs) that are capable of protecting the
   contents of the data model at the time of publication that are
   being used in deployments of the technology and expects those
   mechanisms to mature independently as well as new mechanisms to
   become standardized.

   manu: ...we would make a non normative clarification to the
   spec
   ... ...the spec already states that we are not choosing one
   signature mechanism, we are proof agnostic
   ... any objections?

   Justin_R: no objections, I think it is the right way to go. I
   want to make sure that the existing text does veer towards LD
   as the base model...
   ... ...and everything else is an expression of the LD model

   <jonathan_holt> 1+

   manu: can you suggest in the issue or in the PR some concrete
   non-normative spec changes?

   Justin_R: sure, could you tag me as a reviewer so I can look at
   it. To prevent stepping on each others toes.

   burn: Let's make sure we can do that.

   Justin_R: Or a comment.

   manu: Taking note of that.

   Justin_R: Thank you.

   manu: any objections?

   RESOLUTION: Add more clarifying text to the specification
   noting that while the specification does not standardize on
   signature format, the WG is aware of at least three mechanisms
   (JWTs, LD-Proofs, and ZKPs) that are capable of protecting the
   contents of the data model at the time of publication that are
   being used in deployments of the technology and expects those
   mechanisms to mature independently as well as new mechanisms to
   become standardized.

   <manu> [17]https://github.com/w3c/vc-data-model/issues/483

     [17] https://github.com/w3c/vc-data-model/issues/483

   manu: next, section 4.1 @context... issue 483
   ... ...tony has asserted that there is no reason to have a
   @context, it should be removed or made optional
   ... ...there has been a lot of discussion around interop
   between json only and json-ld processors
   ... ...we've been discussing this for a long time and the
   points that Tony raised has been discussed by the working group
   ... ...the working group made a vote to make @context mandatory
   in our f2f meeting with broad agreement
   ... ...you do not need to process @context when using a JSON
   only processor

   <manu> PROPOSED: The VCWG had considered all points raised by
   issue #483 throughout the lifetime of the WG's operation, no
   new information was provided by issue #483 to convince the WG
   to change @context being mandatory (which has broad support in
   the WG with no objections), and thus the issue should be closed
   with no changes to the specification.

   manu: any objections?

   jonathan_holt: It goes into the mime-type discussion we had in
   Barcelona, we should require @context

   manu: To be clear you are saying that this is part of the
   conversation, you are not rejecting the proposal
   ... that is a formal objection, we are requiring @context

   <dlongley> the `@context` is on the `vc` .. not on the JWT. ...
   is this a clarification we need?

   jonathan_holt: we should be specific on when @context is
   required

   manu: we need some spec text

   jonathan_holt: I'll bubble up my issue

   <Zakim> brent, you wanted to say text clarification that
   explicitly points out that if the data model is encoded as a
   JWT, no processing of the @context is expected may be helpful

   burn: It might be more efficient to have a conversation

   brent: I think it we added some text that clarifies if the data
   model is processed as a JWT then no processing of @context is
   needed
   ... @context needs to be present but need not be processed by
   their processor

   manu: we can't proceed... need to have a conversation with
   jonathan_holt... brent go ahead and write a PR with this issue
   and potentially others

   TallTed: what I'm seeing in this issue thread, is not an issue
   about processing the @context content. It's about someone
   working exclusively with JWT's and do not want to have @context
   in their credential and they have no care for JSON-LD

   manu: It's necessary for the data encapsulated in the JWTs, if
   it's not in the VC then it's semantically ambiguous

   TallTed: That needs to be addressed

   manu: That is addressed in issue 491

   <dlongley> +1 it's not about JWT, it's about the payload IN the
   JWT.

   TallTed: We need to address what others that don't understand,
   @context should be in the payload in the JWT

   manu: We'll refer to this in the issue

   Justin_R: It sounds like that fundamentally a VC is JSON-LD doc
   with many types of expression
   ... ... if that's the case then we need to be explicit, if not
   then these issues do have merit

   manu: It's not just a JSON-LD document, it's a hybrid. We have
   something that could just use JSON processing or JSON-LD
   processing

   <manu> [18]https://github.com/w3c/vc-data-model/issues/494

     [18] https://github.com/w3c/vc-data-model/issues/494

   manu: this needs more discussion
   ... In the next issue, has to do with content integrity
   ... Tony says there is no need to have content integrity in
   JWTs
   ... This is talking about links in documents, we warn that
   outgoing links need content integrity, JWTs do not solve that
   problem

   <manu> PROPOSED: The content-integrity section of the
   specification describes how outgoing links from a document may
   be protected. Issue #494 asserts that JWTs provide
   content-integrity protection for outgoing links, which is
   false.The VCWG is also supportive of the use of @context as a
   core part of the data model. Issue #494 should be closed with
   no changes to the specification.

   manu: Basically, no change to the spec. It's a non-normative
   section, we are not saying you need to have content integrity
   for outgoing links but recommend a few mechanisms to achieve
   this
   ... any objections?

   RESOLUTION: The content-integrity section of the specification
   describes how outgoing links from a document may be protected.
   Issue #494 asserts that JWTs provide content-integrity
   protection for outgoing links, which is false.The VCWG is also
   supportive of the use of @context as a core part of the data
   model. Issue #494 should be closed with no changes to the
   specification.

   <manu> [19]https://github.com/w3c/vc-data-model/issues/498

     [19] https://github.com/w3c/vc-data-model/issues/498

   manu: next is issue 498, Tony says that there are no
   interoperable parts of the spec that makes it verifiable

   <TallTed> TallTed: "JWTs provide content-integrity protection
   for outgoing links" = true. "JWTs provide content-integrity
   protection for content of outgoing links" = false.

   manu: ...remove verifiable from the spec and make JWTs the
   normative way of expressing credentials
   ... ...the issue is about the title of the specification and
   removing the word verifiable

   <manu> PROPOSED: The specification clearly defines the meaning
   of "verifiable credential" and the VCWG has spent a
   considerable amount of time discussing and running surveys on
   the proper name for the specification. The VCWG believes the
   name of the specification is appropriate. Issue #498 should be
   closed with no change to the title of the specification.

   manu: ...the group has had a long discussion and agreed that it
   should be the "Verifiable Credentials" data model
   ... any objections?

   RESOLUTION: The specification clearly defines the meaning of
   "verifiable credential" and the VCWG has spent a considerable
   amount of time discussing and running surveys on the proper
   name for the specification. The VCWG believes the name of the
   specification is appropriate. Issue #498 should be closed with
   no change to the title of the specification.

   <dlongley> [20]https://github.com/w3c/vc-data-model/issues/502

     [20] https://github.com/w3c/vc-data-model/issues/502

   manu: next is a charter comment. Tony is mentioning that the
   web-authn should have been a liason in the charter. He wants to
   have a charter update. We just got a charter extension so we
   can't change the charter. Tony is the co-chair of the group and
   has made a full review of the specification already. The Web
   Authn group has the ability to do any additional reviews

   burn: we are not changing the charter
   ... we do not need a formal liason relationship for comments to
   be made on the specification

   <manu> PROPOSED: The VCWG notes that the charter cannot be
   changed at present and thus new Liaison relationships cannot be
   added. The VCWG also notes and is thankful of the review of the
   specification that has been performed by Tony Nadalin, who is a
   co-chair of the WebAuthn WG, and welcomes comments from all
   interested Working Groups. Issue #513 should be closed with no
   change to the specification.

   manu: this is the new re-worked proposal?

   burn: any objections?

   RESOLUTION: The VCWG notes that the charter cannot be changed
   at present and thus new Liaison relationships cannot be added.
   The VCWG also notes and is thankful of the review of the
   specification that has been performed by Tony Nadalin, who is a
   co-chair of the WebAuthn WG, and welcomes comments from all
   interested Working Groups. Issue #513 should be closed with no
   change to the specification.

   <manu> [21]https://github.com/w3c/vc-data-model/issues/513

     [21] https://github.com/w3c/vc-data-model/issues/513

   kaz: The first two proposals should be removed from the minutes
   later because they're overridden by the third proposal

   manu: correct

   (Originally there were three proposals made during the call,
   but the first two proposals have been removed and only the
   final proposal confirmed is recorded above)

   manu: Tony says that JWKs should be listed as a normative
   reference, brent and oliver had a back and forth in the
   comments. It seems that JWKs are not listed

   <manu> PROPOSED: Add non-normative text to the specification
   that makes an informative reference to the JWK specification
   and notes that key discovery can be performed in a variety of
   ways including the use of JWK and DID-based key discovery.

   manu: ...the suggestion is to make a non-normative spec change
   that points to JWK as a way to describe keys but not the only
   way
   ... any objections to that proposal?

   <Justin_R> +1 informative references to examples are good

   <Justin_R> (I had raised this previously)

   RESOLUTION: Add non-normative text to the specification that
   makes an informative reference to the JWK specification and
   notes that key discovery can be performed in a variety of ways
   including the use of JWK and DID-based key discovery.

   <Justin_R> np

   <manu> [22]https://github.com/w3c/vc-data-model/issues/490

     [22] https://github.com/w3c/vc-data-model/issues/490

   Justin_R: going to tag you in the resolution, since you had
   some concerns

   manu: issue 490, this is about the Trust Model. Section 5.2
   which is non-normative. We talk about what the Trust Model
   should be, it's not the only one
   ... tony suggests that this should be put at-risk, I've seen no
   spec that has put non-normative text as at-risk
   ... nothing in this section has implementation burden so
   there's no reason to mark it at risk

   <manu> PROPOSED: Section 5.2: Trust Model is a non-normative
   section on the specification. Issue #490 asserts that it should
   be marked at risk. Non-normative sections contain no normative
   statements and thus are not at risk during or after the
   Candidate Recommendation phase. Issue #490 should be closed
   with no changes to the specification.

   manu: it's a no change to the specification

   <TallTed> +1 non-normative, so no implementation expected, so
   can't be at-risk

   burn: at risk as I understood it during my 20years, at risk
   means at risk from removal from the specification due to
   insufficient implementation

   kaz: just want to confirm that the feature we're discussing
   wouldn't impact implementations

   (burn agrees that is a good point, and doesn't think it would
   impact implementations)

   manu: any objections?

   RESOLUTION: Section 5.2: Trust Model is a non-normative section
   on the specification. Issue #490 asserts that it should be
   marked at risk. Non-normative sections contain no normative
   statements and thus are not at risk during or after the
   Candidate Recommendation phase. Issue #490 should be closed
   with no changes to the specification.

   manu: do the chairs want to wrap up or process one more issue?

   burn: it'd be good to wrap up

Any other business?

   Kaliya mentions she and Heather have published a book which has
   a chapter on Verifiable Credentials

   burn: any questions or comments before we end the call?

   yancy: just wanted to say I raised a few issues on the test
   suite, would like some responses

   burn: we need to discuss this, test could change because they
   were implemented incorrectly or there was an update to
   normative references

   dmitriz: can we work on it next call?

   burn: would prefer to continue it offline
   ... to short notice, but the chairs can talk about a way too
   have more working calls between our meetings
   ... thank you everyone, bye

Summary of Action Items

Summary of Resolutions

    1. [23]Merge non-normative PR #510 in order to clarify
       private-browsing mode concerns raised in issue #492.
    2. [24]Merge non-normative PR #499 in order to clarify that
       existing 'must' was not a normative statement, which was
       raised in issue #493. Close issue #493 after the merge.
    3. [25]Merge non-normative PR #497 in order to update to an
       informative reference to RFC8471 raised in issue #495.
       Close issue #495 once the PR is merged.
    4. [26]Add more clarifying text to the specification noting
       that while the specification does not standardize on
       signature format, the WG is aware of at least three
       mechanisms (JWTs, LD-Proofs, and ZKPs) that are capable of
       protecting the contents of the data model at the time of
       publication that are being used in deployments of the
       technology and expects those mechanisms to mature
       independently as well as new mechanisms to become
       standardized.
    5. [27]The content-integrity section of the specification
       describes how outgoing links from a document may be
       protected. Issue #494 asserts that JWTs provide
       content-integrity protection for outgoing links, which is
       false.The VCWG is also supportive of the use of @context as
       a core part of the data model. Issue #494 should be closed
       with no changes to the specification.
    6. [28]The specification clearly defines the meaning of
       "verifiable credential" and the VCWG has spent a
       considerable amount of time discussing and running surveys
       on the proper name for the specification. The VCWG believes
       the name of the specification is appropriate. Issue #498
       should be closed with no change to the title of the
       specification.
    7. [29]The VCWG notes that the charter cannot be changed at
       present and thus new Liaison relationships cannot be added.
       The VCWG also notes and is thankful of the review of the
       specification that has been performed by Tony Nadalin, who
       is a co-chair of the WebAuthn WG, and welcomes comments
       from all interested Working Groups. Issue #513 should be
       closed with no change to the specification.
    8. [30]Add non-normative text to the specification that makes
       an informative reference to the JWK specification and notes
       that key discovery can be performed in a variety of ways
       including the use of JWK and DID-based key discovery.
    9. [31]Section 5.2: Trust Model is a non-normative section on
       the specification. Issue #490 asserts that it should be
       marked at risk. Non-normative sections contain no normative
       statements and thus are not at risk during or after the
       Candidate Recommendation phase. Issue #490 should be closed
       with no changes to the specification.

   [End of minutes]
     __________________________________________________________


    Minutes manually created (not a transcript), formatted by
    David Booth's [32]scribe.perl version 1.154 ([33]CVS log)
    $Date: 2019/04/07 15:41:39 $

     [32] http://dev.w3.org/cvsweb/~checkout~/2002/scribe/scribedoc.htm
     [33] http://dev.w3.org/cvsweb/2002/scribe/

Received on Sunday, 7 April 2019 15:44:52 UTC