Re: More questions about the VC Document 2.0 (part 2) from Manu Sporny on 2023-10-31 (public-vc-wg@w3.org from October 2023)

From: Manu Sporny <msporny@digitalbazaar.com>
Date: Tue, 31 Oct 2023 10:26:01 -0400
To: ステファニータン（SBIホールディングス） <tstefan@sbigroup.co.jp>
Cc: W3C Credentials CG <public-credentials@w3.org>, W3C VC Working Group <public-vc-wg@w3.org>
Message-ID: <CAMBN2CSgeJ4eyuyd3GUeYLuU8Kud-FaC06dwbCM++eDcjV55uA@mail.gmail.com>

On Tue, Oct 31, 2023 at 9:51 AM Orie Steele <orie@transmute.industries> wrote:
>> In the document, there is this line about multiple issuers in a VP: "The data in a presentation is often about the same subject, but might have been issued by multiple issuers. The aggregation of this information typically expresses an aspect of a person, organization, or entity. "
>> Has anyone here experimented with it before?
>
> Multiple issuer's use case is not supported by the current drafts, and having been a part of those discussions, it seems unlikely to be supported in the future.

That sentence is about the ability for a VP to carry multiple VCs.
Each VC can be about the same subject, but signed by different
issuers.

> Some people are still working on BBS at W3C, I will let them speak to that topic.

Work continues on both the selective disclosure mechanism for ECDSA:

https://w3c.github.io/vc-di-ecdsa/#ecdsa-sd-2023

... and a selective disclosure mechanism using BBS (but that trails
the work above). At present, there seems to be support for SD-JWT, but
not a lot of deployment experience w/ VC v2.0 data model secured using
SD-JWT (though, we see no reason a profile of SD-JWT focused on VC
v2.0 data model wouldn't work). There are some gotchas there (like
selectively disclosing `@context` values, `id` values, and `type`
values)... but I'm sure those suggesting usage of SD-JWT for securing
VCs will get that language right as they document that profile.

> In my opinion, W3C should drop the vc-jose-cose item entirely, or should fix the core data model so that it does not lead to the conclusion that data integrity proofs are required.

... or put more work into vc-jose-cose to bring it up to par with
what's necessary for a production usage of the technology as applied
to VCs. If you'd like to help with that work, please join the group
and help those working on vc-jose-cose to advance that spec. I agree
with Orie that engagement has not been great on that spec, but people
continue to use JOSE w/ VCs, so we do need to (as a community)
document how to properly use it and the traps/pitfalls to watch out
for when implementing using things like SD-JWT. It's not rocket
science, we just need more people that have an interest in moving that
work forward involved in moving that work forward.

-- manu

-- 
Manu Sporny - https://www.linkedin.com/in/manusporny/
Founder/CEO - Digital Bazaar, Inc.
https://www.digitalbazaar.com/

Received on Tuesday, 31 October 2023 14:26:42 UTC