Re: Response to GSMA from the W3C

Moving out of markdown to provide feedback in purple:

**DRAFT, 2023-09-18**

**Not an official VCWG communication until authorized by Brent Zundel.**

Dear Hélène Vigué, *[other relevant recipients]*

*[Initial greetings, observations, statements etc. from the VCWG Chairs
and/or W3C Staff Contact Ivan Herman.]*

The VCWG would like to thank the GSMA and its representatives for
initiating this request for collaboration. Following is a summary of the
current status of multiple aspects of our work in response to the
actions that you requested in your statement, as well as specific offers
of support that I was asked to make on behalf of specific participants
of the VCWG.

Unlinkability, selective disclosure and canonicalization are all

Canonicalization is being worked on outside the W3C VCWG,
I don't think we should suggest that VCWG members have consensus that
canonicalization is "cutting edge", or a "good idea".

cutting-edge technologies that are being developed by the VCWG as part
of a suite of interoperable specifications for various authentication,
authorization and attestation use cases. An end-to-end technology stack
for typical privacy-preserving identity applications is likely to
involve a variety of components, including the BBS Signature Scheme of
the IETF/IRTF CFRG, our own Verifiable Credentials data model, and our
suite of Data Integrity specifications and cryptosuites, which in turn
are built upon the RDF Dataset Canonicalization specification written by
the W3C's RDF Dataset Canonicalization and Hash Working Group operating
in parallel to our own.

correct

The most recent draft of the BBS Signature Scheme, as developed by the
Internet Research Task Force (IRTF) Crypto Forum Research Group (CFRG),
was published two months ago, and we have it on good authority that the
CFRG intends to bring this work to publication as an IETF document.

I'd frame this as "with or without further breaking changes at CFRG",
since breaking changes would make our work no longer compatible.

Although as the W3C we are unable to comment directly on the timeline
for an IETF release, most of our participants whose work involves the
BBS technology expect this to happen as early as 2024.

The ability for BBS-based cryptography to satisfy the privacy
requirements that you outline in your liaison request has been
demonstrated by a prototype implementation written by VCWG editor Greg
Bernstein of Grotto Networking. The VCWG is aware of at least three other
early-stage implementations being developed in conformance to the latest
draft and expects these to progress alongside the specification drafting
in such a way as not to delay any BBS-related publications.

Is there a reason we are not citing or providing references to the early
stage work?

The blocking path I see is the following:
CFRG -> W3C VCWG CR -> Multiple Independent Implementations (3?) -> W3C TR

If things at the lower layers change, the upper layers are at risk.

There is general support from the participants of the VCWG for BBS-based
Verifiable Credentials Data Integrity. The Verifiable Credentials Data
Integrity specifications for ECDSA and EdDSA cryptography were approved
last week, without objection, to enter a Candidate Recommendation phase
in which they will be finalized for publication on the W3C
Standardization Track. BBS and unlinkability is considered to be a
natural next step for this work.

Digital Bazaar would like to offer their support to the GSMA in your use
of BBS and related technologies, and believe that cryptography experts
would be most beneficial in providing the relevant skillset and
knowledge to expedite the integration of BBS into the Verifiable
Credentials ecosystem through further drafting of the vc-di-bbs
document. We would appreciate an indication if possible as to whether
the GSMA would be able to assign such specialists to our Data Integrity
work, for which the Data Integrity chairs would be most grateful.

I don't think we have "Data Integrity chairs", we do have VCWG and RCH WG
chairs.
We have "Data Integrity Editors"...
I'm not sure we need to call out specific companies here, the working group
is expected to have consensus on work items.
If we do mention companies, it would be good to see more than 1 mentioned
in the liaison statement.

Sebastian Crane would like to offer his direct collaboration as a point
of contact between the GSMA and W3C, including to provide any technical
and procedural guidance related to the coordination between our
respective stakeholders. This would be complementary and in addition to
any formal engagement as part of a Liaison between the W3C and GSMA.

Peter Altmann of the Swedish Civil Service and Sebastian Elfors of IDnow
have expressed optimism on the potential of hardware (potentially
smartcard-based) implementations of this technology for the EU Digital
Identity Wallet, and are keen to discuss with the GSMA the opportunities
in this regard.

The VCWG wishes to bring to your awareness our efforts related to
supporting the securing of Verifiable Credentials and Presentations
using the Object Signing and Encryption specifications for the JSON and
CBOR data formats, called JOSE and COSE respectively. We are developing
this capability in our Standardization Track vc-jose-cose document, and
invite you to explore the possibilities of using this for cases where
highly efficient, minimal selective disclosure is needed and where full
RDF processing may not be necessary. This can, for instance, be

I gather we don't know if they plan to do RDF processing or not...
and so we are assuming that they require JSON-LD RDF processing based on
interest in the work item,
and the work item not supporting BBS without RDF processing?

effective in securing existing JSON payloads within the Verifiable
Credentials ecosystem. We expect our JOSE/COSE work to proceed at
broadly the same rate as for BBS-based Data Integrity, serve a
comparable role in the VC/VP technology stack and have similar
dependencies on external efforts in the IETF.

I sure hope it progresses at the same speed, currently getting its butt
kicked by the pace of data integrity work : )

I'm not sure why we really need this section.
vc-jose-cose does not call out JWP, and can't support unlinkability with
the current industry standard envelopes from IETF.

*[Concluding remarks, observations or statements from Chairs and/or Staff
Contact.]*

*[Closing and signature by Brent Zundel.]*

Overall, I think this is long-winded, but not that far off from something I
would support the working group sending.

Thanks for taking the time to write it up. I don't have any blocking
feedback,
I think it's for the chairs to consider changes, based on the comments they
get from the working group.

On Tue, Sep 19, 2023 at 2:09 AM Sebastian Elfors <sebastian.elfors@idnow.de>
wrote:

> Dear Sebastian,
>
> Thanks for the write up. It looks good to me, but I've made some edits to
> this section for your consideration:
>
> "Peter Altmann of the Swedish Agency for Digital Government and Sebastian
> Elfors of IDnow have expressed optimism on the potential of hardware
> (potentially smartcard-based) implementations of BBS+ technology for the EU
> Digital Identity Wallet in Type 2 configurations, and are keen to discuss
> with the GSMA the opportunities in this regard. As a reference, you may
> also read their ETSI TR 119 476 report on selective disclosure technologies
> for the EUDI Wallet."
>
> Kind regards,
> Sebastian Elfors
>
> -----Original Message-----
> From: Sebastian Crane <seabass-labrax@gmx.com>
> Sent: Tuesday, 19 September 2023 01:31
> To: Brent Zundel <Brent.Zundel@gendigital.com>
> Cc: W3C VC Working Group <public-vc-wg@w3.org>; Ivan Herman <ivan@w3.org>;
> Kristina Yasuda <Kristina.Yasuda@microsoft.com>; Wayne Cutler <
> wcutler@gsma.com>; Liaisons, <team-liaisons@w3.org>; Helene Vigue <
> hvigue@gsma.com>
> Subject: Re: Response to GSMA from the W3C
>
> Dear Brent,
>
> Following my earlier email on this topic, I have drafted a letter in
> response to the GSMA liaison statement, which I believe takes into
> consideration all the various positions, facts and offers of support that
> have been voiced so far in this thread. This is for you to send if and when
> you deem appropriate, following the protocol that Ivan outlined. As
> mentioned during the session at TPAC, it is of great importance that the
> correspondence is both comprehensive and welcoming considering the positive
> impact that this collaboration could have on European adoption of
> Verifiable Credentials. I think you will find the letter most 'ausführlich'!
>
> Attached to this email is the letter as I have drafted it.
>
> Best wishes,
>
> Sebastian
>
>
> On Fri, Sep 15, 2023 at 05:21:51PM +0100, Sebastian Crane wrote:
> >
> > Dear Brent,
> >
> > Thank you for finding time during the TPAC meeting to discuss the GSMA
> > liaison request. Since I was on the queue to speak when the meeting
> > closed, I shall instead write my thoughts below.
> >
> > The GSMA's offer for collaboration in our BBS-based data integrity
> > specification is a significant vote of confidence in the ability of
> > Verifiable Credentials to provide the desired privacy enhancements for
> > the EU's Digital Identity programme. The resources that will become
> > available to the VCWG from this collaboration are to be considerable.
> >
> > I believe it would be appropriate for the VCWG to collaboratively form
> > a response for you to send, as this will give us the opportunity to
> > present the diversity of expertise that we possess as a group, and as
> > a result will best communicate to the GSMA which of our participants
> > are able to inform them in specific areas of interest. Considering the
> > saturation of our available meeting time, I suggest a CryptPad or
> > GitHub document could be used for this purpose in order to conclude
> > such drafting efficiently.
> >
> > Additionally, as a European myself and a keen advocate of the
> > Self-Sovereign Identity efforts, I would like to volunteer myself as
> > an individual who will be able to help guide their collaboration in a
> > way which is effective between the stakeholders (in this case,
> > primarily the W3C, IETF, GSMA, European Commission and of course the
> > citizens and residents of Europe who stand to benefit from this work).
> > I would be grateful if you could include my offer directly in your
> > correspondence with the GSMA's contacts.
> >
> > Best wishes,
> >
> > Sebastian
>


-- 


ORIE STEELE
Chief Technology Officer
www.transmute.industries

Received on Tuesday, 19 September 2023 14:16:10 UTC