[MINUTES] VCWG Barcodes and Data Integrity 2026-04-07 from meetings@w3c-ccg.org on 2026-04-08 (public-vc-wg@w3.org from April 2026)

From: <meetings@w3c-ccg.org>
Date: Tue, 7 Apr 2026 17:11:32 -0700
To: public-vc-wg@w3.org
Message-ID: <CA+ChqYdx53KDX2athX32chkwDJ8sXW7g3snM+=pK9aOKMLWFDQ@mail.gmail.com>
This meeting of the VCWG focused on organizational matters, the publication
process for working drafts, and technical considerations for Verifiable
Credential (VC) barcodes and data integrity. Key discussions revolved
around the process for publishing First Public Working Drafts (FPWDs),
including the administrative steps and the need for working group
resolutions. The group also addressed the technical aspects of post-quantum
hardening for VC barcodes and the privacy and security considerations for
these specifications, along with updates on the data integrity
specifications and their associated crypto suites.

*Topics Covered:*

   - *Meeting Organization and Time Slot Conflicts:* The group discussed
   the challenges of finding a suitable meeting time and the potential
   conflicts with other W3C community and working group calls, agreeing to use
   a poll to find a better slot.
   - *Process for First Public Working Drafts (FPWDs):* The requirements
   for publishing an FPWD were outlined, including the need for a group
   resolution and adherence to W3C publication guidelines, with the
   understanding that FPWDs do not signify final agreement but mark the
   initial official release of a document.
   - *Proposal to Move VC Barcodes to FPWD:* A proposal was made and
   contingently resolved to move the Verifiable Credential Barcodes v0.8
   specification to FPWD, pending a similar resolution from the full VCWG,
   with an aim to publish by mid-month.
   - *Data Integrity Specifications FPWD Process:* The group resolved to
   publish the base data integrity specification and EdDSA crypto suites as
   v1.1 FPWDs, contingent on a similar VCWG resolution, with the understanding
   that these initial FPWDs might be exact copies of their v1.0 predecessors
   to kickstart the W3C publication process.
   - *Post-Quantum Hardening For VC Barcodes:* The need to incorporate
   post-quantum hardening into the VC barcode specification was highlighted,
   with a proposal for a generalized fallback mechanism for key compromise
   defense, and acknowledgment that current post-quantum signature schemes may
   not fit within the size constraints of VC barcodes.
   - *Privacy and Security Considerations Guidance:* The group recognized a
   need to formalize the approach to privacy and security considerations
   sections in specifications, with a plan to invite a representative from the
   security group to clarify W3C's current guidance on threat modeling versus
   separate privacy and security sections.

*Action Items:*

   - *Schedule a Doodle Poll:* Wes and Elaine will organize and send out a
   poll to find a suitable meeting time for the group.
   - *Add Attendees to Task Force Mailing List:* Ivan Herman will add
   attendees who have provided their W3C email accounts to the task force
   mailing list.
   - *Inform VCWG of Barcode FPWD Proposal:* Wes will coordinate with Manu
   to disseminate the heads-up about the proposal to move the VC barcode
   specification to FPWD to the full VCWG.
   - *Invite Simone to a Future Call:* Phil Archer will invite Simone to a
   future call to clarify W3C's guidance on privacy and security
   considerations and threat modeling.
   - *Accelerate Handover of DI-Quantum-Safe:* Manu will suggest
   accelerating the handover process of the DI-Quantum-Safe work item from the
   CCG to this group.
   - *Review and Update DI-Quantum-Safe Spec:* Greg will continue to update
   the DI-Quantum-Safe specification, focusing on the security/privacy section
   and ensuring key sizes and signature lengths are clearly listed.

HTML:
https://meet.w3c-ccg.org/archives/w3c-vcwg-barcodes-and-data-integrity-2026-04-07.html

Video:
https://meet.w3c-ccg.org/archives/w3c-vcwg-barcodes-and-data-integrity-2026-04-07.mp4

[image: W3C] <https://www.w3.org/>
VCWG Barcodes and Data Integrity 7 April 2026 Attendees

Present

Benjamin Young, Dave Lehn, Dave Longley, Elaine Wooton, Greg Bernstein,
Ivan Herman, Kevin Dean, Manu Sporny, Parth Bhatt, Phil Archer, Phillip
Long, Ted Thibodeau Jr, Wesley Smith

Regrets

-

Chair

-

Scribe

transcriber
Contents

   1. Meeting Organization And Time Slot Conflicts <#02bf>
   2. Process For First Public Working Drafts <#9dec>
   3. Proposal To Move VC Barcodes To FPWD <#b2fb>
   4. Data Integrity Specifications FPWD Process <#cac4>
   5. Post-Quantum Hardening For VC Barcodes <#7ccd>
   6. Privacy And Security Considerations Guidance <#b3bb>
   7. Summary of resolutions <#ResolutionSummary>

Meeting minutes Meeting Organization And Time Slot Conflicts

Wesley Smith: Hey folks, Benjamin, do you know who is running this call

Benjamin Young: I do not has somebody chaired these in the past or…

Benjamin Young: have there been dedicated barcode calls in the

Wesley Smith: I don't think there have been dedicated barcode calls in the
past. Manu, I didn't think you were going to be able to make it. do you
know who's running this call today, Manu? Do you have somebody in mind?

Manu Sporny: you are or…

Wesley Smith: Okay, that's exciting.

Manu Sporny: lane you two are the editors that's typically the people that
run the calls.

Wesley Smith: All right,…

Manu Sporny: So, usually about 4 the hour,…

Ted Thibodeau Jr> FYI, this meeting slot collides with longstanding
Federated Identity Community Group (https://www.w3.org/groups/cg/fed-id/>)
and Federated Identity Working Group (https://www.w3.org/groups/wg/fedid/>)
calls. Might be worth reconsidering this new one.

Wesley Smith: sounds good. Yeah. how long should we wait before we get
started for folks to check in?

Manu Sporny: people trickle in by then.

Wesley Smith: So, I expect today is going to be largely process and talking
at a high level about the future. Manu, is that your expectation as well?

Manu Sporny: And I think we can, get agenda ideas from everybody. I've got
a couple before we start

Wesley Smith: And then Greg, are you running the data integrity half of the
call or who is running that?

Greg Bernstein: I Dan or…

Greg Bernstein: whoever else like to get involved. But I did put down some
notes.

Wesley Smith: Yeah, I'd be happy to run from a process perspective,…

Wesley Smith: but I don't have insight into the current state of that work
as you do.

Greg Bernstein: Okay. I put down is happening or…

Greg Bernstein: what's on the plate there.

Wesley Smith: Okay, Ted,…

Wesley Smith: I see your note in chat. Monty, you scheduled this call, I
believe. Was this a difficult to find slot?

Manu Sporny: No. I just picked it because it's the one that we had been
meeting on for another call. I mean, these time slots are incredibly
difficult. 10:00 a.m. and 11:00 a.m. Eastern are always conflict with
something else. So, …

Greg Bernstein: Thanks.

Manu Sporny: if there are folks that need to be at the federated,…

Manu Sporny: group calls, then let us know if it's a conflict for you
directly. it's just going to be impossible to find anything that works for
everyone, right? …

Ted Thibodeau Jr: Yeah, I recognize that to be the case,…

Ted Thibodeau Jr: but I don't know how many others might have the same
conflict. I will be bailing out on this one shortly and we'll be there.
Manu Sporny:

Manu Sporny: Plus one. we can send out another doodle poll and see what
people say and…

Ted Thibodeau Jr: Yeah, hopefully I'll see it. All right.

Manu Sporny: then go ahead Elaine you got your hand up but Wes I think Yeah.

Elaine Wooton: considered Monday also.

Elaine Wooton: Mondays just tend to be People travel or whatever, but that
was another slot that we considered. I think Manu was Monday at the same
time. So, I don't…

Elaine Wooton: if that's better or ask people

Manu Sporny: Yeah, we'll just send a poll out,…

Manu Sporny: it'll and see what for the folks that need to be on these
meetings, what works. And we've got 11 today. That's a pretty good turnout
for something as esoteric as barcodes and digital signatures. but yeah, how
about this? I have very little spare time these days. since Wes, Elaine,
Greg, y'all are kind of the lead editors for these things, y'all should
probably arrange and send the poll out and that sort of

Wesley Smith: Sounds Happy to do that. so we waited a few minutes. We have
a good number of people here.

Wesley Smith: Mont, you said you had a preliminary agenda that you wanted
to work off of today.

Manu Sporny: just some suggestions.

Greg Bernstein: What's that?

Manu Sporny: There are a number of administrative items we should cover. so
that would be just an agenda plus for those administrative items like the
specs moved over, what's our work mode? we need to talk about publishing a
first public working draft and see what the timeline for that is. We need
to establish, the timeline that the group believes they're on, things high
level things like that for both the barcode spec and the quantum safe data
integrity suite as well as the other data integrity things.

Greg Bernstein: I'm sorry.

Greg Bernstein> (a) DI spec update plans: moving selective disclosure
functions -- https://github.com/w3c/vc-data-integrity/issues>, (b)
DI-Quantum Safe -- Quantum-Safe Cryptosuites v0.3
<https://w3c-ccg.github.io/di-quantum-safe/> updated, working
security/privacy. Main issue BUFF features -- BUFFing signature schemes
beyond unforgeability and the case of post-quantum signatures
<https://eprint.iacr.org/2020/1525> (cited by NIST), (c) Selective
disclosure for quantum safe signatures with larger signature sizes (or
higher computation costs). (d) BBS status.

Wesley Smith: Okay, that sounds good.

Wesley Smith: And thank you for the reminder. I need to get an IRC myself.

Manu Sporny: Just to be clear, we don't use RC for this call.

Wesley Smith: Sorry. okay.

Manu Sporny: when we're auto transcribing and auto recording.

Wesley Smith: What is the agenda plus mechanism you're referring to?

Manu Sporny: I'm saying I'm requesting those items be added to the agenda
to the people that are running the call, which would be you and Elaine and
Greg. And you can say,…

Wesley Smith: Understood. That sounds good.

Manu Sporny: "Nope, we're not going to talk about that today.

Wesley Smith: Ivan, you have your hand up.

Ivan Herman: Yes, I have still on the practicalities. I don't know from the
top of my head, but I can look it up. Who of you are already officially on
the task force?

Wesley Smith: Hey,

Ivan Herman: I know you Was Lea, Greg, Manu, I'm sure probably Ted and
myself and Phil Archer and Brent. The others may not. please send me an
email with your email account that you use on W3C and then I will put you
on the list. And that means that for example and if anyone else whom you
take the responsibility of putting him or her on the list then send me that
as well.

Ivan Herman: There is a mailing list which is task force specific that you
can use to do things like setting up the dial in details and timing etc.
yeah that's it. So please give me your credentials to be able to do that.

Wesley Smith: Okay, thanks Greg, sorry. Did I interrupt you?

Greg Bernstein: Nope. Nope.

Wesley Smith: Okay, excellent.

Greg Bernstein: I guidance for the DI part of the call in the chat.

Greg Bernstein: Wait, that's for the DI portion. Wesley Smith:

Wesley Smith: Okay, that sounds good. all right. So, with respect to some
of the process items that you mentioned, Manu, can you or Ivonne or
somebody else speak to what is required in order for first working drafts
for these documents to be released, specifically the VC barcodes and data
integrity specifications?

Ivan Herman> For info, this is the list of current participants Participants
| VC Barcodes and Data Integrity | Task Forces | Discover W3C groups | W3C
<https://www.w3.org/groups/tf/vc-bcdi/participants/>
Process For First Public Working Drafts

Manu Sporny: So we would need to resolve to publish them. the first public
working draft is kind of the first official document that we are publishing
as a group. It doesn't mean we agreed to all the content in it. it doesn't
mean any of that stuff, but we just kind of need to get a document out
there on what's called the technical report space at W3C. usually what
happens is someone makes a proposal to publish a first public working draft
of for example the VC barcode spec we have to pick a short name like
barcodes which is the current short name and then we'll see some discussion
and a bunch of pluses or minus1's or whatever to publish.

Manu Sporny: We can also decide it's too early and people want to review
the document before we publish an FPWD. once that's done presuming that
people are supportive of publishing the first public working draft then
there is a process that Avon performs to raise a request and do the
publication and that sort of thing. I'll also note that there's a
publication moratorum coming up towards the latter part of this month.
which basically means we can't publish anything during that time frame. but
that's it from a first public working graph perspective. I think the only
one we're ready for FPWD on is VC barcodes. The data integrity stuff we can
talk about. Greg, I don't know if you feel like we're ready there.

Manu Sporny: There's the postquantum suite which we might discuss today
isn't even moved over from the CCG. So we have to have a discussion about
that. it is one of the things we could work on but it hasn't been moved
over yet.

Manu Sporny: So I'll just stop there. That's kind of some of the
administrative background on what we'd need to do for an FPWD.

Wesley Smith: Yeah, thanks.

Wesley Smith: And sort of quick question,…

Wesley Smith: apologies for my ignorance, but if we're not using IRC,
what's the mechanism by which we take a consensus vote? Just the Google.
understood.

Manu Sporny: you can use chat just put it in the chat channel it would be
and…

Manu Sporny: I'm not saying do this now but we use all the same commands we
use in IRC so you would do all caps proposal colon and then the proposal
which would be like publish VC barcodes as a first public working draft
using the barcodes shortname right as an example and then the rest of us
would plus one minus one whatever that in the chat channel. and then if
there's consensus you put resolved or…

Manu Sporny: resolution all caps colon and then the exact same thing again
if there were no modifications to it.

Wesley Smith: Understood. Thanks.

Wesley Smith: Ivon, you have your hand up.

Ivan Herman: Yeah. …

Ivan Herman: one thing that I think Manu did not say but the document
itself may need some care to be along the publication guidelines of W3C. So
that may require some editing. I haven't looked at this document yet so I
don't know in which state it is now but usually there are minor things that
have to be done to the respect preamble to be correct. it has to go through
the pub rule checkers which will shout at you if something is not correct.
you have to go through HTML.

Ivan Herman: You have a pub rule checker that will tell you whether the
HTML is correct or not. You have a link checker. So, there are some
mechanism that have to be followed before it can go to publication.
actually be preferably before I raise the issues for transition requests.

Wesley Smith: Thanks, Savon. So, just to be clear,…

Greg Bernstein: Okay.

Wesley Smith: those things are things that can happen after the group votes
on moving to first working draft.

Manu Sporny> I can help w/ all the pubrules stuff :)

Wesley Smith: All right. thanks very much, Phil.

Ivan Herman: This is correct.

Phil Archer: Thank you.

Phil Archer: Task forces have a lot of agency and can do all sorts of
stuff. you can resolve to change this and accept that merge request or
whatever it can be. When it comes to things like resolving to do a first
public working draft, that needs to be a full working group resolution.
same for candidate reckoning, that kind of transition. so I would ask that
if this task force resolves to go to first public working drop which is
completely uncontentious and everyone hopes it's going to happen that's
going to be contingent on the same resolution being taken at a full working
group meeting on Wednesday and please let the group know in advance hey
this week we're going to be asking you to we want to transition this
document here to first of all the working draft candidate record whatever
it may

Phil Archer: The group needs a bit of advanced notice. given that today is
the first working day for most Europeans since Thursday, if you want to
send it out today saying we're going to put it on the call for tomorrow in
the task force section, that's fine. I'm not going to worry about that. But
it does need to be a working group,…

Wesley Smith: Absolutely. Thanks, Greg.

Phil Archer: an all working group resolution to make a document transition.
Please

Greg Bernstein: Ivan could you somehow send us up to those various checks?
I've been cleaning up the safe stuff and it had a lot of different authors
and so there's a lot of things that I've fixed but as I'm going through and
get getting in shape. So I may not have used the right such like that. So
if you could kind of send a link chat run those sooner and…

Greg Bernstein: fix those things. Yes.

Ivan Herman: Greg, I think you were addressing me.

Manu Sporny> Your audio is dropping pretty badly Greg -- can still
understand you, but it's difficult.

Ivan Herman: As money put it on IRC, the audio was pretty bad. but I think
I got the sense of it. But I believe that Manu has already proposed to help
with the Pabru stuff. So you will get the right help at the start. And if
money for whatever reasons is out of circulation, then I can jump in as
well. But it's better…

Greg Bernstein: What's

Ivan Herman: if he does it because he knows better I haven't seen the
document at all yet, which is my fault to be honest.

Phillip Long> Sounds like vox is clipping the audio

Wesley Smith: Thanks everybody for useful perspective and feedback. I guess
at this point I would like to move to talking specifically about the VC
barcode specification and moving that to FPWG. so does anybody else have
any points they'd like to make about process or guidelines we should follow
here? Anything along those lines? Hearing none. so before I put forward a
proposal in front of the group, I'd like to open up the floor to talk a
little bit about the V VC barcode spec specifically. so I'm one of the
authors and editors of that specification.

Wesley Smith: I believe the specification is in the shape required to be a
first public working draft. It is not finalized but it's in pretty good
shape both the kind of informative and normative aspect of the
specification. I think that I don't see any reason why we would not want to
entertain a proposal to move it to first working draft today. but I'd be
happy to hear if anybody has a different perspective then hearing none, I
will type up a proposal in chat. I suppose I should link to how should I
indicate or…

Manu Sporny: You can include a link or you can just name it. It should be
pretty clear which one we're talking about. But including a link to the
actual spec.

Wesley Smith: to not be circular with a short name or something.

Manu Sporny: Barcodes. I can try to get that.

Wesley Smith: I got it.

Wesley Smith: Is the correct link or does it matter? the SER page github.io
link.

Manu Sporny: You can use the served page. So, this one. That one's probably
good.

Wesley Smith: Okay, bear with me folks. Thanks for your patience.

Wesley Smith: Does that look about what folks are expecting or…

Manu Sporny: Yeah, that looks good at you can put whatever you want to in a
proposal.

Wesley Smith: contingency? The claus is legal in proposals.

Manu Sporny: And then if we don't see any minus ones then it's basically
copy paste the same text but you put resolved or you can also put
resolution in the same Text.

Wesley Smith: Right. is Phil Archer, I'm going to call you out specifically.

Manu Sporny> Verifiable Credential Barcodes v0.8
<https://w3c.github.io/vc-barcodes/>

Wesley Smith: Is this compliant with…

Wesley Smith: what you were suggesting?

Phil Archer: very happy.
Proposal To Move VC Barcodes To FPWD

Wesley Smith> PROPOSAL: Move the Verifiable Credential Barcodes v0.8
<https://w3c.github.io/vc-barcodes/> specification to First Public Working
Draft, with short name "vc-barcodes" contingent on a similar resolution
being passed by the full VCWG.

Phil Archer: Yes, of course. Yes. Yes. Yes. I don't want to be an ogre. I'm
just trying to make sure all the eyes are dotted. Sorry. No.

Manu Sporny> +1

Wesley Smith: No, no, no. you raised an excellent point. I want to make
sure that what we're doing here lines up with that.

Ivan Herman> +1

Phil Archer: Spot on. Thank you.

Phillip Long> +1

Wesley Smith> +1

Dave Longley> +1

Wesley Smith: All seeing lots of plus ones and no minus ones, I'm going to
go ahead and…

Greg Bernstein> +1

Parth Bhatt> +1

Wesley Smith: call that contingently resolved. Manu, I will chat with you
probably offline about how to disseminate the heads up about the proposal
to the VC working group. so, Ivon, go ahead.

Ivan Herman: Yeah, I mean something that it's worth discussing think now is
the timing of all this.

Dave Lehn> +1

Benjamin Young> +1

Ivan Herman: I'm looking at the calendar here and we have to know that the
publications for these kind of drafts happens on Tuesdays and Thursdays.
this is when we can publish something like a first public workinging draft
and before that I have to get a transition request in and it has to be
approved. So there is an administrative step to do we get the I'm thinking
out loud here.

Ivan Herman: We have the resolution probably hopefully tomorrow. I can
raise the transition request tomorrow evening or on Thursday at the latest
Friday. Maybe we get a plus one. We were surprised Manu and I to have a
very quick turnaround with the VC draft last time. So maybe it happens
again. There are wonder it is not impossible to get it published on the
16th of Thursday but it's close to a wonder if we can. manu you will take
care of the final version of the document with changing dates etc. Yeah.

*RESOLUTION:* Move the Verifiable Credential Barcodes v0.8
<https://w3c.github.io/vc-barcodes/> specification to First Public Working
Draft, with short name "vc-barcodes" contingent on a similar resolution
being passed by the full VCWG.

Dave Longley> ^this text doesn't get saved, though, right? do we have a
tool that will parse and save it later if we want?

Manu Sporny: Yeah, I'll work with Wes. I'd say let's try for the date and
if it doesn't happen, that's fine. We can just update the date.

Ivan Herman: So we can try for the 16s and if it is not that one then it
will be the 23rd or the 28. That's just for the records. We will try to
wait go for the next week, but promises.

Elaine Wooton> +1

Wesley Smith: All right, that sounds good. Thanks folks. All right. with
that out of the way, I guess maybe Greg, I'll pass it over to you. I don't
know if there are any process or similar items you wanted to do with the
data integrity specification before we move over to more technical items.

Manu Sporny> The text gets saved now

Greg Bernstein: That's easy.

Manu Sporny> (and integrated into the minutes)

Dave Longley> oh, ok, good to know, thanks!

Wesley Smith: Manu, you have your hand up.

Manu Sporny: Just real quick for the barcode spec. over the last week, Avon
and I moved it over to the repository, updated the respec headers, aligned
the editors with the current editors, and did I think everything we needed
to get it into shape. So just reporting that we think it is in good working
group shape at this point and the expectations are the FPWD will go forward
and then Avon and Avon has to set up Akidna which is the autopublisher
mechanism which then means that any new change that we push to the main
branch for the spec will automatically be pushed as a working draft

Manu Sporny: to the technical report space at W3C. So, it kind of automates
the process and makes it really easy from then that point on. we'll have a
chance to talk about that in upcoming meetings, but that's kind of just to
set expectations. We're on a good trajectory with the end. That's it.

Wesley Smith: All right, thanks very much. Greg, over to you. Anything you
want to talk about process-wise for data integrity?

Greg Bernstein: process wise.

Greg Bernstein: We have a few different types of things going on. We've had
a desire to refactor and clean up some of the existing specs.

Greg Bernstein: So is right now all our selective disclosure function
actually defined in the ECDSA crypto suite spec and those are actually
reused by the BBS as we'll see we're going to probably want to reuse some
of with the postquantum stuff. So, kind of upgrading or I'm not sure
exactly how that in a set of issues about that suggestions back like
January.

Greg Bernstein: Then we have the quantum safe. So part of the process was
how do you know these are very different things updating and…

Greg Bernstein: one is new specs. Wesley quite …

Wesley Smith: Yeah, thanks.

Wesley Smith: I just wanted to know that your audio is cutting out quite
badly, so I was going to suggest that interest of having kind of functional
meeting minutes, maybe after you finish, you could type up a brief overview
of what you were saying in the chat. but yeah, that was it. I didn't have
anything to say directly about the points you were making.

Greg Bernstein: this is bad.

Greg Bernstein: I've not had audio problems before.

Wesley Smith: It almost sounds like you're using a microphone with some
very aggressive noise suppression on it.

Wesley Smith: It's kind of hard to tell.

Greg Bernstein: H I'm gonna talk.

Greg Bernstein: Does that help? I did upgrade my OS so I apologize. I
haven't had problems like this before. So I will investigate mic.

Wesley Smith: Manu, go ahead.

Benjamin Young> Sounds more like lag

Manu Sporny: Right. So on the data integrity specs and the quantum safe
specs. So, just to kind of recap what Greg said, the data integrity specs
are version 1.1 specs, we're supposed to be in maintenance mode with them
with a caveat that we can add new things related to security issues, and we
can make editorial e changes.

Manu Sporny: The stuff Greg mentioned about refactoring it and moving the
selected list disclosure algorithms from the ECDSA spec to the core data
integrity spec so that we can then reuse them across a bunch of different
specs. those changes I'll assert are editorial changes, it is a pretty big
kind of restructuring, but We're not removing features. We're just changing
where the content's going. so I suggest it's important to make those
changes. It's a good cleanup. I suggest we make those changes as quickly as
we can and then reuse it.
Data Integrity Specifications FPWD Process

Manu Sporny: Which means that we are going to want to propose FPWDs for
data integrity, EDDDSA, at least just those three. We can't do the quantum
safe one yet because that spec is still in the CCG. It has not been handed
over to this group yet. So, we would need to have a separate discussion on
when the timing for that is and all that kind of stuff. We should talk
about the new Google announcement that they moved up their quantum safe,
deadline. There's been some scary postquantum security papers published in
the past two months that we think Google's acting on.

Manu Sporny: So we may want to have a little bit of that discussion. But
maybe what would be good is for us to just get FPWDs for the data integrity
version 11 one specs done and…

Manu Sporny: then we can talk about what to do about the quantum safe
thing. That's it.

Greg Bernstein: So that means Manu,…

Greg Bernstein: we would have to refactor documents ready to go.

Manu Sporny: We can make a proposal and…

Dave Longley> do we still need to move di-quantum-safe to w3c github space
and should we also vote to do a FPWD when that's done?

Manu Sporny: resolution that we're going to do it and…

Greg Bernstein: Okay.

Manu Sporny: then we can refactor. I don't know. I thought the refactoring
had already been done if let me put it this way. It would be good for us to
do an FPWD because we have to do that no matter what. And if the
refactoring is in there, If it's not, and there's still some work that
needs to be done, that's also fine.

Greg Bernstein: Ivan's got his hand up.

Manu Sporny: But let's get the FPWDs out, I guess, is what I'm trying to

Wesley Smith: Please. Yeah.

Ivan Herman: May I Wes?

Ivan Herman: I have one sort of technical comments and then another which
is more administrative. The technical thing that for the refactoring I am
all in favor of it. So that's not the issue. But we had a slightly similar
issue coming up. I may be wrong, but I believe it was on the that the
render method task force was referring and using an algorithm which was in
I think it was the ECDSA but I am maybe the EDDDSA.

Ivan Herman: Dave will remember that I sume. so that was also then
discussed that we should take it out and put it in some other place because
it looks odd for a render method to refer to a crypto suit when it is not
talking about crypto at all. So that should probably be done together
unless what you propose Greg already covers that I don't know the technical
details about all that. the other thing which is much more administrative
I'm sorry but that's also my job. is it so officially that this task force
will take care of the maintenance of the DI and the DIP spec and the crypto
in general?

Ivan Herman: It's But then I will have to add some things to make it sure
for the task force description that this task force takes care of those as
well as Okay.

Wesley Smith: money.

Manu Sporny: I believe the answer to that is that this group would handle
maintenance and the quantum safe DI crypto suites. Yes, correct. Yeah.
Yeah. everything all the DI specs this group as well as Marcus.

Ivan Herman: That's fine with me. I didn't realize that. So, I will take
care of that. I don't know this week.

Manu Sporny: On your other point Avon plus one to what you're saying yes we
have stable links to the 10 specs, right? So we're not going to destabilize
anything by moving these things around. We're going to, all of the changes
that we're talking about are in the new specs, not in the old specs.

Benjamin Young> it's in ECDSA

Manu Sporny: So we're talking about one specs for all the maintenance specs
and version 10's for the barcode and quantum safe specs. so I think that's
fine and we can make those changes over time. I don't think there's any
sequencing issues that we have right now. I will also mention that the VC
barcode spec has a crypto suite in it as well and that is also weird. and
we may want to move that into the data integrity ECDSA crypto suite,…

Manu Sporny: but there's a kind of a question mark there around are we
allowed to do that? I'm thinking probably but we should kind of talk about
that in a future call. if we can't do it, then we just leave it in DC
markets, so that's the fall back position.

Ivan Herman: For once,…

Benjamin Young> specifically Data Integrity ECDSA Cryptosuites v1.1
<https://w3c.github.io/vc-di-ecdsa/#selectjsonld>

Ivan Herman: putting the administrative aspect aside for a moment. isn't
there a danger that it will turn the DIP spec into a huge monster which
will be very difficult to maintain and would it be an option we can see the
administrative things later to have it as a nor separate document I don't
know DI algorithm or whatnot I just

Ivan Herman: don't remember now all the details and I don't know how much
it will increase the size of the DI but the DI is already a pretty big one
just wondering Mhm.

Wesley Smith: Money.

Manu Sporny: the stuff for so I think it'll be fine meaning the DIP spec I
don't remember it the ECDSA one is big that's the big one right and…

Manu Sporny: and we are talking about moving one of the big algorithms from
ECDSA to the DIP spec spec. I don't think it'll be unwieldy. I think having
yet another DI spec would be more unwieldy.

Ivan Herman: Okay. Just

Manu Sporny: The other thing we're talking about moving is the ECDSA
signature algorithm from barcodes to the ECDSADI crypto suite. Meaning the
algorithm in barcodes would move to the o The refactoring that Greg is
talking about is moving the selective disclosure generalized algorithms
into the core DI spec.

Manu Sporny: So I think we're okay with the current specs that we have.

Ivan Herman: There is an entry in the charter…

Manu Sporny: The only question is the fairly esoteric one around are we
allowed to move a crypto suite from a work item that we have adopted in the
working group into a maintenance specification. up. Yeah,…

Ivan Herman: which said we are allowed to touch the document when there's a
security issue coming up and b I don't remember the exact formulation but
when it is necessary for the newly adopted documents to be finalized or
something of that amount.

Manu Sporny: it's supportive of work that the group has taken on or
something to that effect.

Ivan Herman: Yes. …

Ivan Herman: this is a bit of a borderline, but I don't think that it will
be a big problem.

Wesley Smith: Okay, thanks folks.

Wesley Smith: Going back to the broader agenda were any of the points
discussed about actions that need to be taken for the various data
integrity works. Does anything need to happen today or is anybody hoping
that things will happen today to that effect or is that in the near future?

Wesley Smith: Okay.

Manu Sporny: I think ideally we propose to publish the base data integrity
spec in EDDDSA as version 1.1.1 First public working drafts.

Wesley Smith: Greg, do you want me to handle this pushing the buttons?

Wesley Smith: All Can you go ahead and drop me the links I need then in the
chat? Dave, go ahead. Okay.

Dave Longley: I was going to wait until after. we should consider doing a
proposal to also publish first public working draft of the quantum crypto
safe suites once it's moved over from CCG.

Dave Longley: We could just do the vote, I would think. but there's still
work that has to

Ivan Herman: I would prefer to do that when it has been moved and…

Ivan Herman: and pushed it into the bin at the working group level so to
say. let's not push things. if people want to kick us in the backside and
don't give them the possibility

Dave Longley: Okay.

Greg Bernstein: I have a little pro u process right now. The 1.1 specs and
the crypto suites haven't been changed much. You're saying we do this first
public E1 ones even…

Wesley Smith: Morning.

Greg Bernstein: though they don't look that different from the ones. I'm
trying to understand the process here.

Manu Sporny: Yes, one can be an exact copy of the version 10 spec. All
we're doing is we're kickstarting the W3C process so that we get them
published. There is a clear announcement to the public we have started the
111 work. it kickstarts the patent and IPR commitment stuff. it kickstarts
Akidna autopublishing. By doing an FPWD, we're like setting all of those
things up. But the delta between the 10spec and…

Greg Bernstein: That also helps.

Manu Sporny: the 11 one can be zero, right?

Greg Bernstein: Am I changing if I go start moving algorithms from one spec
to another because that was part of the thing it's like I can start right
out…

Wesley Smith: Am I on?

Greg Bernstein: but yeah it was like I can't mess with one so yeah okay if
we have the one's official number

Ivan Herman: Yeah. …

Ivan Herman: if we decide to publish it quickly, then it's better to have a
stability of the document, Greg. So, keep your horses and wait until it's
published as I want one and then you can do whatever you want. but I put in
a request with a document which is on GitHub. I don't want it to change
until it is officially published.

Manu Sporny> Verifiable Credential Data Integrity 1.1
<https://w3c.github.io/vc-data-integrity/> Data Integrity ECDSA
Cryptosuites v1.1 <https://w3c.github.io/vc-di-ecdsa/> Data Integrity EdDSA
Cryptosuites v1.1 <https://w3c.github.io/vc-di-eddsa/>

Greg Bernstein: That sounds great. Yes. Yes. and…

Wesley Smith: sounds good.

Wesley Smith: All right.

Greg Bernstein: I'm highly constrained as to what we can do under the
charter.

Ivan Herman: You can do everything you want on your machine. Just don't
commit it.

Wesley Smith: All right, sounds good. Couple things. Number one, I expect
this is also a resolution that we want to be contingent on a similar
resolution being passed by the full working group. number two, could
somebody please give me the existing short names for the 1.0 versions of
these specifications tell me if they should be different, but I expect they
should be the same.

Ivan Herman: Yes.

Wesley Smith: And if they should be the same what they are. Okay.

Manu Sporny: That was an excellent I totally forgot. we are going to need
new short names of So VC data integrity-1.1 and then 1.1 and then 1.1.
Those are the short names I think we want.

Wesley Smith: There's a word missing in there. Specifications is missing.
I'll run it back. Can I delete that or can I just ignore that? Okay.

Manu Sporny: If it's editorial you can change it in the resolution.

Wesley Smith: I'm only seeing about half the people voting. If we could get
some more, plus ones, zeros if you don't know or don't care, minus ones if
you do care, don't like it. All right, that's pretty close to the number of
folks on the call.

Manu Sporny> vc-data-integrity-1.1 vc-di-ecdsa-1.1 vc-di-eddsa-1.1

Wesley Smith: So I'm going to go ahead and call that resolved and Manu, we
will roll this update into the existing update about the other resolution
that needs to happen on the group call. What was missing? the word that was
missing. Specifications 1 fresh. Okie do. Thanks folks. any other process
stuff that needs to be done? if there is not other process work that needs
to be done, I'd be happy to spend a little bit of the rest of our time
today kind of doing a temp check on the VC barcode spec, talking about
where I think it is, what I think we need to do with it, that sort of thing.

Wesley Smith> PROPOSAL: Publish the https://w3c.github.io/vc-data-integrity/>,
https://w3c.github.io/vc-di-ecdsa/>, and Data Integrity EdDSA Cryptosuites
v1.1 <https://w3c.github.io/vc-di-eddsa/> as v1.1 First Public Working
Drafts with short names "vc-data-integrity-1.1", "vc-di-ecdsa-1.1", and
"vc-di-eddsa-1.1" respectively, contingent on a similar resolution being
passed by the VCWG.

Wesley Smith: All right, hearing I will say some words about barcodes. I
can share my screen as normal in these calls, It's recorded, but I can
Okay, let me go ahead and do that. Can everyone see my screen? And also am
I streaming the issues list of VC barcodes?

Manu Sporny> +1

Manu Sporny: Yes. Yep.

Elaine Wooton> +1

Wesley Smith> +1

Greg Bernstein> +1

Phillip Long> +1

Wesley Smith: So I'll briefly talk about what issues are currently
outstanding and what the delta is between what the issue list is and where
we need to be as I understand it. And then Elaine you raised a couple of
issues a few days ago.

Ivan Herman> +1

Dave Longley> +1

Wesley Smith: if you can briefly say a couple words about those issues and
that sort of thing. So there are a handful of issues on the specification.
most of them are small and editorial or they are sort of polished. So there
are a lot of things like improve the examples and the test vectors and
things like polishing extension points things like allow PDF47 barcode
types beyond AMPA driver's license. Obviously we don't want to overly
couple the design of the specification to our current use cases and so we
want to make sure that we're providing the appropriate extension points and
so on and so forth. these are fairly small.

Benjamin Young> +1

Parth Bhatt> +1

Dave Lehn> +1

Wesley Smith: With that said, there are a couple items that will require a
bit more work. some of which are what Elaine directly raised a couple of
days ago. So, Elaine, do you want to briefly talk about this issue you
raised about postquantum Yeah,…

Elaine Wooton: That one I think we put in there because you and I talked
about it, but obviously we need to either address it or it needs to be
addressed somewhere else and referred to, right?

*RESOLUTION:* Publish the https://w3c.github.io/vc-data-integrity/>,
https://w3c.github.io/vc-di-ecdsa/>, and Data Integrity EdDSA Cryptosuites
v1.1 <https://w3c.github.io/vc-di-eddsa/> specifications as v1.1 First
Public Working Drafts with short names "vc-data-integrity-1.1",
"vc-di-ecdsa-1.1", and "vc-di-eddsa-1.1" respectively, contingent on a
similar resolution being passed by the VCWG.
Post-Quantum Hardening For VC Barcodes

Wesley Smith: So, as Manu alluded to, quantum is coming. We have known this
for a long time. signals from the research and industry communities seem to
suggest that it is somewhat accelerating the pace at which we are
approaching a cryptographically relevant quantum computer.

Wesley Smith: And so I think it would be good for us to get at least some
sort of postquantum hardening feature into the VC barcode spec before it is
its V1.0. if it gets a recommendation and so on. But while we're developing
the spec before it is standardized, we should at least get some sort of
postquantum hardening in there. we've talked a little bit about what this
might look like and I think we can actually usefully generalize the
addition of such a feature to be not at all quantumspecific but instead be
a fallback mechanism for defense against key compromise.

Phil Archer> (I'll remain neutral on such votes. Not that I don't care, I
do, but those decisions are for the specialist task force members to make).

Wesley Smith: And this key compromise might be in the form of quantum
computers allow you to do forgery which is effectively a key compromise for
digital signatures or it could be an actual key compromise right somebody
breaks into some hardware enclave somehow and steals your key. So that is
the only kind of major feature that I know of today that we probably want
to work through and add in this group. Elaine, you also had raised an issue
about adding privacy considerations. that's an excellent point. right now
there's basically a hole in the specification where privacy considerations
go and as you point out there are aspects unique to this particular medium
that we need to talk about.

Wesley Smith: you can read a barcode with a optical scanner or a powerful
camera or something to that effect that you can't do with lots of the ways
in which verifiable credentials are used. so that's sort of it. I think
there's a fair amount of polish and updating. There is one major
outstanding feature that we need to do some design and testing and
implementation around which is how do we add an effective key compromise
hardening mechanism. and then there's a lot of editorial stuff. sorry I've
been tabbed out for a million years so I've missed hands.

Wesley Smith: Elaine you have your hand up.

Elaine Wooton: Yeah. …

Elaine Wooton: I just want to add just part of the reason that I'm
participating is that I've got a pretty idea what's going on, in the
implementation zone for this stuff. And I'll tell you whenever I talk about
any kind of barcode that's cryptographically signed, somebody in the
audience says postquantum. So it's got to be in there because that's what
people are interested in. and then the other issue that people always ask
about is the privacy consideration. So obviously when you all worked on
this before, you knew that was a gap that we needed to fill, but I'm just
saying that's an issue for sort of regular people driving up to this spec.
These are issues that they raise anyway.

Elaine Wooton: So we need to address them.

Wesley Smith: Yeah, heard and…

Wesley Smith: your perspective coming from those communities is really
useful as we put this spec together. Manu, go ahead.
Privacy And Security Considerations Guidance

Manu Sporny: Yeah, plus one on that. a couple of random thoughts. I'll
start with the privacy considerations So Phil Avon, this may be a question
we want to raise on the main call. I specifically wrote the security group
and ping and I was like I thought we were doing threat models. Now, we're
just going to do a threat model and we're going to say and point the
privacy and security considerations section over to the threat model which
is supposed to cover the privacy and security considerations for the
system. and Simone and I went back and forth a number of times. I asked the
question, I feel like in three different ways, and I'm not getting a clear
answer back.

Manu Sporny: I thought the new specs we were doing could only have a threat
modeling section in it and it would address privacy considerations and
security considerations. but what I got back was you could do it in a whole
bunch of different ways which is not the type of guidance we want. I don't
know if we need to find out are we the worst possible answer that could be
provided to us is no you are now doing a threat model and you're doing a
privacy consideration section and you're doing a security consideration
section at which point I'm kind of like those are duplicative of each
other. I don't know what we're doing.

Manu Sporny: I don't know what the whole purpose of, W3C going with threat
modeling was if we're adding that as yet another thing we have to produce.
I think we can answer all the questions with the threat modeling section. I
think it is the right direction for W3C to take. I would like the VC
working group at this point to ask officially to the security group and the
privacy group, you need to tell us exactly what you want because we're
getting ready to do a lot of work and we don't want to do the work and then
have to throw it out. That's it.

Wesley Smith: Greg, you have your hand up.

Greg Bernstein: the updated quantum safe spec. I made sure I links of
signature are shopping for a post cryptography signature. You can look at
the di size of those keys and signatures and the bill. And you can also see
which ones are more for Very nice small signatures, but one of the less
mature one, MLDDSA and things like that. so it includes that information so
it's easier for people to find.

Wesley Smith: Okay. Thanks. You had some audio issues, but I think I caught
the gist of what you were saying. fail you have your hand up.

Phil Archer: Yes,…

Phil Archer: thank I just want to respond to Manu. I don't know the answer
to your question, and Ivan hasn't put his hand up, but suggests he hasn't
got a clear idea either. It's possible Brent does know, but what I'm going
to suggest next time I speak to Brent is that we invite Simony to one of
our calls and he answers you directly and gives us a clear answer. Would
that be okay?

Phil Archer: Okay, that's Yes,…

Wesley Smith: That's a great idea and…

Wesley Smith: it also removes the need for my next question which is what
we're actually going to do about that. So you are handling inviting Simone
to one of Excellent.

Phil Archer: I will. Yeah, sure.

Wesley Smith: Thank you very much l. I'm down deep in the call stack again.
What are we talking about? we were talking about VC barcodes. Man, you
raised the general point regarding privacy and security considerations that
we need to formalize exactly what that needs to look like in these
specifications. Okay, I think that's all outstanding points resolved. I
have gone over the discussion I wanted to have about the sort of temp check
for VC barcodes. what do these calls wrap up at 5 minutes to the hour or on
the hour?

Manu Sporny: your prerogative, but usually five tilts.

Wesley Smith: All so Greg, I will hand it over to you. Do you got three to
five minutes? Do you want to say anything else about the specifications
that you're working on?

Wesley Smith: What needs to be done? Anything like that?

Greg Bernstein: Yes. on the DI quantum safe,…

Greg Bernstein: please take it's been uped extensively. It's got a lot more
helpful information and it's got a full suite of effects that nobody else
has checked against yet. It also has spies refactored way of e of the
algorithms that may be helpful in others.

Greg Bernstein: I am currently working on the privacy and security
consideration sections and u some of that's similar to what happened with
EDDDS extented features security features a list of topics and things like
that and that's about it. I will get a microphone.

Wesley Smith: Man, go ahead.

Ivan Herman: I'm sorry,…

Ivan Herman: Greg. I just

Manu Sporny: Yeah, Greg,…

Manu Sporny: it sounds more like a network stack issue to me, you're
dropping packets. not necessarily audio hardware, but we're all guessing.
on the quantum safe crypto suite. we remember it's the CCG work item still.
We have no authority over that document until it's handed over to us. I
think we should accelerate the handover process. plus one Greg asked people
should look at it and review it. Greg's done a bunch of really good work
lately just updating test vectors and becoming really clear about all of
these things.

Greg Bernstein> The DI-Quantum-Safe spec now has key sizes and signatures
lengths explicitly listed for ease of use.

Manu Sporny: But we need to make a decision on whether or not we want to
pull that work into this group sooner than later given the new postquantum
time frame. I would suggest we pull it in so that we just signal very
clearly, hey, we're working on this nobody needs to freak out. We're aware
of the timeline and we've got some good solutions already in place. I will
also mention that the barcode postquantum signature thing is not as simple
as it sounds. even if we use the smallest postquantum signature on the
driver's license solution it will not work for the size constraints that we
have.

Manu Sporny: We have to basically fit the entire verifiable credential
including digital signature in something like Wes correct me if I'm wrong
here but 145 to 185 bytesish and so we need a different kind of solution
for it what Wes mentioned we have a solution we have a design for a
solution and it doesn't use bleeding edge new cryptography or anything like
that but we shouldn't think that the quantum safe crypto suite solution is
going to work for every barcode. It'll work for some of them, but not for
all of them. but sorry, going back to the original, I think we should pull
in the quantum safe thing. Maybe during the next meeting and the meeting
after that, we make a resolution and I think that might be something that
the main group needs to make a resolution on. that's

Wesley Smith: Avon, your hand up.

Ivan Herman: Yeah, I'm more back to the administrative things or…

Ivan Herman: partially. First of all, I have made a screen dump of this
call and I will put everybody who is on the call on the task force list so
you can assure it will happen. I have a question to Greg. what is the
status of Because we have as part of the charter the point of finalizing
whenever BBS is ready.

Ivan Herman: And I get questions sometimes that I don't have an answer on
what's going on with that.

Greg Bernstein: I'm going to Try talking here.

Greg Bernstein: You can hear PBS. We are waiting for CFR C panel review to
finalize.

Greg Bernstein: We are updating the extra specs that provide some of the
extra features we want. So we are waiting for essentially.

Ivan Herman: So that's the status I always answer and…

Ivan Herman: I am not wrong. Okay. that's good.

Wesley Smith: All we are about out of time folks. Thank you all for being
here. and looking forward to getting into some of these work items in
earnest. I will see you all next time.

Elaine Wooton: Thanks. Bye.

Wesley Smith: Yeah, thanks. Manu, any buttons I need to press to end the
call?

Manu Sporny: Nope. It's all automatic.

Wesley Smith: All right. Thanks so much, folks. Talk to you next week.
Meeting ended after 00:59:17 👋 This editable transcript was computer
generated and might contain errors. People can also change the text after
it was created.

Phil Archer> Need to drop. Speak tomorrow

Greg Bernstein> Sorry. See the revised quantum safe spec! Working on
security/privacy section.

Greg Bernstein> Note that ML-DSA and SLH-DSA are FIPS specs now.

Greg Bernstein> Yikes

Wesley Smith> I'll speak more to what post-quantum solutions for
vc-barcodes might look like next time :)

Greg Bernstein> Waiting for CFRG at IETF
Summary of resolutions

   1. Move the Verifiable Credential Barcodes v0.8 specification to First
   Public Working Draft, with short name "vc-barcodes" contingent on a similar
   resolution being passed by the full VCWG. <#bcf2>
   2. Publish the https://w3c.github.io/vc-data-integrity/,
   https://w3c.github.io/vc-di-ecdsa/, and Data Integrity EdDSA Cryptosuites
   v1.1 specifications as v1.1 First Public Working Drafts with short names
   "vc-data-integrity-1.1", "vc-di-ecdsa-1.1", and "vc-di-eddsa-1.1"
   respectively, contingent on a similar resolution being passed by the VCWG.
   <#5460>

This transcription was generated by a large language model (LLM) and might
contain errors. When in doubt, check the audio recording. This page was
formatted by scribe.perl <https://w3c.github.io/scribe2/scribedoc.html>
version 248 (Mon Oct 27 20:04:16 2025 UTC).
Received on Wednesday, 8 April 2026 00:11:41 UTC