- From: <meetings@w3c-ccg.org>
- Date: Thu, 22 Jan 2026 06:09:14 -0800
- To: public-vc-wg@w3.org
- Message-ID: <CA+ChqYc0gi+j9sy6Rr2FNo87pzZZw_AeEhadK47vMEDHuBehSA@mail.gmail.com>
VCWG Spec Refinement - 2026/01/21 11:00 EST - Summary *Attendees*
Benjamin Young, Dave Longley, Denken Chen, Dmitri Zagidulin, Elaine Wooton,
Hiroyuki Sano, Ivan Herman, Joe Andrieu, Kevin Dean, Manu Sporny, Michael
Jones, Patrick St-Louis, Phil Archer, Phillip Long, Ted Thibodeau Jr, Will
Abramson
*Topics Covered*
- *Recording Infrastructure and Transcription Improvements*
- *Issue Discussion and Prioritization for PR*
- Issue 12: Confidence levels not sufficient on its own
- Issue 14: Biometrics (Ready for PR, needs discussion)
- Issue 16: Confidence levels and Charter alignment
- Issue 17: Passkey support (Open discussion)
- Issue 20: Decentralized Identifier Document for Confidence Method
- Issue 21: Privacy concerns for biometrics
*Key Points* Recording Infrastructure and Transcription Improvements
- *Recording Consent:* The standard W3C process for recording consent
(clicking "okay" upon joining) is presumed to be sufficient, but
clarification from Brent or W3C process experts is desired. Phil Archer
suggested a verbal confirmation at the start of the meeting is adequate if
no objections are raised.
- *Off-the-Record Discussions:* Chairs can create breakout rooms which
are not recorded, allowing for off-the-record conversations. While
functional, this is considered a higher threshold than a simple "scribe,
stop scribing" option.
- *Linking Issues and Minutes:* A proposed improvement involves the bot
scanning the chat for GitHub links and injecting them into the transcript
at the appropriate timestamp. This would then allow tools like Avo PA's to
link these to GitHub issues.
- *Topic Sectioning:* A mechanism for manually controlling sectioning
and adding links, similar to IRC topics, was discussed. Ivan Herman
suggested that if topics and URLs can be pulled into generated minutes,
Panton's script might be able to handle the linking.
- *VCDM and Confidence Method:* Manu Sporny suggested that the
LLM-generated topics could be reverted to manual mode, allowing explicit
"topic: subtopic:" formats in GitHub issues to function as they do now.
Ivan Herman clarified that this works with older scripts and the current
tools might not support pulling titles back from issues for normal titles.
- *Resource Allocation:* Manu Sporny offered to implement infrastructure
upgrades in his spare time but emphasized the need for assurance that these
changes will be adopted. Joe Andrieu suggested a discussion with Kanttoan,
who maintains the relevant script written in Rust.
Issue Discussion and Prioritization for PR
-
*Issue 12: Confidence levels not sufficient on its own*
- The issue is about adding examples for the possibility of delegating
mechanisms or relationships between different subjects within a VC (e.g.,
family members for medical prescriptions).
- The consensus is that VCDM already supports multiple credential
subjects, and the focus should be on adding illustrative examples rather
than changing the core specification, thus avoiding charter conflicts.
- Ivan Herman clarified that a recent charter change allows
modification of published recommendations, but it's important to
ensure new
recommendations don't require convoluted changes.
- Phil Archer noted that while VCDM can be updated, it requires a
full process including Candidate W implementation reports, so
such changes
should be well-justified.
- The group agreed that adding an example based on existing VCDM
structure is feasible.
-
*Issue 14: Biometrics (Ready for PR, needs discussion)*
- Concerns were raised about the complexity of biometric features,
especially regarding privacy and potential patent issues with templates.
- Engagement with MOSIP was deemed crucial as they have
production-level deployments.
- *Facial Portraits:* The initial scope will be limited to facial
portrait images, which are already encoded in base64 in the draft.
- *Splitting PRs:* It was suggested to split the work into two PRs:
one for a simple facial biometric method and another for deeper
engagement
with MOSIP.
- *Selectively Disclosable:* Manu Sporny strongly advocated for
mandating selectively disclosable confidence methods, especially for
biometrics, to mitigate tracking risks. He also highlighted the
difficulty
of ensuring true privacy with facial images due to LLM capabilities and
potential third-party vendor data handling.
- The general position for biometrics should be "don't share by
default."
- Referencing the EFF's response on online age verification was
recommended.
-
*Issue 16: Confidence levels and Charter alignment*
- The discussion revolved around changing the spec title from
"Confidence Methods" to "Confidence."
- Ivan Herman stated that changing the title is not strictly a
charter issue and can be done by the working group at any time.
However, if
a charter change is desired, there is a limited window (about a week)
before it moves to AC vote.
- Manu Sporny suggested removing "method" and making "mechanisms"
plural to better reflect the scope.
- Dave Longley proposed changing the singular "mechanism" to
"mechanisms" in the charter text for broader scope.
- The group decided to comment on the charter text to reflect this
change.
-
*Issue 17: Passkey support (Open discussion)*
- This issue remains open for discussion, with a note that Brent would
like to explore passkey support.
- The current focus is on the first draft of the facial image
biometric.
-
*Issue 20: Decentralized Identifier Document for Confidence Method*
- The example needs to define a new type for the confidence method and
specify its vocabulary, likely within the security or verifiable
credential
vocabulary.
- The example should explicitly mention DID authentication protocols.
- Joe Andrieu will be drafting the PR for this issue.
-
*Issue 21: Privacy concerns for biometrics*
- This issue reiterates the privacy concerns raised in Issue 14,
emphasizing the need for selectively disclosable confidence methods.
- Discussion focused on the tracking vector of biometric images, the
challenges of verifiable fuzzing, and the importance of
understanding data
retention policies and upstream vendor practices.
- A strong recommendation to not share biometrics by default was
reiterated.
*Next Steps*
- Joe Andrieu will draft a PR for Issue 20.
- Joe Andrieu will comment on the charter text for Issue 16.
- Further discussion and PRs will be needed for other issues,
particularly those involving biometrics and MOSIP integration.
- The next VCWG meeting is scheduled for February 4th.
Text:
https://meet.w3c-ccg.org/archives/w3c-ccg-vcwg-spec-refinement-2026-01-21.md
HTML:
https://meet.w3c-ccg.org/archives/w3c-ccg-vcwg-spec-refinement-2026-01-21.html
Video:
https://meet.w3c-ccg.org/archives/w3c-ccg-vcwg-spec-refinement-2026-01-21.mp4
*VCWG Spec Refinement - 2026/01/21 11:00 EST - Transcript* *Attendees*
Benjamin Young, Dave Longley, Denken Chen, Dmitri Zagidulin, Elaine Wooton,
Hiroyuki Sano, Ivan Herman, Joe Andrieu, Kevin Dean, Manu Sporny, Michael
Jones, Patrick St-Louis, Phil Archer, Phillip Long, Ted Thibodeau Jr, Will
Abramson
*Transcript*
Joe Andrieu: Yeah, I did not see that as I was looking in other chat
channels. we can go get started. our plan was to just go through our issues
together. go to any final decisions on labels we might need. specifically,
to the version of the first that's going to go to CR. so let me pull that
up and share screen. Does anyone else have anything to add to the agenda
other than reviewing issues?
Joe Andrieu: Go ahead, Manu
Manu Sporny: I have one thing on a request from Ivan about the recording
infrastructure.
Manu Sporny: Just a very quick three minute update on that.
Joe Andrieu: that would be great. I was actually curious. I saw that Jim
and I asked we wanted to transcribe stuff. So, let me get an update.
Manu Sporny: So, that was the first thing. when you join the meeting, it
asks you if you're okay with recording or not. I don't know if that
replaces or does anyone object to recording the meeting thing. that's a
question for Brent probably or one of the Phil W3C process is not clear on
what exactly is acceptable does you clicking on a button saying that the
meeting's being clicking okay mean that you're okay with it? would imagine
so but that's the first question.
00:05:00
Manu Sporny: but Joe, I'd just probably do the standard, is until we have
an answer, just ask if anybody objects to the recording. the other update
is that one of the things that was a challenge was not being able to say
things off the record. I found out that if the chairs create a breakout
room, you can say things off the record. So, you go into the breakout room,
the breakout room is not recorded. it does not show up. In fact, all of us
can jump into the breakout room. Someone can say, we can have a whole
discussion off the record and then once we're done with the discussion, we
can come back into the main room. that is not nearly as nice as just
telling the scribe to stop scribing, but it is possible. So, I don't know
if that meets your saying things off thereord concern.
Manu Sporny: and then the final concern is getting the issues and the
minutes linked together with topics. I'm still thinking about the best way
to do that. the only option I can think of is that as people drop issues
into the chat channel, they are timestamped. we can have the bot scan
through the links that people posted and inject them into the minutes. and
at that point, I think the issue the script that we have might be able to
pick up on that and do the appropriate linking.
Manu Sporny: So I think those are the proposed upgrades to the
infrastructure that would hopefully meet upon your remaining concerns about
using the infrastructure and…
Manu Sporny: everyone else's, I mean, it's not just with the concerns. so
I'll stop there. people yeah that would be just the chat channel in Google
Meet,…
Joe Andrieu: I have a question about the last bit you said I heard you say
there's a mechanism whereby someone on the call could list an issue in some
chat channel and…
Joe Andrieu: that would be processed. Could you just walk through what that
flow is again? Yeah.
Manu Sporny: so we're meeting right now and then there's a little text box
in the bottom right of the screen. You click that, you paste the link in
there and that goes into a separate file for whatever reason. It goes into
a separate file. We would have to update. Currently, we totally ignore that
file. it's just dropped on the floor, And then deleted after 30 days. and
nobody has access to it but the meeting organizers. we can modify the
process so that the bot retrieves that file and it only looks for GitHub
links or it just looks for URLs and if it finds a URL it'll inject that URL
at the appropriate timestamp in the transcript.
Manu Sporny: So it will show up in the transcript and then if it shows up
in the transcript I think Avo PA's tool can then do the appropriate linking
to the GitHub issue for example. Yep.
Joe Andrieu: Cool. Thanks,…
Joe Andrieu: Okay.
Phil Archer: Just very briefly,…
Phil Archer: I think what Brent said about this was as long as you say at
the start of the meeting, this is what we're doing. This is how we're
recording Any objections? and if there are no objections, you're good to
Carry on. I think it's as simple as that. But I think you do need to say it
out loud every time.
Joe Andrieu: Appreciate that, Phil.
Ivan Herman: Yeah. …
Ivan Herman: two questions. So, I try to answer both. I don't really know
what it means to go to another room. I mean, maybe we will find some time
to test it. Not necessarily today, but at some point. I mean it sounds very
convoluted. does it mean that some people will leave this chat and going to
another one so we don't hear them anymore or I don't know what it means.
but it sounds extremely convoluted in any case. The other thing with the
URL that's not necessarily enough because we need two things. one is in
some way or other control the sectioning and then the adding of the links.
Ivan Herman: the adding of the links okay you can do that and that's great
and that's part of the answer but what Pant one script does is at the
moment I think that he picks the link at the very beginning of a section
either in the section title or in the first line of that section and then
he copies the section itself into the GitHub. at the moment, the sectioning
is a bit Yeah, I see Dave Longlin do that. So, that we could use the topic
like we do it in the usual IRC channel and add the URL into the topic or
right after the topic.
00:10:00
Ivan Herman: If you can pick these two things together and pull it into the
generated minutes, then I think that Panton's script will roll.
Ivan Herman: And I haven't written that one, so he is the final arbiter on
that, but I think it would work.
Joe Andrieu: Okay, thanks Ivon.
Joe Andrieu: Let me interrupt myself. I should have done this as soon as
you recommended it, Phil. I do think we're recording this. So, this is
notice that we are recording this and your continued participation is
acceptance of that fact. So, thank you for being on the call and Phil,
thanks for mentioning that and saying that's what we should do. back to
you, You're next.
Manu Sporny: Yes. So, what Dave said is what we could do. I think that
would address the concern or, it would address that. Right now, the topics
are autogenerated by the LLM. So the LLM reads the entire transcript and
then it breaks it into four to six topics and then bunches stuff as it sees
fit. we can get that back into a manual mode so that if somebody explicitly
puts topic subtopic colon in a GitHub issue, it'll have the same function
as it does today.
Manu Sporny: As far as the meeting,…
Ivan Herman: The you said GitHub issue.
Ivan Herman: You mean put the topic into the meeting chat?
Manu Sporny: that's correct. Yeah, but I think…
Ivan Herman: That's not…
Manu Sporny: if you put subtopic colon in the GitHub link,…
Ivan Herman: what you said.
Manu Sporny: it will go and create a subtopic and title it appropriately
and all that kind of stuff. I think that works with one of the tools. I
don't know which one. sure.
Ivan Herman: That works only the old one. that's the whole script which I
put aside. so you cannot get the title back from the issue and generate the
normal title or you have to somehow compromise P want to do the work for
that because he took that over yeah of
Manu Sporny: I mean it's all software.
Manu Sporny: we can add the feature where right it's clear how to do the
technical implementation we just need to find out who gets to carry that
ball. the other thing about breakout rooms it's not really that complicated
that the chair there's a little button in the bottom right see all those
little dots right by the padlock icon.
Ivan Herman: Come on.
Manu Sporny: the chair would click meeting tools, they would click breakout
room, and they would force all of us into the room if somebody wants to say
something off the record. it is more involved. but, I don't think it's
complicated. It's just, the chairs push, someone says, "I want to say
something off the record." they type that into the chat, the chairs see it.
Manu Sporny: the chairs force everyone into a breakout room or even a
subset you can pick a subset of people and then once the conversation's
over the chairs close the breakout room and…
Ivan Herman: Okay.
Manu Sporny: we're all pushed back into this room. So it's just the chairs
clicking two buttons that does that process.
Manu Sporny: That's it.
Joe Andrieu: Okay. …
Joe Andrieu: I wanted to add two things. one, I agree with most of what you
just said, Manu, about the breakout rooms. It's not as complicated as it
sounds, but I do think it's a really high threshold compared to, hey, I
need to say something that's off the record. and so that's just
unfortunate. but if we have a topic that we're getting heated about, we
could say, "Hey, let's move this to off the record so we have that option
at least. it's just not ideal." But it sounds like we have some general
consensus towards let's mine the chat log and we'll figure out how to
leverage some of the tools and techniques in that we've been using in IRC
over there. But my question is how do we prioritize and resource that work?
Joe Andrieu: as Ivon mentioned, we have to get PA to help or someone else
to help. Someone's got to actually write some code.
Phillip Long: Oops.
Manu Sporny: I can always do it in my spare time which is how we're
currently using the system we have now that doesn't mean that I can commit
to a timeline would love some help if somebody else wanted to jump in but
if not it'll just happen when it happens especially I just need to know
that, if I go to the effort of building this thing that we're actually
going to end up using it.
00:15:00
Manu Sporny: I don't want to spend a bunch of time building something and
then find out that someone's going to object to, the upgrades. That's it.
Joe Andrieu: Yeah, that makes sense.
Joe Andrieu: So, let me ask the group. is there anyone…
Ivan Herman: Sorry I wanted to answer money.
Joe Andrieu: who has any concerns about using the chat in this way? I see
Ivon's on the queue. Go ahead, Ivon.
Ivan Herman: So I would propose with you or you and I as you prefer money
talk to Kanttoan because he does maintain that script which is also an
action which is used on various different working groups and some of the
changes that he did was because so he is answering to pushes in some sense.
Ivan Herman: So if we talk to him and he will tell us the whole thing is
written in rust. I don't know whether that's a problem.
Joe Andrieu: That's great.
Joe Andrieu: Okay, thanks Ivon. So this feels like we have a direction.
Phillip Long: Okay.
Joe Andrieu: We have folks who are interested in making it happen in Manu
and we have resource constraints issues. So we'll put it on the queue but
not expect it tomorrow. Manu I know it'll take Any other thoughts on that?
All right. Let's move on to the issues. we have cherry picked a few of them
although we don't have them flagged for that. But the first one is 12.
confidence levels not sufficient on its own.
Joe Andrieu: Dan, why did we choose this one to talk about today? He said
blocked by charter.
Denken Chen: Yeah, let me take the look at this. So we had a agreement to
add multiple subjects in the VCDN for more example description about the
possibility of delegating mechanism or any relationship between the
different subjects within the VC. So for example, I could add my family
members to my medical pre prescriptions. So any of my family could hold
that VC and present it to the drugstore to help me to get a drugs medicine.
Denken Chen: So I think it's blocked by we need a next VC charter to have
some modification within BCDM.
Denken Chen: Yeah, that's it.
Joe Andrieu: …
Joe Andrieu: I thought we were just going to add some examples in our
document. And it seems to me, at least as I am understanding how we're
going to tackle this, we are not changing anything that's conformant. just
giving an example. So, where did we get into trouble with the charter? I
see Evvon. Are you still on the queue? Or is that old? Ivon, you're both
muted and you have your hand raised, but I'm assuming that's old.
Joe Andrieu: they can do I'm not sure why there would be a charter conflict
if we're just adding an example into the confidence method spec.
Denken Chen: Is it reasonable to lead in the competence method because it
probably …
Denken Chen: how do we describe the mechanism in the confidence method
about different credential subjects.
Joe Andrieu: So today the VCDM has support for multiple credential subjects.
Joe Andrieu: It's not usually led with.
Denken Chen: Yes. Okay.
Joe Andrieu: So some people don't understand that and are like, " how do I
do these complex use cases that have different subjects involved? so the
mechanism is already there as I understand it in VCDM. What do you think
would need to be changed? Thank you.
Denken Chen: So I'm thinking about what to describe for this confidence
method. So for example, we already have spouse description in the
credential subject in example 10 of VCDN. So we could take that example and
describe more use cases in the compet in a new competence method. Right? Is
that your visioning?
00:20:00
Joe Andrieu: So, right, we could build an example based off of example 10.
So, I agree with that.
Joe Andrieu: Not sure yet where the charter is getting involved. Ivonne, I
see that you're off mute and you reactivated your raised hand, so please go
ahead.
Ivan Herman: Yeah, I am sorry for the previous step.
Ivan Herman: I was looking for the charter and got messed up with the
windows.
Phillip Long: Okay.
Ivan Herman: So, there was a recent change on the charter proposal. I don't
remember exactly when and that recent change allows us to change the
already published recommendations. so I will read out loud. no, put it in
the chat to make it clear. This is what the charter says about in this case
VCDM.
Ivan Herman: And I draw your attention to the point that if to support the
new recommendations produced by the group. So put it clearly we have the
right under the new charter to modify in this case the VCDM…
Joe Andrieu: Go ahead, man.
Ivan Herman: if the new recommendations which is the one they are
discussing require that convoluted way to say that we don't have to do
anything with the chartered proposal in my view.
Manu Sporny: Yeah, plus one. I don't think there are any charter issues.
with addressing this, I think we are ready for R in looking at the example
on the screen. I think if we wanted to add a confidence method and
associated with each spouse or sorry we just put it in each object the
Jaden do would have a confidence method that would allow them to assert
that they're that subject and then you'd have a confidence method for
Morgan Doe as well.
Manu Sporny: and it would allow either one of those people to say that
they're the holder and then assert, that they're also that particular
credential subject. so I hope this is a fairly straightforward thing. I
think we have everything that we need to create an example here. That's it.
Joe Andrieu: Thanks, V. I wrote down something that doesn't make any sense
to me. my question was for you, ne. obviously if I looked at the charter
text, I might be able to figure it out, but this says no new normative
feature for those specifications. are render method and competence method
in the set of those or are the things that really we haven't even quite
gotten to a full 1.0 still open to normative changes?
Joe Andrieu: I no that's a good point.
Ivan Herman: Phil was in the queue or…
Ivan Herman: do you want to answer me right now? so no those refer to we
are maintaining a bunch of recommendations the ones that we had published
about a year ago and…
Phil Archer: Go forever.
Joe Andrieu: Okay go ahead.
Phil Archer: Don't worry.
Joe Andrieu: Thanks. Okay.
Ivan Herman: there are those original restriction that no new normative
features will be introduced for the VCDM. So in this case the one that we
are allowed to modify for these things is the VCDM.
Phil Archer: So the confidence method or any of the other ones that are
already in flight or planned we have the ability to update VCDM if we need
to. but there will be screams around the room if we do that because if we
need to update this BCDM and let's be honest we might but you've got to go
through the whole process again with all the candidate w implementation
reports and everything else. So yes, if we're working on a new
specification which includes the confidence method, we can make it changes
to the VCDM, but you got to be really sure you need to before you do that.
Joe Andrieu: Okay, thank you, Phil.
00:25:00
Joe Andrieu: Okay, I think that's a great closure on this. I think I
captured it on screen. Thanks, Phil. Any other thoughts on this issue?
Otherwise, we'll move on to the thanks folks. Next one is 14 which we have
as ready for PR and needs discussion.
Joe Andrieu: Dacon, did you want to talk about this today or just review
its status as we need to set up a deeper call? Thank you.
Denken Chen: Okay, sorry. Okay. So, I'm just want to make sure the status
like wait make it ready for today or do I need to prepare some early
example for the spec before label it into ready for PR.
Joe Andrieu: That is a great question. I'll give you my first blush
response and people can chime in. I think if you see a clear path that
makes sense to you that doesn't feel controversial, you can go and do a PR
and my sense of it. But if you want feedback because there are choices you
have to make and you'd like to get some input from the group before you
commit to specex then we can talk about it some more. Manu go ahead.
Manu Sporny: Yes, plus one to that. I don't think we should raise a PR
before we talk to MOSIP about this because they have work in flight, that
they are deploying in production. and if this doesn't work for them, then
we're not doing the right thing, in my opinion. So we really need most
engagement on this. I will also note that the biometric stuff is not as
simple as it seems on the surface. There are all kinds of privacy concerns
that It is probably going to be one of the most difficult features that we
would do for confidence method. So I don't think we should underestimate
how difficult this thing is going to be.
Manu Sporny: for example, if we look at the MOSEP thing, there's a choice
that you need to make around biometric templates. Which ones are you going
to use? They are including things like iris template, all fingerprints,
facial template, that makes me nervous. but it's the only way that they can
identify some of the people that are in rural areas because those
individuals have no other legitimate or government issued ID and they're
not going to right yet they need to receive aid from the government to
plant crops and raise livestock and things of that nature.
Manu Sporny: So, all that to say, this is not a simple PR. and we should
talk to MOSIP and we should try to see if we can align with them. And
ideally, they would be the one proposing it. and ideally we start out with
something easier. I don't know what an easy biometric is. I mean even the
template formats there are multiple different template formats for
everything Iris has three different standards facial templates have 50
different standards then so on and so forth.
Manu Sporny: So just some feedback on this. this is not an easy thing. and
it may be something that we want to wait until we pick some super simple
thing and…
Joe Andrieu: I want to plus one that last thought you had and…
Manu Sporny: then wait for all the other complicated things in a next
revision. that's it.
Joe Andrieu: I think it moderates what I was expecting you might do. Denin
I think with the Taiwan's digital ministry you are working on digital
biometrics and so it may be that the incorporating MOSIP in that work may
be too early but we can go to PR on your proposal for what would work for
you in that context as a starting point and that feels like what you just
said man let's do a simple one and…
Joe Andrieu: then we can tease out how we might plug in MOSIP because they
are dealing
00:30:00
Joe Andrieu: with far more complexity than most of us have had exposure in
this space. Thank you.
Denken Chen: So I think today I will try to limit the scope to face
portrait.
Denken Chen: I mean in this draft we already have a biometric portrait
image encoding the image in base 64 and most has a type of biometric for
person's face biometrics.
Denken Chen: So I think that's one I will look at as a first example to
incorporate into our competence method. in our case we are mostly concerned
about using the face portrait image.
Joe Andrieu: does it make sense to create another PR that is this first
pass at a biometric method and…
Joe Andrieu: and have it be distinct from this let's reach out to MOSIP
let's get a deeper sort of engagement and support that because that seems
like a simpler PR to work with. Thank you.
Denken Chen: I think it's also available in most of the government issued
credentials and I have a regular meeting with most now so I will reach out
to them for advice or comments.
Joe Andrieu: Okay. go ahead, man.
Manu Sporny: Yeah, a plus one to what you said, Joe, plus one to what Denin
said. I do think facial biometric is the easiest one. and a picture is it
definitely makes it much easier. things to avoid there are biometric facial
vector templates that are a patent minefield. anytime you get into
biometric, templates, it's like patent minefield, right? So we would have
to do some pretty good due diligence to pull those in. but a picture of a
person fairly easy, to Denin, one of the other things plus one to splitting
it and working in two different PRs and just focusing ultra focusing on
just facial picture.
Manu Sporny: Denin, one of the other things that I'm hoping that you would
put in there is I'm wondering if we should put some kind of mandate that
you should make it selectively disclosable. Meaning you should not have to
just hand over a picture of yourself whenever you're disclosing these
things. And we should really start pushing the industry towards selectively
disclosable confidence methods in general. I might maybe that that's a
general confidence method thing like all confidence methods should be
selectively disclosable. we'd love to go The only reason I think we might
not want to go to must is because some people are just using technologies
where you just don't have the selectively disclosable option.
Manu Sporny: …
Joe Andrieu: Cool. Thanks,…
Manu Sporny: but maybe we should do a little bit of lecturing in the
specification of you really should be making these selectively disclosable
if you can. That's it.
Joe Andrieu: Okay, this sounds straightforward. thanking that suggests
we're going to create a new issuer PR for the simple version.
Joe Andrieu: Do you want to take that on or would you like me to? One of us
should.
Denken Chen: Yeah. Yeah.
Denken Chen: Just take that.
Joe Andrieu: Okay, And I'm not closing the issue, but we'll close this
stage of the agenda and move on to the next issue.
Joe Andrieu: Okay, the next one was 16 and Dan, you had also thought this
was blocked by recharter. and your notes that you sent me charter PR to
change from confidence methods to confidence. I think this is on me so you
have charter PR to change from confidence methods to confidence. I remember
having that discussion and then adding assurance le level as an evidence
field in the VCDM.
Joe Andrieu: Okay, I'm remembering that now. Thank Anyone speak to
Denken Chen: So we had a discussion about whether to put this confidence
levels.
Denken Chen: So in the discuss discussion we agreed that this should be one
confidence level or one assurance level corresponding to one VC. So that
would be VC level of things and the most appropriate way to express that is
in the evidence field in BCDN. So I think the most proper way is to
describe how we could use the field evidence property to express that level
of assurance. Yes.
00:35:00
Denken Chen: So we should make it clear that whether we should wait for the
recharter of the VC
Joe Andrieu: I feel like this should have been assigned to me.
Joe Andrieu: I think I verbally said I would take care of that. Ivonne, go
ahead. in this case we wanted to change the title of the spec from
confidence methods to confidence…
Ivan Herman: Before I don't fully understand…
Ivan Herman: what is the charter issue here. I have two reactions on that.
Joe Andrieu: which lets us open the scope a little bit. So it's just that
one word
Ivan Herman: It's not strictly necessary because the working group has the
right to change the specification title at any time.
Joe Andrieu: okay.
Ivan Herman: This is not a chartering issue and the document has already
been published in the first public draft with the current title. So that
would be necessary anymore. the second answer independently of the previous
one. if you want to change something in the charter proposal then you have
about a week because I have gathered all the green light to move on to the
AC vote and…
Ivan Herman: I plan we will have to discuss with the chairs to Friday but I
plan to move on to the AC sometimes next week but as far as I am concerned
I don't think that you need to change distractor.
Joe Andrieu: Okay, great.
Joe Andrieu: I think I'm keen to just close this then. anyone think that's
crazy? Go ahead, Manner.
Manu Sporny: not crazy and I certainly won't stand in the way. it's good to
have the charter is going to stick around for a long time and we sometimes
refer other people to the charter and it's good to align as much as
possible before the thing set in stone and we definitely can't change it,
So, we have an opportunity here to change some words to make it easier for
people to kind of understand what we're working on.
Manu Sporny: I suggest we do that since we have a week to do it
Joe Andrieu: Okay, I'll assign this to me.
Joe Andrieu: Whoops. That was not how I do that. and I think this is
something I can probably do today now that I'm on the other side of the
threat modeling Any other thoughts? I think we can move on. go ahead, Will.
Correct.
Will Abramson: Yeah, just something You said you're going to rename it to
confidence. I think there's another issue linked here maybe verifiable
credential confidence.
Will Abramson: I think just having a spec called confidence feels a bit
strange to me.
Joe Andrieu: Yeah that's a valid point.
Joe Andrieu: My thought is this is much broader than VCs. right I can see
confidence levels is simply being part of how you do authentication with a
DID right independent of a VC. that said the spec is called VC confidence
method as a short title. maybe the long title should also have it. Manny
Manu Sporny: Yeah, I thought we were just going to remove the word method
and then we would expand it to say defines mechanisms. So it's strike the
word meth from the charter strike the word method and make mechanisms
plural.
Manu Sporny: And that was the change we were talking about.
Joe Andrieu: Hey, Could you restate that?
Ivan Herman: Yeah. Getting to follow up to one…
Ivan Herman: what money said if getting to the way of saying that this goes
beyond the verifiable credentials etc. that would raise a lot of eyebrows.
I would not go there even if it's on long term your intention but let's not
go that way because then it becomes a totally different ball game.
Joe Andrieu: I didn't follow what you were.
Ivan Herman: You said that this is something that goes beyond the
verifiable credentials. I would not put anything into the charter that
would suggest that because that would raise lots of eyebrows.
00:40:00
Joe Andrieu: Plus one. I appreciate that, Dave.
Dave Longley: Yeah, I was about to put my hand back down. I think it's been
covered now. but I'll just reiterate. I think changing the singular a
mechanism that's in the current charter text to mechanisms would be
sufficient because then it would read that this spec defines mechanisms
that can be used with the BCDM to increase a verifier's confidence about a
particular subject identified in a verifiable credential.
Dave Longley: I think that includes defining new evidence mechanisms or
evidence extensions which there's already an extension point in the VCDM
for evidence. We can define evidence types in this new spec that would have
whatever is needed.
Joe Andrieu: Okay, cool.
Joe Andrieu: All right, I'm going to go and comment on this and we can move
on to the next issue and I will make an effort to subtopic before we start
typing. Sorry about that. so the 17 is next and I'll let you introduce it
Dan. It seems like you mostly just wanted to have a conversation.
Denken Chen: Yeah, I would like to keep this as the open discussion. I'm
probably not going too deep today. but one thing I would like to highlight
is in the last meeting Brent mentioned he would love to in include pass key
support for this or at least do some early research on it and so we can
keep human eye on it. And so for now today we try to understand our first
draft. The scope will probably limited to the first one is a facial image
and the second one we will talk about it later. Yeah.
Denken Chen: So that's why I would like to share and so I suggest that we
today should really go through all of the issues and…
Denken Chen: make final decision for our first draft. Yeah. this one just
keep it or…
Joe Andrieu: Okay. I'm not sure…
Joe Andrieu: what the decision is you're looking for on this one.
Denken Chen: need discussion as is.
Denken Chen: So I think if there is anything that people would like to talk
about this issue please raise your hand or I suggest we go through all the
issues today.
Joe Andrieu: All right.
Joe Andrieu: So, this is a heads up for folks to dive into this if you care
about these items and we will be revisiting this discussion likely in the
future. All right. We'll move on to the next one.
Joe Andrieu: Okay. 20.
Joe Andrieu: You want to introduce this one? Thank you.
Denken Chen: Yeah, I think we talked about this to added also a initial
competence method example and…
Denken Chen: Joe you will be drafting the first PR. So we could remove the
need discussion and…
Joe Andrieu: Excellent. …
Denken Chen: just make it ready for unless there's other concerns.
Joe Andrieu: I think this is ready for PR. let me see if the conversation
suggests otherwise. And I see Manny raised his hand. Go ahead, Manny.
Manu Sporny: Yeah, I mean plus one. I'm looking at Denin's proposal down at
the bottom and it looks good. the only thing that I was wondering about was
the last part of your example Denin where we use a decentralized identifier
document. that might need to be just decentralized identifier and then the
question becomes which one of the verification methods are you going to use
I would presume it's authentication and maybe that's what we say in both of
these cases the expectation is that it is used in some kind of
authentication process the other thing about specifying a multi
Manu Sporny: key is you have to run it over a protocol and we should
probably talk about the protocols where you can utilize these confidence
methods. So we have one protocol that is in scope for our next charter VCOM
it does specify how you do a D off in it. so we should at least reference
that. other things to consider are JSON web keys and the DOP stuff that you
can do over OOTH. I don't know if we're going to say anything about that
either.
00:45:00
Joe Andrieu: Go ahead. I
Manu Sporny: And I would expect we would have to say that at some point for
people to be able to actually use confidence method within a protocol.
Manu Sporny: That's it.
Ivan Herman: So I'm looking at that example and…
Ivan Herman: that rings a more generic bell for me. It uses in this case
Who defines that type? Where is it defined? Is it an example this
definition or just it come out of the blue air? remember that I am the one
who is always shouting about the proper vocabulary and this is in the
vocabulary area where does it come from and this is not only on this
example in general both documents that we are working on have this kind of
examples…
Ivan Herman: where I don't know what is formally defined I don't know is
there for the purpose of an example or it comes from elsewhere and that
always bothers me.
Joe Andrieu: cool. Thanks,…
Joe Andrieu: Ivon. I agree that, yes, we are going to have to create a new
type. We're going to have to do all the work that entails. and we have not
yet done this. I actually think this type probably did or it's u
verification method. and I think that's one of the things that's missing
here, Denin, is that I think the identifier for the confidence method in
example the second layer here doesn't have the details to get to a specific
verification method.
Joe Andrieu: to Manu's point what are we supposed to just use any
authentication method in that did document I think that's probably not as
appropriate as the first one which points to a specific key although I want
something in here that says this is a did off confidence method so that's
my feedback go ahead manu
Manu Sporny: Plus one to what you just said, we probably do want it to
speak to I guess a protocol more than I mean although the verification
method thing sounded fine to me as well which is not necessarily protocol.
So that's interesting. we can try and sort it out in the PR, but I don't
want Denin to put in the time to put in a, that, is going to be pushed back
against. So maybe more discussion As for, Ivon, yes, we need a new type. My
expectation is that it would go in the security vocabulary.
Manu Sporny: I don't think we should have a separate confidence method
vocabulary. That feels like it would be kind of ick. security vocabulary
and then if we can't fit it in security vocabulary, the verifiable
credential vocabulary, but again, I think that's the second option. and
then we would need to include it in the next the VC21 context or the 20
context or whatever we end up doing. but I think there's a semi clear path
there. The we'll work out the details, but I think we can go in that
general direction with the vocabulary
Manu Sporny:
Joe Andrieu: Plus one for that.
Joe Andrieu: That seems to make sense. I wanted to add that I think that
the way I'm approaching this particular one I think this should be assigned
to me. so I think I'm the one stuck with the PR man. is at least for did o
I'm approaching that as conceptually free but I will mention two protocols
as examples and one is hey you may have gotten this in a VP and the
signature on the VP is one way to have that confidence and then separately
you have this verification method you can engage in any protocol you want
and I think at that stage it's also appropriate to pull in BCOM to the
extent that
00:50:00
Joe Andrieu: that's mature enough to reference. but I think in essence the
verification method itself is like an atomic element that however you
manage to interact around it is sort of at another layer in my thinking. So
I saw a thumbs up from so maybe that's So this seems straightforward for
me. I just need to wrap my head around what all do I need to write for the
did off but otherwise I think it's on me and I think the issue labels I
don't know that we need any more discussion. Does anyone feel we need to
keep talking about this? We can revisit in a future call but feels like I
could remove that label and the roaring science endorses my executive
decision.
Joe Andrieu: So, let me go and get rid of the needs discussion. Thanks,
next up then 21. And I see Danken that you queued up for that.
Denken Chen: Yeah, I will address privacy concern including suggesting that
all competence methods should be selective disclosable. I think it's a good
reminder from Ted and also Manuel mentioned it as well. Yes. So I think if
there's anything others we would like to be included please have a
discussion here or…
Joe Andrieu: Go ahead, man.
Denken Chen: we can just take it as ready for PR.
Manu Sporny: Yeah, plus the selectively disclosable thing. I think we
should also maybe speak to what happens if you don't selectively disclose
this, I mean, it is a tracking vector. for example just because an MDL
portrait image is selectively disclosable the second you disclose those
unique bytes are a unique token which can be used to track you globally
right so the next time you present that same thing the identifier is the
same even if the signature is different even if it's a totally different
thing unless there's some fuzzing that's done on the biometric image which
we are not talking
Manu Sporny: about doing that creates a unique thing. so there is I think
future R\&D to be done around verifiable fuzzing of biometric portraits so
that when you do show it over and over again it's not the exact same bite
sequence. but even if we are successful in doing that and get there it
doesn't matter. LLMs are way good enough at recognizing faces now that no
amount of fuzzing that we do is going to probably protect an individual
once they've shown their biometric photo through the credential.
Manu Sporny: So, we should talk about, what happens when you do share,
images of yourself. and maybe focus on some of the less known kind of
dangers, global tracking and again I mean the harms are different than you
just going to the grocery store and using a selfch checkckout kiosk you
don't necessarily know what they're doing with those images or your face so
we should say a lot about using biometric portraits and photos in these
credentials and I think the general position of
Manu Sporny: the specification should be don't share it by default don't
share it right and then if you do share it you should really understand
what the policy on the other side is clearly like the general population
can't do that and so understanding something like retention policy right
lambd has we promise we're not going to retain this thing although I don't
know necessarily how that sort of thing becomes important right intent to
retain intent to use that sort of thing.
00:55:00
Manu Sporny: we should also probably mention what hap you can have an
entity where its intent to retain is they don't intend to retain it but
they pass it to an upstream vendor who may not follow that same policy
right to do the betting these biometric things go through third party
vendors not every single one of them has the same privacy policy so we
should speak to
Manu Sporny: those dangers as we should probably also refer to the EFF's
latest response on online age verification and the things to look out for.
they specifically mention a company and their policies that are concerning
and problematic. That's it.
Joe Andrieu: Do you have a URL for that That would be great.
Manu Sporny: I will find it.
Joe Andrieu: Okay. I think I captured all that. I one of the things I want
to honor is trying to wrap up five minutes before the end because that Zoom
insanity that happens when you're back to back. but before we actually
wrap, Denin, did you have anything else you wanted us to discuss before we
do that?
Denken Chen: Yeah. No, the remaining issues are minors. So, okay.
Joe Andrieu: Anyone else have anything to add to the agenda or we will
yield the last few minutes of the hour. I do manage link so I will get that
into the comment. Thanks I think that's a wrap then. Thank you all very
much. Danken, thanks for the prep work and…
Joe Andrieu: the help running this. And we will see folks. When's our next
one, Danken? I guess that's a good question.
Denken Chen: I think next week is for rendering method and…
Denken Chen: we will be the week after next week.
Phil Archer: the fourth.
Joe Andrieu: So, the 4th of February,…
Phil Archer: Yeah. Yeah.
Joe Andrieu: Phil, is that right with regard to the rest of the ECWG
meetings?
Phil Archer: And then 11th is full working group meeting that I can't
attend for reasons I won't bore you with. so I guess then it'll be render
method on the 18th and…
Phil Archer: then confidence again on the 25th. I think that's the way
it'll be.
Joe Andrieu: Okay, excellent.
Joe Andrieu: Thank you all very much. That's a wrap and we will see you on
those dates, I hope. Cheers, folks.
Phil Archer: Thanks. Thanks everyone.
Meeting ended after 01:01:47 👋
*This editable transcript was computer generated and might contain errors.
People can also change the text after it was created.*
Received on Thursday, 22 January 2026 14:09:24 UTC