[w3ctag/design-reviews] Specification review request for Verifiable Credential Data Integrity (Issue #850) from Manu Sporny on 2023-05-28 (public-webapps-github@w3.org from May 2023)

From: Manu Sporny <notifications@github.com>
Date: Sun, 28 May 2023 12:11:15 -0700
To: w3ctag/design-reviews <design-reviews@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <w3ctag/design-reviews/issues/850@github.com>
The Verifiable Credentials Working Group requesting a TAG review of Verifiable Credential Data Integrity and two Data Integrity Cryptosuite specifications (EdDSA and ECDSA).

These specifications describe mechanisms for ensuring the authenticity and integrity of Verifiable Credentials and similar types of constrained digital documents using cryptography, especially through the use of digital signatures and related mathematical proofs. Cryptographic proofs enable functionality that is useful to implementers of distributed systems. For example, proofs can be used to:

* Make statements that can be shared without loss of trust, because their authorship can be verified by a third party, for example as part of Verifiable Credentials [[VC-DATA-MODEL-2.0](https://www.w3.org/TR/vc-data-integrity/#bib-vc-data-model-2.0)] or social media posts.
* Authenticate as an entity identified by a particular identifier, for example, as the subject identified by a Decentralized Identifier (DID) [[DID-CORE](https://www.w3.org/TR/vc-data-integrity/#bib-did-core)].
* Delegate authorization for actions in a remote execution environment, via mechanisms such as Authorization Capabilities [[ZCAP](https://www.w3.org/TR/vc-data-integrity/#bib-zcap)].
* Agree to contracts where the agreement can be expressed as a digital signature that can be verified by another party.

Additionally, many proofs that are based on cryptographic digital signatures provide the benefit of integrity protection, making documents and data tamper-evident. The specifications in this review request enable these features in ways that were included in the W3C Verifiable Credentials Working Group charter. 

  - Explainer: [Data Integrity: Introduction](https://www.w3.org/TR/vc-data-integrity/#introduction), [Data Integrity: Goals and Rationale](https://www.w3.org/TR/vc-data-integrity/#design-goals-and-rationale), [Data Integrity: Examples](https://www.w3.org/TR/vc-data-integrity/#example-a-simple-json-data-document)
  - Specification URL: [Verifiable Credential Data Integrity](https://www.w3.org/TR/vc-data-integrity/), [EdDSA Cryptosuite v2022](https://www.w3.org/TR/vc-di-eddsa/), [ECDSA Cryptosuite v2019](https://www.w3.org/TR/vc-di-ecdsa/)
  - Tests: Test suites are under development
  - User research: [Jobs for the Future Interoperability Results using VC Data Integrity](https://docs.google.com/presentation/d/19GmJ3bLMrbVadesnkmsWaaUr-U71Y9Kr775tZvgs-xI/edit#)
  - Security and Privacy self-review: https://github.com/w3c/vc-data-integrity/issues/98
  - GitHub repo (if you prefer feedback filed there): 
    - https://github.com/w3c/vc-data-integrity/issues/
    - https://github.com/w3c/vc-di-eddsa/issues/
    - https://github.com/w3c/vc-di-ecdsa/issues/
  - Primary contacts (and their relationship to the specification):
      - Manu Sporny (@msporny), Editor, Digital Bazaar
      - Dmitri Zagidulin (@dmitrizagidulin), Editor, MIT Digital Credentials Consortium
      - Marty Reed (@martyr280), Editor, RANDA Solutions
      - Dave Longley (@dlongley), Author, Digital Bazaar
      - Brent Zundel (@brentzundel), VCWG Chair, Gen
      - Kristina Yasuda (@Sakurann), VCWG Chair, Microsoft
      - Ivan Herman (@iherman), VCWG Staff Contact, W3C
      - Phil Archer (@philarcher), RCHWG Chair, W3C
      - Markus Sabadello (@peacekeeper), RCHWG Chair, W3C
      - Pierre-Antoine Champin (@pchampin), RCHWG Staff Contact, W3C
  - Organization(s)/project(s) driving the specification: [W3C Verifiable Credentials Working Group](https://www.w3.org/2017/vc/WG/) and [W3C RDF Dataset Canonicalization and Hash Working Group](https://www.w3.org/groups/wg/rch)
  - Key pieces of existing multi-stakeholder review or discussion of these specifications:
    - [Inclusion of the work in the VCWG and RCHWG Charters](https://github.com/w3c/vc-wg-charter/issues/21#issuecomment-979892420)
    - [Jobs for the Future Interoperability Plugfest #2 using VC Data Integrity](https://docs.google.com/presentation/d/19GmJ3bLMrbVadesnkmsWaaUr-U71Y9Kr775tZvgs-xI/edit#)
  - External status/issue trackers for these specification (publicly visible, e.g. Chrome Status):
    - https://github.com/w3c/vc-data-integrity/issues/
    - https://github.com/w3c/vc-di-eddsa/issues/
    - https://github.com/w3c/vc-di-ecdsa/issues/

Further details:

  - [x] I have reviewed the TAG's [Web Platform Design Principles](https://www.w3.org/TR/design-principles/)
  - Relevant time constraints or deadlines: The VCWG is planning to take these specifications to Candidate Recommendation in September 2023 (at W3C TPAC), reviews before that time frame (ideally, by the end of July 2023) would be ideal.
  - The group where the work on this specification is currently being done: [W3C Verifiable Credentials Working Group](https://www.w3.org/2017/vc/WG/) and [W3C RDF Dataset Canonicalization and Hash Working Group](https://www.w3.org/groups/wg/rch)
  - Major unresolved issues with or opposition to this specification:
    - Addition of unlinkable cryptosuite (in process)
    - Addition of selective disclosure cryptosuite (in process)
    - No registered opposition (no "intent to formally object" on any of the specifications)
  - This work is being funded by: The members of the W3C VCWG and W3C RCHWG that are actively participating in the development of these specifications including funding from the US Federal Government, the European Commission, and the Canadian Federal Government.

You should also know that...

* This work intersects heavily with the [Verifiable Credentials v2.0](https://www.w3.org/TR/vc-data-model-2.0/) work, which is also something that the TAG will be actively reviewing around the same time.
* The W3C RCH WG is also [doing some foundational work](https://www.w3.org/TR/rdf-canon/) that these specifications rely on, and which TAG will be actively reviewing around the same time.
* There is active work on selective disclosure cryptosuites and unlinkable digital signature cryptosuites, which are important to understand in order to get the full picture of what this work is attempting to achieve (on the whole).

We'd prefer the TAG provide feedback as:

 ☂️ open a single issue in our GitHub repo **for the entire review**


-- 
Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/design-reviews/issues/850
You are receiving this because you are subscribed to this thread.

Message ID: <w3ctag/design-reviews/issues/850@github.com>
Received on Sunday, 28 May 2023 19:11:22 UTC