Re: Chartering work has started for a Linked Data Signature Working Group @W3C

On Mon, 24 May 2021 at 16:47, Manu Sporny <msporny@digitalbazaar.com> wrote:

> On 5/24/21 11:06 AM, Dan Brickley wrote:
> > Please don't make email from me a precondition from engaging with Peter's
> > questions.
>
> Yes, the plan is to engage regardless... however, a number of us have been
> fetching rocks for the better part of the last 8+ years to just get a WG
> started, so I'd like to know when that ends and we get to "good enough to
> start a W3C WG Charter review".
>

Maybe your community was working towards a WG around something more
specific (e.g. securing Verifiable Claims / Credentials) and this
chartering effort has led to it being re-framed as a more general purpose
endeavour? That might explain some of the mixed expectations in these
threads.

If W3C has been preparing for 8 years for a Linked Data Security group,
that wasn't clear to me.



> All of our time is valuable. I'd just like to understand how much of a time
> commitment we're asking from each other -- when does it end -- how long is the
> list of "things that have to be addressed for each deliverable before a WG can
> be started" is in each of your heads?
>
> > If the issues have all been hashed out in previous fora, links would be a
> > good way to answer.
>
> Honestly, at this point, we're better off just re-explaining it to each of
> you. It would take me a very long time to go and find links, even if I had
> clearly formulated questions to go off of (which, except for Peter's email, I
> don't). For example, here's 834 emails from just public-credentials discussing
> LDS:
>
>
> https://www.w3.org/Search/Mail/Public/search?type-index=public-credentials&index-type=t&keywords=signature&search=Search&resultsperpage=100&sortby=date
>
> Peter's questions are easy enough to dive into, so we'll start there and see
> where it takes us.
>

Yeah. Peter picked up and ran with my main outstanding technical question
on the input documents which was about recursion.

There remain larger expectation-management questions along lines of who
should expect this WG's products to be relevant to their work - e.g. large
scale RDF publication, the Linked Open Data Cloud kinds of site, or
Wikidata, DBpedia, Yago, ... or ordinary sites publishing Schema.org
markup? Do we envisage
https://www.wikidata.org/wiki/Wikidata:Database_download#RDF_dumps being
improved by this work in a couple of years, for example?

My instinct is that there's a couple of quick wins here - get the
bnode-labelling stuff done, and
whatever-it-is-the-verifiable-claimdentials folk want for the VC
ecosystem. And that a lot of our problem here is the sense that the latter
agenda is being mixed up with a broader "we're going to secure RDF in
general" sort of a project, which these may be important components for but
is a different kind of enterprise. I am convinced enough that VC has found
a niche that I wouldn't want to undermine any of its momentum, but suggest
that a WG more explicitly named, scoped, and focussed on VC's needs (and
design assumptions etc.) might be easier for all concerned.



>
> > What I would like to see is a high-profile public call for review of this
> > *draft* charter from W3C (e.g. blog, mail to security lists, IETF liaisons
> > etc.) - blog post, tweet etc. Review shouldn't be happening on a semweb
> > list.
>
> That's the purpose of the AC Charter Review, isn't it? Isn't this asking for
> something quite non-standard? Isn't the purpose of the Coordination section of
> the charter to seek input from those groups you're concerned about?
>
> https://w3c.github.io/lds-wg-charter/#coordination
>
> You are correct that a security review shouldn't be happening on the semweb
> list... it should happen in a LDS WG


No - we're at the "Is this a sensible thing for W3C to be putting its
limited resources into?" stage. And only semweb folks are getting asked
that. There's a fatalism about even bothering to consult browser /
webplatform folks, I fear.


> and the liaisons mentioned in the
> Coordination section... but simultaneously, we're being asked to participate
> in one on the semweb list or risk the charter not even going out for review.
>
> Having a concrete list from each of you on "things that need to be done before
> AC Charter review" would help us avoid the random walk we're doing right now.
>

You can do an AC Charter review whenever you like. Peter's questions esp
around recursion would be good things to address.

Your comments earlier in the centi-thread about using quads rather than
triples were intriguing but I didn't quite follow your meaning.

Specifically you wrote (in
https://www.w3.org/mid/c525ef74-6599-3d33-2215-7009c6f8e8a1@digitalbazaar.com
):


*manu> "RDF Graphs" -- those are not what this group is focusing on,
they create all sorts of provenance issues with the signed
information... this is why we pushed hard for RDF Datasets back in the
day... we're focusing on canonicalizing and generating proofs (e.g.,
digital signatures) for RDF Datasets.*

A lot of the defences I've heard for why we can't just "sign the bits" of
an RDF serialization are along the lines of "what if Alice writes it in
Turtle, Bob in JSON-LD, and Carol in RDFa". All of which is couched in
terms of the RDF graph abstraction. We can imagine easily enough parsing
alice.ttl, bob.jsonld and carol.rdfa into similar triples, and
canonicalizing them into the same triples. But if they've signed quads, all
that canonicalization would be for nothing if the named graph URIs on each
triple were different in Alice's, Bob's and Carol's signing workflow. In
general W3C RDF and SPARQL leave it very open how to choose how to use
named graph URIs.

I can understand that the VC ecosystem may have well established
conventions for how to use the named graph field in the quads of an RDF
Dataset. But without that or something similar (currently not really
explained in the draft Charter) it is confusing how Graphs vs Datasets
plays out in the design. Some of the issues Peter is poking at in the
recursion thread, you could imagine handling differently via Datasets /
named graphs, for example.

cheers,

Dan



>
> -- manu
>
> --
> Manu Sporny - https://www.linkedin.com/in/manusporny/
> Founder/CEO - Digital Bazaar, Inc.
> blog: Veres One Decentralized Identifier Blockchain Launches
> https://tinyurl.com/veres-one-launches
>
>

Received on Monday, 24 May 2021 17:43:33 UTC
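
The graph-versus-dataset point in the message above (identical triples, different named graph URIs per signing workflow), as an added example that is not part of the original thread. The URIs, workflow names and helper functions are constructed for illustration; it assumes blank-node-free data, so sorting N-Quads lines is enough of a canonical form, and a SHA-256 digest stands in for the value that would be signed.

```python
import hashlib

# Constructed sample: one statement, as parsed from three serializations.
TRIPLE = ("<https://example.org/alice>", "<https://schema.org/name>", '"Alice"')

# Hypothetical signing workflows: same triple, different named graph choice.
ALICE = [TRIPLE + ("<https://example.org/graphs/alice>",)]   # alice.ttl
BOB = [TRIPLE + ("<https://example.org/graphs/bob>",)]       # bob.jsonld
CAROL = [TRIPLE + (None,)]                                   # carol.rdfa, default graph


def nquads(quads, keep_graph=True):
    """Serialize quads as sorted, de-duplicated N-Quads lines (no blank nodes)."""
    lines = set()
    for s, p, o, g in quads:
        terms = [s, p, o] + ([g] if keep_graph and g else [])
        lines.add(" ".join(terms) + " .\n")
    return "".join(sorted(lines))


def digest(quads, keep_graph=True):
    """Hash the canonical form; this is what a signature would cover."""
    return hashlib.sha256(nquads(quads, keep_graph).encode("utf-8")).hexdigest()


def rebase(quads, graph):
    """Apply an agreed convention: place every statement in one graph."""
    return [(s, p, o, graph) for s, p, o, _ in quads]


def compare(a, b):
    """Classify why two datasets would or would not verify against each other."""
    if digest(a) == digest(b):
        return "match"
    if digest(a, keep_graph=False) == digest(b, keep_graph=False):
        return "graph-names-differ"   # triples agree, only the fourth term differs
    return "triples-differ"


if __name__ == "__main__":
    print("alice vs bob:  ", compare(ALICE, BOB))
    print("alice vs carol:", compare(ALICE, CAROL))
    print("after agreeing on the default graph:",
          compare(rebase(ALICE, None), rebase(BOB, None)))
```
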