W3C

VCWG Spec Refinement

2026-01-21

Attendees

Present
benjamin young, dave longley, denken chen, dmitri zagidulin, elaine wooton, hiroyuki sano, ivan herman, joe andrieu, kevin dean, manu sporny, michael jones, patrick st-louis, phil archer, phillip long, ted thibodeau jr, will abramson
Scribe
your robot overlords

Meeting minutes

Recording Infrastructure Updates

Joe Andrieu: Yeah, I did not see that as I was looking in other chat channels. we can go get started. our plan was to just go through our issues together. go to any final decisions on labels we might need. specifically, to the version of the first that's going to go to CR. so let me pull that up and share screen. Does anyone else have anything to add to the agenda other than reviewing issues?

Joe Andrieu: Go ahead, Manu

Manu Sporny: I have one thing on a request from Ivan about the recording infrastructure.

Manu Sporny: Just a very quick three minute update on that.

Manu Sporny: So, that was the first thing. when you join the meeting, it asks you if you're okay with recording or not. I don't know if that replaces or does anyone object to recording the meeting thing. that's a question for Brent probably or one of the Phil W3C process is not clear on what exactly is acceptable does you clicking on a button saying that the meeting's being clicking okay mean that you're okay with it? would imagine so but that's the first question.

Manu Sporny: but Joe, I'd just probably do the standard, is until we have an answer, just ask if anybody objects to the recording. the other update is that one of the things that was a challenge was not being able to say things off the record. I found out that if the chairs create a breakout room, you can say things off the record. So, you go into the breakout room, the breakout room is not recorded. it does not show up. In fact, all of us can jump into the breakout room. Someone can say, we can have a whole discussion off the record and then once we're done with the discussion, we can come back into the main room. that is not nearly as nice as just telling the scribe to stop scribing, but it is possible. So, I don't know if that meets your saying things off thereord concern.

Manu Sporny: and then the final concern is getting the issues and the minutes linked together with topics. I'm still thinking about the best way to do that. the only option I can think of is that as people drop issues into the chat channel, they are timestamped. we can have the bot scan through the links that people posted and inject them into the minutes. and at that point, I think the issue the script that we have might be able to pick up on that and do the appropriate linking.

Manu Sporny: So I think those are the proposed upgrades to the infrastructure that would hopefully meet upon your remaining concerns about using the infrastructure and…

Manu Sporny: everyone else's, I mean, it's not just with the concerns. so I'll stop there. people yeah that would be just the chat channel in Google Meet,…

Joe Andrieu: I have a question about the last bit you said I heard you say there's a mechanism whereby someone on the call could list an issue in some chat channel and…

Joe Andrieu: that would be processed. Could you just walk through what that flow is again? Yeah.

Manu Sporny: so we're meeting right now and then there's a little text box in the bottom right of the screen. You click that, you paste the link in there and that goes into a separate file for whatever reason. It goes into a separate file. We would have to update. Currently, we totally ignore that file. it's just dropped on the floor, And then deleted after 30 days. and nobody has access to it but the meeting organizers. we can modify the process so that the bot retrieves that file and it only looks for GitHub links or it just looks for URLs and if it finds a URL it'll inject that URL at the appropriate timestamp in the transcript.

Manu Sporny: So it will show up in the transcript and then if it shows up in the transcript I think Avo PA's tool can then do the appropriate linking to the GitHub issue for example. Yep.

Joe Andrieu: Cool. Thanks,…

Joe Andrieu: Okay.

Phil Archer: Just very briefly,…

Phil Archer: I think what Brent said about this was as long as you say at the start of the meeting, this is what we're doing. This is how we're recording Any objections? and if there are no objections, you're good to Carry on. I think it's as simple as that. But I think you do need to say it out loud every time.

Joe Andrieu: Appreciate that, Phil.

Ivan Herman: Yeah. …

Ivan Herman: two questions. So, I try to answer both. I don't really know what it means to go to another room. I mean, maybe we will find some time to test it. Not necessarily today, but at some point. I mean it sounds very convoluted. does it mean that some people will leave this chat and going to another one so we don't hear them anymore or I don't know what it means. but it sounds extremely convoluted in any case. The other thing with the URL that's not necessarily enough because we need two things. one is in some way or other control the sectioning and then the adding of the links.

Ivan Herman: the adding of the links okay you can do that and that's great and that's part of the answer but what Pant one script does is at the moment I think that he picks the link at the very beginning of a section either in the section title or in the first line of that section and then he copies the section itself into the GitHub. at the moment, the sectioning is a bit Yeah, I see Dave Longlin do that. So, that we could use the topic like we do it in the usual IRC channel and add the URL into the topic or right after the topic.

Ivan Herman: If you can pick these two things together and pull it into the generated minutes, then I think that Panton's script will roll.

Ivan Herman: And I haven't written that one, so he is the final arbiter on that, but I think it would work.

Joe Andrieu: Okay, thanks Ivon.

Joe Andrieu: I should have done this as soon as you recommended it, Phil. I do think we're recording this. So, this is notice that we are recording this and your continued participation is acceptance of that fact. So, thank you for being on the call and Phil, thanks for mentioning that and saying that's what we should do. back to you, You're next.

Manu Sporny: Yes. So, what Dave said is what we could do. I think that would address the concern or, it would address that. Right now, the topics are autogenerated by the LLM. So the LLM reads the entire transcript and then it breaks it into four to six topics and then bunches stuff as it sees fit. we can get that back into a manual mode so that if somebody explicitly puts topic subtopic colon in a GitHub issue, it'll have the same function as it does today.

Manu Sporny: As far as the meeting,…

Ivan Herman: The you said GitHub issue.

Ivan Herman: You mean put the topic into the meeting chat?

Manu Sporny: that's correct. Yeah, but I think…

Ivan Herman: That's not…

Manu Sporny: if you put subtopic colon in the GitHub link,…

Ivan Herman: what you said.

Manu Sporny: it will go and create a subtopic and title it appropriately and all that kind of stuff. I think that works with one of the tools. I don't know which one. sure.

Ivan Herman: That works only the old one. that's the whole script which I put aside. so you cannot get the title back from the issue and generate the normal title or you have to somehow compromise P want to do the work for that because he took that over yeah of

Manu Sporny: I mean, it's all software.

Manu Sporny: we can add the feature where right it's clear how to do the technical implementation we just need to find out who gets to carry that ball. the other thing about breakout rooms it's not really that complicated that the chair there's a little button in the bottom right see all those little dots right by the padlock icon.

Ivan Herman: Come on.

Manu Sporny: the chair would click meeting tools, they would click breakout room, and they would force all of us into the room if somebody wants to say something off the record. it is more involved. but, I don't think it's complicated. It's just, the chairs push, someone says, "I want to say something off the record." they type that into the chat, the chairs see it.

Manu Sporny: the chairs force everyone into a breakout room or even a subset you can pick a subset of people and then once the conversation's over the chairs close the breakout room and…

Ivan Herman: Okay.

Manu Sporny: we're all pushed back into this room. So it's just the chairs clicking two buttons that does that process.

Manu Sporny: That's it.

Joe Andrieu: Okay. …

Joe Andrieu: I wanted to add two things. one, I agree with most of what you just said, Manu, about the breakout rooms. It's not as complicated as it sounds, but I do think it's a really high threshold compared to, hey, I need to say something that's off the record. and so that's just unfortunate. but if we have a topic that we're getting heated about, we could say, "Hey, let's move this to off the record so we have that option at least. it's just not ideal." But it sounds like we have some general consensus towards let's mine the chat log and we'll figure out how to leverage some of the tools and techniques in that we've been using in IRC over there. But my question is how do we prioritize and resource that work?

Joe Andrieu: as Ivon mentioned, we have to get PA to help or someone else to help. Someone's got to actually write some code.

Phillip Long: Oops.

Manu Sporny: I can always do it in my spare time which is how we're currently using the system we have now that doesn't mean that I can commit to a timeline would love some help if somebody else wanted to jump in but if not it'll just happen when it happens especially, I just need to know that, if I go to the effort of building this thing that we're actually going to end up using it.

Manu Sporny: I don't want to spend a bunch of time building something and then find out that someone's going to object to, the upgrades. That's it.

Joe Andrieu: Yeah, that makes sense.

Joe Andrieu: So, let me ask the group. is there anyone…

Ivan Herman: Sorry I wanted to answer money.

Joe Andrieu: who has any concerns about using the chat in this way? I see Ivon's on the queue. Go ahead, Ivon.

Ivan Herman: So I would propose with you or you and I as you prefer money talk to Kanttoan because he does maintain that script which is also an action which is used on various different working groups and some of the changes that he did was because so he is answering to pushes in some sense.

Ivan Herman: So if we talk to him and he will tell us the whole thing is written in rust. I don't know whether that's a problem.

Joe Andrieu: That's great.

Joe Andrieu: Okay, thanks Ivon. So this feels like we have a direction.

Phillip Long: Okay.

Joe Andrieu: We have folks who are interested in making it happen in Manu and we have resource constraints issues. So we'll put it on the queue but not expect it tomorrow. Manu I know it'll take Any other thoughts on that? All right. Let's move on to the issues. we have cherry picked a few of them although we don't have them flagged for that. But the first one is 12. confidence levels not sufficient on its own.

Confidence Levels and VCDM

Joe Andrieu: Dan, why did we choose this one to talk about today? He said blocked by charter.

Denken Chen: Yeah, let me take the look at this. So we had a agreement to add multiple subjects in the VCDN for more example description about the possibility of delegating mechanism or any relationship between the different subjects within the VC. So for example, I could add my family members to my medical pre prescriptions. So any of my family could hold that VC and present it to the drugstore to help me to get a drugs medicine.

Denken Chen: So I think it's blocked by we need a next VC charter to have some modification within BCDM.

Denken Chen: Yeah, that's it.

Joe Andrieu:

Joe Andrieu: I thought we were just going to add some examples in our document. And it seems to me, at least as I am understanding how we're going to tackle this, we are not changing anything that's conformant. just giving an example. So, where did we get into trouble with the charter? I see Evvon. Are you still on the queue? Or is that old? Ivon, you're both muted and you have your hand raised, but I'm assuming that's old.

Joe Andrieu: they can do I'm not sure why there would be a charter conflict if we're just adding an example into the confidence method spec.

Denken Chen: Is it reasonable to lead in the competence method because it probably …

Denken Chen: how do we describe the mechanism in the competence method about different credential subjects.

Joe Andrieu: So today the VCDM has support for multiple credential subjects.

Joe Andrieu: It's not usually led with.

Denken Chen: Yes. Okay.

Joe Andrieu: So some people don't understand that and are like, " how do I do these complex use cases that have different subjects involved? so the mechanism is already there as I understand it in VCDM. What do you think would need to be changed? Thank you.

Denken Chen: So I'm thinking about what to describe for this confidence method. So for example, we already have spouse description in the credential subject in example 10 of VCDN. So we could take that example and describe more use cases in the compet in a new competence method. Right? Is that your visioning?

Joe Andrieu: So, right, we could build an example based off of example 10. So, I agree with that.

Joe Andrieu: Not sure yet where the charter is getting involved. Ivonne, I see that you're off mute and you reactivated your raised hand, so please go ahead.

Ivan Herman: Yeah, I am sorry for the previous step.

Ivan Herman: I was looking for the charter and got messed up with the windows.

Phillip Long: Okay.

Ivan Herman: So, there was a recent change on the charter proposal. I don't remember exactly when and that recent change allows us to change the already published recommendations. so I will read out loud. no, put it in the chat to make it clear. This is what the charter says about in this case VCDM.

Ivan Herman: And I draw your attention to the point that if to support the new recommendations produced by the group. So put it clearly we have the right under the new charter to modify in this case the VCDM…

Joe Andrieu: Go ahead, man.

Ivan Herman: if the new recommendations which is the one they are discussing require that convoluted way to say that we don't have to do anything with the chartered proposal in my view.

Manu Sporny: Yeah, plus one. I don't think there are any charter issues. with addressing this, I think we are ready for R in looking at the example on the screen. I think if we wanted to add a confidence method and associated with each spouse or sorry we just put it in each object the Jaden do would have a confidence method that would allow them to assert that they're that subject and then you'd have a confidence method for Morgan Doe as well.

Manu Sporny: and it would allow either one of those people to say that they're the holder and then assert, that they're also that particular credential subject. so I hope this is a fairly straightforward thing. I think we have everything that we need to create an example here. That's it.

Joe Andrieu: Thanks, V. I wrote down something that doesn't make any sense to me. my question was for you, ne. obviously if I looked at the charter text, I might be able to figure it out, but this says no new normative feature for those specifications. are render method and competence method in the set of those or are the things that really we haven't even quite gotten to a full 1.0 still open to normative changes?

Joe Andrieu: I no that's a good point.

Ivan Herman: Phil was in the queue or…

Ivan Herman: do you want to answer me right now? so no those refer to we are maintaining a bunch of recommendations the ones that we had published about a year ago and…

Phil Archer: Go forever.

Joe Andrieu: Okay go ahead.

Phil Archer: Don't worry.

Joe Andrieu: Thanks. Okay.

Ivan Herman: there are those original restriction that no new normative features will be introduced for the VCDM. So in this case the one that we are allowed to modify for these things is the VCDM.

Phil Archer: So the confidence method or any of the other ones that are already in flight or planned we have the ability to update VCDM if we need to. but there will be screams around the room if we do that because if we need to update this BCDM and let's be honest we might but you've got to go through the whole process again with all the candidate w implementation reports and everything else. So yes, if we're working on a new specification which includes the confidence method, we can make it changes to the VCDM, but you got to be really sure you need to before you do that.

Joe Andrieu: Okay, thank you, Phil.

Biometric Portraits PR

Joe Andrieu: Okay, I think that's a great closure on this. I think I captured it on screen. Thanks, Phil. Any other thoughts on this issue? Otherwise, we'll move on to the thanks folks. Next one is 14 which we have as ready for PR and needs discussion.

Joe Andrieu: Dacon, did you want to talk about this today or just review its status as we need to set up a deeper call? Thank you.

Denken Chen: Okay, sorry. Okay. So, I'm just want to make sure the status like wait make it ready for today or do I need to prepare some early example for the spec before label it into ready for PR.

Joe Andrieu: That is a great question. I'll give you my first blush response and people can chime in. I think if you see a clear path that makes sense to you that doesn't feel controversial, you can go and do a PR and my sense of it. But if you want feedback because there are choices you have to make and you'd like to get some input from the group before you commit to specex then we can talk about it some more. Manu go ahead.

Manu Sporny: Yes, plus one to that. I don't think we should raise a PR before we talk to MOSIP about this because they have work in flight, that they are deploying in production. and if this doesn't work for them, then we're not doing the right thing, in my opinion. So we really need most engagement on this. I will also note that the biometric stuff is not as simple as it seems on the surface. There are all kinds of privacy concerns that It is probably going to be one of the most difficult features that we would do for confidence method. So I don't think we should underestimate how difficult this thing is going to be.

Manu Sporny: for example, if we look at the MOSEP thing, there's a choice that you need to make around biometric templates. Which ones are you going to use? They are including things like iris template, all fingerprints, facial template, that makes me nervous. but it's the only way that they can identify some of the people that are in rural areas because those individuals have no other legitimate or government issued ID and they're not going to right yet they need to receive aid from the government to plant crops and raise livestock and things of that nature.

Manu Sporny: So, all that to say, this is not a simple PR. and we should talk to MOSIP and we should try to see if we can align with them. And ideally, they would be the one proposing it. and ideally we start out with something easier. I don't know what an easy biometric is. I mean even the template formats there are multiple different template formats for everything Iris has three different standards facial templates have 50 different standards then so on and so forth.

Manu Sporny: So just some feedback on this. this is not an easy thing. and it may be something that we want to wait until we pick some super simple thing and…

Joe Andrieu: I want to plus one that last thought you had and…

Manu Sporny: then wait for all the other complicated things in a next revision. that's it.

Joe Andrieu: I think it moderates what I was expecting you might do. Denin I think with the Taiwan's digital ministry you are working on digital biometrics and so it may be that the incorporating MOSIP in that work may be too early but we can go to PR on your proposal for what would work for you in that context as a starting point and that feels like what you just said man let's do a simple one and…

Joe Andrieu: then we can tease out how we might plug in MOSIP because they are dealing

Joe Andrieu: with far more complexity than most of us have had exposure in this space. Thank you.

Facial Picture Biometric PR

Denken Chen: So I think today I will try to limit the scope to face portrait.

Denken Chen: I mean in this draft we already have a biometric portrait image encoding the image in base 64 and most has a type of biometric for person's face biometrics.

Denken Chen: So I think that's one I will look at as a first example to incorporate into our competence method. in our case we are mostly concerned about using the face portrait image.

Joe Andrieu: does it make sense to create another PR that is this first pass at a biometric method and…

Joe Andrieu: and have it be distinct from this let's reach out to MOSIP let's get a deeper sort of engagement and support that because that seems like a simpler PR to work with. Thank you.

Denken Chen: I think it's also available in most of the government issued credentials and I have a regular meeting with most now so I will reach out to them for advice or comments.

Joe Andrieu: Okay. go ahead, man.

Manu Sporny: Yeah, a plus one to what you said, Joe, plus one to what Denin said. I do think facial biometric is the easiest one. and a picture is it definitely makes it much easier. things to avoid there are biometric facial vector templates that are a patent minefield. anytime you get into biometric, templates, it's like patent minefield, right? So we would have to do some pretty good due diligence to pull those in. but a picture of a person fairly easy, to Denin, one of the other things plus one to splitting it and working in two different PRs and just focusing ultra focusing on just facial picture.

Manu Sporny: Denin, one of the other things that I'm hoping that you would put in there is I'm wondering if we should put some kind of mandate that you should make it selectively disclosable. Meaning you should not have to just hand over a picture of yourself whenever you're disclosing these things. And we should really start pushing the industry towards selectively disclosable confidence methods in general. I might maybe that that's a general confidence method thing like all confidence methods should be selectively disclosable. we'd love to go The only reason I think we might not want to go to must is because some people are just using technologies where you just don't have the selectively disclosable option.

Manu Sporny:

Joe Andrieu: Cool. Thanks,…

Manu Sporny: but maybe we should do a little bit of lecturing in the specification of you really should be making these selectively disclosable if you can. That's it.

Joe Andrieu: Okay, this sounds straightforward. thanking that suggests we're going to create a new issuer PR for the simple version.

Joe Andrieu: Do you want to take that on or would you like me to? One of us should.

Denken Chen: Yeah. Yeah.

Denken Chen: Just take that.

Joe Andrieu: Okay, And I'm not closing the issue, but we'll close this stage of the agenda and move on to the next issue.

Confidence Levels in Evidence Field

Joe Andrieu: Okay, the next one was 16 and Dan, you had also thought this was blocked by recharter. and your notes that you sent me charter PR to change from confidence methods to confidence. I think this is on me so you have charter PR to change from confidence methods to confidence. I remember having that discussion and then adding assurance le level as an evidence field in the VCDM.

Joe Andrieu: Okay, I'm remembering that now. Thank Anyone speak to

Denken Chen: So we had a discussion about whether to put this confidence levels.

Denken Chen: So in the discuss discussion we agreed that this should be one confidence level or one assurance level corresponding to one VC. So that would be VC level of things and the most appropriate way to express that is in the evidence field in BCDN. So I think the most proper way is to describe how we could use the field evidence property to express that level of assurance. Yes.

Denken Chen: So we should make it clear that whether we should wait for the recharter of the VC

Joe Andrieu: I feel like this should have been assigned to me.

Joe Andrieu: I think I verbally said I would take care of that. Ivonne, go ahead. in this case we wanted to change the title of the spec from confidence methods to confidence…

Ivan Herman: Before I don't fully understand…

Ivan Herman: what is the charter issue here. I have two reactions on that.

Joe Andrieu: which lets us open the scope a little bit. So it's just that one word

Ivan Herman: It's not strictly necessary because the working group has the right to change the specification title at any time.

Joe Andrieu: okay.

Ivan Herman: This is not a chartering issue and the document has already been published in the first public draft with the current title. So that would be necessary anymore. the second answer independently of the previous one. if you want to change something in the charter proposal then you have about a week because I have gathered all the green light to move on to the AC vote and…

Ivan Herman: I plan we will have to discuss with the chairs to Friday but I plan to move on to the AC sometimes next week but as far as I am concerned I don't think that you need to change distractor.

Joe Andrieu: Okay, great.

Joe Andrieu: I think I'm keen to just close this then. anyone think that's crazy? Go ahead, Manner.

Manu Sporny: not crazy and I certainly won't stand in the way. it's good to have the charter is going to stick around for a long time and we sometimes refer other people to the charter and it's good to align as much as possible before the thing set in stone and we definitely can't change it, So, we have an opportunity here to change some words to make it easier for people to kind of understand what we're working on.

Manu Sporny: I suggest we do that since we have a week to do it

Joe Andrieu: Okay, I'll assign this to me.

Joe Andrieu: Whoops. That was not how I do that. and I think this is something I can probably do today now that I'm on the other side of the threat modeling Any other thoughts? I think we can move on. go ahead, Will. Correct.

Will Abramson: Yeah, just something You said you're going to rename it to confidence. I think there's another issue linked here maybe verifiable credential confidence.

Will Abramson: I think just having a spec called confidence feels a bit strange to me.

Joe Andrieu: Yeah that's a valid point.

Joe Andrieu: My thought is this is much broader than VCs. right I can see confidence levels is simply being part of how you do authentication with a DID right independent of a VC. that said the spec is called VC confidence method as a short title. maybe the long title should also have it. Manny

Manu Sporny: Yeah, I thought we were just going to remove the word method and then we would expand it to say defines mechanisms. So it's strike the word meth from the charter strike the word method and make mechanisms plural.

Manu Sporny: And that was the change we were talking about.

Joe Andrieu: Hey, Could you restate that?

Ivan Herman: Yeah. Getting to follow up to one…

Ivan Herman: what money said if getting to the way of saying that this goes beyond the verifiable credentials etc. that would raise a lot of eyebrows. I would not go there even if it's on long term your intention but let's not go that way because then it becomes a totally different ball game.

Joe Andrieu: I didn't follow what you were.

Ivan Herman: You said that this is something that goes beyond the verifiable credentials. I would not put anything into the charter that would suggest that because that would raise lots of eyebrows.

Joe Andrieu: Plus one. I appreciate that, Dave.

Dave Longley: Yeah, I was about to put my hand back down. I think it's been covered now. but I'll just reiterate. I think changing the singular a mechanism that's in the current charter text to mechanisms would be sufficient because then it would read that this spec defines mechanisms that can be used with the BCDM to increase a verifier's confidence about a particular subject identified in a verifiable credential.

Dave Longley: I think that includes defining new evidence mechanisms or evidence extensions which there's already an extension point in the VCDM for evidence. We can define evidence types in this new spec that would have whatever is needed.

Joe Andrieu: Okay, cool.

Joe Andrieu: All right, I'm going to go and comment on this and we can move on to the next issue and I will make an effort to subtopic before we start typing. Sorry about that. so the 17 is next and I'll let you introduce it Dan. It seems like you mostly just wanted to have a conversation.

Biometric Privacy Concerns

Denken Chen: Yeah, I would like to keep this as the open discussion. I'm probably not going too deep today. but one thing I would like to highlight is in the last meeting Brent mentioned he would love to in include pass key support for this or at least do some early research on it and so we can keep human eye on it. And so for now today we try to understand our first draft. The scope will probably limited to the first one is a facial image and the second one we will talk about it later. Yeah.

Denken Chen: So that's why I would like to share and so I suggest that we today should really go through all of the issues and…

Denken Chen: make final decision for our first draft. Yeah. this one just keep it or…

Joe Andrieu: Okay. I'm not sure…

Joe Andrieu: what the decision is you're looking for on this one.

Denken Chen: need discussion as is.

Denken Chen: So I think if there is anything that people would like to talk about this issue please raise your hand or I suggest we go through all the issues today.

Joe Andrieu: All right.

Joe Andrieu: So, this is a heads up for folks to dive into this if you care about these items and we will be revisiting this discussion likely in the future. All right. We'll move on to the next one.

Joe Andrieu: Okay. 20.

Joe Andrieu: You want to introduce this one? Thank you.

Denken Chen: Yeah, I think we talked about this to added also a initial competence method example and…

Denken Chen: Joe you will be drafting the first PR. So we could remove the need discussion and…

Joe Andrieu: Excellent. …

Denken Chen: just make it ready for unless there's other concerns.

Joe Andrieu: I think this is ready for PR. let me see if the conversation suggests otherwise. And I see Manny raised his hand. Go ahead, Manny.

Manu Sporny: Yeah, I mean plus one. I'm looking at Denin's proposal down at the bottom and it looks good. the only thing that I was wondering about was the last part of your example Denin where we use a decentralized identifier document. that might need to be just decentralized identifier and then the question becomes which one of the verification methods are you going to use I would presume it's authentication and maybe that's what we say in both of these cases the expectation is that it is used in some kind of authentication process the other thing about specifying a multi

Manu Sporny: key is you have to run it over a protocol and we should probably talk about the protocols where you can utilize these confidence methods. So we have one protocol that is in scope for our next charter VCOM it does specify how you do a D off in it. so we should at least reference that. other things to consider are JSON web keys and the DOP stuff that you can do over OOTH. I don't know if we're going to say anything about that either.

Joe Andrieu: Go ahead. I

Manu Sporny: And I would expect we would have to say that at some point for people to be able to actually use confidence method within a protocol.

Manu Sporny: That's it.

Ivan Herman: So I'm looking at that example and…

Ivan Herman: that rings a more generic bell for me. It uses in this case Who defines that type? Where is it defined? Is it an example this definition or just it come out of the blue air? remember that I am the one who is always shouting about the proper vocabulary and this is in the vocabulary area where does it come from and this is not only on this example in general both documents that we are working on have this kind of examples…

Ivan Herman: where I don't know what is formally defined I don't know is there for the purpose of an example or it comes from elsewhere and that always bothers me.

Joe Andrieu: cool. Thanks,…

Joe Andrieu: Ivon. I agree that, yes, we are going to have to create a new type. We're going to have to do all the work that entails. and we have not yet done this. I actually think this type probably did or it's u verification method. and I think that's one of the things that's missing here, Denin, is that I think the identifier for the confidence method in example the second layer here doesn't have the details to get to a specific verification method.

Joe Andrieu: to Manu's point what are we supposed to just use any authentication method in that did document I think that's probably not as appropriate as the first one which points to a specific key although I want something in here that says this is a did off confidence method so that's my feedback go ahead manu

Manu Sporny: Plus one to what you just said, we probably do want it to speak to I guess a protocol more than I mean although the verification method thing sounded fine to me as well which is not necessarily protocol. So that's interesting. we can try and sort it out in the PR, but I don't want Denin to put in the time to put in a, that, is going to be pushed back against. So maybe more discussion As for, Ivon, yes, we need a new type. My expectation is that it would go in the security vocabulary.

Manu Sporny: I don't think we should have a separate confidence method vocabulary. That feels like it would be kind of ick. security vocabulary and then if we can't fit it in security vocabulary, the verifiable credential vocabulary, but again, I think that's the second option. and then we would need to include it in the next the VC21 context or the 20 context or whatever we end up doing. but I think there's a semi clear path there. The we'll work out the details, but I think we can go in that general direction with the vocabulary

Manu Sporny:

Joe Andrieu: Plus one for that.

Joe Andrieu: That seems to make sense. I wanted to add that I think that the way I'm approaching this particular one I think this should be assigned to me. so I think I'm the one stuck with the PR man. is at least for did o I'm approaching that as conceptually free but I will mention two protocols as examples and one is hey you may have gotten this in a VP and the signature on the VP is one way to have that confidence and then separately you have this verification method you can engage in any protocol you want and I think at that stage it's also appropriate to pull in BCOM to the extent that

Joe Andrieu: that's mature enough to reference. but I think in essence the verification method itself is like an atomic element that however you manage to interact around it is sort of at another layer in my thinking. So I saw a thumbs up from so maybe that's So this seems straightforward for me. I just need to wrap my head around what all do I need to write for the did off but otherwise I think it's on me and I think the issue labels I don't know that we need any more discussion. Does anyone feel we need to keep talking about this? We can revisit in a future call but feels like I could remove that label and the roaring science endorses my executive decision.

Joe Andrieu: So, let me go and get rid of the needs discussion. Thanks, next up then 21. And I see Danken that you queued up for that.

Denken Chen: Yeah, I will address privacy concern including suggesting that all competence methods should be selective disclosable. I think it's a good reminder from Ted and also Manuel mentioned it as well. Yes. So I think if there's anything others we would like to be included please have a discussion here or…

Joe Andrieu: Go ahead, man.

Denken Chen: we can just take it as ready for PR.

Manu Sporny: Yeah, plus the selectively disclosable thing. I think we should also maybe speak to what happens if you don't selectively disclose this, I mean, it is a tracking vector. for example just because an MDL portrait image is selectively disclosable the second you disclose those unique bytes are a unique token which can be used to track you globally right so the next time you present that same thing the identifier is the same even if the signature is different even if it's a totally different thing unless there's some fuzzing that's done on the biometric image which we are not talking

Manu Sporny: about doing that creates a unique thing. so there is I think future R&D to be done around verifiable fuzzing of biometric portraits so that when you do show it over and over again it's not the exact same bite sequence. but even if we are successful in doing that and get there it doesn't matter. LLMs are way good enough at recognizing faces now that no amount of fuzzing that we do is going to probably protect an individual once they've shown their biometric photo through the credential.

Manu Sporny: So, we should talk about, what happens when you do share, images of yourself. and maybe focus on some of the less known kind of dangers, global tracking and again I mean the harms are different than you just going to the grocery store and using a selfch checkckout kiosk you don't necessarily know what they're doing with those images or your face so we should say a lot about using biometric portraits and photos in these credentials and I think the general position of

Manu Sporny: the specification should be don't share it by default don't share it right and then if you do share it you should really understand what the policy on the other side is clearly like the general population can't do that and so understanding something like retention policy right lambd has we promise we're not going to retain this thing although I don't know necessarily how that sort of thing becomes important right intent to retain intent to use that sort of thing.

Manu Sporny: we should also probably mention what hap you can have an entity where its intent to retain is they don't intend to retain it but they pass it to an upstream vendor who may not follow that same policy right to do the betting these biometric things go through third party vendors not every single one of them has the same privacy policy so we should speak to

Manu Sporny: those dangers as we should probably also refer to the EFF's latest response on online age verification and the things to look out for. they specifically mention a company and their policies that are concerning and problematic. That's it.

Joe Andrieu: Do you have a URL for that That would be great.

Manu Sporny: I will find it.

Joe Andrieu: Okay. I think I captured all that. I one of the things I want to honor is trying to wrap up five minutes before the end because that Zoom insanity that happens when you're back to back. but before we actually wrap, Denin, did you have anything else you wanted us to discuss before we do that?

Denken Chen: Yeah. No, the remaining issues are minors. So, okay.

Joe Andrieu: Anyone else have anything to add to the agenda or we will yield the last few minutes of the hour. I do manage link so I will get that into the comment. Thanks I think that's a wrap then. Thank you all very much. Danken, thanks for the prep work and…

Joe Andrieu: the help running this. And we will see folks. When's our next one, Danken? I guess that's a good question.

Denken Chen: I think next week is for rendering method and…

Denken Chen: we will be the week after next week.

Phil Archer: the fourth.

Joe Andrieu: So, the 4th of February,…

Phil Archer: Yeah. Yeah.

Joe Andrieu: Phil, is that right with regard to the rest of the ECWG meetings?

Phil Archer: And then 11th is full working group meeting that I can't attend for reasons I won't bore you with. so I guess then it'll be render method on the 18th and…

Phil Archer: then confidence again on the 25th. I think that's the way it'll be.

Joe Andrieu: Okay, excellent.

Joe Andrieu: Thank you all very much. That's a wrap and we will see you on those dates, I hope. Cheers, folks.

Phil Archer: Thanks. Thanks everyone.

Minutes automatically generated by a Large Language Model (LLM), transcription errors are expected and might not represent what was said during the meeting. When in doubt, check the associated recording.