Meeting minutes
Phil Archer: ok, lets get underway
… we're still kind of in a rebooting (rechartering) of the group
… and this is the first time I've chaired a meeting under a new charter
… I'd like to ask people who we haven't heard from before to introduce themselves
… I'll also introduce myself
… I've been at GS1 for over 9 years. before that, I was at W3C over 8 years,
… I worked on mobile web, other data standards, looked after the Semantic Web suite and some other things
… I've chaired various groups, most recently RDF Canonicalization group I cochaired with Markus Sabadello
… when I chair like this, I will do my best to be a neutral independent chair
… if I need to switch my hat to a GS1 representative, I will say so
… but will do my best to stay neutral
… are there any others in the group who want to introduce or re-introduce themselves?
Elnar Hajiyev: (no irc nick I think) hi everyone, this is my first time joining this call
… I come from a company called Realize (sp?), we work on biometric solutions
… we recently became members of the VC WG, in order to work on VC Confidence Method, specifically related to biometrics
… hopefully we'll be able to help out there and push the topic forward
… since we have natural interest in that area
Scott Jones: (no irc nick) Hi, I'm a colleague of Elnar Hajiyev,
… collaborating on privacy preserving client side biometrics
… excited to be part of this group
Phil Archer: ok, lot to get through
… I'd like to go through the Task Forces
… lets start with -- Scott Jones and Elnar Hajiyev mentioned they're interested in Confidence Method, lets start with that
Task Forces
Confidence Method
Joe Andrieu: main think we did at the Confidence Method Task Force is to choose a meeting cadence
… every other week, starting next week
… on Weds
<Susanne Guth-Orlowski Guth-Orlowski> Yes, sorry, was not able to unmute fast enough. I introduced myself last time. I am here to work on the DPP vocabulary.
Ivan Herman: I added it to the calendar, made it every week by accident. should we change it to every other week?
Joe Andrieu: let's change it, make sure people don't show up by accident
Phil Archer: thanks Joe. One question -
… how far are you away from seeking wide review, for the Confidence Method?
Joe Andrieu: pretty far. we don't have yet the spec text the meat of the spec of various methods. we still need to write up the biometrics method, etc. we have the framework
… and we do have the question of -- evidence vs Assurance Level vs Confidence Method
… so that the group can help decide terminology
Phil Archer: should we set aside one of these meetings to decide on that?
Joe Andrieu: yes? I'm not sure how much time it will take
Phil Archer: it's making good use of the time, allowing the meeting to be genuinely useful to everyone
… like, today is for generally orienting everyone
… but like you said, we should specifically add it to an agenda
render Method
Dmitri Zagidulin: Regarding VC Render Method
Dmitri Zagidulin: I'm not sure we've set new meeting cadence, we're working on the broad categories of the render methods.
Dmitri Zagidulin: We have an iframe/sandbox method, talking about general purpose template substitution method is useful or not, or if iframe supercedes it.
<Patrick St-Louis> +1
Dmitri Zagidulin: Discussing what to do with OCA proposed method and one other existing one. Ongoing work, not sure how close we're to asking for broad review. Would like to do it sooner than later...
Phil Archer: Don't have to ask all the groups at the same time.
Phil Archer: You could ask groups sooner rather than later.
Phil Archer: one issue that came up yesterday in one of the TFs is the security issue
… whether every one of our specs needs a regular Security Considerations section
… OR if we can write one Thread Modeling document, and point to it
… I'm hoping we can do that latter one
… I've already sent an email to Simone, Security Lead at W3C staff, let's see what happens
… I'd like to invite him to one of these future meetings to possibly answer that
<Patrick St-Louis> how do I get on the queue?
Phil Archer: that raises the question - who's going to write the Threat Model?
… I'm initially thinking Joe, but he's busy with Confidence Method
Ivan Herman: one step at a time...
Patrick St-Louis: just wanted to chime in, Dmitri mentioned an OCA render method, that was my one proposal,
… last thing to discuss was - do we want to define an OCA specific thing in Render Method, or whether it fits into a broader method category
… so we still would need to discuss that
Phil Archer: should that be a full WG discussion, or start with the TF?
Patrick St-Louis: we can start in the task force, yes
Joe Andrieu: I'm happy to help out with the Threat Modeling stuff
… however I will at least need a domain lead on each of the specs. since they each need their own threat model
… what Simone and I have been trying to figure out (this and the DID work are tough litmus tests) -- within a set of related specs, how do you reconcile that
… individual threat models vs a monolithic threat model
… so, I'm happy to be an overall editor, but will need individual domain experts
Ivan Herman: that worries me slightly, as a general problem (and I'm not sure if it's something you can comment on)
… it looks like the Threat Modeling approach, for security, it's still in the process of forming
… (like, you mentioned you're still working with Simone on it)
… and we have 12 or 13 docs in this WG to go through
<Joe Andrieu> https://
Ivan Herman: so I feel a little bit uneasy for this WG being the experimental subject, for this new process
… we already have our hands full as it is
… could we get away with just using the old method, of Security Consideration sections?
… while the Threat Modeling approach is being worked out?
Joe Andrieu: I know change is hard, and every transition is going to feel like this
… I have to endorse Simone's perspective and experience -- seeing these Security Consideration sections, it's hard for reviewers to fully overview
… that's what we're trying to address, to have it be a higher value security review
Joe Andrieu: if we at all can, we shouldn't refuse this opportunity
Manu Sporny: I agree, we should transition to the Threat Modeling approach
… Joe, I'm not sure if you saw my email to the security mailing list, asking -- if we're doing a Threat Modeling doc, do we ALSO need a Security Considerations section?
… does a Threat Model meet the horizontal review reqs?
… Simone responded, but it's unclear.
… so, I'd like to assert -- I want us to write a Threat Model, and when we go to horiz review, neither Security nor PING should also ask for a Security Considerations
Phil Archer: that's my concern too
… with so many docs in flight (which is a good thing) -- if we have to write one or more Threat Model docs before we write other ones, that's a lot of work
… but on the other hand we want to avoid copying and pasting
… so, we do need that answer for Simone
Joe Andrieu: haha yes sometimes it's confusing
… my understanding is -- from SING's perspective, you COULD simply have a Security Consideration section "go read the Threat Model"
… I think it's more readable, for people reading the spec, if we contextualize that "go over there and read" a bit, with some paragraphs
… like, mention tamper evidence with VCs, etc
… I don't think there's a bottleneck, with the Threat Model docs
… that's how we're dealing with it in the DID WG
… so that will hopefully provide an example
… other thing to add - I have JSON-ified the presentation layer in our DID Resolution Threat Model,
… and we'll have a repo of that, which we can use as template
… for consistent look and feel
… what we DON'T know is whether or not PING will accept privacy considerations in the format of a Threat Model
… we think that the Threat Modeling guide can encompass privacy threats, but I haven't confirmed with PING yet
… I'm hoping that if we go into the Threat Modeling doc with both Security and Privacy in mind, we can cover both
Phil Archer: SING is the Security Interest Group, PING is Privacy Interest Group
Manu Sporny: the other question is - can we put the Privacy Threat Model as an appendix?
… or do we need like 20 different separate documents (which could get out of control)
Joe Andrieu: yes, absolutely. (when I made a sample Threat Model for the web as an example, I was shocked how long it became). But, an Appendix is a reasonable approach, it does not need to be a standalone note
Manu Sporny: I think we should, in the threat model, tag some threats as Privacy Threats, and then treat that as our Privacy Considerations section
<Joe Andrieu> +1 to advance that proposal to PING
Phil Archer: I think you're right
… that's partly why I'm constantly asking for wide review -- because it takes so long, to get the ball rolling
… thank you. I will follow up with Simone
Phil Archer: ok, let's move on, I want to hear from other Task Forces
VCALM
Patrick St-Louis: I want to preface this by -- this is my first time being actively involved in W3C VC WG standard process. I've observed from outside, but welcome guidance and tips
Phil Archer: guidance: RUN WHILE YOU CAN
Patrick St-Louis: ok, we had a good discussion yesterday
… about the state of VCALM
… a review of how the spec has been progressing
… we voted on presenting a First Public Working Draft (and it was unanimous), but we want to vote here on the wider group
Phil Archer: do you prefer Patrick or Pat?
Patrick St-Louis: Patrick
Phil Archer: thanks Patrick. Next one: Barcodes
Barcodes and Data Integrity
Phil Archer: would that be you, Elaine Wooton?
Elaine Wooton: that is me -- yes, that's me and Wes
… we'll do a poll on whether a different meeting day might be better
… the draft is in good shape.
Phil Archer: to come back to what Patrick was just saying -- I'm well aware that both VCALM, Barcode and Data INtegrity task forces want to publish FPWDs
… for input documents
… ideally, what would happen now is that the full group would have a week at least to take a look at those documents
Wesley Smith: wrt readiness of wide review of the Barcode Spec -- the majority of the doc is ready for wide review, but there is one significant feature that the group needs to decide on,
… and that's whether (and how) to add a Quantum-Resistant feature to the spec
… the rest is just polish
Phil Archer: you should submit for wider review anyway. (once you submit, you won't hear for 8-12 weeks, so it might make sense to kick it off early)
Wesley Smith: ok, that's good to know. I'm not sure about right now, but we'll kick it off when the end is in sight
Phil Archer: right, so, there's various TF resolutions to public input docs from the CCG as FPWDs
… generally speaking, what would happen in such a transition is - this group would have at least a week to look at the docs,
… these publications, although they're driven by a relatively small group of people working on the doc, they're made in the name of the full group
… so whether or not your name is explicitly on the doc, as a participant of the WG, you're tied to the documents
… so I think it's particularly important on various transition milestones (FPWD, CRs, etc) -- it needs to be a full WG decision
… the reason I'm happy to shortcut this, in this particular case -- the docs we're talking about have been public for a very long time
… they've been published by the CCG, they've been in the charter, etc, for a long time
… so it's not like it's new text that just came into being
… so, if we don't decide to publish FPWD, it'll be May before it happens
… I'm well aware that if you're in a group like this, it's easy to be intimidated (lots of middle aged men, native speakers, strong opinions)
… especially if you're a person who's naturally client. you may be wondering "can I argue with people?". Answer: yes, you can, please do
… we will do everything we can to make you feel comfortable
… the person with the loudest voice does not necessarily know more than you
… please know that it's safe to make your opinion known, nobody is going to laugh or denigrate you. that's absolutely not how we work, and we wouldn't put up with it
Patrick St-Louis: thank you for saying that. as somebody who's used to be very quiet in social settings, it's hard to voice your question, but many people will benefit from it
… so, it resonates a lot
Phil Archer: thanks. So yes, whatever your background, if you have a question, just q plus in the chat
… we want to hear from you
… the Code of Conduct is there, but it's also deeper than that. your view is important.
… ok, so, by publishing these docs as First Public Working Draft, that's a statement from everyone, from the whole group
… my proposal (due to the fact that these docs have been out there for a long while now) is to accept these as input docs
… any comments?
Manu Sporny: thanks Phil, I'm very much aligned with everything
… the other thing I want to make clear -- we don't have to agree with everything in FPWDs
… it's just a statement "hey this is the general direction we're going with, what does the wider world think?"
… but doesn't mean we agree with every word or sentence in there
<Phillip Long> +1 to the working draft being a statement of intent, not formal agreement
Ivan Herman: to go into details on FPWD publication thing
… for the Barcode doc, the title says "v.0.8"
… I think we should publish it as v1.0
… in my view
… VCALM is fine, it's already 1.0
… in both docs, we have to decide on the "shortname"
… we have already shortnames "vc-barcode" and "vc-vcalm"
<Manu Sporny> not vc-vcalm -- just vcalm
Ivan Herman: er sorry, just "vcalm"
… but I wonder if we should include the version number in the shortname
<Manu Sporny> not "vc-barcode" ... "vc-barcodes" :)
Ivan Herman: I realize that previously, for 1.0, we had version-less shortname. and I want to avoid that
Manu Sporny: +1 to Ivan Herman's suggestions, we should have a dash version number in the shortname
<Phil Archer> PROPOSED RESOLUTION: The WG endorses the resolutions passed by the barcodes and data integrity task force, and the VCALM task force (see https://
Manu Sporny: I want to make sure we get the shortnames right. it's "vc-barcodes" with an s, and "vcalm"
Phil Archer: given what you just said, do you want to amend the text of the resolution?
… ok, Manu Sporny or Ivan Herman, please create the text for the resolution that includes the shortnames
… next, I want to talk about a new subgroup/task force, about Vocabularies
Entity Recognition
Phil Archer: oh but first let's talk about Entity Recognition TF
… there was a long discussion about the task force name itself. (and the document title, and the Shortname)
… we're not quite ready, still discussing
Ivan Herman: just reminding - we have a resolution from the Barcode Group, about the DI and Cryptosuite publishing
… we have to have separate explicit resolutions for each doc
Phil Archer: right, that's the bit Manu Sporny is working on
Vocabulary
Phil Archer: ok, so I want to talk about the yet-to-be-formed Vocab TF
… several people joined W3C to work on that
… Susanne Guth-Orlowski, plus some other people not on the call currently,
… Susanne Guth-Orlowski, do you want to say a few words?
Susanne Guth-Orlowski: thank you. what we need is to put together a base Passport vocabulary
… for various products, certificates
… Digital Product passport
… and conformative credentials
… derived from Digital Product Passport
… we have restrictions from all over the world
… VCs luckily became one of the formats that Digital Passports can be issued in, so we need to work out the vocab / semantics
Phil Archer: one of the people in the Entity Recognition TF was Steve Capell, who was the leader in the UN protocol work
Patrick St-Louis: so the UNTP spec already has some terms / vocab for related things
… is this something we want to redefine at W3C, or can we reuse UNTP? Or give to UNTP to publish?
… basically, I don't want to split the work
… or step on toes
Susanne Guth-Orlowski: I've also been working with UNTP for the past few years. The only home we had for VCs for Digital Passports was UNTP for a while,
… of course we don't want any divergence between us here and UNTP
Phil Archer: agreed. I want to point to an example of your concern being addressed (the thing you're worried about DIDN'T happen)
… and that's the https://
… what it says is "use Dublin Core" or similar existing vocabularies, and only define new things
… so that's my expectation here too. what the W3C work will say is "you see the existing UNTP work, use that"
Phil Archer: the other thing I want to ask people about is --
GDC 2026
<Phil Archer> https://
<Joe Andrieu> maybe
Phil Archer: is anyone going to GDC 2026 in Geneva in Sept?
Susanne Guth-Orlowski: is that the Identity Conference?
Phil Archer: it's the Global Digital Collaboration conf, lots of work on wallets, credentials, etc
<Phillip Long> Maybe - I went to the first. Still determining if I can make the next.
Phil Archer: it was in July last year
<Elaine Wooton> I may or may not.
Susanne Guth-Orlowski: I'm not sure, I will look
Phil Archer: ok, just wanted to mention it, it looks important
Joe Andrieu: it was pretty amazing last years, lot of perspectives from parties around the world
… I have a potential conflict, so I'm a 'maybe' right now
Resolutions
Phil Archer: ok, let's talk about the resolutions, over to Ivan Herman and Manu Sporny
<Patrick St-Louis> +1
<Manu Sporny> PROPOSAL: Publish the VC API for Lifecycle Management v1.0 specification (https://
<Kevin Dean> +1
Phil Archer: these are the things that were passed by the relevant Task Forces yesterday, so this is to ratify
<Patrick St-Louis> +1
<Dave Longley> +1
<Denken Chen> +1
<Manu Sporny> +1
<Ivan Herman> +1
<Ted Thibodeau Jr.> +1
<Steve McCown> +1
<Phil Archer> +1
<Susanne Guth-Orlowski Guth-Orlowski> +1
<Joe Andrieu> +1
<Kayode Ezike> +1
<Jennie Meier> +1
<Phillip Long> +1
<Will Abramson> +1
<Dmitri Zagidulin> +1
<Wesley Smith> +1
Phil Archer: thank you, Manu Sporny, consider that one done!
RESOLUTION: Publish the VC API for Lifecycle Management v1.0 specification (https://
<Manu Sporny> PROPOSAL: Move the Verifiable Credential Barcodes v1.0 specification https://
<Phillip Long> +1
<Susanne Guth-Orlowski Guth-Orlowski> +1
<Dave Longley> +1
<Ivan Herman> +1
<Ted Thibodeau Jr.> +1
<Denken Chen> +1
<Steve McCown> +1
<Manu Sporny> +1
<Phil Archer> +1
<Joe Andrieu> +1
<Patrick St-Louis> +1
<Parth Bhatt> +1
<Dmitri Zagidulin> +1
<Kayode Ezike> +1
<Wesley Smith> +1
<Kevin Dean> +1
<Jennie Meier> +1
<Will Abramson> +1
Phil Archer: as always, don't feel pressured on this, speak up if dont agree
RESOLUTION: Move the Verifiable Credential Barcodes v1.0 specification https://
<Manu Sporny> PROPOSAL: Publish the Verifiable Credential Data Integrity v1.1 specification (https://
<Patrick St-Louis> +1
<Ivan Herman> +1
<Dave Longley> +1
<Steve McCown> +1
<Ted Thibodeau Jr.> +1
<Denken Chen> +1
<Phillip Long> +1
<Dmitri Zagidulin> +1
<Parth Bhatt> +1
<Phil Archer> +1
<Kayode Ezike> +1
<Manu Sporny> +1
<Joe Andrieu> +1
<Jennie Meier> +1
<Will Abramson> +1
<Wesley Smith> +1
<Susanne Guth-Orlowski Guth-Orlowski> +1
RESOLUTION: Publish the Verifiable Credential Data Integrity v1.1 specification (https://
Phil Archer: thank you, that's unanimous votes for all those.
<Phillip Long> wohoo!
Phil Archer: one more thing - on the vocabulary work, GS1 does have a position on that, and a colleague will join to work on that (so that I can remain neutral)
Phil Archer: ok, we have just resolved to publish a whole lot of FPWDs, thank you all!
… new publications, based on the new charter. we've hit the ground running
… thanks everyone!