W3C

VCWG VCALM

5 May 2026

Attendees

Present
benjamin_young, Dave Longley, dmitri_zagidulin, eric_schuh, james_easter, Joe Andrieu, john's_notetaker, kayode_ezike, kayode_ezike's_presentation, kevin_dean, manu_sporny, nate_otto, parth_bhatt, patrick_st-louis, ted_thibodeau_jr
Regrets
-
Chair
-
Scribe
transcriber

Meeting minutes

Meeting Introduction And Announcements

Kayode_Ezike: All afternoon box.

Kayode_Ezike: Okay, we are 3 minutes past the hour. I think a good time to get started. So, hello everyone and today is May 5th, 2026 and this is the weekly call for the Verifiable Credentials API for Lifecycle Management spec force.

Kayode_Ezike: My name is Kayode Ezike and I will be leading the call today. For those who were not here last week, you might be confused as to why I'm the one leading the call. I reached out to Patrick a few weeks ago just to see if I could support the leading of this call considering that I'm one of the editors and co-facilitators and figured that it would be good to share that load. And so we'll be doing a roughly switching off by week by week for leading these calls. And so you'll be hearing a lot more of my voice. Patrick is actually here with us from the dentist, believe. So I'm just going to quickly share my screen. And while I'm doing that, I would like to just note that the call today as always, it will be recorded and transcribed. If you would like to make comment that is not recorded to you me or off and…

Kayode_Ezike: should also not me.

Ted_Thibodeau_Jr: You're breaking up a bit.

Ted_Thibodeau_Jr: Sounds like the battery dying, but it could be overloaded machine.

Kayode_Ezike: Is that just me or I was hear sorry I still can't hear that.

Ted_Thibodeau_Jr: If you can have a wired connection, that'll make a big difference.

Kayode_Ezike: If you could maybe type that out that would be good or let me know too but everyone else. m I maybe wonder Let me actually try to join from my phone instead. They're singing the

Kayode_Ezike: Hope there's no feedback here. But is this better?

Manu_Sporny: Yes.

Kayode_Ezike: Okay, it's all right. Let's have to hear two different things. I think I heard you running from my phone, but yeah, sorry for the technological difficulties here. Just bear with me. I'm gonna try to see if I can turn down the volume from one of these. Just turn this off. All right. I think we're back. so Right.

Kayode_Ezike: So I went through all the front matter. I think the only thing to say that is a reminder that we are governed by the W3C IPR and good conduct policies. So before we dive into the agenda, just wanted to take a moment to see if there are any new folks with us on the call or folks who would like to give a reintroduction for themselves. I think as far as I can tell body looks familiar. And then I also wanted to know if there was anything else that any community announcements from anybody group and this can include and this is actually on the agenda but was curious to know for those who attended IIW if there's anything worth us knowing as the VCALM task force

Kayode_Ezike: Let's see.

IIW and SETI Conference Updates

Manu_Sporny: Yeah, I don't have anything for IIW, but I guess the broader question is and we asked this in the render method call earlier today and there was kind of not much discussion around rendering of credentials at IIW. I'm wondering if there was any discussion on any protocol related stuff, VCALM, DC API, OpenID4, how much discussion was there on any of those items?

Kayode_Ezike: I'm sorry. Go ahead, Patrick.

Patrick_St-Louis: Sorry, are you asking at IIW how much of those questions there was

Manu_Sporny: Yeah, at IIW. I was wondering what because I mean it seems like a lot of people are like, "Oh, yeah, it was all about agentic identity this time around." And I'm kind of like,…

Manu_Sporny: I guess I has moved on to agentic identity and delegation." thank

Joe Andrieu: I could chime in.

Joe Andrieu: I may be the only one on the call who's at IIW. I don't recall much about our work. Brent did run a session where we talked about the upcoming work in the VCWG. And we went round robin through our task forces and talked about each of those a little bit. And we did get some folks who were like, hey, I want to participate. How do I show up? So, I think we may have, gotten a few people over the hump of this W3C thing is scary.

Joe Andrieu: But I did not participate in most of the chats that were around KERI or ACDC. And so my attention was more at higher level things like SETI. There's quite a bit of talk about that. The Friday event was explicitly agentic. So IIW now has been Monday is either project VRM or the OpenID meeting. And then there are three days of identity specifically related and then the fourth day is agentic. And so certainly the closing note is this agentic AI which might be why it sounds like yeah that took over everything. But on the whole I don't think there was much that directly read on what we were doing here. Certainly not in sessions that I went to.

Kayode_Ezike: That's good to Yeah, it's natural considering the times that we're in. But thanks for that. Go ahead. M

Manu_Sporny: Yeah, plus one on that. This is not necessarily related to IIW, but I did attend the SETI conference for two days. And there was a lot of good kind of, playing off of Joe's mention of the SETI stuff, I know that they were there and they talked about it a bit. The SETI conference, was two days of SETI and then two days of KERI ACDC in the same kind of venue location but very much kind of disconnected as the SETI thing was focused more on policy and high level stuff but with an eye towards implementation and deployment whereas the KERI ACDC stuff was very much focused on what KERI ACDC is going to do.

Manu_Sporny: There was quite a bit of the KERI ACDC folks presenting at the SETI summit. I think there is a focus on KERI ACDC being the core technology that's built out. There was a lot of kind of cross-pollination. The folks from Utah in the Utah government were saying they're trying to build a fairly big tent and support multiple different formats and protocols they'll have one potentially core one but want to see interoperability and that involves some of the stuff that we're doing here.

Manu_Sporny: So for example we have a part in our specification that is an interaction URL and it can provide a bunch of different protocols to boot into including some of the KERI ACDC stuff and so on and so forth. I think there's a lot of discussion going on about what the technical profile is going to look like. And there was a lot of agreement on kind of the base level foundational principles to be written into law. That's it. Not IIW related, but definitely, SETI related and had a number of things that I would imagine this group is going to be pulled in to comment on over the next couple of months.

Kayode_Ezike: Awesome. Thanks, Manu.

Joe Andrieu: Yeah,…

Joe Andrieu: that was great, man, because that triggered a few other things. One session that Sam Smith, for those of you who don't know, he's behind KERI and ACDC. He ran a session that was rather antagonistically titled I think it was the VC apocalypse. And he highlighted an interesting potential misuse of VCs that would violate a principle that apparently he holds dear, which is that you shouldn't have the duration of a credential be longer than the life cycle of the cryptography that secured it.

Joe Andrieu: So the fact that you can have a valid until on a VC that is disconnected from the lifetime of the verification method or the key that signed it. He made a big deal about that. I did not go to the session because it seemed like you can do stupid things. So it didn't seem that interesting to me. The other two things that are worth sharing is apparently Phil Windley is I think he's leading the RFP effort or at least he's a technical lead on that to help the Utah RFP not be just a KERI fest. But we'll see how that manifests out. I know Manu I think Phil he's a solid guy and I think he will endeavor with good character to try and make that true.

Joe Andrieu: So I think there is a good chance to propose technology that isn't KERI-based but that is the strong momentum of the state over there and then there was also a lot of talks about fiduciaries so I've been advancing my own idea of digital fiduciaries someone else introduced something called the fiduciary commons which kind of confuses the water a little bit and Richard Wit and Richard is behind Gleonet and their approach at digital fiduciaries which is about service companies as opposed to digital fiduciary professionals and one of the things that came out of Utah, and I think this is Sam Smith, really thinks that the fiduciary or the guardianship is something that particularly helps with.

Joe Andrieu: I'm not sure I agree with this technical framing there, but there is a lot of excitement that somehow in this architecture we are getting to the actual duties of care and the proper relationships for those who have to care about others in these architectures whether that's guardianship of children and elderly parents or the duty of care that service providers have to have. So there was some interesting conversation there. and that's it.

Manu_Sporny: Yeah, plus one to all of that.

Kayode_Ezike: Very interesting.

Manu_Sporny: all of that. to totally agree that there is very important stuff happening in Utah around the city legislation and the digital identity bill of rights and duty of care and that's the key breakthroughs I think they made in their legislation which is passed like this is law now right in Utah and I think they brought a lot of other people to the table to talk about it among multiple states including who was

Manu_Sporny: there. Idaho, California, Texas, Colorado, Virginia, they're definitely building, state interest, North Dakota is interested, South Dakota. I mean, it's good bipartisan effort with pretty solid principles plus one. It is Phil that is one of the voices in there. I have been dragged into the technical working group at Versetti. that's happening every week now they're trying to figure out what the technical basis is and Joe plus one to your same saying things that are interesting interpretations of the various technologies at play.

Manu_Sporny: they very much favor the KERI ACDC stuff but in a way that I don't think is actually acknowledges what the other technologies can do. So for example, it seems really big on the NIST crypto period stuff as you mentioned Joe you should never NIST has good guidance on crypto periods and we can't ignore it and because of that KERI ACDC is the only solution did:webs address that issue and it's not very clear what the issue is and it's not very clear and it's basically like

Manu_Sporny: did:webs is the only mechanism that has a recovery capability and you're just kind of like that's not necessarily accurate. There are other DID methods that have that mechanism and so I think there's going to be some need to get feedback. I'm trying to nudge them to get feedback from us the VCWG the working group and so on and so forth. But anyway it's an ongoing thing and I think it will affect us. We should have some input on that process. Over to you Dmitri who was also there. It was nice to see Dmitri at SETI. Dutt.

Dmitri_Zagidulin: So, apologies. I just joined a few minutes ago, so I may have missed the context for what you were saying. But I wanted to add on to in terms of SETI and the KERI folks. I now have a slightly better idea dove into the tech a bit. I have a slightly better idea of what KERI's argument does have a couple of features that our system doesn't have an answer for yet which we should address I think and…

Dmitri_Zagidulin: part of that is key longevity and VC longevity. Let's go ahead man.

Manu_Sporny: I Yeah.

Manu_Sporny: Plus one to that. what exactly is it right? I've listened to now several hours and read multiple things and I'm having a hard time seeing what it is. being this amorphous thing that keeps changing every time I kind of have a discussion. so it would be good to get those things down concretely because I don't think that it's impossible to solve them even if the ecosystem doesn't have the quality but it's very difficult for me to kind of pin down what the missing feature set is.

Joe Andrieu: I'm wondering, Dmitri, if that's a conversation you could lead.

Dmitri_Zagidulin: Got

Joe Andrieu: I don't know if we want to do it within this context, but I would love to have a meeting with you to walk through what you are seeing as their unique features.

Dmitri_Zagidulin: Absolutely. Anytime it's appropriate. Happy to.

Kayode_Ezike: And do we think that would be for here or for CCG or what's we think is the best forum to discuss because it sounds like something that goes beyond the com. Go ahead, Manu.

Manu_Sporny: I'm trying to get them to say what it is. I'm trying to get the interop group to say these are the core technical capabilities that the SETI ecosystem needs. instead of us trying to guess what it is, right? It's just like write it down on paper. Please let us know what it is. the legislation is the great, first cut. that is very clear. We understand it. There seems to be broad agreement on it. But then when it gets down to and I had a discussion with Timothy Ruff about this as well. I was like, we want to make sure that there's fair market competition.

Manu_Sporny: you need to elaborate what technical qualities are mandatory, what does the system need to be able to do so that we can actually do a comparison instead of people claiming that KERI ACDC solves the problem and nothing else is capable of doing it. So I wouldn't suggest we discuss it here…

Kayode_Ezike: heard Gotcha.

<Dave Longley> side note: quantum-safe "hash sets" (like bitstring status lists) are a solution to "long-lived VCs"

Manu_Sporny: until we see a list of these are the specific requirements that are necessary.

Meeting Schedule Poll Results

Kayode_Ezike: Sounds good. So, it sounds like eventually, maybe not now, we'll reach out to the chairs of CCG or something to see if they can invite them back because they have been on the call before. I don't know that the particular presenter at the time could elaborate on things like that, but we could get the right contact to present more on that and give more resources. That's useful there. Great. Sounds like SETI was another sort of parallel conference that happened last week that was valuable for us. So, thank you all for reporting out on that. The next thing I want to get into is meeting schedule. So, there was one that was created last week by Manu. Thank you. But it seems that we created a new one that was circulated today. So, we're just going to be using that one since it was sent out to the public mailing list. I'll just reshare the link. And we have some results already.

Kayode_Ezike: I did notice a quirk about it which I think is related to something that Dave mentioned offline but let me just quickly share this link first in the chat and the results as you can see on my screen in a bit. So results that I see here, it's saying that it's 4:00 p.m. for these folks, but I think it's 3:00 p.m. I think it maybe has to do with EST versus EDT that's happening here because I didn't know for sure that I voted for that. But that was just a quirk that I noticed and I don't know if it affects all the other times as well, but go ahead Patrick. I see your hands.

Patrick_St-Louis: Yeah, I think…

Kayode_Ezike: Yeah. …

Patrick_St-Louis: if you highlight the name and the response the individual name it will say so it says what time zone they voted in. So can

Kayode_Ezike: so I believe this was sent out yesterday, so we probably should get a little bit more time for folks to put their responses in. go ahead, Patrick. Thank you.

Patrick_St-Louis: And just since then, I've updated the time zone to US Eastern. So, it should be more straightforward for people moving forward.

<Kayode_Ezike> WhenIsGood: W3C VCALM Meeting Time

Kayode_Ezike: Okay, great. Thank you.

Dave Longley: I wanted to ask on that results page,…

Dave Longley: what time zone are we viewing on the results page?

Patrick_St-Louis: It's I could not figure it out.

Patrick_St-Louis: I think it's just times and whatever time zone people because people can select the time zone that they vote for and the hours do not seem to change. so you know what's that?

Patrick_St-Louis: That's all I got to say.

Kayode_Ezike: Yeah, that's…

Eric_Schuh: I was just going to say having just filled it out,…

Kayode_Ezike: because Yes.

Eric_Schuh: these are Eastern times that we're seeing here. yeah.

Patrick_St-Louis: They are intended to be

Kayode_Ezike: Yes. Yeah. Is it Eastern? and I guess at least anecdotally for myself, I know that I voted for the current time that we have, which is 3 to 4:00 p.m. Eastern, but the way it's recorded or viewed in the results does not seem to indicate that. So, I may have to I don't know, resubmit or revisit this. But in any event, I think we need a little bit more time for folks to give their responses while we figure out some of these other details. I think by next call we'll announce the official time moving forward for us to convene

Patrick_St-Louis: I would like to know. So I noticed Nate so if you highlight Nate's name so it seems like Nate selected PST. and this is I'm not sure how the application is meant to be.

Kayode_Ezike: Good.

<Nate_Otto> Watch out for this display, there are multiple variants of similar time zones, some of which incorporate DST and others which don't. There are separate "US/Eastern", "EST", and "EST5EDT" zones

Patrick_St-Louis: So we selected PST, but he still selected the hours over there. So, I'm assuming that Nate, you wanted to select the 3:00 p.m. Eastern for all these days and then 10:00 a.m. Wednesday, Thursday.

Nate_Otto: Yes, I am also available of course at 3 p.m. since I am here I did save the edit link for my response. I responded on my phone and watch out there are some gotchas on this app. The US/Eastern time zone did not appear in the time zone selector on my phone. Only these EST or…

Nate_Otto: EST5EDT, PST8PDT. So, there's variants of the time zones that have daylight saving time incorporated and others that are all mixed into the time zone selector. And it looks like, I intentionally selected PST8PDT, but I think I misinterpreted which time zone the original times were set in. So, I was off by one. So, I'll update my measure responses to include 3 PM.

Kayode_Ezike: I see. clearly this was a good idea for me to propose this tool to use, but yeah,…

Kayode_Ezike: we're working through the kinks and

Patrick_St-Louis: It's okay.

Patrick_St-Louis: It's my fault this one. I should have taken the right time zone at first. So I think there's only two responses. I think it's only Nate and Kayode that it seems that it's delayed by an hour. So we can just keep this in mind and moving forward the default time should be US Eastern. So there should be no confusion. I'm curious probably you could select PST because I'm not sure why that would be available.

Patrick_St-Louis: So yeah, still need to understand a bit how this works. it seemed pretty good, but yeah, I think we will be okay once we get more results in.

Kayode_Ezike: Great.

Threat Model Discussion

Kayode_Ezike: So, fill those out when you get a chance, folks, and we'll send out the results next week. And moving forward, we can go ahead and continue with the agenda. So outside of pull requests and issue requests as standard, we wanted to go through a few other things. So there's a follow up on the threat model which we started discussing last week as it's very useful document that Eric and Joe have been working on. And then I wanted to circle back on test suite. I know there was a discussion about using different tools for that but I don't know that we actually captured that anywhere in issues or anything.

Kayode_Ezike: So, it'll be good to pin that down. And so, let's start with the threat model. Looks like Eric's hand is up. So, go ahead, Eric.

Eric_Schuh: Yeah, fairly quick update this week. I haven't pushed forward too far in terms of expanding the DFD as of yet. Joe and I have a call later this afternoon to do that. So I'm just going to drop the link to the Google doc that is being shown on screen right now as well as the issue. And the ask is still if people have threats that they want to start indexing, there's a section in the Google doc to do that or feel free to just add a comment to the threat modeler issue. I think for Kayode and Patrick just in terms of scheduling next week we might want to set aside maybe 20 or so minutes to go over kind of the next iteration of our DFD diagram. That's my goal to get done this week after syncing up with Joe and making sure things are headed in the right direction.

Eric_Schuh: So hopefully next week we can talk about a draft DFD diagram. as well as I should have all of the stakeholders indexed, at least a first pass. currently what's in this document, just for those that weren't here last week, is a first pass at the holder portion of the DFD as well as the index stakeholders from that holder portion alone. it's already gotten pretty long. so last week we did talk about breaking up the DFD diagram kind of into a holder,…

<Eric_Schuh> VCALM Threat Model (Draft) - Google Docs

Kayode_Ezike: Awesome. Thank you very much,…

<Eric_Schuh> Create Threat Model for VCALM · Issue #628 · w3c/vcalm · GitHub

Eric_Schuh: issuer, and verifier parts and then a higher level diagram that kind of unifies the three. but that's what Joe and I are going to be discussing more this afternoon.

Threat Model

Eric_Schuh: I think that's it for today.

Kayode_Ezike: I believe you also were urging us last week to give examples of threats as well in this document as a threat section here which so basically a good input to this will be a compilation of threats that we believe are viable and classifying them and all that stuff and I think we're just asking folks to get in here and follow the template that you've created for that which I can't scroll through right now for some reason but it's in that section for threat models. So for thigh None.

Manu_Sporny: I am a little concerned that if we don't take the time to do this on the calls, you're not going to get much feedback, Eric, just based on how overloaded absolutely everybody is right now. I'm wondering if there's something we can do to kind of force the issue, meaning spend some time on here. even 15 minutes of all of us putting in ideas would be I think better than getting to next week and…

Manu_Sporny: finding out nobody provided input.

Kayode_Ezike: Yeah, it's a good idea.

Kayode_Ezike: Go ahead, Great morning.

Eric_Schuh: Yeah,…

Eric_Schuh: I'm completely fine with that. I didn't know how much time we wanted to spend today since I know we spent a healthy chunk of last call on this. but if we wanted to spend some time doing that now, that's fine. I was thinking of doing that kind of once we got a full DFD. was kind of in my head the timing so that way people can reference the different components but that might be too far down the road. So if we wanted to do that now I have issues with it

Manu_Sporny: Yeah, I mean plus one to doing that. this is the blocking item for us to get horizontal review, So we should get this done and if it means taking up call time, I think it's call time well spent.

Manu_Sporny: Not to mention that, it is good to do these things collaboratively. that's it.

Kayode_Ezike: Great. So,…

Kayode_Ezike: let's do that then. let's spend the next at least 10 to 15 minutes discussing some threats that folks can foresee moment after everyone. So, if you have a threat idea, just put yourself on the queue and we can let's go down the line. Go ahead,…

Kayode_Ezike: Sure.

Manu_Sporny: I'm wondering…

Manu_Sporny: if we could leverage the fact that this is a editable document so all of us could jump in and do that in parallel and then maybe discuss just a suggestion just get a whole bunch of ideas down and then we can sort through

Kayode_Ezike: So, the link is in the chat again, folks. Just Feel free to ideas like ahead, Joe.

Joe Andrieu: These are fresh eyes on here. so apologies, Eric that we didn't get a chance to circle around before sharing this publicly. But in the diagram I do think we need to enumerate flows…

Kayode_Ezike: Okay, great.

<Kayode_Ezike> VCALM Threat Model (Draft) - Google Docs

Joe Andrieu: which is going to make that diagram a little bit harder to deal with. But those are the points at…

Joe Andrieu: which there are definitely certain kinds of compromise there. So we want to figure out how to update that.

Eric_Schuh: Yeah, just to speak to that a little bit for those that weren't here,…

Eric_Schuh: I started into this diagram and I kind of got all of the patterned off the DID resolution diagram. When I started thinking about the flows mostly Joe, I wanted to sync up with you before I actually put flows on this diagram. But also last week we did talk with the group and confirm that we want to have the holder kind of as our main user instead of abstracting that away and a few other points that would affect the flows. So I think we still have some work to do on kind of our base use case to figure out yeah

Joe Andrieu: Okay, cool.

Kayode_Ezike: All right.

Kayode_Ezike: So, I'll give us about five or so minutes to just the time of the end. We'll circle back a bit.

Joe Andrieu: Also Eric, it looks like we only have the entities.

Eric_Schuh: I have not done a dictionary yet. No.

Kayode_Ezike: Jesus.

Joe Andrieu: That's just stakeholders. Is there also a dictionary of the other elements? Yeah, that is a lot of entities.

Joe Andrieu: Plus one for the comments. I'm not sure who else typing because we all end up as anonymous otter and…

Kayode_Ezike: Yes, it's okay.

Joe Andrieu: cheetahs and crows and stuff, but those are some good starting threats that I'm seeing filled in here.

Eric_Schuh: And I would say don't worry too much about the threat type at the moment. That was something I added in case people had time to think about that. But mostly just a name and description and your name or an identifier that we can reach out to talk about it.

Joe Andrieu: And then I want to speak to number two in your questions. Eric, you asked if does it make sense to break down the DFD into a few diagrams? It may. One of the things we're doing in the DID resolution threat model that's not done yet, but it's on our road map real soon now.

Kayode_Ezike: Okay.

Joe Andrieu: Is to show the diagram in different conformant situations did:key everything's on one device is quite a bit different from Bitcoin and then the BTCR ones where you necessarily have some external clients.

Joe Andrieu: That's part of the hard work is figuring out what are the one or two or three diagrams that best capture what we need to. So, we can talk about that in our call.

Eric_Schuh: since it's full life cycle I think last week we discussed wanting to include replication as well. Yeah.

Joe Andrieu: I mean, it probably makes sense to separate issuing and verification. I don't know if there would be a third that would make sense, but it's a good question.

Joe Andrieu: Okay. Yep.

Kayode_Ezike: Just one more minute.

Kayode_Ezike: Let's get your thoughts down and then we can discuss a little

Kayode_Ezike: Okay, let's circle back and talk about these so there's a few approaches we can take here. I think to go through each one could lead to a long discussions that maybe we don't have time for today. But maybe if there are any here that we feel needs more elaboration that would help Joe and Eric to address them in this document. Maybe that's one way to go. if there are any of these that we feel could use more elaboration as you all work on this asynchronously. Sure.

Kayode_Ezike: The screen is well done because the next steps as I see it would be to fill out the descriptions and the types and it could be useful for the folks who actually drafted them to actually help with those descriptions.

Kayode_Ezike: I haven't been the ones to think of them, but go ahead, Joe. He does.

Joe Andrieu: Yeah, one of the things I expect is a good next step is for Eric and…

Kayode_Ezike: He does.

Joe Andrieu: To go through and see if we can clean these up while keeping the intention. One of the things for example if we had the flows in the diagram then for example this first threat denial of service attacks we could state specifically which endpoints we're concerned about which flows we're concerned about with that. so we do still have some work to get the diagram anchored so we can then anchor the threats to those elements in the diagram. but I'd be curious if anyone wanted to highlight any of these to have the group talk about it because they think it's obscure or not. Most of these look pretty good.

Joe Andrieu: I mean, I think I can map those to something that sort of fits into say STRIDE which is a framework for thinking about threats like stolen authorization tokens is probably spoofing for example.

Joe Andrieu: So just working through that and mapping it to the language of threat modeling is something Eric and I can take on in the intermediate

Kayode_Ezike: Okay, sounds good.

Kayode_Ezike: And then of course if you have any questions about either of them, we can always discuss them in a future call make comments in the issue that's open for it currently. but in the meantime, are there any of these that folks feel that maybe should use a little bit more elaboration? Go ahead, man.

Manu_Sporny: we generated quite a large number of these in a very short period of time which is great and it's also I'm wondering how we manage that long term Joe and Eric this feels like if we…

Manu_Sporny: if we finish the DFD and we include these threats and all that kind of stuff like that might be good enough to request a horizontal review.

Kayode_Ezike: Good job.

Manu_Sporny: How do we know we're not done but in a good enough shape to request horizontal

Joe Andrieu: Yeah, it's a great question.

Joe Andrieu: With an unfettered lens the threats will expand to fill all our available time right we can get distracted by hardware Fi related threats depending on your appetite for investigating more you can always investigate more the framing that I've been championing within the SING conversation and sort of how the W3C might approach this in a reasonable way is that the real opportunity here is not to try and be exhaustive. It's not to sort of be mythos in our, investigation of all the possible things that everything can go wrong, but rather to tap in the expertise of the people on this call, the people who have been contributing this work and capture what we see as the primary threats that we've cared about as we've been working on this technology.

Joe Andrieu: we each know what those are or we have thought about them and maybe haven't distilled it into a threat. But it's about tapping that expertise is the real step in the process. Because anyone can throw this spec at Claude and say hey what do you think is risky about it. So we don't want to attempt to replace that work because people are going to do that work anyway but we can capture what those of us on this call have concerns about. And so that's my litmus test, Manu, is to say hey does this feel like it's a good representation of the threats that we know about as a group. And when we can say yes to that then if that's five threats if it's 20 threats like part of the goal for me in this work is to have the number of threats be small enough for someone to read it without being overwhelmed.

Joe Andrieu: And so that means curating to the smaller set which will take more time but it will make it more accessible to people so that they understand the critical threats and there is a tenuous line there about who gets to decide which ones are good enough…

Kayode_Ezike: All right, Derek.

Joe Andrieu: but I think at least there's a heuristic there that we as a group can think about does this represent what concerns keep us up at night with this technology.

Eric_Schuh: Yeah, I think there's also an opportunity to at a certain point have the group select vote on our top 10 threats that we would want to highlight in a threat model proper and then all of the other index threats that are valid could go maybe not in an appendix but in a supplementary document so that you could keep a kind of primary version that is quick and readable, but if people really want to dive into the totality, they could do that as well. That's definitely something I've been thinking about as I've kind of looked at the scope of what this threat model is going to entail because I think it's going to be quite a bit larger than the other ones I've seen just in terms of the number of components and stakeholders that are involved in the MEC API.

Market Competition Threat Type

Manu_Sporny: There was one of these that I do want to chat about and that is about a market competition threat type. I'm curious to hear if other people want to try to go down this path. I've got a very specific example that we have been exposed to recently where effectively protocol is being used to centralize solutions and force I mean and basically stop market competition. so I want to chat about that if we have the time and see if the group wants to talk about that type of threat.

Manu_Sporny: This is very much like things most SDOs they don't talk about this right and that leads to a pretty serious amount of kind of standards group capture so anyway I'm wondering Joe Eric if you all have talked about it but I know it's not really a SING thing like…

Manu_Sporny: if I have been pushing W3C to have a market competition horizontal view and for obvious reasons everyone is really scared about even approaching the topic. any curious to hear others thoughts on it.

Kayode_Ezike: Is this number 31? Yeah. That's…

Manu_Sporny: 13.

Joe Andrieu: 13. …

Manu_Sporny: Yes. wow.

Dave Longley: It might be the same as

<Dave Longley> "Ecosystem gatekeeping in the name of security or privacy"

Joe Andrieu: yeah, I'll chime in.

Manu_Sporny: Yeah, it is the same as 13.

Kayode_Ezike: what I thought.

Manu_Sporny: That's hilarious.

Joe Andrieu: Awesome. Yeah. …

Kayode_Ezike: Good job.

Joe Andrieu: it's really interesting. One of the defining features of the SING approach to threat modeling is to anchor things to components in the diagram. And it's not clear where we would anchor this. I agree with the threat. It's but how do we fold it in is a little tricky.

Dave Longley: So as an example of something with this happening today it can be done around identifying the verifying party. So you can create a separate gatekeeping authority or maybe a few of them run by large centralized providers where you need to go register with those providers in order to be able to identify yourself as a verifier.

Dave Longley: So that would be one example and that would be in some way related to I think we could certainly relate that to components in the system. as verifier coordinators are going to be publishing for example in Those interaction URLs have an origin in them that identify who they are already but protocols might add additional layers that might be unnecessary but enable gatekeeping in the name of security and privacy.

Manu_Sporny: Yeah, I mean plus one to everything Dave said. I'm going to be very concrete about the problem. So currently if you want to read an MDOC or an MDL the company or the organization have to go to Apple and get an Apple business account or Google and get a Google play account. You have to verify your organization. You have to tell them what credentials you're going to consume.

<Benjamin_Young> "Let us protect you"

Manu_Sporny: you have to tell them what the purpose is for consuming those credentials and only they meaning the big wallet vendors this includes Samsung as well right you have to go to each one of them you can't just get one you have to go through this process with every single digital wallet only they can give you a credential meaning an X509 certificate that then you have to use to digitally sign the query that goes to that wallet. That is the reality of what you have to do today. And it is I think folks can see the problem here. It is not up to the issuer and It's up to the people that run, the stores effectively, right?

Manu_Sporny: So it's that kind of stuff where kind of like that is pretty serious and it's all done in the name of privacy and security we don't want people to share their credentials with the wrong party.

Manu_Sporny: But it is very much a threat to market competition. That's it.

Kayode_Ezike: Yeah, security is fine.

Kayode_Ezike: Go ahead, Joe.

Joe Andrieu: Yeah,… this is really interesting. I think this is a good example of where maybe two, an extra diagram would help because I think there's how the technology works with VCALM which doesn't require these third party registries. But a big part of what we do need to do and it's been an interesting dance with SING and with other specs that we've been talking about is we have to deal with the technology as deployed what is the context in situ in which these things are actually used.

Joe Andrieu: And so if we do have these centralized registries we can show how they might impact the ecosystem and then we can talk about those flows or those interactions as potential attacks. So maybe there's a diagram where we can identify those third party registers without cluttering up sort of here's how it works with…

Kayode_Ezike: Go ahead.

Joe Andrieu: what you need because we can implement VCALM without a third party registry.

Manu_Sporny: And I think the attack is a market power attack. it's a centralization of power. It's a centralized gatekeeper and that can have a very negative impact on security and privacy if everything has to be routed through that central gatekeeper or even multiple gatekeepers. So I think we can tie it back, but it's not like square peg round hole but it's like why are we looking at the threats in that way? I understand that's the way he's saying has traditionally looked at the threats, but I think if you take a step back and you're like there is this centralized authority and they get to make all kinds of arbitrary decisions without any kind of legal oversight or anything of that nature. It's a private organization. I mean that is clearly a security risk, right?

Manu_Sporny: I mean it should be like…

Kayode_Ezike: 3 plus one

Manu_Sporny: if it's not, it should absolutely be a core security risk to centralize things in that Okay.

Dave Longley: Sometimes these things are in other groups referred to as user hostile or threat to user choice and liberty. And maybe that could be in these threat models as

Joe Andrieu: Yeah, I think one problem we're running into with your most recent framing there,…

Joe Andrieu: Manu, is VCALM actually doesn't have whereas for example DCAPI bakes those threats into the spec right now with their limited list of approved protocols.

Joe Andrieu: So there's a challenge in that we want to differentiate this work from other work but our threat model should be about our work. so there's a nuance there that we'll have to pull out. I do think we can explain in situ…

<Dave Longley> user hostile/threat to user choice and liberty

Dave Longley: I want to speak to that.

Joe Andrieu: but go ahead

Dave Longley: So VCALM allows other protocols to travel over the exchange portion of the spec. And so that is a place where we can talk about how other protocols might have these requirements and you should be aware that if they do have those requirements what those threats are. And since we already know about specific protocols that have these problems,…

Kayode_Ezike: Awesome.

Dave Longley: we should highlight those.

Kayode_Ezike: I see that we have five minutes. So maybe we can make a decision as to how to address this. I know this is a unique type of threat because it's more than just a technological one. But it does point to value judgments that we hold as a group. But I think maybe next step would just be to flesh it out in this document asynchronously and you can review the copy in a future call. Go ahead.

Manu_Sporny: Sorry, I put myself on the queue to say what Dave said and he said it. So off.

Kayode_Ezike: Okay so we don't have too much time to do much else. The test suite was a topic I want to get into at some point and also There were some issues that I think as it is. There was one for Echidna and there was also one that just removed a reference issue that is no longer relevant. Those won't take much time to process. It's just a matter of do we think it's worth squeezing that in the next few minutes. I think I don't know if the Echidna one is one that's critical for next steps with publication or not. I know Ivon created that one but I don't know if it's something that we should maybe try to squeeze in if nothing else.

Technical Report Publication Workflow

Manu_Sporny: Yeah, I think Let's get it in there. it'll start autopublishing the editor's drafts, the working drafts. So, we should just merge that in. It looks good to me.

Kayode_Ezike: Okay,…

Kayode_Ezike: Looks good to me, too. Should probably put the Sorry really slow today.

Kayode_Ezike: This is so I think what I'll do if folks are okay with this, I can through this offline and just move forward like that. there's not too much to it. It's just a GitHub actions workflow that enables it can for publication of our technical reports. So it's pretty standard W3C process. Okay, here we go. Yeah.

Kayode_Ezike: So, I'm going to go ahead and submit my approval. This

Kayode_Ezike: All just waiting for this to So, we've merged this and I'll make a comment in the associate. I don't think there was an issue in her mind. And that is it for Any good thing good for the order before we close today? Not thank you all for joining me today and bearing with challenges technologically. It's my first call, but appreciate your patience and look forward to next week's call. Cheers.

Joe Andrieu: Cheers.

Meeting ended after 00:59:10. This editable transcript was computer generated and might contain errors. People can also change the text after it was created.

This transcription was generated by a large language model (LLM) and might contain errors. When in doubt, check the audio recording. This page was formatted by scribe.perl version 248 (Mon Oct 27 20:04:16 2025 UTC).