W3C

VCWG Recognized Entities

26 May 2026

Attendees

Present
Dave Longley, kayode_ezike, kevin_dean, manu_sporny, parth_bhatt, Phillip Long, Steve Capell
Regrets
-
Chair
-
Scribe
transcriber

Meeting minutes

Steve Capell: Okay. You're welcome.

Manu_Sporny: Hey folks, we have another call that's going over and we've got people from that other call that are going to be coming over here very soon. So, we'll start in about two more minutes.

Kevin_Dean: Okay, thank

Steve Capell: Stop.

Reviewing Steve's Pull Requests

Manu_Sporny: All right, let's go ahead and get started. And I apologize in advance. I have to drop at half past the hour today. So unless there's someone that can keep running the call after I'm gone, it might be a short call. I think on the agenda today we're going to look at your PR again Steve to try to give you some feedback on it. I think that's largely what we had on the agenda. And then there's the threat model or categorization that we started last week that we could also go into today.

Manu_Sporny: If So, Steve, let's get you processed so that you can get back to your holiday. Why don't we go get right into it?

Discussion On PR 81: Use Cases

Steve Capell: now we go.

Manu_Sporny: Anything in particular you want to talk about today? Steve, you got two PRs,…

Manu_Sporny: 80 and 81. Which one would you like to focus on?

Steve Capell: one is the one from last week which we discussed was a kind of a monolith to the use cases that we decided we'd break up into some short use case statements for the spec and some appendices to the spec with sample documents and the like.

Steve Capell: So, what I'd suggest is we just delete that first the one by the way, I'll admit to a little bit of beginner screw-ups because when I made a simple just short update to the main spec by adding a use case section,…

Steve Capell: my GitHub immaturity, I should say, led to it being considered as an extra commit on the previous PR. So I had to kind of pull back and go no clean it up and create a new branch and I think I finally managed to create just as a small PR which is only one commit to one file…

Manu_Sporny: Yep. Okay.

Steve Capell: which adds two paragraphs to the spec under the use cases section.

Steve Capell: So what I'd suggest is we review that one and the other one we just delete it or ignore it or throw it away or whatever because it's going to get replaced by this little one and another one which will be in the appendices.

Manu_Sporny: So, I can do that right now. and your new PR looks nice and clean. One commit. so if you hadn't said any of that,…

Manu_Sporny: we would have been none the wiser. let me see. D. Okay. So, add discoveral. Hold on one second. Let me make sure. I'm going to let's do the 81 first. so PR81 is add trade and conform to use case. And you've added a use case section.

Steve Capell: So yeah.

Manu_Sporny: Go ahead.

Steve Capell: Yeah. I just added a new section two between introduction and data model called use cases.

Business Value Of Use Cases

Steve Capell: and added two subsections, one called trade and one called product conformity. And they're just different examples of the same pattern, right? Which there's some a commercial invoice that has much higher value when it's linked to an entity recognition. In that case, a business registration that confers confident identity. And in the conformity one, it's an accreditation credential which basically says this auditor or this test lab is accredited to do these test services. And they're the same pattern, just a different business context. And hopefully they're short and sweet enough that they are okay.

Steve Capell: Yeah, that's it. I haven't done the extra PR which we talked about last week which is in the appendix. And here's some sample dibs and…

Manu_Sporny: Yeah.

Steve Capell: sample entity recognition credentials and so on for those use cases. I'll try to have that for you. I'll see you next week anyway in Brussels. Looking forward to that. But yeah, just right now I've got two little business stories and trying to emphasize the business value, right? Because the whole point of this is that when an important verifier and in the trade case there are two one is the importing customs authority who wants to know who packed the box and with confidence of identity and do and data integrity can clear a shipment as a benefit.

Steve Capell: The other one is the issuing bank in a documentary letter of credit where it's a painful horrible process today and if they get verifiable invoices and…

Steve Capell: identity they can automate their algorithmic due diligence and release a lot of trade value. So those are the two use cases and that's moving through them now and…

Manu_Sporny: Yep. I'm reading through them now and…

Manu_Sporny: they look very clean and…

Steve Capell: they look very good.

Manu_Sporny: do we have any other feedback from anyone else on these two use cases?

Steve Capell: Do you have any other tech help? Okay.

Manu_Sporny: They look good to me. Go ahead, Dave. All right.

Dave Longley: I think we should accept them But one of the things that we've done in previous groups with use cases is not mention the specific technology used to solve the problem. And that's kind of integrated in to the use cases here.

Steve Capell: is integrated in capable but we could again I think it's accepted…

Dave Longley: Again I think we should accept this as is but we might want Yeah.

Steve Capell: but we might talk them later. Yeah, that's fine. I do agree with that sentiment. I suppose I'm trying to establish a pattern of this kind of discoverable but we don't have to do that in the use case. it could be done in a sort of solution to the use case later but I tried to keep it fairly high level.

Steve Capell: By the way, a little just for those that are interested in history, I happen to be sitting in the city of Valletta, which was created by a merger of the Knights Templars and the Knights Hospital 500 years ago and about 900 years ago, the Knights Templars to support pilgrims going from Europe to the Jerusalem created the very world's first documentary letter of credit and I'd argue a sort of a verifiable credential, right? Because the idea was you posit deposit gold, let's say in London with the office of the Knights Templars and along your journey, you present a credential which was a paper thing but with a substitution cipher that made it verifiable to various Knights Templar's office along your journey and you got a little bit of gold back each journey.

Steve Capell: And so it's a really sort of old very relevant story that is still a problem today and…

Steve Capell: verifiable credentials can help to solve really kind of nearly a thousand years earlier…

Manu_Sporny: That is a really cool piece of history,…

Manu_Sporny: That's neat.

Kevin_Dean: predecessor to American Express Travelers.

Kevin_Dean: Checks. Yeah.

Steve Capell: but Yes.

Kevin_Dean: My wife loves travel and she loves u period TV shows. I got her a book on travel in the medieval ages and it's just chock-full of stuff like that about letters of credit and how you manage credentials across borders when everyone's traveling on foot and each journey takes months.

Kevin_Dean: quite fascinating.

Steve Capell: And everybody wants to steal your pocket of gold. So you have a piece of paper you can't fake and…

Kevin_Dean: Yes. Mhm.

Steve Capell: is not stealable. it's a brilliant idea, Made them extraordinary wealthy by the way. They were 300 years of building a banking network in Europe and then eventually they became lenders. I'm distracting here, but it's interesting they became lenders to nation states. And what ended them was the fact that the king of France owed the Knights Templars so much money it's like today's national debt problems multiplied. So much money he could never pay it back. So his solution was to kill them all.

Steve Capell: In the 14th century he killed them all and that what was left all the ones in France and the ones that were left merged with the knights hospital which are really fortress builders and they established Malta and the payment for Malta to the king of Spain every year for 268 years was one Maltese falcon which you might and that's true right and there's a bit of movie history here right the Maltese Falcon…

Steve Capell: but it's based loosely on that idea that the knights of St. John which was the merger of Templars and hospital paid the Holy Roman Emperor and the king of Spain who the same guy at the time one multistark per in a big ceremony I love this sort of history right anyway I won't waste any more time on that…

Kevin_Dean: As long as our work here today doesn't lead to our executions,…

Steve Capell: but it's kind of cool isn't it Right.

Kevin_Dean: I'm okay.

Manu_Sporny: Yeah, exactly.

Manu_Sporny: Now we've got something to worry about.

Manu_Sporny: All right. I'm closing your other PR. Steve taken by and…

Kevin_Dean: There he is.

Steve Capell: Yeah. Yeah, that's fine.

Manu_Sporny: then it'll live again in another future PR.

Steve Capell: It'll exactly.

Manu_Sporny: Okay.

Steve Capell: Yeah. Yeah.

Manu_Sporny: That one's closed and we got some PR processing done. let's see. And with that,…

Steve Capell: And with that,…

Manu_Sporny: Steve, I mean, you can feel free to go and…

Steve Capell: feel free to go.

Manu_Sporny: enjoy your dinner, of course. and…

Steve Capell: I would appreciate that and…

Steve Capell: I look forward to seeing you next week in Brussels.

Manu_Sporny: Yes, same here.

Threat Model Categorization

Manu_Sporny: Really looking forward to it. Until then, take care. Bye. All right. The rest of the call will probably focus on threat model for recognized entities. We were classifying it last time. I don't know if someone can take over for me in about 10 minutes because I am unfortunately triple booked for this hour. What we need to do is move I'm not sharing my screen anymore. We need to move all the uncategorized things into categories.

Manu_Sporny: So here is topic threat model then there is a link to our threat model and we're just going to keep going through this. and then I'm going to have to drop at about 25 past. we'll just go from the top. maybe it's a random walk. cryptographically relevant quantum computer breaks traditional cryptography that feels like it is a dependency threat because this spec does not deal with that at all. who provided this one?

Manu_Sporny: of course forgetting.

Dave Longley: I probably type that in,…

Dave Longley: but I don't know that we need these contributor names if the threat is understood.

Manu_Sporny: Yeah, that's true. Although I'll leave it there. Recognized list is in an X509 list and the verifier does not do proper X509 specific validation required to ensure certificate revocation lists are taken into.

Kevin_Dean: That's implementation threat.

Manu_Sporny: Yes, thank you very much.

Discussing Implementation Threats

Dave Longley: This is one of those ones that's weird…

Dave Longley: because it's not an implementation for the spec unless we're going to tell people how to do X509 validation. So yeah, I think it is an implementation threat but at a different layer from this the spec we work on.

Kevin_Dean: Is this really a threat that we should consider though? Because you could argue that, failing to implement any of the underlying technologies on which this spec depends. you could have an explosive list of threats. if there's an X509 list,…

Dave Longley: Yeah, we yeah,…

Kevin_Dean: you expect that somebody using X509 technology should understand revocation lists.

Dave Longley: figuring out where to draw the line on the universe for external and…

Kevin_Dean: Yeah. Yeah.

Dave Longley: dependency threats is hard. but maybe there are spe ones we really wanted to call out. Is that how we should do external independency threats?

Manu_Sporny: So I think the way this is supposed to work is that we focus really hard on target threats and…

Manu_Sporny: implementation threats and the other ones we list but we're kind of like that's dealt with elsewhere. understand that this risk exists, but we're not going to go into excruciating detail about how you mitigate it and whatnot in this spec.

Dave Longley: Okay, given that, let's just try to throw anything in there that goes there and then not talk about it too much.

Manu_Sporny: All right. An issue of recognized is not precise about the data schema and…

Manu_Sporny: allows too broad a category. Where's this one go?

Dave Longley: That seems like it's an implementation threat in our spec.

Manu_Sporny: Yeah, I guess because of the schema, it's really the author, right? I'm wondering.

Dave Longley: It's still implementation, isn't it? we're going to say this is where you put this, this is how you do it. But you can, build something that is problematic.

Manu_Sporny: Yeah, to put it there. An attacker recognized entity list URL is entered into verification software and is used to accidentally validate incorrect VCs. So this is a kind of a administrator usage error.

Dave Longley: It's just another implementation threat, right?

Manu_Sporny: Yeah. As you the system wrong. It's like a configuration error, not a software. I don't know if those are implementation threats or not. Just leave it there for now. go ahead. Okay.

Kayode_Ezike: Isn't configuration considered external because we don't specify how to configure per se? It's similar to one of the other issues we had last week. it had to do with entering the wrong top level,…

Kayode_Ezike: VC recognized as TVC or something like that.

Manu_Sporny: Yeah. …

Manu_Sporny: so this mean I think you have a point Kayode it says the spec leaves the choice to them meaning an implementer or someone configuring the software. That's why I think it might belong here more than because external threats I don't think we're going to spend a lot of time talking about. Whereas this I don't know do we want to talk about this? I could go either way. I don't know if other folks have strong opinions.

Manu_Sporny: So Kayode you think it should be external.

Dave Longley: I think one of Yeah,…

Kayode_Ezike: Yeah, I mean I guess it's just going with the pattern that I was using from last week, but yeah, I don't have a strong opinion, but I just like kind of trying to make sure that we're consistent with ourselves basically like how we're trying

Manu_Sporny: Yeah, of course.

Dave Longley: I was going to say that. I think we should be consistent and…

Dave Longley: we have number 10 down there is just some other configuration error. So seems like it goes at external.

Manu_Sporny: All right.

Manu_Sporny: So, all There we go. And then a recognized entity has their metadata altered by an attacker. How does that happen? who raised the issue or this potential attack we can leave it and…

Dave Longley: I don't know if I raised that one and if I did, it was a version of me that doesn't remember what I meant. presumably that might have been like …

Manu_Sporny: come back to it later, right?

Dave Longley: it's a rec a recognized entity might be identified by some decentralized identifier.

Dave Longley: And what if that thing's decentralized identifier is compromised in some way? It's going to be an external threat regardless. So I think we should just put it as an external threat.

Manu_Sporny: about themselves such as their DID document altered by an attacker and…

Manu_Sporny: that's external. You're saying let's see. Still I think information about recognized entities is out of date. a new caching of list due to online presentation.

Dave Longley: So to be consistent,…

Dave Longley: this sounds like it's external, but I really do hope that we talk about these things in the spec as imple they do seem like they're things that implementers need to consider.

Manu_Sporny: Yeah. Yeah.

Manu_Sporny: Information I recognize. Which one was this? I got a little distracted.

Dave Longley: to be consistent.

Manu_Sporny: Okay.

Dave Longley: I think it's external.

Manu_Sporny: Changing domain controller for recognized It's external as well, right? Information leak when fetching recognized entity credentials or…

Dave Longley: Sounds external.

Manu_Sporny: linked resources. what does that mean?

Dave Longley: I would think for regular privacy considerations in such a spec as this one, we would say things like fetch in some privacy preserving way,…

Dave Longley: OHTTP or whatever it is. Is that an implementation concern? Same sort of bucket of confusion.

Manu_Sporny: Yeah, let's say it's an implementation threat…

Manu_Sporny: because I think we're definitely going to tell people use OHTTP when requesting, let's see. Leaks information to the server. All right.

Manu_Sporny: All right. I am out of time. Would someone else be able to take over for me and take the group through the rest of these items?

Kayode_Ezike: Suppose I can give it a try.

Manu_Sporny: Thank you so much, Kayode. Can you get into the document and edit? Okay.

Kayode_Ezike: Yes, I'm there.

Manu_Sporny: And then I'll hand it over to you to share. Thank you very much Kayode for taking the group through the rest of this. I got to run. Thanks all. Bye.

Kayode_Ezike: Screen you quickly. One second to share my screen. Y'all can see my screen.

Kayode_Ezike: Zoom. All righty.

Dave Longley: Yep. It's not showing the Google doc yet,…

Dave Longley: but now it is.

Kayode_Ezike: So we go to set that we were at. I think we're here now. change domain control for recogniz.

Kayode_Ezike: Did we just classify this one?

Dave Longley: Yeah, that one's categorized.

Dave Longley: We got to go down to the uncategorized section right below that.

Kayode_Ezike: Okay. Blanket censorship.

Dave Longley: So, censorship I don't know…

Threat Model Categorization Of Censorship

Kayode_Ezike: Were any of y'all the authors of this one? So, This is one of those market ones.

Dave Longley: if I wrote that one or not and if nobody else remembers. and this is fairly broad. I wonder where this goes. it could be that some of this I mean there's certain kinds of gatekeeping and censorship that this specifically helps with because it's decentralized in its nature. so let's put it under threats that the spec actually could help with.

Dave Longley: Because the external one we would just be ignoring, whatever the spec can't do is external.

Kayode_Ezike: so this would maybe be dependency All right.

Dave Longley: And now I think it's at the top category. It's target threats. So the spec is designed to help prevent censorship because it is decentralized in how it works.

Kayode_Ezike: Happy with that schema text.

Dave Longley: So, it's definitely external, but again this spec should talk about something and…

Kayode_Ezike: Any other thoughts?

Dave Longley: maybe the spec even needs to say you need to do certain things. Did I cut out just now? this spec uses JSON schema and maybe we need to talk about it in implementations. I would feel more comfortable dropping it in implementations and moving it to external later. I don't know what other people think. We got a thumbs up from Phil. Yeah.

Kayode_Ezike: Yeah, it's really to me too there's I mean not to create more categories but oftentimes like we keep thinking of sorry before I get into that this would be a implementation for now right as we said and then maybe turn it into okay a lot of these are configuration I know I think external maybe might be a little bit confusing so this particular documentation or this document eventually is going to be in some way, shape or form included in these that at least referenced from the spec in some way, right? So between now and that point, we definitely want to think about how to make some of these concepts more understandable as far as the labeling of these issues. okay. That too lacks JSON schema.

Kayode_Ezike: Sounds similar to the one that we just did.

Dave Longley: Yeah, it's probably we should keep them together, I would think.

Kayode_Ezike: All right. improper handling of large entity list. I think and this will be an external. Okay.

Kayode_Ezike: for being consistent. yeah something that implementers need to be concerned about.

Dave Longley: Seems like it could be an implementation.

Dave Longley: Again, I'm going to continue to struggle with what the line is there.

Kayode_Ezike: I guess it's just the question of yeah what is our semantic for implementation? did you implement back right or…

Phillip Long: Dave, Dave,…

Kayode_Ezike: did you just do a poor job managing resources in your app?

Phillip Long: you made a comment earlier about things that we need to talk about and I think that's at this point in time. We're not trying to be extremely limiting. We're trying to figure out what it is we really do want to talk about. And so I would be generous about putting things into the category of implementation or whatever. so that it has a chance to be viewed again separately and then if it gets tossed down to external that's great. We can just reference it and people can take it from there.

Kayode_Ezike: J we cut everything.

Phillip Long: And sorry, I'm on a very slow connection today because my died and I'm waiting for my ISP to come out and replace it.

Kayode_Ezike: Thanks. That's good input. I mean maybe with that lens we'll continue to go through these and we may want to go back through the external threats just to see if we Yeah.

Phillip Long: There's an external threat that we have that Dave, for example, you've mentioned you'd like to see something said about or we need to say something because there's some particular way we want people to handle it. Then it…

Dave Longley: Yeah, I think right I would say we're probably going to have to go back over the external threats at least one more time with that lens in a future call.

Phillip Long: then it goes up into wherever the implementation or whatever it should be. if we don't care, then we just leave it in imple where it is. Agreed.

Kayode_Ezike: Same page there. Thanks next one is an issuer trying to provide a recognizance to VC alongside a VC that the issuer issues the intermediary to transport the VC's alter. Are these two different dependencies to increase? And I can't tell if these are two different issues.

Dave Longley: I think that's supposed to be all one thing together. I think it's describing a situation and then what happens while that's happening and…

Kayode_Ezike: Okay, got you. Okay.

Dave Longley: talking about it trying to impersonate sounds like it would be covered by that this would go in the first category as target threats…

Dave Longley: since in theory a digital signature is going to help with that.

Kayode_Ezike: Yes, exactly.

Kayode_Ezike: We might work that a little bit later. so I'll take a few more if resolving a mechanism for discovering a recognized entity depends on DNS and DNS is not properly secured and proper recognized can be injected.

Dave Longley: I mean this is clearly external and…

Kayode_Ezike: Yeah. So far that

Dave Longley: it just falls under any DNS threat. And I guess it's a dependency really, right? Because that's just an inheritance problem. We're using DNS and DNS can be attacked. maybe because there's X509 and…

Kayode_Ezike: Right. I guess for this particular one,…

Dave Longley: then there is all of the rules for how you use X509 for validating those and depending on what we say in our spec there might be some specific thing that we add to an X509 certificate so I don't

Kayode_Ezike: it seems more appropriate to leave it where it is because it's not saying that anything was wrong with the X509 implementation. It's more so saying something wrong with the way it was processed by the verifier. So maybe that's fine where it is. So still recognizing she was due to aggressive caching policy. This is also something we did. It's a duplicate I think one we did earlier.

Kayode_Ezike: Just make sure I see the member.

Dave Longley: Yeah, that number 13 in the external list talks about caching.

Kayode_Ezike: So I'll just get rid of this So that's so what we could do is we could either start a discussion of reviewing external threats and seeing if we can recategorize some of these that we care to discuss further or maybe move on to I don't know if there any offline issues that we can review do since we're already here you just want to start with that.

Kayode_Ezike: So that's the objection is …

Dave Longley: Yeah. How about we look at external threats and…

Dave Longley: if we think we want to talk about them more with respect to implementations, we can move them up. Although it says, ac Acknowledged seems to me like you are going to talk about them, but they are out of scope.

Kayode_Ezike: I see. Or is it just saying that this document is acknowledging them as out of scope and…

Kayode_Ezike: not enough that we would acknowledge it out of in spec itself? I guess yeah. Yeah.

Dave Longley: I was going to say I think it's when we build the threat model these are things that are listed so they do get mentioned …

Dave Longley: but then they are acknowledged as out of scope. So external threats we might be able to move some of the other things down. We might want to get some more. So, one of the things that is supposedly going to come out of the face meeting for those there is more people working getting caught up on how the threat modeling is supposed to be done from the threat modeling people who put these categories together.

Dave Longley: And we might just want to wait for that work to happen because it might help us not duplicate work by moving things in and out of categories. is

Kayode_Ezike: That's true.

Kayode_Ezike: And it does help that every task force is using the same template that that's unified. So, I'm sure this discussion will come up some point.

Kayode_Ezike: That's fair. so yeah, I guess we can then just maybe on our time just keep these things in mind. I don't know how many I shouldn't switch over. any of us if you care to share going to be at the face to face next week. I'm not either.

Dave Longley: I will not be there.

Kayode_Ezike: So maybe have one or two advocates to make this particular point, but that's fine. And I think maybe on tomorrow DCWD call we can call that out as hey we've been discussing these different types of threats in some of these task forces and some of the language that we're using may be a little bit confusing for the spec documents. So just want to make sure that we're clear on what we mean when we say for example certain threats. Are we saying that this is something that we're not going to target in this version?

Kayode_Ezike: we're saying something else, So, yeah, maybe just discuss that tomorrow or something. So, I don't know if there are any open issues that any on this call be able to speak to. otherwise I'm happy. No system.

Dave Longley: I think it's recognized entities.

Kayode_Ezike: Okay.

Kayode_Ezike: So these are not categorized yet. I don't think we don't have 10. Okay. So we only have two that are not categorized and they will open by people that are not here today. So some of these seem fairly simple. So I think it's probably safe to end the call today. had a pretty productive call and unless there's anything else that folks have undermined. We probably need to cancel this call next week. I think we did that for some other task force calls, but this one I don't think I have the authorization to do that.

Kevin_Dean: Thank you for taking this on.

Kayode_Ezike: I think it's been or so we'll have to offline. until then thanks everyone for contributing and we'll see you when I see Cheers. No problem.

Phillip Long: Cheers.

Meeting ended after 00:37:02. This editable transcript was computer generated and might contain errors. People can also change the text after it was created.

This transcription was generated by a large language model (LLM) and might contain errors. When in doubt, check the audio recording. This page was formatted by scribe.perl version 248 (Mon Oct 27 20:04:16 2025 UTC).