Meeting minutes
<Ivan Herman> date: 2026-06-02
Brent Zundel: Welcome everyone to the VCWG F2F
Brent Zundel: We will need some scribes today, so look forward to scribing throughout the day. The goal is to capture discussion and decisions made.
Brent Zundel: I have Belgian chocolate and a book to share, if anyone would like either.
Ivan Herman: Ivan Herman, I am a W3C Staff contact for the WG and others -- been with the WG for about 5 years.
Brent Zundel: I'm Brent Zundel, Yubico, have been the Chair of this group for a while, before I was the Chair, I helped write VCDM v1.0. I spent a bit on chocolate over the past several days.
Phil Archer: Phil Archer, from GS1, some of our GS1 employees will be around and are excited to meet you. We have this space for all three days. If there is a fire (not counting on one) go down the stairs.
Joe Andrieu: I'm Joe Andrieu from Legendary Requirements, do work on use cases and threat modelling and confidence method.
Shigeya Suzuki: Shigeya Suzuki from Keio University, working on Originator Profile and educational credentials, this is second visit to GS1 global, was working on RFID technology before.
Ivo Ladenius: Ivo from GS1 Netherlands
Elaine Wooton: Elaine Wooton, working on Verifiable Barcode spec.
Wesley Smith: Wes Smith, from DB, working on credential status and other related technologies.
Manu Sporny: Hi, I'm an editor on a few specs
Steve Capell: Steve Capell, work on trade facilitation, here because I believe W3C VCs are by far best mechanism for scaling global trade, work at UN as well.
Carolynn Bernier: Carolynn Bernier, new W3C member/expert soon, interests are vocabularies for DPP and wallets, heavily involved in activity in Europe. Phil invited me here to participate.
Denken Chen: Denken Chen, affiliated with Ministry of Digital Affairs in Taiwan, co-editor of VC Confidence method and co-chair of Credentials CG and bring more energy to APAC regions.
Kevin Dean: Kevin Dean from Legendary Requirements, co-editor on VC Use Cases.
Jennie Meier: Jennie Meier with Digital Contract Design, alternate AC rep for DCD, have been involved for 4 years now.
Amir Hameed Mir: Hello Amir from Sirraya Labs, Invited Expert and work on ZKPs and post-quantum transition. I have been implementing a lot of this technology.
Phil Archer: We'll be joined by Carsten Stöcker, Simone Onofri, and Hadley later today. I'm not planning a dinner for anyone tonight, have to leave early today -- we need to make sure we keep the room tidy.
Brent Zundel: Today we're meeting until around 6pm -- tomorrow starting at same time, but will end at 3pm, we will be doing a tour of beer museum and then a dinner.
Brent Zundel: Thursday we have to be out by 1pm.
Joe Andrieu: What time zone are we anchored to?
Brent Zundel: Boston time zone
Phil Archer: Make sure you use IRC if you want to speak and queue.
Brent Zundel: We will need scribes throughout the day
Group discusses IRC logistics
Process and Task Force Discussion
Brent Zundel: The W3C Process document is a description of how W3C operates. Describes how W3C gets stuff done. I'm the Chair of the Process CG. Goal here is for people to feel comfortable jumping into the document.
Brent Zundel: W3C Process document talks about membership, rights and obligations, covers how we participate in groups, criteria for being involved, rules guidelines for meetings, W3C is a member organization -- a member is a company, there are dues involved, every member can select a representative to the advisory committee. AC is group at W3C that makes final decision on charters, specifications, AC that elects members to Advisory Board.
Brent Zundel: The AC has 3 elected groups -- Board of Directors keep lights on approve budgets hire CEO, Advisory Board gives advice to W3C Team and Advisory Committee -- AB represents the AC, AB is responsible for updating W3C Process document. For example, travel fund would be for AB to decide.
Brent Zundel: Technical Architecture Group oversees architecture of the Web, review specs as they are being developed, how they fit within greater Web architecture. Hadley is co-Chair of TAG as of today.
Brent Zundel: The rest are Working Groups and Interest Groups -- WGs recommend specifications -- here are IGs... like privacy and security IGs that do reviews.
Brent Zundel: WGs start with a Charter, which gets refined by team (WGs exist for a span of time, goals/objectives, scope of work -- charter for this group works on VC technologies). Skim through group charter if you haven't yet.
Brent Zundel: If there is stuff you want in the charter, let us know.
Brent Zundel: W3C cares a lot about consensus -- strong consensus model, which means we aim for unanimity (everyone agrees)... strong consensus is "I can live with it" (the ugly baby is the best thing we can make)... the benefits is that we know that the thing that was produced was agreed to... consensus is very important. If this group makes a decision that you feel is absolutely wrong, it is your right to formally object to that.
Brent Zundel: Formal objection is a part of the process, it is your right to do so, but it is a very serious step and takes months to work through.
Brent Zundel: If there is a FO, team tries to resolve, then goes to council, then is resolved eventually if everything fails.
: Is anything changing in the next year or two that will affect this group?
Brent Zundel: There is a set of suggestions to W3C Process changes that is incoming.
Brent Zundel: We took feedback at TPAC, put them into actionable thing that could change, AC meeting we talked about two directions to head on process changes. The first is tooling improvements that will help ease burden of holding to process -- for example, wide review -- i18n, privacy, TAG, security, all groups review. Tooling around horizontal review is something that could be useful. Possible changes to WGs (how items are added/removed, how it interacts with patent commitments made).
Brent Zundel: Potentially a lot of stuff should be changing -- AB is going to try to make things better w/o sacrificing quality of W3C specs.
Phil Archer: To add to what you're saying -- Chairs are appointed by W3C Team -- for me, Chairing is a privilege, take it seriously, our job is to help the group come to consensus, go through wide review, we have a timeline to get documents done... there are a lot of documents to get through the process.
Phil Archer: I try very hard to co-chair and focus on being the Chair -- I am also from GS1, but focus on Chairing.
Brent Zundel: Our powers as Chair are fairly limited, we keep things on the rails, and have to find consensus if it exists (or make calls on how to proceed)
Ivan Herman: Most WGs have W3C Staff/team contact -- I'm here to help the Chairs and group to navigate the W3C Process. We do stuff to help publish documents.
Ivan Herman: Each staff contact has a view on what they have to do -- try to coordinate with other groups, keep things connected. I also help w/ various technical items in the WG.
Brent Zundel: There are three types of documents we can produce: NOTEs, Recommendations, and Registries. NOTES don't necessarily have consensus (other than to publish). Registry is a standard set of guidance for how registry process works (registry has contents that are updated).
Joe Andrieu: IP commitments -- don't understand language on "content of registries" -- for example, registration of DID Methods doesn't mean you entangle any IP. RECs are free of patents (per W3C Process). Registries don't have patent commitments (for example, proprietary DID Methods can exist).
Carolynn Bernier: There are three types of technical reports... is a use case a NOTE?
Brent Zundel: yes, exactly.
Ivan Herman: Some groups rely heavily on NOTES for things like best practices.
Brent Zundel: When we talk about FPWD, CR, these are "Recommendation" path technical reports.
Brent Zundel: Wide review is required for Recommendation -- but we can make changes to Recommendations (class 1, class 2, class 3, class 4) -- each has requirements.
Ivan Herman: Our charter allows us to make certain changes to certain documents.
Brent Zundel: Looking at picture of process -- CG follows CG process of incubated technology -- then WG considers if something is ready for FPWD... once FPWD is done, it keeps publishing as WD while we work on document.
Brent Zundel: Until we're done, at which point we move into CR phase.
Ivan Herman: Important to emphasize role of FPWD -- when do we do that? As soon as possible is a good way to go there... FPWD is a message to the outside world that the WG is working on a particular technology so public can make comments.
Ivan Herman: Publishing FPWD for quantum resistant cryptosuites -- we'll publish that next week, that we publish it and make an extra point on publication on website of W3C -- we are communicating this to the outside of the world, we are working on quantum-safe cryptosuites, message to community at large.
Ivan Herman: Some other groups have reluctance to go to FPWD -- FPWD doesn't have to be complete.
Brent Zundel: FPWD kicks off patent commitments.
Phil Archer: We might want to change name of FPWD -- throwback from long ago... this is misleading.
https:/
Carolynn Bernier: Even the drafts are public?
Ivan Herman: yes
Ivan Herman: In theory, a WG could choose to work behind closed doors, but no one does that lately.
Manu Sporny: what documents in the groups charter haven't had an FPWD?
Ivan Herman: Vocabularies and Quantum safe aren't yet
Ivan Herman: probably two documents from the vocabularies
Ivan Herman: some of the maintained documents may also need FPWD
Joe Andrieu: Wanted to comment about public drafts, sometimes we do Google docs, but that's not a part of the process.
Brent Zundel: We sometimes have member-visible documents, and private documents, which W3C tries very hard to avoid... they are very few and far between. Board of Directors work tends to be mostly private.
Ivan Herman: This private member/public is reflected in mailing lists that W3C Operates -- group member lists; two mailing lists for WG -- member mailing list and public mailing list. Mailing lists are on WG web pages.
Steve Capell: The UN standards have a less well specified but similar intent -- open development process, UN hasn't had tooling to do that effectively. UNTP was one of the first to use Github to do this, only two weeks did we hit FPWD (we have been working in public for last two years) -- had an enormous positive effect... wholly supportive of working in public.
Steve Capell: We are here in a member-visible meeting, wondering about other members and who is/isn't here.
Brent Zundel: That might be a good discussion for dinner.
Brent Zundel: A couple of more minutes to go through REC track -- when we publish CR Snapshot (but we keep updating CR as a Draft, we can snapshot again while doing that)
Brent Zundel: Once we get to when we're done, have implementer feedback, all normatives features have been implemented by independent implementations, wide review, horizontal review, responded to it appropriately, we say "we're truly done" and it moves to a W3C Recommendation vote.
Brent Zundel: That's the process, this is the W3C Process document, please take a look at it.
Ivan Herman: For vocabularies, what CR phase means for a vocabulary is different -- it is well defined in VCs what it means... more fuzzy wrt. vocabularies.
Ivan Herman: Pierre-Antoine will be here tomorrow -- for vocabularies, two independent uses of vocabularies -- Recommendations are useful in practice, implementations can be written from specs. Vocabulary work item creators need to specify what the bar is -- broader W3C community, set bar for ourselves and figure out what's good enough for vocabularies.
Phil Archer: quick intro to new folks...
Will Abramson: Hi Will Abramson, Chair of DID WG, work for Legendary Requirements.
Carsten Stöcker: Hi Carsten Stoecker, work on Business Wallet and DPP vocabularies.
Phil Archer: Thank you for being here, welcome to GS1.
Use Cases
https:/
https:/
Phil Archer: Let's talk about use cases -- some triggers for this -- Ingo has done some work, business vocabulary work -- Carsten Stöcker working in WEBUILD, Carolynn Bernier been working in DPP done in CIRPASS2.
Phil Archer: Joe Andrieu and Kevin worked on it, how long ago?
Joe Andrieu: It's been stable for years, but looking at how we can collaborate w/ others in the group
Phil Archer: Carsten Stöcker has been working on use cases -- are these use cases for the business wallet, DPP, confidence method, quantum resistant cryptosuite? What are these use cases for?
Phil Archer: Use cases document are well written -- we need use cases that will guide our work that we're doing now.
Carsten Stöcker: We did use cases for legal persons -- in WEBUILD, large scale pilot of European Commission -- focus on legal persons (companies and companies that are registered).
Carsten Stöcker: Natural person identity, birth certificate, to phone to natural person wallets... mDL, identity card, add digital identity to phone, security, holder binding, and other stuff for natural persons.
Carsten Stöcker: We are doing same sort of thing for businesses... entry in business registry, inheriting in business wallet, identity credentials that we're starting to use in European... EU unique identifier, European company certificate, European company certificate... all of this can be generalized, link to identity in business registry... identifier of company.
Carsten Stöcker: EU identifiers business registry, unique identifier for company, same approach for US. In other jurisdictions it's simpler (Singapore has one registry, for example).
Carsten Stöcker: What GLEIF was doing w/ vLEIs is also interesting.
Carolynn Bernier: We need to come out of this meeting with agreement on use cases -- diplomas, etc. In our task forces, we need to agree, what is use case for DPP and wallet TF, we might have different level of use cases. There are things that already exist that are similar to legal trustworthiness of org... looks and feels like business wallet attestation -- no interop between them. The business wallets between countries might not align.
Carolynn Bernier: How do we get interop between different nations? US Business wallet, DPP, many DPP systems out there -- UNTP DPP, EU DPP, we want to create interop between different DPP, use case is examples of where interop needs to happen. KYC between borders. General VC use cases is one thing, need to agree on what was just said.
Carsten Stöcker: We could move use cases elsewhere once we discussed them. We should also talk about GLEIF and work with German registry, etc.
Steve Capell: The use cases are broad, need to be chunked up to align w/ the work that we're doing here.
Steve Capell: The recognized entities work and UNTP work might be able to be collapsed down to certain business space, can discuss which WG does which use case.
Steve Capell: My personal view is that a Swiss non-profit is not an authority of a business registered in any national jurisdiction. We are a mission at UN to issue membership w/ verifiable proof of membership -- want to re-use recognized entity, want to align w/ recognized entities -- let's focus on what problem we're addressing.
Joe Andrieu: How we've thought about use cases here -- how we expect this technology to be used. We want to document and focus feature debates. What we're seeing is task force specs are putting use cases in the spec itself.
Joe Andrieu: There are use cases in DPP, don't know if we want to aggregate, will leave it there.
Shigeya Suzuki: LEI adoption is not unevent among jurisdictions, it's problematic in certain context that we use LEI -- like idea of focusing use cases not toward specific technology
Carolynn Bernier: For DPP won't align with W3C, different standards will exist, we can't control what happens in China, we have to create interop between that.
Manu Sporny: Joe Andrieu mentioned: how are these use cases popping up? One reason is because Horizontal Review often asks for a set of use cases, that's why they are being added to each document
Carolynn Bernier: Having the VC Use Cases document is great, but having a few tight use cases in each extension spec to help justify the reason for the features is helpful.
… then we can decide later if they should be combined
Phil Archer: We have to expand overview document, too.
Carsten Stöcker: We should discuss later -- small section of use cases, use that to talk to people so we are doing relevant work, easier to have multiple buckets for use cases in beginning and then collect them together later.
Carsten Stöcker: We just need to have something that helps people see what we're working on.
Carolynn Bernier: Yes, standards bodies will do their own thing, but if there is willingness to align, then we can align.
<Ivan Herman> +1 to Joe Andrieu Andrieu
Joe Andrieu: We probably want to avoid setting up vc use cases document as a bottleneck -- people are going to wonder -- we should link to the use cases in these other documents via vc use cases spec.
Will Abramson: The use cases document is quite dense, diagrams would help
Steve Capell: Trying to distinguish on technical standards, which can be used for all kinds of business use cases. When we write a trade use case, are we implying that we're going to develop a trade vocabulary. There is risk involved in a technical body -- be careful w/ use cases -- how do we distinguish?
Phil Archer: Yes, standards bodies need to stay in their area of focus.
Phil Archer: We can transclude information from one spec to the other.
Carsten Stöcker: Discussions around JSON-LD security, vocabularies (people working on them) will disappear... W3C could have base vocabulary to keep it around -- might be desirable for medium assurance use cases
Carsten Stöcker: It's important for some sort of "semantic hub" to exist.
Carolynn Bernier: Use cases, each task force will have relatively detailed use cases to dig down into problem each task force is trying to solve -- we don't need all the detailed use cases directly into general use cases. I think it would make more sense to have high-level use case to add to general use cases. Infinite possibility of use cases for VCs... task force wants to give specific examples of problems we're trying to solve.
Ivan Herman: One thing that we need to care about -- network of specs have core technology -- we can't really change those items... for new use cases coming up, what are problems w/ current VC network/family that we have to solve for use case to work.
Ivan Herman: We don't have to write use cases from scratch... example of using VCs with one of the vocabularies -- From VC point of view, you can do X -- VC for that, but then there was requirement for new features into VCDM that are not there -- seems like there is something in VCDM missing, maybe we have to look at core tech... we don't want to start like we're starting from scratch... we are extending.
Is the nearest thing I know of as a register of known vocabs
Ivan Herman: Should W3C set up registry of vocabularies -- we've talked about it for a while, but we want decentralization -- VC can handle it, JSON-LD structures can do that -- you don't have to re-register the data and you're done. All vocabularies put in W3C account, goes against foundation of decentralization. There might be cases where it's required, but first reaction should be, if there is a vocabulary out there that's stable and used, use that.
Manu Sporny: +1 to Ivan Herman. I want to underscore Carsten Stöcker. We're seeing in market verticals that are outside of W3C concerns using W3C Credentials, creating vocabularies, that want their vocabularies here.
Ivan Herman: we need a formal response to them if we're going to tell them to not bring them here.
… we need to figure out how to walk people through the process of setting things up on the web for long term availability
… vital records agencies are completely rudderless here.
… we can help them build the vocabulary, but they want to keep it elsewhere, and we need to help them figure out what to do.
<Joe Andrieu> (off q) Sounds like a good interest group, for publishing/hosting appropriate/mature vocabularies
Steve Capell: I want to draw a huge distinction between W3C setting up a server vs. W3C publishing meaningful schema -- any standards groups that develops standards should look to membership to decide what they're doing. W3C Members are tech companies, long-term sustainability, UN Trade Data Element Vocabulary -- long running places where things live, membership is right characteristic of where this should exist. In UNTP, org that has authority to develop vocabulary but doesn't know how to host it. We should give people instructions on how to create and host vocabularies.
Ivan Herman: I had a discussion last weekend with Pierre-Antoine on vocabularies -- set up formal registry for vocabularies -- my reaction was for VC-related vocabularies -- no, goes against ethos of VCs, maybe we need registry like DID Method registry -- registry for vocabularies, loose set of requirements for vocabulary, don't want to get into details. some sort of mechanism like DID Methods. Don't know how well that works.
Manu Sporny: Not very well :)
Phil Archer: I think there is consensus -- if you're working on new spec, render method, those documents should have use case section that discusses why we've done this. Avoids putting everything in one place. Use case that motivates particular piece of work. We can collect later.
Phil Archer: Ok, thank you! 15 minutes and then we discuss confidence method
Confidence Methods
<Joe Andrieu> https:/
Joe Andrieu: presents those slides
<Joe Andrieu> https:/
Joe Andrieu: I'm going to share the work Denken and I are leading on the Confidence Method
… Increasing confidence about a particular subject
[Slides provide text]
Joe Andrieu: Biometrics are super-powerful, also super-dangerous. It's easily abused.
Denken Chen: When we issue a VC, is the subject the holder, and when presented, is the presenter the subject
Denken Chen: We need to be very careful when sharing your portrait image online. Are there other methods for increasing confidence?
… Talking about online confidence
Carsten Stöcker: Do we need confidence for legal persons as well as natural persons?
Joe Andrieu: Yes. We just need someone to come forward to propose it
Joe Andrieu: Goats, and dogs also need VCs. The owner offers the confidence. But hang on, dogs can have chips. Might have a point of extensibility there.
[back to slides]
Joe Andrieu: Talks about use of DID and CID for the example of a "marriage certificate". Use CID to get the public key simply
: +1 to that. There are use cases where the VC is attached to a person, or can be associated with a card (chip & pin etc)
: There are use cases coming out of mDL wanting the whole thing in the card.
… Another use case is everything is the card - it's the card that is legitimate. So you need confidence method work to associate that card with a person
Joe Andrieu: The marriage cert doesn't say anything about whether Jayden Doe and Morgan Doe are who they say they are
[Assurance level slide]
Joe Andrieu: External assurance systems can be plugged in
w3c/vc-confidence-method#38
Scott Jones: The intention is to add a Biometric Vector Confidence method to the spec
… We added a challenge/response flow
… Updated to cover multibase...
… Renamed relevant ZKP suite
Joe Andrieu: There's a note, but if you add a class of "atrisk" then it will be shown as such
Scott Jones: I resolved some merge conflicts. There are open issue and review comments
Joe Andrieu: I want to go through the comments from Manu Sporny and Amir Hameed Mir but...
Joe Andrieu: Confused about the workflow
: This is probably the first time a lot of people here have seen this. Let's go back to the use case. We're trying to do a privacy-preserving biometric check. Ideally with the user's device and the biometrics never leave the user's device.
… Trying to get it so that there are 2 improvements. 1. you don't know where your video is going to. Maybe you get to choose which video service is used.
… 2. Better - you have software on your phone that has been audited and spits out a signal that your details were checked and verified.
: If you're at a store buying alcohol, you want to send them an unlinkable check that you're over 18
: We want a proof something like "with 94% confidence, this person's government ID checks out and is over 18"
… The retailer doesn't get to see any PII.
… Assumes that there is a gov-issued ID on your device (an mDL or VC)
Will Abramson: I'm a little confused. What is the binding? I have some proof but how does the relying party know that the gov ID that was checked is for the presenter?
Wesley Smith: I'm looking at example 4. I'm interested in how the proof is linked to the presentation
… I'd think some or all of that proof should be in the VC?
: I don't think we have good answers to those specific questions yet.
… How does a verifier ask for a check to be carried out
: Scott Jones may have more to say.
: It could work sth like: I need a proof of likeness of you. Perhaps include a challenge, and might then specify the biometric matching models that it allows.
… For example, I'll accept a Real Eyes check against a gov-issued ID.
Joe Andrieu: I think... we might have a slight error in example 3. It's a VC that has a biometric vector... you can achieve confidence by applying this method using this kind of issued ID
Carsten Stöcker: Physical goods don't have biometrics, they might have product characteristics
Carsten Stöcker: I wonder if we need a list of authorized, qualified ID verification companies?
Wesley Smith: Going back to the ZKP concept... something that might be a challenge - a lot of the models we're describing are based on proprietary mechanisms. We can't specify that in the W3C doc
: The biometric face matching is highly proprietary. Everyone has own method and models
… There are some open models, but they're not nearly as accurate
Phil Archer, to be clear, my concern was not about W3C documentation, but a technical concern about ZKPs on proprietary computation
: If an open model were to become competitive then there might be a shift.
: Because the models are unreversible, meaning if someone gave you the template, you couldn't reconstruct the person's face. I think
: If you needed to communicate the biometric vector to another system, at least you're not uploading a picture of your face. It's a slight improvement.
: You could potentially put this on a card.
: There's a problem when someone clones all the data on a card and then uses a fake image
… Very hard to get even a low-res image into a barcode
Steve Capell: I'm interested in the relationship between confidence methods and recognized entity. Imagine an RE issues a credential, how do you know that it was issued to that entity?
Joe Andrieu: These confidence methods we have been talking about have been about persons. For businesses, it's how can I be confident that the business is the subject.
Joe Andrieu: I like the idea of a service around registry of products. I don't like centralization but it seems unavoidable here for the likes of Gucci.
Joe Andrieu: On the reversibility question - it's mathematically possible. I could generate loads of images and pick the ones that match the template
Joe Andrieu: The goal is non-reversibility
Will Abramson: There are two VCs being talked about. A university one and you'd see the confidence method. Maybe a biometric method. That makes sense. I think I'd like to see the two credentials presented at the same time.
Kevin Dean: An FYI - we did a lot of work at GS1 on anti-counterfeiting. Even if the algorithm is publicly known, it's still impossible for the counterfeit to fake a genuine.
Brent Zundel: 20 mins to go
Joe Andrieu: This is most of what we want to talk about - this biometric stuff.
… I really like the simultaneous cf. interactive discussion.
Joe Andrieu: The receiver may not care about the confidence method, or they may care deeply.
Joe Andrieu: The confidence method might be an email. That's common even though it's not crypto.
… Might be the handshake of the might Pooh-Bah association
Joe Andrieu: Are there topics you want to cover here?
Denken Chen: no, carry on...
w3c/vc-confidence-method#32
Joe Andrieu: Issue 32 started with a question - does this example need an id within the doc.
Joe Andrieu: Ivan Herman asked whether the Credential subject needed an ID
Joe Andrieu: Sometimes you don't want an ID for privacy purposes.
Joe Andrieu: Dave also brought up the issue - he talked about the wrong lesson of putting personal IDs in a VC. A VC might have other PII in there, so you're not disclosing anything extra.
Joe Andrieu: We are aware that we're creating points of correlation. It's necessary. Maybe we should be in something about selective disclosure.
Ivan Herman: I'm looking for some consistency across all our docs. In our other docs, we always have an ID for the subject. So it looks as if it's mandatory. Maybe we need to go back to the VCDM spec
: I think what Dave's probably talking about is deep in the technical weeds. If you put a subject ID and make it selectively disclosable, you're going to be giving it out every time. Might be an issue for long-lived creds.
: Businesses and things have different privacy needs than people.
: If I put an ID for the credential subject and I allow the country of residence to be SD, then you'll give away the ID every time.
Carsten Stöcker: From a privacy POV, culture matters. Some people don't care about their privacy. Others do of course.
Carsten Stöcker: Diff between employer ID and natural person ID and have different privacy expectations.
Ivan Herman: This sounds like a VCDM issue, so I think the issue should be transferred to the VCDM repo. It's nothing to do with confidence method.
Joe Andrieu: It's my responsibility and until I move it ;-)
… I like the on behalf of pattern
… When someone is acting on behalf of someone else
… That often happens with employees. We don't want everything about an individual to be mixed up with their life as an employee.
Joe Andrieu: technically, Manu Sporny was talking about BBS. Others might have a different SD method. With BBS, the ID must be disclosable
Joe Andrieu: I hadn't realised that the subject ID would be revealed if something below it was.
Denken Chen: I agree that this ID issue should be transferred to VCDM
… especially as it's already in wide use. We prefer the device binding. But what does it solve? Do we need an ID for everything? We're trying to increase the confidence in a VC
Joe Andrieu: Thanks - this was really good engagement
: Great work on the spec so far - thanks to Scott Jones, Denken and Joe Andrieu. How far away from CR are we?
: Can we get a version 1 out fairly soon?
… And then come back and add in other features that might take longer to work through.
: Maybe 6 months for the image. Biometric later.
Joe Andrieu: 6 months sounds doable?
Joe Andrieu: We need to get the original draft spec text for what we think is simple before we get to what's complex
Ivan Herman: The problem I see is horizontal review as we mentioned earlier
Joe Andrieu: Every one of these methods needs a threat model. a11y will ask questions. Maybe not i18n. I suggest the horizontal review should begin soon.
Threat Modeling
<Simone Onofri> slides for the Threat Modeling session: https:/
<Simone Onofri> slide 11 for remote folks
<Simone Onofri> if you would not to sleep or observe
https:/
<Kevin Dean> Dropping off for another call. Back in 1.5 hours.
The group explored threat modeling around VCALM using Legos
Manu Sporny: at what point can we know our threat model is mature enough to bother the Security folks?
Simone Onofri: We are having a long discussion about that. You can consider the first iteration done when you have at least one threat per category of stride, ideally with a mitigation. One for each flow
… for example, not all threats apply to datastores
Joe Andrieu: noting we didn't introduce 'stride' to this group
Manu Sporny: so, 20 threats for 4 flows?
Joe Andrieu: we want to elicit the threats we've had in mind as we developed our tech.
… If you feel you have closure, that's good enough. Worry less about the numbers and more about addressing what keeps you up at night
… make a flow diagram, tie your threats to the flows, start socializing with others to find new threats, then fill in
Simone Onofri: we are using a similar method for reviewing the standards.
… for security, you can use stride as a category for discovering threats
… some threats are in multiple categories.
STRIDE is an acronym for the different threat categories
Simone Onofri shares a google doc, linked in the presentation from earlier
Joe Andrieu: for each interaction, go through STRIDE. Also, what is the most interesting of each category for the whole system.
<Shigeya Suzuki> https:/
Simone Onofri: if you need help, there are also threat modeling card decks that may be helpful
… some ideas in the document
Simone Onofri: starting with the diagram, then at least one threat and mitigation for each interaction is the goal
… probably we need to introduce other things: STRIDE per element, STRIDE per flow interaction, ping me so I can give you more information, plus also take one threat type and take it through the diagram, i.e., threat per interaction.
… when you have one for each, then it is ready for review
Manu Sporny: I'm concerned about the amount of work this represents. We could spend as much time on threat modeling as we spend writing the spec.
… There are some attacks that may introduce additional elements, that adds more.
… one thing I was hoping to get out of this: can we do security and privacy in the same model?
… there's going to be a lot of duplicate work as well
Joe Andrieu: also, when it's the same mitigation every time (e.g., TLS), then do we need to indicate each threat?
Manu Sporny: we'll need to make some judgement calls, worried the Security Group is going to say it's not good enough.
… threat modeling might be a lot of extra work. At least 3x 4x more than previous security consideration
Manu Sporny: most CISOs aren't even asking about threat modeling when we talk to them.
Carsten Stöcker: what we do here is educational.
Shigeya Suzuki: useful to have data flow diagram, needed for STRIDE.
Joe Andrieu: we have that already, we didn't show it today.
<Shigeya Suzuki> May I have the link to the document which has DFDs?
Phil Archer: I'm also concerned with the amount of work this represents and how it will affect our timelines
Simone Onofri: You are hoping for CR after TPAC?
Ivan Herman: for some of them, TPAC would be too late
Simone Onofri: my suggestion for finishing on time: start and close the high level DFD, this may be enough for the review
Render Method
Phil Archer: is 40 minutes enough, or do you want to continue past that, some people need to go early?
Dmitri Zagidulin: I will make sure that's enough
VC Render Method
Dmitri Zagidulin: Today we will do an overview and lay out our main questions and challenges
Slideset: https:/
Dmitri Zagidulin: VC render method is a way for issuers to provide rendering suggestions for VC handling software. See slides above
… render method is not just about display but general purpose transformation. E.g. print to PDF problem
… Anything that touches VCs with a user interface is going to need this
… See the goals of VC render method in the slide deck.
… We expect this to support multiple languages for both the keys and the values
… In many use cases, different locales influence more than just the words but the entire UI e.g. the color scheme
Will Abramson: Is rendering always for humans or are you also looking at rendering for other machines, especially AI?
Will Abramson: Is VC render method specifically for rendering to human users, or could it include AI agents?
Dmitri Zagidulin: Good question, we need to learn what AI systems prefer
… Visual to audio or visual to text could also translate to AI
… I think this framework will help us render information in whatever ways agents prefer
Kevin Dean: Wondering why we would be catering to agents, rather than agents adapting to what we provide
Dmitri Zagidulin: there is a lot wrapped up in that
… Yes we want the agents to help us, but also humans often end up serving the agents
<Phillip Long> Great observation Kevin!
Kevin Dean: understand some provision needs to be made for agents, statement a bit too strong rather than a give and take
Dmitri Zagidulin: agreed, I believe if we focus on accessibility in general it will be accessible to the agents
Dmitri Zagidulin: Threat modelling - the key question is how much do we trust the issuer?
… What are the current approaches to render method?
… We have seen "baked" images where an issuer lays out how the credential is going to look and embed this into the VC
… Or we have seen this the other way round. Where the json is encoded into the EXIF. However, this doesn't work as well as lots strip this information
… This locks in the way to render the VC at issuance time by the issuer
… This is similar to a printable PDF that includes a QR code linking to a VC
… Not having a render method approach initially, people opted for this baked in route
Shigeya Suzuki: How do you deal with accessibility with these methods?
Dmitri Zagidulin: This is exactly right. We also have to deal with this right to paper in the VC space. It should be possible to go from a digital VC to paper based
… There are two approaches, you prerender it at issuer time or you create some form of template to render it at render time in some structured way
Phil Archer: Linking this to the barcode work. Could there be some link between rendering and the representation of a VC as a barcode
Dmitri Zagidulin: I see this as two directions. VC barcode from plastic to digital. Render method from digital to paper
Wesley Smith: Agree that barcode and render method could be linked. But more work is required. In a render method that goes on a credential you could specify a barcode representation of that credential
… The other way is a bit more challenging. Putting a render method in a VC barcode is harder due to space constraints. You would need a compelling reason to want to do that round trip
… If the use case is there, it's possible
… You can do what you want with VC barcode. VC barcode accepts any VC, including ones with render method today
… Some of the use cases for VC barcode include digitally signing over data in a machine readable form that is not in the VC itself
… Might be hard to support this in a render method
… render method would have to do the work here to support this
Dmitri Zagidulin: agree with everything you said. Major challenge is the space constraints
Dmitri Zagidulin: As soon as you want to embed any images or large text content in the VC it gets too big for VC barcodes. That is before you consider post quantum
… There are two basic tools to deal with this. Omission and linkage.
… E.g. we could compress html and css into a URL
… Even considering embedding something like an issuer logo into a VC can quickly cause the VC to get too large for some json parsers / handlers
… If we trade space for linking, this does not work as well offline and it can also cause correlation and phone home risks
… This comes back to the question of how much you trust the issuer
Wesley Smith: Might be worth considering CBOR-LD for compression. Possibly render method could be designed to work well with CBOR-LD
Dmitri Zagidulin: Keep embed vs link and the space constraints in the back of your mind
… This is a persistent problem across the threat model of the vc ecosystem
… Whenever linking to external data via a URL
Dmitri Zagidulin: Then there is the template approach. You define some template and structure for the data in HTML, CSS or SVG etc. Then on render you fill the template with the VC data
… The challenge here is how do you sanitize these templates. This led us to browser sandboxing primitives e.g. iframes
… The last approach is card style, we can describe each of the fields and how they should be rendered. Give some display directives but let the UI code make their own judgements
… This is used throughout the openid4vc and sd-jwt world
… We should keep it in mind and have a provision for this
Dmitri Zagidulin: any questions?
Brent Zundel: Nobody on the queue, we will revisit at 2.15 CET
Wesley Smith: back on vc barcodes. The only way to do what you do would be the not prebaked render method. You can't have the VC contain the barcode that will contain itself
Dmitri Zagidulin: Thanks
Phil Archer: Thanks to everyone who joined us online
Will Abramson: We reconvene tomorrow