Meeting minutes
<Ivan Herman> date: 2026-06-03
<Manu Sporny> Chairs go over logistics for activity and dinner.
Phil Archer: phil opens the meeting
Sebastien: EECC introduces himself - interest in EU wallet
Phil Archer: Sebastiens company supplies GS1 with VC tech
Ganesh Annan: From digital Bazaar says hello
Business Wallet Vocabs
Pierre-Antoine Champin: W3C staff contact of DID WG and JSON-LD WG. Interested in vocab discusion
<Phil Archer> Charter
<csteocker> https:/
csteocker: Will introduce DPP vocab and (tentative) business vocabulary - for business wallet. Company registry, membership credentials, etc. Alot of work done in europe - but reaching out to US and Asia.
csteocker: Looking at UNTP and also W3C recognised entitites as basis to create interoperable voacb. Scope is things like KYC for supplier on-boarding - hopes to facilitate change from months to minuters.
csteocker: Also power of attorney as a use case for business wallet vocab. EU WeBuild consortium had 150 companies in large scale pilot. One challenge is distinction between corporates and sole traders - (companies vs individuals)
csteocker: Some debate needed about SD-JWT vs W3C VC - Carsten Stöcker is pushing W3C and is here so that W3C VC can avoid being de-scoped - because EU is writing tech standards into legal text and we need to maintain VCDM presence.
<csteocker> https:/
csteocker: presentBW vocab - four business registers participating (Finland, Germany, Netherlands, one more)
… draft use cases show the way identifiers are linked. company, related natural persons, related entities. Can be 100's of related entities. THis is the key value prop for linked data - each linked entity is a linked ID.
<Sebastian Schmittner> I think phil is making my point anyway ;)
Phil Archer: realisation that Carsten Stöcker is talking about the entire company relationship vocabulary, not the business wallet metadata. THis is complicated and important - but are they only VC based? this needs to be relevant to this group. Not only that but needs to be perceived as valuable but groups outside VCWG that may perceive this as too locked-in ... to VCWG. What is your end goal?
csteocker: we want to build vocabularies that can be used for all these business use case for corporate records and identity. AML, KYC, Export complaince, etc etc - are a heap of use cases. Due diligence on company structure.
Manu Sporny: Often a concern about overlap of vocabulary owners - and whether this group is the place for this. Work going on in US - convenience store ecosystem - 150,000 stores with lots of KYB (KYC?) challenges. This would be super helpful to them. We dont have retailers here, but we do have people representing retail (eg GS1?). US chamber of commerce - interested in KYB, and many others. We perhaps cant do the work to identity the detailed attributes but perhaps we can connect different communities together.
… Yes this is the value of working here - connecting with other groups. EU wants to work across border
Steve Capell: Concern - any time you develop standards, you need representative stakeholders. Potential users of those.
Manu Sporny: W3C is a tech SDO, it's not a place where you get banks, freight forwarders and retailers etc
… I understand Carsten Stöcker's desire but I'm not sure that W3C has the people to do it,
Steve Capell: You don't want to be tarnished with the anti-JSON-LD brush
<Manu Sporny> Ivan Herman: Along the same lines, what is it that we as a WG will have to standardize? Example of ontology, should that be standardized by W3C? These seem to be use cases put into a vocab? It could be published in a W3C space. Not a recommendation, fine line between the two.
<Manu Sporny> manu: My hope is that we can perform some kind of alignment mechanism between the business registry alignment.
Carolynn Bernier: Agree with Manu Sporny. We dont have a place like "world business vocabulary association" so maybe this is the place to do it. For the moment - we are knocking on the door of this group for it. For example - where is the "world education forum" - maybe one day it'll exist. For now we need a place that is a JSON-LD fanbase to host this stuff.
csteocker: This is the value - we are connecting people and that is the value. EUBW is starting to put a wallet group together. "Corporate Register Forum" exists but have no idea what a business wallet is.. Maybe bring them into this group. For the time being, is this group the intersection of business and technical organisations around the
… world. Business value is huge - just germany, banking, enterprise KYC - Euro 3Bn.
<Shigeya Suzuki> +1 to Pierre-Antoine
pierreAntoine: Agree with what has been said - including Steve's concern about the right stakeholders. There are two sides to this - maybe a community group or interest group (especially because these are open to non-w3c members). But a WG brings formality. So what is a WG actually endorsing int he end? Could the WG work at "meta-level"? Who
would be responsible to figure out who checks the details? Odd for a WG to publish something without standing behind the content. Maybe this is a registry function.
<Joe Andrieu> +1 to a registry maintained by the group (without normative assertions about the entries in that registry)
<csteocker> Business Register Hierarchy Example
<csteocker> 1. EU Memberstate (or European Country, which is not a EU Member)
<csteocker> 2. European Business Register Association (EBRA)
<csteocker> 3. Corporate Registers Forum (CRF), global association of corporate registries
<csteocker> EBRA: https:/
<csteocker> CRF: https:/
Ivan Herman: this working group can/should prove that these vocabs can work in VC world. Consider the vocabs as "black boxes" then the question for this WG is "can I create a VC from this?".
… eg some group was using external vocabs for VCs but demonstrated a misunderstanding of what goes where in VCDM - which can be a feedback loop for what should be added to VCDM in future. Registry might be the place for it
<Manu Sporny> Steve Capell: Just to clarify the question -- I don't think we're heading toward publishing these vocabularies as W3C Recommendations, possibly a place to put them in the registry -- if content of vocabulary needs standards-based consensus/authority, that is likely to happen somewhere else.
<Manu Sporny> Steve Capell: Different hosts that have membership structure -- what we're talking here is a framework for how to allow proposed vocabulary that's not group output as register for Linked Vocabs -- vocabulary itself has no authority, in standards sense -- that's not a bad thing, people look at registry and say that's something I can use
<Manu Sporny> Steve Capell: Vocabulary may or may not be in W3C namespace, could register all UNTP vocabs... is that your expectation, Caresten? That's two differnt things.
<Pierre-Antoine Champin> +1 communication about what the registry means and does not mean will be important
Will Abramson: agree that W3C is not the place to design these vocabs. But the question is what does it rteally mean to add somethign to a W3C registry? Does it imply endorsement?
Manu Sporny: Example of California DMV. It's in prod now - but there was no logical home for the vocab and the logical owner (eg state govt) wants to do it but isnt ready / has no place for it. Meanwhile stuff happening in Europe. Question was "can W3C do this?" answer was no but state decided to do it.
… these vocabularies often have no home - or many competing homes. So there's a common tendnancy to ask "can this go to W3C?". The tech is fundamentally decentralised anyway - and these vocabs, even if they start here, can move elsewhere when there is a viable home. Lets focus on making sure that the vocabs are VCDM compatible - and we could
… have a test suite for that
csteocker: agree with Manu Sporny. Many EU consortium (even with very large funding) build vocabls but have time limited funding / existence. So where to put the vocabs where they can endure? W3C perceived as neutral. Gives people confidence.
Joe Andrieu: Entry in registry is required - but even if not a W3C rec, it WILL be perceived as an endorsement. Because it's in the W3C register.
Ivan Herman: important for those that are new - the DID registry is not a formal registry. a home grown thing. There is a registry track now which more clearly defines rules for registry entry. The AC must approve the registry framework, but not the content of the registry. risk is that people confuse approval of registry framework with approval of registry content.
Pierre-Antoine Champin: To joe's point, a vocab doesnt need to be in the registry to be used in a VC but IF a vocab is in the registry then at least people know it's VC compatible. Like Manu Sporny's suggestion for a test suite. How can community add terms? maybe vocabs in register have contact points. Heard people say that, although W3C is not the ideal authority
… for vocabs, many want W3C to take a role. Perhaps an interest group is the place for this - because non-w3c members can meet there
https:/
<Manu Sporny> Phil Archer: Want to speak to DCAT, worked on by W3C over a long time -- many terms in W3C DCAT vocaulary are not defined at W3C, lots coming from Dublin Core, Provenance vocabulary, etc -- what should we do with most effect? How can we help move things forward in a way that allows us to show value of VCDM. If we go to expert org, they don't have LD vocabulary -- is it about persistent hosting? Persistent domain name. There are rules around w3.org namespace.
<Manu Sporny> Phil Archer: CGs and IGs, different ways of doing it? Is it about reputation? Seen as endorsement? Is it about getting an ISO standard or through PAS -- or about good practice?
<Manu Sporny> Carsten Stöcker: It's at WEBUILD
<Manu Sporny> Phil Archer: Is challenge on persistence? What do we want to do to achieve what we want to achieve? I don't know the answer here, just asking questions.
Manu Sporny: Concretely, what can we do? Lets look at the vocabs and say "hey there are three of these already, why do you want somethign different?". We can act as a kind of linked data vocab expert group. +1 to Joe & Will, we dont want bad vocabs in the registry but also need to manage scalable review processes. Some sort of review / test suite - can add value. Can we do it in a generalised way that can scale and does not impose heavy burden on this group. Rigorous technical testing can be a valuable entry point - even if we dont make value judgement on vocab content.
Ivan Herman: The vocabs must be a black-box from W3C VCWG perspective. No judgement on content. So we need clear discussions abotu how this registry is managed. We need to go down this line of formal registry management.
Carsten Stöcker: not sure about registry. Wants to reach consensus on vocabulary content.
<Pierre-Antoine Champin> Phil Archer, there are caveat on what a REC can normatively reference, though
Carolynn Bernier: we need to distinguish core vocabs from others. The registry can include any existing vocabs from EU etc - but this W3C registry can be used as a "core" vocabulary - that can be the basis for global extensions.
Joe Andrieu: VCWG is not the expert group and will not survive long term. Endorse Carsten Stöcker's suggestion to get started.
Steve Capell: I think a consensus is emerging here - this is the wrong place to have authoritative discussions about content.
Joe Andrieu: There are cases where obvious authorities don't want to do something, and then down the line that perspective changes and they want to take it over.
… We should be talking about the qualification criteria for entry into the registry.
… Any vocabulary that isn't in the W3C namespace but is VCDM compliant should be allowed in the registry.
… The interesting question is around the metadata and usage of the registry.
… There could be interesting metrics surrounding volume of use of registry entries.
<Manu Sporny> Steve Capell: Feels like a consensus emerging -- this is the wrong place to have authoritative discussions about content -- however, if an authority can't do work yet, but then we do it, and they want to take it over -- that's fine and might be useful. We should be talking about qualification criteria for entry into the register, should accommodate any vocabulary that is VCDM compliant. What is the register metadata and how do they use it? What metrics should we establish about volume of use? Could we track use? Which ones are more popular, etc? That could be valuable.
<Manu Sporny> Steve Capell: My only nervous concern is "Core vocabulary" -- look for content, look for overlap -- is that our role or note.
DPP Vocabularies
Carolynn Bernier: A brief intro on DPP - I want to know who is interested in this work.
… What's important to understand is that DPPs are being introduced as both mandatory and voluntary instruments
… In Europe, this was introduced for sustainability and market surveillance reasons.
… Market surveillance authority people don't understand what this technology can do for them, so we do education on what opportunities it provides.
… DPPs will be mandatory compliance tools on the European market, starting with batteries in 2027.
… Iron and steel will be mandated in 2028.
… Not only finished goods, but also intermediate products. Garments will be mandatory in 2029.
… The European Product Act is a review of product regulations to harmonize work done by different people.
… Term definitions and semantics must be unified across different legislation.
… What compliance means for a DPP is not entirely understood.
… There are different serialization options for DPP - JSON is mandatory, JSON-LD and XML are optional.
… The need for something called a "semantic repository" was published recently - we are trying to convince regulators of explicit semantics.
… Now people agree we need explicit semantics, whether via JSON-LD or some other form.
… Industry has been introducing DPP for a while - the tire industry has DPP in production for every truck tire, for example.
… Michelin in France introduced DPP for business reasons.
… The tire industry agreed on a data model and semantics, and they designed an RFID DPP tire system.
… There is a widely used industry resolver.
… Industry is supportive of DPP. The United Nations transparency protocol is a different type of DPP with different objectives - to improve the traceability of ESG information.
… Here, proof is not required that data is correct.
… What Steve Capell has been providing with the UN is a layer of assurance that the data is correct.
… The US has introduced a voluntary DPP for customs clearance. Vietnam has introduced a consumer protection DPP. China has several DPP initiatives for different product segments.
… The EU correctly requires a unified DPP approach, while the Chinese approach is more chaotic.
… The goal in China is to digitize the product economy.
… In the EU both JSON and JSON-LD will be used for DPP. UN DPP is solely JSON-LD, and we are trying to convince China to use JSON-LD.
… Some DPPs will be issued as VCs. UN DPPs MUST be issued as VCs. In the EU, the standards can be read differently w.r.t whether VCs are mandatory.
… Vocabularies will be highly political things, with questions of sovereignty in different places.
… We must accept and expect that there will be different vocabularies.
… Personally, I want to make it easy to reuse data across all DPP schemes while respecting the sovereignty of nations to create their own vocabularies.
… DPPs can be linked - products can have subcomponents with their own DPPs.
… Product related attestations and claims can also be linked.
… There are two major challenges for the success of global DPPs: Companies may be forced to put different data carriers to conform with different regulations, and there could be conflicts of law yielding regulations shutting down DPPs as barriers to trade.
Amir Hameed Mir: What about attacks where data carriers are swapped onto counterfeit goods?
Carolynn Bernier: There are protections that directly link products to DPPs. There are multiple options to create trust on the authenticity of the product.
<Kevin Dean> ISO/IEC 15459
Kevin Dean: Depending on the regulator there could be different restrictions - for example, EU regulations could preclude usage of a DID.
Carolynn Bernier: EU regulation does not preclude usage of a DID in this case.
Carolynn Bernier: Harmonized standards are clear that many different identification schemes can be used.
… Louis Vuitton has a blockchain based product identification system.
<Michael Shea> +1 to what Carolyn has said. (I have been part of the JTC24 process)
Carolynn Bernier: Different sectors will use different identification schemes, and this should be a per-sector decision.
<Michael Shea> +1
Carolynn Bernier: Among the things we might want to achieve in this group, one of the first things I am interested in understanding is why to use VCs for DPP.
<Kevin Dean> My statement regarding ISO/IEC 15459 came from Annex III at https:/
Carolynn Bernier: For Steve Capell it's clear, but in the EU context I don't think that this is what is going to happen, since for example when I make a request for a DPP I am querying the Manu Spornyfacturer's site and using HTTP to retrieve the data.
… As I understand the harmonized standards, this data does not need to be signed.
… In most cases for DPP, the issuer is the holder, but there could be multiple holders.
… So why issue the DPP as a VC? What are the properties that the VC brings that are of use in such use cases?
Steve Capell: For "Why VCs", it's not about revocability, it's about "who is the issuer"? This could be hosted anywhere - many providers will use a DPP service provider to host things, but this tells you nothing about who issued it.
Joe Andrieu: When you have a register, issuer identity is linked by the register.
… In a decentralized architecture, there can be many copies of a DPP.
… There is a problem - the DID of the issuer is largely an opaque value - but there are efforts to solve this via business registration and Recognized Entities.
… I envision a future where VCs can be used as transactional messages rather than authoritative credentials.
… You must know who issued something in a way that is decoupled from storage.
<Manu Sporny> scribe_
Wesley Smith: Steve spoke to valu ethat VCs bring, getting data over HTTPS over trusted channel -- are there not use cases today that require some sort of P2P transfer where you can't inherit trust via protocol? Give DPP to someone else? Move product to another product? Where HTTPS doesn't match domain?
Manu Sporny: there is another benefit of VCs. As a creator of a product, why would you publish digitally signed information? One example, going back to the convenience retail sector in the US, is that it is difficult for small merchants to understand the latest that is going on with a product (identifier numbers, images...). These are things that it
would be nice for them to go out and fetch.
… Also, the relationship between that product and other things (such as a GTIN).
… Specifically, having core product descriptions as a bag of knowledge that an AI agent can work with is useful - relying on an agent to derive things can be inconsistent, and there can be regulatory requirements surrounding that.
Carolynn Bernier: You are talking about liability of publishing or using this data?
GTIN = Global Trade Item Number, the number you see printed beneath a typical barcode. It's a super-class of Universal product Code (USA) and European Article Number (EAN) seen elsewhere. GTIN is the bedrock of GS1.
Manu Sporny: Using - the consumer of the data must be able to say that they were acting on the fact that there was a confirmable certification about some aspect of the product (such as being allergen free).
i think what's not well understood is that almost every integrity verification use case involves a linked set of more than one credentials. The DID is the cryptographic glue that links credentials. You cant do this for example with an EU register issued VC identifying the economic operator if it is linked only to PDF or unsigned DPPs
Carsten Stöcker: To add to this - DPPs are coming to all products. For cybersecurity purposes and other purposes. VCs have main use cases including data provenance on the data plane, but also authn/authz on the control plane.
… We should distinguish between data plane and control plane.
… There is a pattern in supervisory bodies - how do we define trust. GenAI content is flooding mainstream information streams, leading to insurance fraud and similar - people are starting to see the value in provenance and authenticity.
… When it comes to ISO certificates relating to this, people are starting to put a trust infrastructure in place.
… Europe is investing massively into trust infrastructure for conformance assessment bodies.
… E2E verifiability of data is important.
Carolynn Bernier: I think we need to distinguish between issuing claims and the DPP itself, which can contain links to claims to things.
Wajih Rehman: We perceive this as an identity problem, which is why we see VCs as the solution.
… VCs provide built in proof that products have rights to exist.
… Commerce sites often have many Manu Spornyfacturers related to some IP and it is hard to tell what has the right to exist.
Shigeya Suzuki: VCs have time-limited credential functionality built in. What is the use case for revocation?
Carsten Stöcker: The Pharma industry is interested in privacy related to lookup.
Michael Shea: On the privacy issue, within the context of the EU, tracking access to DPP data, legally the economic operator is bound not to track consumer access.
… Outside the context of the EU, it's anyone's guess.
Carolynn Bernier: Issuers can track but cannot store data.
Michael Shea: Empowering consumers also gives some legalities around the content that can go into the DPP. Having the ability to legally prove things about data in a DPP is relevant, and where VCs are very valuable.
Carolynn Bernier: Are you saying that the signature on the data provides a timestamp for the data which limits liability issues?
Michael Shea: correct, DPPs, especially in the fashion world, have been on the market for years - the question is just on how trustworthy the data is.
… This new directive goes into effect in July and assigns liability around making claims as a brand.
Carolynn Bernier: Coming back to vocabularies, the different vocabularies across all product domains create a need for core vocabs and semantic anchors.
… We need to determine what a use case is in this context, and determine vocabulary requirements from there.
… Another question about the applicability of the VCDM to DPPs - we want to double check if there are compatibility issues for the EU there.
… What are the next steps for our task force?
Ivan Herman: I have the impression that what we have is not a use case document in the traditional sense.
… What I want to see is a document that contains the entire use case completed with VCs.
… This is use case + solution, at least a proof of concept.
… I think there could be discrepancies, and this document would let us take care of those discrepancies.
Carsten Stöcker: Eventually this will go into a test suite?
Ivan Herman: yes, eventually runnable code with a test suite.
Manu Sporny: I want to focus on concrete outcomes for the DPP work. Use cases are helpful, but my hope is that we would be able to provide something more concrete - actual tests, as Ivan Herman and Carsten Stöcker mentioned.
Manu Sporny: I want to focus on concrete outcomes for the DPP work. Use cases are helpful, but my hope is that we would be able to provide something more concrete - actual tests, as Ivan Herman and Carsten Stöcker mentioned.
Carolynn Bernier: There are vocabularies hosted by various organizations. We might create a core vocab for test purposes.
Phil Archer: There is no need to write a use cases for DPP - just documentation of how to use what exists today.
… Another question is what W3C document this would correspond to.
… Notes are easier than recommendations - recommendation is only required for standardization at some other standards bodies.
Ivan Herman: You said that vocabularies are available - are they in formats compatible with VCs?
Carolynn Bernier: Some yes, some I don't know.
… With respect to standardizing at other organizations, there could be value in bringing vocabularies there - this could help with regulatory bindings.
Wesley Smith: There is an eternal challenge with VCs -- it would be wonderful for the test suites and use cases displayed the extensibility for the solution. If someone can see how they can extend their own vocabulary on top of DPP, that would be wonderful
Wesley Smith: Ideally, there would be tooling like VC Playground to show how things interoperate concretely.
Wesley Smith: The VCWG knows the extensibility is a core feature, it's not obvious to people new to the technology. DPP folks that might not know about the technology could use playground to see thing working in reality.
Michael Shea: In the context of Australian agriculture/raw materials/textile sectors, there is a VCDM based DPP solution.
… There are probably half a dozen use cases in these sectors that exist today. is that what you are requesting?
Susanne Guth-Orlowski: Thank you for taking the discussion. I want to suggest that the European Commission doesn't know much about VCs and how to provide schemas - it would be great if we could produce something to demonstrate this.
for Ivan Herman - https:/
Susanne Guth-Orlowski: Creating something and showing people is important for driving these discussion.
… Discussions regarding vocabulary creation and hosting could be positively impacted if we had demonstrable materials.
Pierre-Antoine Champin: The people in the European Commission we are talking with are certainly interested in following up regarding VCs.
unsigned examples - https:/
Carolynn Bernier: There are lots of different parts of the commission that do not regularly communicate with each other.
Susanne Guth-Orlowski: The discussion is fragmented, and publishing something in public is the simplest solution.
Brent Zundel: welcome back to the VCALM session.
VCALM
<Kayode Ezike> docs.google.com/presentation/d/1F0RtWg5sUzgym8hRa501sxq2WCLiGQHAPtGjVFASO94/edit
Kayode Ezike: I've been involved in this space for some years now, primarily as a contributor and implementer of various components of this ecosystem.
… Today I want to give a rundown of VCALM - motivation, overview, demo, and status.
… Prior to VCALM, there was no standardized way for issuers, holders, verifiers to manage and move credentials around.
… This puts organizations at the mercy of credential vendors, i.e. vendor lock.
… We need a modular way to enable the different components and roles to manage the credentials within their systems and communicate them to other roles in the ecosystem.
… VCALM enables the roles in the three party model to engage with each other via standard interfaces.
… a workflow is a repeatable template of steps that any role in an ecosystem can use to facilitate a sequence of actions.
Brent Zundel: As you go through VCALM if you could talk briefly about how it relates to the Digital Credentials API for credential interactions in browsers as well as the OID4VC/OID4VP specifications that are already being used.
Kayode Ezike: We look at OID4* family of specifications as technologies that can be naturally layered on top of VCALM, and we directly support them - that family of protocols mostly concerns itself with issuance and presentation, but not other lifecycle considerations such as status management.
… DC API is a browser-centric solution, the hope is for us to have a way to hook into that specification as well.
… Currently DC API does not support VCALM but we hope that will change.
Phil Archer: When those other groups say "credential" do they mean the same thing as we do?
Kayode Ezike: For OID4*, they are talking about VCs, for DC API it is arbitrary but you can set up queries/schemas/matchers that can be used to understand the data being delivered.
Manu Sporny: VCALM existed before OID4 was a thing - we started 5-6 years ago at the behest of the US federal government that was concerned about vendors creating systems with vendor lock.
Wesley Smith: For reasons both technical and political the OID4 work began, focusing on creating a protocol for delivery only.
… These protocols say nothing about what happens in the backend systems. In OID4 implementations, when you get into the backend of government systems, this vendor lock-in was happening with proprietary APIs. So OID4 does not address locking problems on the backend.
Manu Sporny: VCALM has this protocol selection mechanism that allows interoperability for things like frontend protocol selection.
Wesley Smith: Recent high assurance profiles from other standards organizations do not support W3C VCs.
… There are concerns that specifications are being written in a way that W3C VCs are specifically being excluded.
… In initial discussions, W3C VCs and VCALM were in scope in these other technologies.
… There are politics being played in the protocol work that this group should be aware of.
<Amir Hameed Mir> a+
Kayode Ezike: We don't have appropriate diagramming for credential life cycling, which I'd like to discuss today.
Ivan Herman: I'm interested in more complex examples, discussing things like render method, selective disclosure, zero knowledge proofs. Those details would add a lot of complexity but are important approaches to describe.
Kayode Ezike: We could add multiple clarifying steps to a lot of the pieces in the existing diagram.
Manu Sporny: Backend verification and status management would be valuable to have in this diagram, also things like scanning a QR code/interaction URLs.
Wesley Smith: I think that differentiating between VCALM and OIDVC*, for example, would be an important thing to include in the spec
Manu Sporny: Show what's possible with VCALM that is also possible in other ways and what only VCALM can do, would be good.
… One concise diagram won't cover it - it will need more
Wesley Smith: Differentiation for VCALM - we might not want to use terms like verifier, holder, what is credential lifecycle management? This looks a lot like OID4, can alreaady move things between credentials/issuers/verifiers -- breaking down internal components is what this diagram wants to do. This might be a bit of a pain to do everythign vcalm does, might need to make diagrams on what vcalm does that other protocols don't do.
Steve Capell: There is a requirement where a credential needs to be passed from an issuer through parties without credential infrastructure and reach a party who wants to verify. How do we do that consistently?
… One idea is to put a QR code on something that you want to pass along, and the QR code is two URLs - a hosted verifier and a parameterized credential.
… When you scan this, you see a rendered credential - and an advanced verifier can just look at the credential.
… Where would we put this practice in this collection of specs?
Shigeya Suzuki: Manu Sporny mentioned backend systems in OID4. A diagram can express the difference with other protocols.
Brent Zundel: The OID4* perspective might be that we don't need to standardize these backend things, those decisions are up to the individual architectures.
Pierre-Antoine Champin: This diagram is important context and useful as a starting point that can then branch into more detailed diagrams.
https:/
Phil Archer: With respect to dual use URIs, here is an example ^
<Shigeya Suzuki> Note: (I also channel some OIDF context ;) ) OIDF has SSRF.
Phil Archer: We are switching from linear barcodes to QR codes with that structure.
Phil Archer: The idea of splitting identifiers and lookup mechanisms is valuable although can cause layering issues.
Manu Sporny: The VCALM spec has a section on interaction URLs, which is not the same thing that you are talking about, but might be something that we should talk about. We should discuss - the interaction URL stuff in the VCALM spec is protocol independent at the moment.
<Brent Zundel> is this related at all to VC Barcodes?
Wesley Smith: To respond to "why standardize all of this backend stuff", we have seen vendors selling these backend services as proprietary product, especially with governments - and many of these governments want to move away from vendor locked solutions.
Wesley Smith: One of our jobs is descriptive messaging. The VC paradigm is now well accepted, but people are trying to push proprietary systems in
Manu Sporny: So we need to work on the messaging of why VCALM is necessary and show why it's important
Kayode Ezike: A short illustrative example of an issuance workflow. This is a VC playground interface, which is a community application that does issuance and verification.
… This is an example of an issuer coordinator - it holds business logic and allows the user to engage with the credential ecosystem.
… An example could be a student portal for a student to claim credentials related to a university.
… On the screen is a QR code containing an interaction URL, which contains the multiplicity of protocols we're talking about.
… Next we see a wallet that understands this QR code and shows you the origin.
… The main VCALM components were the issuer, the holder, and a workflow in the middle.
… VCALM was added to the WG charter recently. We have many implementations and production deployments.
… We spend a lot of time discussing the threat model, which has spawned the threat model template for the other task forces.
… We are also exploring test suite designs as well as PR/issue processing.
… Our goal is horizontal review for candidate recommendation readiness.
Wesley Smith: Is this a good time for a more general discussion about VCALM. People on the queue for other things
Wesley Smith: Is this a good time to talk about VCALM? See others have process questions. Let me know when the right time would be to discuss VCALM more generally.
Kayode Ezike: the goals for this discussion are largely around knowledge sharing and standardization strategy.
Phil Archer: You say you are getting ready for wide review. Wide review will take many weeks to get a response, so put in a request before you want the actual review to occur.
Manu Sporny: We have most of the pieces for wide review ready, the best we could possibly do by TPAC would be "ready for CR but without the horizontal review"
Aside - TPAC 2026 is 26 - 30 October in Dublin
Joe Andrieu: The threat modeling lego work that we did was advancing the threat model from VCALM, and Simone is converting that into updating the google document to help flesh that out.
… We need to convert that down into a renderable form, and then the threat model will be ready for CR.
… The timeline there for internal review is on the order of weeks.
… There is also some desire from the team to leverage either the DID resolution threat model or the VCALM threat model to show other groups.
Ivan Herman: Are you discussing review by the task force or the working group
Joe Andrieu: The WG
Brent Zundel: Under the VCALM model, does VCALM define its own transport from issuer to holder interaction?
Manu Sporny: Yes
Brent Zundel: The question from folks in another WG will ask is "why not point to OID4VCI"?
Manu Sporny: Yes, you can do those things and swap out protocols.
Wesley Smith: general point about VCALM, I'm not actively engaged in VCALM, but do design/build VCALM compliant systems -- real messaging problem, developer experience starting to hoook into VCALM is difficult, no concrete actions to support -- difficult building VCALM initial integration, need to improve the developer experience.
Wesley Smith: A lot of reason is what we have is extensible, general, powerful, but it comes across as complicated. Appreciate power flexibility modularity, but need to make it easier.
Ivan Herman: One way to achieve this is with an appropriate high level conceptual model of what is happening. If that is a focus of the spec the accessibility of the spec could be improved.
Brent Zundel: Other organizations are working to develop OIDF/ISO technologies to incubate some of these technologies - this group should be aware that rules regarding who can participate in an OIDF working group are changing.
… There will be minimal requirements around who can join this joint working group even if you are not an OIDF member.
Manu Sporny: In the worst case, DC API will sideline VCALM. We should ask them to integrate VCALM, but should prepare for cases where that does not happen.
Wesley Smith: Ideally other groups are not in the critical path for VCALM.
Phil Archer: The TAG is designed to support standards cooperation, they might be able to help here if we communicate these issues to the TAG appropriately.
Render Method part two, the Reckoning
Dmitri Zagidulin: overal goal: how things are displayed, making implementing easier, handle different devices, handle multiple languages
… number 1 thread model: issuer
… looming thread from issuer about tracking, caching, etc
… render methods is different types, trade-off to link to rendering instructions from VC. a notion of remote integrity,
… digest tags and hashes
… with other extensions we need notion of types, selectors: the consuming client, wants to display VC, and render the information,
… the client needs to pass selectors into a rendering engine, "i want to rendering method for a purpose to print"
… what is the device that is rendering it? Printer, colour printer,
… click to expand, can this device do this?
… can you hover or is it a pointer based screen
… think about these selectors, also multilanguage, which language display
… questions about selectors?
Phil Archer: He was a young man, he was in a mobile web best practises, they were also talking about this, and progressive enhanchment
… is there is 1 then X, if there is 2 then Y,
… 25 may 2010: revolutionize web design, progressive enhanchment got an upgrade for example mobile web,
… W3C recomendation, that tells how big a certain screen is, that was made redundant
Ivan Herman: html + css rendering diagram, isn't it on that level that should be dealt with?
Dmitri Zagidulin: we have a lot of tools like CSS to solve this stuff. But our case in progressive enhancment in general there are still tough corners with regards to modality, multilanguage, accessability
… it solved a lot of problems but with a *
… it is for this group expectations to highlight challenges, pitfalls and how those to comply to credentials
Joe Andrieu: statement of expected needs: the group has explored html features like SVG, PDF, points out to the email: "Brainstorming: Accessibility-First Interaction Negotiation for Decentralized Identity" that raised about accessability
… ways to approve accessability tools, it is in line with what Amir Hameed Mir said (the e-mail)
Ivan Herman: fully understand but still worry going down the path, instead of solving the missing corners, push the relevant working groups that it is html problems,
… usually we avoid our own solution that become outdated in a few years, think that CSS-like media, we should not deal with it. acknowledge, and let the world solve it
Dmitri Zagidulin: agreed, we are dealing with inside-out, in a JSON, we are inviting the browser to the web, we still need to make a technical decision to offload to the web
Phil Archer: we not only need a review but also expertise, it is not just about html or SVG, Member of accessability group could help possibly
dimitriz: awesome! we need the accessability people to help, phil will write to the group
Benjamin Young: we have a layer inside the JSON object where there is a handfull of render specs but not all are full on HTML or Javascript.
… but they could work together to solve certain problems, but it start a layer above with rendering
… or render method array, to give 4 or 5 render methods that is going to be influenced by render method devices, for example non browser devices
dimitriz: reminder: render methods, do we reinvent them, link to them, do we want connectivity or front-end caching,
… downsize, logo could be changing in the future, so the template can be changed upstream by the issuer, hasher is compatible for it.
… flipside is embedding, but great usable offline
… regardless of the method, html, iframe, etc, we want to keep in mind sandboxing and standardisation
… challenges come across various methods: we have a couple special cases, one is, printing and screen displays, you want to link a raw JSON, it is laid out in the screen, you can also use your own source code. But you can't have a source code in the credential, you need a special tag
… that says: when you are rendering, you need to do some kind of processing
… print pdf functionality, share the credential, in the printed version there is a placeholder for the QR code, it goes to the raw source code but also a specifiek rendering for raw source code
… you cannot hard-code the QR code, it is a special case field that the client knows where it is located
… special case number 2: there are some cases where the rendering method is gonna need to do special processing: date format function, time stamp in VC is location independent. the consuming client and engine need to work together to pass the information like templating information like mustache
Steve Capell: nightmare of QR code templates: how do you know which QR code you need to print without the product beeing made yet. Question: We need to be able to pass credentials that don't have a wallet, maybe a phone, solution: resolver.
… do you put that in VCALM or in VC render method? Yes in the last one
<Sebastian Schmittner> example for passing a VC by passing a link (in a QR Code) which is in this case even usable by people withtout any ssi tech https:/
<Sebastian Schmittner> this is a demo credential on a demo stage, but you get the idea
Carolynn Bernier: conversation with amazon right now because of law, you need a link to the DPP that might have a VC that needs to be accessable before purchase, the UI is a design problem for them. Is the rendering problem the way to access with the VC or the way for rendering.
<Ivan Herman> s/Do you put that in/….Do you put that in/
Manu Sporny: yes, it is multiple things, 3 potential taskforces, VC barcodes, VCALM, VC render methods, where does it land? we should all be carefull, because we do not know all the use cases that they mean. use case: i want the thing in a rendering template within a QR, etc, there is no clear answer in which taskforce certain things land
Phil Archer: gs1 hat on: GS1 would see the code that reads the code and do the verification on the device. They are moving to a QR code, the retailer will use a resolver within their system, i would like to do without online lookup or notice that there is an identifier and then look for the VC. i know a few scanner Manu Spornyfacturers
<Ganesh Annan> dmitri, could you put that link in irc please?
Dmitri Zagidulin: one example of a degree template of a qr code. at the time of sharing the wallet goes where it is hosted,
<Dmitri Zagidulin> https:/
<Ganesh Annan> thank you
Dmitri Zagidulin: these various types of embedded jsons or wrapped in a renderer. the render methods spoke so far has been put in these 5 categories; pre-baked payload, JSON card style, Templated text, sandboxed approach, "other"
… pre-rendered: issuer knows all the properties, no processing, just display it. example: pre-rendered pdf.
… it is just a binary stream for example. and easily parameterized, type, version, contenttype, payload
… second method: JSON card style: at least: make, description, icon, style is a card with maybe a couple colours and key values. Google, apple and samsung wallet are doing it right now with this method.
… it is a bag of key values with a couple of colours, like airline tickets, concert tickets,
… it is really easy to display for the client. Not as easy as a pre-baked image or pdf but some have well-known card components and do not have a long list.
… third method: templated text, some text with variables for text substitution, clients perfoms text processing and display's it
here's a signed VC with linked render template - displayed in an aware verifier. https:/
Dmitri Zagidulin: challenge: how to sanitize it? we learned how to display arbritrary javascripts and show html safely
… example: "print to pdf" in wallets
<Sebastian Schmittner> https:/
I think its closest to Dmitry's version 4
Dmitri Zagidulin: fourth example: sandboxed iframe approach: javascript app in a iframe. the app handels display
… drawback: it has challenges with special fields, the iframe knows where to display it. but for example the wallet not (yet). print to pdf is a problem then.
… issue 53 points out some of his findings about pdf rendering in Iframe
… the fifth one is other.
Brent Zundel: how few of these method need to be standardizing? i think i understand conceptually for Iframe sandbox method by default in a browser but does that work out of the box for google or apple wallet? because it is logical place for VC's
… is there a plan to reach out?
Sebastian Schmittner: regarding iframe rendering method: we are already at SVG rendering, if we use this with mustache for example with HTML, why do we need complicated web-apps, what is the rational?
<Sebastian Schmittner> mustache spec: mustache/
Benjamin Young: mustache has it's own limitations, but they are not really standardized specs, instead of borrow it and make it a spec, the iframe thing came over and do the whole thing, you can do it in a sandboxed iframe with security,
Dmitri Zagidulin: sandboxed mechanism can displayed in iframe, we can use iframe for both of these methods, method 3 it takes place outside the iframe, method 4 inside iframe
Steve Capell: there are very strict lay-out regulations in train regulations, rendering requirements are much more complex for the world,
<Dmitri Zagidulin> -1 to eliminating 3 (in favor of 4). 3 has the same security properties, and is much simpler
Manu Sporny: +1 to that, we do have to do sandboxed app, we can probably 3 as 4. we need to do probably 2. method 1 could be
Wesley Smith: singapore work could be replaced the iframe, the OCA bundle could be in javascript or HTML
… we are not saying we can do it in this order, but for now, do we freak out about priority: iframe, card style, prebaked payload
Benjamin Young: who is providing render methods?
Dmitri Zagidulin: openbadge just use prebaked, but questionable
Joe Andrieu: is not listed as a challenge, but it is a security problem if it is interactive, if we make it a javascript