W3C

Verifiable Credentials Working Group Telco

24 June 2026

Attendees

Present
Benjamin Young, Brent Zundel, Carolynn Bernier, Elaine Wooton, Hiroyuki Sano, Ivan Herman, Jennie Meier, Joe Andrieu, Kevin Dean, Kayode Ezike, mark-andree, Steve McCown, Phil Archer, Ted Thibodeau Jr., Ted Guild, Wesley Smith, Will Abramson
Regrets
Manu Sporny
Chair
Brent Zundel, Phil Archer
Scribe
Kevin Dean, Wesley Smith

Meeting minutes

Brent Zundel: We're going to look at forgery defence, process some data model issues, and get updates on task forces.

Wesley Smith: I have a brief note and ask a brief question.
… I've been speaking either Elaine Wooton Wooten, who has been speaking with European Committee for Standardization (CEN) and they're interested in developing biometric credentials that would be useful for VC use cases.
… They're interested in getting a concrete set of technical requirements for the confidence method task force.
… What are the next steps to do so?

Phil Archer: Would you clarify the name of the standards body?

Wesley Smith: CEN European Committee for Standardization.

Phil Archer: They are not an open standards organization so we will have to figure out how to integrate them.

Wesley Smith: Elaine Wooton, can you clarify how they can participate?

Elaine Wooton: Some have expressed that they can't participate in W3C so we'll have to look into it.

Brent Zundel: I would encourage the task force to look into it so we can have a deeper conversation.

Elaine Wooton: They're looking into how to join W3C.

Ivan Herman: To be very specific, I think the best thing is to invite them to one of the task force calls and see what they want to do. There's no need to put the load on Elaine Wooton right now until we see what the requirements are.

Joe Andrieu: That's fine. Happy to have them join us. We meet every other week Thursday at 7am Pacific.

Forgery Defense Co-Editor

Brent Zundel: Originally this topic was to announce that we have a co-editor. I would like to share some information feedback to the FPWD.
… We see that Forgery Defense is in the charter, but we don't quite believe that it's there. It's on the task force to get the lawyer to look into it to ensure that the work can proceed.

Ivan Herman: It would be cleaner to investigate the problem immediately.

Brent Zundel: The problem is that they need convincing that it can be supported in the current charter and they need further explanation.

Ivan Herman: Wes, do you know what else to add there?

Wesley Smith: I think the relevant question is, do they need to be convinced by the text of the specification or by the emerging security threat that allows it to fall under the charter?

Brent Zundel: They need to be convinced that the charter covers this specification.

Wesley Smith: I can put together a persuasive write-up that there is an emerging security threat that needs to be addressed here.
… That doesn't seem like stuff that would go into the specification.

Brent Zundel: That's not something for the specification, it's for communication.

Wesley Smith: If I do this write up, what's the next step?

Brent Zundel: Send it to the chairs.

Ivan Herman: I find it strange that this is happening as a back door discussion. I don't know why this wasn't put into the issues I was working on this morning.

Brent Zundel: It was someone looking for clarification.

Ivan Herman: Why didn't they ask me or Wes about it?

Brent Zundel: It was a matter of being on the same call at the same time for different reasons and it happened to come up.
… If we were to independently add some detail to the issue, that would be helpful.

Ivan Herman: It should go into a GitHub issue for it to be worked on.

Wesley Smith: I would prefer to have messaging come from the chair of the group.

VCDM Maintenance

<Brent Zundel> https://github.com/w3c/vc-data-model/issues

Brent Zundel: There are three at the top that have not yet been triaged.

w3c/vc-data-model#1633

Brent Zundel: We will look at them and determine whether we're going to address them here.
… Normative text on VP-within-VP
… Do folks have any questions or need more clarity?
… I will note that the poster is asking questions, so it may be sufficient for the group to answer the question.
… The answers may affect the specification.

Ivan Herman: My feeling is that the answer is no, that the model is such that the VP can have several VCs but not another VP. As far as I remember, this is the model.
… I would prefer having someone deeper in the technology give a definitive answer.

Phil Archer: I'm not qualified to answer directly, but it looks to me like this commenter wants links to other credentials. If the answer is no, could the answer be to look at recognized entities?

Brent Zundel: The VC Data Model says the a presentation contains a set of VCs. The JOSE-COSE documentation says that it can contain VPs as well.

Ivan Herman: I think you're right, Brent Zundel, but that means for me that the JOSE-COSE document is incorrect in terms of the model. I personally do not see how recognized entities help.
… I would like to see an example that would be solved by this.

Brent Zundel: The description of the VP is that it contains multiple VCs and can contain arbitrary data, and that the VCs may be from multiple issuers.
… Conceptually, there wouldn't be a problem with including another VP, but it doesn't explicitly say that that can be done.
… I think that the VC JOSE-COSE recognizes that need from the supply chain space. Often folks would be receiving VPs and would often want to pass them along directly rather than extract the VCs.
… What I'm reading in the core data model section of our spec is that this is possible but in order to make it explicitly possible it would require normative and substantive changes to the VC data model.
… These changes would be beyond what we're currently chartered to do.
… I'm adding the class 4 and future labels.

w3c/vc-data-model#1632

Brent Zundel: remove confidence and render methods from the VCDM spec
… This is definitely within our charter to do.
… It points out that because we're producing a confidence method specification and extension points should point to those specifications.

Ivan Herman: That's one possibility. Another option is to delete the entire section.
… That will raise problems for the confidence and render methods. I think we can remove the whole section altogether. Something has to be done.

Brent Zundel: Sounds like this is class 2, editorial.

Ivan Herman: Yes, maybe a bit more.

w3c/vc-data-model#1631

Brent Zundel: Deployment-pattern guidance: principal-authority pre-layer for credentials consumed by autonomous agents
… Is there anyone who has read this and has an opinion?
… On one hand, the formatting and length suggests that this was written by an agent, but there still may be a point within the text. It's mostly usage guidance. Unless vcomm wants to have an opinion, perhaps this would best fit within the implementation guide.
… My suggestion is that this is a recommendation for implementation guidance clarity and doesn't appear to be calling for changes to the data model itself.

Will Abramson: It definitely reads like AI to me, but we can move it to the implementation guide.

Brent Zundel: Anyone opposed to transferring to the implementation guide? Hearing none, we can look at there in the future.

Task Force Round Table

Wesley Smith: On behalf of the barcode and data integrity task force...
… One of the big issues is the forgery defence specification, but we need to make sure it's clear how that fits into the charter.
… The barcodes work is on the back burner as a result. We know we have outstanding work such as threat modeling to do.
… My understanding of the data integrity work is that it's going well.
… I think we're in a good place in that task force.

Ivan Herman: There is one more thing we discussed the other day. It's an editorial reengineering of the DI spec and the crypto suite.
… We are considering factoring all of them out and generating separate specs. This would make future crypto suite publication much easier.

Brent Zundel: The guidance I have heard in various quantum secure forums is to keep things as simple as possible. Choose as small a subset of the existing potential algorithms as is absolutely necessary.

Carolynn Bernier: Things are going well. We spent an hour and a half with Ivan Herman to prepare the work for the Digital Product Passport task force. We're writing a note in three parts: Why are VCs useful for DPP? Why is there an international VC task force in W3C? How can I check that my DPP standard is compatible with VCDM?
… I hope to steer the group on the first part in the coming weeks.

<Phil Archer> Thanks Carolynn Bernier - that sounds very +ve

Kayode Ezike: We got good progress at the meeting with the vcomm task force and have a good path forward. We've created a v1.0 label for labelling existing and new issues. We want to implement a feature freeze to discourage blood in the spec. We're continuing to apply that to issues as they come in. We're making good progress on existing PRs and issues.
… Threat modelling is proceeding and we should have a PR in the next day or two. We are also developing test suites. We're going to move the CCG tests into the charter.

Phil Archer: It sounds like you're making fantastic process. As CR is on the horizon, have you thought horizontal review yet?

Kayode Ezike: No, but that's why we're rushing issues. It will likely still be in flight at TPAC but we should be closer.

Brent Zundel: Another feature of GitHub that might be useful is creating milestones.
… I encourage you to consider that.

Ivan Herman: I wrote in an email this morning that I don't recall seeing any requests.
… Can you send me an email to tell me what needs to be moved forward?

Kayode Ezike: I think we're just looking for permission to move the repository into W3C space.

Ivan Herman: We can coordinate that.

Joe Andrieu: We don't have a lot to report. We merged in the draft biometric PR with quite a few at-risk issue markers. We thought it was a good foundation. We also made a commitment to have enough of the tests fleshed out so we can get to horizontal review by TPAC.

<Joe Andrieu> +1 to a month out to start the request

Brent Zundel: It may be good to submit for horizontal review a month before TPAC.

Ivan Herman: Another thing I would need is, what are the terms that would have to be added to the VCDM coming from your spec? It would be helpful to have clear guidance.
… Same for the render method.

<Joe Andrieu> +1, understood. I'm not sure either at this point.

Brent Zundel: I don't see Dmitri on the call, who is leader for render method.

Kevin Dean: Brief update on Recognized Entities, recently have been discussing linkages between credentials, focused on the GS1 use case, which documents a hierarchy of credentials beginning with a root of trust.
… We have been discussing how the presence of one VC can authorize the issuance of others by the subject of the original VC.

Ivan Herman: Something which is not a technical thing is to say in presentations about our work... The interesting thing I find in that work is that it's an application of VCs that does not add anything to the VCDM per se.
… I think it's important that we demonstrate the ability to add community-specific capabilities built on the existing VCDM spec.

Phil Archer: Next week, my target is to create the ISO-friendly version of VCDM2.

Minutes manually created (not a transcript), formatted by scribe.perl version 248 (Mon Oct 27 20:04:16 2025 UTC).