The W3C Credentials Community Group

Verifiable Claims and Digital Verification


Credentials CG Telecon

Minutes for 2021-05-18

<wayne_chang> scribe+ peacekeeper
<markus_sabadello> scribe+

Topic: Introductions and Reintroductions

Markus Sabadello: Pchampin: I'm W3C fellow, part of the W3C team, been involved in a lot of semantic web standardization, member of several working groups such as JSON-LD 1.1. I've worked with Ivan on charter for the Linked Data Signatures working group.
Wayne Chang: We have a lot to talk about regarding Linked Data Signatures (LDS) [scribe assist by Markus Sabadello]

Topic: Announcements and Reminders

Topic: Review of Community Issues

Wayne Chang: I believe there have been no community issues that were blocked. I believe outstanding issues have been met, and that we can move on. [scribe assist by Markus Sabadello]

Topic: Linked Data Signatures

Manu Sporny: Here's the email with the slide deck for today: https://lists.w3.org/Archives/Public/public-credentials/2021May/0082.html
Manu Sporny: I sent a slide deck to the community group. [scribe assist by Markus Sabadello]
Manu Sporny: I will be presenting (sharing screen). [scribe assist by Markus Sabadello]
Manu Sporny: We're reviewing the LDS charter today. [scribe assist by Markus Sabadello]
Manu Sporny: We have been working on RDF canonicalization, LD proofs, etc. in this CG and others. [scribe assist by Markus Sabadello]
Manu Sporny: This is fundamental underpinning of Verifiable Credentials [scribe assist by Markus Sabadello]
Manu Sporny: We are doing this in "reverse order". In an ideal world, this would have happened before VCs. But we are on a very good path to get this standardized. [scribe assist by Markus Sabadello]
Manu Sporny: The work has been done for a while, a draft charter has been created. It went out in a "pre-circulation", before an official vote. [scribe assist by Markus Sabadello]
Manu Sporny: Today we're going over where we are with the charter. We are at the final stages of this pre-review stage [scribe assist by Markus Sabadello]
Manu Sporny: We have input from a variety of organizations, large and small. We had people from this community weigh in. We'll go over it and answer questions. [scribe assist by Markus Sabadello]
Manu Sporny: Today we cover roadmap, and each work item listed in the charter, and then things that are out of scope. [scribe assist by Markus Sabadello]
Manu Sporny: We have found items that are out of scope that would have resulted in objections to the charter. [scribe assist by Markus Sabadello]
Manu Sporny: Any other topics people want covered? [scribe assist by Markus Sabadello]
Manu Sporny: We did a presentation on what LDS are a couple of months ago. This current slide deck has that in the appendix, incl. e.g. examples of LD proofs, canonicalization, etc. [scribe assist by Markus Sabadello]
Manu Sporny: Showing roadmap on screen. The shape hasn't changed that much [scribe assist by Markus Sabadello]
Manu Sporny: We're talking about standardizing three things described in the roadmap, everything else (e.g. specific cryptosuites, BBS+) is out of scope. [scribe assist by Markus Sabadello]
Manu Sporny: We want a strongly focused charter. [scribe assist by Markus Sabadello]
Manu Sporny: Expectation is that the WG will launch in September. We're now circulating the charter, then we'll get a final review from TAG and other W3C groups, and then there will be a membership vote. [scribe assist by Markus Sabadello]
Manu Sporny: Typically you look at ~25 companies supporting the charter, otherwise there will not be a WG. [scribe assist by Markus Sabadello]
Manu Sporny: Therefore, don't forget to vote for the charter. [scribe assist by Markus Sabadello]
Manu Sporny: Showing three bars on the roadmap slide: RDF Dataset Normalization, Linked Data Signatures, Linked Data Proofs. [scribe assist by Markus Sabadello]
Manu Sporny: We tried to make it very clear what the work items are (showing in green on a slide). Others (shown in gray) are out of scope, but could come later and we need to prepare for it. [scribe assist by Markus Sabadello]
Manu Sporny: The group should make sure it doesn't accidentally prevent the future work items from happening later. [scribe assist by Markus Sabadello]
<jeffo-stl> Go Markus!
Manu Sporny: The deliverables for LDS WG are RDF Dataset Canonicalization, RDF Dataset Hash, and Linked Data Integrity & Linked Data Security Vocabulary. [scribe assist by Markus Sabadello]
Manu Sporny: We do have use cases and requirements documents. High-level, not detailed. [scribe assist by Markus Sabadello]
Manu Sporny: Documented use cases that came up during the review [scribe assist by Markus Sabadello]
Manu Sporny: Some use cases: Secret confirmation of the contents of datasets, Annotating datasets with digital signatures, Anchoring datasets to distributed ledgers, Naming blank nodes in RDF datasets, Constrained data transfer, Semantic consistency of multi-part datasets (being able to sign subsets of graphs), Digitally signing ontologies [scribe assist by Markus Sabadello]
Manu Sporny: Many other use cases exist that are variations of the above [scribe assist by Markus Sabadello]
Wayne Chang: I was wondering if the following was in scope: Often we want someone to sign something, but there is no canonical way to explain what they are signing. Have you thought about this? [scribe assist by Markus Sabadello]
Markus Sabadello: Pchampin: There were a lot of questions on the semantic web list about similar questions. I think we agreed that this would be considered out-of-scope. Obviously those issues need to be addressed, but the WG is merely to provide building blocks for this kind of thing. Linked Data Integrity (LDI) Framework would be extensible to express e.g. social meaning or commitment.
Manu Sporny: Wayne, could you explain a specific use case that elaborates on your questions? [scribe assist by Markus Sabadello]
Wayne Chang: One example is: there are a lot of users with browser extensions that have private keys. How to get someone to sign something with those keys? We could define a LD signature suite, but in order to sign it they may face canonicalized RDF which is not user friendly. You still want to provide some sense of what users are signing. We couldn't find anything for doing that. [scribe assist by Markus Sabadello]
Manu Sporny: Effectively that's out of scope, you're at the application layer where you are dealing with customers/users. The WG is working on a lower level. [scribe assist by Markus Sabadello]
Manu Sporny: This is where a number of companies said this could be a very big discussion, and you don't want the WG to start this discussion. You want to build the foundation first. [scribe assist by Markus Sabadello]
Manu Sporny: Wayne I think there is no proposal on how to do that. How does an individual know what they sign is an old problem. [scribe assist by Markus Sabadello]
Manu Sporny: You could work on an open source spec or work item, which could become in scope in the future. This is a good example of the kind of concerns companies have had. [scribe assist by Markus Sabadello]
Manu Sporny: When it comes to the meaning of things to be signed, it can become very complex. [scribe assist by Markus Sabadello]
Orie Steele: Signing `@json` :)
Mike Prorock: This is dealing specifically with signing of RDF. A common thing for us is representing properties and metadata of non-LD in some kind of LD format. We like this, e.g. change detection, tamper resistance. Is the WG going to touch on conversion of tabular and other data? How do we represent that as Linked Data? [scribe assist by Markus Sabadello]
Manu Sporny: That is another thing we struggled with. A lot of engagement came from the semantic web community. A number of us fought hard to make sure those things are not considered out of scope. In LD, you can use @json. You can use JCS to put something in a Linked Data payload. [scribe assist by Markus Sabadello]
Manu Sporny: If you have CSV or tabular data, you have to find a way to express it in LD, e.g. use a text blob. It's not ideal but okay. Just to be clear, that is out of scope. [scribe assist by Markus Sabadello]
Manu Sporny: Real thing that needs to be standardized is RDF canonicalization, let's focus on that rather than canonicalizing other things. [scribe assist by Markus Sabadello]
Manu Sporny: Balance in the charter is about RDF canonicalization, but also consider that there may be other canonicalization mechanisms out there. [scribe assist by Markus Sabadello]
<orie> sounds like yes to JSON, no to other formats that don't have a canonical form.... but don't block it....
<manu_sporny> effectively, yes, Orie.
Mike Prorock: That helps quite a bit, we get these discussions in the machine learning community. If we can get this standardized, that gives us the means to work on other mechanisms. [scribe assist by Markus Sabadello]
Manu Sporny: Balance in the charter is about not overwhelming the WG, and not preventing future work. [scribe assist by Markus Sabadello]
<wayne_chang> JCS is pretty widely implemented
Manu Sporny: There is an explainer document that goes with the charter. Talks about the general problems to be addressed. Talks about why we split out hashing from signing, about separation of concerns, out-of-scope items, and use cases. [scribe assist by Markus Sabadello]
Manu Sporny: When you read the charter, also read the explainer. [scribe assist by Markus Sabadello]
Manu Sporny: Let's talk now about actual deliverables. [scribe assist by Markus Sabadello]
Manu Sporny: Great news is we have 2 co-chairs, Phil Archer and Markus Sabadello [scribe assist by Markus Sabadello]
Dave Longley: +1 Great chair choices
Manu Sporny: I'm thrilled by those choices. Both have accepted. [scribe assist by Markus Sabadello]
Manu Sporny: Ivan is going to be team contact. Pierre-Antoine is going to be in the group as well. [scribe assist by Markus Sabadello]
Markus Sabadello: I'm equally excited, it was relatively recently that I was asked to co-chair. Not as deep into the subject as I will be. [scribe assist by Manu Sporny]
<orie> thank you Markus and Phil!
Markus Sabadello: This is important work, it was interesting how Manu mentioned how it was done in the wrong order, we've been taking this for granted for a long time, but the reason why this is important is because it's not just for Verifiable Credentials [scribe assist by Manu Sporny]
Markus Sabadello: It's for other datasets as well, we already see other examples in other communities that are using this for things that are not Verifiable Credentials, this is really broader, new trust and security layer for the Web itself, for the semantic web. [scribe assist by Manu Sporny]
Markus Sabadello: I'm looking forward to this work and seeing people participate from here. [scribe assist by Manu Sporny]
Manu Sporny: Phil is also ex-W3C, now pushing this agenda at GS1. We got a lot of experience coming into the group. [scribe assist by Markus Sabadello]
<wayne_chang> yes, thanks for chairing. y'all are pushing the ecosystem forward in foundational ways
Manu Sporny: First deliverable: Technical Report of RDF dataset canonicalization. How do you canonicalize the RDF abstract data structure. There are two inputs to this group, one by Dave Longley and Rachel Arnold, and then a mathematical proof by Aidan Hogan. [scribe assist by Markus Sabadello]
Manu Sporny: There are two independent proofs that this is a solvable problem, this is a good signal to the group. [scribe assist by Markus Sabadello]
Manu Sporny: This problem has existed for 20+ years [scribe assist by Markus Sabadello]
Manu Sporny: Second deliverable: RDF Dataset Hash. Once you have this canonical form, how do you generate a hash? Right now, this is in the LD Proofs specification, but people want us to separate that from the Linked Data Integrity specification. It might be a short work item. [scribe assist by Markus Sabadello]
Manu Sporny: Third and Fourth: Linked Data Integrity and Linked Data Vocabulary. [scribe assist by Markus Sabadello]
<mprorock> integrity is way better than proof imho
Manu Sporny: Linked Data Integrity is basically a new name of Linked Data Signatures and Linked Data Proofs. [scribe assist by Markus Sabadello]
Manu Sporny: This covers anything from blockchain anchoring, to digital signatures, to proof of work. These are general algorithms for generating and attaching a proof. The RDF vocabulary expressed the types of proofs you are creating. [scribe assist by Markus Sabadello]
Manu Sporny: It's about how do you express signatures, proofs, etc. [scribe assist by Markus Sabadello]
Manu Sporny: There was controversy about proof of work. Feedback from larger companies was we shouldn't work on things that "melt the planet". W3C has a position that the web should be sustainable, shouldn't contribute to social and environmental destruction. [scribe assist by Markus Sabadello]
Phil Long: +1 To sustainability as a guideline.
Manu Sporny: There is great concern about proof of work. If this becomes the mechanism to protect integrity, there is concern W3C may be doing active damage to the world. [scribe assist by Markus Sabadello]
Manu Sporny: This is part of a larger conversation. I think this is one of the first charters where environmental concerns were raised. [scribe assist by Markus Sabadello]
Ryan Grant: The "melt the planet" thing is a ridiculous urban legend. The value here is huge. I'm shocked that this is actually being considered by people that are trying to do technical things well. There is a recent report that the functionality is being delivered at half the cost of banking and mining gold. [scribe assist by Markus Sabadello]
<orie> manu, instead of saying big companies don't like PoW... maybe you meant big companies care about the environment and want to signal that in the charter?
Manu Sporny: This is an active debate, it's interesting that the charter triggered it. [scribe assist by Markus Sabadello]
Orie Steele: I'm not sure what you are alluding to. I get concerned when people mention large concerns. I wouldn't be surprised if folks at large companies are interested in signaling support for diversity and environmental considerations. [scribe assist by Markus Sabadello]
<mprorock> small companies are also a big fan of avoiding excess energy creation, consumption, and sourcing
Manu Sporny: Someone from Google felt this should be brought up with TAG. [scribe assist by Markus Sabadello]
Manu Sporny: This isn't going to result in anything significant in the charter. [scribe assist by Markus Sabadello]
<orie> "Supply chain meets blockchain for end-to-end mineral tracking"
Manu Sporny: This work is structured in a way that makes this avoidable. [scribe assist by Markus Sabadello]
Manu Sporny: Other potential deliverables: A Linked Data Security Registry. Note on additional Linked Data Integrity techniques that are not necessarily relying on the specifications developed by the WG. This could enable other ways of canonicalization that the WG should not prevent. [scribe assist by Markus Sabadello]
Manu Sporny: Also primer, test suite, implementation guide. [scribe assist by Markus Sabadello]
Manu Sporny: Out of scope: Not going to define new cryptographic signature/encryption algorithms. This should be done by focused organizations. We will just define the usage of that work. [scribe assist by Markus Sabadello]
Manu Sporny: Also out of scope: Authenticity and trust issues that go beyond simple factual data. [scribe assist by Markus Sabadello]
<orie> I would call that "Software supply chain attacks considered out of scope"
Manu Sporny: The "meaning" of things is an important thing we should consider. Changing semantics can be a problem. But this is already being addressed elsewhere (e.g. always cache JSON-LD context rather than loading it from the network). [scribe assist by Markus Sabadello]
Manu Sporny: That's where we are. If there is no more feedback, that is the charter that will go to W3C and be voted on. [scribe assist by Markus Sabadello]
Manu Sporny: Any concerns from this community about anything you saw? [scribe assist by Markus Sabadello]
Wayne Chang: Can I get further clarification on the relationship between LDS WG and various existing work in IETF such as JCS, JOSE? Are we planning to engage with those? [scribe assist by Markus Sabadello]
Ryan Grant: PoW defense link #1: http://squ.re/BCEI-whitepaper
Manu Sporny: IETF specs are meant to be referenced directly, and we just use them. Anything that IETF has already defined we will just use as-is. JCS and JOSE are done, so the W3C group can just link to that work. [scribe assist by Markus Sabadello]
Manu Sporny: To be clear, we are not working on any specific cryptosuites. The WG will be aware of it and will ensure that the foundations happen. [scribe assist by Markus Sabadello]
Manu Sporny: With things like JOSE, proof of work, etc. there is no expectation that the WG will put significant work into that. Maybe in future iterations of the WG. [scribe assist by Markus Sabadello]
Manu Sporny: We will work on green boxes (showing slide 4), not on gray boxes. [scribe assist by Markus Sabadello]
Wayne Chang: If someone says "I want to canonicalize JSON by ordering fields, then I will sign via JWT, this works fine for my use cases.". What would you reply that LDS will provide beyond that? [scribe assist by Markus Sabadello]
Manu Sporny: So you canonicalize with JCS and sign JWT, at that point you are outside of the LDS specs. [scribe assist by Markus Sabadello]
Manu Sporny: It is possible to create a LD suite that uses JWS internally, and people have done that. [scribe assist by Markus Sabadello]
<orie> Workday and Consensus have used JCS like that.
<orie> obviously JOSE is also "locked into json"
Manu Sporny: The biggest problem is that you are locked into JSON, you have to transmit the JSON as-is. That works for a set of use cases, but won't work if you want to use other formats, e.g. do CBOR-LD compression. [scribe assist by Markus Sabadello]
Manu Sporny: LDS allows you to transform into other data formats, without having to preserve the initial content that you signed. [scribe assist by Markus Sabadello]
<orie> the key difference between "information" and "information serialization"
Manu Sporny: JOSE approach assumes everybody just uses JSON, which is not true for some use cases. [scribe assist by Markus Sabadello]
Manu Sporny: You can convert to a different format that can go to RDF dataset and back. [scribe assist by Markus Sabadello]
Orie Steele: Only possible because RDF is an abstract data model :)
<dave_longley> LDI (Linked Data Integrity) w/RDF canonicalization doesn't lock your signatures to JSON, you can translate to other syntaxes without losing your signatures (different syntaxes are helpful for different use cases, e.g., expressing data in QR codes) -- that's the difference.
Manu Sporny: This is not theoretical, there are real use cases today where we are talking about translating VCs from JSON-LD to CBOR-LD and back, without storing payload. [scribe assist by Markus Sabadello]
Wayne Chang: So you are not locked into JSON, you might evolve into a higher being :) [scribe assist by Markus Sabadello]
<orie> CBOR = cthulhu can confirm.
Wayne Chang: Thanks everyone for attending! [scribe assist by Markus Sabadello]