algorithms-related input documents for all proofs of integrity types

[Sakurann]

Currently suggested input documents in PR #77 are all CCG documents, which define Signature Algorithms such as EdDSA, ECDSA only for Linked Data Proofs, which is not the only proof of integrity for the vc-data-model. IETF documents should replace CCG documents or be added as input documents.

[OR13]

IETF documents should replace CCG documents or be added as input documents.

No, that would be a mistake, and lead to confusion.

The way this ecosystem has evolved over the past many years looks like this:

DIF and W3C CCG Drafts refer to IETF crypto.

W3C input documents refer to CCG Drafts / DIF / any document on the internet.

These drafts are actually doing stuff... that is not handled by IETF, so you cant just replace them.

The purpose of the WG referring to input documents is to respect where the work has started, but the wg can do whatever it wants, regardless of what the CCG says.

DIF does the same thing.

• https://github.com/decentralized-identity/EcdsaSecp256k1RecoverySignature2020 -> ES256K at IETF (ES256K-R unregistered)
• https://github.com/decentralized-identity/SchnorrSecp256k1Signature2019 -> SS256K (unregistered)
• https://github.com/decentralized-identity/did-jwt-vc (JwtProof2020 unregistered) -> EdDSA at IETF, ES256K at IETF, ES256K-R (unregistered)

[Sakurann]

W3C CCG Drafts refer to IETF crypto.

Yes, but only in the context of one of the proofs of integrity.

DIF does the same thing.

Yes, and it does so for both JWT and LDP

The purpose of the WG referring to input documents is to respect where the work has started, but the wg can do whatever it wants, regardless of what the CCG says.

I get that, the current input documents just seemed disproportionate.

We probably don't need to reference all the underlying crypto documents that JWS depends upon since it will be a long list, but might be good to have some of the documents below.

https://datatracker.ietf.org/doc/html/rfc7518
https://datatracker.ietf.org/doc/html/rfc8812
https://datatracker.ietf.org/doc/html/rfc8032
https://datatracker.ietf.org/doc/html/rfc8037

[brentzundel]

I am concerned about overloading the charter with every possible input document.
Would it be sufficient to clarify the data integrity deliverable to make it more explicit that it covers more than linked data?

[msporny]

IETF documents should replace CCG documents or be added as input documents.

Definitely not. An input document is something the group takes over and puts on the W3C REC track. W3C has no authority to take an IETF RFC as input and put it on the REC track.

Any document that is already an IETF RFC can be referenced, normatively, from any specification that the VC2WG will work on.

There still seems to be a fundamental misunderstanding on what an input document is, what an IETF RFC is, and how the WG will work with those types of documents.

[OR13]

I would be fine accepting this list of RFCs as input documents relevant to VC-JWT...

https://datatracker.ietf.org/doc/html/rfc7519
https://datatracker.ietf.org/doc/html/rfc7518
https://datatracker.ietf.org/doc/html/rfc8812
https://datatracker.ietf.org/doc/html/rfc8032
https://datatracker.ietf.org/doc/html/rfc8037

Also many of them are relevant to JsonWebSignature2020.

But it's not correct to say they should replace CCG docs which are currently present.

They do different things.

[Sakurann]

Could we keep CCG input documents as-is and add (all or parts of) above RFCs suggested by Orie as additional reference documents?

[msporny]

Could we keep CCG input documents as-is and add (all or parts of) above RFCs suggested by Orie as additional reference documents?

The way this is typically done is that those normative references would be included in the JsonWebSignature2020 document (which is an input document to the VC2WG).

[OR13]

@msporny yes, but that assumes that those RFCs are somehow not relevant to VC-JWT... which seems wrong... Not a hill I would die on, but.... seems worth it to be exhaustive in input documents given they are an entry point for "getting up to speed".

[msporny]

@msporny yes, but that assumes that those RFCs are somehow not relevant to VC-JWT

Any document that depends normatively on IETF RFCs can reference IETF RFCs. So VC-JWT can reference them as well.

seems worth it to be exhaustive in input documents

IETF RFCs are not input documents. :)

[iherman]

The issue was discussed in a meeting on 2022-03-23

• no resolutions were taken

View the transcript

2.8. algorithms-related input documents for all proofs of integrity types (issue vc-wg-charter#88)

See github issue vc-wg-charter#88.

Brent Zundel: algorithms-related input documents for all proofs of integrity types.

Kristina Yasuda: This data is whether we want to add additional RFC input documents for VC-JWT work.
… We don't need to remove any CCG documents for LDP work.
… It would be good to have these RFCs referenced.

Orie Steele: PR welcome..

Manu Sporny: JWS will reference the RFCs. VC-JWT should do so as well..
… I don't think there's an issue adding references based on the input documents we already have?.

Brent Zundel: If there was a theoretical PR, would people be opposed to merging it..

Orie Steele: I would be in favor of a PR adding the RFCs relative to VC-JWT..

Kristina Yasuda: I would be glad to do that..

Michael Jones: I had a practical question, are there RFCs not transitively referenced by JWS or some of the other JOSE related input documents that we should be adding because there isn't a transitive reference to them?.

Manu Sporny: The answer to Mike's question is that I don't think there are documents not transitively referenced..
… We could add input documents..
… I don't understand what we're trying to include. I'm against modifying the charter at this point..

Orie Steele: I queued to answer Mike's question about transitive reference..
… VC-JWT has no input documents..
… I think it's a bad idea to not have input documents for VC-JWT. The charter should reference them..
… Having directly links to the IETF RFCs is incredibly useful to people reading the charter..

Manu Sporny: The input document to VC-JWT is defined in the VC 1 spec.

Manu Sporny: See relevant section in the 1.0 spec.

Manu Sporny: It contains normative references to the JOSE specs. I don't see the problem here..
… It doesn't make sense to me..

Kristina Yasuda: Could we add a sentence that clarifies that input for VC-JWT is vc-data-model v1 and normative references there?.

Michael Jones: Since there aren't input documents other than previous version of our own specification, I would support WG considering a PR to do so, probably authored by Kristina and approved by Orie..
… Let's try that as good due diligence..

Brent Zundel: We have an input document, which is the previous version of the specification..
… If there aren't RFCs already referenced in that way, I support adding them..
… I would not be opposed to a PR adding them..

Orie Steele: I don't see any problem making the link between VC-JWT in VCDM 1.1 and IETF RFCs more explicit.... thats a helpful thing for folks who don't have the background information that we all have..

Kristina Yasuda: My suggestion would be to explicitly add a sentence saying that the previous specification is an input document for the VC-JWT work..
… I can investigate whether there are additional RFCs we should be adding..

Manu Sporny: but we already do that... :(.

Manu Sporny: "Container Formats: VC-JSON Web Token (JWT)" <-- right there.

Manu Sporny: It links to VC Data Model spec -- VC JWT section..

Manu Sporny: (which then references the IETF specs).

Brent Zundel: There is a link in the charter..

Orie Steele: given how poorly defined VC-JWT was in the previous versions, I think its prudent to do better with IETF RFCs..

Kristina Yasuda: Can I have a few days to investigate?.

Manu Sporny: I'm fine w/ checking....

Brent Zundel: I am fine with that course of action..
… We need to see that PR by the end of the week to be able to review it our next meeting..
… With that, we have closed all but one of our issues..
… I am assigning the remaining issue to Kristina..
… We'll see what happens..

[brentzundel]

addressed by PR, closing

[iherman]

The issue was discussed in a meeting on 2022-03-30

List of resolutions:

• Resolution No. 1: (over the objection of Manu) Merge PR 107.

View the transcript

1.2. updating algorithms-related reference documents for jwt-vcs (pr vc-wg-charter#107)

See github pull request vc-wg-charter#107.

See github issue vc-wg-charter#88.

Brent Zundel: This was raised by kristina.
… Can you walk us through this?

Kristina Yasuda: Addresses issue 88. For the cryptosuites we are only referencing CCG documents which define algorithms.
… But not for JWT VCs.
… I got the question a few times, what does that mean. The purpose was to clarify the cryptosuites that would be used for JWT VCs.
… I thought JOSE registry was the most concise way.
… Is there a better way to portray concerns about the context. The PR is an attempt to do so.

Michael Jones: I find manu 's comments a bit confusing. He seems to be assuming input documents we would take over and modify. That's not that list.
… Input documents will inform the work. I applaud kristina since this is a really concise to reference input documents.

Manu Sporny: My understanding of input documents is quite different from that. An input document is a document that is specifically an input for the WG. The WG is taking it over and may or may not change it.
… Inputs are taken over to create deliverables.
… The reason why it's important to specify them is to establish IP commitments. This should be reviewed by legal council, as the technologies that the group will touch directly. It establishes an IPR scope.
… I think this understanding of input documents has been pretty consistent across W3C WGs.
… This PR feels like a no-op, nothing changes if we accept or not accept it. In the best case.
… In the worst case, we list IANA registry as input document, which it is not. We reference it, not use it as input document.
… CCG input documents reference IETF RCFs. Therefore we don't have to mention them in the charter.
… What are we attempting to accomplish with this text? What's the concrete goal of this PR, I don't understand it right now.

Ted Thibodeau Jr.: My intuitive understanding of input docs is closer to selfissued than manu. I'm searching from some definition and can't find one.
… If that definition exist, we should be able to link to it and also gain understanding from it.
… Failing that definition, then I'm siding with selfissued with what that list should do. It's basis for continuing work, not work that we're going to subsume and replace.

Orie Steele: +1 justin, mike and ted.

Justin Richer: It seems very strange to cite IPR protections as motivating factor for listing input documents, since input documents traditionally are documents the group will look at to create new things. Any text that is taken in has to be vetted regardless of its original source.
… My concern with listing input documents is that this would be used as a limiting function to the WG; somebody would use this list to say that we can't talk about something because it's not in the list of input documents. That worries me about having things explicitly listed.

Michael Prorock: +1.

Justin Richer: Charters are meant to guide the WG. It's up to chairs and WG and SDO to interpret the charter to help the WG do its job. Not a strict recipe for the WG to follow.

Michael Jones: manu unless you can find W3C document which explains the term "input documents" in the manner that you're interpreting it, I suggested it would be more reasonable to use plain English meaning, which TallTed and justin_r and others have just supported.

Justin Richer: +1 to plain english (as opposed to a defined separate term).

Michael Jones: This is a concise way to listen important inputs, otherwise we would have a much longer list. I will reserve judgement based on whether manu can find W3C document that says what we mean by "input document".

Justin Richer: @manu "input document" does not occur in that page, and the only uses of "input" are simple plain english.

Kristina Yasuda: It's to clarify the documents that we would look into when we work on JWT VCs.
… Regarding definition of "input document", I did try to look for a definition, unfortunately I couldn't find it. Can you provide a definition, then I'm happy to change PR accordingly.

Manu Sporny: See W3C process document.
See W3C patent policy.
I'm just providing links -- "input document" has no official definition at W3C. I can just speak to how it's been used in Patent Advisory Groups in the past.

Justin Richer: if it has no official meaning, then why are you using it as a term?

Michael Jones: The W3C process document doesn't speak about Input Documents, as far as I can tell.

Michael Jones: I'm fine with "input documents include".

Ted Thibodeau Jr.: Limiting factor concern can be handled by a phrase that says the list is not exhaustive. Or similar phrasing. Then there's no limiting factor.

Justin Richer: +1 to TallTed.

Kristina Yasuda: Justin, did you mean to imply none of the input documents should be listed?

Brent Zundel: At first my understanding was the same as manu's, but reading through the process it is quite broad of what it expects. We must describe the nature of deliverables. If an deliverable is based on previous document, then we have to say what those are.

Justin Richer: @kristina: no I'm saying that listing input documents just means "this is a bunch of stuff we're going to look at".

Kristina Yasuda: it already says "The following are a non-exhaustive selection of input documents".

Justin Richer: @kristina: you could list a blog post as an "input document".

Brent Zundel: If there still is a concern about intentions on our part to take over those things, we should add additional language. Those concerns should be no reason to not merge the PR.

Manu Sporny: There is no official definition, we talked about this in a previous meeting. I thought it was clear, but it seems there isn't. Should we define what we mean by input document.
… I'm -1 on this, but I will not stand in the way.

Michael Jones: There was a suggestion in chat to say "input documents include...". I'm fine with this clarification.

Brent Zundel: The charter already has the sentence: "The following are a non-exhaustive selection of expected input documents:".

Michael Jones: Defining terms such as "input documents" is going too meta for me. The English meaning is clear enough.

Ted Thibodeau Jr.: Existing "non-exhaustive selection" language seems sufficient to me.

Kristina Yasuda: to me too.

Michael Prorock: plenty of other examples out there in this regard: w3c/dpubwg-charter@c4db647.

Justin Richer: I wanted to provide a quick definition what input and output documents mean.
… Input documents is something you read and you might take text from, when you create output documents.

Michael Jones: +1 to Justin's characterization of Input Documents and Output Documents.

Justin Richer: This group should treat all artifacts as something that is created by this group. As an official artifact.

Manu Sporny: hrm, that's not true -- why do CGs at W3C have FCGR and IPR commitments, then?

Justin Richer: You have to treat the documents that are created here as brand new documents that are taking some if its contents from other sources.

Dmitri Zagidulin: would this topic of discussion be a question for Ivan?

Michael Prorock: from the Publ WG "Input Documents: The following documents will be considered by the Working Group as inputs to the specifications to be developed.".

Justin Richer: There must be misunderstanding if there back channel comments.

Justin Richer: yes, CGs have IPR commitments for their output documents.
it's exactly the same.
this is not in contradiction to what I've said.

Ted Thibodeau Jr.: In my world the reason to list input documents is to tell people that we have taking into account various input documents. We are aware of standards from IETF that says whatever it says.
… It could contradict what we output, but we output it for a reason.

Justin Richer: +1 to TallTed.

Ted Thibodeau Jr.: There's nothing there that gives IPR.

Michael Prorock: I did some querying, and in every case it's defined very broadly.
… I really like the spirit of this PR.

Manu Sporny: To address justin_r 's point, I don't know how many of you work with legal team when joining WGs.
… It is very important to those legal councils that. For example when CCG creates a specification that it goes through final specification agreement that requires IPR agreement, before it can be moved into an official group.
… This is a requirement for being used as an input document for a WG.
… Our legal counsel has made it clear that an input document needs prior IPR agreement.

Justin Richer: this is only true because you are pulling in text.
it's not because it's an "input document", it's because it's going into the outputs.

Manu Sporny: Your statement was "IPR starts at the WG" -- that's not true... it starts before.
and it's vitally important that it does.

Justin Richer: @manu I believe that is a mis-characterization.

Manu Sporny: I'd like to hear that from your legal counsel, justin_r :).

Markus Sabadello: I remember when the DID WG started, there was a previous specification in CCG, the DID Core specification, that was input document to the DID WG. at that time I remember the discussion about asking whether the GitHub history of it should be preserved when moving it into the WG.

Justin Richer: @manu you'll hear from my lawyers ;).

Markus Sabadello: I think there was a lot of support for keeping the history. I think this means that the input document does not just inform the working group but is actually the basis of something the WG will take on to work on to create a deliverable.
… So in my mind I think input documents can be both, something to inform the group, but also could be a basis for an output document.

Kristina Yasuda: exactly, I think it can be both.

Brent Zundel: There is a difference in my understanding between input document listed in the charter, and a document the WG selects as FPWD of a deliverable they are working on.

Justin Richer: +1 those are very different.

Michael Prorock: the did-wg charter uses "input" in relation to documents in both ways - one informative, one to convert into an actual rec.

Brent Zundel: I think any documents that could become FPWD should be listed as input documents. But we shouldn't conflate the two.
… Having something as input document doesn't mean that the group takes it as FPWD. Theoretically we could use something else as FPWD as long as IPR is clean.

Proposed resolution: Merge PR 107. (Brent Zundel)

Brent Zundel: Going to run a simple proposal.

Michael Jones: +1.

Ted Thibodeau Jr.: +1.

Orie Steele: +1.

Justin Richer: +1 (this is a silly discussion).

Kristina Yasuda: +1.

Michael Prorock: +1.

Shawn Butterfield: +1.

Brent Zundel: +1.

Manu Sporny: -1 it doesn't change what the WG does (but I will not object to the charter over it).

David Chadwick: 0.

Markus Sabadello: 0.

Charles Lehner: +0.

Dave Longley: 0.

Justin Richer: @manu it's not meant to change what the WG does -- which is what we're saying.

Manu Sporny: -0.9 it doesn't change what the WG does (but I will not object to the charter over it).

Ted Thibodeau Jr.: Some are citing experiences from last groups, others are citing legal counsels.

Resolution #1: (over the objection of Manu) Merge PR 107.

Ted Thibodeau Jr.: Member submissions need to have IPR. We could list Encyclopedia Britannica as input document. That would be silly. Listing a dozen input documents that do have influence, that's entirely reasonable. Nobody outside the group needs to be involved.

Justin Richer: q.

Brent Zundel: With that I'm going to close issue 88.

Michael Jones: Microsoft has a very rigorous IPR process when chartering/joining WGs. None of what manu said applies at Microsoft. Input documents are not part of the discussion.

Brent Zundel: Thank you everyone for the conversation.
… I believe we constructed something good that is ready to take the next step.