Final Review Request of seven (7) W3C VCWG Specifications

[msporny]

The W3C VCWG is requesting a final horizontal review of the following specifications, which your group has reviewed previous versions of over the past year or more.

We are requesting this before proceeding to the Proposed Recommendation phase based on a request by W3M to ensure that changes that have been made in the past six months are reviewed by your group since your last review. We are planning to enter the Proposed Recommendation phase for all seven (7) documents in Q1 2025 (roughly February, if possible).

• Verifiable Credentials Data Model v2.0

  • Changes since Candidate Recommendation
  • Implementation Report

• Verifiable Credential Data Integrity v1.0

  • Changes since Candidate Recommendation
  • Implementation Report (see ECDSA and EdDSA test suites, which test the Data Integrity base spec in each cryptosuite)

• ECDSA Cryptosuite v1.0

  • Changes since Candidate Recommendation
  • Implementation Report

• EdDSA Cryptosuite v1.0

  • Changes since Candidate Recommendation
  • Implementation Report

• Securing Verifiable Credentials using JOSE and COSE

  • Changes since Candidate Recommendation
  • Implementation Report

• Bitstring Status List v1.0

  • Changes since Candidate Recommendation
  • Implementation Report

• Controlled Identifier Documents v1.0

  • Changes since Candidate Recommendation
  • Implementation Report

• Primary contacts:

  • Brent Zundel @brentzundel (Chair)
  • Ivan Herman @iherman (W3C Staff Contact)
  • Greg Bernstein @Wind4Greg (Editor, Data Integrity and cryptosuite specs)
  • Mike Jones @selfissued (Editor, VCDM v2.0 and VC JOSE COSE spec)
  • Gabe Cohen @decentralgabe (Editor, VC JOSE COSE spec)
  • Manu Sporny @msporny (Editor, VCDM v2.0, Data Integrity, Bitstring Status List specs)
  • Dmitri Zagidulin @dmitrizagidulin (Editor, Data Integrity and cryptosuite specs)

• Organization/project driving the specification:

  • W3C Verifiable Credentials Working Group

Further details:

There are no major unresolved issues or opposition to these specifications that we know of at the present time.

[iherman]

The issue was discussed in a meeting on 2025-02-06

• no resolutions were taken

View the transcript

1. Security group meeting.

See github issue vc-data-model#1575.

Manu Sporny: all the review requests?

See github issue security-request#81.

Manu Sporny: A couple of us joined the first meeting of the security interest group yesterday.
… we discussed VCDM and a variety of topics including their upcoming review queue.
… We wanted answers about (1) the review.
… they raised an issue asking us to restructure part of the spec.
… We mentioned that would be a burden.
… They agreed, that would be a challenge and this is a more long term ask.
… They didn't find any particular problems with the spec, so we are cleared to go to spec.
… Second, they said that any threat modeling work... if they request a more complete threat model that does not apply to the recent proposed REC things we are trying to do.
… They believe that SING plus the threat modeling CG will publish notes about threat models related to VCs, JOSE-COSE, etc. And tha twork will likely take several months.
… So that work won't be a blocker.
… We said we'd be willing to help.

Manu Sporny: https://lists.w3.org/Archives/Public/public-vc-wg/2025Feb/0000.html.

Manu Sporny: I'm going to copy/past some of the proposed rec docs.

Manu Sporny: Verifiable Credentials Data Model v2.0.
Manu Sporny: https://w3c.github.io/vc-data-model/transitions/2025/PR/.
Manu Sporny: Verifiable Credential Data Integrity 1.0.
Manu Sporny: https://w3c.github.io/vc-data-integrity/transitions/2025/PR/.
Manu Sporny: Data Integrity ECDSA Cryptosuites v1.0.
Manu Sporny: https://w3c.github.io/vc-di-ecdsa/transitions/2025/PR/.
Manu Sporny: Data Integrity EdDSA Cryptosuites v1.0.
Manu Sporny: https://w3c.github.io/vc-di-eddsa/transitions/2025/PR/.
Manu Sporny: Bitstring Status List v1.0.
Manu Sporny: https://w3c.github.io/vc-bitstring-status-list/transitions/2025/PR/.

Manu Sporny: One thing did come up. They confirmed they have not done security reviews of DI, CIDs, [and a few others], but they are at the top of the queue.
… We clarified we'll put this up for proposed REC and hopefully they can get those reviews done before we more to next stage.
… We also offered our help to come up to speed with design intent, etc. They appreciated that for VC2.0 and would appreciate it for other specs.
… one of the chairs has actually implemented DI.
… so they have familiarity with the tech, it's just a lot of work on their plate.
… That's the report.

Ivan Herman: on the practical side, manu can you put in the issues that are revelant, especially the ones where we asked for review.
… Just add them to IRC.
… all the security ones (relevant to SING).

Manu Sporny: ok, I think that's that.
… ... one is the tracking issue for horizontal reviews, the other is the security request.

Brent Zundel: anything else on this topic?