Final Horizontal Reviews for Verifiable Credentials Data Model v2.0

[msporny]

This is a tracking issue that covers the final horizontal review of this specification:

• Final Review Request of seven (7) W3C VCWG Specifications w3ctag/design-reviews#1029
• Final Review Request of seven (7) W3C VCWG Specifications w3cping/privacy-request#153
• Final Review Request of seven (7) W3C VCWG Specifications security-request#81
• Final Review Request of seven (7) W3C VCWG Specifications a11y-request#99
• Final Review Request of seven (7) W3C VCWG Specifications > 2025-02-01 i18n-request#255

When all of the final horizontal reviews are complete, this issue will be closed.

[iherman]

The issue was discussed in a meeting on 2025-02-06

• no resolutions were taken

View the transcript

1. Security group meeting.

See github issue vc-data-model#1575.

Manu Sporny: all the review requests?

See github issue security-request#81.

Manu Sporny: A couple of us joined the first meeting of the security interest group yesterday.
… we discussed VCDM and a variety of topics including their upcoming review queue.
… We wanted answers about (1) the review.
… they raised an issue asking us to restructure part of the spec.
… We mentioned that would be a burden.
… They agreed, that would be a challenge and this is a more long term ask.
… They didn't find any particular problems with the spec, so we are cleared to go to spec.
… Second, they said that any threat modeling work... if they request a more complete threat model that does not apply to the recent proposed REC things we are trying to do.
… They believe that SING plus the threat modeling CG will publish notes about threat models related to VCs, JOSE-COSE, etc. And tha twork will likely take several months.
… So that work won't be a blocker.
… We said we'd be willing to help.

Manu Sporny: https://lists.w3.org/Archives/Public/public-vc-wg/2025Feb/0000.html.

Manu Sporny: I'm going to copy/past some of the proposed rec docs.

Manu Sporny: Verifiable Credentials Data Model v2.0.
Manu Sporny: https://w3c.github.io/vc-data-model/transitions/2025/PR/.
Manu Sporny: Verifiable Credential Data Integrity 1.0.
Manu Sporny: https://w3c.github.io/vc-data-integrity/transitions/2025/PR/.
Manu Sporny: Data Integrity ECDSA Cryptosuites v1.0.
Manu Sporny: https://w3c.github.io/vc-di-ecdsa/transitions/2025/PR/.
Manu Sporny: Data Integrity EdDSA Cryptosuites v1.0.
Manu Sporny: https://w3c.github.io/vc-di-eddsa/transitions/2025/PR/.
Manu Sporny: Bitstring Status List v1.0.
Manu Sporny: https://w3c.github.io/vc-bitstring-status-list/transitions/2025/PR/.

Manu Sporny: One thing did come up. They confirmed they have not done security reviews of DI, CIDs, [and a few others], but they are at the top of the queue.
… We clarified we'll put this up for proposed REC and hopefully they can get those reviews done before we more to next stage.
… We also offered our help to come up to speed with design intent, etc. They appreciated that for VC2.0 and would appreciate it for other specs.
… one of the chairs has actually implemented DI.
… so they have familiarity with the tech, it's just a lot of work on their plate.
… That's the report.

Ivan Herman: on the practical side, manu can you put in the issues that are revelant, especially the ones where we asked for review.
… Just add them to IRC.
… all the security ones (relevant to SING).

Manu Sporny: ok, I think that's that.
… ... one is the tracking issue for horizontal reviews, the other is the security request.

Brent Zundel: anything else on this topic?