[secdir] W3C VC/DID WG Security Review Coordination Request

Manu Sporny <msporny@digitalbazaar.com> Sat, 17 July 2021 21:09 UTC

Return-Path: <msporny@digitalbazaar.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id 653F93A21A1 for <secdir@ietfa.amsl.com>; Sat, 17 Jul 2021 14:09:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id doc5ap3_YcgK for <secdir@ietfa.amsl.com>; Sat, 17 Jul 2021 14:09:05 -0700 (PDT)
Received: from mail.digitalbazaar.com (mail.digitalbazaar.com []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C937D3A219F for <secdir@ietf.org>; Sat, 17 Jul 2021 14:09:04 -0700 (PDT)
Received: from [] (helo=[]) by mail.digitalbazaar.com with esmtpsa (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.89) (envelope-from <msporny@digitalbazaar.com>) id 1m4rYO-0003Ql-Mn for secdir@ietf.org; Sat, 17 Jul 2021 17:09:01 -0400
To: secdir@ietf.org
From: Manu Sporny <msporny@digitalbazaar.com>
Message-ID: <f8ce3e90-221d-6ce1-dd1d-3848e646419e@digitalbazaar.com>
Date: Sat, 17 Jul 2021 17:08:55 -0400
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.11.0
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Language: en-GB
Content-Transfer-Encoding: 7bit
X-SA-Exim-Mail-From: msporny@digitalbazaar.com
X-SA-Exim-Version: 4.2.1 (built Tue, 02 Aug 2016 21:08:31 +0000)
X-SA-Exim-Scanned: Yes (on mail.digitalbazaar.com)
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/ijoxNV3tjqYw1WOKI7T5O0JYts0>
Subject: [secdir] W3C VC/DID WG Security Review Coordination Request
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 17 Jul 2021 21:09:11 -0000

Benjamin, Roman, and the IETF Security Area Directorate,

I am writing on behalf of the Chairs, Staff, and Members of multiple current
chartered W3C Working Groups related to Verifiable Credentials[1] (VCs) and
Decentralized Identifiers[2] (DIDs). The outcome of this message also could
affect future W3C Working Groups currently in the pre-chartering process
related to RDF Dataset Canonicalization and Hashing, and Linked Data Integrity[3].

TL;DR: There are two requests in this message. The first is from the DID WG,
for a best-effort security review of the Decentralized Identifier Core
specification[4] by an appropriate IETF group. The second is from the current
VC and DID WGs, on behalf of themselves and the above-mentioned pre-charter
WGs, to set up regular and recurring security reviews of specific W3C
specifications that will be developed over the next several years, in a
capacity that is more coupled than a traditional W3C-IETF liaison relationship.

Both requests are further detailed in the rest of this message.

Review of DID Core Specification

Mark Nottingham, Co-Chair of the HTTP WG, recently inquired about the security
and privacy reviews that were performed on DID Core. The W3C DID WG has
performed multiple security and privacy reviews on the specification[6], per
the W3C process. In addition to those reviews, we are hoping that the IETF
secdir or CFRG will guide us toward receiving additional security reviews on
the specification. What would be the best path to getting an initial
best-effort security review of the DID Core specification, and subsequent
security reviews every six months or so on iterations of that specification?

I will note two important considerations. The first is that the initial DID WG
charter expires in September 2021, the specification comes out of the 2nd W3C
Candidate Recommendation phase in mid-July 2021, and according to W3C Process,
the DID WG has enough implementation experience (32 implementations for many
features) to move on to the W3C Proposed Recommendation phase. The second
consideration is that the DID WG has only defined a data model and has not
defined any cryptographic algorithms or protocols in this iteration of the
specification. That said, the specification is expected to be used with
cryptographic systems, and furthermore, protocol work might be included in the
work of  a re-chartered (future) group. Thus, we desire more eyes on the
specification, especially from IETF Security Area Directorate and IRTF CFRG.

Benjamin and Roman, what mechanism would be most effective for achieving a
timely, best-effort review of the W3C Decentralized Identifiers specification?

Targeted Engagement with Future DID and VC-related work at W3C

Since the Recommendation of the W3C Verifiable Credentials specification[7],
and the expected Recommendation of the W3C Decentralized Identifiers
specification[4], there has been increased movement in government and the
private sector towards issuing credentials for a variety of use cases in a
production capacity. As a result, it is highly likely that both the W3C
Verifiable Credentials WG and the W3C Decentralized Identifiers WG will be
re-chartered to maintain and/or advance the work.

In addition, new cryptographic packaging formats and protocols[3][8] based on
active IETF work[9][10] and/or RFCs are expected to be advanced in parallel.
The chartered W3C Working Groups are requesting a more direct liaison
relationship that goes beyond periodic reviews of the specifications under
development by these groups. Ideally, participants in the IETF Security Area
would be active members of these W3C Working Groups with an additional liaison
relationship to groups like the IRTF CFRG. There is a strong expectation that
newly chartered groups that are related to the technologies mentioned
throughout this email will request the same type of relationship.

Benjamin and Roman, what mechanism would be most effective for setting up this
more formal and active relationship between the IETF Security Area and the W3C
Working Groups mentioned above?


Thank you for your time in considering the questions that we have put forward
in this message. We know that this is only the beginning of the discussion, so
don't expect definitive answers in initial responses, but hope for some
concrete guidance on next steps.

On behalf of the Editors, Chairs, and Staff contacts for W3C Verifiable
Credentials WG and the W3C Decentralized Identifiers WG,

-- manu


Manu Sporny - https://www.linkedin.com/in/manusporny/
Founder/CEO - Digital Bazaar, Inc.
News: Digital Bazaar Announces New Case Studies (2021)