Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add relatedResource property to VerifiablePresentation #1370

Closed
wants to merge 5 commits into from
Closed

Add relatedResource property to VerifiablePresentation #1370

wants to merge 5 commits into from

Conversation

msporny
Copy link
Member

@msporny msporny commented Dec 3, 2023
edited by pr-preview bot
Loading

This PR attempts to address issue #1360 by allowing the relatedResource property to be used on a VerifiablePresentation. It also adds an "at risk" issue marker noting that the feature might be removed in the Candidate Recommendation phase based on implementer feedback.

Preview | Diff

@msporny msporny mentioned this pull request Dec 3, 2023
Open
iherman
iherman approved these changes Dec 4, 2023
View reviewed changes
index.html Outdated
</p>
<p class="issue" title="Mandatory listing of contexts in relatedResouce are under debate.">
The requirement that contexts be listed in `relatedResource` is currently being
debated in the VCWG. This requirement might be removed in future iterations of
the specification.
</p>
<p class="issue at-risk" title="Use of `relatedResource` in `VerifiablePresentation`">
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
<p class="issue at-risk" title="Use of `relatedResource` in `VerifiablePresentation`">
<p class="issue at-risk" title="Use of `relatedResource` in `VerifiablePresentation` is at risk">

I think it is better to make the "at risk" features very explicit when reading the document. (I have not checked whether this is the case for the other, at risk features in the spec.)

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I got the "atrisk" class wrong and fixed it in de83559.

Which results in this rendering, does that work for you @iherman ?

image

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks perfect! 😀

@iherman iherman mentioned this pull request Dec 4, 2023
Closed
@brentzundel brentzundel changed the title Add relatedResource property to VerifiableCredential Add relatedResource property to VerifiablePresentation Dec 4, 2023
OR13
OR13 reviewed Dec 4, 2023
View reviewed changes
vocab/credentials/v2/vocabulary.yml
@@ -163,7 +163,7 @@ property:

- id: relatedResource
label: Related resource
domain: cred:VerifiableCredential
domain: [cred:VerifiableCredential, cred:VerifiablePresentation]
Copy link
Contributor

@OR13 OR13 Dec 4, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

sry, I meant for this comment to go on "range".

Given this points to credentials by URL, which can't you use a Data URI here?

{
  "@context": [
    "https://www.w3.org/ns/credentials/v2",
    "https://www.w3.org/ns/credentials/examples/v2"
  ],
  "id": "urn:uuid:5ec137ea-871e-11ee-a783-ef96a4397a9a",
  "type": ["VerifiablePresentation", "ExamplePresentation"],
  "relatedResource": [
    "https://vendor.example/resources/42",
    "data:application/jwt;base64,QzVjV...RMjUK==",
    "data:application/cwt;base64,ZmlOW...pYzMK="
 ]
}

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

confusing when comparing to https://github.com/w3c/vc-data-model/pull/1372/files#diff-dfe00db9d510a45f71289312990ee36df870f36c02094551bfba625dcd0d8e96R193

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Because an enveloped credential is far more that just a "related resource".

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

it would be concerning to me to use this property to represent jwts/cwts that are transformable to w3c vcs

Copy link
Member Author

@msporny msporny Dec 11, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@decentralgabe, would you find this mechanism more acceptable? #1379 (preview here)

OR13
OR13 reviewed Dec 4, 2023
View reviewed changes
index.html
<code>relatedResource</code> is present, there MUST be an object in the array
for each remote resource for each context used in the verifiable credential.
for each remote resource used in the verifiable credential.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

data URIs are IRIs.

@jandrieu
Copy link
Contributor

jandrieu commented Dec 5, 2023

This is still a layering error

jandrieu
jandrieu requested changes Dec 5, 2023
View reviewed changes
Copy link
Contributor

@jandrieu jandrieu left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Remove this. It isn't a good adjustment.

@iherman
Copy link
Member

iherman commented Dec 6, 2023

The issue was discussed in a meeting on 2023-12-05

  • no resolutions were taken
View the transcript

1.1. Add relatedResource property to VerifiablePresentation (pr vc-data-model#1370)

See github pull request vc-data-model#1370.

Brent Zundel: only has approvals.
… likely to get merged within the week.

Joe Andrieu: I still think this is a layering error. I don't know why Verifier would know how to interpret related resource, they didn't ask for it, it's not a VC, I think most use cases could be handled w/ a VC or how to secure contexts for ... generic mechanism seems wrong.

Manu Sporny: I largely agree with Joe on his use cases. We should probably have a context securing mechanism.
… and have something for enveloped VCs.
… a fear is that some implementers are going to use related resources as a dumping ground for all sorts of things.
… I want to express XYZ, I'm going to put that in there.
… All that to say, Joe has a point.
… But if folks want to use the data model in that way, they can.

Joe Andrieu: I want to note that anyone can add to the context and they can add properties. What we're talking about here is that everyone has to respect... we aren't preventing people that want to use relatedResource. I don't see reason for extensibility in this way.

Brent Zundel: I see the benefit of having more specific mechanisms for the different things.
… would the related resource be seen as a stepping stone?

Joe Andrieu: I think a lot of it is lessons learned from extensible HTTP headers, which was "X-something"... if people start using it, they won't stop using it. If burden is you have your own context that does something specific. That's the path towards getting new things into VCDM. I'm afraid of setting the wrong direction here.

Dave Longley: +1 to Joe that once people start using things they won't stop ... there are advantages for putting slight speed bumps in the way to make people do things in better ways.

Brent Zundel: this PR has nothing but approvals.

jandrieu
jandrieu requested changes Dec 6, 2023
View reviewed changes
Copy link
Contributor

@jandrieu jandrieu left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This should not go in. It's a layer violation.

@msporny
Copy link
Member Author

msporny commented Dec 7, 2023

@jandrieu wrote:

This should not go in. It's a layer violation.

You noted on the call that you were a non-blocking objection for this PR.

However, your comment above could be seen as objecting to this PR.

Are you ok with it being merged, or are you objecting to it being merged?

@jandrieu
Copy link
Contributor

jandrieu commented Dec 9, 2023

That was a miscommunication.

I do object to this going in.

@msporny
Copy link
Member Author

msporny commented Dec 9, 2023

@jandrieu wrote:

I do object to this going in.

Ok, marking this as pending close, then.

@msporny msporny added the pending close Close if no objection within 7 days label Dec 9, 2023
@iherman
Copy link
Member

iherman commented Dec 12, 2023

The issue was discussed in a meeting on 2023-12-12

  • no resolutions were taken
View the transcript

2.1. Add relatedResource property to VerifiablePresentation (pr vc-data-model#1370)

See github pull request vc-data-model#1370.

Brent Zundel: First up, 1370.
… Looks like Joe is opposed.
… We don't have consensus on this. Looking to close.
… happy to take comments. if folks are opposed, we can timebox a conversation.

Manu Sporny: As a heads up, I curated the PRs and put pending close on any thing that has an objection without a work-around.
… we need to get more aggressive about closing.
… Just an explanation about why things are marked pending closed.
… Another thing to ask is whether or not the objector would make an FO on this change.
… My concern about this PR is that if we don't put Related Resource will not have a way of adding a hash for a JSON LD context in addition to the base context.
… It has been asserted that you don't have to do that if you have static contexts.
… Orie's not here, who might be objecting.

Joe Andrieu: Yes, I am opposed to this, I would Formally Object, I think this is a huge layer violation. It creates an opportunity for surveillance through related resource, I think we can solve context securing in a different way.
… Manu, noted that VC-JOSE-COSE folks want to use JSON-LD Contexts... they should just use JSON-LD.

Ivan Herman: I'm neutral on the original thing. but what was just proposed to Joe seems the wrong thing to do.
… saying that it can only be used for certain purposes sounds bad.
… that requires additional restrictions through new properties.
… I can't object as a W3C staff, but I don't like it.

Manu Sporny: FWIW, I agree with Ivan, I was just trying to find a way through this where we don't end up w/ FOs.

Brent Zundel: I'm seeing no consensus here.
… We don't have Orie, so we can't ask him.
… based on the information we have, we should close this PR.
… I'd like to close it now, but we just put the pending close label on this three days ago.

Manu Sporny: note, if Orie is going to formally object (because you can't secure context).
… our way through this would be to have a "relatedContext" property.
… I think Joe would not be opposed to that. And maybe Orie would find that ok.

Ivan Herman: I want to remind people that there was a feature freeze a while ago.
… what you just proposed feels like a new feature. It's just too late.
… We can't work that way or we'll never finish.

Brent Zundel: appreciate the reminders.

@msporny
Copy link
Member Author

msporny commented Dec 15, 2023

PR failed to achieve consensus, marked "pending close" for over a week, closing.

@msporny msporny closed this Dec 15, 2023
@msporny msporny deleted the msporny-vp-relatedResource branch December 17, 2023 19:51
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@BigBlueHat BigBlueHat BigBlueHat left review comments

@iherman iherman iherman approved these changes

@OR13 OR13 OR13 left review comments

@jandrieu jandrieu jandrieu requested changes

@dlongley dlongley dlongley approved these changes

@longpd longpd longpd approved these changes

@andresuribe87 andresuribe87 andresuribe87 approved these changes

@brentzundel brentzundel brentzundel approved these changes

@dmitrizagidulin dmitrizagidulin Awaiting requested review from dmitrizagidulin

@mprorock mprorock Awaiting requested review from mprorock

@David-Chadwick David-Chadwick Awaiting requested review from David-Chadwick

@brianorwhatever brianorwhatever Awaiting requested review from brianorwhatever

@decentralgabe decentralgabe Awaiting requested review from decentralgabe decentralgabe is a code owner

@selfissued selfissued Awaiting requested review from selfissued selfissued is a code owner

Assignees
No one assigned
Labels
before-CR pending close Close if no objection within 7 days
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
10 participants
@msporny @jandrieu @iherman @BigBlueHat @dlongley @longpd @andresuribe87 @decentralgabe @OR13 @brentzundel