Address controller ambiguity

[OR13]

Consider the case where:

id: https://gov.example // issuer
verificationMethod: [{
  id: '#key-0',
  controller: https://org.example, // controller
  ...
}],
assertionMethod: ['#key-0']

jws.header.kid = https://gov.example#key-0

Possible normative statements:

a. The assertionMethod used to issue a verifiable credential MUST have a controller that matches the issuer.
b. The assertionMethod used to issue a verifiable credential MAY have a controller that matches the issuer.
c. The assertionMethod used to issue a verifiable credential SHOULD have a controller that matches the issuer.

What are the implications for each of these?

Why would we pick a over c?

[logpo]

My gut feeling is that it could lock out some potential use cases around key management and delegation if we go with a. Though for the overwhelming majority of cases I would expect the the verificationMethod would have the controller be the issuer

[decentralgabe]

Before picking any, we need to define matches. What if the controller is a separate DID which is controlled by the issuer?

[RieksJ]

We may also want to revisit

• issuer, which is defined as a role (that an entity can perform), but (non normative, but nevertheless documented) examples are limited to various kinds of organizations (see Ecosystem Overview). We need to be clear(er) here. Either an issuer is a party (an organization or person), that cannot digitally sign anything (it needs a digital actor to do so on its behalf), or it is a digital component (actor, of which a party can employ many. It is relevant to know whether the URI specified in an issuer field refers to a party or an electronic component.
• controller, which is not defined in the VC data model. A statement about whether this would be a party or an actor/agent would be nice.

If an issuer is a Party (e.g. organization) and the controller is an electronic component that can access and use cryptographic keys, then matching means: looking for proof that the electronic component identified by the controller-URI has signed on behalf of the party identified by the issuer-URI. If both issuer and controller are parties, the URI's should be the same. Etc.

[iherman]

The issue was discussed in a meeting on 2023-04-05

• no resolutions were taken

View the transcript

3.8. Address controller ambiguity (issue vc-data-model#915)

See github issue vc-data-model#915.

Brent Zundel: Address controller ambiguity.
… Is there someone that wants to be assigned to the issue?

Orie Steele: Similar to previous when discussing how to obtain key material, this may belong to data integrity, not data model.
… Would like for someone else to take this issue.
… Seen a lot of confusion in VC-JWT over what to do with this property.

Manu Sporny: Agree that this issue should be transferred to vc-data-integrity and vc-jwt (and ideally, they both give the same advice) :).

Brent Zundel: Speak up to be assigned.
… Is the step forward to raise issue with vc-data-integrity and vc-jwt and link to this?

Orie Steele: Cannot address this in the core specification. What you get back from dereferencing will depend on the integrity specification, not the model.

Ivan Herman: Just a minor thing, in the core model where this property is defined, it should say that it depends on the security format.

Orie Steele: ivan than it should stay in core data model, and the guidance should be added to the vocab.

Orie Steele: who is willing to do that?

Orie Steele: I have observed data integrity implementations doing that binding, regardless of what the spec says.

Orie Steele: and I have observed vc-jwt ignoring that convention as well.

Brent Zundel: Is there a need to have a Data Integrity version of this issue?

Orie Steele: vc-data-integrity and vc-jwt can define document independently.

Dmitri Zagidulin: +1 Orie, I agree, there's definitely a normative behavior for DI, wrt controller.

Brent Zundel: Adding ready for PR label.
… We are going to continue triaging until all issues assigned.

---

[OR13]

Data Integrity addresses some of this here: https://www.w3.org/TR/vc-data-integrity/#retrieve-verification-method

[OR13]

They use the term controllerDocumentUrl and the controllerDocument

[iherman]

The issue was discussed in a meeting on 2023-04-19

• no resolutions were taken

View the transcript

2.2. Address controller ambiguity (issue vc-data-model#915)

See github issue vc-data-model#915.

Brent Zundel: This one is marked ready for PR. I think the last time we talked about it. A bit of a brief conversation.
… Also raised by Orie ... is someone willing to be assigned?.

Manu Sporny: I feel like this is important -- I can't remember if Data Integrity addresses this partially.
… I'm not volunteering but will definitely take a look at it. If it's marked ready for PR, I imagine one of the editors will pick it up.

Orie Steele: Anyone who likes DIDs could pick this up.

Orie Steele: and be a hero.

[brentzundel]

@OR13 can this be closed now that Data Integrity addresses this directly?
What concrete changes to the VC Data Model that should be made to address this? The only mention of controllers and assertion methods that I'm finding in the spec are tucked into examples and in a non-normative appendix, so I'm not sure where any of the normative statements you've proposed would go.

[mprorock]

this feels like a data integrity issue, not something to be addressed in core data model

[OR13]

data integrity does cover this, jwt does not... is it ok if vc-jwt and data integrity disagree on processing of the controller field.

[iherman]

The issue was discussed in a meeting on 2023-05-17

• no resolutions were taken

View the transcript

2.2. Address controller ambiguity (issue vc-data-model#915)

See github issue vc-data-model#915.

Brent Zundel: Controller ambiguity.
… Also raised by Orie.
… Anyone willing to move it forward?

Orie Steele: the controller property, as far as I'm aware, completely not relevant to VCs.
… There's no reason we need it. But it is mandatory in a few places.
… To work on this, someone would have to think about VCDM and if they need to say anything. Data Integrity proofs? Do they?
… probably.

Brent Zundel: Is anyone willing to be assigned?

Michael Prorock: i think it should get moved to DI.

Dmitri Zagidulin: +1 to move to DI.

Brent Zundel: Or is there agreement to move it to DI.
… anyone opposed to moving it?

Oliver Terbu: I think there might be interplay between this and VC-JWTs as well.
… This applies to other integrity mechanisms right?

Manu Sporny: DI already talks about this and how you do processing. So I'm not sure what's being asked for DI.
… Clarity there would be helpful before reassigning.

Phillip Long: Does this mean that the problem posed is already addressed in the data integrity spec?

Michael Prorock: I am inline with Manu. the right place for this is not core data model.
… just in scanning, it looks like DI covers it.
… I suggest we just close it.
… To oliver, about possible overlap with JWTs, there is to some degree, but the JWT spec is covering that as appropriate.

Orie Steele: vc-jwt does not cover this topic.

Brent Zundel: current informal proposal: just mark it closed?

Michael Prorock: no concern from me.

Orie Steele: that might be valid. The concern is that if VC-JWT describes different behavior, would that be ok?
… If so, great.

Michael Prorock: they are different securing mechanisms.

Ivan Herman: there is a more general problem I raised in another issue. When I read the VCDM document and I go through the examples. The fact is many examples use terms that are defined all over the places.
… There may be examples that use controller, and it's not clearly stated that this term is defined over there.
… There is editorial work to be done to make it clear to outside readers.

Dmitri Zagidulin: I suspect we need to add those sections to the Example descriptions ("Terms controller, proof, etc, defined in DI").

Brent Zundel: is anyone willing to be assigned? Or is anyone opposed to closing?

Ivan Herman: this is a separate issue.

Brent Zundel: my suggestion is to mark as pending closed.
… no opposition. Marking pending close.
… Moving on to issue 1089.

Orie Steele: vc-jwt still has no documented way to obtain public keys.