Algorithms are poorly defined / unimplementable

[msporny]

The algorithms in Section 11 and Section 12 are poorly defined, do not provide the interface specified in the VCDM, and are generally unimplementable as written.

The following problems exist in Section 11:

• The algorithm does not specify expected inputs or outputs.
• There is no definition of a formal algorithm in this section.
• The reference to SD-JWT is broken.
• The algorithm does not differentiate between SD-JWTs and SD-JWT presentations.
• There are no COSE examples anywhere in the specification.
• There is a note about additional validation checks, but no link to which ones might be expected (a link could be put to the validation section in VCDM v2).

The following problems exist in Section 12:

• The algorithm does not specify expected inputs or outputs.
• There is no definition of a formal algorithm in this section.
• Most of the MUST statements in the first paragraph are vague and untestable and are thus, unactionable.
• It's not clear what to do with the JWT claims during validation (see issue #205 for the ambiguity problem this causes)
• It seems like both credentialSchema and credentialStatus can be ignored -- which seems like a bad idea. The group hasn't agreed to this being the default validation practice.

[selfissued]

From my point of view, neither of these sections is intended to define formal algorithms, with inputs and outputs. Rather, they are a set of steps for implementers to follow when sanity-checking instances of data structures defined by this specification.

If you want to suggest adding steps that you believe are missing, have at it.

I'll fix the broken SD-JWT reference. Thanks for pointing it out.

[msporny]

From my point of view, neither of these sections is intended to define formal algorithms, with inputs and outputs.

Based on the input from Google, the VCDM now has clear requirements for all securing specifications:

https://w3c.github.io/vc-data-model/#securing-mechanism-specifications

This includes the definition of algorithms w/ inputs/outputs.

If you want to suggest adding steps that you believe are missing, have at it.

That is primarily the responsibility of the Editors of the specification. I don't expect the specification will be able to transition to Candidate Recommendation when it fails to meet the requirements established by the WG and highlighted as a potential to cause a Formal Objection by a W3C Member.

[iherman]

The issue was discussed in a meeting on 2024-01-09

• no resolutions were taken

View the transcript

#### 1.4. Algorithms are poorly defined / unimplementable (issue vc-jose-cose#206) _See github issue [vc-jose-cose#206](https://github.com/w3c/vc-jose-cose/issues/206)._ **Michael Jones:** this tracks the ask for more actionable description of verification and validation. … I have assigned this to myself.

[selfissued]

The new VCDM text pertinent to this is at https://w3c.github.io/vc-data-model/#securing-mechanism-specifications. @brentzundel , can you please either tell us that you think this is done or create another PR? Thanks.

[iherman]

The issue was discussed in a meeting on 2024-03-06

• no resolutions were taken

View the transcript

#### 1.1. Algorithms are poorly defined / unimplementable (issue vc-jose-cose#206) _See github issue [vc-jose-cose#206](https://github.com/w3c/vc-jose-cose/issues/206)._ **Michael Jones:** 206 is about the verification algorithm. … but manu's already mentioned that all the specs are doing the right thing in terms of algorithm. **Manu Sporny:** I wasn't referring to JOSE/COSE, just the Data Integrity specs. … I think the editors of JOSE/COSE should figure out if the new interfaces apply for create and verify. … I'm checking to see what Jeffrey wrote about this earlier. > *Manu Sporny:* [https://w3c.github.io/vc-data-model/#securing-mechanism-specifications](https://w3c.github.io/vc-data-model/#securing-mechanism-specifications). **Manu Sporny:** section 5.13 securing mechanism specifications. … I don't know if the VC JOSE/COSE spec does the things that section requires. … it must provide a verification method that only contains the data in the document. … there are a bunch of other requirements for embedded proofs. … but no real requirements for enveloping proofs. … it's up to the editors to decide if they've hit that bar. … and the group to agree or not. **Michael Jones:** brent, this is assigned to you, do you want to keep it. **Brent Zundel:** yes. I'll keep it. **Gabe Cohen:** we have a section on this, but the rendering is broken. **Brent Zundel:** I'll look at that as well. **Manu Sporny:** there's a bulleted list in the issue I made. I've not seen responses. … I'll not block this going into CR, but without these changes it's likely to get formally rejected. … so, going through the list and explaining how they're addressed should help avoid the formal objection and close that issue. **Michael Jones:** you mean the one from December? **Manu Sporny:** yes. **Brent Zundel:** I'll tackle this. … anything else about JOSE/COSE? **Michael Jones:** decentralgabe has the other issues. **Gabe Cohen:** I plan to do both this week. > *Michael Jones:* The three vc-jose-cose before-CR issues are [https://github.com/w3c/vc-jose-cose/issues?q=is%3Aissue+is%3Aopen+label%3Abefore-CR](https://github.com/w3c/vc-jose-cose/issues?q=is%3Aissue+is%3Aopen+label%3Abefore-CR). **Brent Zundel:** if all three of these are addressed with PRs, it's theoretically possible we could vote next week...but that seems really tight. **Michael Jones:** no opinion on timing, ivan's the expert.

[brentzundel]

PR is here #261

[selfissued]

Addressed by https://github.com/w3c/vc-jose-cose/pull/261