Ballot for charter-ietf-spice
Yes
No Objection
No Record
Summary: Has enough positions to pass.
Ballot question: "Is this charter ready for external review?"
high level comments:
====================
In general the charter looks different from other charter styles observed, i.e. this charter has a 'program of work' section. I see more often 'goals and deliverables' within a WG charter though. For the charters as co-chair I pursued an effort to comply with a structure of the following style:

* Description of Working Group: More detailed information about the problems the group will address, the technologies it will develop or improve, and the methodologies it will use.
* Charter: A detailed description of the group's purpose, which covers:
  ** Mission Statement: A concise overview of the group's aims and responsibilities.
  ** Scope: The boundaries of the group's work, including what is and is not included.
  ** Goals and Deliverables: Specific outcomes the group aims to achieve and by when. This usually includes a timeline for drafts and proposed standards.
* Milestones: A timeline of expected achievements, typically listed as a series of dates by which drafts or other deliverables are expected to be completed.
* Dependencies: Relationships and dependencies with other IETF working groups or external bodies.

editorial comments:
===================
Please find editorial suggestions in an effort to improve readability of the proposed charter. Please use (or not) at your convenience.

[OLD]
"A digital credential expresses claims, assertions, or attributes about a subject, such as their name or age, and their cryptographic keys. Some sets of claim names have already been defined by the IETF and other standards development groups (e.g., OpenID Foundation)."

[NEW]
A digital credential intends to express claims, assertions, or attributes regarding a subject, including but not limited to their name, age, and cryptographic keys. Various sets of claim names have been defined by the IETF and other standards development organizations, such as the OpenID Foundation.

[OLD]
"Digital credentials typically involve at least three entities. An issuer constructs and secures a digital credential for a holder. Holders may be willing either to partially disclose some values of their attributes or to demonstrate some properties about their attributes without disclosing their values. Holders disclose credentials, attributes, or proofs regarding attributes in what is called a "digital presentation" to a verifier."

[COMMENTS]
What are the three entities being referred to? I realized at the end of reading the charter that this is —issuers, holders, and verifiers—. Maybe this can be explicitly mentioned before digging deeper into the documented considerations?

[OLD]
The SPICE WG will profile existing IETF technologies and address residual gaps that would enable their use in digital credentials and presentations.

[NEW]
The SPICE WG shall profile existing IETF technologies and address any remaining gaps to facilitate their application in digital credentials and presentations.

[OLD]
The JOSE WG is already standardizing a token format for unlinkability & selective disclosure in the form of JWP/CWP (draft-ietf-jose-json-web-proof). The SPICE WG will profile these token formats for use with digital credentials.

[NEW]
The JOSE WG is currently standardizing a token format for unlinkability and selective disclosure as specified in JWP/CWP (draft-ietf-jose-json-web-proof). The SPICE WG shall profile these token formats for application in digital credentials.

[OLD]
The OAUTH WG is already standardizing a token format for unlinkability & selective disclosure in the form of SD-JWT/SD-JWT-VC (draft-ietf-oauth-selective-disclosure-jwt and draft-ietf-oauth-sd-jwt-vc). The SPICE WG will define SD-CWT/SD-CWT-VC, analogs for these JWT-based tokens but based on CWT.

[NEW]
The OAUTH WG is currently standardizing a token format for unlinkability and selective disclosure in the form of SD-JWT/SD-JWT-VC (draft-ietf-oauth-selective-disclosure-jwt and draft-ietf-oauth-sd-jwt-vc). The SPICE WG shall define SD-CWT/SD-CWT-VC, which are analogous to these JWT-based tokens, but based on CWT.

[OLD]
The SPICE WG coordinates with RATS, OAuth, JOSE, COSE, and SCITT working groups that develop documents related to the identity and credential space. The SPICE WG builds on existing cryptographic primitives and does not define novel cryptographic schemes.

[NEW]
The SPICE WG shall coordinate with the RATS, OAuth, JOSE, COSE, and SCITT working groups that are involved in developing documents pertinent to the identity and credential space. The SPICE WG shall build upon existing cryptographic primitives and shall not define novel cryptographic schemes.

[OLD]
The SPICE WG develops digital credential profiles which can support a number of use cases. To help guide engineering decisions, requirements for proposed standards in the program of work will be created in coordination with the working groups listed above. The profiles developed by the SPICE WG will enable digital credentials to leverage existing IETF technologies.

[NEW]
The SPICE WG shall develop digital credential profiles that support various use cases. Requirements for proposed standards in the program of work shall be established in coordination with the aforementioned working groups. The profiles developed by the SPICE WG shall enable digital credentials to leverage existing IETF technologies.

[OLD]
The privacy and security considerations related to the impact of confidential computing, remote attestation, trusted execution environments (TEE), and hardware security modules (HSM) on digital credentials will be developed in coordination with relevant IETF WGs (e.g., TEEP) and feedback from experts on the mailing list.

[NEW]
Privacy and security considerations concerning the impact of confidential computing, remote attestation, trusted execution environments (TEE), and hardware security modules (HSM) on digital credentials shall be developed in coordination with relevant IETF WGs (e.g., TEEP) and shall incorporate feedback from experts on the mailing list.

[OLD]
A proposed standard Metadata & Capability Discovery protocol for JWT, CWT, SD-JWT, SD-CWT, CWP and JWP using HTTPS/CoAP for CBOR-based digital credentials to enable the 3 roles (issuers, holders and verifiers) to discover supported capabilities, protocols and formats for keys, claims, credential types and proofs. The design will be inspired by the OAuth "vc-jwt-issuer" metadata work (draft-ietf-oauth-sd-jwt-vc) which supports ecosystems using JSON serialization.

[NEW]
A Proposed Standard Metadata & Capability Discovery protocol shall be developed for JWT, CWT, SD-JWT, SD-CWT, CWP, and JWP using HTTPS/CoAP. This protocol, intended for CBOR-based digital credentials, shall enable the three roles —issuers, holders, and verifiers— to discover supported capabilities, protocols, and formats for keys, claims, credential types, and proofs. The design of this protocol shall be inspired by the OAuth "vc-jwt-issuer" metadata work (draft-ietf-oauth-sd-jwt-vc), which supports ecosystems utilizing JSON serialization.

[OLD]
04/2025 - Submit an informational Architecture document to the IESG for publication
10/2025 - Submit a proposed standard document covering a JWP/CWP profile for digital credentials to the IESG for publication
10/2025 - Submit a proposed standard document defining SD-CWT to the IESG for publication
03/2026 - Submit a document as a proposed standard covering Metadata & Capability Discovery protocol to the IESG for publication

[NEW]
04/2025: Submit the informational Architecture document to the IESG for publication.
10/2025: Submit the Proposed Standard document for the JWP/CWP profile for digital credentials to the IESG for publication.
10/2025: Submit the Proposed Standard document defining SD-CWT to the IESG for publication.
03/2026: Submit the Proposed Standard document covering the Metadata & Capability Discovery protocol to the IESG for publication.
I had to do some digging to figure out what "claim names" are (referred to in the second sentence of the introduction). They're defined in RFC 7519, and even after reading that definition I'm not sure I know what the sentence is talking about; maybe I looked at the wrong definition.
Please move the milestones from the charter text into the formal milestone feature in the datatracker.
The first sentence construction seems weird if it is simplified to "A digital credential expresses claims about a subject and their cryptographic keys." Should it be 'links' rather than 'expresses'? What about using `Digital credentials typically involve at least three entities: issuer, holder, verifier`? I find `The SPICE WG will profile existing IETF technologies` rather ambiguous... does 'existing' cover only published RFCs? The use of 'profile' is also weird in the sentence, what about 'analyse' (moreover 'profile' as a word seems to be at the heart of SPICE work)? Unsure whether defining the TEE and HSM acronyms is useful as they are not re-used in the charter. OTOH, it would be nice to expand RDF. Thank you for listing the deliverables *and* their intended status.