vc-data-model
Definition of evidence should align with NIST
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-160v1.pdf
By applying the security design principles within a systems engineering process, it is possible to assemble a body of evidence to demonstrate that trust is warranted in an individual system component or in the system. Once a sufficient basis exists to grant trust, a judgement can be made as to whether the level of trust granted is sufficient for the specific missions or business operations.
The security aspects of the solution include the development of the system protection strategy; the system security design requirements; the security architecture views and viewpoints; the security design; the security aspects, capabilities, and limitations in the system life cycle procedures; and the associated security performance verification measures. The security aspects of the solution are realized during the implementation of the system security design in accordance with the security architecture and in satisfaction of the security requirements. The evidence associated with the security aspects of the solution is obtained with a level of fidelity and degree of rigor that is influenced by the level of assurance targeted by the security objectives. Assurance evidence is obtained from standard systems engineering verification methods (e.g., analysis, demonstration, inspection, and test) and from complementary validation methods applied against the stakeholder requirements.
^ A few quotes.
+1 to this aspect. Thanks for breaking it out into a separate issue.
The current definition of evidence is as follows (as per W3C VC spec 1.1):
This specification defines the evidence property for expressing evidence information.
evidence: The value of the evidence property MUST be one or more evidence schemes providing enough information for a verifier to determine whether the evidence gathered by the issuer meets its confidence requirements for relying on the credential. Each evidence scheme is identified by its type. The id property is optional, but if present, SHOULD contain a URL that points to where more information about this instance of evidence can be found. The precise content of each evidence scheme is determined by the specific evidence type definition.
@OR13 are you suggesting that we change this definition? The current definition is generic enough to also include NIST definition. Do you have a suggestion on what needs to change or which specific part is missing?
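An added example, not part of the thread or of the specification: a structural check a verifier could run on the evidence property before evaluating any evidence scheme, following the MUST and SHOULD statements in the definition quoted above. The function names, the type name `ExampleDocumentCheck`, the `issuer.example` URLs and the sample credential are constructed for illustration; accepting `type` as either a string or a list of strings is an assumption.

```python
from urllib.parse import urlparse

def _is_url(value):
    """True when value parses as an absolute URL (scheme plus host or path)."""
    if not isinstance(value, str):
        return False
    parts = urlparse(value)
    return bool(parts.scheme) and bool(parts.netloc or parts.path)

def check_evidence(credential):
    """Return (errors, warnings) for the credential's evidence property.

    errors   -> violations of the quoted MUST / "identified by its type" text
    warnings -> departures from the quoted SHOULD on id
    """
    errors, warnings = [], []
    if "evidence" not in credential:
        return errors, warnings  # property absent: nothing to check
    value = credential["evidence"]
    schemes = value if isinstance(value, list) else [value]
    if not schemes:
        errors.append("evidence: MUST be one or more evidence schemes, got none")
    for i, scheme in enumerate(schemes):
        where = f"evidence[{i}]"
        if not isinstance(scheme, dict):
            errors.append(f"{where}: evidence scheme must be an object")
            continue
        types = scheme.get("type")
        types = [types] if isinstance(types, str) else types
        # Assumption: type is a string or a non-empty list of non-empty strings.
        if not (isinstance(types, list) and types
                and all(isinstance(t, str) and t for t in types)):
            errors.append(f"{where}: missing or malformed type")
        if "id" in scheme and not _is_url(scheme["id"]):
            warnings.append(f"{where}: id SHOULD be a URL")
    return errors, warnings

# Constructed sample credential fragment (not taken from any real issuer).
SAMPLE = {
    "type": ["VerifiableCredential"],
    "evidence": [
        {"id": "https://issuer.example/evidence/1", "type": ["ExampleDocumentCheck"]},
        {"id": "local-record-17", "type": "ExampleDocumentCheck"},
        {"id": "https://issuer.example/evidence/3"},
    ],
}

if __name__ == "__main__":
    errs, warns = check_evidence(SAMPLE)
    print("errors:", errs)
    print("warnings:", warns)
```

A clean result only says the property is well-formed; whether the evidence meets the verifier's confidence requirements still depends on the specific evidence type definition.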
I'd like to see explicit citation, and alignment with NIST terms... they have their own framing which I believe we can do a better job of relating to our existing term definitions.
Suggest we apply post CR label
The issue was discussed in a meeting on 2023-06-06
- no resolutions were taken
1.2. Definition of evidence should align with NIST (issue vc-data-model#926)
See github issue vc-data-model#926.
Orie Steele: suggest applying post CR label.
Brent Zundel: Definition of evidence as defined by NIST -- do we need to address this before CR? Editorial? Normative changes?
Andres Uribe: +1 to post CR.
Brent Zundel: Suggestion to set as post-CR - any objections?
Phillip Long: Post CR works for me.
all: No objections, marking as post-CR.
Orie Steele: We have no required RDF types for evidence.
Orie Steele: best we have are community drafts that are not interoperable, which claim to use evidence.
Joe Andrieu: Do we have implementers that have used evidence, isn't it still at risk? I like it, personally, anyone using it?
Brent Zundel: We do need to understand if it's used.
Joe Andrieu: I'm fine w/ moving on.
Andres Uribe: We are debating using this for identity proofing -- right now, thinking of using it.
The use of evidence is central to the VCs that have been introduced in the education/training community through 1EdTech. Two efforts were undertaken to transform the OBv2.x Open Badge credential to conform with the W3C VC v1.1 data model specification as OBv3. Similarly, the Comprehensive Learner Record (CLR) was revised to also make it compatible with the VC v1.1 data model and released as CLRv2. Both of these specifications are done, and are now in Final Candidate Public, meaning they are available to the public for implementation. Both have multiple companies who have committed to incorporate these specifications into their products.
As more and more educational institutions embrace verifiable credentials, the evidence property will be very important to them, especially in considering Prior Learning Assessments.
See also my comment in https://github.com/w3c/vc-test-suite/issues/134
The issue was discussed in a meeting on 2024-01-17
- no resolutions were taken
2.7. Definition of evidence should align with NIST (issue vc-data-model#926)
See github issue vc-data-model#926.
Brent Zundel: This was raised by Orie, it is assigned to MikeP, the issue recommends where possible, that we should align w/ NIST definition (and link to it).
Manu Sporny: https://csrc.nist.gov/glossary/term/evidence.
Manu Sporny: NIST has a glossary where they define "evidence" and I think it aligns with our usage of it. I don't know if we even ... NIST also has entries in their glossary where they have multiple different definitions.
… NIST understands that when they use a word even they are not consistent in how it's used across every document they have. They have all of the definitions cross reference. Luckily with "evidence" there is just one definition and it seems to align.
… We could point to the NIST definition but I don't know what that would accomplish.
Jeffrey Yasskin: Just a suggestion, it seems like one of the "at risk" things that doesn't have a firm spec behind it, could put it in registry entry, don't have to worry about it for this document.
Manu Sporny: I think this issue is just about our use of the word "evidence", not the extension point. I agree with you Jeffrey for the extension point, but I think this is just about how we use the word.
Brent Zundel: Of the 30-odd uses of the term, only two are related to the extension point.
Jeffrey Yasskin: One is in the introduction / non-normative.
Brent Zundel: It is my opinion that we're not using "evidence" in a way that's outside the standard English definition. While it would be simple to link to NIST, I don't think there's anything to do here.
… Anyone opposed to marking this "pending close"?
Ted Thibodeau Jr.: just for fun... https://csrc.nist.gov/glossary/term/public_key ... https://csrc.nist.gov/glossary/term/secret_key ... https://csrc.nist.gov/glossary/term/cryptographic_material ...
Phillip Long: +1 to pending close.
Manu Sporny: +1 to pending close.
Brent Zundel: thanks everyone for your time today!
no objections since marked pending close, closing