W3C home > Mailing lists > Public > public-credentials@w3.org > November 2017

Re: DID Spec Hardening Proposal V3

From: Dave Longley <dlongley@digitalbazaar.com>
Date: Mon, 27 Nov 2017 11:16:13 -0500
To: =Drummond Reed <drummond.reed@evernym.com>, Melvin Carvalho <melvincarvalho@gmail.com>
Cc: "W3C Credentials CG (Public List)" <public-credentials@w3.org>, Christopher Allan Webber <cwebber@dustycloud.org>
Message-ID: <5f92439f-d3a1-8161-5020-c72d76ea868a@digitalbazaar.com>
On 11/25/2017 05:31 PM, =Drummond Reed wrote:
> Melvin, I like the idea of sites being able to publish a DID via their 
> HTTP(S) URLs at /.well-known/did/ . It would be easy for a DID resolver 
> to verify that against a DID document if we established a standard 
> service endpoint for verifying the association of a website URL with a DID.
> Thoughts from others?

Chris Webber, Kim, Nathan, Joe, myself, and some others chatted a bit at
TPAC about making better use of DIDs as URLs. This includes resolution
over protocols such as HTTP.

After TPAC, Chris and I talked quite a bit more about it and came up
with a couple of rough ideas that I'll try to outline so we can get more
people exploring them. Please jump in with anything I've left out or
that you were thinking we'd do differently, Chris.

First of all, we spoke about "path resolution" for DIDs in the context
of retrieving documents over HTTP (or another protocol) that are rooted
in a DID document (or, really, use a DID document like DNS).

So, for example, how would one write a client to retrieve:


Our proposal is essentially that the client would:

1. Retrieve the DID document identified by "did:ex:1234" according to
the DID method (more on this later).
2. Search its services for an HTTP service (yielding an IP address or a
domain or root URL).
3. Retrieve over HTTP: http://<the IP or domain>/foo/bar

The same could be done for any protocol that supports path-based URLs
(and potentially others) such as FTP, e.g.:


Chris may have more to say about how this would be useful for addressing
decentralized social media portability.

Next, we talked about how one of the original intents behind DID
resolution was to play nicely with HTTP. The first implementation of
DIDs (at authorization.io) used HTTP as its primary retrieval mechanism.
If every DID method supported the retrieval of DID documents via HTTP,
we would get excellent interoperability at little cost (on the client
side). In other words, it would be much easier and simpler to write a
client that could resolve DIDs from a variety of different sources
(e.g. ledgers).

So the question is -- how can this be achieved and can it be done easily
enough with each DID method so that applications can all benefit from
this interoperability? Veres One is designed to support HTTP-retrieval
of DID documents, but what about other methods? Can it work generally?

Suppose that a DID resolver had a set of rules for every DID method it
supported that it could use to determine an IP address or domain to hit
to retrieve a DID document. For example, when a client is given the URL:


1. The client chooses an IP address (or domain) from a set of trusted
seed peers for the `ex` method, similar to choosing a primary or
secondary DNS server.
2. The client performs an HTTP request for:

https://<chosen IP>/.well-known/did/did:ex:1234

Or perhaps:

https://<chosen IP>/.well-known/did/1234

Or perhaps:

https://<chosen IP>/did:ex:1234

(The exact details of how to construct the HTTP URL TBD).

3. The peer returns the DID document, optionally containing appropriate
proofs therein. If no proofs are available or possible (for whatever
reason), the client may use the network perspectives approach and
request the same DID from multiple peers and compare.

In order for this to work, nodes participating in whatever ledger or
data source that is associated with a DID method must respond to HTTP
requests (or there could be a secondary resolver network for the DID
method that performs this function). For example, for BTCR, bitcoin
nodes could listen on port 80 (or 443) for HTTP requests and respond
with DID documents constructed from their view of the blockchain.

If every DID method supported this method of retrieval, DID resolvers
would become vastly more simple, interop would receive a significant
boost, and application developers could more easily embed these smaller
DID resolvers and focus on writing applications. Also, if we combine
this approach with the path resolution approach above, a DID resolver
that worked across all DID methods could be entirely implemented using
only HTTP for all HTTP-based service requests.

Note that there may also be some economic opportunities for trusted
resolution services that could arise from this model.

Anyway, I've been meaning to send some of these ideas out post-TPAC and
figured this thread was a good opportunity.

> On Thu, Nov 23, 2017 at 12:48 PM, Melvin Carvalho 
> <melvincarvalho@gmail.com <mailto:melvincarvalho@gmail.com>> wrote:
>     On 22 November 2017 at 09:53, =Drummond Reed
>     <drummond.reed@evernym.com <mailto:drummond.reed@evernym.com>> wrote:
>         For those W3C Credentials Community Group members who are not
>         taking the Wednesday before Thanksgiving off and would like to
>         attend tomorrow's special DID Spec Closure Call #1, here is the
>         updated DID Spec Hardening Proposal
>         <https://docs.google.com/document/d/1je9Bnhe-1tLgP1bfCSUjvbQ_qllwCz042aGncWX7Uio/edit?usp=sharing>
>         (called V3 because the proposers have iterated it twice based on
>         the feedback received from the first proposal).
>         Reviewing this and contrasting it with the current Working Draft
>         (Decentralized Identifiers V0.7) will be the main topic of
>         tomorrow's call (10AM Pacific Time/1PM Eastern Time—see the
>         invitation emails earlier on the mailing list).
>     Thanks for sharing this.
>     I noticed that the http URL where you can dereference the did is in
>     a number of places e.g. .identity or the root
>     It would be easier to create a global web of reputation for
>     indexers, software and libraries if this was in a relatively
>     consistent place
>     Typically, one would use the /.well-known/ pattern similar to
>     /.well-known/ni/ used in RFC 6920 it may be possible to use
>     /.well-kwown/did/
>     If that's considered too restrictive perhaps it could be an example
>     or an opt in and / or use the rel=canonical pattern if it occurs in
>     more than one place
>     I could picture this eco system getting quickly off the ground it it
>     were easy to create reverse indexes and offer services to everyone
>     consuming did's
>     Thoughts?
>         =Drummond

Dave Longley
Digital Bazaar, Inc.
Received on Monday, 27 November 2017 16:16:47 UTC

This archive was generated by hypermail 2.3.1 : Wednesday, 11 July 2018 21:19:42 UTC