Re: DNS -> DIDs from Christopher Lemmer Webber on 2018-08-09 (public-credentials@w3.org from August 2018)

From: Christopher Lemmer Webber <cwebber@dustycloud.org>
Date: Thu, 09 Aug 2018 10:51:14 -0400
To: Markus Sabadello <markus@danubetech.com>
Cc: W3C Credentials CG <public-credentials@w3.org>
Message-ID: <874lg3h9ul.fsf@dustycloud.org>

Markus Sabadello writes:

> Hello CCG,
>
> I've been working with the Austrian domain registry nic.at on an IETF
> draft on how to publish a DID for a domain name:
> https://www.ietf.org/id/draft-mayrhofer-did-dns-00.txt
>
> We also posted this to 2 IETF lists:
> https://mailarchive.ietf.org/arch/browse/din/
> https://mailarchive.ietf.org/arch/browse/dnsop/
>
> Any feedback welcome. Perhaps we put this on the agenda for a future CCG
> call?
>
> Markus

I think it's good that you're looking into this, but...

>   By referring to DIDs from the DNS, those hard to memorize identifiers
>   can be discovered via well known, human friendly and widely
>   established names.  This document specifies such a protocol, and
>   describes how DIDs can be discovered on the basis of host names and
>   email addresses.

At first glance this seems like a big win: we can bootstrap the system
quickly off of a naming mechanism that users are already using.  But I
think we have to be careful here *if we tell users they can just use DNS
as they currently use it*, for a few reasons:

 - DNS brings centralization back to the system

 - Usually when decentralized systems rely on DNS, they become
   centralized again.  And since DNS isn't very secure and doesn't carry
   the information about the cryptographic information of the target
   along with it, usually it needs to be coupled with a CA.  Now we're
   back to DNS + CAs again.

 - If we say, "don't worry, you can find my DID from my DNS record", in
   that case is the DNS record allowed to change?  If that's true then
   there's a good chance that applications will just rely on DNS, and
   will in fact have to check it all the time, because users will still
   be resolving applications via DNS which can change all the time.

 - And if you're going to rely on DNS -> the DID id as your only naming
   scheme, you probably don't need any of the complexities we're
   building into DIDs at all.  No need for a blockchain or anything.
   You already have a way to serve up a JSON document with all that
   info... just serve it over HTTP.

So I really caution about encouraging users to use DNS to resolve to
DIDs in the same way we do today.

But... but!  There is a way to include DNS that's much safer I think,
and could even use the protocol you've described above.  Instead if we
have a petnames system as described in the sadly incomplete:

  https://github.com/cwebber/rebooting-the-web-of-trust-spring2018/blob/petnames/draft-documents/making-dids-invisible-with-petnames.md

DNS can become one equal naming hub among many.  It isn't the definitive
name resolution mechanism to get to an ID... it's just one mechanism
users can use to find it.

Again, I think the work you put in can be utilized if we take that
approach.  But I really think we need to be careful and not give users
the impression that they can use DNS the way they currently do... that
could accidentally undo all the work we're doing in this group!

Received on Thursday, 9 August 2018 14:51:39 UTC