Re: Building a bigger tent for DIDs - Are you using a 5-star DID Method?

Greetings,

My quick response to the new DID abstract.

Can somebody (Manu, others) please explain further the specific 
implications of did:facebook?

We must assume that if a corporation can gain advantage from 
something, they will do it. If Facebook can make use of their own DID 
method, they will. If they can write that method to continue doing 
exactly what they're doing (including the worst parts of the 
surveillance/advertising model), they will.

What, then, will occur when they do that? Will they be able to offer 
"identity" to people, deceiving them about what will happen to the 
data about them?

Will this same thing happen to people in totalitarian countries? Will 
China be able to offer "identity" to people, and get them all to sign 
up, and manage their lives using DIDs, even more completely than they 
do now?

Facebook+China= 3 billion.

Before proceeding with something that can happen that way, I suggest 
we look at the implications more carefully.

I suggest that the discussion be carried on in non-technical language 
wherever possible.

I remember Feynman's sincere and long-lasting regret over having 
worked on the atomic bomb, and Einstein's statement that for similar 
reasons he wished he'd been a clock-maker.



Steven Rowat



On 2019-03-31 9:10 am, Manu Sporny wrote:
> Hi all,
> 
> In an attempt to streamline the front matter of the DID specification,
> the Editors are attempting to capture where we think consensus is at
> present (and prepare us for the coming DID WG).
> 
> One of the PRs has raised a couple of questions wrt. the rewording,
> which is non-normative, but has raised a few concerns (no objections,
> but just active discussion that the community should be aware of):
> 
> https://github.com/w3c-ccg/did-spec/pull/179
> 
> Namely, the new language opens the possibility to non-DLT technologies
> being used for DIDs, such as did:web or even did:facebook. Clearly,
> there is hand wringing over "did:facebook" as well as hand wringing over
> drawing a bright line and saying "only fully decentralized blockchains
> can do DIDs". As the work goes into an official W3C Working Group, the
> community should have a position on this (and hopefully one that
> demonstrates that we're inclusive, but firm on the expected outcome for
> DIDs -- that they are decentralized).
> 
> The goals that I'm suggesting are these:
> 
> 1. Make it such that we are inviting to folks that want web-based DID
>     methods to collaborate with us.
> 2. Make it easier for our colleagues in non-western countries to talk
>     about DIDs. The "Self-Sovereign" language is damaging to this
>     particular goal.
> 3. Simultaneously, not compromise the vision of self-sovereign by
>     setting that as the expected bar (at least, in the western world).
> 
> The PR above attempts to do this and rewords the "Abstract" section of
> the specification to try and strike this balance.
> 
> Good standards can, and often do, attempt to find the right balance --
> build a large enough tent so that innovations can happen without having
> to coordinate with the group that created the standard while also
> signalling what the expected "ideal mode" of implementation should be.
> If you look at all of the DID Methods today, almost every one is based
> on a DLT of some kind, so I don't think the whole "decentralization"
> thing is at risk.
> 
> To go at it from another direction, what the DID spec states, even if
> normative (e.g. MUST utilize a DLT) can be entirely ignored by the
> "did:facebook" method and there is nothing a small group of companies
> can do against a multi-billion dollar company that is dedicated to
> co-opting the technology for purposes that are not aligned with the
> community.
> 
> The goal here is to build a big tent and enable the folks that want to
> use web-based methods, even though they are based on "centralized DNS",
> to be in the tent with us and collaborate and innovate. The alternative
> places them squarely outside of the tent and puts the group at odds with
> the folks that want to create Web-based DID methods (which will create
> political problems for us down the line).
> 
> I think our approach to all of this should be the "Is Your Linked Open
> Data Five Star?" approach:
> 
> https://www.w3.org/DesignIssues/LinkedData.html#fivestar
> 
> Our "Five Star DID" approach could be (I'm pulling this out of thin air,
> not suggesting that these are the 5 things):
> 
> 1. Enable individuals to directly self-administer their identifiers on
>     the network.
> 2. Comply with local and global data privacy regulations, such as GDPR.
> 3. The governance mechanism does not enable the targeting and censorship
>     of individuals or organizations.
> 4. The technologies do not enable the targeting and censorship of
>     individuals or organizations.
> 5. The network is operated as a global public utility.
> 
> So, did:facebook could achieve 1 and 2 above, but not 3, 4 or 5.
> did:http could do 1, 2, and 3, but not 4 or 5. Yes, we could also use
> ChristopherA's list of 10, but we may need to try for something more
> pithy in order to provide a simple rating system that's understandable
> by people not in this space.
> 
> Clearly, some of the items above need definitions (e.g. global public
> utility), but the idea would be to nudge implementers in the right
> direction instead of using an ineffective specification MUST requirement.
> 
> So with all of that said, here is the current proposed abstract:
> 
> """
> A Decentralized Identifier (DID) is a type of Uniform Resource Locator
> (URL) that is highly available and cryptographically verifiable.
> DIDs that are managed through the use Distributed Ledger Technologies
> (DLTs) are often also independent from any centralized registry,
> identity provider, or certificate authority. DIDs resolve to DID
> Documents, which describe how any entity may securely interact with the
> entity that is in control of the DID. DIDs are useful when you need
> strong cryptographic guarantees on interactions such as when
> authenticating with a system or when checking a digital signature
> on a document.
> 
> This document specifies a common data model, concrete syntaxes, and
> operations that all systems providing DIDs must support.
> """
> 
> Thoughts? ... and please be concrete if you want text changes. If you
> add something, pick something to remove from the abstract. We're trying
> to keep it short and sweet. If you are not concrete on the text changes
> you want, they most likely will not happen (The Editors can't read your
> mind). :)
> 
> -- manu
> 

Received on Sunday, 31 March 2019 17:40:38 UTC