PROV identifiers for non-URL like naming from Guy Kloss on 2019-03-20 (public-prov-comments@w3.org from March 2019)

From: Guy Kloss <guy@mysinglesource.io>
Date: Wed, 20 Mar 2019 14:54:34 +1300
To: public-prov-comments@w3.org
Message-ID: <94585cfc-8ca4-728e-9113-139c254f712d@mysinglesource.io>
Kia ora,

For the briefest of context: We are building a decentralised digital
identity system, in which identity attributes (claims) are being
attested by some party to become verifiably usable. We are expressing
quite some of the meta-data of the attestation process and linkage to
external entities (preceding attestations, documentation, etc.).

Now, our problem resides in this: An identity in this system is uniquely
identified by a 'DID' (decentralised identifier, as specified by the
Decentralised Identity Foundation). This DID is in form similar to a
URN, along the lines of something like this:

 did:sov:8uQhQMGzWxR8vw5P3UWH1ja

So it follows in some way the URN example of this RFC:
https://tools.ietf.org/html/rfc3986#section-3

We are using the Python PROV library by Trung Dong Huynh to generate the
provenance trail in PROV-N. Doing so I've been made aware that there is
a problem using the identifier (which in itself is fully qualified) with
the Python PROV library, however it has also raised the concern on which
way to use it is actually compliant with the PROV (or PROV-N) specs.

Here are the ways I've attempted to use the DIDs:

* Use them directly (without a defined provenance namespace), as they're
  fully qualified already, but that has failed on the side of the PROV
  library. This could theoretically just be a case of a lack in the lib.
  I guess Dong would have to check/validate that.

* Register a namespace prefix `did`, that I've mapped to `did` as well,
  and thus was able to use them directly within the document, and that
  worked, but I don't know whether that output would be considered
  compliant:

  document
    ...
    prefix did <did>
    ...
    wasAssociatedWith(kauriid:identityAttestation/01234,
did:ssid:2omXXXbobXXX...WEG, -, [prov:hadRole="kauriid:attester"])
  endDocument

* There is also a suggestion for a future spec to 'URL wrap' the DID,
  but I feel uncomfortable to use that (yet) as this has been only
  suggested less than a month ago, and not been ratified in any way,
  yet. It 'works', but also here I'm not sure whether I'm doing it right
  (plus, as indicated, I'd like to avoid it as it's still unconfirmed
  and not used anywhere, yet):

  document
    ...
    prefix did <http://uniresolver.io/did:>
    ...
    wasAssociatedWith(kauriid:identityAttestation/01234,
did:ssid:2omXXXbobXXX...WEG, -, [prov:hadRole="kauriid:attester"])
  endDocument

This last one is using an awkward namespace
(`http://uniresolver.io/did:` including the colon) and the spec for the
URL scheme is from here: https://github.com/w3c-ccg/did-resolution/issues/32

Any input is welcome on how others are sorting out issues like this. I
could imagine that there may be similar issues e.g. with the provenance
of a Git commit history when using the commit hash as an identifier. So
it can't be a new problem altogether ...

Cheers,

Guy

-- 
Guy Kloss
Blockchain Architect, SingleSource Ltd.
M: +64 (0)210 2323 715  |  E: guy@mysinglesource.io
https://mysinglesource.io
OpenPGP: B9ED5 19FB A2F0 4F1A 9ACD 6589 D459 7489 2E88 ED6C
Received on Wednesday, 20 March 2019 12:57:20 UTC