- From: =Drummond Reed <drummond.reed@evernym.com>
- Date: Sun, 7 Apr 2019 23:32:12 -0700
- To: Adrian Gropper <agropper@healthurl.com>
- Cc: Markus Sabadello <markus@danubetech.com>, W3C Credentials CG <public-credentials@w3.org>
- Message-ID: <CAAjunnaTAYkO6jpwV0W=McgB-LEOZDb7WGBaXRfHgFAGVo1P=g@mail.gmail.com>
Adrian, your messag casts a broad net, but IMHO the answer to your questions is "Yes—SSI infrastructure will provide all of what you are asking for." To three specific questions you ask; Right now, I believe that all of the above is true but if someone asked me > to explain how this relates to WebID, OIDC, UMA, X509, FIDO, I would tell > them it's too complicated for me to understand. I can't tell which of these > current things will remain when DIDs come online. I would put it this way: SSI infrastructure will not make these other technologies obsolete any more than federated identity technologies may centralized identity solutions obsolete. It will be an improvement and gradual replacement for older technologies—that's always how Internet infrastructure evolves. Why would anyone ever use Sign In with Facebook? I personally believe SSI-based connection management will gradually replace social login services. It won't even be called "login" anymore—it will just be "connect", and it will largely be handled by trusted agents using cryptographic keys working on behalf of humans rather than manually. Would I still need my 1Password or will 1Password change to list a bunch of > DIDs instead of usernames and passwords? I believe today's password managers will be gradually replaced by trusted agents acting in conjunction with digital wallets holding all your DIDs, private keys, verifiable credentials, link secrets, and any other cryptographic material needed to form and maintain secure and private digital relationships. For a deeper anatomy of those components and how they stack up, I recommend the eight appendices of the Sovrin Glossary V2 <https://docs.google.com/document/d/1gfIz5TT0cNp2kxGMLFXr19x1uoZsruUe_0glHst2fZ8/edit?pli=1#heading=h.4tum49dbq7jq> . =Drummond On Sun, Apr 7, 2019 at 2:34 PM Adrian Gropper <agropper@healthurl.com> wrote: > Markus, thank you so much for picking up on my question! > > I went and reviewed a bunch of papers including: > - https://www.w3.org/wiki/WebID > - > https://docs.google.com/document/d/1oUDVxWy674ZWG2ElB3YN9bcmSXXR9f2mg60E_Uazigc/edit?ts=5c79597d#heading=h.rfqxmrvt8ml5 > - > https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Identity-Hubs-as-personal-datastores/ba-p/389577 > > I'm more confused than ever. > > Here's what I hope I could explain to a patient or a doctor: > > - DIDs improve on today's choice of email address or Login with > Facebook by adding convenience, privacy, and security. > - DIDs solve the explosion of passwords for authentication, but > require you to have a Web browser or mobile app that holds secret keys > - In almost all cases, you will also want to have server / web site / > hub somewhere online, away from your Web browser or mobile app > - You can choose where this server is, move it, or host it yourself > without having to re-register your ID with every website and merchant that > you gave a DID to. > - You can choose how much of the information you attach to a DID is > public and how much is private. For example, you may want to attach a > photograph to your DID so that people can match it to your in-person face > the way they use a driver's license. You may not, however want the search > engines and everyone else to be able to add your face and DIDs to a global > database of everyone. > - In order to decide who gets to see your face or anything much else > about you, you will have some authorization features on your mobile device > and / or on your sever. > - When this authorization feature is on your mobile device, you will > be asked and have to click something. > - When this authorization feature is on your server online, the server > can act on your behalf without bothering you as long as it can understand > and trust the credentials presented by whoever is asking and depending on > what they are asking for. > - DIDs also help the person who is asking you or your server for > authorization present their credentials in a way that protects your privacy > as well as theirs. > > Right now, I believe that all of the above is true but if someone asked me > to explain how this relates to WebID, OIDC, UMA, X509, FIDO, I would tell > them it's too complicated for me to understand. I can't tell which of these > current things will remain when DIDs come online. Why would anyone ever use > Sign In with Facebook? Would I still need my 1Password or will 1Password > change to list a bunch of DIDs instead of usernames and passwords? > > Adrian > > > On Fri, Apr 5, 2019 at 1:02 PM Markus Sabadello <markus@danubetech.com> > wrote: > >> Adrian, >> >> I just realized nobody had responded to this question, sorry about that. >> >> We were talking about WebIDs on that earlier call, because just like >> DIDs, WebIDs are also URIs that are designed to identify an individual in >> the real world (e.g. Alice). >> And just like a DIDs can be resolved to a DID document, a WebID can be >> resolved to a WebID profile. >> >> In my mind, the difference between a DID or WebID, and e.g. an OpenID >> Connect UserInfo Endpoint, is that the latter is not an identifier for >> Alice. >> Instead it's a URL of a service associated with Alice that can be used to >> authenticate or interact with Alice. >> >> An OpenID Connect UserInfo Endpoint can be discovered from a DID or from >> a WebID. >> >> Those distinctions are important if we want to be 100% in line with >> (Semantic) Web architecture and principles. >> >> Does that make sense? >> >> Markus >> On 3/22/19 12:32 PM, Adrian Gropper wrote: >> >> Question: >> >> Along with WebID, might we also consider DID Resolution for folks >> familiar with OpenID Connect UserInfo Endpoint? >> >> Adrian >> >> >> On Fri, Mar 22, 2019 at 6:46 AM Markus Sabadello <markus@danubetech.com> >> wrote: >> >>> Zoom recording, chat logs, and slides for the (now weekly) DID >>> Resolution Spec First Draft Meeting are here: >>> >>> https://github.com/w3c-ccg/meetings/tree/gh-pages/2019-03-21-did-resolution >>> >>> List of attendees and call notes are here below. You can also read them >>> on the meeting page >>> <https://docs.google.com/document/d/1BKbwWCS9ZT1Aawxv2YVvGUUOv9WfPqMK9MiWh1s9dLo/> >>> . >>> >>> Markus >>> >>> DID Resolution Spec First Draft Meeting Page >>> >>> This page is for taking notes of weekly meetings held in 2019 of members >>> of the W3C Credentials Community Group >>> <https://www.w3.org/community/credentials/> who are collaborating to >>> complete the First Draft of the DID Resolution specification >>> <https://w3c-ccg.github.io/did-resolution/>. Meeting notes are listed >>> in reverse chronological order. >>> >>> Note: This meeting directly follows the weekly DID Spec Community Final >>> Draft Meeting >>> <https://docs.google.com/document/d/1qYBaXQMUoB86Alquu7WBtWOxsS8SMhp1fioYKEGCabE/> >>> . >>> Call Information >>> >>> Time: Every Thursday, 14:00-15:00 PT >>> >>> https://zoom.us/j/7077077007 >>> >>> Or iPhone one-tap: >>> >>> US: +16465588656,,7077077007# or +16699006833,,7077077007# >>> >>> Or Telephone: >>> >>> Dial (for higher quality, dial a number based on your current >>> location): >>> >>> US: +1 646 558 8656 or +1 669 900 6833 >>> >>> United Kingdom: +44 (0) 20 3051 2874 or +44 (0) 20 3695 0088 >>> >>> Meeting ID: 707 707 7007 >>> >>> International numbers available: https://zoom.us/u/q6mghCSZ >>> Links (Generally Useful to the Group) >>> >>> - >>> >>> DID Spec <https://w3c-ccg.github.io/did-spec/> >>> - >>> >>> DID Resolution Spec <https://github.com/w3c-ccg/did-resolution/> >>> >>> Thursday 21 March 2019 Attending >>> >>> - >>> >>> Markus Sabadello >>> - >>> >>> Jonathan Holt >>> - >>> >>> Drummond Reed >>> - >>> >>> Joe Andrieu >>> - >>> >>> Michael Herman >>> - >>> >>> Stephen Curren >>> - >>> >>> Dmitri Zagidulin >>> - >>> >>> Dan Burnett >>> - >>> >>> Nader Helmy >>> - >>> >>> Amy Guy >>> - >>> >>> Adrian Gropper >>> - >>> >>> Chris Boscolo >>> - >>> >>> Yancy Ribbens >>> >>> Agenda >>> >>> 1. Community governance: issue resolution and closure policies >>> >>> 2. What does it mean to dereference a DID URL? >>> >>> 3. Presentation of the above README: did-url-spec - Decentralized >>> Identifier URL (did-url) Specification as well as the spreadsheet: >>> https://github.com/mwherman2000/did-url-spec/tree/master/src (latest >>> numbered version) >>> Meeting Notes Topic #1: Understanding DID URLs and “Resolution” and >>> “Dereferencing” >>> >>> Markus explained the overall topic using this slide: >>> >>> >>> Michael pointed out that the “defererencing” category also splits into >>> two: >>> >>> 1. >>> >>> A DID URL that dereferences to a subcomponent of a DID document. >>> 2. >>> >>> A DID URL that undergoes a transformation to address a resource >>> external to the DID document via a service endpoint. >>> >>> >>> Markus went on to explain the following slide: >>> >>> >>> Jonny asked how much DID resolution is actually parallel to DNS >>> resolution. >>> >>> Michael said that he has a set of proposals for how a set of DID >>> resolution operations can work, e.g., how to query the capabilities of a >>> resolver, or how to get a list of DID documents. >>> >>> Michael whether returning a DID document is “access”? >>> >>> Joe responded that access to a DID document is an open issue. Some >>> proposals are to encrypt a DID document. >>> >>> Drummond proposed that “DID resolution” be the set of steps that a DID >>> method takes to return a DID document. He agreed with Joe that a particular >>> DID method may in fact impose access control on obtaining a DID document. >>> He then said that once a DID document is returned, you move into the >>> “dereferencing” stage, and that can divide into the two types discussed >>> above. >>> >>> Dan: The DID document is not itself the resource, but a means of >>> determining how to access the identified resource. >>> >>> Markus next talked about this slide: >>> >>> >>> Drummond: Let’s avoid the HTTP Range 14 rathole! Let’s be clear that a >>> DID never identifies a DID document! A DID identifies a DID Subject. That >>> DID Subject MAY be a network-accessible resource. In that case a DID >>> document describes how to access that resource. But the DID document may >>> identify a non-network resource (like a person), in which case the DID >>> document describes how to access service endpoints associated with the >>> resource. >>> >>> Jonny: IPLD is a type of resource that a DID may identify. >>> >>> Joe: The resource when a DID is dereferenced is always on the network. >>> >>> Markus spoke to this slide: >>> >>> >>> Joe and Drummond discussed the analogy with DNS and URL-identified >>> resources. Drummond said that the DNS record that is retrieved in order to >>> access the web page or RDF document. The DNS record is not the resource >>> being identified by a URI. Therefore it is the equivalent of a DID document. >>> >>> >>> Markus next discussed this slide: >>> >>> >>> Dan dove into this “HttpRange-14” issue by suggesting that a DID subject >>> was not actually a person. “+1 that action on a DID for a physical resource >>> could be to return a URL for a file.” >>> >>> Drummond suggested that if a DID always identifies a DID subject, and >>> that DID subject may be either a real-world resource >>> (non-network-retreivable) or a network resource. If a DID identifies a >>> real-world resource, then the DID document describes options for >>> interacting either with that real-world resource via some type of network >>> connection, or accessing other descriptions of that real-world resource. >>> But the DID itself still identifies the real-world resource. >>> >>> If the DID identifies a network-retrievable resource, then resolving the >>> DID to the DID document will enable obtaining the actual URL that also >>> identifies that network-retrievable resource. That means the DID and the >>> URL would actually be “synonyms”, but at different layers of abstraction. >>> >>> Drummond also said this addresses the “two URI” problem from Web ID. The >>> DID that identifies Alice is URI #1, and the URL that identifies some >>> resource describing Alice (not the DID document) is a second URI. >>> >>> Joe mentioned that this means that a “naked DID” by itself should not be >>> considered a URL. We should need to add a delimiter at the end of the naked >>> DID to turn it into a URL for the DID document. >>> >>> Drummond seconded that suggestion. It could be either the empty path, or >>> the empty fragment. >>> >>> Dan said that he had clarity that a DID document is about how to describe >>> how to interact with a resource, but not describing the resource >>> itself. That’s why a DID document is never the resource identified by the >>> DID. >>> >>> >>> >>> Action Items >>> >> -- >> >> Adrian Gropper MD >> >> PROTECT YOUR FUTURE - RESTORE Health Privacy! >> HELP us fight for the right to control personal health data. >> DONATE: https://patientprivacyrights.org/donate-3/ >> >> >> > > -- > > Adrian Gropper MD > > PROTECT YOUR FUTURE - RESTORE Health Privacy! > HELP us fight for the right to control personal health data. > DONATE: https://patientprivacyrights.org/donate-3/ >
Received on Monday, 8 April 2019 06:41:39 UTC