Building a bigger tent for DIDs - Are you using a 5-star DID Method?

Hi all,

In an attempt to streamline the front matter of the DID specification,
the Editors are attempting to capture where we think consensus is at
present (and prepare us for the coming DID WG).

One of the PRs has raised a couple of questions wrt. the rewording,
which is non-normative, but has raised a few concerns (no objections,
but just active discussion that the community should be aware of):

https://github.com/w3c-ccg/did-spec/pull/179

Namely, the new language opens the possibility to non-DLT technologies
being used for DIDs, such as did:web or even did:facebook. Clearly,
there is hand wringing over "did:facebook" as well as hand wringing over
drawing a bright line and saying "only fully decentralized blockchains
can do DIDs". As the work goes into an official W3C Working Group, the
community should have a position on this (and hopefully one that
demonstrates that we're inclusive, but firm on the expected outcome for
DIDs -- that they are decentralized).

The goals that I'm suggesting are these:

1. Make it such that we are inviting to folks that want web-based DID
   methods to collaborate with us.
2. Make it easier for our colleagues in non-western countries to talk
   about DIDs. The "Self-Sovereign" language is damaging to this
   particular goal.
3. Simultaneously, not compromise the vision of self-sovereign by
   setting that as the expected bar (at least, in the western world).

The PR above attempts to do this and rewords the "Abstract" section of
the specification to try and strike this balance.

Good standards can, and often do, attempt to find the right balance --
build a large enough tent so that innovations can happen without having
to coordinate with the group that created the standard while also
signalling what the expected "ideal mode" of implementation should be.
If you look at all of the DID Methods today, almost every one is based
on a DLT of some kind, so I don't think the whole "decentralization"
thing is at risk.

To go at it from another direction, what the DID spec states, even if
normative (e.g. MUST utilize a DLT) can be entirely ignored by the
"did:facebook" method and there is nothing a small group of companies
can do against a multi-billion dollar company that is dedicated to
co-opting the technology for purposes that are not aligned with the
community.

The goal here is to build a big tent and enable the folks that want to
use web-based methods, even though they are based on "centralized DNS",
to be in the tent with us and collaborate and innovate. The alternative
places them squarely outside of the tent and puts the group at odds with
the folks that want to create Web-based DID methods (which will create
political problems for us down the line).

I think our approach to all of this should be the "Is Your Linked Open
Data Five Star?" approach:

https://www.w3.org/DesignIssues/LinkedData.html#fivestar

Our "Five Star DID" approach could be (I'm pulling this out of thin air,
not suggesting that these are the 5 things):

1. Enable individuals to directly self-administer their identifiers on
   the network.
2. Comply with local and global data privacy regulations, such as GDPR.
3. The governance mechanism does not enable the targeting and censorship
   of individuals or organizations.
4. The technologies do not enable the targeting and censorship of
   individuals or organizations.
5. The network is operated as a global public utility.

So, did:facebook could achieve 1 and 2 above, but not 3, 4 or 5.
did:http could do 1, 2, and 3, but not 4 or 5. Yes, we could also use
ChristopherA's list of 10, but we may need to try for something more
pithy in order to provide a simple rating system that's understandable
by people not in this space.

Clearly, some of the items above need definitions (e.g. global public
utility), but the idea would be to nudge implementers in the right
direction instead of using an ineffective specification MUST requirement.

So with all of that said, here is the current proposed abstract:

"""
A Decentralized Identifier (DID) is a type of Uniform Resource Locator
(URL) that is highly available and cryptographically verifiable.
DIDs that are managed through the use of Distributed Ledger Technologies
(DLTs) are often also independent from any centralized registry,
identity provider, or certificate authority. DIDs resolve to DID
Documents, which describe how any entity may securely interact with the
entity that is in control of the DID. DIDs are useful when you need
strong cryptographic guarantees on interactions such as when
authenticating with a system or when checking a digital signature
on a document.

This document specifies a common data model, concrete syntaxes, and
operations that all systems providing DIDs must support.
"""

Thoughts? ... and please be concrete if you want text changes. If you
add something, pick something to remove from the abstract. We're trying
to keep it short and sweet. If you are not concrete on the text changes
you want, they most likely will not happen (the Editors can't read your
mind). :)

-- manu

-- 
Manu Sporny (skype: msporny, twitter: manusporny)
Founder/CEO - Digital Bazaar, Inc.
blog: Veres One Decentralized Identifier Blockchain Launches
https://tinyurl.com/veres-one-launches

Received on Sunday, 31 March 2019 16:11:21 UTC