- From: Manu Sporny <msporny@digitalbazaar.com>
- Date: Sun, 31 Mar 2019 12:10:57 -0400
- To: W3C Credentials CG <public-credentials@w3.org>
Hi all,

In an attempt to streamline the front matter of the DID specification, the Editors are attempting to capture where we think consensus is at present (and prepare us for the coming DID WG). One of the PRs has raised a couple of questions wrt. the rewording, which is non-normative, but has raised a few concerns (no objections, but just active discussion that the community should be aware of):

https://github.com/w3c-ccg/did-spec/pull/179

Namely, the new language opens the possibility of non-DLT technologies being used for DIDs, such as did:web or even did:facebook. Clearly, there is hand wringing over "did:facebook" as well as hand wringing over drawing a bright line and saying "only fully decentralized blockchains can do DIDs". As the work goes into an official W3C Working Group, the community should have a position on this (and hopefully one that demonstrates that we're inclusive, but firm on the expected outcome for DIDs -- that they are decentralized).

The goals that I'm suggesting are these:

1. Make it such that we are inviting to folks that want web-based DID methods to collaborate with us.
2. Make it easier for our colleagues in non-western countries to talk about DIDs. The "Self-Sovereign" language is damaging to this particular goal.
3. Simultaneously, not compromise the vision of self-sovereign by setting that as the expected bar (at least, in the western world).

The PR above attempts to do this and rewords the "Abstract" section of the specification to try and strike this balance. Good standards can, and often do, attempt to find the right balance -- build a large enough tent so that innovations can happen without having to coordinate with the group that created the standard while also signalling what the expected "ideal mode" of implementation should be. If you look at all of the DID Methods today, almost every one is based on a DLT of some kind, so I don't think the whole "decentralization" thing is at risk.
To go at it from another direction, what the DID spec states, even if normative (e.g. MUST utilize a DLT) can be entirely ignored by the "did:facebook" method and there is nothing a small group of companies can do against a multi-billion dollar company that is dedicated to co-opting the technology for purposes that are not aligned with the community. The goal here is to build a big tent and enable the folks that want to use web-based methods, even though they are based on "centralized DNS", to be in the tent with us and collaborate and innovate. The alternative places them squarely outside of the tent and puts the group at odds with the folks that want to create Web-based DID methods (which will create political problems for us down the line).

I think our approach to all of this should be the "Is Your Linked Open Data Five Star?" approach:

https://www.w3.org/DesignIssues/LinkedData.html#fivestar

Our "Five Star DID" approach could be (I'm pulling this out of thin air, not suggesting that these are the 5 things):

1. Enable individuals to directly self-administer their identifiers on the network.
2. Comply with local and global data privacy regulations, such as GDPR.
3. The governance mechanism does not enable the targeting and censorship of individuals or organizations.
4. The technologies do not enable the targeting and censorship of individuals or organizations.
5. The network is operated as a global public utility.

So, did:facebook could achieve 1 and 2 above, but not 3, 4 or 5. did:http could do 1, 2, and 3, but not 4 or 5.

Yes, we could also use ChristopherA's list of 10, but we may need to try for something more pithy in order to provide a simple rating system that's understandable by people not in this space. Clearly, some of the items above need definitions (e.g. global public utility), but the idea would be to nudge implementers in the right direction instead of using an ineffective specification MUST requirement.
So with all of that said, here is the current proposed abstract:

"""
A Decentralized Identifier (DID) is a type of Uniform Resource Locator (URL) that is highly available and cryptographically verifiable. DIDs that are managed through the use of Distributed Ledger Technologies (DLTs) are often also independent from any centralized registry, identity provider, or certificate authority. DIDs resolve to DID Documents, which describe how any entity may securely interact with the entity that is in control of the DID. DIDs are useful when you need strong cryptographic guarantees on interactions such as when authenticating with a system or when checking a digital signature on a document. This document specifies a common data model, concrete syntaxes, and operations that all systems providing DIDs must support.
"""

Thoughts? ... and please be concrete if you want text changes. If you add something, pick something to remove from the abstract. We're trying to keep it short and sweet. If you are not concrete on the text changes you want, they most likely will not happen (the Editors can't read your mind). :)

-- manu

--
Manu Sporny (skype: msporny, twitter: manusporny)
Founder/CEO - Digital Bazaar, Inc.
blog: Veres One Decentralized Identifier Blockchain Launches
https://tinyurl.com/veres-one-launches
Received on Sunday, 31 March 2019 16:11:21 UTC