
DID 1.0 Comments / Meeting Minutes (was RE: Mozilla Formally Objects to DID Core)

From: John, Anil <anil.john@hq.dhs.gov>
Date: Mon, 27 Sep 2021 22:00:56 +0000
To: "W3C Credentials CG (Public List)" <public-credentials@w3.org>
Message-ID: <BY3PR09MB8804BA15EC8C42261B847611C5A79@BY3PR09MB8804.namprd09.prod.outlook.com>
https://www.w3.org/2021/09/21-did10-minutes.html is fascinating reading!

There were two points that caught my attention in this conversation. While I can’t speak to all Governments, I can speak to the work of the DHS SVIP Program and our approach and perspective across our two work-streams that touch upon the two points.

  1.  Governments “lobbying” for single DID method and Non-Interoperability
     *   “tantek: concerned to hear that there are governments looking to adopt, with only single implementation methods and non interop, sounds like lobbying may have occurred, … advocating for single-implementation solutions that are centralized wolves in decentralized clothing”
     *   “<cwilso> +1 to tantek's concern that governments are responding to lobbying attempts on non-interoperable methods”

Work Stream 1 (Digital Trade Credentials)  – U.S. Customs work on the digitization of Import Documents / Credentials
As the largest Customs organization on the face of the planet, U.S. Customs is the entity that enables fair, competitive and compliant trade and enforces U.S. laws to ensure safety, prosperity and economic security for the American people. To that end, we have prioritized choice and interoperability built on a foundation of security and privacy to ensure that all links in the supply chain are free to choose the technology stack / platform / vendor of their choice. We, however, expect the interfaces between these diverse systems to be based on, among other things, the W3C Verifiable Credentials and W3C Decentralized Identifiers to ensure multi-platform, multi-vendor, cross-border interoperability.

As an entity that MUST interact with a *global* trade ecosystem, we fully expect to encounter a variety of technology platforms, technology providers, and the use of multiple types of identifiers including DIDs that will use a variety of DID methods and as such *global interoperability* is a core priority in our work.

Work Stream 2 (Digital Personal Credentials) – U.S. Citizenship and Immigration Services work on digitization of Immigration Credentials (e.g. U.S. Permanent Resident Card)
As an organization that is as old as America, the focus of our work in this area has been to prioritize privacy and security to ensure individual control and consent over use and release of data, equity and access with a bridge to paper to ensure no digital divide, and no expectation that everyone uses the same technology platform or vendor.  We, however, expect the interfaces between diverse systems to be based on, among other things, the W3C Verifiable Credentials and W3C Decentralized Identifiers to ensure multi-platform, multi-vendor, cross-border interoperability.

Our conscious decision early on has been that, as the sole Global Issuer of a set of very high value credentials (U.S. Permanent Resident Card to start with, with U.S. Employment Authorization Document and others following after),  we would look to bind our Immigration Credential VC to an *existing* Subject DID owned/controlled by an immigrant, rather than seeking to issue them a DID from our infrastructure or have a “Government DID method”. This obviously means that we would have to interact with a variety of DID methods.

In both our workstreams, our approach *HAS NOT* been to mandate one DID method / technology stack / vendor but to prioritize choice and individual control supported by true interoperability.  To enable our course of action, we are consciously and deliberately investing in independent work that will allow us to make informed decisions regarding the security, privacy and operational aspects of DIDs, VCs and other supporting tech (Cryptography choices, Digital Wallets etc.) that we seek to utilize – for the blindingly obvious reason that all DID methods are not alike and de-centralization does not mean acceptance of chaos by an Enterprise in utilizing innovative technology!

Security and Privacy Assessment Criteria for W3C Decentralized Identifiers

NOTE: The above work by SRI International, which we sponsored, was briefed to the W3C DID WG earlier this month

Work in Progress:

  *   Cryptography Review of W3C Verifiable Credentials Data Model (VCDM) and W3C Decentralized Identifiers (DIDs) Standards and Cryptography Implementation Recommendations
  *   Security and Privacy Assessment Criteria for Digital Wallets

  2.  Lack of Interoperability
     *   “ekr: as i understand it, you have verified that the methods can be processed, but do you have interop?”
     *   yasskin: did:key and did:web should be standardized but are trivial. … it's the other methods that make the spec interesting. if no interop there, why bother doing this.
     *   <tantek> +1 to jyasskin's points.

We are not fans of admiring the Interoperability problem. We have been on the forefront of driving and demonstrating interoperability via our Interop Plug-Fests before anyone else in the community was even considering how to make it happen >> https://docs.google.com/presentation/d/1MeeP7vDXb9CpSBfjTybYbo8qJfrrbrXCSJa0DklNe2k/edit?usp=sharing

Not much to add on these points other than noting that I remain amused by the implicit assumptions being made by some parties that governments do not have the knowledge and capability to understand when they are being “lobbied” by technology providers with Interoperability Theater, or that they lack the ability to resist said “lobbying” to ensure they continue to operate in the public interest :-)

Best Regards,


Anil John
Technical Director, Silicon Valley Innovation Program
Science and Technology Directorate
US Department of Homeland Security
Washington, DC, USA

Email Response Time – 24 Hours


From: Orie Steele <orie@transmute.industries>
Sent: Wednesday, September 1, 2021 10:12 PM
To: W3C Credentials CG (Public List) <public-credentials@w3.org>
Subject: Mozilla Formally Objects to DID Core



The objection mentions comments from Google and Microsoft, but does not link directly to them.

Does anyone have a direct link to the comments from Google and Microsoft?


Chief Technical Officer


Received on Monday, 27 September 2021 22:01:39 UTC
