Re: DID methods as W3C standards - a happy compromise?

From: Manu Sporny <msporny@digitalbazaar.com>
Date: Tue, 22 Feb 2022 09:41:00 -0500
To: public-credentials@w3.org
Message-ID: <296dc9e8-152a-4a18-e06c-8c75e3fb636c@digitalbazaar.com>

I agree with much of what Markus has said. It may seem like a "simple matter
of...", but given the debates that have been raging in the DID WG over the
past two years, it's anything but that.

Asking W3C to standardize most DID Methods is the equivalent of asking W3C to
"Standardize Microsoft SQL Server" or "Standardize MongoDB". I'm sure all of
us can appreciate why doing such a thing would be misguided.

There are a few DID Methods where we can probably all agree that standardizing
the DID Method favours no one... for example, did:key is probably the easiest
one to drop into that category.

did:web could probably be done as well, as long as some of us can hold our
nose wrt. favouring the current commercial and governmental interests that run
both the Certificate Authority systems, the browser vendors that impose their
will wrt. "valid" and "invalid" certificate authorities, and the commercial
interests that run the global DNS root servers and other name server

So, even did:web is controversial to some... I wouldn't touch some of the
other ones you listed with a ten foot pole in W3C standardization space. That
you're mentioning them demonstrates that you might not be seeing the full
picture wrt. the dangers that they bring to the ecosystem. :)

On 2/22/22 6:32 AM, Steve Capell wrote:
> Of course “web” or “dns” is a technology but nobody could reasonably claim 
> that you are preferencing some specific commercial interests

Oh, if only that were true. :) By using did:web or did:dns, you are preferring:

* A government's ability to secretly MiTM your did:dns
  record; there are national firewalls that do a great
  job at this today.

* A government's ability to take those identifiers away
  from you by coercing hosting and DNS providers.

* A corporation's ability to take those identifiers
  away from you if you don't serve their commercial
  interests (leasing identifiers).

Now, I don't personally hold the positions above for all use cases, but I do
find them logically sound.

Standardizing DID Methods is more fraught than it may seem at first, second,
or third glance.

Now, a generalized HTTP API for DID operations... that might actually have a
fighting chance at W3C and result in broader interoperability than just
picking a few winners. I believe Markus is already working on some variation
of that now.

-- manu

Manu Sporny - https://www.linkedin.com/in/manusporny/
Founder/CEO - Digital Bazaar, Inc.
News: Digital Bazaar Announces New Case Studies (2021)
Received on Tuesday, 22 February 2022 14:41:19 UTC