RE: Experimental did:cel Witness Service (open-source)

Some day your smartphone/watch will display the time-of-day as a stylized DID …time synchronization with an atomic clock will use DIDs.

From: Michael Herman (Trusted Digital Web) <mwherman@parallelspace.net>
Sent: Friday, March 13, 2026 9:24 AM
To: Jori Lehtinen <lehtinenjori03@gmail.com>; Filip Kolarik <filip26@gmail.com>
Cc: W3C Credentials CG <public-credentials@w3.org>
Subject: RE: Experimental did:cel Witness Service (open-source)

RE: how do we envision an identifier’s life cycle? Should it last as long as possible, or be replaced over time?

…a space station, a voyage to Mars, a planet/comet, a galaxy, a star, a constellation.  There is no time limit on the age of a DID.

Should the age/birth event of a DID have a DID?

From: Jori Lehtinen <lehtinenjori03@gmail.com<mailto:lehtinenjori03@gmail.com>>
Sent: Wednesday, March 11, 2026 3:20 PM
To: Filip Kolarik <filip26@gmail.com<mailto:filip26@gmail.com>>
Cc: W3C Credentials CG <public-credentials@w3.org<mailto:public-credentials@w3.org>>
Subject: Re: Experimental did:cel Witness Service (open-source)

>And perhaps there’s some miscommunication, how do we envision an identifier’s life cycle? Should it last as long as possible, or be replaced over time?

I think this varies per usecase as DIDs can identify pretty much anything.

A transaction or a session might have just an empheral did.

An shipment or order, might last until delivered or some years of book keeping time.

DID of an academic publisher or public figure might be intented to last beyond their lifetime.

Atleast that is how I see it.

And if I have understood the heartbeat concept correctly, as a keep-alive signal or ttl refill (DID being actively used) In some implementations the identifier lasts as long as it is actively used or preserved. And dropped when it is inactive/unattented for long enough.



ke 11.3.2026 klo 11.01 ip. Filip Kolarik <filip26@gmail.com<mailto:filip26@gmail.com>> kirjoitti:
I don’t share the concern about log size becoming unsustainable over a decade or two, for all the reasons others have mentioned. One thing to note: an identifier’s life cycle depends on its use case. Which identifiers should really last a decade? I can think of only something like CA roots.

And perhaps there’s some miscommunication, how do we envision an identifier’s life cycle? Should it last as long as possible, or be replaced over time?

Anyway, the witness and provision service [1] now supports post-quantum ready DI cryptosuites [2]: mldsa44-jcs-2024, mldsa44-rdfc-2024, slhdsa128-jcs-2024, slhdsa128-rdfc-2024.

and here’s a new live oblivious witness signing with the VC DataIntegrity cryptosuite mldsa44-jcs-2024:
https://witness-purple-5qnvfghl2q-uk.a.run.app


Thank you, Patrick and Stephen, for sparking this discussion!

[1] https://github.com/filip26/iron-did-cel

[2] https://w3c-ccg.github.io/di-quantum-safe/


On Wed, Mar 11, 2026 at 8:02 PM Manu Sporny <msporny@digitalbazaar.com<mailto:msporny@digitalbazaar.com>> wrote:
On Wed, Mar 11, 2026 at 2:09 PM Jori Lehtinen <lehtinenjori03@gmail.com<mailto:lehtinenjori03@gmail.com>> wrote:
> I think it is not so much about the actual size, but how much a cloud-provider charges you if you want to host these logs at scale.

Yes, that's a good consideration.

Github (free tier) has a 5GB soft limit per repository.
Google Drive (free tier) has a 15GB limit.
Dropbox (free tier) has a 2GB limit.

AWS S3 storage for 5GB would be approximately $0.115 per month.

Not bad... we should run some numbers to see how did:cel and did:webvh
fare under something like MLDSA PQ signatures. I will note that GregB
has been doing some good work on the post-quantum Data Integrity
specs, including JCS support.

-- manu

--
Manu Sporny - https://www.linkedin.com/in/manusporny/

Founder/CEO - Digital Bazaar, Inc.
https://www.digitalbazaar.com/