- From: Orie Steele <orie@transmute.industries>
- Date: Tue, 30 Jun 2020 17:52:57 -0500
- To: Daniel Hardman <daniel.hardman@evernym.com>
- Cc: Ivan Herman <ivan@w3.org>, W3C DID Working Group <public-did-wg@w3.org>
- Message-ID: <CAN8C-_LqWKSsoK4PVUp+5WLm8XnQXLPJ_r5DOYO2pNNVdFkpZg@mail.gmail.com>
I'm not opposed to SGL, the main concern I have is that `authorizaton` is not in did core / did spec registries, if `authorization` were implemented in https://www.npmjs.com/package/accesscontrol I would have the same concern... and I imagine there would be the same objections to adding it from others. However, I don't think that DID Methods that require a particular access control / permission system are a bad idea... It's very helpful to have methods that have unique quirks, like did:github being entirely centralized and requiring you to have a github account :) ... I think did:v1 requires object capabilities, so in a way it is similar to the original did:peer, but relies on a different technology for the approach.... early ethereum dids relied on smart contracts, and sidetree relies on custom internal data model + jws... all are alternative solutions to the same problem of: "How do i know if this update operation is allowed" ... the problems arise when the data model must be changed to support that "authorization" scheme... because that causes questions about interoperability and standards... I sympathize with the need for something that just works at the permissioning / access control / capabilities layer... we don't really have any great standard options, and permission / access modeling seems like a stretch for the WG at this point, which is why I suggest that we trim did:peer down to the essentials, align it with KERI as best we can... and rely on SGL / access control at the app layer / behind service endpoints where we the development team has full control over the stack and data model :) OS On Tue, Jun 30, 2020 at 5:17 PM Daniel Hardman <daniel.hardman@evernym.com> wrote: > On Tue, Jun 30, 2020 at 1:41 PM Orie Steele <orie@transmute.industries> > wrote: > >> https://github.com/transmute-industries/did-peer.js >> >> ^ could be adapted to support "JSON-Only"... but worth mentioning that >> `authorization` in the did peer spec, is built on >> https://github.com/evernym/sgl and that `authorization` is not >> registered in did core or the did spec registries. >> > > One of the things that we need to do with did:peer as we align it with > KERI at DIF is remove this dependence on SGL. I am in favor of that, have > said so, and had that in mind when I proposed that DIF pick it up; I hope > this turns into a historical fact only. But I would like to be clear about > how this fact came about. At the time the did:peer method was written, > there was verbiage in the DID spec about how we would express authorization > rules in a section called `authorization`. I needed more sophisticated > authorization than any other DID method I know. Other important methods > seemed worried about how to approve a ledger transaction or sign a VC; I > was dealing with multisig + CRDTs with decentralized version control. Now, > I'd just finished describing how I could solve really gnarly authorization > for guardianship, delegation, and controllership in VCs with SGL in a > purely W3C-compatible way (and was presenting about it at IIW), so I > thought, "why not apply SGL to this problem, too?" There was no further > guidance to help me in the DID spec, and none of the extension mechanism or > the verification relationship verbiage that's been worked out in the past 9 > months. So this oddness is the result of me trying to COMPLY with the DID > spec too early, not the result of me ignoring it. The `authorization` key > was deleted out from under me in a PR to did core, and the mental model > adjusted; this has since made it necessary to reframe that work as an > extension when it wasn't at the time. > > SGL is open source/Apache 2 and always has been. And it's tiny--one public > function, no dependencies, and 200 lines in node.js; a few more lines in > python. When I became aware that DigitalBazaar was clarifying their > capabilities and verification relationships vision in CCG circles, I > immediately brought up SGL as an alternative in a W3C github issue. I was > rebuffed for several reasons. Some I think were human and flawed, but one I > DO consider fair (if solvable) -- SGL would introduce an oddness in how we > align DID doc structure to RDF triples. So I shrugged my shoulders and > moved on. This is particularly true because SGL only becomes interesting > with Level 3 peer DID support, and all existing impls were targeting Level > 2. I may try to explain how to map SGL to JSON-LD at some point, but it > didn't feel like a good use of my time then. > > So my question is: can you say more about why you feel the SGL quirk is > important to mention? Do you feel that it disqualifies peer DIDs from being > a serious attempt at interop because they use an extension that's not yet > registered? I have been treating extensions as not super urgent for the > time being; I thought the whole point of them was that we could do them > later, if they acquired gravitas. If I need to reset my timetable, that's > important to know. > -- *ORIE STEELE* Chief Technical Officer www.transmute.industries <https://www.transmute.industries>
Received on Wednesday, 1 July 2020 02:00:27 UTC