W3C home > Mailing lists > Public > public-did-wg@w3.org > June 2020

The DID service endpoint privacy challenge

From: Adrian Gropper <agropper@healthurl.com>
Date: Mon, 29 Jun 2020 05:14:20 -0400
Message-ID: <CANYRo8jF9CCzU1C-vp_ShBRuwQiN_4bdR+ENJoL36VgqnTWZ9Q@mail.gmail.com>
To: W3C DID Working Group <public-did-wg@w3.org>
I’m hoping to speed the privacy discussion across DID, auth, and SDS by
introducing a challenge:

DiDs are a public and persistent identifier that will be indexed,
correlated, analyzed and catalogued to create new opportunities for privacy
and security mischief including inferences leading to discrimination, spam,
and denial of service attacks. The mitigation of these attacks is rooted in
the demarcation between the public DID Document and the private user agent
that controls the DID, often secured by a biometric.

This demarcation is the service endpoint. If DIDs were normatively
restricted to a single service endpoint privacy analysis would be greatly
simplified. Allowing multiple service endpoints of the same type and of
different types (authorization, storage, notification) makes privacy
analysis of DIDs more difficult and unintended consequences more likely.

If there were only one service endpoint, what would it be and could it
accommodate authentication, authorization, storage, and notification uses
without undue limitation?

- Adrian
Received on Monday, 29 June 2020 09:14:44 UTC

This archive was generated by hypermail 2.4.0 : Thursday, 24 March 2022 20:27:50 UTC