- From: Ryan Grant <w3c@rgrant.org>
- Date: Sun, 15 Dec 2024 15:08:14 +0000
- To: Filip Kolarik <filip26@gmail.com>
- Cc: W3C DID Working Group <public-did-wg@w3.org>
Filip,

The purpose of a URL, including a DID URL such as your proposed did:pgp, is to meet people where they are and give them a choice to access a resource. That is inclusion and it is a core principle of the Web, as W3C understands:

https://www.w3.org/mission/

> To achieve our vision to make the web work, for everyone, we uphold the following core values:
> The web is for all humanity.
> [...]
> There is one interoperable world-wide web.

Sometime in autumn of 2016, in edits now lost to time, I drafted a commentary paragraph at the bottom of Section 1.1 of "DID (Decentralized Identifier) Data Model and Generic Syntax 1.0 Implementer's Draft 01" stating:

> Note that DID methods may also be developed for identities registered in federated identity management systems. For their part, federated identity systems may add support for DIDs. This creates an interoperability bridge between the worlds of centralized, federated, and decentralized identity.

This idea has survived in the following paragraph from the spec:

https://www.w3.org/TR/did-core/#introduction

> [...] This specification does not presuppose any particular technology or cryptography to underpin the generation, persistence, resolution, or interpretation of DIDs. For example, implementers can create Decentralized Identifiers based on identifiers registered in federated or centralized identity management systems. Indeed, almost all types of identifier systems can add support for DIDs. This creates an interoperability bridge between the worlds of centralized, federated, and decentralized identifiers. This also enables implementers to design specific types of DIDs to work with the computing infrastructure they trust, such as distributed ledgers, decentralized file systems, distributed databases, and peer-to-peer networks.

In autumn 2016, it was a new idea for the spec to not require decentralization, but rather to allow it and bridge possible systems to existing systems.
If your goal is to connect people who use PGP with DIDs, and perhaps to educate us all on what did:pgp can offer versus both what PGP standalone offers and versus what other DID Methods offer, then by all means carry on. Since PGP users have hardcore needs for verifying who signed what, they should be highly motivated to understand what they're missing. It's not obvious without an implementation.

Most of the problem with PGP is merely the user interface of existing tools. There is baggage in how messages were routed over email, but that's neither intrinsic nor the most prominent use case today. There is a fatal flaw in using a decaying centralized server infrastructure for key revocation (and this very fatal flaw was the spark that made did:btcr and thus all DIDs worthwhile to me, in 2016). Even that can be mitigated since PGP has the capacity to declare master and subsidiary keys, which (if the master keys are kept secured in special ways) could be used to implement limited key rotation without relying on servers.

You have my support. Please show us what did:pgp can be.

~ Ryan

-- 
slavery needs censorship
Received on Sunday, 15 December 2024 15:08:54 UTC
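The master-key/subsidiary-key rotation that the message sketches (rotate and revoke subkeys under an offline master key, with no keyserver in the loop), as an added example that is not from the message, from the W3C DID specifications, or from any did:pgp implementation. It models an OpenPGP-style certificate: a primary key whose only job is to sign subkey bindings and revocations, subkeys that do the everyday signing, and a verifier that accepts a subkey only on a primary-signed binding and rejects it once a primary-signed revocation is attached to the certificate. The use of Ed25519 keys, the `bind:`/`revoke:` domain separators, and the `Holder`/`Certificate`/`Subkey` types are assumptions of this example, not the OpenPGP packet format; the sample message is constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Constructed model of an OpenPGP-style certificate (an assumption of this example,
// not the OpenPGP packet format): an offline primary key that only signs subkey
// bindings and revocations, plus subkeys that do the everyday signing.
const tagBind, tagRevoke = "bind:", "revoke:" // domain separators for primary-key signatures

type Subkey struct {
	Pub     ed25519.PublicKey
	BindSig []byte // primary signature over tagBind || Pub
	RevSig  []byte // nil, or primary signature over tagRevoke || Pub
}

type Certificate struct {
	Primary ed25519.PublicKey
	Subkeys []Subkey
}

type Holder struct {
	primaryPriv ed25519.PrivateKey // touched only by AddSubkey and Revoke, so it can stay offline
	cert        Certificate
}

func mustKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // rand.Reader failing is not recoverable here
	}
	return pub, priv
}

func NewHolder() *Holder {
	pub, priv := mustKey()
	return &Holder{primaryPriv: priv, cert: Certificate{Primary: pub}}
}

// AddSubkey creates a signing subkey and binds it with a primary-key signature.
func (h *Holder) AddSubkey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv := mustKey()
	bind := ed25519.Sign(h.primaryPriv, append([]byte(tagBind), pub...))
	h.cert.Subkeys = append(h.cert.Subkeys, Subkey{Pub: pub, BindSig: bind})
	return pub, priv
}

// Revoke attaches a primary-signed revocation; it travels inside the certificate, so no keyserver is needed.
func (h *Holder) Revoke(pub ed25519.PublicKey) error {
	for i := range h.cert.Subkeys {
		if h.cert.Subkeys[i].Pub.Equal(pub) {
			h.cert.Subkeys[i].RevSig = ed25519.Sign(h.primaryPriv, append([]byte(tagRevoke), pub...))
			return nil
		}
	}
	return errors.New("unknown subkey")
}

// Certificate returns a copy of the public certificate for distribution.
func (h *Holder) Certificate() Certificate { return Certificate{Primary: h.cert.Primary, Subkeys: append([]Subkey(nil), h.cert.Subkeys...)} }

func SignMessage(priv ed25519.PrivateKey, msg []byte) []byte { return ed25519.Sign(priv, msg) }

// Verify accepts a signature only if the subkey is listed, its binding carries a
// valid primary-key signature, and no valid primary-signed revocation is attached.
func Verify(cert Certificate, subPub ed25519.PublicKey, msg, sig []byte) error {
	for _, sk := range cert.Subkeys {
		switch {
		case !sk.Pub.Equal(subPub):
			continue // not the subkey we were asked about
		case !ed25519.Verify(cert.Primary, append([]byte(tagBind), sk.Pub...), sk.BindSig):
			return errors.New("subkey binding is not signed by the primary key")
		case sk.RevSig != nil && ed25519.Verify(cert.Primary, append([]byte(tagRevoke), sk.Pub...), sk.RevSig):
			return errors.New("subkey has been revoked by the primary key")
		case !ed25519.Verify(subPub, msg, sig):
			return errors.New("message signature does not verify")
		}
		return nil
	}
	return errors.New("subkey is not listed in the certificate")
}

func main() {
	h := NewHolder()
	oldPub, oldPriv := h.AddSubkey()
	msg := []byte("constructed sample message")
	newPub, newPriv := h.AddSubkey() // rotation: bind the replacement...
	_ = h.Revoke(oldPub)             // ...and revoke the old subkey, both signed by the primary key
	fmt.Println("old subkey after rotation:", Verify(h.Certificate(), oldPub, msg, SignMessage(oldPriv, msg)))
	fmt.Println("new subkey after rotation:", Verify(h.Certificate(), newPub, msg, SignMessage(newPriv, msg)))
	fPub, fPriv := mustKey() // attacker: can add a subkey to a copy of the certificate, cannot sign with the primary
	forged := h.Certificate()
	forged.Subkeys = append(forged.Subkeys, Subkey{Pub: fPub, BindSig: SignMessage(fPriv, append([]byte(tagBind), fPub...))})
	fmt.Println("forged subkey:", Verify(forged, fPub, msg, SignMessage(fPriv, msg)))
}
```

The point of the design is that the certificate carries its own revocations: a verifier who obtains the current certificate by any channel (a website, a peer, a DID document) can reject a compromised subkey without querying a keyserver, and nobody without the primary private key can bind or revoke a subkey. What this does not give you is a fresh-ness guarantee; a verifier holding a stale copy of the certificate will not see a revocation issued later, which is the remaining piece a DID method would have to address.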