- From: Ryan Grant via WBS Mailer <sysbot+wbs@w3.org>
- Date: Sat, 09 Sep 2023 03:54:02 +0000
- To: public-new-work@w3.org
- CC: w3c@rgrant.org
The following answers have been successfully submitted to 'Call for Review: Decentralized Identifier (DID) Working Group Charter' (Advisory Committee) for Digital Contract Design by Ryan Grant. The reviewer's organization suggests changes to this Charter, and only supports the proposal if the changes are adopted [Formal Objection]. Additional comments about the proposal: I write to register Digital Contract Design's formal objection to the proposed recharter of the Decentralized Identifiers Working Group ("DID-WG"), on technical merits detailed below. This WG has a technically sound path available to it that dissolves most and maybe all objections, should the W3C apply its values and properly seek consensus! See below. Picking winners and losers directly diminishes the decentralization purpose of the working group's output. It's in the name. Decentralization deserves respect as a core value of the W3C: https://www.w3.org/TR/ethical-web-principles/#control / no consensus -> long read / Before we begin, you might wonder why I have to write all this. That would be because the W3C has not pursued a consensus process regarding this matter, so there are substantial objections outstanding that could have been resolved within the DID-WG, but were not. You are reading the details of a working group's internal conflict. I am primarily writing to a future AC Council. I do not know who they will be, what concerns they would state, their education level on matters of DIDs, or whether I will have any other opportunity for input (as I would with due process in other forums). This is, in short, a stressful situation for someone who cares about the matter at hand. / standardize DID Methods in the W3C by creating different WGs / Our formal objection to this proposed charter would be resolved under the following conditions: While it is appropriate for the W3C to at any time convene WGs to standardize any DID Methods that members find sufficient interest in, this MUST occur in new working groups other than a rechartered DID-WG (call those "Fit for Purpose DID Method WGs"). Those groups MUST NOT also have authority to change the DID-core specification. Any bugs found in a then-current "Decentralized Identifiers (DIDs) Core architecture, data model, and representations" specification ("DID-core") can be addressed by narrowly-authorized DID-WG recharters. Similarly, the W3C MUST NOT promote DID Methods standardized within the W3C as uniquely compliant to DID-core requirements. DID-core's value for a decentralized architecture depends on it creating a level playing field. Members concerned with that level playing field can neither reasonably monitor every Fit for Purpose DID Method WG that will arise within the W3C nor would those groups want members onboard whose only purpose is to monitor for objections. Everyone would be satisfied better by creating a separation of concerns. / DID Resolution has consensus and resolves 2021 formal objections / This WG has a technically sound path available to it that dissolves most and maybe all objections, should the W3C apply its values and properly seek consensus! Since the airing at 2022 TPAC that some members care about conflict of interest between DID Methods, Chairs and Staff took a hard-line approach that did not seek consensus. Joe Andrieu, a long-time invited technical expert and now the AC representative for Legendary Requirements, found that solving DID Resolution addressed most of the technical concerns of the August 2021 formal objectors by speaking in person to the August 2021 formal objectors during the Sophia-Antopolis France 2023 TPAC meeting. They appreciated his explanation of the issues involved in DID Resolution. Quoting Joe: https://github.com/w3c/did-wg-charter/issues/28#issuecomment-1543579206 [...] I don't want to speak on their behalf in particular, but there was exceptional support for focusing on resolution rather than DID methods as the route to interoperability. "That would go a long way to addressing our concerns" and "Yep, that seems like the better way to do it" and "That seems reasonable, but I need to think on it a bit more [before I say it resolves the issues of our FO]." I think it's fair to say that a focus on resolution (without any DID methods) would likely avoid a FO from 2 out of 3 and, quite possibly all 3. / what is DID Resolution? / Before we continue, an ideal overview of the relationship between DIDs, DID Methods, and DID Resolution may be found here, and this background will be helpful in appreciating the path of least objection: https://www.youtube.com/watch?v=yb9ATkwBFJA "The Power of DIDs #1: DID Resolution" on | Feb 24, 2023 by | Marcus Sabadello for | Danube Tech duration | 12 minutes / blatant conflict of interest / This proposed DID-WG charter, contemplating DID Methods to advance, creates a blatant conflict of interest between those supporting winning DID Methods and everyone who is developing other DID Methods. And if this charter goes through the way that DID-WG Chairs and W3C Staff are currently running the show (by overriding concerns without scheduling any discussion or seeking consensus with the weakest objections) then members will be left in opposition and there will be further erosion of good faith between working group members. There have been "trust me" apologies that consensus will be sought properly once we just have a charter. In the context of the current level of process abuse, such claims are hard to believe. / regarding advice offered by Ralph Swick, for Tim Berners-Lee / There is another factual misunderstanding possible: the idea that this DID-WG MUST widen its charter and create DID Methods to honor June 30th 2022 advice offered by Ralph Swick, for Tim Berners-Lee. That advice does not solve DID Resolution. Solving DID Resolution addresses the substance of the 2021 formal objections and this DID-WG has long planned to address it. Following the offered advice not only dilutes attention from DID Resolution, but is also not required by W3C process. This widening the charter of the DID-WG will create an impossible situation for consensus, leaving members in opposition and further eroding good faith between working group members, as they would be pitted against each other in the process of picking winners and losers among the DID Methods, all while giving a false impression of consensus to outsiders, due to the reputation of the group's good consensus work to produce the DID-core 1.0 spec. Ralph Swick, for Tim Berners-Lee, erred in recommending this inherently centralizing path to DID-WG, rather than recommending that DID-WG explore the high road to consensus via solving DID Resolution in a way that **addressed the spirit** of the formal objections: that network interoperability must be demonstrated at some point. This recommendation instead creates a totally unnecessary scarce resource: the order of standardizing, and it will be an unending fight. This DID-WG should take a better path, to avoid a conflict of interest that will destroy goodwill and block further consensus. / bad DID Methods are bad lessons for implementers / Within the WG, two "harmless" DID Methods are generally offered as examples that implementers could learn from if they were standardized. Readers will note that Digital Bazaar's AC-public feedback on August 6th 2023 suggests did:web and did:key. https://github.com/w3c/charter-drafts/issues/428 Both of these DID Methods have serious problems that would interrupt the group's hope for consensus if offering them for any useful positive example. The first, did:web, cannot offer non-repudiation (a feature which prevents the ability to "double spend" an identifier's claims by selectively causing elements of its history to fail verification) because it cannot prevent a controller who also has write access to the DID Document from selectively rewriting history to offer different keys at different times. Separately, it proxies all security to the existing cobbled-on sign-in security models for the third parties hosting DNS. It even invites name squatting problems, which DID Methods that only use cryptographic identifiers avoid. The second, did:key, does not even try to offer key rotation and revocation, which are critical usability features that DID Methods should provide. Its own DID Method specification warns that its identifiers should not be used for more than a week! https://w3c-ccg.github.io/did-method-key/#long-term-usage-is-discouraged Section 5.4 Long Term Usage is Discouraged [...] For this reason, using a did:key for interactions that last weeks to months is strongly discouraged. We have had URLs, vCards, and PGP keys for decades, and someone trying to learn from the proposed remedial wrappings of them will only learn that the DID-WG has little to offer. These bad examples will weaken understanding of the specification and collect totally valid objections later in the process. For these reasons, in addition to the problem of conflict of interest, the proposed "harmless" DID Methods should not gain consensus for work by the DID-WG, and will be opposed. But! If "Fit for Purpose DID Method WGs" wanted to take on the responsibility of standardizing them within the W3C, without the imprimatur of the expertise and consensus of DID-WG, and without the goal to create a level playing field for all DID Methods, we would not be opposed. Note also that Digital Bazaar's proposal **leaves open** the expectation that **after** "ample implementer feedback" DID-WG would indeed go on to pick winner and loser DID Methods by advancing these blessed DID Methods further. Further reading on these usability and security topics: https://w3c.github.io/did-core/#non-repudiation Section 9.4 Non-Repudiation https://w3c-ccg.github.io/did-method-key/#key-rotation-not-supported Section 5.1 Key Rotation Not Supported https://w3c-ccg.github.io/did-method-key/#deactivation-not-supported Section 5.2 Deactivation Not Supported / more objections / Separately, we have filed a formal objection to the process of advancing this charter to AC-review, which ignored the W3C's contract to its members to seek consensus. The W3C will harm its members and itself, should a rechartered DID-WG continue on its current path to standardize DID Methods. By failing to follow the W3C Process Document, Chairs and Staff have denied the DID-WG a reasonable proposed charter, instead advancing this charter despite strong objections by several members on technical grounds. This creates conditions that force members to escalate our concerns in awkward ways. We also agree with claims in invited expert Christopher Allen's formal objection, Joe Andrieu's April 12th 2023 appeal (submitted under a prior process and identified under the current process as a formal objection), and Joe Andrieu's September 8th 2023 formal objection linked below. These formal objections include more problems with venue and process, due to not seeking consensus. In addition, invited expert Kaliya Young (formerly Hamlin) expressed her support of Joe Andrieu's April 12th 2023 appeal, and she too is now silenced by this shift to AC-review. https://blog.joeandrieu.com/2023/09/08/fighting-for-consensus-take-2/ "Fighting for Consensus, Take 2" on | September 8, 2023 by | Joe Andrieu / in conclusion / The best path forward is to leave winning and losing among the DID Methods to other W3C WGs, other standards bodies, and the marketplace. DID-WG's enthusiastically committed members can then return to celebrating the consensus they found in the DID-core 1.0 specification, and to working together in a healthy atmosphere of collaboration under a limited scope that advances collaboration, rather than destroying it. The reviewer's organization intends to participate in these groups: - Decentralized Identifier (DID) Working Group The reviewer's organization: - intends to review drafts as they are published and send comments. - intends to develop experimental implementations and send experience reports. - intends to develop products based on this work. - intends to apply this technology in our operations. Comments about implementation schedule: 2024 Answers to this questionnaire can be set and changed at https://www.w3.org/2002/09/wbs/33280/did-wg-2023/ until 2023-09-08. Regards, The Automatic WBS Mailer
Received on Saturday, 9 September 2023 03:54:05 UTC