- From: Ryan Grant via WBS Mailer <sysbot+wbs@w3.org>
- Date: Sat, 09 Sep 2023 03:54:02 +0000
- To: public-new-work@w3.org
- CC: w3c@rgrant.org
The following answers have been successfully submitted to 'Call for Review:
Decentralized Identifier (DID) Working Group Charter' (Advisory Committee)
for Digital Contract Design by Ryan Grant.
The reviewer's organization suggests changes to this Charter, and only
supports the proposal if the changes are adopted [Formal Objection].
Additional comments about the proposal:
I write to register Digital Contract Design's formal objection to the
proposed recharter of the Decentralized Identifiers Working Group
("DID-WG"), on technical merits detailed below.
This WG has a technically sound path available to it that dissolves
most and maybe all objections, should the W3C apply its values and
properly seek consensus! See below.
Picking winners and losers directly diminishes the decentralization
purpose of the working group's output. It's in the name.
Decentralization deserves respect as a core value of the W3C:
https://www.w3.org/TR/ethical-web-principles/#control
/ no consensus -> long read /
Before we begin, you might wonder why I have to write all this. That
would be because the W3C has not pursued a consensus process regarding
this matter, so there are substantial objections outstanding that
could have been resolved within the DID-WG, but were not. You are
reading the details of a working group's internal conflict. I am
primarily writing to a future AC Council. I do not know who they will
be, what concerns they would state, their education level on matters
of DIDs, or whether I will have any other opportunity for input (as I
would with due process in other forums). This is, in short, a
stressful situation for someone who cares about the matter at hand.
/ standardize DID Methods in the W3C by creating different WGs /
Our formal objection to this proposed charter would be resolved under
the following conditions:
While it is appropriate for the W3C to at any time convene WGs to
standardize any DID Methods that members find sufficient interest
in, this MUST occur in new working groups other than a rechartered
DID-WG (call those "Fit for Purpose DID Method WGs"). Those groups
MUST NOT also have authority to change the DID-core specification.
Any bugs found in a then-current "Decentralized Identifiers (DIDs)
Core architecture, data model, and representations" specification
("DID-core") can be addressed by narrowly-authorized DID-WG
recharters.
Similarly, the W3C MUST NOT promote DID Methods standardized within
the W3C as uniquely compliant to DID-core requirements.
DID-core's value for a decentralized architecture depends on it
creating a level playing field. Members concerned with that level
playing field can neither reasonably monitor every Fit for Purpose DID
Method WG that will arise within the W3C nor would those groups want
members onboard whose only purpose is to monitor for objections.
Everyone would be satisfied better by creating a separation of
concerns.
/ DID Resolution has consensus and resolves 2021 formal objections /
This WG has a technically sound path available to it that dissolves
most and maybe all objections, should the W3C apply its values and
properly seek consensus!
Since the airing at 2022 TPAC that some members care about conflict
of interest between DID Methods, Chairs and Staff took a hard-line
approach that did not seek consensus. Joe Andrieu, a long-time
invited technical expert and now the AC representative for Legendary
Requirements, found that solving DID Resolution addressed most of the
technical concerns of the August 2021 formal objectors by speaking in
person to the August 2021 formal objectors during the Sophia-Antopolis
France 2023 TPAC meeting. They appreciated his explanation of the issues
involved in DID Resolution.
Quoting Joe:
https://github.com/w3c/did-wg-charter/issues/28#issuecomment-1543579206
[...] I don't want to speak on their behalf in particular, but
there was exceptional support for focusing on resolution rather
than DID methods as the route to interoperability. "That would go
a long way to addressing our concerns" and "Yep, that seems like
the better way to do it" and "That seems reasonable, but I need to
think on it a bit more [before I say it resolves the issues of our
FO]."
I think it's fair to say that a focus on resolution (without any
DID methods) would likely avoid a FO from 2 out of 3 and, quite
possibly all 3.
/ what is DID Resolution? /
Before we continue, an ideal overview of the relationship between
DIDs, DID Methods, and DID Resolution may be found here, and this
background will be helpful in appreciating the path of least
objection:
https://www.youtube.com/watch?v=yb9ATkwBFJA
"The Power of DIDs #1: DID Resolution"
on | Feb 24, 2023
by | Marcus Sabadello
for | Danube Tech
duration | 12 minutes
/ blatant conflict of interest /
This proposed DID-WG charter, contemplating DID Methods to advance,
creates a blatant conflict of interest between those supporting
winning DID Methods and everyone who is developing other DID Methods.
And if this charter goes through the way that DID-WG Chairs and W3C
Staff are currently running the show (by overriding concerns without
scheduling any discussion or seeking consensus with the weakest
objections) then members will be left in opposition and there will be
further erosion of good faith between working group members.
There have been "trust me" apologies that consensus will be sought
properly once we just have a charter. In the context of the current
level of process abuse, such claims are hard to believe.
/ regarding advice offered by Ralph Swick, for Tim Berners-Lee /
There is another factual misunderstanding possible: the idea that this
DID-WG MUST widen its charter and create DID Methods to honor
June 30th 2022 advice offered by Ralph Swick, for Tim Berners-Lee.
That advice does not solve DID Resolution. Solving DID Resolution
addresses the substance of the 2021 formal objections and this DID-WG
has long planned to address it. Following the offered advice not only
dilutes attention from DID Resolution, but is also not required by W3C
process.
This widening the charter of the DID-WG will create an impossible
situation for consensus, leaving members in opposition and further
eroding good faith between working group members, as they would be
pitted against each other in the process of picking winners and losers
among the DID Methods, all while giving a false impression of
consensus to outsiders, due to the reputation of the group's good
consensus work to produce the DID-core 1.0 spec.
Ralph Swick, for Tim Berners-Lee, erred in recommending this
inherently centralizing path to DID-WG, rather than recommending that
DID-WG explore the high road to consensus via solving DID Resolution
in a way that **addressed the spirit** of the formal objections: that
network interoperability must be demonstrated at some point. This
recommendation instead creates a totally unnecessary scarce resource:
the order of standardizing, and it will be an unending fight.
This DID-WG should take a better path, to avoid a conflict of interest
that will destroy goodwill and block further consensus.
/ bad DID Methods are bad lessons for implementers /
Within the WG, two "harmless" DID Methods are generally offered as
examples that implementers could learn from if they were standardized.
Readers will note that Digital Bazaar's AC-public feedback on
August 6th 2023 suggests did:web and did:key.
https://github.com/w3c/charter-drafts/issues/428
Both of these DID Methods have serious problems that would interrupt
the group's hope for consensus if offering them for any useful
positive example.
The first, did:web, cannot offer non-repudiation (a feature which
prevents the ability to "double spend" an identifier's claims by
selectively causing elements of its history to fail verification)
because it cannot prevent a controller who also has write access to
the DID Document from selectively rewriting history to offer different
keys at different times. Separately, it proxies all security to the
existing cobbled-on sign-in security models for the third parties
hosting DNS. It even invites name squatting problems, which DID
Methods that only use cryptographic identifiers avoid.
The second, did:key, does not even try to offer key rotation and
revocation, which are critical usability features that DID Methods
should provide. Its own DID Method specification warns that its
identifiers should not be used for more than a week!
https://w3c-ccg.github.io/did-method-key/#long-term-usage-is-discouraged
Section 5.4 Long Term Usage is Discouraged
[...] For this reason, using a did:key for interactions that last
weeks to months is strongly discouraged.
We have had URLs, vCards, and PGP keys for decades, and someone trying
to learn from the proposed remedial wrappings of them will only learn
that the DID-WG has little to offer. These bad examples will weaken
understanding of the specification and collect totally valid
objections later in the process.
For these reasons, in addition to the problem of conflict of interest,
the proposed "harmless" DID Methods should not gain consensus for work
by the DID-WG, and will be opposed. But! If "Fit for Purpose DID
Method WGs" wanted to take on the responsibility of standardizing them
within the W3C, without the imprimatur of the expertise and consensus
of DID-WG, and without the goal to create a level playing field for
all DID Methods, we would not be opposed.
Note also that Digital Bazaar's proposal **leaves open** the
expectation that **after** "ample implementer feedback" DID-WG would
indeed go on to pick winner and loser DID Methods by advancing these
blessed DID Methods further.
Further reading on these usability and security topics:
https://w3c.github.io/did-core/#non-repudiation
Section 9.4 Non-Repudiation
https://w3c-ccg.github.io/did-method-key/#key-rotation-not-supported
Section 5.1 Key Rotation Not Supported
https://w3c-ccg.github.io/did-method-key/#deactivation-not-supported
Section 5.2 Deactivation Not Supported
/ more objections /
Separately, we have filed a formal objection to the process of
advancing this charter to AC-review, which ignored the W3C's contract
to its members to seek consensus. The W3C will harm its members and
itself, should a rechartered DID-WG continue on its current path to
standardize DID Methods. By failing to follow the W3C Process
Document, Chairs and Staff have denied the DID-WG a reasonable
proposed charter, instead advancing this charter despite strong
objections by several members on technical grounds. This creates
conditions that force members to escalate our concerns in awkward
ways.
We also agree with claims in invited expert Christopher Allen's formal
objection, Joe Andrieu's April 12th 2023 appeal (submitted under a prior
process and identified under the current process as a formal
objection), and Joe Andrieu's September 8th 2023 formal objection linked
below. These formal objections include more problems with venue and
process, due to not seeking consensus. In addition, invited expert
Kaliya Young (formerly Hamlin) expressed her support of Joe Andrieu's
April 12th 2023 appeal, and she too is now silenced by this shift to
AC-review.
https://blog.joeandrieu.com/2023/09/08/fighting-for-consensus-take-2/
"Fighting for Consensus, Take 2"
on | September 8, 2023
by | Joe Andrieu
/ in conclusion /
The best path forward is to leave winning and losing among the DID
Methods to other W3C WGs, other standards bodies, and the marketplace.
DID-WG's enthusiastically committed members can then return to
celebrating the consensus they found in the DID-core 1.0
specification, and to working together in a healthy atmosphere of
collaboration under a limited scope that advances collaboration,
rather than destroying it.
The reviewer's organization intends to participate in these groups:
- Decentralized Identifier (DID) Working Group
The reviewer's organization:
- intends to review drafts as they are published and send comments.
- intends to develop experimental implementations and send experience
reports.
- intends to develop products based on this work.
- intends to apply this technology in our operations.
Comments about implementation schedule:
2024
Answers to this questionnaire can be set and changed at
https://www.w3.org/2002/09/wbs/33280/did-wg-2023/ until 2023-09-08.
Regards,
The Automatic WBS Mailer
Received on Saturday, 9 September 2023 03:54:05 UTC