-
Notifications
You must be signed in to change notification settings - Fork 2
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Useful features from did:webs -- signed files in the DID path and "whois" #7
Comments
Thank you for the detailed comments, Stephen. Signed files and the whois folder indeed seem like good features. Is there any requirement of (or desire for) an immutable and/or non-repudiable history for signed files? I'm working on related concepts at the moment, and wonder if there might be something generalizable here. In particular, there's a requirement (e.g. in #8) to maintain an external copy of DID microledgers for purposes of long-term non-repudiability, service availability, and detection of deletion or attempts to alter a DID's history. Should signed files be part of this? It seems that if signed files, and in particular a "whois" folder is meant to be a formal part of a DID method, then they must be included. What do you think? |
versioning them, linking them, signing them is all done in a way that witnesses can cache/replicate them using straightorward web technologies rather than a trusted client-- this is a crucial feature! I think the flexibility of the witnessing is a strength of this approach, its lightweight microledgers can be witnessed and tracked in multiple ways (git, ipfs, waybackmachine, etc etc) rather than hardcoding one and making it mandatory in the spec, the spec remains a thin layer composable with many other mechanisms.
Why is this part of the did:webs spec, tho, and not a separate spec? Feels orthogonal and not all webplus/webs users would want to embrace that trust model or discovery mechanism. Imagine a system that is using did:webplus and the indic.io/TBD trust-establishment/credential manifest mechanism for discovery of those ecosystem credentials. for a specific use-case or customer, they want to bolt on did:webs support to their did:webplus server-- if they don't also need the whois stuff, why should they have to also reimplement/parallelize that second set of discovery mechanisms and features?
I'm a fan in general but I'm not sure they're needed for the use-cases webplus targets?
I'm a fan in general but I'm not sure they're needed for the use-cases webplus targets? Even if they were, traditional single-key/single-controller DIDs can multisign multiple other ways (linked data VCs can just have multiple proofs objects, JWS signatures can wrap one another, Chris Allen is working on Schnorr signatures...). I don't think we need to break the assumptions of the W3C DID spec to have multiple signatures.
This feels like a layer violation-- better handled by the witnessing/auditing layer, which doesn't need to make the DID layer itself more complicated.
I hadn't thought about this one at all! What about
|
AFAIK — the plan is that the KERI log/event stream will include the signing events for the files, so for long term-non-repudiability, it is available. I think it is a good idea. Even though the signing events don’t impact the DIDDoc, I think they should be part of the audit trail. For did:webs the KERI event stream file beside the DIDDoc is the “DID micro ledger”. Our assumption is that any changes to the DIDDoc and. the microledger are always published together and available to resolvers via HTTPS GETs. |
From @bumblefudge:
Why have this? Because an issuer providing more data than “fits” in a DIDDoc is a useful feature in many scenarios, and because it is so dead simple to do in web-based DID. It completely fits with the DID Spec (DID URL paths), so any DID Method can do it, but is particularly simple for web-based DIDs — controllers and resolvers. Combining signed files and whois as part of this spec should be done (I think) because they enable incredibly useful features using a dead-simple implementations. Given the power and simplicity, I think it gives a major reason for adoption — that works nicely with did:web, if you trust the controller. I think a secure web-based DID method can eliminate the use of most other DID methods — except did:peer and did:key. |
Sorry, I think you're answering a different question. Why do they have to be ONE SPEC and both mandatory/coupled, is my question. Someone who wants did:webplus without the "whois" functionality is forced to do both if they're one spec. Someone who wants to do both loses nothing by implementing two separate specs. |
Here I disagree, because I think that web3 and web5 (insofar as either of those are a thing that exists and will continue to develop) are increasingly defined by wallets being the primary user agents (not the browser) and offline or onchain "backends"; in many web3 use-cases, wallets and nodes interact directly, without any web servers or HTTPS or DNS-based trust! When I was working with KYC for Web3 use-cases, many DeFi developers would say to me, "no, I'm not setting up a web backend just for your app; we use a PWA with no backend beyond the blockchain node". It's a wild new world out there, with totally different trust models! But yeah, in use-cases where people aren't already clustered around a blockchain and have more DNS-based trust than DPKI-based trust, i.e. most other use-cases, did:webplus and/or did:webs would be incredibly useful! |
To be clear — the trust is NOT DNS-based or PKI based, but the event stream that created the identifier and evolved it and secured it. The web is used as the discovery mechanism for the DID information about the identifier — not the basis of trust. I can put a Agree that others will still want to use ledger-based DIDs and that’s fine. |
No one is forced to have a |
Interesting. Does it obligate the resolver in any way? Are there whois contents/properties that change the mechanics of the did resolution in any way? If it changes nothing about DID controller behavior or DID resolver behavior, then why should it be in a DID method spec and not its own spec? I'm not sure it would work moved into DID core, because I can't see it working equivalently and interoperably for many of the architectures targeted by the DID WG use-cases doc... but I'd have to think about it. I've got no problem with it, to be clear, I just like smaller specs and see no strong benefit to coupling them. |
I would argue that a domain name means nothing to DID resolvers unless there is reputational/social/business trust being anchored to control of a domain. So in the technical sense of the word |
I guess it would be in the DID Resolver spec vs. core, but it would think it would certainly be implementable in any DID Method. It defines what MUST happen when resolving the “/whois” path on a DID. But for now, we are just saying “This is what MUST happen when you resolve the “/whois” path of a |
Oh, that makes a lot more sense! I was assuming it was a /whois path off |
To be clear — Note that with “did:webs”, there is always an AID as the last “:” component of the did, so for |
After a discussion last week between the did:webs working group at ToIP and the did:webplus team, I shared a note about some of the important features of did:webs for consideration in did:webplus.
For the most part, the goals of the two web-based DID methods are the same:
The two methods vary in how that is done. did:webs uses a KERI "audit log file" that allows a resolver to process the events to verify that they are all valid, and that they produce the same DIDDoc as is published with the audit log. As the controller evolves the DID, they publish new versions of the current DIDDoc and the audit log. did:webplus publishes and retains all DIDDocs, versions them, and cryptographically links the files.
The additional features of did:webs that I think are valuable in any web-based DID method, including did:webplus, are signed files and the "whois" folder. From the full did:webs spec, the source description of these features can be found here for signed files and here for the whois folder. I recommend that you consider adding them to did:webplus.
In did:webs, the following additional goals are defined:
The text was updated successfully, but these errors were encountered: