DID Working Group Telco — Minutes

Date: 2019-12-10

See also the Agenda and the IRC Log


Present: Chris Winczewski, Ivan Herman, Amy Guy, Yancy Ribbens, Justin Richer, Brent Zundel, Manu Sporny, Orie Steele, Dave Longley, Michael Jones, Adrian Gropper, oliver terbu, Drummond Reed, Joe Andrieu, Irene Adamski, Markus Sabadello, Ted Thibodeau Jr, Jonathan Holt, Ganesh Annan, Kim Duffy, Daniel Burnett, Dmitri Zagidulin, David Ezell, Samuel Smith

Regrets: Phil Archer, Tzviya Siegman


Chair: Brent Zundel

Scribe(s): Manu Sporny, Drummond Reed


Brent Zundel: Welcome, agenda review.
… We invite you to join IRC, that’s where the official record happens. For side conversations use /me THING_YOU_SAY
… q+ if you have something you’d like to add… q+ to THING_YOU_WANT_TO_SAY for reminder.
… we’re going to start off w/ a PSA on scribing… then F2F activity… time boxed matrix parameter discussion, then created property.
… Any additions to agenda?
… None, moving on.

1. Introductions

Brent Zundel: Anyone joining the call for the first time?

Irene Adamski: Yes, hello.

Irene Adamski: Hello, Irene, joining on behalf of Jolocom, already a W3C Member, I will be here to soak it all in, wanting to actively contribute, Honor to be here, looking forward to getting to know all of you, based in Berlin.

Brent Zundel: Anyone else want to introduce themselves?

Ted Thibodeau Jr: Hi, Ted Thibodeau with OpenLink Software, joined W3C 2001-ish. Since the early days of WebID, we’ve recognized this is an important piece of distributed computing, happy to be here.

Daniel Buchner: After thinking a lot about the Matrix param discussion last week, and the realization that Matrix params actually make an ID with a param into a new ID, I don’t thing they’re hardly as useful

2. Contributing

Brent Zundel: There are many ways to contribute to the WG… some contribute via issues, discussion, unique viewpoints, reactions/responses on PRs, all valuable things.

Daniel Buchner: That behavior, adding a matrix param == a new ID, it’s just not useful for the vast majority of cases

Brent Zundel: One of the easiest and most valuable ways to contribute is to willingly scribe. Some consider it to be a really fun thing… some think it’s onerous.

Dave Longley: daniel: i do think their utility is much more limited than perhaps some people have thought

Daniel Buchner: So much so I think they should be removed from the spec

Daniel Buchner: so much complexity, for honestly is very little benefit

Brent Zundel: We encourage everyone to scribe. Yes, some can’t, but we do hope that all of you can contribute. Please be fully engaged, if you think that you don’t think scribing is important, please look deeply into your heart and reconsider. I encourage all of you to scribe. It is important.

Daniel Buchner: Orie had a good suggestion yesterday: add some sort of resolver param character to pass resolver only values

3. public key format

Manu Sporny: https://github.com/w3c/did-core/pull/100

Manu Sporny: There’s been a long discussion around public key formats, happening in dedicated calls.
… this is a heads up that there is an intent to merge it, so this is a heads up

Daniel Buchner: like did:foo:123-456$initial-values=34534524

4. Face to Face Activity

Daniel Buchner: @markus_sabadello: Matrix params don’t work for the initial-values thing

Brent Zundel: We have an activity planned for our F2F.

Daniel Buchner: the implied difference in IDs is what nukes it

Brent Zundel: There is an attendees tab on the spreadsheet, please let us know if you’re coming.
… The boat tour is second day in the afternoon.
… Having a sponsor will make things simpler, we’re looking for a sponsor.
… We’d like to avoid figuring out the finances of it. If it doesn’t work out, people will just pay for their own tickets. Boat fee is €165 Euro, then €20 per person.
… If there are those of you that are willing and able to sponsor, reach out to Chairs.

Ivan Herman: https://boatamsterdam.com/cruises/premium-cruise/

Ivan Herman: There is the URL for the company I found, they gave me these prices, we’re talking 90 minutes with small private boat, limit of 22 people… if the group is bigger, then we have to figure out who gets to ride on a boat.
… The €8 extra per person includes a drink.

Daniel Buchner: for €200, I was thinking we’d each get our own keg

Ivan Herman: It’s January in Amsterdam, probably no sunshine, but there is a closed area on the boat.

Daniel Buchner: I once made a boat using kegs, so probably

Brent Zundel: Time boxed to 15 minutes. One of the Editors is going to guide us through this.

Daniel Buchner: ;)

Michael Jones: Manu, I request that you change RFC4648 to RFC7515 before merging, per my just-submitted review

Brent Zundel: Link to F2F Agenda Spreadsheet: https://docs.google.com/spreadsheets/d/11haGLiY3AYi8uxIQcfndAixmtXjymNTTFbDQWRYkKrQ/edit#gid=0

5. Matrix parameters

Brent Zundel: Matrix parameters: https://github.com/w3c/did-core/pulls?utf8=%E2%9C%93&q=is%3Apr+is%3Aopen+matrix

Markus Sabadello: This is a syntactical construct that’s a part of the spec. There are some matrix params in spec that are PRs that are open, others are in the spec. Since we had the last call, two of those PRs have been closed… key matrix param was closed.

Manu Sporny: selfissued, I will change that reference before merging.

Orie Steele: Example of their potential use by workday did method, as an id for a VC Schema: did:work:MDP8AsFhHzhwUvGNuYkX7T;id=06e126d1-fa44-4882-a243-1e326fbe21db;version=1.0

Markus Sabadello: The other one is to identify resources that are not a DID Document… there are more natural ways of doing that. Discussion is that when matrix parameters should be used and when they shouldn’t be used.

Dave Longley: Orie: i think that should just be a DID instead

Markus Sabadello: Summary - matrix parameters could make sense if you want a separate identifier for a separate resource, when you make it part of a URl, you get a new identifier you want to use as a hyperlink, as a part of a graph, you want to use URLs to identify things… encourage everyone to look at PRs open now.
… There are discussions about whether matrix parameters are needed at all, if you want to remove matrix parameters, maybe open an issue (because they’re in the spec now).

Dave Longley: (i.e., just make another DID and the subject is the schema)

Markus Sabadello: The CCG made the decision that matrix params were useful. If we want to have a discussion about whether or not we want them, we need to do that in a separate issue.

Orie Steele: dlongley: I don’t disagree… we had a long debate in Aries around not doing this kind of thing for aries specs, and ended up using https instead…

Dave Longley: yup https works too

Daniel Buchner: I’ve spent some time thinking about matrix params… didn’t realize that when you add any matrix parameter, you fundamentally change the DID, it’s not the same identifier. I can’t see how that’s useful in the vast majority of use cases.
… so initial parameters don’t help… trying to get some clarity, so if it means DID changes then that’s less useful, looking for clarity there.

Markus Sabadello: It doesn’t change the DID, but it is a new DID URL… DID URL under same authority, what it identifies needs to be specified by matrix parameter.
… For example, if you use it to identify a service endpoint, you’re not talking about the DID subject anymore.
… if you use version, then you’re talking about a DID Document at a specific point in time.
… For example, when would you make something part of an HTTP URL, or when would you add it as an HTTP Header.

Orie Steele: So it sounds possible to make a matrix parameter that identifies the did subject… where the long form, is understood to be the short form.

Daniel Buchner: If I add a matrix parameter, what happens to original DID?

Daniel Buchner: orie: so we were mistaken, i assume?

Markus Sabadello: You can set a matrix parameter in a way that doesn’t identify a different person/thing.

Orie Steele: daniel: not clear at all!

Daniel Buchner: meaning, it is again OK to use them for what we need?

Orie Steele: its not clear…

Michael Jones: I’m enlightened by discussion on matrix parameters last week, this was an invention from 25 years ago that didn’t see adoption and wasn’t viewed as necessary or useful… yes, I’m raising the question on whether or not we should have matrix parameters. This is a fundamental change with Web architecture and we should go in with eyes wide open.

Daniel Buchner: based on what Markus said, it would seem so

Michael Jones: We have query parameters and fragments… before we decide we have to change web addressing, we should think about encoding things in the proper way.

Brent Zundel: Markus did say that if you want to have that conversation, raise that issue.

Markus Sabadello: +1 to brent, raise an issue if you want to discuss matrix parameters in general (rather than discussing a specific matrix parameter)

Dave Longley: I agree with Mike, but I do want them to know where the conversation started. It started from place of where matrix parameters started, we didn’t have a way to construct a URL that didn’t impact query parameters and fragments.
… A DID is used to resolve DID to get DID Document. If you have a matrix parameter in it, the only time you want to use a matrix parameter is when you’re trying to refer to something and you can’t use anything else… like no query or fragment. Refer to external resource relative to DID subject via some content in DID Document, past version, or talking about identifying resource that you go through DID Doc to find endpoint to go to server to find resource.

Daniel Buchner: So are folks on here still fine with adding a regular URL param to the end of a DID?

Daniel Buchner: did:foo:123-456?initial-values=34w5445vw45gv4wv

Daniel Buchner: ^ ?

Dave Longley: It lets you create a stable URL based on servers moving locations… you want to move the end resource around, so you can port data from server A to server B but keep stable identifier for resource… that was main canonical use case.

Daniel Burnett: +1 to service endpoint use case, -1 to most others. dlongley is correct that service endpoint was the initiating use case for matrix params.

Dave Longley: That resource may need to have query, hash, and that kind of stuff… those things need to be opaque, which is why we need matrix parameters.

Drummond Reed: Wanted to reinforce, having worked on these things, answer to mike’s question – there is a very specific reason we chose matrix parameters and syntax… it was to leave the path, query, and fragment components completely open to developers to use in any way.

Daniel Buchner: Seriously though, I just need to tack some crap on to the end of a DID string to allow a resolver to resolve a DID Doc that has not yet propagated, or the current Doc, if it’s after the initial publication

Drummond Reed: The use of a service endpoint to compose a result URL and be able to pass it path, query, fragment leaves open only one option to select the endpoint. Something that’s a part of the authority component of the URL, which means syntactically separate from DID.
… Yes, it’s an old construct, but because we’re creating a class of abstract identifier that doesn’t exist on the web today, that’s why we are discussing.

Chris Winczewski: Point of clarification. We are formally discussing https://github.com/w3c/did-core/issues/137 correct?

Manu Sporny: responding to @selfissued: Manu does not want to raise an issue to get rid of matrix parameters

Kim Duffy: late to the party but everything I’m hearing about matrix parameters gives me the gut reaction that these are non-standard and have design stink all over it. The use case of specifying down to a server sounds like “you’re doing something wrong”

Manu Sporny: because there is no other way to solve the problem for a set of use cases
… for example the ones that @dlongley and @drummond have explained, e.g., service endpoint selection or version selection

Markus Sabadello: Current list of PRs about matrix parameters: https://github.com/w3c/did-core/pulls?utf8=%E2%9C%93&q=is%3Apr+is%3Aopen+matrix+parameter

Brent Zundel: We do have an issue about matrix parameters, 137.

Michael Jones: In the interest of time, let’s not discuss here, but would like to have a discussion about query parameters and why we can’t use those.

6. meaning of “Created”

Brent Zundel: https://github.com/w3c/did-core/pull/28

Drummond Reed: @selfissued RE the authority component, we have full rights to add syntax there in the DID URI scheme, but not in query parameters

Manu Sporny: https://github.com/w3c/did-core/issues/65

Manu Sporny: wants to try to focus the discussion on what we should talk about in this WG
… there are 3 aspects. The first one is when the DID document was created an updated.
… that topic is being debated in the resolution subgroup that @markus_sabadello is leading
… so the other options are: 1) an assertion on the ledger itself about when the DID document was created/issued

Dmitri Zagidulin: there is already a field for ‘the ledger is asserting the creation date’, separate from ‘created’

Manu Sporny: and 2) the DID subject’s assertion of when the DID document was created/updated

Dmitri Zagidulin: so we’re only talking about 2

Manu Sporny: manu believes that it is the latter

Dave Longley: wouldn’t it be when the DID subject was created?

Oliver Terbu: We should also consider that some did methods do not have an easy way to assert created/updated time

Dmitri Zagidulin: we are not talking about the ‘ledger is asserting the DID was created’ date, because that’s a different parameter
… so the DID document contains: 1) the DID, 2) DID metadata, 3) resolution metadata

Jonathan Holt: For specific DID methods, you must refer to the ledger, so the only option is the author’s assertion

Markus Sabadello: Notes that “created” and “updated” correspond to two operations required by a DID method
… so it’s okay that the DID document contains the author-asserted timestamps and resolution produces the DID registry-based timestamps

Joe Andrieu: wants to comment on terminology

Oliver Terbu: some did methods are not ledger-based but there are some did methods such as did:ethr that are ledger-based but don’t require a ledger to be created. so, no information can be put into the did document for the creation time.

Dave Longley: agree with Joe … a DID document is controlled by a DID controller and says things about the DID subject

Joe Andrieu: it’s not the “DID subject” that sets the date, it’s the “DID controller”

Markus Sabadello: +1 to JoeAndrieu , we should have all said controller instead of subject

Joe Andrieu: wants to make sure we’re using the right language

Brent Zundel: seeing wide agreement that the datestamps in the DID document are asserted by the DID controller

Jonathan Holt: probably even more specific would be the DID controller software

Manu Sporny: agrees with Joe on terminology
… so the question is: security issues around using datestamps asserted by the DID controller
… so Manu would like to understand why self-asserted datestamps are important

Brent Zundel: so this moves us to the topic that if dates are DID-controller-asserted, are they needed?

Dave Longley: If the timestamps are in a DID document, they should be authoritative.

Ivan Herman: +1 to dlongley

Orie Steele: +1 to dlongley

Dave Longley: so they should be describing the DID subject, not the DID document

Oliver Terbu: -1

Dave Longley: “DID subject createdDocument date” would make more sense

Dave Longley: but still messy.

Dmitri Zagidulin: the name of the property is ambiguous, so the proposal is to change it to didDocumentCreated and didDocumentUpdated

Orie Steele: why?

Brent Zundel: so the question is now whether this is needed

Oliver Terbu: -1 because some ppl don’t create the did document at the created time

Orie Steele: what is the use case for knowing when the document was created, by looking at the document?

Oliver Terbu: some did methods don’t store the did doc on a ledger

Dmitri Zagidulin: oliver - I’m not sure I understand

Dmitri Zagidulin: oliver - the timestamp is not about the ledger. it’s only about when the document was created (the ‘created on the ledger’ or whatever is a separate field)

Jonathan Holt: asks if PGP keys in the web-of-trust are self-asserted with regard to datestamps?

Brent Zundel: is anyone a PGP key expert that can weigh in?

Orie Steele: I’m not sure anything PGP does regarding embedding meta data like this is good.

Brent Zundel: brent has only been to one PGP key party

Jonathan Holt: looking at his own PGP keys, he attests to their datestamps, so he wants to get the same info about others

Manu Sporny: PGP does allow you to assert datastamps for keys, but that does not make for good security

Orie Steele: +1 to manu, there is no solid use case.

Oliver Terbu: dmitriz - let’s have this discussion in a github issue

Daniel Buchner: Seems like added complexity for little benefit

Samuel Smith: q

Yancy Ribbens: +1 to manu

Manu Sporny: but we are not hearing a solid use case on why we would need “createdDocument” and “updatedDocument” as asserted by the DID controller

Daniel Buchner: one can make an argument for throwing tons of things in the docs, I think we should be super stingy about it

Jonathan Holt: can look at his own keys and the timestamps associated with each
… even though it is self-asserted timestamp, it is still a way of keeping order

Daniel Buchner: why can’t you save them with an added stamp post resolution, when you save it to your machine

Manu Sporny: agree with daniel – we should be very careful about the data we standardize in DID Document.

Dave Longley: agree with daniel/manu so far.

Samuel Smith: from a security perspective, the only way the DID controller can make an authoritative assertion about the DID document is to link it to a hash of the event that existed at that point in time
… any other ordering can be self-asserted, forged, etc.
… so that would be the cryptographic way of verifying the authoritative ordering

Yancy Ribbens: blockheight can determine time ordering?

Dave Longley: what is “authoritative” is up to the DID method, but agree we should be using crypto here to extend trust

Dave Longley: (when we can)

Manu Sporny: agrees with Sam. If a createdDocument property is in the DID document, it needs to be cryptographically verifiable

Orie Steele: you can always just embed a PGP key in your did document which contains this (and other) meta data.

Dave Longley: +1 to Orie

Joe Andrieu: @orie that would only cover the key, not the entire document

Dmitri Zagidulin: I’m totally fine with pushing down the ‘documentCreated’ metadata field down to method-specific land.

Manu Sporny: the case of just self-assertion of metadata about a DID document for the author can be handled in other ways

Yancy Ribbens: +1 to metadata not going in diddoc

Manu Sporny: but all of those ways are outside of a DID document

Daniel Buchner: or use Epoc seconds as your IDs in the values

Manu Sporny: so Manu is not hearing a strong use case for having these properties in a DID document

Daniel Buchner: epoch*

Manu Sporny: and believes we should take them out of the spec until there is a strong use case

Dave Longley: if you want to express when you registered a DID with some registry – you can add that to your DID doc perhaps under a “registration” property with more information about what you registered … i would think if you have anchored your DID to other blockchains you’d want something like that anyway for more than just one ledger/blockchain

Manu Sporny: daniel, yes, that would be a fine thing to do… epoch in id itself, and hopefully, asserted by the ledger.

Dmitri Zagidulin: dlongley: there’s a separate field for when it was registered, tho

Joe Andrieu: believes that it’s too early to call for lack of use cases when the conversation is just getting started

Dave Longley: dmitriz: this is about the DID controller saying something

Joe Andrieu: there are lots of examples of claims that are not directly tied to the subject

Daniel Buchner: The DID controller saying something is not substrate-authoritative

Joe Andrieu: this is the only place where the DID controller can assert these properties for purposes of redundancy and sniff tests

Orie Steele: SamSmith this is an attempt to formalize inception event

Dave Longley: so it seems the cases here are entirely around self-assertion, in which case such an “anchor” should have

Daniel Buchner: it’s speculative data, not something remotely falsifiable

Dave Longley: semantics that make it clear that its self-asserted info from the DID controller

Joe Andrieu: +1 to more specific property

Manu Sporny: +1 to daniel

Irene Adamski: @manu: unrelated to current discussion - who can I contact about more infos on the f2f in Amsterdam?

Justin Richer: the fundamental question is whether the DID document should be internally self-describing

Daniel Buchner: If it’s just an assertion by a party external to the trust-minimizing anchoring system, then there’s 0 reason we can’t make that a separate witness statement outside of the doc

Dmitri Zagidulin: great way to put it, Justin

Justin Richer: there are others seeing the DID document will be in a context that has other metadata about it

Daniel Buchner: if you want it bound to a doc revision, we could just allow a single prop for witness data that can be included via hash reference

Justin Richer: so these two views need to be reconciled

Dmitri Zagidulin: agrees with Justin_R

Joe Andrieu: @daniel, it’s a statement by the controller, just like everything else in the DID Document. All of which lack falsifiability.

Daniel Buchner: That way you can stuff a freaking DVD worth of witness data in there if you want, just via hash link

Dmitri Zagidulin: Dmitri believes that DID documents need to be self-describing
… but if it is self-asserted, then it can be kicked down to DID method specs

Daniel Buchner: Can someone argue against the hash-link approach?

Dmitri Zagidulin: (also standalone, yes! has implications on portability / exportability of the DID)

Jonathan Holt: conflating the need for a DID registry to add the security around the created or updated timestamp is a different issue

Dave Longley: a DID document has information about the DID subject … if there will be “self-describing” information, then the DID controller should state that the DID subject has a DID Document with properties X, Y, Z.

Jonathan Holt: but for a DID document to be able to standalone and self-describing is still important
… there is probably a room for a compromise, where the property is optional

Daniel Buchner: { witness: HASH_OF_N_OTHER_FIELDS/DATA }

Jonathan Holt: what jonathan currently does is using Open Timestamps
… so thinks there is room to compromise

Samuel Smith: +1 to self describing. The DID Controller needs to be able to make authoritative statements in the DID Doc. But I think that it may be method specific

Dmitri Zagidulin: +1 to manu’s proposal.

Joe Andrieu: -1

Dave Longley: we should remember that the root subject of the DID document is the DID subject

Manu Sporny: to speak to that compromise, he proposes to take it out of the core DID spec, and let method specs decide about how to use it

Yancy Ribbens: +1

Daniel Buchner: +42

Dmitri Zagidulin: daniel - that’s + too many :)

Manu Sporny: however there is already dissent, so no action on that proposal yet

Dave Longley: so something must say “DID subject has a DID document”, and introduce a new object with properties about that DID document.

Brent Zundel: closes the call with thanks to the scribes

Dave Longley: (so there’s no confusion over what the properties apply to DID subject vs. DID doc)

Brent Zundel: remind that we won’t hold the call on Dec 25 or 31.