Meeting minutes
Will: This is going to be a more informal call, topic is controller document
Will: Maybe manu can give an overview of the document
Will: This document was developed in VC WG, need to discuss relationship to our group
Will: We are considering pointing to that document
manu: In a controller document, you can list public key material. There are also service descriptions
manu: Really public keys are called verification methods, since there are also other ways
<TallTed> Will -- Your audio is rather choppy. If you're using a wireless/battery mic (including earbuds), it might be good to switch to wire (including built-in)
manu: Service descriptions tell you how to interact with the entity identified by the identifier
manu: The concept started out as a DID document.
manu: At some point, a subgroup of people felt that the concepts of DID documents could be generalized
manu: In DID Core, this wasn't possible based on the rules
manu: A subgroup in the VC WG tried to generalized the concept, starting from DID Core.
manu: We also defined something in Data Integritiy. And VC JOSE CODE wants to use https URLs.
manu: So you could use https URLs where previously you could only use DIDs.
manu: Now the controller document spec exists in VC WG.
manu: Probably this group here should be in charge of this document, but it doesn't really matter due to the overlap.
<ivan> The VC version of the controller document
manu: Since 2 weeks ago, a number of discussions started on the document that could result in something that is not aligned with what we intended in DID Core.
manu: There are "discuss" labels on issues in the controller doc repo.
manu: It's still very much aligned with DID Core.
manu: Basically we would have to point sections from DID Core to the controller document specification, and say that it can be used with DIDs, e.g. in the "id", "controller", etc. fields.
manu: All the properties defined in DID Core are also defined in the controller document spec.
manu: We have moved DID Resolution to a separate spec.
manu: In DID Core, we would point to the controller document spec and "subclass" it.
manu: Issues that have been raised about what is the "controller" property, and what it means for a subject to have control, etc.
manu: First question is, as a goal, do we want to re-use the controller document spec, or continue to evolve in parallel. After that we can go into specifics.
Will: Let's discuss this for about 10 min if we want to re-use the spec.
manu: I thought it might be helpful to cover what happens if we don't. In that case, we would have a fork. The "controller document" might not be fully aligned with "DID document", and it might create confusion.
manu: I don't see any hard in depending on the controller document, as long as some upcoming discussions don't hobble our ability to use it with DIDs.
manu: There were some hints about anti-decentralization, e.g. we should depend on central repos for extensibility.
manu: I think at this point, if we don't take a dependency, we should have a very good reason. In that case, controller document should not go ahead.
JoeAndrieu: I think we should try
JoeAndrieu: We'll have more say in the future of the controller document if we try to use it
ivan: There is also a very technical reason why we are almost forced to do that.
ivan: The document also includes a formal vocabulary.
ivan: That vocabulary is controlled by the VC WG. If we don't use it, then we would have to change our own terms URLs, we would have to change the context file, and it wouldn't be backwards compatible.
ivan: In a sense, we are forced to do it.
Wip: If we rely on controller document, and then if the controller decided to have a concrere representation, what would be the implications?
markus_sabadello: I wanted to express that I'm in favor of trying to add dependency for controller documents. People are confused on DID Document vs. Controller document, good idea to do that. I also have a question on extensibility, which was just restructured. I assume that there is no conflict there w/ controller document... if controller document and vocabulary are controlled by VCWG, and DID WG has extensions, I assume it's fine. In general in
support of the alignment.
<Zakim> manu, you wanted to speak to "concrete representation" concerns.
manu: Regarding concrete representation concerns.. There is a disagreement on one of the PRs about whether we will have a concrete representation for the controller document. We need to settle that in VC WG.
manu: My impression was people wanted to use a plain JSON non-DID version. We have no media type for that.
manu: So we need to decide if we are creating that and if it gets a media type. If it does, then that's okay. Then DID document will have its own media type.
manu: I'm not concerned about the layering there and about concrete representations.
manu: It's a discussion we need to have, but there are multiple ways forward.
manu: Regarding extensions, where do they live. It could be part of VC extension, and we could move the DID-related extensions over there.
manu: Or we have our did-extensions. We could say any property that is allowed on a DID document can be allowed on a controller document.
manu: Other option is that we could have a separate controller-extensions repo.
manu: It's an open question.
manu: We should pick something and go with it, there ways through both topics.
ivan: Regarding disagreement between manu and I, we'll solve it.
ivan: Regarding question by markus_sabadello, we already have a funny situation. Almost all terms are in the controller document or security vocabulary.
ivan: As I remember, one term ended up in a different vocabulary.
ivan: So we already have a case where a DID document may have properties that are not in the controller document, which I think is not a problem.
ivan: Every time there is a new term, we should decide if it's DID-specific, or if we believe it is also usable for any other specification that may decide to use the controller document.
<Zakim> manu, you wanted to speak to service descriptions, and what we want to do there.
ivan: I'm not worried about that
manu: I'm not worried about it either. Due to the extensibility mechanism we have, there is a clean story. There is a full URI that describes the property. You don't have to worry about conflicts elsewhere.
manu: We should have a discussion where the best place is for these discussions.
manu: The specific examples regarding service endpoints is a really good one to figure out.
manu: I think we should move service descriptions over to controller document.
manu: People who didn't want to use DIDs did not want to use JSON-LD, and didn't need service descriptions.
manu: We should move service descriptions over.
markus_sabadello: Yes, I agree - service descriptions should be moved over. Historically, there are other examples of discovery formats where you have service descriptions or some equivalent concept.
markus_sabadello: In the core properties, there is already one property that's in a different namespace... `alsoKnownAs`, we had discussions with Activity Streams, so it's an example of a property that's defined elsewhere in a different group, in a different vocabulary.
ivan: There is a pragmatic reason that worries me about service descriptions. We are under time pressure in VC WG. In order to move to Rec, we need clear references.
ivan: Controller document was relatively late in the process.
<Zakim> manu, you wanted to note time pressure on controller document
ivan: If DID WG needs something in controller documents, it should happen fast
manu: I think our timeline for controller documents was shifted recently, as many new issues have been opened.
manu: Moving service descriptions over I think may be a challenge, but would be worth doing (vs. not doing).
manu: If we are in agreement that architecturally speaking it makes sense, we should go ahead and try.
manu: I don't think it will go into CR until maybe November.
Wip: Seems there is consensus to use controller document, let's bring this to the main DID WG call.
<Wip> issue w3c/
Wip: for the rest of the call, let's focus on an issue 43 raised by David Chadwick
<Wip> w3c/
Wip: A PR was created to address this issue.
<Wip> w3c/
JoeAndrieu: Regarding issue 75, there is a notion that I have pushed back fairly consistently, which is referring to the properties in the DID document as describing the subject. I think this is an error and confuses people.
JoeAndrieu: Describing the subject is something VCs do, DID document shouldn't be a place where we make statements about the subject.
JoeAndrieu: Its primary function is to express how to verify proofs.
JoeAndrieu: It's about verifying actions and interactions.
JoeAndrieu: Received some feedback from Mike and Dave.
manu: It seems JoeAndrieu is making good, concrete suggestions.
manu: A bit of history.. DID documents were always meant to be general resources that existed in a global information graph. They are like any other node in an information graphs.
manu: But they had certain useful pieces of information used for interactions, such as cryptogrpahy.
manu: Nodes in the graph are identified by an identifier, and then you have relationships to verification material, which are keys that an entity controls.
manu: I don't like the word "controller". There is pushback that we shouldn't talk about a global graph, but rather a specific thing.
manu: I get concerned when people say VCs are different from DID documents from a data model perspective.
<dlongley> w3c/
manu: We break the information model that all this work has been based on. I think we can improve the language. But a DID document is a node in an information graphs, with relationships to verification methods, etc. You could merge it with a VC that speaks about the same identifiers. You have different levels of trust.
manu: Maybe we should have called them resource documents instead of controller documents.
markus_sabadello: My understanding is aligned with what Manu said - nodes in information graphs that can be merged. Traditionally, DID Documents have been used for specific content such as keys and service endpoints, mostly for privacy/considerations. However, over the years, all kinds of other information is included in the DID Document -- use cases related to organizational identity and things of that nature. The DID Document becomes more than just a
container for public keys.
<Zakim> JoeAndrieu, you wanted to say if the representation of the global graph presents making statements about identifiers, it's the wrong context for DID Documents
JoeAndrieu: I'm not a big fan of this notion of a global knowledge graph. Because of Goedel's incompleteness theorem.
JoeAndrieu: If we talk about a system of identifiers, it becomes challenging due to the "id" field in JSON-LD.
JoeAndrieu: Identifiers are the core thing we need to talk about.
<KevinDean> +1
JoeAndrieu: I'm not a big fan of this notion of a big fan of a global knowledge graph, mostly about Goedel's incompleteness issue... if we are talking about a system of identifiers, I think it's difficult to say things about identifiers. I think what we are talking about are identifiers. I love how JSON-LD gives us decentralized disambiguation, but all documents need to be reconstructable in a single knowledge graph, use mathematical cosntruct to put all
statements in graph, Difficult for me to square that.
dlongley: An identifier is just a string of characters. It could have a certain shape such as a URL, but that's about all you're really talking about when it comes to the concept of identifier.
dlongley: Controller documents let you work with resources that are related to other resources that have the identifier in it.
dlongley: All actions related to a controller document, e.g. proving that you are allowed to do something, that can change. Different people can make claims about it. This doesn't have to happen in the DID document, it can be in a VC.
dlongley: Saying that you interact with an identifier makes no sense, and you don't make statements about identifiers. You make those statements about the subject.
dlongley: We're expressing that the entity has verification methods related to it.
dlongley: When interacting with the other systems, using a resource identified by the id, you use the verification methods in those documents.
<Zakim> JoeAndrieu, you wanted to say asserting that the verification methods relate to anything beyond the provable elements of the method is a guarantee error
JoeAndrieu: I don't think they allow you to make statements about reality. We have verification methods. Do you have specific cryptographic guarantees about what is proven.
JoeAndrieu: If we make a statement about person X, whether this has validity about person X, this is what happens in VCs.
JoeAndrieu: For an identifier, we are saying how you verify certain proofs in relationship to the identifier.
<KevinDean> +1
<Zakim> dlongley, you wanted to say "this verification method is associated with a thing referred to by identifier X" is a statement about reality
JoeAndrieu: DID documents are not about proving a certain individual.
dlongley: What I'm trying to say is that the simple statement that the verification method is related to a thing, that IS a statement about reality. It's a very simple statement used to achieve certain goals. This is the kind of statement that belongs in a controller document. This doesn't mean anything about identity assurance, we don't have to
bring this into the conversation.
dlongley: Proving which person it is, that's totally different.
<Zakim> manu, you wanted to note that I'm not saying we /have/ to do the global knowledge graph thing... I'm concerned about preventing that interpretation and having no universal model.
manu: JoeAndrieu I'm getting hung up on the belief that we are trying to create an equivalence between VCs and DID documents, and I don't think we're trying to do that.
manu: The level of trust you have in a VC is different from a DID document.
manu: You may trust both of those, but I doubt the level of trust is equivalent. You may trust one more than the other.
<dlongley> +1 proving something "is true" isn't relevant here :) ... we're just expressing information.
manu: Just because we say an identifier identifies a thing in the world, that's all we're doing. This doesn't mean you have to treat a DID document equivalently to VCs. It's possible to merge them into the same graph, but I don't think anyone is saying that you should do that by deafult.
manu: It's similar to getting two VCs from different sources.
manu: I'm most concerned about not having a model for thinking about it in this way.
manu: If we say DID documents and VCs are totally different things, then we don't have a unified model anymore.
manu: All information models have issues when getting down to provability and completeness of statements.
manu: Unless those things actually apply to the problem set we're solving, I don't think we should bring them into the discussion.
manu: They may be important philosophical concepts, but probably don't affect the code we write.
<Zakim> JoeAndrieu, you wanted to say "statements about the referrent" = VC "statements about proofs related to the identifier" = did document
JoeAndrieu: Once we frame the properties as being about the referent, we get into a loop.
JoeAndrieu: We need to make statements about identifiers. The VC doesn't make it easy. This is what Goedel's theorem is about.
<dlongley> i don't think we have anything to get around -- at least i don't understand the problem, everything seems fine to me :)
JoeAndrieu: We can prove a proof with cryptographic closure. We cannot prove statement about reality.
JoeAndrieu: We don't interact with identifiers.
dmitriz: Maybe a pointer analogy is useful in this discussion
dmitriz: In programming languages we never describe properties of pointers, we just talk about what they point to.
dmitriz: One of the places where controller docs are being used is decentralized social media... Mastodon, Bluesky, Threads, etc.
dmitriz: In that world, accounts have "actor" profiles. Those profiles have acquired verification methods that the actors can sign statements with.
dmitriz: This turns social media profiles into DID documents. They also use JSON-LD.
dmitriz: We have this data point of it being used in the wild.
dmitriz: This seems to mix VC and DID worlds.
dmitriz: In these docs, you have both public keys, and statements about the entity
<dlongley> +1 i don't think that's an information problem, but a privacy consideration
dmitriz: In the DID WG we were very careful to not put other statements (PII) into the document, due to privacy concerns
<Zakim> manu, you wanted to agree w/ Dmitri (what people are doing) and focus on concrete language.
dmitriz: But we have this data points in actor profiles of the hybrid use.
manu: +1 to dmitriz
manu: People are starting to do things that would have made us very uncomfortable a few years ago, to try to minimize what's in the DID docu
manu: But in the AcitivityPub example, people put information into the profiles that are meant to be publis
manu: It does fit in with the information graph we were talking about before
<dlongley> +1 to agree with that position, minimize what goes into the DID doc -- and a separation of concerns helps with privacy and interop; but none of this is a theoretical information problem, but rather these are practical concerns
manu: Another way of looking at it is that the DID document could be considered a "self-asserted" VC, in a different format.
manu: The "id" at the top-level is the unified information model.
manu: To get concrete about this...
JoeAndrieu: I think you just described exactly the conflation problem I have been trying to reverse.
JoeAndrieu: DID docs and VCs feel similar, but they are not the same.
JoeAndrieu: I don't think that model is the right model to think about DID docs
<dlongley> +1 i agree with Joe that DID docs and VCs are different and have different uses, but ultimately, both *happen* to make statements about things -- but that isn't what the difference is (or why there is a difference)
JoeAndrieu: Identifiers are used to "pivot" between different contexts. I'm labeling an identifier in a DID document, so that I can recognize it in VCs and verify proofs.
JoeAndrieu: Imagining that they are somehow the same thing, that is the root of the tension
<dlongley> -1 that the "they are the same thing is the root of the problem", i think the root is elsewhere :)
manu: That's a good summary of the disagreement. But I see it as a non-issue.
<dmitriz> also disagree with Joe that DID Documents are identifiers. they're documents, not identifiers.
JoeAndrieu: I think dmitriz's example in ActivityPub is the problem with the language we are using.
Hmm, I thought the ActivityPub usage was just fine :/
JoeAndrieu: We're multiplying the problem if other groups use it like this.
Wip: We will be discussing this at TPAC.
Wip: Thanks everyone.
<dlongley> +1 to the conversation; i think the boundary is privacy and whether how/why you need to decouple statements in separate containers, not what is being talked about
yes, also +1 to that ^