14:55:06 RRSAgent has joined #did 14:55:10 logging to https://www.w3.org/2025/07/24-did-irc 14:55:12 rrsagent, draft minutes 14:55:13 I have made the request to generate https://www.w3.org/2025/07/24-did-minutes.html ottomorac 14:55:18 rrsagent, make logs public 14:55:23 Meeting: Decentralized Identifier Working Group 14:55:28 Chair: ottomorac 14:55:41 Agenda: https://www.w3.org/2025/07/24-did-minutes.html 14:58:06 previous meeting: https://www.w3.org/2025/07/17-did-minutes.html 14:58:08 next meeting: https://www.w3.org/2025/07/31-did-minutes.html 14:59:06 present+ 15:00:30 JoeAndrieu has joined #did 15:00:38 present+ 15:00:44 I have made the request to generate https://www.w3.org/2025/07/24-did-minutes.html TallTed 15:01:09 markus_sabadello has joined #did 15:02:02 KevinDean has joined #did 15:02:08 present+ 15:02:45 present+ 15:03:27 Wip has joined #did 15:03:36 present+ 15:03:49 scribe+ 15:03:54 present+ 15:05:10 present+ 15:05:37 ottomorac: reviews current progress and agenda 15:05:53 q+ 15:05:53 ... Any questions? 15:06:00 ack pchampin 15:06:23 present+ 15:06:29 pchampin: Email from Julian from ISO about the decentralized identity architecture. 15:06:45 ... basically very positive. we can got for category A liason for TC307 15:06:54 ... I'll work on that form with a goal of end of this week 15:07:07 s/can got/can go/ 15:07:07 present+ 15:07:08 Topic: Debrief DID Test Suite Special Topic - 23rd July 15:07:19 ottomorac: first topic: test suite topic call 15:07:27 q+ 15:07:32 ack Wip 15:07:35 JennieM has joined #did 15:07:38 present+ 15:07:47 wip: It was a great discussion. Markus wasn't there, so we want some feedback. 15:08:05 ... We want to pick 1-5 normative statements in the spec we feel are stable ... 15:08:12 ... Manu? 15:08:38 manu: Good discussion. The things we talked about were like what would be the best way to create the test. 1. We have to extract all the normative statements. 15:08:48 ... initial extract: 82 statements. 15:08:57 ... Concern that is a lot of statements. 15:08:57 smccown has joined #did 15:09:08 ... Concern raised that these tests take a lot of effort 15:09:16 ... and we want to avoid problems we had with previous approaches. 15:09:28 ... specifically avoiding static tests 15:09:43 ... we want to ensure that the test suite can be regularly run to make sure conformance is maintained 15:10:06 ... There was a discussion about starting small and focused and get to an end-to-end scenario with at least two different implementations? 15:10:14 ... If we can, then we can expand to more tests 15:10:30 ... Also discussed how disruptive it is for the spec to change after tests are written. 15:10:54 ... So we discussed how we as a group figure out how implementers should run the test 15:11:11 s|Agenda: https://www.w3.org/2025/07/24-did-minutes.html|Agenda: https://lists.w3.org/Archives/Public/public-did-wg/2025Jul/0009.html | 15:11:18 I have made the request to generate https://www.w3.org/2025/07/24-did-minutes.html TallTed 15:11:26 ... No one signed up for leading the test suite. Will mentioned willingness to help, as did Digital Bazaar, but neither could take the lead. 15:11:43 ... Then, towards the end, we talked about concrete things to move the test suite forward. 15:12:06 ... 1. Pick an architecture. (Reuse VC 2.0 or something else) 15:12:30 bigbluehat has joined #did 15:12:49 present+ 15:13:11 ... I can go into detail about what that means, but if we have consensus on that, the downstream decisions get easier. 15:13:22 q? 15:13:42 ... Next question is what are the first 5 tests and what organizations are going to provide endpoints? 15:14:17 ... Another key decision to make: do we require that each resolver work against at least one did method? or do resolvers bring their own method 15:14:56 ottomorac: some of these tests might be automated. Was there a discussion about hiring a tester? 15:15:59 Topic: Unaddressed denial of service vector #897 15:16:18 manu: I think it would be good for us to take some resolutions with the test suite 15:16:19 +1 to resolutions 15:16:32 ... Will had suggested some proposals. I have some rough ones written up. 15:16:46 ottomorac: let's go to that 15:16:57 q? 15:17:15 s/Topic: Unaddressed denial of service vector #897// 15:17:29 manu: I have three rough proposals 15:17:46 ... first is to make the test suite did method agnostic 15:18:37 ... the alternative is we would need to require that all resolvers resolve a specific DID method for testing, such as a did:key 15:18:43 q+ 15:18:53 q? 15:18:55 ... So the resolver tells the test suite which methods it supports 15:18:59 q+ 15:19:01 ack markus_sabadello 15:19:08 markus_sabadello: I think its a good idea based on our experience. 15:19:24 *chair hat off* I strongly prefer the BYO DID Method approach 15:19:25 ack ivan 15:19:25 ... when you submit your implementation, you specific a number of DIDs and expected results and we run against that. 15:19:48 ivan: Nothing against it, but to make it automatic, we'll need a clear way to identity each method. 15:20:00 manu: it will literally be a DID that it supports 15:20:04 ivan: ok. that works. 15:20:10 q? 15:20:13 +1 15:20:29 PROPOSAL: Make the DID Resolution test suite "DID Method agnostic" (each endpoint specifies legitimate and invalid DIDs to use against the implementation) 15:20:33 +1 15:20:33 +1 15:20:34 +1 15:20:34 +1 15:20:38 +1 15:20:39 +1 15:20:42 +1 15:20:50 +1 15:21:36 RESOLUTION: Make the DID Resolution test suite "DID Method agnostic" (each endpoint specifies legitimate and invalid DIDs to use against the implementation) 15:21:39 +1 15:21:58 ottomorac: ok. thanks for that. 15:22:06 ... 15:22:13 manu: two more to consider 15:22:46 ... The next one is imperfect, but the general architecture of VC 2.0 can be reused 15:23:08 ... I think this is a solid improvement over the original DID test suite 15:23:56 ... these are mocha driven tests that output JSON we format for humans 15:24:12 ... hundreds of thousands of dollars of work that we can reuse 15:24:19 ... Then we just need to write the literal tests 15:24:35 q+ 15:24:41 ... The only thing I'm concerned about is that Danube Tech did build a test suite. 15:24:45 ack markus_sabadello 15:25:07 markus_sabadello: I would have suggested the same thing. All these tests suites (VC-related) have been successful, so starting with that as a basis is great. 15:25:19 q+ 15:25:26 ... And we can help with specific tests by copying what we have into the VC framework 15:25:29 ack ottomorac 15:25:39 q+ 15:25:44 ottomorac: Does this architecture require the use of Mocha? 15:26:01 q? 15:26:03 ack manu 15:26:19 q+ 15:26:20 manu: Yes. It does use Mocha. We don't have to use it, but it would be more work to replace it 15:26:33 ... Let's reuse as much as possible 15:26:34 ack bigbluehat 15:26:54 bigbluehat: what we're getting from Mocha is the reporter integration. We could use something else, but it would basically be starting over. 15:27:33 ... The tests can be rewritten in another language, but the framework with mocha/chai/javascript would be non-trivial to replace that 15:27:39 q? 15:28:01 RESOLUTION: For the DID Resolution test suite - adopt the test suite infrastructure that was used for VC v2.0; configuration based, HTTP API driven, runs at a regular interval, generates JSON output, formatted into a human-readable report. 15:28:01 +1 15:28:03 +1 15:28:05 +1 15:28:07 +1 15:28:08 +1 15:28:10 +1 15:28:10 +1 15:28:12 +1 15:28:17 +1 15:28:19 +1 15:28:24 s/s/RESOLUTION: For/PROPOSED: For/ 15:28:25 +1 15:28:34 +1 15:29:11 RESOLUTION: For the DID Resolution test suite - adopt the test suite infrastructure that was used for VC v2.0; configuration based, HTTP API driven, runs at a regular interval, generates JSON output, formatted into a human-readable report. 15:29:36 manu: hopefully an easy one. We're going to start small. 15:29:51 q+ 15:29:56 +1 , fully agree to start small 15:29:59 ... this is modest guidance to the person writing the initial tests 15:30:11 q- 15:30:19 ... Then we will decide how to flesh out the rest of the tests as things stabilize 15:30:33 q? 15:30:40 PROPOSAL: For the DID Resolution test suite, focus on a small number (~5) of end-to-end tests with at least two implementations to start. 15:30:42 +1 15:30:43 +1 15:30:44 +1 15:30:44 +1 15:30:46 +1 15:30:46 +1 15:30:47 +1 15:30:47 +1 15:30:50 +1 15:30:54 +1 15:30:57 +1 15:31:02 +1 15:31:32 RESOLUTION: For the DID Resolution test suite, focus on a small number (~5) of end-to-end tests with at least two implementations to start. 15:31:33 q+ to ask DDOS question 15:31:41 ack JoeAndrieu 15:31:41 JoeAndrieu, you wanted to ask DDOS question 15:31:43 scribe+ 15:31:47 q+ 15:32:01 q+ 15:32:04 q- 15:32:34 JoeAndrieu: I wanted to ask, If I have resolver that wants to work with these tests... I think we agreed that I need to have resolver up and running to respond to these tests, how to handle denial of service? 15:32:58 manu: I think we had this concern before, we could use a docker based approach.... 15:33:07 manu: yes. that was a concern with VC 2.0, but nobody had a problem with that. We do have a docker option. 15:33:19 ... that could be a way to provide a non-DDOSable way to do it. 15:33:20 s|Topic: Debrief DID Test Suite Special Topic - 23rd July|Topic: Debrief DID Test Suite Special Topic - 23rd July https://github.com/w3c/did-resolution/issues/92| 15:33:24 q+ 15:33:30 +1 15:33:31 ack manu 15:33:35 ... Also we have authorization turned on for some of the VC services. 15:33:52 ... So that would also be a way to do it. Oauth or ZCAPs. 15:33:57 ack bigbluehat 15:34:11 ... Github secrets manage the access tokens 15:34:41 My connection is still a little spotty. I just wanted to flag, that we will aim to schedule another special topic call soon to make progress on the test suite work. Especially focusing on selecting the 1-5 statements 15:34:59 Topic: Unaddressed denial of service vector #897 15:35:10 https://github.com/w3c/did/issues/897 15:35:23 Issue raised by Victor Dods in regards to possible loophole for infinite did resolutions related to various way in which we refer to the term controller in the spec. He sees a risk for infinite loops which he thinks should be addressed in the security considerations section. Will has provided some comments on it. And Manu is suggesting that we perhaps move it to DID resolution. 15:36:02 ottomorac: manu thought this might be more a did resolution issue than did-core 15:36:22 q+ 15:36:27 ack markus_sabadello 15:36:31 I have made the request to generate https://www.w3.org/2025/07/24-did-minutes.html TallTed 15:36:48 q+ 15:36:59 ack manu 15:37:36 manu: I can do the move. Basically we had to provide advice that did resolvers need to detect cycles and make sure they don't get lost in infinite loops 15:38:05 Topic: DID Resolution PR Processing 15:38:19 Subtopic: add security consideration about how noCache can lead to DDOS so clients should expect that servers may deny cache bypass #171 15:38:31 Feedback has been provided by Manu and Will on the PR. 15:38:39 https://github.com/w3c/did-resolution/pull/171 15:38:44 ottomorac: feedback from Manu and Will. Markus anything to point out? 15:38:55 s|RESOLUTION: For the DID ReRESOLUTION: For/PROPOSED: Forolution |PROPOSED: For the DID RESOLUTION | 15:39:07 I have made the request to generate https://www.w3.org/2025/07/24-did-minutes.html TallTed 15:39:13 markus_sabadello: I haven't been able to review yet. It makes sense. 15:39:13 q+ 15:39:25 ack Wip 15:39:51 wip: Wanted to add, the PR is great. But there is a mention of an error in there. We probably need to add the error to our error list. 15:39:56 q? 15:39:59 q+ 15:40:06 ack markus_sabadello 15:40:30 This bit "Resolvers that deny resolution without caching can respond with an error that makes it clear that bypassing the cache was not permitted " 15:40:32 markus_sabadello: I agree. If we say there's an error, we should also define that using problem details and error codes 15:40:47 ... we already have a few errors specific to resolution. So we should add it 15:41:08 Subtopic: Remove "Future Work" section #170 15:41:13 https://github.com/w3c/did-resolution/pull/170 15:41:19 Suggestion from Markus to remove this section from the spec since we haven’t had much suggestions and corresponding issues have been closed and/or moved to DID Extensions 15:41:43 ottomorac: this seems to have general agreement 15:41:50 q+ 15:42:02 ack markus_sabadello 15:42:20 markus_sabadello: it just made sense to me. There were three topics: JSON Pointers, Introducing Proxy Service and Introducing redirection functions. 15:42:31 ... Those discussions, we moved these things to extensions 15:42:43 ... Unless we want a list of future extensions, we can just remove this 15:42:51 ... But I'm not sure we should have such a list 15:42:57 q? 15:43:00 +1 to remove this 15:43:04 +1 to remove 15:43:14 +1 15:43:21 Subtopic: Write examples as text instead of PNG images. #168 15:43:30 https://github.com/w3c/did-resolution/pull/168 15:43:40 q+ 15:43:48 ottomorac: this next one is examples in text instead of images 15:43:54 ack markus_sabadello 15:44:06 markus_sabadello: used to be a lot of PNG documents, largely replaced with SVG docs 15:44:27 ... this one replaces images directly with text (JSON) 15:44:46 Subtopic: Remove a few issue markers #169 15:44:54 https://github.com/w3c/did-resolution/pull/169 15:45:03 ottomorac: mostly editorial. 15:45:11 ack markus_sabadello 15:45:26 markus_sabadello: In some sections there are references to old issues. So this just removes the ones that have been closed. 15:45:34 q? 15:45:49 Topic: DID Resolution Issue Processing 15:46:04 Add DID Resolution architecture security and privacy considerations #133 15:46:10 Subtopic: Add DID Resolution architecture security and privacy considerations #133 15:46:20 https://github.com/w3c/did-resolution/issues/133 15:46:25 What considerations do implementers of the resolvers need to have in mind. Joe had referenced “RFC 3552 Guidelines for Writing RFC Text on Security Considerations” indicating that in the work with Simone this was incorporated. 15:46:43 scribe+ 15:46:56 q+ 15:47:05 ack JoeAndrieu 15:47:53 JoeAndrieu: Simones suggestion is that security consideration sections be done as threat model and the walk through the various types of threats.... 15:47:56 q+ 15:47:58 q+ 15:48:19 JoeAndrieu: I am still working with Simone, so we should probably revisit later 15:48:21 ack ivan 15:48:46 q+ 15:48:47 ivan: would that kind of requirement be there for already existing recommmendations that get republished. Do we need it for DID spec as well. 15:48:53 Ivan: Is this something that we should do for the did spec as well? 15:50:00 JoeAndrieu: I think it is desirable, but perhaps not required.... The goal we have is to have a threat model framework that any spec in the W3C VC spec can fit into... 15:50:20 Ivan: I have some doubts about it..... 15:50:39 ack markus_sabadello 15:51:03 markus_sabadello: I've been thinking about security consideration. I agree we need more work. The threat modeling sounds useful. 15:51:24 ... One thing is the specification has a section about resolver architectures. Which introduces some security related topics. 15:51:38 ... How to read from a VDR, how to talk with a resolver, and proofs and meta data. 15:51:47 ... So how does that relate? 15:51:48 q+ 15:52:07 ack JoenAdrieu 15:52:17 ack JoeAdrieu 15:52:34 JoenAdrieu: the diagrams are the right place to start the work.... 15:52:41 q- 15:52:53 S /JoenAdrieu/JoeAndrieu/ 15:53:11 manu: Just to react to did-core consideration request. I'm not sure what the ask would be. 15:53:45 ... I don't think it's quite there yet. It's a lot of work. I'd rather not redo that section until we have a good guidance on what to do. 15:53:49 q+ 15:53:54 ack manu 15:54:03 ack JoeAndrieu 15:54:26 q? 15:54:39 Subtopic: Complete threat modelling analysis for different DID Resolution architectures #132 15:54:41 ottomorac: there is another issue. 15:54:44 https://github.com/w3c/did-resolution/issues/132 15:55:04 q+ 15:55:17 ottomorac: should we merge these? 15:55:18 ack markus_sabadello 15:55:25 markus_sabadello: Will created that one. 15:55:47 ... My recollection is that there is maybe an interest in describing the architectures in a general way (as it is now) but maybe also concrete examples. 15:55:56 Wip has joined #did 15:56:21 ... This feels like adding the specific examples. 15:56:53 ottomorac: sounds like this is more specific for each architecture. 15:57:03 ... this is also blocked by having more guidance 15:57:12 I have made the request to generate https://www.w3.org/2025/07/24-did-minutes.html pchampin 15:58:06 JoeAndrieu: this is not blocked by Simone's guidance.... I think the security considerations section does need to wait, but the let's dive into the diagrams.... 15:58:26 Yep I think so. We first select the architectures, then model the threats 15:58:33 agree ^ 15:59:18 I have made the request to generate https://www.w3.org/2025/07/24-did-minutes.html pchampin 17:10:53 zakim, end the meeting 17:10:53 As of this point the attendees have been TallTed, ottomorac, KevinDean, pchampin, Wip, JoeAndrieu, markus_sabadello, manu, ivan, JennieM, bigbluehat 17:10:55 RRSAgent, please draft minutes 17:10:56 I have made the request to generate https://www.w3.org/2025/07/24-did-minutes.html Zakim 17:11:01 I am happy to have been of service, ottomorac; please remember to excuse RRSAgent. Goodbye 17:11:02 Zakim has left #did 17:11:26 RRSAgent, please excuse us 17:11:26 I see no action items