Meeting minutes
Yes
Sorry
Agenda Review, Introductions (5 min)
ottomorac: DID Issues, DID Resolution Issues/assignments, DID Resolution Threat Modelling
DID Issues [1] (10 min)
manu: New VC Charter is out for a vote, so if you are a member please vote -- early and often.
scribe
w3c/did#911
<ottomorac> Move normative DID method specification statements about equivalentId and canonicalId into this spec #911
<ottomorac> (meaning move them from DID resolution to DID Core)
<manu> +1 to do that, thank you!
manu: +1 to this good to do.
Wip: One of the comments from Jeffrey, so good to do. Wip to reference this when done and following up with Jeffrey.
manu: Summarizing each of the issues they raised in their tag issue tracker they have so it is clear things were closed out.
<Wip> +1 I will do that
DID CR publication
<Zakim> manu, you wanted to suggest next topic: DID CR publication...
manu: Been travelling and lost track of where we are on CR. I think I was supposed to get a CR candidate req want to be sure each horizontal review has been completed or timed out -- perhaps not accessibility. Manu to do CR candidate reg, and group needs to provide a date for it.
pchampin: A formal resolution would help.
JoeAndrieu: Date needed? Going into CR or out? And how long is CR?
manu: At least 30 days, say that, but requires resolution from the working group.
JoeAndrieu: Issue is the Threat Modelling likely to be another month.
manu: Propose leaving CR at minimum, but can be longer.
ivan: Put minimum -- just means no Recommendation before that date -- but can be longer. No need to put in details of whys and whats.
<JoeAndrieu> +1
<Zakim> manu, you wanted to suggest Feb 19th?
pchampin: Agree.
manu: Based on that -- publication date of CR Feb 19 DID 1.1 with minimum time in CR. Let's get that in a resolution.
manu: to draft a resolution ... in real time.
<ottomorac> issue 914 Publish DID v1.1 as a Candidate Recommendation with a target publication date of Feb 19th 2026.
<manu> +1
<pchampin> +1
<Wip> +1
<TallTed> +1
<ottomorac> +1
<JoeAndrieu> +1
<swcurran> +1
<ivan> +1
<dmitriz> +1
<JennieM> +1
<smccown> +1
RESOLUTION: Publish DID v1.1 as a Candidate Recommendation with a target publication date of Feb 19th 2026.
ivan: Manu -- don't know what happens with testing? Have to produce test plans for CR -- can we reuse what was done before?
manu: Yes -- good news is that work was done Oct 2025, updated the test suite to use 1.1 context, runs against all tests, and no need to contact original implementers. Nice to run full JSON-LD coverage. But we can prove will not break compatibility.
w3c/did#914
manu: did:null was submitted as a proposal as an April Fools Joke, but kinda serious. Signals could be worked on at the Method level. From experience, we have never needed a null/empty DID, so not clear there is a need. Could, and Methods may have a way to express.
Wip: Did look at it, consensus was you don't need this. Suggest that issue submitter propose a DID Method.
<Zakim> JoeAndrieu, you wanted to follow URLs/URIs
smccown: Agree let him submit. Have not seen a reason -- other than Comp Sci often needed. Not clear how serious given the other examples he provides. Perhaps just going for completeness, but I don't see the point.
JoeAndrieu: Make own did Method -- that said, there is no such thing as a "null" URL and a DID is a URL.
dmitriz: re: did:sunny, etc. -- URN is for that -- point him to that.
DID Resolution Threat Modelling
JoeAndrieu: On Tuesday met with Sing and started the process and it went well. Not much ideation, but JoeAndrieu to go through the slides.
JoeAndrieu: Joe to put PPT into the record later. Scribing will cover comments, but not slide contents.
JoeAndrieu: Slide 1 Agenda.
<ottomorac> slide: Today
JoeAndrieu: Slide 2 - commitment by end of CR -- hence previous discussion.
JoeAndrieu: Groundwork for DID v1.1 security review.
JoeAndrieu: Steps -- picture/stakeholder analysis, identify threats, describe good responses. Exercise -- used the Web -- worked well. People. Legal. Public Sector.
<ottomorac> Mocha?
JoeAndrieu: Use various frameworks -- formal analytic approach -- or start with concerns you already know about -- things we've considered in the past. What did we care about? Build out from there.
JoeAndrieu: Define responses, including accepting. Various responses -- there is an acronym for that. Could have multiple responses for a single threat.
JoeAndrieu: Slide 4 -- Categories of Threats.
JoeAndrieu: Slide 5 -- Constellation of Threat Models that interconnect. Shared diagram is key.
manu: Very helpful. Have looked at the doc. The fuzziest in my mind -- constellation. Where does this spec's model stop and others begin? Who decides where the edge is?
manu: What happens if there is no threat model to point to? E.g. if none, just point to security and privacy in the spec?
JoeAndrieu: Yes -- point to the spec if you have to. W3C is pushing this approach, but others (e.g. IETF) are/may not, so RFCs won't be covered.
JoeAndrieu: Level of detail will vary about the boundaries of concern. Could go all the way to the hardware -- go for it, but others may only go to the network, or software level. Perspective is from the authors view -- in the diagram created.
JoeAndrieu: Slide 6: Next steps
JoeAndrieu: Tada -- The Diagram -- link to be added to the record.
JoeAndrieu: Focus on first two columns -- third is proxy -- we can cover that later.
JoeAndrieu: Please think about the terms and challenge them if needed.
JoeAndrieu: Future iterations -- different implementation models.
<manu> +1 overall diagram looks good to me, thank you for all that hard work, Joe!
Wip: What do we need to spin up a repo for this work?
pchampin: I can do that if needed.
manu: Great work -- thanks. Would like to adopt, and to get it into a repo so that we can publish as an FPWD
ivan: Tried to imagine what one would do with VCs. Create a diagram that covers the lifecycle of a VC? Is that the process, with each step?
<ottomorac> zakim close queue
JoeAndrieu: You could use a sequence diagram. What Sing is advocating for is whatever makes sense. In my case, I like dealing with key flows, but not an end-to-end process. Could do it in one with all the processes -- the three parties, and the key flows between them.
<Zakim> Wip, you wanted to mention DID Path PR briefly
<Wip> w3c/
Wip: Not threat modelling. DID URL Path review needed -- please do and let's try to merge in a week or so. It's on the clock.
JoeAndrieu: Do we need a resolution to start a repository for DID Resolution Threat Model, then a later one for DID Core?
JoeAndrieu: Proposal is all specs need a Threat Model, and changing the focus from DID Resolution to DID Core gets a different model.
pchampin: Post the resources to the mailing list, that gets a URL and then we can add the permanent URL to the record.
<pchampin> threat model diagram: https://
<pchampin> Joe's slides: https://
<ottomorac> m2gbot, link issues with transcript