15:43:57 RRSAgent has joined #did 15:44:02 logging to https://www.w3.org/2026/02/26-did-irc 15:44:11 rrsagent, make logs public 15:44:20 Meeting: Decentralized Identifier Working Group 15:44:23 Chair: ottomorac 15:44:27 Agenda: https://lists.w3.org/Archives/Public/public-did-wg/2026Feb/0014.html 15:44:28 clear agenda 15:44:28 agenda+ Agenda Review, Introductions (5 min) 15:44:28 agenda+ DID Core Candidate Rec Update \[1\] (5 min) 15:44:28 agenda+ DID Path PR - Final Call \[2\] (10 min) 15:44:28 agenda+ DID Resolution Privacy Review \[3\] (10 min) 15:44:31 agenda+ DID Resolution Test Suite \[4\] (10 min) 15:44:33 agenda+ DID Resolution Threat Modelling Update \[5\] (15 min) 15:44:40 previous meeting: https://www.w3.org/2026/02/19-did-minutes.html 15:44:44 next meeting: https://www.w3.org/2026/03/05-did-minutes.html 15:56:25 TallTed has joined #did 16:00:30 present+ 16:00:47 KevinDean has joined #did 16:00:48 JoeAndrieu has joined #did 16:00:54 present+ 16:01:53 present+ 16:01:56 swcurran has joined #did 16:02:01 present+ 16:02:08 I have made the request to generate https://www.w3.org/2026/02/26-did-minutes.html TallTed 16:02:26 Wip has joined #did 16:03:08 bigbluehat has joined #did 16:03:20 dmitriz has joined #did 16:03:43 present+ 16:03:46 scribe+ 16:04:08 ottomorac: welcome everyone 16:04:16 ... we'll look at the update on DID Core 16:04:19 ... the DID path PR 16:04:29 ... and a few issues raised by someone at Mozilla 16:04:46 ... and then we can wrap with 15 minutes or so about threat modeling 16:04:51 ... anything else? 16:05:00 zakim, next item 16:05:00 agendum 1 -- Agenda Review, Introductions (5 min) -- taken up [from agendabot] 16:05:09 zakim, next item 16:05:09 agendum 1 was just opened, ottomorac 16:05:16 q+ 16:05:21 ottomorac: the CR update 16:05:34 ack manu 16:05:39 zakim, next item 16:05:39 agendum 1 was just opened, ottomorac 16:05:43 manu: I made some changes to the status of the document section 16:05:52 ... and I could use some feedback 16:05:54 q+ 16:06:04 ... we didn't point to a test suite link, but now we do 16:06:24 ... we warn implementers as class 1-3 might result in changes to the spec 16:06:39 ... we clearly highlight what we need in order to exit CR 16:07:02 ... for statements that are machine testable, there must be ___ implementations 16:07:27 For CR criteria: 16:07:32 there should be a test suite for DiD 1.1 (it's the case but not explicit). 16:07:33 ... we've heard that we'll need 2 producers and 2 consumers 16:07:34 JennieM has joined #did 16:07:36 we'd like to see a dependency between DiD 1.1 and DiD Resolution, ie DiD 1.1 shouldn't move beyond CR if DiD Resolution isn't able to do the same as well. 16:07:41 conforming implementation is defined using conforming producer and conforming consumer. At least, we'd like to see two consumers interoperating with one producer and two producers interoperating with one consumer. 16:07:43 ... which is different than the typical "2 implementers" 16:08:02 ... these are complaints from previous iterations and so I think the goal is to avoid that this time 16:08:10 present+ 16:08:19 q? 16:08:27 ... additionally there's pressure to make sure DID Resolution exits at the same time as DIDv1.1 16:08:32 ... which raises the bar a bit 16:08:53 ... there's also some boundary setting language about formats and resolution 16:09:05 ... but there have been no new comments on it--positive or negative 16:09:11 ... so I plan to merge it after the call 16:09:17 ... prepping the doc for publication 16:09:35 ... and PLH has approved it once his concerns have been addressed--which they are now 16:09:41 ack pchampin 16:09:46 present+ 16:09:50 ottomorac: so the two specs are kinda joined at the hip now, correct 16:09:55 manu: yes, and that's new 16:10:14 pchampin: did you see that PLH +1'd the transition issue? 16:10:25 ... you can count him as approving the other PR also 16:10:29 ... so we're good to go 16:10:46 manu: excellent. I'll let you know when it's done 16:10:55 https://github.com/w3c/did/pull/921 16:11:03 https://github.com/w3c/transitions/issues/774 16:11:12 zakim, next item 16:11:12 agendum 2 -- DID Core Candidate Rec Update \[1\] (5 min) -- taken up [from agendabot] 16:11:19 zakim, next item 16:11:19 agendum 2 was just opened, ottomorac 16:11:30 Zakim, close item 2 16:11:30 agendum 2, DID Core Candidate Rec Update \[1\] (5 min), closed 16:11:31 I see 4 items remaining on the agenda; the next one is 16:11:31 3. DID Path PR - Final Call \[2\] (10 min) [from agendabot] 16:11:36 Zakim, next item 16:11:36 agendum 3 -- DID Path PR - Final Call \[2\] (10 min) -- taken up [from agendabot] 16:11:48 https://github.com/w3c/did-resolution/pull/260 16:11:52 ottomorac: next topic 16:11:59 q+ 16:12:05 ... we are mostly done on this one, I think 16:12:15 swcurran: I had a great conversation with JoeAndrieu yesterday 16:12:20 ... I think we agree on the state of it 16:12:26 ... but language clarification would help 16:12:28 ack swcurran 16:12:35 ... JoeAndrieu would like me to go through it one more time 16:12:44 ... and I think he was going to take a look at it lalso 16:12:51 s/lalso/also 16:13:14 ... our disagreements that remain seem separate from this PR at this point 16:13:28 ... so I plan to do one last pass to clean up anything that remains awkward or unclear 16:13:34 ... and thanks to TallTed for his help also 16:13:37 q? 16:13:49 zakim, next item 16:13:49 agendum 4 -- DID Resolution Privacy Review \[3\] (10 min) -- taken up [from agendabot] 16:13:53 +1 to Stephen's report out 16:14:19 subtopic: https://github.com/w3c/did-resolution/issues/294 16:14:26 HTTP Bindings could be more tightly specified #294 16:14:43 ottomorac: there are some suggested improvements hese 16:15:43 scribe+ 16:15:58 q+ 16:16:05 ack Wip 16:16:16 danpape has joined #did 16:16:39 Wip: are we using http headers? 16:16:48 q+ 16:16:49 q+ 16:16:53 ack manu 16:17:09 Manu: I think he is saying we are vague about what layer we are trying to target.... 16:17:37 Manu: so he is basically saying we are not clarifying caching and which headers are ok.... 16:17:47 q- 16:17:48 Manu: Also regarding the client and resolver trust relationship.... 16:17:51 smccown has joined #did 16:18:05 Manu: He wants more clarity that 16:18:19 q+ 16:18:54 present+ 16:18:55 Manu: He is also asking about browser apis vs just pure http.... it sounds like you guys are using pure http... and then we need to clarify what changes we might make before raising PR 16:19:03 q? 16:19:08 ack JoeAndrieu 16:19:53 q+ 16:19:54 q+ 16:19:57 JoeA: We are not using HTTP headers in a meaningful way, we are only using https so we need to put some detail around that 16:20:01 scribe+ 16:20:02 ack bigbluehat 16:20:26 bigbluehat: In the context of a privacy review he does want more detail about referer.... 16:20:52 bigbluehat: I dont think he wants the whole expansion of http headers, perhaps a paragraph or two could suffice... 16:20:58 bigbluehat: In the context of a privacy review, he's looking for specific callouts that "void the warranty" on privacy -- origin cookies, things of that nature -- it is in the context of a privacy review. I don't think he's looking for a full expansion, and how we treat each one, perhaps something on privacy conscious clients and things that might explore those things. 16:21:01 q- 16:21:07 q? 16:21:21 q? 16:21:23 q+ 16:21:24 scribe- 16:21:27 ack Wip 16:21:35 Wip: anyone want to take this on? 16:21:54 ... we have maybe 4 weeks 16:22:05 ... so it'd be great to have someone tackle it 16:22:28 bigbluehat: I'll do it 16:22:31 ottomorac: thanks! 16:22:44 subtopic: https://github.com/w3c/did-resolution/issues/293 16:22:49 ottomorac: we have another one from the same reviewer 16:22:50 Tracking of resolutions and dereferences by downstream entities from the resolver 16:23:49 q+ to say we it's likely out of scope 16:24:06 ack JoeAndrieu 16:24:06 JoeAndrieu, you wanted to say we it's likely out of scope 16:24:31 JoeAndrieu: I appreciate the concern raised, but I think because of our security model that this is out of scope 16:24:38 ... essentially, the trust is in the resolver 16:24:46 q+ 16:25:04 ... I do think we need to be more clear about that 16:25:07 ack Wip 16:25:16 ... otherwise, I don't know how to address this one 16:25:33 s/trust the resolver/rely on the resolver to keep secret information secret/ 16:25:33 `trust` is a terrible word to use 16:25:42 Wip: my first read left me feeling like he's thinking primarily of Web-based resolvers 16:25:56 q? 16:25:59 ... and this is privacy focused review again 16:26:07 q+ 16:26:12 scribe+ 16:26:21 TallTed: trust is a terrible word 16:26:34 ... relying on the resolver to keep secret information secret would be better 16:27:12 q? 16:27:19 q- 16:27:20 q+ 16:27:44 s|s/trust the resolver/| instead of "trust the resolver", 16:27:46 manu: I need to look through again because I'd though we'd added stuff about OHTTP, etc. 16:27:54 I have made the request to generate https://www.w3.org/2026/02/26-did-minutes.html TallTed 16:28:00 ... I do agree we should write more in the privacy concern section 16:28:06 ... he mentions mentioning techniques 16:28:13 ... and OHTTP would be one 16:28:27 ... one our specs does do that...maybe VC Data Model? 16:28:30 q? 16:28:41 Wip: we do say steps can be taken to obfuscate requests 16:28:51 manu: yeah, but we don't spell it out and point to options 16:28:56 ... which I think is what he wants 16:29:36 https://w3c.github.io/vc-bitstring-status-list/#validate-algorithm 16:29:42 manu: here it is 16:29:46 We say this: "Verifiers SHOULD cache the retrieved status list and SHOULD use proxies or other mechanisms, such as Oblivious HTTP, that hide retrieval behavior from the issuer." 16:30:03 q? 16:30:07 ... we could say something like this in the DID Resolution privacy section 16:30:10 ack JoeAndrieu 16:30:14 ... I think that's what he's after 16:30:23 JoeAndrieu: I agree we could improve the language 16:30:31 ... but I'm not sure caching should be here 16:30:37 s/be here/be there 16:30:49 ... it's not really part of our architecture 16:31:23 ... I think we should add that, again, one shouldn't ask a resolver for a DID unless there's some trust in what the resolver may do with that DID 16:31:32 ... I'm honestly not sure how the obfuscation helps 16:31:32 q? 16:31:32 q+ 16:31:33 q+ 16:31:40 scribe+ 16:31:46 ack bigbluehat 16:31:55 bigbluehat: the question is who are you being private from? 16:32:05 bigbluehat: http will only mask so much... 16:32:46 bigbluehat: as Joe said we need to clarify what level of trust is expected 16:32:50 ottomorac: so, maybe we're clarifying what level of trust is being expected? 16:33:01 JoeAndrieu: TallTed's right. We should avoid saying trust 16:33:06 ... it is more about reliance 16:33:17 ... the protocol may need you to talk to a central server 16:33:24 ... as sad as that makes me, it's possible 16:33:29 ... and that may leak PII 16:33:35 q? 16:33:51 ... and the fact that the resolver can do all that stuff is just part of the pioneering part of this ecosystem 16:34:08 ottomorac: and I guess the concern here is that the resolver may not work on behalf of the user? 16:34:22 JoeAndrieu: it's just like browser choice 16:34:22 ack manu 16:34:54 manu: so, the reviewer is coming from a browser vendor 16:35:08 ... and browsers do try to mask certain requests through things like caching 16:35:26 ... to really know something, you do have to GET the newest thing 16:35:33 ... but what if you do it 10 seconds later? 16:35:40 q+ caching is a thing that people will do. We don't have a secure way to do that. 16:35:45 q+ to say caching is a thing that people will do. We don't have a secure way to do that. 16:35:56 zakim, close the queue 16:35:56 ok, ottomorac, the speaker queue is closed 16:36:01 ... one thing that caching does do is mask how many requests are being made which can help obfuscate usage patterns 16:36:09 ... OHTTP can help by masking who's asking 16:36:26 ... that plus caching can be helpful for further obfuscation 16:36:39 ... so I don't think it's quite the same as choosing a browser 16:36:48 ... I do think there are places where this stuff matters 16:36:52 q? 16:36:58 ack JoeAndrieu 16:36:58 JoeAndrieu, you wanted to say caching is a thing that people will do. We don't have a secure way to do that. 16:37:30 JoeAndrieu: if we're talking about making OHTTP optional, I think that's fine 16:37:38 q+ 16:37:40 q+ 16:37:42 ... making it mandatory would be a mistake 16:37:50 ... I think encouraging caching would also be a mistake 16:37:56 ... because it's not actually resolution 16:38:00 What to cache and for how long is a business decision based on the use case. 16:38:11 ... and if we encouraged that, we'd be doing a disservice to the client 16:38:24 zakim, next item 16:38:24 agendum 5 -- DID Resolution Test Suite \[4\] (10 min) -- taken up [from agendabot] 16:38:26 hmm, "stay silent on caching" feels like sticking our heads in the sand -- people will do it, fine to warn, but think it's a mistake to not talk about it as a privacy concern. 16:38:29 ottomorac: k. I want us to move on. Let's let this on simmer 16:38:39 Wip: I'm taking the lead on the test suite 16:38:44 https://github.com/w3c-ccg/did-resolution-mocha-test-suite/pulls 16:38:46 q+ 16:38:56 ... there is an open PR on this repo which has a pretty solid base 16:39:09 ... not sure who's implementing, but I'd love to hear from folks who are 16:39:17 ... I've implemented resolution locally 16:39:21 ... but it's not live 16:39:28 ... so not sure how we want to do that 16:39:43 ... if you have a library, just plug it in locally 16:40:00 ... there are some tests that are still unstable 16:40:10 ... but many of these feel complete 16:40:14 q? 16:40:18 ack manu 16:40:51 manu: glad to see we have 2 implementations! 16:40:55 ... this PR looks good to me 16:41:05 ... I'd say we make this the new base 16:41:15 scribe+ 16:41:17 ... and I don't think the WG really needs to give it a deep review yet 16:41:31 q? 16:41:33 q+ 16:41:37 ack manu 16:42:00 manu: on the local implementation vs remote, when we do what we did for did-core we already paid the price for longterm.... 16:42:23 manu: some people just want to up a simplified docker instance and try to call it a resolver... 16:42:49 q+ 16:42:59 manu: I don;t want us to put it in the effort and then people abandon those resolvers... 16:43:11 q+ 16:43:24 manu: I would rather help you out 16:43:47 ack Wip 16:44:03 Wip: yes thats fine, what I meant is i DO have an https wrapper... 16:44:23 Wip: last thing, swcurran do you have a resolver implementation? 16:44:23 q- 16:44:43 swcurran: I think so, but let me take a look at what you did 16:44:44 swcurran: the DID webvh meeting is soon. I need to do a bit more work 16:44:52 q? 16:45:02 scribe- 16:45:17 zakim, next item 16:45:17 agendum 6 -- DID Resolution Threat Modelling Update \[5\] (15 min) -- taken up [from agendabot] 16:45:45 ottomorac: so, JoeAndrieu I think you've been tackling these 16:45:59 JoeAndrieu: we've made some adjustments to the diagrams 16:46:12 ... one thing to share is that I went over this with swcurran 16:46:18 ... mostly to focus on the path PR 16:46:35 ... some of this was tangled up in resolution vs. dereferencing 16:47:01 ... these clarifications should allow me to clean some stuff up this weekend 16:47:55 ... I've walked through the diagram with various methods, etc. 16:48:04 ... and each time I've gone through it, it's gotten "richer" 16:48:47 ... the goal here is that each component in the diagram is shared across each of the flow diagrams 16:49:12 ... so, for example, when one is offline, there are fewer components, etc. 16:49:32 ... as I think through this for my personal situation, I'm the client admin for example 16:49:53 ... but in a larger organization, that may be a completely different person in a different part of the organization 16:50:01 ... swcurran is hopefully going to do this one for webvh 16:50:16 q? 16:50:22 ... I'm hopeful that these diagrams will give us things to point at when reviewing methods 16:50:44 ... like my disdain for DNS in did:webvh presents as a particular threat in the modeling 16:51:00 ... so we can point at those and discuss them more accurately and narrowly in future 16:51:14 ... there is more work to do here on extensibility 16:51:27 ... and think about where those introduce threats 16:51:45 ... for example, when we get into DID Core and start talking about verification methods 16:52:01 JoeAndrieu: swcurran and I are setup to do regular meetings 16:52:08 q? 16:52:12 q+ 16:52:16 ack manu 16:52:17 ... I could talk through some of these threats now, if we want 16:52:33 manu: this might derail us... All of this made good sense, JoeAndrieu 16:52:50 ... however, I am concerned about other people being able to do this same sort of work being done here 16:53:12 ... is there a way to productionize this work, basically 16:53:19 ottomorac: are we saying other spec writers? 16:53:23 manu: all of them 16:53:24 q+ 16:53:29 ... we don't want a bottleneck here 16:53:42 ... for example, we don't all have access to the diagramming tool 16:53:47 ... so could we use Mermaid? 16:53:54 ack JoeAndrieu 16:54:04 ... we don't have to solve any of this right now, but I do want to highlight the concern 16:54:20 JoeAndrieu: the threat modeling guide actually already speaks to this 16:54:32 ... it's not tool or even diagramming approach specific 16:54:39 ... the output just needs to be accessible 16:55:00 ... I think the threat modeling is the solution, not the creator of the problem 16:55:12 ... software developers don't really have training in any of this 16:55:29 q+ 16:55:29 ... and we've been abdicating to SING...and they are eternally backlogged 16:55:32 q+ 16:55:36 ack manu 16:55:46 ... so the hope is that training all of us in threat modeling will alleviate that a bit 16:55:59 manu: sorry, that wasn't what I was trying to convey 16:56:07 q+ 16:56:18 ... mostly, I'm after "where's the respec for threat modeling" sort of questions 16:56:24 ack JoeAndrieu 16:56:25 JoeAndrieu: just ask. We have plans for these things 16:56:33 ... we're trying to JSON-ify these things 16:56:40 ... and WGs can model threat models in JSON 16:56:50 ... and then a respec plugin will render them 16:57:00 ... we do have a threat modeling spec in respec 16:57:02 q? 16:57:07 ... it's not JSON-ified yet 16:57:09 ack ottomorac 16:57:19 manu: thank you. that's actually what I was looking for 16:57:32 ottomorac: specifically on some of there charts 16:57:37 q+ 16:57:40 ... are you expecting everyone to make these? 16:57:46 ... like at least DID Method authors? 16:57:48 ack JoeAndrieu 16:57:50 JoeAndrieu: yes. that's the goal 16:57:56 ... really anyone could do a threat model 16:58:02 ... we state this in the guide 16:58:07 zakim close the queue 16:58:16 ... we have a weird thing with the high extensibility of DID methods 16:58:20 zakim, close the queue 16:58:20 ok, ottomorac, the speaker queue is closed 16:58:28 ... but we expect that people will use this as foundations in their own work 16:58:45 ... for example, we don't say anything about key management 16:59:00 ... but the hope is that each group would express how they're doing it via a threat model 16:59:07 ottomorac: k. let's come back in a few weeks 16:59:10 JoeAndrieu: sounds good! 16:59:16 ottomorac: thanks everyone 17:00:56 rrsagent, make minutes 17:00:58 I have made the request to generate https://www.w3.org/2026/02/26-did-minutes.html ottomorac 17:02:09 m2gbot, link issues with transcript 17:02:09 comment created: https://github.com/w3c/did-resolution/pull/260#issuecomment-3967923903 17:02:10 comment created: https://github.com/w3c/did-resolution/issues/294#issuecomment-3967924011 17:02:11 comment already there: https://github.com/w3c/did-resolution/issues/294#issuecomment-3967924011 17:02:12 comment created: https://github.com/w3c/did-resolution/issues/293#issuecomment-3967924251 17:02:45 zakim, please excuse us 17:02:45 leaving. As of this point the attendees have been pchampin, KevinDean, TallTed, swcurran, bigbluehat, JennieM, ivan, smccown 17:02:45 Zakim has left #did 17:03:02 RRSAgent, please excuse us 17:03:02 I see no action items