W3C

– DRAFT –
Decentralized Identifier Working Group

25 June 2026

Attendees

Present
JennieM, ottomorac, pchampin, smccown, swcurran, TallTed, Wip
Regrets
-
Chair
ottomorac
Scribe
transcriber-bot

Meeting minutes

<ottomorac> transcriber-bot, connect

<ottomorac> transcriber-bot, connect

<ottomorac> transcriber-bot, pause

<ottomorac> transcriber-bot, resume

Otto Mora: Okay. Alright, uh...
… Oh

Agenda Review, Introductions (5 min)

Otto Mora: Uh, yeah, so today, um
… We will be talking about the overall timeline for the DAD working group, so Will has kindly put together a presentation with some points around that
… Uh, we want to maybe try to get to the topic of revisiting
… the data URLs, but I don't think we have the quorum for that, so I think it will be mainly potentially around the timeline, and I guess both Will and maybe Pierre discussing that a bit more with the group. Anything else folks want to add?
… Uh, yeah, go ahead, Will

Will Abramson: Yeah, I guess I would just add, I mean, hopefully...
… I have prepared something, I mean, it's a shame Stevens… um… Not here
… Steve, right? To talk about the dig URL resolution thing, but I think I do want to socialize it if we've got time, uh, just so we can start thinking about it, and… Yeah, so we'll see. I do expect us to get to the DID URL versus DID discussion again

DID WG Timeline &amp; Options (20 min)

Otto Mora: Okay, yeah, I think we should socialize then, you're right...
… All right. Thank you, Will
… Okay, go… so, yeah, go ahead, Will, we have the topic of the… the timeline and the representing

Will Abramson: Alright, yeah, great. Um, yeah, so I'm gonna share my screen, and I'm gonna present… Um...
… basically, me, PA, and Otto had a discussion this week, and we looked at our
… Can you still see… can you see the dead working group, Taiwan?

Otto Mora: Yeah. Mm-hmm...

Will Abramson: Okay...

Otto Mora: Yeah, go ahead, yeah...

Will Abramson: Yeah. Yeah, so we were talking on Tuesday, um, we were talking about the timeline, right? How long we got left in our charter...
… What have we got to do? All of those things. Um, this is just a summary of
… That discussion, and kind of
… a bit of a reality check, I think, for us, about what our priorities are, given that. You know, 2 weeks of our 6
… Two months of our six-month extension is… up, effectively. Um… So
… Yeah, I mean, please, also you can manage the queue, and we can stop and have a conversation about any of this at any time. I'm trying to work through the conversation that we had. Yeah, so
… you know, just to highlight that, you know, we are running out of time. Our charter expires on the 28th of October 2026, which will be at TPAC. in Dublin
… And we've already been given the maximum 6-month extension for our chart
… That's a given. So that means we have 17 weeks, approximately. of work remaining in this group. But… You know, we are
… starting summer, right? It is summer now. I know I'm going to be out for at least two weeks, right? Joe and Manu aren't here this week. I know Joe's going to be out for a couple weeks in summer. Like, I'm sure people are going to be out. That just happened, so… You know, maybe we've got 15 weeks of work, right, if we're being generous. Um
… So it's just a, uh, you know, bear that in mind as we're going through this. And then there's, okay, well, what do we need to do in those 15 weeks to get to a state that
… Would be satisfactory for this group by the time our charter expires
… And I think the main thing, I'll decide about this later, is it will be a failure of this group if we do not get into candidate rec. for… bid resolution before our charter expires. I think it'll be much harder for us to get a re-charter, and it will be
… it will reflect badly on, you know, all the work that we've put in, and the wider DID community. We absolutely must
… be targeting to get into candidate rec. So, you know, we've got our first public working draft
… We have a working draft of bid resolution. Bid is already in candidate rec, with a few caveats that I'll get into later. Bid resolution is not in candidate rec, and we still have a bunch of things that we need to do to get a working group decision and team approval to move into candidate rec
… And then once you're in Candidate Rec, right, we can iterate on different Candidate Recs, but we also need to start thinking about how do we get out of Candidate Rec, how might we get out of Candidate Rec, and how do we get something that we're happy with, that we can go out to wide review. And then go out to have a AC review in time
… So, what does that actually look like in practice? This is what, you know, PA was just flagging for us. AC review is going to take a minimum of 28 days. Like, that's really the bare minimum
… Um… Before you have AC review. you have wide review. So, wide review is where, I guess, you… Let the W3C members know. You have a candidate rec that you're happy with
… And please take a look at it, right? I mean, maybe PA can speak a bit more to the details of that, but that also takes… you know, you need to have wide review for a minimum of 28 days, like an announcement on the mailing list for W3C members. Here's a spec, we want to get it to REC. We're just going to review it and provide comments, I think
… Right, and this is… I guess the wide review is kind of where
… the objections might come up, you know
… Or where they came up before, right? That's, like, the browser vendors look at it, and they say no, or they say yes. Um, so, yeah, that's 8 weeks, right? Like, we're really targeting to get to rec
… That's 8 weeks of our time, just trying to do the review, right? Like, so we've got 7 weeks. Of work
… that we have left to prepare our spec to be in a candidate REC state that we are satisfied with, so we can go out to wide review in time to be complete by the end of our charter. So, 7 weeks, not very much time
… Uh, which doesn't seem like very much time to me
… Um
… That's just a flag for that. And then second, or next, is, okay, what do we actually need to do in that time? Like, if we wanted to finish the DID resolution work in a place, or put it in a place that we would be. happy with, or it would at least have achieved something in this work, what needs to happen? So, this is really, um
… Starting from the backwards, right? Like, we need to absolutely move into data resolution candidate rec, right? We need to have a candidate rec that can be wide reviewed and can go to AC review
… So what do we need to do to move the JID resolutions back into cancer review? Candidate Rex, sorry
… We have to complete the horizontal review, and we have done quite a lot of this
… There are a few minor tag issues that remain
… thought
… The big thing, I think, for us to move into horizontal review, or the couple, is
… this threat modeling conversation, right? Like
… We haven't put any, or hardly any time in this group on threat modeling, but security requires threat modeling to be complete, or it requires specs to have a threat model to move into candidate review. And I think Joe would say, like, the bid core spec also requires a threat model to move out of candidate rec into a recommendation, based on

what he's heard from Simone. Um… I have a little pushback against this
… You know, it feels a bit unfair on this group that we've been asked to produce a threat model. Um
… really, this year, right? When we had… when we were just wrapping up the group, right? We didn't really know what a threat model entailed, like, saying we're still figuring it out. Feels like threat modeling maybe should have been a conversation that. New groups
… A requirement as far as new groups
… But even so, I think the threat modeling work is super valuable, and
… we should try and do it if we can. Like, for me, that is something that
… Has already uncovered interesting things, and it's just a different perspective that
… helps us when we're looking at this work. But it is a lot of work, right? A threat model is not… it's not something that we just whap out in a week. Like, that's gonna take some time and some conversation in the group to get something that
… we can all live with. Okay, and then the other thing we need to do is revisit the inputs to did resolution. Even though we've spent many… Painful weeks discussing this. Um
… we need to revisit it, I think, and I'll explain this in more detail later, um, I'd love to hear what you think
… Um, and then the last thing is, the thing that we've also spent many painful weeks discussing is the refactoring and finalization of the DID URL dereferencing algorithm
… And I guess I'm putting it to the group
… This is too much work for us to achieve in the small timeframe we have left
… So, the question goes, okay, well, what… what… you know, like, what is
… What does it mean to finish the DigiURL dereferencing algorithm?
… You know, like, how much work is just that piece?
… Currently, we've been talking about this as a working group since March
… Um
… I'm not… I mean, maybe other people are more positive than me, but I'm not convinced that we're much closer to a solution that everyone could live with than we were then
… maybe we are. There are some positive directions. I do like the direction of this refactoring, and I think there is… there is value to be uncovered there. But, um
… I'll get to how this fits in, like, I'm not saying we should discard the dural dereferencing entirely and go back to the current version, but I'm just saying maybe in this current charter, or in the current weeks that we have left, this shouldn't be a priority, because it is not critical past. Um
… Yeah, and just like, so could we do just this feature in seven weeks, right? Like, that's what I'm trying to say, right? If we didn't have anything else to do, and we just had finished the URL dereferencing, could we do that in seven weeks? I think maybe we could. But, just to flag, you know, we have spent at least 12 weeks on this already
… And even if we get a refactored algorithm that we are happy with, this algorithm would have to go through horizontal review. I think that's tagged, seeing, and ping, at least
… We have no test suite, and we have no implementations, I don't think, unless there are ones out there. I mean, maybe Marcus has one, but… um
… kids might not be conformant. Yeah, so, like, there's a whole piece of work there that's not even factored in. that we also need to do
… So, just like, you know, I'm not sure we're being realistic. I mean, I'm not sure even in 17 weeks we could do that. Maybe other people think it's… I'm being… Um, very negative
… I don't mean to be, I'm just trying to do a bit of a reality check here for folks
… Okay, and then I want to talk about, like, what is our priority right now? Like, what is the thing that we should be focusing all of our attention and energy on? And maybe, as chairs. We've not
… Have this top of mind, as much as we should have
… Um
… But my suggestion, and really, PA and me and Otto were talking about this
… from the outside, what people are looking to the DID working group to do is address the interoperability objections that were raised
… In the initial bid working group, the previous bid working group
… And the reason that we included did resolution into our charter
… was as a direct response to these objections. We claimed, by standardizing a interface. a consistent interface across DID methods, that you can execute the resolve function and get back a conformant DID document for any DID method, right? Not for any DID method, but you have one standard entry point. that you can call the same way for any DID

methods. We claim that that is the way we can address interoperability, because whether you use DID key, or DID web, or, you know, any of the DID methods
… as a… as someone… a client of those bids, someone receiving those bids, they know that the resolved operation is going to be the same, and the… the response from that is also something that's the same. The bid document's already been defined, so as long as they can take a bid. and get back a DID document, then we're claiming that there is

interoperability, and that is how we're addressing these
… objections. um… I think that's valid. I stand behind that claim. But, there is nothing in that claim that is dependent on did URL dereference. That's what I'm claiming here. Um… So
… I don't know, like, do these objectives care about digital URL dereferencing? Maybe. I know people in this group care about it strongly, right? That's why we're talking about a lot of people in this group have
… have use cases that depend on digital LD referencing, and ideally, they want those use cases to be
… standardized, so that there aren't all these competing different approaches to how you interpret a dig URL
… Uh, but I don't know if it's critical path. In fact, I think it's… I'm claiming it's not critical path
… You cannot have did URL dereferencing without did resolution. I think we all agree with that. Um, most people out there
… I may be claiming, without any evidence, are more interested in bid resolution initially. I mean, I think one of the reasons we have struggled in this group is there is not enough implementation experience with bid URL bid resolution. Um
… Yeah, so again, just to highlight this, the worst case scenario
… is for us to fail to get CR before our charter expires. Like, that is, like, people will be able to point out the DID working group and the work and say, they failed
… You know, like, the objectors will be able to point out the work and shut it down, or it'll be much harder for us to reach out to. And continue this work
… So… so what should we do? How do we… address this. Um
… when we were talking, we came up with a few different approaches. They're kind of in the same vein, but, you know, we can pick which one we might get first, with the caveat, you know, with the
… Um, point that we have to get to CR, right? Like, that is what we should focus on
… And so I think it's like, what's the minimum viable bid resolution spec that produces value?
… That we could take to CR
… Right? So, like, for me, I think what's critical is threat model is critical, although maybe we could debate that a little bit, but I would like to see us focus on threat modeling to get that done. I think the horizontal review issues are critical, and a decision on bid resolution input is critical. Did URL dereferencing is not?
… Um, and then, you know, that's not, like I said, that's not to say we're chucking out digital LD referencing, pull out the specs, we don't want to talk about it anymore. It's just to say right now, as a working group, what we're focusing our attention and time and energy on, especially in the calls. Has to be getting something
… that we are happy… that we are comfortable with to CR
… Um, and then, when we're in CR, there are a couple of options for how we can continue the work, right? Like, we can either
… plan to and intend to recharter to continue to discuss and address just the URL dereferencing, right? Like, we know we have this piece, we know it's under-defined, we know we haven't got enough time to get it ready, given our charter
… So we can… we can propose to reach out to that. The other option that PA suggested is, once you're in CR
… you can have… you can come into CR with the explicit intention to continuously iterate in CR, so create new candidate recommendations
… to complete the URL dereferencing. So I'm not fully sure on the… it's a bit of a hack, apparently, of the system. Maybe Jay can speak to it more. But, um
… So the real thing is, we have to get to see how with something. As soon as possible
… And once we're in CR, it just gives us much more options and, I guess, like, safety
… for how… We can progress to work. So, I think that's all I've got. Are there any questions, concerns, comments? Like, does anyone disagree?

Otto Mora: Uh, I put myself in the queue just to say a great presentation, Will. I think it's very, uh...
… grounded in in in reality. Yeah, definitely. Most people do care about the resolution
… That dereferencing… I mean, it is important and not to, like
… dismiss the… some of the, you know, the stuff that Joe has pointed out needs to be tightened up in dereferencing, but
… Uh, yeah, by and far, most folks just care about resolution and getting… you know, your dead document back. Um… So yeah, I think, uh
… it is raising some good valid points, and also, like, you know, realistically, yeah, like, even if… even if we have made some really good progress in recent weeks, I… You know, the current direction doesn't
… Wouldn't show that we would be able to fix
… the, uh, the referencing in time. I agree with that. Um, okay, I see Steven

Stephen Curran: Yeah, I mean, I agree with what you said, Will...
… I don't quite know… my purpose here is to just try to move things forward. I think not completing is a far bigger deal. We have
… Two people that have expressed that they're gonna formally object depending on what we do, so we have to… It would be nice to figure out
… You know what we could do
… to leave this… I… I guess what I want… was wondering, Will, is are you saying we leave this back as it is with the… did URL dereferencing, or remove it entirely?

Will Abramson: uh...
… Yeah, so concretely, um

Stephen Curran: Is that the way you want to go forward? I'm just not sure what you're suggesting on. Did you say?...

Will Abramson: I guess we would… I'd probably defer to Pierre for how he's on the call, but I think it would be the initial version that we moved to CR, you know, maybe we mark the sections as, like, non-normative, or at risk, or, you know, potentially we remove them. I think, ideally, we...
… We wouldn't remove them until, like, the final calendar wreck, but
… I think we… we make it clear when we're moving to CR which bits of the spec are, like, normative, um, part of the standard that we're trying to get to wreck in this candidate wreck. Like, part of the candidate wreck, and which parts are still very much
… unstable and could be either removed or need further iteration
… I don't know, PA, maybe if you can speak to Howie, yeah, yeah

Otto Mora: But go ahead, Pete...

Pierre-Antoine Champin: Yes, thank you. I hope you don't pick up the background noise too much. Is that okay?...

Otto Mora: Uh, it's okay, yeah...

Will Abramson: Yes...

Pierre-Antoine Champin: Okay, cool. So, yeah, marking some features as at risk is a way to warn people that, and I think it fits quite well the situation we're in...
… Well, to some extent, marking a feature as at risk means this might go away before we go to rec
… So we are not, the working group is not entirely confident that we can gather enough implementation experience on that. And if we don't, then it won't be part of the REC
… So that would be one way to go. I mean, at least marking it as at risk gives us this backdoor to move forward despite the absence of
… of implementation feedback
… But as Will stated, in fact, once we have a CR
… There are really two ways to move forward. Either we publish it as is
… Potentially by removing the at-risk part, and then hope to make the missing… to add the missing part in a future version of the REC
… Or we could just remain in CR for a while and publish. And you see our snapshots, which is something which is becoming increasingly common in working groups. And I'm not even sure that we have to decide this beforehand or that we have to clearly announce that
… I guess… I guess we need a straight story, uh, when we ask for a recharter, so probably if we… if we can clearly announce what's the plan, it would be better. But, um… But again, yeah, to strengthen Will's point
… I do agree that we need a CR to have something to show for our work. And then how we move on from that, there are several options. Yep, that's it

Otto Mora: Yep...

Will Abramson: Yeah, I guess I'm wondering...

Otto Mora: Go ahead, Will...

Will Abramson: You know, this option to stay in CR and continuously iterate, in both situations, we kind of need to reach out directly, aren't we? So, like, what are the pros and cons on each of them? Um, I guess one of the negatives I see about, like...
… staying in recharger… in… in Candidate Rec and never getting to Rec is… we never get to a Rec for
… Oh, it takes much longer for us to get to Iraq for bid resolution, which people can then depend on and rely on. Um, yeah, I'm interested to hear your thoughts

Otto Mora: Go ahead, Pete...

Pierre-Antoine Champin: Um, yeah, the, the, for me, the nice… thing about...
… remaining in CR is if people feel that a half-baked recommendation is worse than no recommendation at all. And I'm not sure if that's anyone's position in the group, but I anticipate that some people might feel… I've heard things
… That makes me makes me think that some people might be against having a recommendation
… rubber stamps by W3C that do not go as far as DDRL resolution
… If the plan is, we are not publishing, we are showing that we have something to show for our work that is a CR, it's better than nothing, it's definitely better than a working draft. But there is still work to do, and we will do that in CR
… until we finally reach consensus. In, in any case, yes, of course, we need, we need a re-charter, and the goal is to make, to, to, to, to, to have, uh, as much chances as possible that this re-charter is, is accepted, and that the
… The objectors to the did work cannot take this as an argument to stop us

Otto Mora: Mm-hmm...

Will Abramson: Um...
… Yeah, I mean, I guess we can move on. I mean, just to hear from anybody else, if you're not speaking and you have an opinion or thought about this, but

Grace Rachmany: Maybe...

Will Abramson: I'll share this, probably, with the mailing list...
… the email, the timeline? Do you think that's alright? Like, maybe the private paperwork and group one? Just the numbers

Grace Rachmany: When you say we can move on, I don't hear that you made the decision about what to do. Do you want to make a decision?...

Otto Mora: It's a bit...

Grace Rachmany: The same time frame...

Otto Mora: Could you speak a little closer to the mic, Grace? Sorry...

Grace Rachmany: Not sure. What?...

Otto Mora: I think you might… Ian...

Will Abramson: God, hey...

Otto Mora: Yeah, I can't hear you quite well...

Grace Rachmany: I think this is better. How's that?...

Otto Mora: Yep. Yep. Perfect. Perfect. Go ahead...

Will Abramson: Okay...

Grace Rachmany: I just had to turn off some Bluetooth things. Like, you're saying you want to move on, but I don't hear a decision, and I do hear that it's time critical. Like, is… like, the proposal on the table seems to be to remove certain parts...

Otto Mora: Mm-hmm...

Grace Rachmany: And maybe you can be explicit about what the proposal is and ask for a consensus, because it doesn't feel to me like you want to wait another week until a vote is given on what to do to move forward. If you've only got 7 weeks till you actually have to submit something, like...
… Now seems like a good time to agree upon next steps

Otto Mora: Yeah. Yeah. Go ahead...

Will Abramson: Maybe I can just respond to that. Sorry, Steven. Yeah, I mean, I think —...
… I think you make a great point, Grace, and we could figure out some proposal text. I'm a little hesitant about doing that without Joe and Manu, and I think for me, like, I think the bits that need deciding are just this end bit about what do we do around video or LD reference. thing, like… unless I hear someone strongly
… objecting to this, I think the chairs feel strongly that we need to turn all of our energy towards
… finalizing those bits around DID resolution. So that is finalizing the DID resolution horizontal review issues
… Sourcing out the threat modeling, and um
… I think that was it. Oh, and this… the inputs to the DID URL… to the DID resolution algorithm
… discussion. So, like, for me, like, that is what the chairs are gonna focus the group on next
… And then, the question that we will try and get to a resolution on, but I would like the input of Manu, and Joe at least, and maybe Marcus too, is
… Um, how do… how does the group proceed once we have got into a REC, in terms of, are we gonna try and stay in this candidate REC phase, or are we gonna
… Finish, move it, you know, completely wrecked, and then recharter around a, you know, 1.1
… spec, or whatever that just defines the URL that you're referencing

Grace Rachmany: Great. And I think it would make a lot of sense to be really specific about what, what, at what upcoming meeting you'd like to make the decision about what to submit to. I'm sorry, I don't know all the terminology, but it sounds like you need to send, submit this to review within seven weeks...
… And I think that it would be really useful to say on this date, we're going to make that decision. That way, Joe and Manu and all of the rest of us who are here today will know this is the date on which this is going to be voted on, and then anybody. Who doesn't show up on that date knows that they're missing that

Will Abramson: um...

Otto Mora: Mm-hmm...

Will Abramson: Yeah, okay, uh, we could pick a date, I mean… That's a good point...
… Maybe, I would say, 2 weeks' time? The 9th of July?
… Um, we could touch on it briefly next week, uh, and then… You know, and to bow in
… I'm gonna have to drive just to make this decision about what we're doing, if we're going to… how we're handling going direct once we are in there with a… Minimal viable version

Dan Pape: Sorry, well, I was about 10 minutes late, um, so I may have missed it. Is your hesitancy to make everyone vote next week because a bunch of people are still gonna be out, or… I don't know, it seems like we're kinda… And we got a...

Stephen Curran: Yep...

Dan Pape: make some decisions...

Will Abramson: Um, okay, well, I respond to that too. My hesitancy for voting next week is, like, I think next week, like, it's not like this vote is blocking us...
… Right? Like, there are things that we absolutely need to do on bid resolution that are
… independent of the decision that we need to make with this vote. So, like, two weeks feels like a bit more time for people to think about what they want to do, and I will share this
… slide deck in… with the mailing list, and I'll put that date thing in there, just so, like, two weeks is a bit more time for people to prepare to make sure that they're here if it's really important to them. And because it's not… okay, it is time critical, but it is not blocking the things that are also time critical

Otto Mora: Mm-hmm...

Will Abramson: On progress...

Grace Rachmany: And then maybe just say, if we do have all of the key players next week, we'll do it next week, and if not, we'll… the official date is 2 weeks from now...
… Just because, like, you don't want it to end up being blocked again because somebody doesn't show up

Will Abramson: Yep. Feather is cute...

Otto Mora: Yeah, sorry. Yeah, go ahead, Pierre...

Pierre-Antoine Champin: Yeah, my suggestion would be to plan the vote on next week...
… Uh, and the reason is, or the rationale, is that anyway, any decision made during a call
… always has a, by our process, has a one week, how do you call that? People have one week to react. So I think —
… scheduling the votes during next week's call, people, some people, everyone, but everyone will be aware. Those who want to participate to the live discussion will make their best to be here during the call. Then there will be a vote. Then the people who
… could not make it, still have the opportunity to chime in, and if there's no minus one during the call, somebody can still issue a minus one on the mailing list on the following week. So, uh, I think if we want to have a final decision in two weeks

<Wip> Ok lets do that then

Pierre-Antoine Champin: Scheduling the votes in next week's call is a right way to go

Otto Mora: Thank you. Uh… Steven?...

<TallTed> Decisions made in a call are *provisional*, until a week has passed

Pierre-Antoine Champin: Provisional is the word I was looking for. Sorry, any decision made during a call is provisional during a week...

Otto Mora: Oh, okay...

Stephen Curran: I think the biggest challenge is making what you're proposing, what the proposal is very concrete. We have...
… 5, 6 PRs that go off in different directions. Uh, we have an existing spec, we have merged one that
… is
… stated as being partial. What is the proposal? And so that's the big thing to figure out
… Then I think we need something very, very concrete, because we have very little time to execute on it. I think the threat model work is, as far as I know, it's writing. I don't think anyone's going to want to debate it for very long
… They are… we did a session, Joe hosted a session where he collected a number of threats and did the threat modeling. I think it's a… I hope it's just a matter of writing that up in a way that's reasonable, and I don't think there's going to be a lot of discussion or
… about that. It's more getting the work done. I'm much more concerned about what
… you want done to this to the did resolutions back regarding
… The did URL question and the did URL dereferencing. What state do you want it?
… left in when we go to Cr, so we can go to that direction. Right now we're going in 6 different directions
… That's it

Otto Mora: Go ahead, Will...

Will Abramson: Yeah, um, I guess, you know, what I'm suggesting is we stop going in all of those directions. I think that has been a distraction, and it's unfortunate, but we should...
… I mean, we can vote on this, too, next week, but I guess there's two proposals. The first proposal is the group stops putting its time and energy into DigURL dereferencing until we have a
… provisional, you know, a REC that the group's comfortable with, that is, like, minimum viable, and it includes resolution. And then the second proposal is about, once we have a REC, how does the group want to
… Um… move out of that wreck. Moved out, moved out of that candidate wreck
… into a recommendation, or do we want to continue this sort of iterative approach? So, like, the proposal is we're going to mark all of the digital URL dereferencing bits at risk
… And… Um… move forward like that. Like, that will be acceptable, I think, is what PA is saying, to move it into rep

<ottomorac> Link to Presentation from Will: https://docs.google.com/presentation/d/1aXwUMyvv37Iz0VfTl2jMlbqeJFWPIPgoYh0o5HAGbpM/edit?usp=sharing

Will Abramson: Uh, into a CR, rather. And then, obviously, before we moved out of… before we move out of CR, we would have a decision about, okay, how do we tidy up those, um, at-risk sections?

Otto Mora: Sure...

Stephen Curran: Sorry, I can't get to my the chat room right now. So I'm going to jump in the queue if I could...
… But does that mean, Will? Do you mean like we?

Otto Mora: Go ahead, go ahead...

Stephen Curran: go back to where the spec was 6 months ago on DID resolution, and just say, okay, we're gonna leave it at that. Is that what you're saying?...

Will Abramson: Um...
… Well, I think we need to get resolution, like the resolution algorithm, to a state that the group. Is, um, you know, willing to live with

Stephen Curran: Yeah...

Will Abramson: Like, whatever that is, we still have to get to consensus on the state of the DID resolution algorithm. That is part of the work that we will be doing over these 7 weeks...

Stephen Curran: And and my concern is, there's the passion is so high that that...
… that that's not really possible. I'm… I'd like to state that I don't care. I don't think it matters whether it's six months ago, whether the one we're going on. We're… we're… they're just… They come down to minor issues, in my opinion, but people think, you know, are very

Will Abramson: No...

Stephen Curran: passionate that absolutely, positively, this must happen, and they're conflicting, and that's where we've got a problem. I think it's… it's all on the margins, and whether we word it this way or we word it that way, it really doesn't matter...
… Um, so… But we have to have a definitive, okay, this is the direction we're going to go
… Um… Because saying, oh, we're going to resolve the DID resolution question, I think will take months. Um, given where we are and the… and the… progress we're making. I'm willing to close all my PRs on it. I'm
… I write PRs to try to express the will of what I interpret the DID Working Group is saying, and right now, I don't have a clue
… Um, because we're off in so many directions, so my preference would be we just go back to what it was at the beginning, and

Will Abramson: Yeah, thanks...

Stephen Curran: If we go into CR with that, I would like to see PATH added, but that would be just controversial, and therefore I don't want to see it, because I don't want any more controversy. I just want to see us get to CR, because if we don't get to CR, DIDs are seriously at risk...

Otto Mora: Pierre?...

Pierre-Antoine Champin: Okay, here's my potentially naive view on the topic and how we could move forward. For me, there are two aspects to the dissent in the group. One of them is...
… Should there be two entry points or just one? The previous version of the spec had two entry points, resolve that took a did and dereference that took a did URL
… And now it seems, if I understand correctly, we're moving toward a single entry point, which would therefore accept the URL
… The second source of dissent, and that's also why it took so long, is, uh, what about… how do we exactly manage did URLs that are not just dids? And there's a number of, uh, tricky issues there that… That makes that we don't have consensus
… So in order to move forward, the general plan is to leave aside the second source of dissent
… and focus on, okay, you give me a DID, I give you a DID document
… I think we could implement that in both of the… the first problem, really, both options allow to do that. Either we have two entry points, and therefore we just specify the first one, and we leave the second one for further work
… Or we have just one entry point, and then we say, okay, at the moment, that entry point, that function or algorithm or whatever
… it's supposed to accept arbitrary DID URLs, but at the moment, it is only specified for the subset of DID URLs that happen to be just DIDs. So. Again
… I, I, I, uh
… we need consensus on the first one, I guess, and that has been a large part of the discussion recently. The idea is to leave aside the second part, which is then, what do we do about those URLs that have paths and parameters and everything?
… But at least that divides the problem so that we only have to find consensus on that single part
… But yes, we still need consensus where it might still be hard to find

Otto Mora: Yeah. Thank you. Dan?...

Dan Pape: Oh, I was just going to ask, um, our… These...
… Will made the comment of, you know, PRs are going in all these different directions. Are any of these directions
… In the sense of just removing that thing completely, because if not, then yeah, hopefully
… It would be easier to make people see the sense of, you know, let's
… Just, you know, at least agree on something for these at-risk sections, and then, you know, yeah, if we can definitely iterate on them. After CR. Then, you know, hopefully that could

Otto Mora: Thanks, Dan...
… Will?

Will Abramson: um… forgot what I was gonna say. I, I...

Dan Pape: you know, get some people to, you know, come together a little bit. Like, for instance, I mean, yeah, if we need to put a pause on URL dereferencing, or at least, you know, at least put it in, just say, look, you know, this is still...

Will Abramson: I mean, I think, Dan, for the moment, we aren't talking about removing it...

Dan Pape: trying to be finalized or something, then yeah, that's… seems better than if there is someone who just doesn't want us to talk about it at all, which I don't recall there being, but I could be wrong...

Will Abramson: Like, removing it completely from the spec...
… Um, but that may happen once we're in CR, dependent on what the group wants to do

<swcurran> -1 to removing DID URL Dereferencing from the spec :-)

Will Abramson: I think the big… I mean, Pierre, you sort of hit the nail on the head. The big question that I have for the group, which we need to resolve, is what are the inputs to the resolve algorithm? You know, we've just had this long debate about switching from DIDs to DID URLs
… now, potentially, there's a reason to switch back, but are people gonna be happy with that? Like, I, I, um
… I think that is the big, um, blocker that we have to decide on. I mean, with my chair hat on… off, rather, I… Have
… a lot of sympathy for what Steven is saying, like, maybe we just roll back 6 months, and
… And is that a version of the spec that is minimum viable and the group could get behind? And that would be great to know. So, at least we have something that we're comfortable with. Uh, I don't know if that is the case with some members of the group, though, so

Otto Mora: Yeah...

Will Abramson: We'll have to see...

Otto Mora: Okay, well, I think we've, you know, I think the sense of urgency has been communicated. I agree with Grace as well about needing to cap to vote...

Revisiting Resolving DID URLs (20 min)

Otto Mora: And maybe we should move on to the next topic of of the the changing of the. um

Will Abramson: Hmm. Okay...

Otto Mora: potential changing of, uh… revisiting of the date URL as input. Um… Perhaps...

Will Abramson: Sure. Yeah, there's not that much time for this. Um… I don't know… Steve… Steven McCown, how well are you up to speed with this, uh… I think you and Joe came up with this reason that changing to dig URLs is maybe not a good idea?...
… Um, I have… I have a pre… like, a very short thing that I can just go over with the group, um, if that's useful, but it's really just what Joe sent me. I haven't had a chance to talk to him, um, so Steve, if you are able to speak to this issue. Might be better

Steve McCown: Yeah, Joe and I talked quite a bit about this, basically...
… Uh, well, long story short, um, it's probably good to review what he sent. He's more eloquent about that than I am

Will Abramson: Okay...

Steve McCown: Um, part of the concern...
… we were having was, what do online cloud-based resolvers do, and how can they, um
… cause surveillance issues for… for the users. And if… if those are virtualized and
… uh, pass requests on to other resolvers, um, then it kind of gets worse. And so, um, that
… That he sent you. Was part of our conversation. It was a long conversation about about that. Umm. I'm… I'm
… always kind of a little bit on the fence when it comes to dead URLs, um, just because of the way. That resolution, um
… dereferencing process can work, depending on how things are implemented

Will Abramson: Okay. I'll share...

Steve McCown: So, yeah, um, take a look at what he sent. He's much more eloquent than I am, but that was the concern. And then if you have a document, feel free to, um...
… Cut it out

Will Abramson: Yeah, yeah, that's great, thanks, Sue. Yeah, so this is what… this is really me trying to represent what Joe sent me, um...
… I don't know when it was, I saw it on… maybe on
… on Tuesday. Uh, so, he said, maybe we need to revisit this decision. That really is… that's the wrong title, right? The decision is about… do… does the resolution algorithm take a DID URL, or does it just take a DID?
… And the issue that I thought that Steve and Joe came up with was
… This scenario, where, you know, you have a valid key at some date, and then it becomes compromised. And rotate it to key 2
… Um, but the attacker controls G1
… So, consider the attacker is the person who's producing this VC
… they are able to create… put a DID URL in here. that, um
… Defines the version time as in the past for the key that they control. And obviously, this is
… Like, really, a good resolver, like, or really a good client who's verifying this proof should never trust. the, um
… version time and version ID
… that is provided by the proof controller, I don't think, right? Because in this case, this is a malicious buyer who is able to
… you know, manipulate the key that is used to misrepresent or maliciously present themselves as did XYZ. um
… So, you know, I thought this was a problem, and then the more I think about it, like. I think
… Joe was saying, well, really, the verifier should rely on this
… date, the valid from date, right, which is here, but then I was thinking, well, actually, that valid from date is also just a date that the issuer of this credential has put in there
… So, while there's nothing to stop the issuer of this credential from putting in this date as well. Basically
… I think if you've got a compromised key
… Really, you should be verifying proofs based on the current state of the document. Not some past state. If you care about that thing, I think
… So I don't know if I've represented this that well, but if anyone has any questions, I'll try and field them. um

Otto Mora: Guys...

Will Abramson: But, I, I...

Steve McCown: Um, yeah, so that...

Otto Mora: Oh, Steve McCown, go ahead, sorry...

Stephen Curran: But...

Steve McCown: Yeah, it was kind of a complicated issue that we were talking through. That's actually really good right there...
… Um, what we were trying to do was, um, give deference to Marcus's confused deputy problem
… And, um… That one of one of our proposals was to
… Um, not put that version… not pass along the version time
… To the, to the resolver. Uh, as well as the version ID
… Because what you're seeing is there's
… Some conflicts between all these parameters and the resolution and what a hacker might be able to do. And we thought — we didn't —
… we didn't really come down to a, please do this other than don't pass the parameters, as part of the resolution. I think we need a little more study on it
… But the issue that you're pointing out right there causes some confusion with
… With the time and the keys, and keeping them in sync, and whether an attacker has the ability to pass a different time

Will Abramson: Yeah, I think that was what came out, right? Like, what you… what you were saying is it should be that the person… the entity who is relying on this bid should be the entity that is defining all the resolution-specific. Parameters for it, rather than letting. Somebody else who's defined a did URL...
… dictate resolution-specific parameters, because then they can manipulate the state of the DID document that you get back

Steve McCown: Yeah, so...

Will Abramson: in ways that might cause attacks...

Steve McCown: part… part of what… part of what we talked about was stripping off those parameters so that, um, resolution takes a DID instead of a DID URL...

Will Abramson: Yeah...
… But then

Otto Mora: Stephen Curran's on the queue. Sorry...

Will Abramson: Alright, yeah, sorry. Oh, sorry...

Stephen Curran: And this goes back to my claim that we're really at the margins. Yes, you're right, that is an attack. But...
… Um, as PA notes, we… there are absolute legitimate use cases for having version ID and version time referenced as
… options or query parameters, or whatever. However, we want to pass them, and we can't. I I would object if we took those away that you couldn't do it. So those are the types of things that go into security considerations and that. So if this would allow us to get back to dids instead of did Urls. I'm also happy with that, because that would get

rid of
… the formal objection we know was coming already. Um, so, uh, I'm
… Sort of whatever argument you want to make that'll let us get back to that would probably be fine with me. And it's not going to matter at the end of the day. These are not huge issues. You either
… process the parameters before you pass them to the resolver, or the resolver processes them after it receives them
… And that's really somebody's got to process them, and somebody is going to process them, and some of them are going to be done wrong
… Potentially, and we could, and we could try to, um, let people know, but it's not a huge difference either way. So, um, what's the best way forward for getting a spec out versus arguing these little tiny minutiae?
… That… that aren't gonna change… that much. Rant over. Sorry

Otto Mora: Last word, Will...

Will Abramson: No, I… thanks, Stephen. I totally… I actually agree. I think these… these are threats. They are quite obscure, and they should be documented in the threat model and security considerations approach. I also feel that...
… those threats are present, whether we're passing in a DID URL or a DID with options to the resolve algorithm. So, I… I resonate with what he's saying
… Yeah, okay, thanks. I mean, I know it's not the ideal situation we want the group to be in, but I think at least now, the chairs will try and be very, um, tirelessly focused on getting us to wreck. To see our other. In time

Otto Mora: Thank you, Will, for the presentations. Very clear...

Pierre-Antoine Champin: Yes, thank you...

Otto Mora: Thanks, folks. Cheers...

Minutes manually created (not a transcript), formatted by scribe.perl version 248 (Mon Oct 27 20:04:16 2025 UTC).

Diagnostics

Succeeded: s/Otto Mora: Beer?/Otto Mora: Pierre?/

Succeeded: s/Cam,/McCown,/

Maybe present: Dan Pape, Grace Rachmany, Otto Mora, Pierre-Antoine Champin, Stephen Curran, Steve McCown, Will Abramson

All speakers: Dan Pape, Grace Rachmany, Otto Mora, Pierre-Antoine Champin, Stephen Curran, Steve McCown, Will Abramson

Active on IRC: danpape, JennieM, ottomorac, pchampin, smccown, swcurran, TallTed, transcriber-bot, Wip