Update README; add clarifying language around DIDs and VCs #122
Conversation
Co-authored-by: Frank Hinek <[email protected]>
|
A few discussion topics that come to mind -- raising to discuss but not state a strong preference:
|
|
Responding in place.
Some DID methods, like did key don't do this. I know we already have impls for these so I didn't want to break them.
Similarly, this is a requirement of our existing did:key support. We may encounter keys encoded like this with did:web but that's less of a concert to me.
Good call out. I will remove the property entirely. |
It appears that the DID Key method requires that the Are there well used DID Key libs that use relative DID URIs that you're aware of? |
|
@frankhinek my mistake! you are correct. I will update the guidance to require fully qualified URIs. |
README.md
Outdated
| | In-Memory Key Manager | | ||
| | AWS KMS | | ||
| | Device Enclave | | ||
| | Keychain | |
There was a problem hiding this comment.
keychain is the only one that's specific to swift, right? would it be appropriate to call that out in this one column of feature list?
There was a problem hiding this comment.
Good question @jiyoontbd
I'm wondering if we should even include Device Enclave? I'm a newb when it comes to native mobile dev, but to my knowledge we can't store Ed25519 or secp256k1 keys in any iOS or Android device's enclave (only NIST P-256/secp256r1 is supported). Perhaps we leave out requiring the implementation of a Key Manager for mobile device secure enclaves?
On Keychain: Perhaps include both iOS and Android? As noted here and implemented here, it is possible to stored Ed25519 and secp256k1 keys in iOS Keychain.
Do we already have a preferred approach for Android? AFAIK Android Key Store has no support for Ed25519 or secp256k1. Perhaps an approach similar to the one Samsung took?
There was a problem hiding this comment.
so right now we only have inmemory + aws kms (in all languages i think?), and ios keychain (swift only).
currently i'm not sure if android key management or general mobile device enclave should be listed in this column since:
- we haven't implemented them yet and
- we also have not decided how to write a key manager against either android phones or device enclaves
created issues here
TBD54566975/tbdex#271
TBD54566975/tbdex#272
please feel free to close these if needed, i am probably wrong / not up to date on this subject.
There was a problem hiding this comment.
I'm going to keep spec text as-is until we have a clearer view of what we should support
| | `@context` | Array of strings | No | Depends on the DID method. | | ||
| | `controller` | Array of strings | No | Depends on the DID method. Strings must be URIs. | | ||
| | `alsoKnownAs` | Array of strings | No | Depends on the DID method. Strings must be URIs. | | ||
| | `verificationMethod` | Array of [Verification Methods](#verification-method-data-model) | Yes | There must be at least one Verification Method in each DID Document. | |
There was a problem hiding this comment.
i want to say that there's a scenario in building did dht diddocument where i know the id of the verificationMethod (which makes their way into one of 5 array of strings below), but not the verif method itself... but not 100% sure.
either way, requiring this field to be present is a departure from the spec, yea?
There was a problem hiding this comment.
yes...have an upcoming dht pr to make that bit clearer with required relationships
and yes this is a departure from the spec
without a key I don't see the point in a DID Doc (feel free to convince me otherwise)
There was a problem hiding this comment.
this being a departure from the spec is a-ok with me!
i did think that bit of including the id but not linking it back to an actual vm was weird, so i'm on board with this.
also side note, i am also probably going to be refactoring dht stuff in kt, so if you have a kt pr in flight we should coordinate
There was a problem hiding this comment.
Perhaps we've yet to encounter a practical scenario, but I agree with the above and don't see much utility for any use cases we're contemplating to have a DID Document that lacks at least one verificationMethod entry.
Additionally, I've personally not run into a case where "embedded" verification method usage in a verification relationship property is necessary. In other words, a scenario where the only solution is to include a verification method embedded in a verification relationship property and NOT within the verificationMethods array. I'd imagine the W3C spec contributors had some reason for including this in the DID Core spec, but I've come up blank in trying to identify the motivation?
Seems like a question we might ask later -- but only to be prepared for a future Jeopardy round where 'Obscure DID Chronicles' is the surprise category.
spec/did.md
Outdated
| | `nextUpdate` | String | No | [XML Datetime](https://www.w3.org/TR/xmlschema11-2/#dateTime) value for when the next update of the DID. | | ||
| | `versionId` | String | No | Represents the version of the last update operation. | | ||
| | `nextversionId`| String | No | Represents the version of the next update operation. | | ||
| | `equivalentId` | Array of Strings | No | A stronger form of the `alsoKnownAs` property, guaranteed by the DID method. | |
There was a problem hiding this comment.
what do you mean by stronger form here? 😃
There was a problem hiding this comment.
the language is taken directly from https://www.w3.org/TR/did-core/#did-document-metadata
open to suggestions to make it clearer
There was a problem hiding this comment.
maybe providing an example would help
There was a problem hiding this comment.
@decentralgabe Both Moe and I had included some form of an explanation for equivalentId in web5-go and web5-js, which are both based on the DID Core spec language.
Perhaps including the pre-registration / post-registration example that is referenced would be a happy medium that tries to provide more context without being overly verbose?
There was a problem hiding this comment.
Could also link directly to this note https://www.w3.org/TR/did-core/#h-note-10
Pre-registraion/post-registration as the example case is really good, but may be too wordy for this doc (not sure?)
Co-authored-by: Jiyoon Koo <[email protected]>
spec/did.md
Outdated
|
|
||
| | Property | JSON Representation | Required | Notes | | ||
| | ------------- | ------------------- | -------- | -------------- | | ||
| | `error` | String | No | Required if there was an error during resolution. One of [`invalidDid`, `notFound`, `representationNotSupported`]. | |
There was a problem hiding this comment.
thoughts on including methodNotSupported?
There was a problem hiding this comment.
we also have internalError as one of the error enums
There was a problem hiding this comment.
➕ 1 on adding methodNotSupported and internalError.
I also think we ought to consider registering additional errors in the DID Resolution Spec that are particularly relevant for DID DHT resolution:
invalidDidDocument: The DID document supplied does not conform to valid syntax.invalidDidDocumentLength: The byte length of a DID document is not within an acceptable range, similar to the Web IDL / DOM RangeError
There was a problem hiding this comment.
will add both
what should internalError mean?
There was a problem hiding this comment.
@decentralgabe Missed this question. I've always interpreted internalError similar to the role HTTP Status code 500 plays. The (draft) spec text reads:
When an unexpected error occurs during DID Resolution or DID URL dereferencing, the value of the DID Resolution or DID URL Dereferencing Metadata error property MUST be internalError.
Given that the error is "unexpected" it covers cases of errors that aren't mapped to a more specific error code.
spec/did.md
Outdated
| | `type` | String | Yes | Must be a URI. | | ||
| | `controller` | String | Yes | Must be a URI. | | ||
| | `publicKeyJwk` | Object | No | Preferred. Represents a [JWK](https://www.w3.org/TR/did-core/#bib-rfc7517). Either this or `publicKeyMultibase` must be present. | | ||
| | `publicKeyMultibase` | String | No | Not preferred. Either this or `publicKeyJwk` must be present. | |
There was a problem hiding this comment.
are we cool with dropping this or adding it in later on? will be tough to find time to implement in dart. can find time if we feel it's important
There was a problem hiding this comment.
To add my personal opinion to the question, I am comfortable dropping publicKeyMultibase as a requirement for the first iteration of this spec.
@decentralgabe if you know of any significant adoption of Multibase format for DIDs by US state DMVs or EU member states, that could be a reason to include. However, given our heavy reliance on the JWK format in every SDK we've built to date and that DID JWK and DID DHT currently have no plans to support verification material in any format other than publicKeyJwk, it doesn't seem unreasonable to exclude if it adds work to our plates.
Side note: Juan/Protocol Labs & Manu continue to work on getting the multibase spec ratified.
| | Signing and verification of Verifiable Credentials as `vc-jwt` | | ||
| | Signing and verification of Verifiable Presentations as `vp-jwt` | |
There was a problem hiding this comment.
Any relevant links (specs, docs, etc?) for vc-jwt and vp-jwt?
README.md
Outdated
| | Feature | | ||
| | ---------------------------------------------------------------- | | ||
| | Data model | | ||
| | Validation (data model, JSON Schema, status) | |
There was a problem hiding this comment.
Does status here refer to this https://www.w3.org/TR/vc-data-model-2.0/#status? (wondering why it's called out specifically)
There was a problem hiding this comment.
oh I see because status is a property which is a set of specs (the status lists below) as opposed to just another property of the data model
| | Data model | | ||
| | Signing and verification | |
There was a problem hiding this comment.
No Validation feature here? (maybe safely assumed?)
There was a problem hiding this comment.
+1 to validation ?
Also, are we going to implement the "decoys" functionality for sd-jwt?
There was a problem hiding this comment.
I will add validation back
spec/did.md
Outdated
|
|
||
| ## DID Resolution Metadata Data Model | ||
|
|
||
| DID Resolution Metadata is _always optional_. |
There was a problem hiding this comment.
Feeling dumb, what does it mean for this to be "always optional?" (same is true in the doc metadata below)
Does it mean that any web5 conformant implementation need not implement support for this data model, such that during application execution the data may exist for the given DID but the SDK need-not throw an exception?
There was a problem hiding this comment.
yes exactly, I will clarify
| | `id` | String | Yes | A URI representing a unique identifier for the credential. Recommended to be of form `urn:uuid:3978344f-8596-4c3a-a978-8fcaba3903c5`. | | ||
| | `type` | Array of strings | Yes | Type(s) of the credential. Must include `VerifiableCredential`. | | ||
| | `issuer` | String | Yes | A DID representing a unique identifier for the entity that issued the credential. | | ||
| | `issuanceDate`| String | Yes | [XML Datetime](https://www.w3.org/TR/xmlschema11-2/#dateTime) value for when the credential was issued. | |
There was a problem hiding this comment.
we will accept XmlSchema112 and RFC3339 and then represent internally and output only XmlSchema112 right?
There was a problem hiding this comment.
yeah, in practice I've used rfc3339 which is a subset of ISO8601 which is a subset of xml date time
spec/vc.md
Outdated
| **Additional Notes:** | ||
| - The `credentialSubject` property can be any JSON object. It is recommended that this object is defined by an associated `credentialSchema`. | ||
| - No [JSON-LD processing](https://www.w3.org/TR/vc-data-model/#json-ld) is performed. | ||
| - Embedded proofs, using the `proof` property must not be present. |
There was a problem hiding this comment.
if we accept an outside vc with proofs we can still accept it and just drop it?
Or there should be no such thing as a vcjwt with proofs too ?
There was a problem hiding this comment.
should be no such thing
spec/vc.md
Outdated
| - The `credentialSubject` property can be any JSON object. It is recommended that this object is defined by an associated `credentialSchema`. | ||
| - No [JSON-LD processing](https://www.w3.org/TR/vc-data-model/#json-ld) is performed. | ||
| - Embedded proofs, using the `proof` property must not be present. | ||
| - The `type` property may only contain `VerifiableCredential` or the URI of a JSON Schema, if one is used for the credential. |
There was a problem hiding this comment.
This is not how we do it as of now.
Currently:
const vc = await VerifiableCredential.create({
type : 'TBDeveloperCredential',
subject : did.uri,
issuer : did.uri,
data : {
legit: true
}
});
So from what you are saying our type "TBDeveloperCredential" cannot be added as a type unless we include the URI of the json schema is that correct?
If that is a hard rule then we will need to refactor our codebase
There was a problem hiding this comment.
yes, this isn't useful IMO and breaks the spec
if we have a need for a concrete type to switch on we should be using a JSON Schema
| - No [JSON-LD processing](https://www.w3.org/TR/vc-data-model/#json-ld) is performed. | ||
| - Embedded proofs, using the `proof` property must not be present. | ||
| - The `type` property may only contain `VerifiableCredential` or the URI of a JSON Schema, if one is used for the credential. | ||
| - We do not support multiple credential subjects. |
|
|
||
| Following from [this data model](https://www.w3.org/community/reports/credentials/CG-FINAL-vc-status-list-2021-20230102/). | ||
|
|
||
| **StatusList2021Entry** |
There was a problem hiding this comment.
Are you still going to add BitstringStatusListEntry section?
There was a problem hiding this comment.
when we support v2 of the data model I will add an entire section on that and bitstring status list
Co-authored-by: Kendall Weihe <[email protected]>
Co-authored-by: Kendall Weihe <[email protected]>
spec/vc.md
Outdated
| | `credentialSubject.id` | String | Yes | A DID representing a unique identifier for whom the credential's claims are made. | | ||
| | `credentialStatus` | Object defined by [Credential Status](#credential-status) | No | Only to be used with [Status List 2021](https://www.w3.org/community/reports/credentials/CG-FINAL-vc-status-list-2021-20230102/). | | ||
| | `credentialSchema` | Object defined by [Credential Schema](#credential-schema) | No | Recommended. Only to be used with the type [`JsonSchema`](https://w3c.github.io/vc-json-schema/#jsonschema). | | ||
| | `evidence` | Object | No | Any JSON object as per [Evidence](https://www.w3.org/TR/vc-data-model/#evidence). | |
There was a problem hiding this comment.
There was a problem hiding this comment.
this is the one I was least sure of I know we need evidence, but I'm not sure where.
yes each type field is required
I am open to making this an array of objects for future proofing or alternatively dropping it all together until we have more info wdyt @mistermoe
There was a problem hiding this comment.
updating this to array and adding a note on not implementing evidence until we have a type we can rely upon
Co-authored-by: nitro-neal <[email protected]>
Co-authored-by: Kendall Weihe <[email protected]>
Co-authored-by: Kendall Weihe <[email protected]>
|
Going to merge tomorrow pending objections/final review. cc: @mistermoe @frankhinek @phoebe-lew @KendallWeihe @nitro-neal @jiyoontbd @kirahsapong |
There was a problem hiding this comment.
this one and vp-11.json are empty?
edit: actually all *.json in this pr is empty 🤔
There was a problem hiding this comment.
yes, intending to address these in a follow up #126
|
merging but open to putting additional feedback in an upcoming PR |
PR is ready for review. Two follow ups: