Awesome-Mirrors/decentralized-id.github.io
1
0
Fork 0
mirror of https://github.com/Decentralized-ID/decentralized-id.github.io.git synced 2024-10-01 01:05:54 -04:00
Code Issues Packages Projects Releases Wiki Activity
d88e61056a
decentralized-id.github.io/_posts/identosphere-dump/open-standards/standards.md
⧉ infominer d88e61056a aries and non-ssi + oidc
2022-12-03 02:23:23 -05:00

81 KiB
Raw Blame History

published
false

Standards

  • FYI: What makes a standard world class? Michael Herman (Trusted Digital Web) (Saturday, 14 August)

  •   A world class standard should have well-defined objectives that respond to real needs in a timely manner.

  •   Its technical content should be complete and accurate.

  •   It should be easy to understand (or as easy as the subject matter allows!) and easy to implement.

  •   Its requirements should be expressed clearly and unambiguously.

  •   It should be validated.

  •   It should be well-maintained.

Reference: A Guide To Writing World Class Standards

In the 17 years i worked at W3C, the formal objections were

(1) "we [the objector] wanted to be on record as saying this but go ahead and publish" (the most common);

(2) we [the objector] have a product, or are about to ship a product, and the feature(s) in  this spec would cause problems in the short-term for our product, and that's more important to us than the Web (no-one will ever admit to this but it's not uncommon)

(3) we object to this spec, we prefer another approach, so here's a bunch of fake objections to slow things down because we can't share our actual business strategy

(4) we believe there's a technical problem with this spec, but we didn't notice it over the past four years despite a last call  review (this one is actually rare but does happen)

Just a reminder that these "politics" and "other-ing" isn't some weird by product of the "identity community", or DIF, or CCG, or OpenID... it's endemic in any long-lived community composed of human beings.

It's not something you're ever rid of... it's something you manage over time;

  • Decentralised Identity: Whats at Stake? A Position Paper by the INATBA Identity Working Group

    INATBA has a specific Standards Committee to liaison with relevant standardisation committees and bodies. Some relevant standardisation committee and bodies include:

  • distributed ID learning path Christina Yasuda based on VC-Spec Map by Michael Ruminer first describes pre-requisite knowledge, including JSON, JSON-LD, JWT, JWS, JWK, JWA, and sometimes CBOR. She then goes on to break down knowledge areas beginning with the basics: DID-Core, DID-Resolution, DID-Spec, DID Use-Cases. Next, she covers Verifiable Credentials with VC-Data Model, VC Use-Cases, and VC-Implementors Guide, and also Transport, Credential Presentation, and Other Data Formats. CCG Highlights

  • Linked Data Security ( slide deck

The attached slide deck provides a basic overview (with examples) of Linked Data Security as well as the specifications in that orbit. The W3C CCG is  actively developing a number of these specifications.

Green - General data format standards

Yellow - Vocabulary standards (I the mislabeled VC work)

Magenta - Protocol standards (I mislabeled DID Resolution)

Red - Low-level cryptographic primitives

Purple - General crypto packaging/protocol standards

Orange - Application layer standards

  1. A identity standards adoption is driven by its value of the reliability, repeatability and security of its implementations.
  2. A standards value can be measured by the number of instances of certified technical conformance extant in the market.
  3. Certified technical conformance is necessary but insufficient for global adoption.
  4. Adoption at scale requires widespread awareness, ongoing technical improvement and a open and authoritative reference source.
  5. When Libraries/Directories/ Registries act as authoritative sources they amplify awareness, extend adoption and promote certification.
  6. Certified technical conformance importantly complements legal compliance and together optimize interoperability.
  7. Interoperability enhances security, contains costs and drives profitability.

  • Verifier Universal Interface by Gataca España S.L.

    This draft version can be found at https://gataca-io.github.io/verifier-apis/ and has been built using ReSpec. This draft version for VUI includes today 6 APIs:

    • Presentation Exchange
    • Consent Management
    • Schema resolution
    • Issuer resolution
    • ID resolution
    • Credential status resolution

  • Trust Frameworks? Standards Matter Tim Bouma

    He points at the NIST documents about it Developing Trust Frameworks to Support Identity Federations published in 2018. He also points at the Canadian governments definition of standards.

    “a document that provides a set of agreed-upon rules, guidelines or characteristics for activities or their results. Standards establish accepted practices, technical requirements, and terminologies for diverse fields.”  He goes on to highlight a lot of the work being done in Canada and where it all sits relative to being a standard - “In closing, there are lots of trust frameworks being developed today. But to be truly trusted, a trust framework needs to either apply existing standards or become a standard itself.”

  • W3C WebAuthn V2 Now a Standard Mike Jones

    While remaining compatible with the original standard, this second version adds additional features, among them for user verification enhancements, manageability, enterprise features, and an Apple attestation format. (Recommendation) (CTAP also approaching standardization.

  • Federated Identity, InCommon, and Enabling Federated Access to Research Services

    The panel will review the concepts of federated identities, authentication, and the role attributes play in managing access to services. Theyll further describe how the InCommon Federation and eduGAIN enable academic collaboration across local, regional, national, and international scales, discuss technical alternatives for participation in InCommon, and delve a bit into how research communities and research cyberinfrastructures manage federated access to their services.

  • An overview of blockchain technical standards

This October report is the most comprehensive review of global standards around blockchain tech that weve seen. Heres a list of standards bodies included in a chart towards the end:

  • OASIS releases KMIP 2.1

    The Key Management Interoperability Protocol (KMIP) is a single, comprehensive protocol for communication between clients that request any of a wide range of encryption keys and servers that store and manage those keys. By replacing redundant, incompatible key management protocols, KMIP provides better data security while at the same time reducing expenditures on multiple products.

  • OMG ISSUES RFI FOR DISPOSABLE SELF-SOVEREIGN IDENTITY STANDARD

    This RFI aims to gain a better understanding of the self-sovereign identity space. In particular, the Blockchain PSIG is exploring the potential for standards setting in the area of contextually constrained or disposable self-sovereign identity arrangements, building on top of existing W3C standards for self-sovereign identity [DID] and verifiable credentials [VC]. The aim of this RFI is to determine whether new standards for this specific aspect of self-sovereign identity are necessary, desirable and timely, and are not already being developed elsewhere. (The RFI)

A public presentation on the Disposable Self-sovereign Identity RFI will be held on February 3, 2021 at 11:00 AM ET.

The Object Management Group® (OMG®) is an international, open membership, not-for-profit technology standards consortium, founded in 1989. OMG standards are driven by vendors, end-users, academic institutions and government agencies. OMG Task Forces develop enterprise integration standards for a wide range of technologies and an even wider range of industries.

Identity not SSI

The W3C WebAuthn and FIDO2 working groups have been busy this year preparing to finish second versions of the W3C Web Authentication (WebAuthn) and FIDO2 Client to Authenticator Protocol (CTAP) specifications

SDTT is a tool from Google which began life as the Rich Snippets Testing Tool back in 2010. Last year Google announced plans to migrate from SDTT to successor tooling, the Rich Results Test, alongside plans to "deprecate the Structured Data Testing Tool". The newer Google tooling is focused on helping publishers who are targeting specific schema.org-powered search features offered by Google, and for these purposes is a huge improvement as it contextualizes many warnings and errors to a specific target application.

Standards

This isnt new, but its new to us, and thought our readers might appreciate it, in case you have also wondered about the nuts and bolts behind OntID

In the W3C VC-EDU call on June 7, 2021 we discussed Open Badges asserted as W3C Verifiable Credentials (VCs). This call began the public discussion of Open Badges as Native VCs (potentially as Open Badges 3.0) to inform the IMS Open Badges Working Group. Why are we discussing this? Why does it matter? How will it work?

A history of procedural trust, leading to an overview of the TOIP stack.

Interactive

DIF

At its core, WACI can be thought of as a handshake using classic, industry-standard JWTs: the “Relying Party” signs a token given to the end-users wallet, and the wallet signs over a “challenge” contained within it, proving ownership of a DID.

Strongly-typed Code to Generate Bobs UDID Document

Schema.org was founded on the idea of making it easier and simpler for the ordinary, everyday sites that make up the web to use machine-readable data, and for that data to enable an ecosystem of applications used by millions of people. While it's hard to predict exactly what the next decade will bring, if we can all keep these founding concerns in mind as we improve, refine and curate our growing collection of schemas, we'll be doing our part to continue improving the web.

DIF announces its first community microgrant, sponsored by Microsoft and rewarding the timely creation of a comprehensive test suite for detached-JWS signatures on Verifiable Credentials

Before we dive into how Federated systems like OIDC and SAML along with Verifiable Credentials (VC) can help improve customer onboarding to your application, let us first understand what are the current methods being used for onboarding.

talks like “Simplify Your Least-Privilege Journey with Access Analysis” and “Managing and governing workload identities” definitively provide greater insight. [...] UberEther showed in “User Behavior Analytics: Marrying Identity and the SOC Like Peanut Butter and Jelly” how UBA (User Behavior Analytics) and UEBA (User Events Behavior Analysis) deliver additional value to help avoid threats in real-time and provide visibility to analysts.

our latest series examining the evolution of digital identity, and how self-sovereign identity, specifically, can advance a consent-based economy.

The Claims and Credentials Working Group will be overseeing a new work item open to all DIF members that creates and harden a JWS test suite, with this grant funding a lead editor to drive the work and keep it to a pre-determined timeline, paid upon stable and complete release.

The OpenID Foundation formed the “Shared Signals and Events” (SSE) Working Group as a combination of the previous OpenID RISC working group and an informal industry group that was focused on standardizing Googles CAEP proposal. These represented two distinct applications of the same underlying mechanism of managing asynchronous streams of events. Therefore the SSE Framework is now proposed to be a standard for managing such streams of events for any application, not just CAEP and RISC. In effect, it is a standard for generalized Webhooks.

I recently pointed out in a TechCrunch contribution that the open source and open standards communities need to find ways to team up if they are to continue driving innovation and  development of transformative technologies to push our society forward.

JSON has its place. But I think we're overusing it in places where a good notation would serve us better.

Since February he has also been the informal chair of the Hospitality and Travel Special Interest Group, a subset within the Decentralized Identity Foundation, an organization creating technical specifications and reference implementations for decentralized identity and working with industries for commercial applications of such technologies.

OpenID trying to make play in the “trusted identities” online space

Already used throughout web3, this is an effort to standardize the method with best practices and to make it easier for web2 services to adopt it.

Why would you have 75 logins when you could have 1?

WAYF has now been certified according to the standard for information security ISO 27001. This is the result of the audit that DNV conducted at WAYF on 23 September 2021. Language Danish Read more about WAYF certified according to ISO 27001

Verifiable credentials is a beautiful set of technology that allows people and organizations to get the data in a verifiable form that still respects agency.”

Lohan Spies, Technical Lead, Yoma

Ive defined an Authentication Method Reference (AMR) value called “pop” to indicate that Proof-of-possession of a key was performed. Unlike the existing “hwk” (hardware key) and “swk” (software key) methods [...] Among other use cases, this AMR method is applicable whenever a WebAuthn or FIDO authenticator are used.

If you are a developer and want to write a DApp [...] you probably are using API-Keys in your front-end. If this is the case, then you should consider the security risk the publication of the API-Key in your front end represents and ask yourself if it would make sense to switch to a user authentication scheme.

DIDs are a critical part of a technical foundation for the products and activities of many of our members. Many of the implementations in the DID Working Groups implementation report were developed by engineers and companies who collaborate openly at DIF on points of technical interoperability, and at ToIP on points of policy and governance.

We have a new suite of badges to encourage participation, create value for others, and reflect on that experience. Participants will be able to both earn AND award badges, so theyll have a chance to prove that theyve understood the theory surrounding CoPs and badges as well as put those theories into practice.

Considering that the group has accomplished these goals, there is currently no more need for dedicated calls. Work on the Universal Resolver work item will continue on Github (under the Universal Resolver and Identifiers &Discovery and on DIF Slack in the Identifiers & Discovery Working Group channel, #wg-id.

In a sense, this recommendation is a kind of abbreviation of the key things that our specifications test for. And youll be able to see that soon as the Me2B Safe Website Specification for Respectful Technology is currently in the membership review stage of the approval process.

The position of Indicio is that the DID Specification is of signal importance to creating a better digital world. We recognize that, as with any specification, improvements can and will be made in the future; but we back its recommendations and its approval.

  1. Check out the (accepted) Open Badges 3.0 proposal
  2. Watch a video from the ePIC conference giving an overview of what Open Badges 3.0 will enable (or view the slide deck
  3. Discuss what this means for you, your organisation, or your community in this thread

We make a link between a domain and a DID by implementing an open standard written by the Decentralized Identity Foundation called Well-Known DID configuration. The verifiable credentials service in Azure Active Directory (Azure AD) helps your organization make the link between the DID and domain by including the domain information that you provided in your DID, and generating the well-known config file:

Recently, the WAO team took the opportunity to update the badge platforms page on Badge Wiki, a knowledgebase for the Open Badge community. As the ecosystem continues to evolve were seeing some early platforms fall by the wayside and new platforms emerge.

EBSI4Austria is a CEF funded project with two main objectives. First, EBSI4Austria aims to set up, operate and maintain the Austrians EBSI node. Second, we pilot the diploma use case on the Austrian level supported by two Universities and data providers as well as verifiers.

The main change is the alignment with the W3C Verifiable Credentials specification 3.

Regarding the standard itself metadata and display are entering the default standard. metadata comes in replacement of metadataJson and remains a stringified JSON that will allow consumers to register specific data which are too unique for issuances to be defined in the context.

display brings in a little bit of novelty 2 images or pdfs, in addition to the more classic HTML.

What already exists, more recently: fine-grained permissions 1:

  1. Marketplace-level fine-grained permissions for browsing, publishing, etc within a marketplace frontend
  2. Asset-level fine-grained permissions on consuming the asset itself
  • did:ens:mainnet:vitalik.eth

This has two purposes:

  1. to wrap existing ENS names as DIDs to facilitate interoperability of emerging technologies in the Decentralized Identity and Ethereum community,
  2. to define a canonical way to augment ENS names with DID capabilities (e.g., encryption) as mentioned above.

At a superficial level, a decentralized identifier (DID) is simply a new type of globally unique identifier. But at a deeper level, DIDs are the core component of an entirely new layer of decentralized digital identity and public key infrastructure (PKI) for the Internet. This decentralized public key infrastructure (DPKI) could have as much impact on global cybersecurity and cyberprivacy as the development of the SSL/TLS protocol for encrypted Web traffic (now the largest PKI in the world).

The official voting period will be between Tuesday, February 1, 2022 and Tuesday, February 8, 2022, following the 45-day review of the specifications.

Summary: The hype over NFTs and collectibles is blinding us to their true usefulness as trustworthy persistent data objects. How do they sit in the landscape with verifiable credentials and picos? Listening to this Reality 2.0 podcast about NFTs with Doc Searls, Katherine Druckman, and their guest Greg Bledsoe got me thinking about NFTs.

Different types of DIDs can be registered and anchored using unique rules specific to the set of infrastructure where theyre stored. Since DIDs provide provenance for keys which are controlled by DID owners, the rules and systems that govern each kind of DID method have a significant impact on the trust and maintenance model for these identifiers.

Open standards should be developed openly because not enough people work to ensure that equity is central to innovation and development. We believe that openness is an attitude, and one which bears fruit over time from which everyone can benefit.

This is the Use Case Implementation Workstream of the COVID Credentials Initiative (CCI). This workstream identifies privacy-preserving verifiable credentials (VCs) that are most useful to the COVID-19 response and provides a forum and platform for those who are implementing COVID VCs to present their projects/solutions.

  • @csuwildcat shares

    As of Friday, we believe v1 of ION is functionally code complete, and the Sidetree Working Group at DIF (@DecentralizedID) should have a v1 spec candidate ready for the underlying protocol by Jan 21st. Public v1 launch of the ION network on Bitcoin mainnet is just weeks away.

  • What Is ISO 27018:2019? Everything Executives Need to Know

    ISO 27018 is part of the ISO 27000 family of standards, which define best practices for information security management. ISO 27018 adds new guidelines, enhancements, and security controls to the ISO/IEC 27001 and ISO/IEC 27002 standards, which help cloud service providers better manage the data security risks unique to PII in cloud computing.

  • What's New in Passwordless Standards, 2021 edition! (Microsoft)

    The Web Authentication API (WebAuthn) Level 2 specification is currently a Candidate Recommendation at the W3C. "Level 2" essentially means major version number 2.

The version 2.1 of theClient to Authenticator Protocol (CTAP) specification is a Release Draft at the FIDO Alliance. This means the spec is in a public review period before final publication. We think you might want to hear about what we think is especially fun about WebAuthn L2 and CTAP 2.1.

  • What Is ISO 27001:2013? A Guide for Businesses

    ISO 27001 is also the cornerstone of a growing international consensus about data security best practices. Australia based its federal Digital Security Policy on ISO 27001. Likewise, ISO 27001 can provide guidance on how to meet the standards of other data privacy laws, such as the GDPR, which often direct companies to it as an example of universal best practices. So if you abide by ISO 27001s recommendations, youre on the right track for legal compliance, not to mention improved data security.

Data Privacy Vocab

The language consists of

  • International standard vocabulary for security and privacy frameworks provides roles and actors to govern the transfer of personal data.
  • The active state notice and consent receipt - is a format for generating consent records from notice/policy - which provides people with information to use rights. .
  • W3C Data Privacy Control Vocabulary and ISO/IEC 29100, Legal Framework Vocabulary

This language can be used to auto generate receipts to process rights and negotiate terms ..  At Kantara we are working to use the standards to auto read the notices/polices to provide a conformance / trust assessment for people so they can see risk independently of the service provider

We discussed these projects and have some links

For more info

Goto Kantara ANCR WG https://kantarainitiative.org/confluence/pages/viewpage.action?pageId=140804260

W3C DPV CG - https://dpvcg.github.io/dpv/

ToiP -  ISWG - Notice & Consent Task force for a Privacy Controller Credential

ToiP Privacy Risk -

Data Privacy Impact Assessments

  • Breaking down -

Kantara - ANCR -

Showing off the work and topics

  • Privacy as Expected - a gateway to online consent
  • 2 Factor Consent (2FC)

W3C Data Privacy Vocabulary Control

This session had the objective to gather (and discuss) a set of recurrent questions people experience when trying to build their first mobile agents.

This was the end result of the session:

FAQ

Whats the best place to start creating your own mobile agent?

How do you get updates once you ship your first version?

Do I actually have to support a fork for every mobile agent I create?

Do I need to use a Mediator?

Presentation slides: https://docs.google.com/presentation/d/1UO25DzVmq25ya2S4_tV5UKTSP6NtBggln9vP1TEXSzE/edit

Goal of the Oberon protocol when building an API:

  • Super effective: no separate session token to required for accessing the API; very fast to issue and verify tokens; 128 bytes required per message
  • Privacy preserving
  • No new crypto, uses BLS signature keys and Pointecheval saunders Construction

Read more about timestamping and its concepts at Trusted Timestamping Part 1: Scenarios and Trusted Timestamping Part 2: Process and Safeguards.

Family of standards related to timestamping

This past November, the GBBC released The Global Standards Mapping Initiative 2.0, updating the standards published in 2020. The GBBC is a strong proponent of standardization and intends to serve as a baseline for establishing frameworks and standards that will allow for adoption and innovation.

The arrow for “Issue Credentials” is exactly the same as “Send Presentation,” leading us to believe these activities are similar, but how are they similar? We cant adequately answer these questions by looking at the above picture and the specification doesnt provide a ton of help either…

WG Meeting of the week

to inform and educate the readers about the work on the OpenID for Verifiable Credentials (OpenID4VC) specifications family. It addresses use-cases referred to as Self-Sovereign Identity, Decentralized Identity, or User-Centric Identity.

Badges as credentials includes approaches that are well understood and largely replace or augment existing certification practices. Badges for recognition, however, include approaches that remain somewhat confusing to many people.

BlueSky

Bluesky Community Voices #6: Interoperable Formats https://twitter.com/i/spaces/1vAxRkVrMPzKl Moderator @kimdhamilton Speakers @kevinmarks @mfosterio @JoeAndrieu @harlantwood

Today were releasing ADX, the “Authenticated Data Experiment”. Our company's name, “bluesky,” describes the open-ended nature of this project, and the freedom we were given to start from first principles. As we get more concrete, well give more specific names to what were building, starting with ADX.

DID Core advances to recommendation

The DID core specification is approved to advance to W3C Recommendation.

In its next chartered period the Working Group should address and deliver proposed standard DID method(s) and demonstrate interoperable implementations.  The community and Member review of such proposed methods is the natural place to evaluate the questions raised by the objectors and other Member reviewers regarding decentralization, fitness for purpose, and sustainable resource utilization. -Ralph Swick, for Tim Berners-Lee

Announcing the Decentralized Identifiers (DID) v1.0 specification as an open web standard signals that it is technically sound, mature, and ready for widespread adoption. Having an established v1.0 specification allows work to continue with renewed energy and focus, not only at the many groups meeting at DIF, but across the digital identity community.

Harrison Tang, CEO of Spokeo, is the new co-chair of the CCG

W3C CCG (World Wide Web Consortiums Credentials Community Group) aims to explore the creation, storage, presentation, verification, and user control of credentials (i.e. a set of claims made about someone, or a person record).

Neighboring Standards

An alternative to passwords that includes QR Codes is described, and typical use cases are described. This document also provides an overview and context for using QR Codes for security purposes.

every pico is serverless and cloud-native, presenting an API that can be fully customized by developers. Because they're persistent, picos support databaseless programming with intuitive data isolation. As an actor-model programming system, different picos can operate concurrently without the need for locks, making them a natural choice for easily building decentralized systems. W3C Press Release - Decentralized Identifiers (DIDs) v1.0 becomes a W3C Recommendation worth reading to see who contributed comments (and notice who didnt)

For individuals in particular, DIDs can put them back in control of their personal data and consent, and also enable more respectful bi-directional trust relationships where forgery is prevented, privacy is honored, and usability is enhanced.

“I would summarize the overall impact of DIDs on cybersecurity as making digital signing and encryption much more widely available than todays conventional X.509-based public key infrastructure (PKI),” Drummond Reed, director of trust services at Avast

The DID specification describes a way to deploy a globally unique identifier without a centralized authority (eg, Apple for Sign in with Apple as a verifying entity.

Table of contents: 1. Foundation News; 2. Group Updates; 3. Member Updates; 4. Digital Identity Community; .5. Funding; 6. Events; 7. Hackathons; 8. Jobs; 9. Metrics; 10. Get involved! Join DIF

Since verification is off-chain (and generally fast/inexpensive, depending on the provider), and since this avoids on-chain storage of potentially correlatable data, this is often the preferred solution.

Part 2 of this 2-part series explains the did:pkh/CACAO variation for Verite data models and flows, which provides an entry path for wallets that may not support sufficient functionality for emerging decentralized identity patterns

Through the DID Specification, service endpoints and DIDComm, Impervious has interlaced DIDs with Bitcoin Lightning, IPFS, WebRTC and resilient relays to introduce a new peer-to-peer internet standard with practical applications for mitigating censorship and surveillance risk.

I made this today: https://github.com/OR13/endor [...]

nice thing about endorsing W3C Verifiable Credentials is that they are

already an abstraction that applies to "non software supply chain" use

Cases [...] we model cyber physical supply chain flows

^^^ inspired by : IETF 114: Plenary (video)

vLEI will provide a cryptographically secure chain of trust that will replace manual processes needed to access and confirm an entitys identity across all industries.

members from across the community come together to test interoperability between systems, networks, agents and more.

Driven by our motivation to make SSI more adoptable, we built the worlds first turn-key, open source trust registry solution. This work was sponsored by the European Self-Sovereign Identity Framework Lab, which is an EU consortium that provides funding for projects that build SSI open source tools. Any ecosystem provider can use the trust registry implementation to enable governance in their verifiable data ecosystem.

The concept behind a Trust Registry is that a Wallet needs to know which decentralized identifiers (DIDs) to “trust” as a source of truth. At many levels, this “trust” translates to “authority” knowing that somebody, centralized or decentralized, is responsible for maintaining a list of trusted DIDs.

  • Keys can be given different capabilities using Verification Relationships
  • We support 4 Verification Relationships: Authentication, Assertion, Key Agreement, and Capability Invocation.
  • DIDs can now be controlled by other DIDs
  • DIDs can now have service endpoints
  • Dock now supports off-chain DID Documents

tldr :: DID is just an URI :: VC is a cryptographically verifiable credential using DID :: SSI is a self-sovereign and privacy-preserving identity :: Non-human (Machines, Bots, Goods, anything) also able to have DID, VC, and SSIs

Digital credentials can be checked in real time, expediting access to trustworthy information. These trusted, verifiable digital credentials are the core digital trust technologies being piloted and the trust ecosystem in which they operate are defined in ToIP architecture, governance, and related documents.

The Universal Resolver can now resolve 45 DID methods, and more are being added regularly. Visit https://dev.uniresolver.io/ to see the full list of supported methods, and visit this github page to contribute a driver for a DID method.

Mobile Document Request API

The API is concerning because it lists "Define the native communication between the User Agent and the application holding the mdoc." as out of scope. That is, digital wallet selection is out of scope. Also out of scope is "issuing" and "provisioning". The specification focuses on delivery from a digital wallet to a website.

Standards Work

Heres my premise we dont have standards nor interoperability at least not as people really need. We have been through a process that is powerful and good but what we have is what I call “premature standardization.” Its a great start but nowhere near where things will be.

  • Steel, Oil Agriculture Shipment into US Customs ($2.3T in good/year)
  • European Digital Wallet (€163M funding, 450M people)
  • Digital Education Credentials in Uganda, Nigeria, Kenya (323M people)
  • Digital Age Verfication (152k retail stores, 200M people)
  • Content Authenticity Initative (30M Adobe customers)
  • Digital Permanent Resident Cards (14M people)

The goal of IATA One ID is to set industry standards that further streamline the passenger journey with digitalization of admissibility and a contactless process through secure biometric enabled identification.

Cardano showing interest in our work

Good news to see Cardano jumping on the bandwagon, looks like they will join the fray and bring DID\VC to Atla Prism.

The recent DID core specification approval at the World Wide Web Consortium (W3C) provided clearer and stronger foundations for identity platforms building decentralized identifiers.

Circle joined other crypto and blockchain companies in February 2022 to introduce Verite as a open-source framework for decentralized identity credential issuance, custody and verification. Verite is designed to help make it safer, easier and more efficient to do business across the transformative worlds of DeFi and Web3 commerce.

TBD and Circle are collaborating on a set of open standards and open source technologies aimed at enabling global-scale, mainstream adoption of digital currency in payments and financial applications. The first step of which will support cross-border remittances and self-custody wallets that can hold stablecoins.

The new FPX Junction cloud software suite is designed for fine-grained API authorization and user-centric digital identity management. The digital wallet and user-managed access 2.0 authorization server work together to enable single-sign on federation. An optional user interface SDK for the digital wallet provides native mobile and web support.

Yesterday, the draft Verifiable Credentials for Education, Employment, and Achievement Use Cases report was published [...] The next version of the Open Badges specification (v3.0) will be compatible with Verifiable Credentials (VCs).

By producing an accessible, open-source wrapper library, Tangle Labs provides any business or development team the opportunity to easily explore SSI and to test and prototype solutions that can bring added value to your business.

The discussion gets very concrete when Daniel describes selective disclosure JWT, or SD-JWT, a new IETF specification he is coauthoring that offers a simple and easy-to-adopt approach to produce JWTs capable of supporting selective disclosure. Here at Identity, Unlocked, we are huge fans of this new specification, and we hope this episode will help you get started!

Related resources:

Call for Comments/Feedbacks for DPV v1.0 release

Please provide your comments by 15-OCT-2022 via GitHub or public-dpvcg@w3.org (mailing list).

We are walking this path step-by-step by documenting the results and lessons from the DHS sponsored multi-platform, multi-vendor interoperability plug-fests and other rigorous plug-fests with similar goals to develop a “DHS Implementation Profile of W3C Verifiable Credentials and W3C Decentralized Identifiers” to ensure the use of Security, Privacy and Interoperability implementation choices that are acceptable to the USG such that these capabilities can be deployed on and connect to USG networks and infrastructure.

please find attached the DHS Implementation Profile of W3C VCs and W3C DIDs normative guidance on:

·         Credential Data Model Representation Syntax

·         Credential Data Model Proof Format

Extending OAuth and OIDC to support the issuance and presentation of verifiable credentials provides for richer interactions than merely supporting authentication. All the use cases weve identified for verifiable credentials are available in OpenID4VC as well.

  • Trinsic Basics: What Are SSI Standards?

    There are two kinds of standards that Trinsic implements to enable interoperability and avoid vendor lock-in: data model standards and protocol standards.

  • Manifesto: Rules for standards-makers

    I've used all kinds of formats and protocols in a long career as a software developer, even created a few. My new manifesto summarizes what I've learned about what works and what doesn't.

RDF

  • Technical Report on the Universal RDF Dataset Normalization Algorithm - Bill Bradley

    The goal of this technical report is to review the Universal RDF Dataset Normalization Algorithm (URDNA2015) for correctness and to provide satisfactory evidence that possible issues with URDNA2015 have been considered and dismissed. We do not lay out the algorithm in its considerable technical detail here, but refer the reader to the proposed technical specification 1 [Longley], a set of proofs by Rachel Arnold and Dave Longely [Arnold], and a reference implementation in Python [DigitalBazaar]

  • Importing Verifiable Data as Labeled Property Graphs  Orie Steele (Wednesday, 15 June)

I think what happens is that a first blank node is created for the proof, and since that node has @container @graph, instead of being able to trace the relationships directly from credential to proof to verification method...

Each proof is being treated as a disjoint subgraph, and the relationship is not being preserved during import… [...]

I suspect this is solvable with a more complicated graph config: https://neo4j.com/labs/neosemantics/4.0/config/

But I wonder if we might correct this behavior in VC Data Model 2.0, such that RDF representations don't have this odd behavior when imported as labeled property graphs. [...]

answer on the github issue for the standard, I raised it here: https://github.com/w3c/vc-data-model/issues/881

The goal of this group is to standardize the way many of us digitally sign Verifiable Credentials. This working group has been about decade in the making (some would say two decades) and is important for achieving things like BBS+ selective disclosure as well as standardizing the way we format Verifiable Credentials before they are digitally signed.

The announcement is here

The proposed charter is here

I've instrumented the rdf-canonicalize library so I can inspect the order of execution, and it appears that what differs between my implementation and the Javascript one is the order of the permutations. The spec doesn't say how the permutations should be ordered, and my intuition is that the order does indeed matter - though I'm happy to be corrected if I'm wrong.

So, here is my question(s):

  • Does the order of the permutations matter?
  • If so, what order should they be in?

DIDs

  • DID test suite GitHub

    DID test suite is not for runtime, but the Universal Resolver could do a few simple checks on a driver's responses. But there's also a philosophical question: Should the Universal Resolver be "allowed" to check and potentially transform driver responses, or should it just "pass through" everything that comes from a driver?

  • did:orb slides Troy Ronda (SecureKey)

    • Decouple witness ledgers from the critical path.
    • Allow for Trust but Verify model.
    • Leverage the Certificate Transparency model
    • Witnesses observe VDR objects and promise to include in their ledgers.
    • Provide a signed timestamp and a maximum merge delay.
    • Enable monitoring to ensure witnesses follow their promises.
    • Use trusted Witness (and origin) timings to resolve late publishing.
    • Use origin to enable observers to know if they have the latest operations.

  • re: Defining load balanced, failover clusters for DID Document serviceEndpoints? (Monday, 10 January)

#didlang 0.3 includes support for round-robin, load-balanced DID Agent serviceEndpoint clusters. Here's a demo

This is the final step of the W3C global standardization process.

If you are a W3C Member, you can now vote to approve it as a global standard here:

  1.  Governments “lobbying” for single DID method and Non-Interoperability

  •   “tantek: concerned to hear that there are governments looking to adopt, with only single implementation methods and non interop, sounds like lobbying may have occurred, … advocating for single-implementation solutions that are centralized wolves in decentralized clothing”

  •   “ +1 to tantek's concern that governments are responding to lobbying attempts on non-interoperable methods”

  • Mozilla Formally Objects to DID Core  Drummond Reed (Thursday, 1 September)

Now, here's the REAL irony. Mozilla and others are pointing to the URI spec and existing URI schemes as the precedent without recognizing that in in section 9.11 of the DID spec, we specifically compare the DID spec to the URN spec, RFC 8141. In fact we deliberately patterned the ABNF for DIDs  after the ABNF for URNs—and patterned DID method names after URN namespaces. And we set up a registry for the exactly the same way RFC 8141 establishes a registry of URN namespaces.

Now: guess how many URN namespaces have been registered with IANA?

I don't see anyone complaining about interoperability of URN namespaces. Amd RFC 8141 was published over four years ago.

The motivation for verification relationships in the DID spec stems from the general security recommendation of "use separate keys for separate purposes".

You can see this at work in other specifications, such as JWKS (JSON Wek Key Set), specifically in the 'use' (Public Key Use) parameters, from https://datatracker.ietf.org/doc/html/rfc7517#section-4.2

great to see that press release at https://www.w3.org/2022/07/pressrelease-did-rec.html.en

There's a testimonial from UNECE near the bottom.  I thought the community might be interested in the white paper from UNECE on VCs and DIDs for cross border trade - https://unece.org/trade/uncefact/guidance-material

This message is to inform the DID WG and CCG that the W3C intends to write a press release.

To that end, we are seeking testimonials about Decentralized Identifiers.

For an example of the sort of thing we're looking for, please see: https://www.w3.org/2019/03/pressrelease-webauthn-rec.html

The testimonials may be submitted as a reply to this email.

DID Methods

The publication of this DID Method specification realizes, in large part, a 4-year quest (or should I say personal mission) to create a platform to Tokenize Every Little Thing (ELT).

On 8/26/21 12:37 PM, Heather Vescent wrote:

  1. What are the pros of including did methods as work items in the CCG?

Community vetting and approval of particular DID Methods.

Basically, broader and deeper review of DID Methods that we expect to be of

great use to the world. I expect there will be DID Methods that the community

wants to eventually propose as DID Methods for standardization (did:key and

did:web feel like two ones where we could get consensus on doing so).

can't we pick just a small number of un-controversial methods to standardise?  even if it's just did:key and did:web to start with.

The broader generalisation of this question is : "for trust anchors like governments that issue VCs to their constituents, what rules should govern which did:methods they should accept as the subject identifier for the VCs they issue?"  Are those rules context specific?

I'm not sure of the answer - but it's why did:ion was on my list - as an allowed subject of a government issued vc - and as the issuer of trade documents.  should I take it off my list pending a bit more maturity (eg that azure service goes out of beta into full production)?  or is it safe enough for this use case?  if so what others would also be "safe enough"?

https://www.notion.soimages/image2.png

DID:TAGre: Using Email as an Identifier  Bob Wyman (Friday, 12 November)

My did:tag proposal is, I believe, the only proposed DID Method that addresses the use of email addresses and email as a resolution method

There are quite a number of issues with using email addresses as identifiers, or parts of identifiers, and I'm hoping that discussion and development of the did:tag method will illuminate those issues and potentially find solutions for them.

DID:WEB

We have had the same issue... per the did core spec, there are really 2 main key types, in our crypto libraries for the key pair classes themselves, we do our best to support both and handle translation for you:

We then generate a DID Web DID Document from the public keys for the 3 children, and encode the ca chain from them back to the root using x5c.

We then issue a JWT from the private key for 1 of them.

We then verify the JWT signature using the public key.

We then check the x5c using open seel to confirm the certificate chain.

My questions are:

  1. Is it possible to use JOSE to automate this further?

  2. Is there a better way of accomplishing this?

  3. Should the CA chain be pushed into the JWT?

DID:JWK

DID:KEY

I published a did:key creator at

This has been tested to create did:keys from the P-256,P-384, and P-521 curves specified in https://github.com/w3c-ccg/did-method-key and https://w3c-ccg.github.io/did-method-key/ .

The DID Document generation algorithm for did:key is being refined to the

point that we can finish off a first pass of a did:key test suite.

Assorted

Here's an illustration of the relationships between the initial DOMAIN and POOL txns used to bootstrap an example Aries VDR...

Just wanted to update folks here that the C2PA has released version 1.0 of their specification at https://c2pa.org/specifications/specifications/1.0/index.html.  As previously mentioned, it includes native support for VCs for use in identification of actors (be they human, organizations, etc.).  Thanks to everyone here for their input on our work and helping us to deliver.

I've reached the limits of my ability to move this ball forward, and am here to ask for help