Web's Go Crazy (did:web, Part 1)

April 12, 2023 00:44:06
Web's Go Crazy (did:web, Part 1)
The Rubric
Web's Go Crazy (did:web, Part 1)

Apr 12 2023 | 00:44:06

/

Show Notes

did:web takes advantage of existing World Wide Web infrastructure for DIDs. Instead of relying on a distributed ledger or embedding key material in the DID itself, did:web uses websites to resolve DID documents, giving anyone who controls a web page the ability to host DID documents. We talk with the editors of did:web about this innovative DID method: Orie Steele, CTO at Transmute, and Oliver Terbu, Tech Lead at Spruce Systems, Inc.   https://diddirectory.com/web      References DID Method Traits  https://blog.spruceid.com/upgradeable-decentralized-identity/  did:web Specification https://w3c-ccg.github.io/did-method-web/  Domain Name System (DNS)  https://en.wikipedia.org/wiki/Domain_Name_System  Facebook https://www.facebook.com/  International Organization for Standardization (ISO) https://www.iso.org/home.html  Legendary Requirements http://legreq.com/ Pretty...
View Full Transcript

Episode Transcript

Speaker 1 00:00:07 Welcome to the Rubric. I'm your host, Joe Andrew. Speaker 2 00:00:10 I'm Erica Connell. Speaker 3 00:00:11 And I'm Eric Shu. Speaker 2 00:00:13 Today on the show we talk with the editors of DID Web about this Innovative DID method or a steel C T O at Transmute and Oliver Turbo Tech Lead at Spruce Systems Incorporated. This is part one of a two-part interview with Orie Steele and Oliver Turbo regarding DID Web. The continuation of the conversation can be found in part two. Speaker 4 00:00:37 Part of building Simple and usable software and standards is keeping them short. Speaker 1 00:00:45 On the rubric, we talk to folks making decentralized identity happen. We chat about the technologies and motivations behind decentralized identifiers, including DIDs did documents and did methods so our listeners can make better decisions about which did method is appropriate for their use. Speaker 2 00:01:03 Decentralized identifiers enable robust identity-based services without dependence on a trusted third party. So instead of being forced to use centralized identity verification services like Facebook, Google, or the Department of Motor Vehicles, DDS can be created by anyone anywhere and be used for any purpose Speaker 3 00:01:23 Did methods or the magic ingredient that give DIDs their flexibility before creating any specific Did you first choose a did method, which determines how you perform the create, read, update, and deactivate operations on a did of that method once created each did includes the name of its method in the identifier itself, so that when you use the, did others know how to retrieve the associated Did document that contains the cryptographic material for secure interactions Speaker 2 00:01:48 Different Did methods use different underlying mechanisms with different performance, security and privacy trade-offs. Speaker 1 00:01:56 This show the rubric reviews different, did methods with their creators and implementers so you can make better decisions about when and how to use DIDs in your applications. Speaker 2 00:02:07 Orry Steele is the CTO O and co-founder at Transmute, where he leads all architecture, design, and execution for the Transmute platform. Orry has an MS in computer science and a BS in cybersecurity from Steven's Institute of Technology, he is an author of the W three C decentralized identifiers DDS version 1.0 specification, and an editor of the W three C verifiable credentials data model. ORI has managed security concerns for startups and publicly traded companies. He has built secure web applications in finance, energy, and healthcare. Ori, welcome to the show. Speaker 4 00:02:45 Thanks for having me. Speaker 3 00:02:47 Oliver Taboo is tech Lead at Spruce Systems Incorporated. He has been working in the digital identity space for about a decade and was involved as chair, lead editor, author, and contributor in various organizations such as ISO, c e n slash c e n e l e c W three c Diff, and o i df. Before joining Spruce, Mr. Turbo joined Walt Dot IDs advisory board was head of architecture at Consensus Mesh identity and standards lead and solutions architect at U Port, part of Consensus sis at the Austrian State Printing Office. He worked as a solutions architect on mobile identity solutions for the public and private sectors, and became delegated expert into various identity related ISO working groups. He also received the Austrian Standards Award in 2018. Oliver, thanks for joining us today. Speaker 5 00:03:40 Hey, thanks for having me. Speaker 1 00:03:42 Great. Let's get started. Did web takes advantage of existing worldwide web infrastructure for dds instead of relying on a distributed ledger or embedding key material in the DID itself, did web uses web websites to resolve, did documents given anyone who controls a webpage the ability to host did documents? So with that brief intro, why don't you tell me what is did Web Speaker 5 00:04:09 To me, did Web is a very easy way and convenient way for issuers to participate in the decentralized identity ecosystem? Speaker 4 00:04:16 That's a good answer. I think, you know, to me, did Web is both a bridging technology, you know, a way to connect, uh, the systems that we've relied on to build, um, identity systems in the past to decentralize identifiers, which is sort of a newer, you know, way of representing identity concerns. And so did Web has some characteristics that sort of fit into both of those worlds. I think it's a great bridging, uh, technology, um, for folks who are interested in diving into decentralized identifiers, but they don't want to go all the way into, uh, you know, fairly heavy, um, distributed ledger system as a way of, uh, starting to explore, um, the space. Speaker 5 00:04:58 Yeah, then we invented IT web at, uh, the Upul project, um, which was part of, uh, consensus in 2018. So we had to deal with a lot of clients that had all reservations towards blockchain based debts, uh, since the tech was very nascent back then and, uh, certain scalability and usability issues had to be resolved. And those companies were usually interested in participating as issuers, and then we thought that, uh, did web was a good fit. Whereas for NCUs, we usually would recommend it, it would've recommended. Um, other did methods that didn't rely on D N s and in general, I believe in a evolutionary approach and did Web is a good starting point to enter the decentralized identity entity space. Speaker 2 00:05:40 So did Web did work through my web browser, do I need a plug in? Speaker 4 00:05:46 Did, did. Web, um, is fairly easy, easy to register and easy to resolve. So in, in order to create, uh, a new identifier using, did web need to host a JSON file at a specific place on a web server, and in order to resolve a did web, you need to be able to resolve, uh, a dns uh, request to that web server and then obtain that did document. Um, and so it's, it's pretty straightforward to, to create a new did web-based, uh, decentralized identifier. If you have the ability to host a file on a web server, and if you have the ability to make network requests, uh, it's fairly easy to, to get up and running and pre perform this too. You know, the most fundamental did operations, the create operation and the resolve operation. And once you've got those working, you might get to the point where you wanna make some updates and in order to make those updates, you just change the file content at that location and that new up changes are, are available the next time someone resolves that identifier. Speaker 5 00:06:50 So to answer your question, there is no web browser needed to use this web. Um, there is actually just a HDP h DP agent needed to resolve dead webs, but yep, that's, that's the answer. Speaker 3 00:07:04 So what is the target audience for Dead Web in your mind? Or maybe ask another way, what use cases do you see as did Web's, uh, niche? Speaker 4 00:07:14 So I think, you know, because of the way did Web Works and the need to sort of control a web server to have confidence in the long term identifier, it's naturally suited to situations where you have an organization or a government that's already used to protecting resources on the web. Um, and, and that makes it a little bit biased towards the sort of government or organization use cases as opposed to the sort of individual, uh, you know, human user use cases. So I think it's a great, um, did method if you're, uh, a, a brand out there today and you have a website and folks are used to go navigating to your website to look at your products or to connect with your company, did Web is is good for those use cases, but it's, it's maybe not as good for use cases where you'd want to connect to a specific friend unless that friend is a web developer and runs their own website. Uh, did web might not be the best did method for individuals like that? Speaker 5 00:08:18 Yeah, I would agree with that. And that's also why I mentioned in the intro that, um, we use did Web primarily for issuers in the very far credential ecosystem. Speaker 3 00:08:30 So it's really the group of kind of entities that make large use of the traditional internet as far as producing content instead of consuming it. Right, Speaker 5 00:08:40 Right. Yeah, Speaker 3 00:08:41 It's the the big web con Yeah. Content producers, Google, Facebook, any of those big guys. Okay. Speaker 5 00:08:47 Not necessarily only those big guys, just any company that produces, um, or can produce data about end user test data about end users. It could be banks, it could be, um, online shops. I don't know what there, there's actually no limitation. So a typical issue in the very far credential, um, ecosystem. Speaker 4 00:09:08 Yeah. And one other thing to keep in mind is most decentralized at NFR methods that you encounter or in this space of, you know, public globally resolvable. Um, and some of them have a directory sort of structure built into them where you can enumerate the entire space of, of, you know, that particular did method and, and did web fits well into the sort of public, you know, use case scenarios for, for did methods. But it, it is maybe, uh, you imagine trying to enumerate the entire space of did web, it's, it's very big space and you can't easily enumerate, um, all of the different DIDs that might exist. I mean, it's possible to, but it would be hard. So if you compare, you know, did, uh, did web to like a, a side tree based did method where you can see ev every single identifier that's ever been created, it's a little bit different. Um, there isn't like a single place you can go to to look up all of the DID webs that have ever been registered. Speaker 2 00:10:12 So relatedly, and you may have just answered this already in our previous question, but I own Wonderland stage and screen.com, another part of my life I teach theater and film classes to kids. Can I use, did Web to create DIDs for business use, like, uh, confirming class registration or receipt of payments, that kind of thing. Is that a good use of DID Web Speaker 4 00:10:35 Could be. Um, like, like I was saying before, when you create your, your, your Did web, you have this document that you can use to express the different relationships that you want to expose for that identifier. So if you want to expose key material that you're gonna use to create, you know, credentials for completing an education certificate program, you could use did Web to do that. If you wanna expose, uh, cryptocurrency addresses so that you can receive donations, you can do that with DID Web. One of the nice things about DID Web is it's very generous and flexible in terms of the kinds of structures that you can include in it. Whereas other DID methods are tend to be really strict in terms of what kind of content can you put inside of your, your your DID document. Um, and that's actually one of my favorite parts about did Web because as a developer I'm often experimenting with something new that might not be well supported. Did Web is is really great tool, um, in the toolbox for, you know, for that kind of thing. There are some challenges that come with that. Like, you know, if I put a new interesting data structure in my DID web did document, many folks may not understand how to process that content sort of consistently. So it's a, it's a bit of a double-edged sword, but I think, um, did Web is definitely a really great tool if you're experimenting with sort of new verification relationships, it's very well suited for that. Speaker 1 00:12:05 So it sounds like it's good for any situation where your website may already be the definitive publication point for a did for example, Wonderland Stage and Screen could, could publish a different did on their website and just say, Hey, this is the did we're using to sign our credentials, which means that your anchor of which did is Wonderland stage and screen is already mediated by your website. Yep. So it feels like that would be an easy place to just put the d the entire did document and host it via d did web. There's no decrease in security there cuz people already heard about the definitive d i d through the web. Speaker 4 00:12:44 Yep, that's, that's a great point. One of the things that we use did web for is to, to use the also known as feature for that identifier so that you can link to other kinds of decentralized identifier methods. So I could use a did web on a, on a web origin that's well known and associated with the brand, but then I can link from that did Web to did Ether or did Ion or other did Methods that might have other properties. Um, and, and that that can be a good way of sort of, there's one, you know, easy way to find the, the did for a a given brand based on knowing its website, but then you can find other DIDs associated with that brand through its did Web. Speaker 1 00:13:25 Nice. Now you had mentioned earlier this, this pattern where did Web is for the two of you at least primarily used for issuers and you mentioned the facility that typically either large corporations or large governments have with managing and securing websites. But what about government employees and staff? Is there a way to think about, you know, so I'm a, I'm a federal agent or I I work at the irs, um, but now I'm an individual and so are there privacy issues or are there trade offs or are there still a good pattern where maybe for, for entities who are agents of, of that government entity that it makes sense? Speaker 4 00:14:05 So are you asking about sort of maybe delegated authority for within an organization? Or are you asking about, uh, corporate individual, um, sort of employee identity? Speaker 1 00:14:21 I think the latter. Um, I'm thinking in terms of, um, I talked to an IRS agent on the phone cuz I got a letter from the IRS and they could identify to me, here's my did web from irs.gov. Is, is that a pattern that you think ah, is a good fit? Speaker 4 00:14:43 I think, I think it, it can be, if you think about what social media account accounts identity sort of looks like today, now your username on twitter.com or your username on github.com, GitHub and Twitter are are trusted to maintain that identity and service and the capabilities that come with it. And I think some companies might take the same approach with, with did web, you know, you could have child identity underneath an a well well known web origin. So you know, you could convert Twitter usernames to did webs if you really wanted to, and Twitter could help manage that, you know, process. The important thing to keep in mind about that though is that the web origin still in control of that identity. And so you might trust Twitter to, you know, allow you to have that identity and to protect your identity so long as you comply with their terms of service. Speaker 4 00:15:44 But if you start violating their site policy, they're in complete control of that identity and they can, you know, remove your ability to make updates to it and, you know, censor you if you've, you know, violated their policy. Or even if you haven't. So there are cases where depending on your threat environment, you might not want to rely on that kind of identifier for certain kinds of activity. But I think there are also a lot of cases where you have a pretty comfortable business relationship with an organization and that organization already manages an identity on your behalf and people have come to know you through your work with that organization. And I think did Web's kind of growing to, I think those use cases can make a lot of sense for, for DI web and it's especially sort of familiar for folks who are used to having, you know, their social media identities all with the same kind of, you know, username. They're, they're reusing their alias, they're handle on several different social media platforms, but they're used to this concept of each social media platform. I have a relationship with them and you know, I'm, I'm using them as, as part of my business, you know, if I'm a content creator, that kind of thing. Speaker 5 00:17:02 Yeah. So if you use the web in that way, basically giving each user edited web, then it's very similar to the traditional Twitter account model. So you would have introduced DDS to your end users, but the end users are not really in control of the identifier because Twitter in that case, could always decide to no longer host those DDS on behalf of the users. But in that case, what you still would get is that, um, you would allow other Twitters, uh, like other social media platforms, um, to reference, um, user accounts by ui, um, issuing credentials, um, to them. And then those new Twitter accounts, this, um, it web user accounts would then be able to prove, um, cryptographically that, um, they will own certain credentials, for instance. So there would be still some benefits, but it's very similar to the traditional, um, user account model that Twitter has. To answer your question, it's possible <laugh>. Speaker 1 00:18:05 So talking about how Twitter or Facebook could use did web, uh, and be definitive for their, their accounts, um, it reminds me of the phrase that's popular. Let me put it differently. Uh, there's a phrase in the Bitcoin world, not my Keys, not my coins, and yet Coinbase, you know, has millions of users and they're using Coinbase as keys. So I feel like it's a, it's, it's an almost exactly analogous sort of role in that people trust Coinbase to be in that position and to hold the keys and to, to take care of things because they're the experts. They have the CIS admin that are, they're 24 7, they have the people who are actually dealing with watching the network and monitoring and making sure it's not being attacked. Whereas if it's on my system, I'm on the hook for all of that expertise. You know, I've had some really interesting arguments with folks who absolutely don't believe decentralized can be more secure because then you're asking every individual to be that security expert. So you just brought in a focus that it's the same trade off in some ways for certain uses of did Web, they have the same topology of how we use Coinbase or other sort of, uh, custodial services, uh, for cryptocurrency. Speaker 4 00:19:20 Yeah, that's, that's right. I mean, I, I think it's, it's interesting to think about the transition to the cloud, right? You know, what drove businesses to invest in cloud technology and start to trust cloud service providers as opposed to running their own infrastructure. And there's these natural cycles and technology, you know, we go to the mainframe and then we go back to the individual PC and then we go back to the mainframe again. Um, and I think, uh, like, like you said, you know, the, not not my keys, not my coins sort of analogy. When you apply it to web web ownership, it, you have to think about really what would it take to fully own the, the web stack for your did web. And it's, it's not just, you know, can I put a file at a specific path on a web server? It's also thinking about who controls the DNS own files and what about, you know, the nation state level internet infrastructure that also comes into play when resolving, you know, DNS records and those kinds of concerns. So it can feel, um, sort of did web, in some ways it feels very simple, but then the, the deeper you dig, the more you sort of realize that the web infrastructure we rely on today for online banking is actually fairly complex and somewhat decentralized even, even in and of itself. Speaker 5 00:20:40 I think while you can actually build this weapon in way, so imagine the Twitter examples of Twitter could decide to give the users did webs under their Twitter domain, but Twitter would still own the domains. And Twitter could decide though to give users control over the keys in the user own did web, um, documents, but Twitter would still control the domain. And so it's then, then they would basically have, um, control over the keys, but they would still not have control over the domain. Um, which is not the same as exactly as, um, not your crypto or not the Keys, not your crypto, but, um, goes in the same direction Speaker 3 00:21:23 Before moving on. Uh, just wanted to clarify something that's been said a few times, which is that in your minds, did Web is primarily for issuers? Um, I just wanted to clarify issuers of what, I believe it is verifiable credentials, but wanted to get that out from you guys. Speaker 5 00:21:40 Yes, that's correct. Yeah, usually, um, lot of our use cases, they are using DDS and VERIFI credentials and DDS as the identifier of the issuer in the credential. And um, that's where we would use did webs for, um, enterprises like banks or insurance companies and so on. Speaker 4 00:22:02 Yep. That's the exact same sort of view that we have about, about did Web, it's great for an non-person entities that are issuing verifiable credentials. So a lot of our use cases are sort of supply chain use cases where you have a company that's producing, you know, trade documents associated with an import and they might, you know, want to use, uh, a decentralized identifier that's sort of similar to the web origins that they're already using to be known in the supply chain. Speaker 3 00:22:33 As we've already talked about, did Web is somewhat unique in the DID space in that it both does not make use of a backend distributed ledger as many of the DID methods we look at do. And it is not meant to be either somewhat ephemeral or peer-to-peer, such as methods like did Key and did peer. Uh, what are the implications of having a did method based on existing web technologies to you? Speaker 4 00:22:56 I think, I'm not sure I'm answering the question properly, but for me the, the primary value of DID Web comes from you're on a web origin interacting with a brand, and then you're able to confirm that that same entity has exposed a certain set of keys for a cryptographic purpose. So to me, the primary value of DID Web when compared to some of these other DID methods is it's sort of in the same in, you're in the same kind of channel with the brand that you were before. So if you think about being on microsoft.com and looking for their PGP keys to encrypt a, a vulnerability disclosure, you wanna send a vulnerability disclosure to Microsoft, and because it's sensitive, you wanna make sure it's encrypted so that only the right recipient will will read that information. You can, you know, Google, Microsoft, uh, vulnerability disclosure PGP keys, and you'll come to a website and there'll be a PGP key right there on the webpage from Microsoft. Speaker 4 00:24:01 And if you trust that that key is really theirs, you'll then encrypt to that key and send them a vulnerability disclosure. If you think about what the key agreement relationship in, uh, did, did web did document is is doing it, it's exactly the same thing, but at a sort of in with some standards packaging around it so that you don't have to guess, you know, where is the vulnerability disclosure key, you know, on this website, you know, maybe this other web provider, they put it at a different webpage that those problems sort of go away. If you're looking at the, the DID web, you can discover a key that you could use to encrypt a vulnerability disclosure to just by having that identifier. Speaker 1 00:24:44 So the root authority for did web ends up being, uh, the domain name system anchored by tls. So why do we need a did method if d n s already provides this certificate mechanism with tls? So like what, what's the, what do we get for this extra work? Speaker 4 00:25:03 That's, that's a great question. Speaker 5 00:25:06 I can try to answer it. Speaker 4 00:25:08 Yeah, go Speaker 5 00:25:08 Ahead. So I saw it primarily as a interoperability layer between web two identity and Dev three identity. Um, web three in that case means, um, the new, um, blockchain ecosystem that, um, is emerging. Um, people could then upgrade the services easier, uh, to another mass at once they are ready. Another advantage of having a did method like that, um, so instead of t ls is, um, you typically want to have different keys for different use cases. Uh, so you don't wanna encrypt data with your T LS certificate or with the keys in your T ls certificate just for a security reasons. So you wanna have different keys for encryptions and for encryption and signatures. Um, it's one of the, one of the reasons <laugh>. Speaker 4 00:25:53 Yep, I totally agree with that. I mean, one of the nice things about relying on DID web is there's a certain set of key material that you might be using to protect your DNS records, certain set of key material you might be using to protect that TLS connection, and then trusting those, you know, two sets of cryptographic material and potentially Cipher suites, you can then discover additional cipher suites that you might want to rely on to interact with that identifier. And the, the cipher, the, the key material that's going into the, the Dead document itself, that can be newer, sort of more experimental cryptography that you wouldn't find at DNS stack layer or at TLS layers, and yet you're gonna be able to easily make that key material available to certain parties that might wanna start relying on it earlier. So it's, uh, you know, not to get into a totally different topic, which would be, you know, post quantum cryptography or hybrid cryptography schemes. But did web is, is actually a really excellent technology for thinking about some of those use cases because you might rely on traditional TLS and D N S to discover a post quantum capable key, and then you might use that post quantum capable key for digital signatures or for key encapsulation, other forms of encryption or privacy oriented use cases. So it's, it's a, again, a really excellent bridging technology because of that flexibility that comes built into it. Speaker 5 00:27:22 Yeah, and I think, um, selective disclosure and the <inaudible> credential, whereas this I word is another use case. Um, so I think you won't be able to include the B Ls key, um, in your key L Ls certificate. Um, and um, but because the web is so flexible and allows you to add any key, any key type, um, you can also add B L LS key and then it would be able to support, um, BBS plus signatures, um, which is one of the ways we are currently standardizing for selective disclosure in the very far credential ecosystem. Speaker 1 00:27:54 So is it fair to sum up what you both just said as, um, did Web as a democratization of that key infrastructure so you can use it for more and, uh, varied sort of use cases? Speaker 4 00:28:09 Yeah, I think so. I mean, I remember though that the, the root of trust, you know, the system that's providing the security properties is the sort of older system out there. So, you know, it's, it is I think, highly consumable and usable did method, but it comes with the baggage of the DNS and TLS ecosystem. And that baggage is, is a feature to some folks because there's a large, you know, well-trained, experienced user base that are used to securing web servers. And for other folks, they look at the, that particular part of DID Web and they feel, you know, saddened that we're still handling security using, you know, DNS and, and tls and isn't there a better way of handling these things and did web sort of doesn't, doesn't give you very much, you know, moving beyond them. Um, and at the fundamental sort of base layer, you know, when you think about what's ultimately securing this, this method, Speaker 2 00:29:14 Well, did web work on a hosted content management service like a WordPress or other common low-cost web options of that kind that maybe individuals or small businesses might be using? Speaker 5 00:29:26 I haven't seen that yet, but um, in my opinion it should work. Yeah. Speaker 4 00:29:30 Yep. I've heard folks, um, have been exploring different, uh, attempts at WordPress plugins for it. I mean, one thing we should, we should probably say is it's still, uh, a, a draft method specification, so it's not been standardized yet, so there might be changes and what we're talking about right now might not be true, you know, several years from now, depending on how the method specification evolves. Um, but today, if you want to build a plugin for a CMS system like WordPress, uh, to manage did Webs, that's pretty easy to do. The plugin's primary job is to allow you to put a file at a specific path on the web server, and if you need multiple, uh, did methods for the same web server, you can do that with DID Web or you can just rely on the single well known path, um, which is for the whole origin itself. So if you, there's different use cases, you know, why you might want to be easily be able to create many different DID Webs on the same web server, and then the plugin would have to manage that ability to have many different, uh, identifiers on the same server, or you could just have a single file on that web server, um, that represents that origin as a whole. Speaker 1 00:30:49 Okay. Let's talk about people starting with you two. How did you get involved with, DID Web, Speaker 5 00:30:57 I mean, I was one of the original authors of the DID web specification and which is the DID web in the WS C did Mess of Registry. Speaker 4 00:31:08 Yeah, I, I joined the DID web later, um, and I didn't really start using, did Web UN until it had the ability to represent multiple, did documents on the same web web origin. So I used the, the first version of it, the one that Oliver, uh, and others created. And I was immediately hit this limitation that was frustrating of I have to register a new origin every time I want to create a new identifier. And, and that made it kind of difficult to experiment with. Um, and so I really started getting into using DID Web once it got the ability to have these path based routing identifiers, because then I could create a single web origin for a given purpose and I could create unbounded number of identifiers underneath that web origin. I could start exploring, uh, features, uh, as I used did web a lot as we were testing the, the DID spec did core specification because there are features of Dior that are, the speck sort of said were legal, but that no one was really implementing because every ledger decentralized ledger, blockchain based method system didn't support that feature. Speaker 4 00:32:23 So arbitrary integer properties or really deeply nested object structures, some of these edge cases were hard to find even a single DID method that you could provide an example of. But did web made it really easy to test those kinds of features? And I could use several different identifiers so I could create, uh, an identifier that's sole purpose was to express a certain Edge case of the DID specification. So I started using it for those kinds of cases. And then to test interoperability features, you know, for certain kinds of cryptography to two identifiers, want to agree, um, to using a particularly new cryptographic suite did WEB was a really useful tool for testing those kinds of new cryptographic suites because if the suite changed, you could easily change the DID document. It wasn't like I have to pay Testnet Ether or Main net ether to change my identity document. I can just change the file on the web server. And so it was very helpful for evaluating whether a specification that was built on top of decentralized identifiers was gonna work well. It was a very lightweight way of, of concretely testing some of those use cases. Speaker 2 00:33:37 Cool. And as a follow up, what is important about this work to you personally? Another way of asking that might be, you know, you're the, you're the superheroes who have created, did Web, what's your origin story? Why'd you do it? Speaker 5 00:33:53 So my personal motivation to actually, uh, coor Auto the did that method in the first place, um, was to, to make decentralized identity technology more accessible and lower the implementation barrier, um, by using existing technology that have been approved. Um, and, uh, when understood. Speaker 4 00:34:12 Yeah, I think, uh, sort of a similar motivation for, for getting involved in the work. I, I think it's easy, especially in, you know, cryptography standards to get really attached to complexity. And so you, you look at some of these specifications that are really complicated and interesting and you get really sucked into how important all this complexity was to creating this new standard and this new specification. And what I like about DID Web is how simple it is. It's very, very simple. And that simplicity is what makes it so easy for folks to, to implement themselves, to explore, to adopt. And every piece of complexity that we add to did Web might make it harder for people to adopt did Web, and that's a thing as we build standards, we should always kind of keep in mind because the adoption of the technology is, is really the most important piece. Speaker 4 00:35:09 It's the standard is not gonna matter at all if nobody's using it. And so did Web's Simplicity makes it really usable. And there's trade-offs that come with that. Like, you know, you might wish that did Web had some better long-term integrity management tracking capabilities, but adding them to it would make it a lot more complex. So there's a trade off there. Do we want the did data model to be adopted or do we want, you know, did Web to have the same properties that a blockchain base did method would have? And you know, maybe I think a lot of folks look at the diversity within the DID ecosystem as if it's a bad thing. Like there should only be one did method and we all could agree to just one ring, then we'd, we'd have this great, uh, amount, great amount of interoperability, right? But if you think about tools in the tool boxes, you don't have one tool that you use for everything. Speaker 4 00:36:08 If you think about database systems, it's not like everyone's running one database system for all of those use cases. There's special purpose tools and in the DID ecosystem there are DIDs that are better than did Web for certain things. And there there's did web and it is better than many other DID methods for certain kinds of things. So it's a, it's a sort of specialized did method. I don't think it's the last DID method that folks will use, but I think it has a place right now where it's, it's kind of king of a particular class of DID method, which is DIDs that are built on existing standards and technologies that are well adopted. Did Web is the king of that class today, or Queen, whichever you prefer. Speaker 2 00:36:54 Yeah, I know what I'm hearing through that is that these are tools, uh, to advance self-sovereign identity or get more people using the tools for their own self-sovereign identity. And a follow-up question might be like, why is that, why is that important? Speaker 4 00:37:10 That's an awesome question. Um, I, my interest in this entire space comes from my experience in college. So my undergraduate was in cybersecurity and I was exploring social, social network, malware and information warfare and these issues on social networks where you're trying to convince people to believe things or you're trying to create, you know, various forms of advertising fraud. And so my first experience with identity, you know, in college as a security researcher was looking at how, what, what the bad guys are doing with, uh, social media identity. And I started realizing they're using cryptography, they're using digital signatures. They're, they're really taking advantage of these cryptographic tools and they're pretty hard to defeat in some cases because they're really using this technology very effectively. And I, I started to wonder whether individuals could use the same cryptographic tools to protect themselves and their own digital rights. Speaker 4 00:38:13 And, and then, you know, the Bitcoin paper came out and started to see hints that other people, you know, were thinking a also about these same sort of scenarios. How can cryptography protect my ability to, uh, express my, my rights as a human being? And it, the decentralized identifier standard is supposed to, to give interoperability to, I think that intention sort of broadly. It's not just about, you know, whether or not you should control things that have money like properties or whether or not you should be able to produce digital signatures or, you know, encrypt communications for another identifier. It's really about giving a framework to folks who want to create an identifier for a purpose and then use cryptography to protect their intention behind that, that that choice that they made. They might have many different reasons that they, they want to create that, that identifier and, and use it. Speaker 4 00:39:13 I mean, they could be a journalist and they need a new identifier that's brand new that's never been seen before in order to interact with a source. Or they could be, uh, standing up an identifier associated with a brand that's running, uh, a campaign to hand disaster relief and they just want a new identifier that's specific for that campaign to take funds in. Um, so it's not, you know, the use cases are, are broad and varied, but they all come back to this idea that cryptography is, you know, really important. If you're interested in protecting privacy and providing security, uh, you're gonna need to use cryptography. And this is DIDs are the sort of boundary between the cryptography technology and the sort of these identifiers that we use to relate to the entities that we're trying to interact with. And, and, and did Web as a category of identifier is really good at providing that kind of experience if you're trying to interact with a, an organization, you know, some kind that has some business out there, uh, you know, on the internet. Speaker 3 00:40:25 Who else has been important to the evolution of, did Web, anyone you wanna give a shout out to Speaker 5 00:40:30 Wsc, C C G, big shoutout to that group? Speaker 4 00:40:35 Yeah, there's a large, uh, largest number of contributors to, uh, the, the DID web, um, specification document. And I think, you know, Dimitri, uh, I'm not gonna attempt his, his last name <laugh>, Speaker 3 00:40:50 Zach Dolan. Speaker 4 00:40:51 There we go. Uh, Dimitri has done a lot of work. Um, Amy, Amy has done, uh, a good amount of work. Manu and Dave Longley have also contributed really heavily to, did Web, um, Mike Pro Rock, uh, has contributed to, to, did web folks, different folks joined at different times, like Oliver's been here since, since the beginning. I joined sort of later. I think a lot of folks, they come to the DID web specification, they read it, they realize it's really simple, they go off to deploy it, and then they hit an edge case and they come back to the specification and they fix that edge case for themselves and then for everyone else as part of that process. And so the specifications that have evolved as, as folks have, have gone off and tried to use it and hit, hit a problem that they needed solved, and they come back and they help the specification evolve. Speaker 4 00:41:43 You know, one area, um, that we're still sort of struggling with is, is the, the metadata in the, in the DID web did document, and that's an area that's still receiving a lot of active contribution from the community. People are debating how should we handle this? If we extend it, what new properties do we get? Why are those impro properties important to me? Or, you know, my use case. So I think it's still, um, the contributor, there have been a lot of folks that have contributed to it, but I expect there still are many contributors that haven't joined yet that, that will contribute in the future and that will help shape, you know, what did Web will become? Speaker 1 00:42:23 Are there any companies that are particularly involved or particularly standing up behind it? Speaker 4 00:42:30 Well, I will speak for myself. I'm, I'm, you know, or Steel, I'm CTO at Transmute. We use DI Web, uh, today. We're really excited about it for these issuer use cases and especially for identifying non-person entities in in supply chains that rely on verifiable credentials. Speaker 5 00:42:48 SP Systems Inc. Also has an implementation of DID Web, um, but it's not my personal favorite. Um, Dick Methods, um, we can maybe talk about this later. <laugh> <laugh>, it actually is Speaker 2 00:43:02 Here, ends part one of our episode on DID Web and concludes our show today. The conversation continues in part two and that will bring us to the end of our show today. Speaker 1 00:43:15 Ari, thank you for joining us on the show today, Oliver, thank you. Thanks also to our staff, our producer Eric O'Connell and my co-host Eric Chu. I'm your host, Joe Andrew. Speaker 2 00:43:27 Wherever you find the Rubric podcast, please take a moment to subscribe to our feed so you'll be notified when our next episode is released. We look forward to you joining us next time. Speaker 6 00:43:39 The information, opinions, and recommendations presented in this podcast are for general information only and any reliance on the information provided in this podcast is done at your own risk. The views, thoughts, and opinions expressed by the speakers in this podcast belong solely to the speakers and not necessarily to the speaker's employer, organization, committee, or other group or individual.

Other Episodes

Episode 0

June 11, 2022 00:41:22
Episode Cover

Nobody but Us (did:peer, Part 1)

The did:peer method was the first DID method without universal resolution. Designed to facilitate direct one-to-one DIDs, only those parties to the peerage can...

Listen

Episode

January 24, 2024 00:39:45
Episode Cover

DIDs for Any Crypto (did:pkh, Part 1)

did:pkh is the minimalist multi-blockchain DID method, designed to work with any blockchain with minimal fuss. Today we talk with two of the authors–and...

Listen

Episode 0

April 24, 2021 00:01:42
Episode Cover

The Rubric, in Brief

The Rubric helps you understand the technologies behind Decentralized Identity, including Decentralized Identifiers, also known as DIDs (or D.I.D.s), DID documents, and DID methods. ...

Listen