W3C overrules objections by Google, Mozilla to decentralized identifier spec
Oh no, he DIDn't
The World Wide Web Consortium (W3C) has rejected Google's and Mozilla's objections to the Decentralized Identifiers (DID) proposal, clearing the way for the DID specification to be published as a W3C Recommendation next month.
The two tech companies worry that the open-ended nature of the spec will promote chaos through a namespace land rush that encourages a proliferation of non-interoperable method specifications. They also have concerns about the ethics of relying on proof-of-work blockchains to handle DIDs.
The DID specification describes a way to deploy a globally unique identifier without a centralized authority (eg, Apple for Sign in with Apple) as a verifying entity.
"They are designed to enable individuals and organizations to generate their own identifiers using systems they trust," the specification explains. "These new identifiers enable entities to prove control over them by authenticating using cryptographic proofs such as digital signatures."
The goal for DIDs is to have: no central issuing agency; an identifier that persists independent of any specific organization; the ability to cryptographically prove control of an identifier; and the ability to fetch metadata about the identifier.
These identifiers can refer to people, organizations, documents, or other data.
DIDs conform to the URI schema: did:example:123456789abcdefghi. Here "did" represents the scheme, "example" represents the DID method, and "123456789abcdefghi" represents the DID method-specific identifier.
"DID methods are the mechanism by which a particular type of DID and its associated DID document are created, resolved, updated, and deactivated," the documentation explains.
This would be expressed in a DID document, which is just a JSON Object that contains other key-value data describing things like how to verify the DID controller (the entity able to change the DID document, typically through control of cryptographic keys) in order to have a trusted, pseudonymous interaction.
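The checks a relying party might run on a DID and its resolved DID document before trusting any key in it, as an added example that is not code from the article or the W3C specification. The syntax pattern follows the DID Core ABNF and the field names (id, verificationMethod, authentication) are DID Core properties; the method allowlist, the sample document and the function names are assumptions made for illustration.

```python
import re

# DID Core ABNF: did = "did:" method-name ":" method-specific-id
_IDCHAR = r"(?:[A-Za-z0-9._-]|%[0-9A-Fa-f]{2})"
_DID_RE = re.compile(rf"did:([a-z0-9]+):((?:{_IDCHAR}*:)*{_IDCHAR}+)")

# Assumption: the only methods this relying party has a resolver for.
SUPPORTED_METHODS = frozenset({"example", "web"})


class DIDError(ValueError):
    """Raised when a DID or DID document fails a check."""


def parse_did(did):
    """Split a DID into (method, method-specific identifier), strictly."""
    m = _DID_RE.fullmatch(did)
    if m is None:
        raise DIDError(f"not a syntactically valid DID: {did!r}")
    return m.group(1), m.group(2)


def authentication_methods(did, doc):
    """Return ids of verification methods the document lists for authentication."""
    method, _ = parse_did(did)
    if method not in SUPPORTED_METHODS:
        raise DIDError(f"unsupported DID method: {method!r}")
    if doc.get("id") != did:
        raise DIDError("DID document id does not match the DID that was resolved")
    declared = {vm["id"]: vm for vm in doc.get("verificationMethod", [])}
    usable = []
    for entry in doc.get("authentication", []):
        vm = declared.get(entry) if isinstance(entry, str) else entry
        # Conservative policy (an assumption): skip dangling references and
        # any key whose absolute id is not under the DID being checked.
        if vm and vm.get("id", "").startswith(did + "#"):
            usable.append(vm["id"])
    return usable


# Constructed sample document, not taken from any real registry.
SAMPLE_DID = "did:example:123456789abcdefghi"
SAMPLE_DOC = {
    "id": SAMPLE_DID,
    "verificationMethod": [
        {"id": SAMPLE_DID + "#key-1", "type": "JsonWebKey2020", "controller": SAMPLE_DID},
    ],
    "authentication": [SAMPLE_DID + "#key-1", "did:example:other#key-9"],
}
```

The method allowlist is the part that matters in practice: each DID method has its own resolution rules, so a verifier can only make trust decisions about methods it has deliberately implemented.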
What Google and Mozilla object to is that the DID method is left undefined, so there's no way to evaluate how DIDs will function nor determine how interoperation will be handled.
"DID-core is only useful with the use of 'DID methods', which need their own specifications," Google argued. "... It's impossible to review the impact of the core DID specification on the web without concurrently reviewing the methods it's going to be used with."
A DID method specification represents a novel URI scheme, like the http scheme [RFC7230] but each being different. For example, there's the trx DID method specification, the web DID method specification, and the meme DID method specification.
These get documented somewhere, such as GitHub, and recorded in a verifiable data registry, which in case you haven't guessed by now is likely to be a blockchain – a distributed, decentralized public ledger.
However, there is a point of centralization: the W3C DID Working Group, which has been assigned to handle dispute resolution over DID method specs that violate any of the eight registration process policies.
Mozilla argues the specification is fundamentally broken and should not be advanced to a W3C Recommendation.
"The DID architectural approach appears to encourage divergence rather than convergence & interoperability," wrote Tantek Çelik, web standards lead at Mozilla, in a mailing list post last year. "The presence of 50+ entries in the registry, without any actual interoperability, seems to imply that there are greater incentives to introduce a new method, than to attempt to interoperate with any one of a number of growing existing methods."
Mozilla significantly undercounted. There are currently 135 entities listed by the W3C's DID Working Group, up from 105 in June 2021 and 86 in February 2021 as the spec was being developed. If significant interest develops in creating DID methods, the W3C – which this week said it is pursuing public-interest non-profit status – may find itself unprepared to oversee things.
Google and Mozilla also raised other objections during debates about the spec last year. As recounted in a mailing list discussion by Manu Sporny, co-founder and CEO of Digital Bazaar, Google representatives felt the spec needed to address DID methods that violate ethical or privacy norms by, for example, allowing pervasive tracking.
Both companies also objected to the environmental harm of blockchains.
"We (W3C) can no longer take a wait-and-see or neutral position on technologies with egregious energy use," Çelik said. "We must instead firmly oppose such proof-of-work technologies including to the best of our ability blocking them from being incorporated or enabled (even optionally) by any specifications we develop."
Despite these concerns, as well as resistance from Apple and Microsoft, the W3C overruled the objections in a published decision, a requirement for advancing the spec's status. ®