# UCAN and did:plc
Discussion thread on UCAN community: https://github.com/orgs/ucan-wg/discussions/154
Luma Event: https://lu.ma/az50yb9v
This is a general information and kick-off session to talk about DID interop and compatibility.
## Agenda
* Daniel: Bluesky, did:plc
* Henri: Privy, did:privy
### Daniel (Bluesky): Description of did:plc, design goals
* Docs https://github.com/bluesky-social/did-method-plc
- service endpoint / personal data server (PDS)
- looking at options, taxonomy of DIDs -- what Joel calls generative DIDs: the DID itself, like did:key, is the curve and the public key bytes
- resolver DIDs -- endpoint to go to, to resolve a DID, did:web, did:ens
- cryptographic DIDs -- Seed of trust, DID ID is the hash of the genesis document, layer on consensus, and you get current state
- self certifying data -- look at data, look at signatures, is it valid
- problem with self certifying data -- "double spend problem", 2 keys can rotate the same document; need to add consensus of some kind
- resolve forks / conflicts
- called it DID placeholder, this is the shape we want it to be -- we got warnings in the space, don't create a DID consortium
- build the social protocol, don't build the consortium
- get the shape of the DID, and start using the space
- not JSON-LD
- small JSON document, some service endpoints, "also known as" for handles
- unique fields are rotation keys -- allowed to rotate
- separate from signing key
- lets you keep custody of the document while delegating the signing key to a service
- recoverability was important
- grace period where you can override in 72 hours
- higher authority "root" in the array -> lesser authority
- also holds a rotation key and a recovery key
- customizable grace period
- adding in some extra rules around what rotation rules are allowed to do what
Dmitri: How is DID resolved?
* plc.directory/did
* ask it for the DID document
* can also download the log
* history is auditable -- auditable history of a DID document, all operations and timestamps, and invalidated ones
* export the dataset
* with auditability, kind of like certificates
* doesn't cover DOS attacks
* wanted a DID method that was super simple -- that anyone can use
* also support did:web -- would like one more, for the cypherpunks
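As an added example (not Bluesky's code or the did:plc reference implementation), the following Python models the rules summarised above: the identifier is a truncated hash of the genesis operation, each operation must be signed by a rotation key of the operation it points to, the log keeps nullified operations so the history stays auditable, and within the grace period a higher-authority rotation key (earlier in the array) can fork the log and nullify a lower-authority key's operations. Signatures are an HMAC stand-in and the encoding is canonical JSON rather than DAG-CBOR; key names, timestamps and service URLs are constructed.

```python
import hashlib, hmac, json

GRACE_PERIOD = 72 * 3600  # the 72-hour override window from the notes, in seconds

def canonical(op: dict) -> bytes:
    """Deterministic encoding of an op (stand-in for did:plc's DAG-CBOR)."""
    return json.dumps(op, sort_keys=True, separators=(",", ":")).encode()

def op_hash(op: dict) -> str:
    return hashlib.sha256(canonical(op)).hexdigest()

def mac(secret: bytes, unsigned: dict) -> str:
    """Constructed stand-in for a signature (did:plc verifies ECDSA against a did:key)."""
    return hmac.new(secret, canonical(unsigned), "sha256").hexdigest()

def sign_op(secret: bytes, unsigned: dict) -> dict:
    return {**unsigned, "sig": mac(secret, unsigned)}

def signer_index(op: dict, rotation_keys: list, keys: dict) -> int:
    """Authority index (0 = root, highest) of the rotation key that signed op, or -1."""
    unsigned = {k: v for k, v in op.items() if k != "sig"}
    for i, key_id in enumerate(rotation_keys):
        if key_id in keys and hmac.compare_digest(mac(keys[key_id], unsigned), op["sig"]):
            return i
    return -1

def replay_log(log: list, keys: dict) -> tuple:
    """Replay an audit log; return (did, current op, hashes of nullified ops)."""
    chain, nullified = [], []  # chain: accepted (hash, op, signer authority index)
    for op in log:
        if not chain:
            if op["prev"] is not None:
                raise ValueError("genesis op must have prev = None")
            idx = signer_index(op, op["rotationKeys"], keys)
            if idx < 0:
                raise ValueError("genesis op not signed by one of its rotation keys")
            chain.append((op_hash(op), op, idx))
            continue
        pos = next((i for i, (h, _, _) in enumerate(chain) if h == op["prev"]), None)
        if pos is None:
            raise ValueError("prev does not reference an accepted op")
        idx = signer_index(op, chain[pos][1]["rotationKeys"], keys)
        if idx < 0:
            raise ValueError("op not signed by a rotation key of its prev op")
        if pos < len(chain) - 1:  # fork: this op tries to nullify everything after prev
            _, disputed, disputed_idx = chain[pos + 1]
            if op["createdAt"] - disputed["createdAt"] > GRACE_PERIOD:
                raise ValueError("override attempted after the grace period")
            if idx >= disputed_idx:
                raise ValueError("override needs a strictly higher-authority rotation key")
            nullified += [h for h, _, _ in chain[pos + 1:]]
            chain = chain[:pos + 1]
        chain.append((op_hash(op), op, idx))
    # the DID is a truncated hash of the signed genesis op (hex here; did:plc uses base32)
    return "did:plc:" + op_hash(chain[0][1])[:24], chain[-1][1], nullified

def recovery_scenario() -> tuple:
    """Constructed: the PDS-held rotation key is misused to take over the DID; the root
    key forks back to genesis within the grace period and the takeover is nullified."""
    keys = {"did:key:root": b"root-secret", "did:key:pds": b"pds-secret"}
    t0 = 1_700_000_000
    def op(signer, prev, t, rotation_keys, pds):
        return sign_op(keys[signer], {"prev": prev, "createdAt": t, "rotationKeys": rotation_keys,
                                      "signingKey": rotation_keys[-1], "services": {"pds": pds}})
    genesis = op("did:key:root", None, t0, ["did:key:root", "did:key:pds"], "https://pds.example")
    takeover = op("did:key:pds", op_hash(genesis), t0 + 3600, ["did:key:rogue"], "https://rogue.example")
    recover = op("did:key:root", op_hash(genesis), t0 + 7200, ["did:key:root"], "https://pds.example")
    return replay_log([genesis, takeover, recover], keys)
```

Replaying the same log with the override signed by the lower-authority key, or after the grace period has passed, raises instead of changing the state, which is the property a resolver relies on.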
Dmitri -> did:web and did:key co-creator
* wanted to take the direction of did:web
* inspired by did:keri
* the reason it didn't move there was there was community pushback
* like Joel's proposal, around layering UCAN on this
* instead of just one resolution endpoint -- new iteration of did:web -- did:webs, same data format, and backwards linking -- just using did:web's encoding
* optionally paired with digest auth, to make it self certifying
Joel: two main features of this DID
* 1. have a way to point to a resource or service
* 2. managing public keys and authority
* Daniel: assert one root key and then have chains coming off it
* Actually 4 uses:
* 3. bidirectional link with handles -- UUID / DID to mutable handle
* 4. global UUID in the federated network
* Everything else is in PDS, including profiles
### Henri (Privy): Description of did:privy, design goals
* Where we're going: https://blog.privy.io/the-privy-mindmap-the-path-ahead-746b9647e87b
* Export docs: https://docs.privy.io/guide/frontend/embedded/export
* Interop work: https://blog.privy.io/sweating-the-details-87bf50d26cb
* Spent a lot of time looking at DID methods -- XKCD https://xkcd.com/927/
* We are DID buyers not DID builders!
* Would like to use other stuff
Daniel: what do you see as the UX of this?
* like magic link?
Dmitri: Loose agreement on did:plc direction
* witnesses -- certificate transparency like log
Joel: using UCANs, revoking
* verifiable data registry
* not just one for DIDs, and one for revoked capabilities
* can we have one place for this
Daniel: lot of similarity
* Anti pattern to collect them all in one place?
Brooke: having them colocated doesn't harm them, but
* difference between auth and identity
* UCAN uses auth, tied to an identity
* take it to the resource and want you to do something with it
* web server -- credential should live on that web server
* more complicated with eg a CRDT -- infinite number of copies
* as a backstop mechanism, makes sense
* not the only source of truth
* as soon as revocation is issued
* timing -- only if you need strong consensus
* Fission -- eventually consistent
## Questions
_Add your questions here_
@bmann PLC Directory consortium plans?
* 13 nodes?
* Or -- like Dmitri mentioned, each service runs it, annotate in did identifier
* auditability
## Meeting Chat
<pre>
08:59:46 From Boris Mann to Everyone:
https://hackmd.io/MFqGxWiVTO-G_bz1MLS3Ow
09:01:22 From Brooklyn Zelenka (@expede) to Everyone:
Mane-net
09:01:35 From Brooklyn Zelenka (@expede) to Everyone:
🦁
09:01:38 From Zachary to Everyone:
Reacted to "Mane-net" with 😂
09:01:47 From Blaine Cook to Everyone:
We’re gonna need new stickers.
09:01:59 From Jeff Griffiths to Everyone:
Reacted to "We’re gonna need new..." with 👏
09:02:58 From bengo to Everyone:
Idc how the did method works, but can the logo be a lion with a toucan beak strapped on
09:03:29 From Dmitri Zagidulin to Everyone:
Reacted to "Idc how the did meth..." with 🤩
09:04:04 From Juan Caballero to Everyone:
Reacted to "Idc how the did meth..." with 🤩
09:05:21 From Boris Mann to Everyone:
https://hackmd.io/MFqGxWiVTO-G_bz1MLS3Ow
09:07:06 From Joel Thorstensson to Everyone:
Not me actually, Wayne from spruce came up with this name!
09:07:19 From Andy to Everyone:
Reacted to "Idc how the did meth..." with 🤩
09:07:54 From Steven V. to Everyone:
Reacted to "Idc how the did meth..." with 🤩
09:09:08 From Juan Caballero to Everyone:
3!??!?
09:09:14 From Juan Caballero to Everyone:
like 10 😭
09:09:40 From Boris Mann to Everyone:
Personal Linked Content
09:10:36 From Aaron Goldman to Everyone:
PDS Location Consortium 😂
09:17:59 From Juan Caballero to Everyone:
did:keri refers to them as "pre-rotation keys"
09:18:27 From Juan Caballero to Everyone:
publishes commitments in advance as part of the security model
09:20:20 From Blaine Cook to Everyone:
(Whispers nns)
09:20:32 From Hugo Dias to Everyone:
Reacted to "(Whispers nns)" with 🤓
09:20:33 From Dmitri Zagidulin to Everyone:
@blaine LOL nice
09:20:42 From Blaine Cook to Everyone:
(But don’t want to divert the conversation that way rn)
09:22:05 From bengo to Everyone:
Can signingKey be the verification method that signs rotate_signing_key operation ?
09:22:25 From Dmitri Zagidulin to Everyone:
@bengo - I hear that bsky updated the data model (but not the docs) to use verification method
09:24:13 From Aaron Goldman to Everyone:
@bengo you can put the same key in the verification method and the rotation keys list but you need to repeat the key to be clear on your intent
09:26:07 From Boris Mann to Everyone:
@Dmitri — the link here is updated docs
09:26:17 From Boris Mann to Everyone:
https://github.com/bluesky-social/did-method-plc
09:26:26 From Dmitri Zagidulin to Everyone:
@boris - oh sweet, thanks!
09:26:49 From Aaron Goldman to Everyone:
Having a did:web and did:plc that each AKA each other is useful.
09:26:51 From Boris Mann to Everyone:
You’re right that atproto.com has stale info
09:27:23 From Dmitri Zagidulin to Everyone:
Reacted to "Having a did:web and..." with 👍
09:29:15 From Dmitri Zagidulin to Everyone:
hahahaha wooooot! +1 to not creating more did methods. (Except for this once. we do actually need some more new ones :) )
09:30:07 From Dmitri Zagidulin to Everyone:
omg, this is fabulous. is there /any/ way we can have a consortium for user profile object 🙂
09:30:24 From Dmitri Zagidulin to Everyone:
kills me that every service (Fediverse, etc) is rolling their own
09:30:54 From Boris Mann to Everyone:
@dmitri … I’d like to get there
09:30:58 From Boris Mann to Everyone:
We also need “Login with X"
09:31:04 From Dmitri Zagidulin to Everyone:
YES! that too!
09:31:19 From bengo to Everyone:
Ooh does that use did:x
09:31:20 From Blaine Cook to Everyone:
ERR_927 TOO_MANY_STANDARDS https://cdn.discordapp.com/attachments/1025439591903277086/1108793722717622392/Screenshot_2023-05-18_at_09.29.34.png
09:31:22 From Juan Caballero to Everyone:
Reacted to "omg, this is fabulou..." with 💪
09:31:26 From Juan Caballero to Everyone:
Reacted to "kills me that every ..." with 🌶️
09:31:26 From Joel Thorstensson to Everyone:
I give you “sign in with X”:
https://chainagnostic.org/CAIPs/caip-122
09:31:36 From Juan Caballero to Everyone:
Reacted to "We also need “Login ..." with 💪
09:31:40 From Boris Mann to Everyone:
@Joel …. But focused on web2 side of things, too
09:31:51 From Juan Caballero to Everyone:
Reacted to "I give you “sign in ..." with 💪
09:31:52 From Dmitri Zagidulin to Everyone:
@Joel - daamn, says so right there on the tin!
09:31:53 From Joel Thorstensson to Everyone:
Yeah it’s not complete for sure
09:31:56 From Boris Mann to Everyone:
And really what I mean is, “someone” needs to have a brand around this
09:32:05 From Boris Mann to Everyone:
That is consumer facing
09:32:30 From Dmitri Zagidulin to Everyone:
@blaine - LOL perfect nns graphic there
09:32:37 From Blaine Cook to Everyone:
Reacted to "@blaine - LOL perfec..." with ❤️
09:33:06 From Aaron Goldman to Everyone:
If octa added “sign in with X” half of all corporate single sign-on would have it
09:33:10 From Dmitri Zagidulin to Everyone:
Reacted to "And really want I me..." with 👍
09:33:32 From Blaine Cook to Everyone:
Reacted to "If octa added “sign ..." with 👆
09:34:06 From Juan Caballero to Everyone:
If octa added “sign in with X” half of all corporate single sign-on would have it
https://github.com/ChainAgnostic/CAIPs/issues/128
09:34:27 From Dmitri Zagidulin to Everyone:
Reacted to "If octa added “sign ..." with 👍
09:35:11 From Brooklyn Zelenka (@expede) to Everyone:
Reacted to "If octa added “sign ..." with 👍
09:35:24 From Blaine Cook to Everyone:
Replying to "If octa added “sign ..."
This runs dangerously close to engaging my rant mode. 😅
09:35:24 From Juan Caballero to Everyone:
(at the time he opened that issue, he worked at okta and said so in his bio. wonder what he's been up to since...)
09:35:32 From Juan Caballero to Everyone:
Reacted to "This runs dangerousl..." with 😄
09:35:42 From Juan Caballero to Everyone:
Replying to "If octa added “sign ..."
hold the floodgates!
09:36:10 From Blaine Cook to Everyone:
Replying to "(at the time he open..."
Jared is really great. Quiet hero of this space.
09:36:19 From Blaine Cook to Everyone:
Replying to "(at the time he open..."
(But yeah, not sure what he’s working on now)
09:36:24 From Juan Caballero to Everyone:
the chicken-egg problem of account portability and meaningful, context-rich DATA portability
09:36:54 From Juan Caballero to Everyone:
DWN = a piece of PDS prior art
09:37:09 From Juan Caballero to Everyone:
that was a little too tightly coupled to one version of the DID/VC/account portability/PKI stack
09:37:13 From Juan Caballero to Everyone:
for many of us here
09:37:19 From Joel Thorstensson to Everyone:
Lol, I read “a piece of …” and thought you wrote something else
09:37:23 From Aaron Goldman to Everyone:
DWN, PDS co-art
09:37:36 From Dmitri Zagidulin to Everyone:
Reacted to "for many of us here" with 👆
09:37:45 From Juan Caballero to Everyone:
it's not a total piece of
09:37:50 From Dmitri Zagidulin to Everyone:
Reacted to "DWN, PDS co-art" with 👍
09:38:04 From Juan Caballero to Everyone:
but doesn't solve all the use cases/goals here without locking you into some designs at other layers
09:38:05 From Blaine Cook to Everyone:
💯 Not just some people, but virtually everyone.
09:38:48 From Juan Caballero to Everyone:
https://github.com/ChainAgnostic/secure-design/blob/main/meetings.md
09:38:52 From Joel Thorstensson to Everyone:
That’s a lot actually!
09:38:53 From Henri S to Everyone:
Way higher than I'd thought
09:39:02 From Dmitri Zagidulin to Everyone:
yeah, I'm impressed it's that high!
09:39:42 From Blaine Cook to Everyone:
(35% of people _claim_ to use password managers 😅)
09:40:02 From Dmitri Zagidulin to Everyone:
Reacted to "(35% of people _clai..." with 😂
09:40:07 From Boris Mann to Everyone:
https://talk.fission.codes/t/odd-sdk-passkey-syncing-with-google-password-manager/4748
09:40:32 From Boris Mann to Everyone:
PWA version https://talk.fission.codes/t/odd-sdk-passkeys-pwa-and-sharing-demo/4747
09:40:51 From bengo to Everyone:
(Microsoft too yall)
09:41:00 From Blaine Cook to Everyone:
Reacted to "(Microsoft too yall)" with 👍
09:41:01 From Juan Caballero to Everyone:
Reacted to "(Microsoft too yall)" with 🌶️
09:41:03 From Juan Caballero to Everyone:
Reacted to "(Microsoft too yall)" with 👍
09:41:18 From daniel to Everyone:
Reacted to "(35% of people _clai..." with 😂
09:41:29 From Blaine Cook to Everyone:
Replying to "(Microsoft too yall)"
Hotmail is _huge_ but not in our purview.
09:41:31 From Dmitri Zagidulin to Everyone:
yeah, +1 boris
09:41:44 From Blaine Cook to Everyone:
Replying to "(Microsoft too yall)"
It’s like Android for designers 😂
09:41:55 From bengo to Everyone:
Replying to "(Microsoft too yall)"
My first email provider. They let me have a 4 letter password back then
09:42:13 From Dmitri Zagidulin to Everyone:
Reacted to "My first email provi..." with 😮
09:42:31 From bengo to Everyone:
Replying to "(Microsoft too yall)"
No password manager needed 😎
09:43:47 From Blaine Cook to Everyone:
Reacted to "My first email provi..." with 🔐
09:43:53 From Juan Caballero to Everyone:
Reacted to "My first email provi..." with 🔐
09:45:18 From Juan Caballero to Everyone:
it shouldn't be this way 😭
09:45:33 From Dmitri Zagidulin to Everyone:
share a link! :) (re elliptic blog post)
09:46:12 From Boris Mann to Everyone:
https://fission.codes/blog/everything-you-wanted-to-know-about-elliptic-curve-cryptography/
09:46:50 From Juan Caballero to Everyone:
i would like to see those diagrams
09:47:28 From Boris Mann to Everyone:
https://github.com/oddsdk/passkeys/blob/main/notes/passkey.md#5-support
09:50:41 From Jeff Griffiths to Everyone:
Simple demo that includes an email confirmation loop as a fallback in eg Firefox https://www.passkeys.io/
09:51:06 From Henri S to Everyone:
A cool demo here: https://p256.alembic.tech/
09:51:17 From Henri S to Everyone:
Issue is it’s extremely expensive to run today (for this specific use case)
09:53:35 From Boris Mann to Everyone:
This needs some more documentation and will mostly work with a Yubikey right now https://passkeys.fission.app/ — it’s in the examples directory of the oddsdk/passkeys
09:53:53 From Dmitri Zagidulin to Everyone:
Reacted to "This needs some more..." with ❤️
09:55:30 From Juan Caballero to Everyone:
Reacted to "(35% of people _clai..." with 😂
09:57:24 From Juan Caballero to Everyone:
is the problem that they're in two diff LOCATIONS or that they could be non-interoperable?
09:58:01 From Dmitri Zagidulin to Everyone:
I forget, do UCANs specify the revocation check endpoint, inside each ucan?
09:59:28 From Chris "cdata" Joel @ Subconscious to Everyone:
@dimitri no, I believe the revocation is intended to be implied by the resource in question
09:59:41 From Jeff Griffiths to Everyone:
Replying to "it shouldn't be this..."
What shouldn’t be what way?
10:00:04 From Dmitri Zagidulin to Everyone:
Replying to "@dimitri no, I belie..."
via a well-known url suffix, or out of band?
10:00:12 From Juan Caballero to Everyone:
Replying to "it shouldn't be this..."
I meant all of fission having a mental elliptical tracker 😄
10:00:38 From Boris Mann to Everyone:
Replying to "it shouldn't be this..."
Haha. Juan I will intro you to our marketing lead Becky. She knows curves!
10:01:14 From Juan Caballero to Everyone:
Reacted to "Haha. Juan I will in..." with 😭
10:01:21 From Juan Caballero to Everyone:
Replying to "it shouldn't be this..."
jesus wept
10:01:33 From Chris "cdata" Joel @ Subconscious to Everyone:
Replying to "@dimitri no, I bel..."
e.g., my UCAN gives authority over some resource foo, and resource foo is known to record any revocations in a particular way.
Out of band. Yah, it's the responsibility of whatever process is acting on the resource to check for revocations.
10:01:53 From Henri S to Everyone:
Have to run — this was awesome. Thank you for inviting me @boris!
10:01:54 From Dmitri Zagidulin to Everyone:
Reacted to "e.g., my UCAN gives ..." with 👍
10:02:00 From Juan Caballero to Everyone:
Reacted to "Have to run — this w..." with 💪
10:02:03 From Dmitri Zagidulin to Everyone:
Reacted to "Have to run — this w..." with 💪
10:02:17 From Juan Caballero to Everyone:
Replying to "@dimitri no, I belie..."
https://github.com/ucan-wg/spec/blob/04f46205f0e2be64c96e0b69bf44bfcd8fc8e006/README.md?plain=1#L783
10:02:30 From bengo to Everyone:
Reacted to "Have to run — this w..." with 💪
10:02:34 From Dmitri Zagidulin to Everyone:
Reacted to "https://github.com/u..." with 👍
10:02:59 From Jeff Griffiths to Everyone:
Reacted to "I meant all of fissi..." with 😃
10:03:47 From Juan Caballero to Everyone:
sudo ucan --hide-my-tracks
10:04:31 From Chris "cdata" Joel @ Subconscious to Everyone:
In practice, making sure all the proofs in the chain are consistently available for all verifying processes is.. an endeavor :)
10:05:14 From bengo to Everyone:
Tbt https://en.wikipedia.org/wiki/Self-certifying_File_System
10:06:55 From Juan Caballero to Everyone:
it's a legal concept 🌶️
10:07:12 From Dmitri Zagidulin to Everyone:
Reacted to "it's a legal concept..." with 💯
10:07:21 From Juan Caballero to Everyone:
we've inherited the actor model from private-property capitalism haha
10:07:23 From Juan Caballero to Everyone:
Reacted to "it's a legal concept..." with 💯
10:07:25 From Juan Caballero to Everyone:
Removed a 💯 reaction from "it's a legal concept..."
10:07:25 From Dmitri Zagidulin to Everyone:
@Boris - yeah, can you say more about did account?
10:07:36 From Dmitri Zagidulin to Everyone:
Reacted to "we've inherited the ..." with 👆
10:07:48 From Aaron Goldman to Everyone:
AKA is a type of delegation
10:08:16 From Juan Caballero to Everyone:
human wants to delegate content to humans, computer wants to delegate tokens to devices, you need both identity and authZ to bridge the spheres 😄
10:08:23 From Boris Mann to Everyone:
@Dmitri —> it’s my “let’s not call it did:plc, and what we need”
10:08:29 From Dmitri Zagidulin to Everyone:
Reacted to "@Dmitri —> it’s my “..." with 😂
10:08:36 From Brooklyn Zelenka (@expede) to Everyone:
Yeah exactly Juan
10:08:47 From Brooklyn Zelenka (@expede) to Everyone:
They’re separate layers
10:08:48 From Dmitri Zagidulin to Everyone:
Reacted to "human wants to deleg..." with 👍
10:09:04 From Jeff Griffiths to Everyone:
Dan - in this cinematic universe you Paul and jay are a super team
10:09:12 From Juan Caballero to Everyone:
because FOR NOW computers belong to humans
10:09:13 From daniel to Everyone:
Reacted to "Dan - in this cinema..." with 😂
10:09:18 From Juan Caballero to Everyone:
(as does content, for now)
10:09:31 From Joel Thorstensson to Everyone:
Human identity is not really as binary as we imagine it in the digital realm imo
10:11:08 From Juan Caballero to Everyone:
private property is a very old consensus mechanism for social identity
10:11:26 From Juan Caballero to Everyone:
can't have property without debt, can't have debt without consensual identifiers
10:11:53 From Blaine Cook to Everyone:
Reacted to "can't have property ..." with ❤️
10:12:22 From Blaine Cook to Everyone:
Reacted to "Dan - in this cinema..." with 🦸♀️
10:13:00 From Chris "cdata" Joel @ Subconscious to Everyone:
I think I see where Joel is coming from: for the purpose of constructing identity out of a web of delegations, what is the "resource" where UCAN revocations should exist? It's probably logically very close to where the log that proves key rotation/revocations...
10:13:36 From Dmitri Zagidulin to Everyone:
yeyyyy privy!
10:14:02 From Juan Caballero to Everyone:
Replying to "I think I see where ..."
you mean like a ceramic stream?
10:14:30 From Juan Caballero to Everyone:
Replying to "I think I see where ..."
or an IPLD-logged mutable-but-self-certifying resource, to speak more generally?
10:14:31 From Blaine Cook to Everyone:
Replying to "I think I see where ..."
I think my understanding is “it depends”, but maybe there’s value in having a regular (see me not say standard 😂) way to do it?
10:14:42 From Brooklyn Zelenka (@expede) to Everyone:
Chris — it depends on the resource that you’re delegating. If you want it to control the keys associated to an ID, then it totally needs to live next to the source of truth for that ID. That’s different from e.g. “able to read my DMs”
10:15:56 From Chris "cdata" Joel @ Subconscious to Everyone:
Replying to "I think I see wher..."
Maybe. I guess I just mean that in the same stroke as verifying an individual key (which is a facet of my identity), I *also* need to verify that the delegation of authority to that key is valid. It takes both parts to prove my identity.
10:16:22 From Brooklyn Zelenka (@expede) to Everyone:
Reacted to "Maybe. I guess I jus..." with 💯
10:17:24 From Chris "cdata" Joel @ Subconscious to Everyone:
Replying to "I think I see wher..."
So: it makes sense to me that Joel would say the revocations should be close to each other (I think he actually said they should be the same place).
10:18:19 From Brooklyn Zelenka (@expede) to Everyone:
Replying to "I think I see where ..."
Totally: they should be as close to the resource that they’re referring to as possible 💯
10:18:34 From Juan Caballero to Everyone:
that happens on another level, tho
10:18:36 From Dmitri Zagidulin to Everyone:
+1 daniel. and I suspect that will happen anyway
10:18:44 From Brooklyn Zelenka (@expede) to Everyone:
Replying to "I think I see where ..."
One of those may be the right to update the keys
10:18:53 From Blaine Cook to Everyone:
did:wasm:zTrust_root:zMethod
10:18:54 From Brooklyn Zelenka (@expede) to Everyone:
Replying to "I think I see where ..."
And so should live next to the e.g. PDS
10:18:56 From Juan Caballero to Everyone:
to put it another way, that's out of our hands, trying to make it happen is as much a waste of time as trying to stop it from happening
10:19:34 From bengo to Everyone:
Last April at Manny’s in SF, there was a meetup after IIW and Dmitri, me, jay, Golda, Aaron?, some others. This consortium thing came up, and the desire to NOT make a new one, and we discussed briefly that did:v1 exists and veres.one is a consortium for that. It could be good to do a survey of existing consortiums
10:19:50 From Juan Caballero to Everyone:
Reacted to "Last April at Manny’..." with 💪
10:21:42 From bengo to Everyone:
@blaine 🫡
10:22:28 From Dmitri Zagidulin to Everyone:
thanks for organizing this, Boris & crew!
10:22:36 From Chris "cdata" Joel @ Subconscious to Everyone:
Reacted to "Last April at Manny..." with 👍
10:22:43 From Benedict Lau to Everyone:
Thanks!
</pre>