openwallet-foundation / architecture-sig

This special interest group (SIG) is focused on conversations related to the architecture of digital wallet engines and is a sub-group reporting to the OpenWallet Foundation's Technical Advisory Committee.
Creative Commons Attribution 4.0 International

Create decentralized-identifiers.md #33

Closed OR13 closed 1 year ago

OR13 commented 1 year ago

Screen Shot 2022-10-14 at 3 22 12 PM

thomas-tran commented 1 year ago

In addition to your diagram, the complete decentralized identifier component should be like this

OR13 commented 1 year ago

@thomas-tran I like your additions, how should we merge these?

If you suggest them as changes, I am happy to accept.

thomas-tran commented 1 year ago

@OR13 Here is the live URL, please help to merge it into your diagram.

OR13 commented 1 year ago

Screen Shot 2022-10-19 at 2 09 49 PM

updated live

dhh1128 commented 1 year ago

I don't think we should confuse "identity" and "identifier." The methods on an identity management service are creating identifiers, not identities, right? An identity may use multiple identifiers, and the relationship between them may or may not be known to an identity management service.

thomas-tran commented 1 year ago

@dhh1128 In my perspective, the identity management service is used to create an identity, or the identity card, that contains properties such as a unique decentralized identifier (did), the metadata (did doc) associated with it and optional other information.

The identity provider is in charge of creating the unique identifier, either on a blockchain or off-chain, e.g. did:elem:xxx or did:web:xxx.

An identity can be an organizational identity, a person, a group or a thing identity. For example, an organizational identity contains name, alias, type(tag), domain_url, business_address, did and did_doc.

```typescript
interface IOrganization extends IIdentity
```

You can register the decentralized identifier (did) in the blockchain similar to the domain name in the domain registry. The identity itself can be stored off chain in the local database & secured cloud storage.

dhh1128 commented 1 year ago

Is there a 1:1 relationship between "identity" and "identifier" in this design?

How would I model a situation where I rotate my identifier? Have I rotated my identity, or just changed the way I index into it? Can one identity have more than one identifier at the same time?

thomas-tran commented 1 year ago

In the real world, the physical wallet holds multiple identity cards such as a driver's license, employee id card, and medicare card.

The digital wallet is similar to the physical wallet which can hold one or more identities depending on the different types of the wallet. For instance, the user's digital wallet has up to 10 identities, the cloud wallet has unlimited identities and an IoT device wallet has only one identity.

Each identity has a unique identifier so the relationship between the identity and identifier is 1 to 1.

If your identity is compromised (to be more specific, if the private key used to authenticate to some services or websites is compromised), you will not rotate your identity or your identifier (did:elem:Zsxxxx); instead, you will rotate the key for authentication or assertion (used to issue a credential) in the identity metadata or identity document (did doc).

You may need to have different keys during the identity creation. For example:

- Authentication: Secp256k1 allows access to websites or services
- Assertion: Ed25519 to issue credentials
- Key Agreement: X25519 to create a secure communication channel between parties (DIDComm protocol)
- Capability Invocation: Ed25519 to update the identity document (did doc), to replace the authentication or assertion key
- Capability Delegation: Ed25519 to delegate the capability to the other party to act on your behalf.

The method update() in the identity provider will handle the key rotation using the capability invocation key. You must keep the Capability Invocation private key safely as it is the only way to rotate your key or to update the identity document in the registry (blockchain).

dhh1128 commented 1 year ago

> In the real world, the physical wallet holds multiple identity cards such as a driver's license, employee id card, and medicare card. The digital wallet is similar to the physical wallet which can hold one or more identities depending on the different types of the wallet. For instance, the user's digital wallet has up to 10 identities, the cloud wallet has unlimited identities and an IoT device wallet has only one identity... Each identity has a unique identifier so the relationship between the identity and identifier is 1 to 1.

I don't think we are defining "identity" the same way.

When I became involved in the DID spec 6 years ago, one of the first lectures I got from the W3C CCG community was on the distinction between "identity" and "identifier." I don't remember who delivered the lecture, but whoever they were, they were right. I suggest that we stipulate that:

- A credential is not an identity (your driver's license and your passport both describe or attach to the same identity, which has a legal meaning quite different from the credential that proves it).
- An identifier is not an identity (my family calls me "Dan" in most cases, but "Daniel" if they're being formal; you may have a passport number and a driver's license and one or more DIDs that all point to the same identity).
- A profile is not an identity (it is rather a view or projection of an identity in a context).
- A pair of crypto keys is not identity (it is rather a way of proving or exercising identity).

This is not just a philosophical argument. As I write this, I have an email sitting in my inbox from YouTube, announcing that after many years and much effort, they've created the ability for users to choose and change their handles (identifiers). When I change handles (identifiers), I have clearly not changed my identity, since YouTube doesn't ask me to change my password and doesn't reset my history or library. There is a sameness (identity) that remains stable across the identifier change. It's taken YouTube over a decade to conclude that they shouldn't equate identity and identifiers; let's learn from their many-millions-of-dollars/euros/yen mistake. (BTW, numerous other services make this same mistake. But there are important examples of the other [correct] model. You can change your Twitter handle or your github handle without resetting your identity.)

I suggest that the interface in @OR13 's beautiful picture should have methods that are about creating and updating identifiers and their associated metadata (e.g., DID documents), but should not have methods that are about creating and updating identities. This doesn't really change the function signatures; it just changes the names to accurately reflect what's really going on -- because wallets don't actually create identities; they help you manage the artifacts associated with an identity that already exists. The (normal) scope of concern for one identity manager instance = 1 (pre-existing) identity. It is this identity that is associated with biometrics and similar things that unlock the wallet, and it is this entity that projects itself in various contexts using one identifier or another. It is this entity that gives the wallet its configuration and policy choices, and it is to this entity that the wallet owes allegiance. Its security model should be geared to protecting this identity, which has a broader meaning than just protecting one identifier worth of stuff; it must take into consideration how all the identifiers are or are not correlated, in order to do its protection and management job correctly.

The normal work that's done to manage that identity is at the identifier level, which is more granular than a full identity. Providing that granularity -- and allowing it to exist comfortably without bogging the identity controller down with the underlying details -- is one of the value propositions of a digital wallet.
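As an added illustration for the two comments above (this is editor-supplied example code, not code from this PR, the SIG or either commenter), the TypeScript below models what both of them describe: one pre-existing identity that controls several identifiers, each identifier carrying a DID document with separate keys for the authentication, assertion, key agreement, capability invocation and capability delegation relationships, and a key rotation implemented as a DID document update that must be signed by a key listed under capabilityInvocation in the current document. The DID method `did:example`, the key ids, the `version` field and the wallet-internal `identityId` are constructed for the example; Ed25519 keys come from Node's `node:crypto`. The point to observe is that after the rotation the identifier and the identity are unchanged, only the key set moved, and that the rotated-out authentication key cannot authorise a further update.

```typescript
// Added example, not the SIG's code. One identity controls several identifiers;
// each DID document keeps separate keys per verification relationship, and a key
// rotation is an update that must be authorised by a capabilityInvocation key.
// All DIDs, key ids and names below are constructed placeholders.
import { createPublicKey, generateKeyPairSync, sign, verify, KeyObject } from "node:crypto";

type Relationship =
  | "authentication" | "assertionMethod" | "keyAgreement"
  | "capabilityInvocation" | "capabilityDelegation";

interface VerificationMethod {
  id: string;            // e.g. "did:example:alpha#auth-0" (constructed)
  publicKeyDer: string;  // Ed25519 public key, SPKI DER, hex-encoded
}

interface DidDocument {
  id: string;            // the identifier; never changes across updates
  version: number;       // one step per accepted update
  verificationMethod: VerificationMethod[];
  relationships: Record<Relationship, string[]>;  // relationship -> key ids
}

// The identity exists before the wallet does; the wallet only manages its identifiers.
interface Identity {
  identityId: string;    // wallet-internal, stable handle (not a DID)
  identifiers: Map<string, DidDocument>;
}

interface UpdateRequest {
  did: string;
  newDocument: DidDocument;
  signerKeyId: string;   // must be under capabilityInvocation in the CURRENT document
  signature: Buffer;     // Ed25519 signature over the serialised new document
}

// Both sides build the same object the same way here; a real registry would
// need a canonical serialisation (e.g. JCS) before signing.
const serialise = (doc: DidDocument): Buffer => Buffer.from(JSON.stringify(doc));

function newKey(id: string): { method: VerificationMethod; privateKey: KeyObject } {
  const { publicKey, privateKey } = generateKeyPairSync("ed25519");
  const der = publicKey.export({ type: "spki", format: "der" });
  return { method: { id, publicKeyDer: der.toString("hex") }, privateKey };
}

// Accepts an update only if it keeps the identifier, advances the version by one
// and is signed by a key the current document lists under capabilityInvocation.
function applyUpdate(identity: Identity, req: UpdateRequest): { ok: boolean; reason: string } {
  const current = identity.identifiers.get(req.did);
  if (!current) return { ok: false, reason: "unknown identifier" };
  if (req.newDocument.id !== current.id) return { ok: false, reason: "identifier must not change" };
  if (req.newDocument.version !== current.version + 1) return { ok: false, reason: "bad version" };
  if (!current.relationships.capabilityInvocation.includes(req.signerKeyId))
    return { ok: false, reason: "signer lacks capabilityInvocation" };
  const vm = current.verificationMethod.find((m) => m.id === req.signerKeyId);
  if (!vm) return { ok: false, reason: "signer key not in document" };
  const pub = createPublicKey({ key: Buffer.from(vm.publicKeyDer, "hex"), format: "der", type: "spki" });
  if (!verify(null, serialise(req.newDocument), pub, req.signature))
    return { ok: false, reason: "bad signature" };
  identity.identifiers.set(req.did, req.newDocument);
  return { ok: true, reason: "updated" };
}

// Walks through the scenario from the thread and returns the observable state.
function demo() {
  const identity: Identity = { identityId: "wallet-owner-1", identifiers: new Map() };

  // First identifier: separate keys for authentication, assertion and capability invocation.
  const did = "did:example:alpha";
  const auth = newKey(`${did}#auth-0`);
  const assertion = newKey(`${did}#assert-0`);
  const capInv = newKey(`${did}#capinv-0`);
  const doc: DidDocument = {
    id: did, version: 1,
    verificationMethod: [auth.method, assertion.method, capInv.method],
    relationships: {
      authentication: [auth.method.id], assertionMethod: [assertion.method.id],
      keyAgreement: [], capabilityInvocation: [capInv.method.id], capabilityDelegation: [],
    },
  };
  identity.identifiers.set(did, doc);

  // Second identifier for the same identity: the identity count stays at one.
  const beta = newKey("did:example:beta#capinv-0");
  identity.identifiers.set("did:example:beta", {
    id: "did:example:beta", version: 1, verificationMethod: [beta.method],
    relationships: { authentication: [], assertionMethod: [], keyAgreement: [],
      capabilityInvocation: [beta.method.id], capabilityDelegation: [] },
  });

  // Compromised authentication key: rotate it, signing with the capabilityInvocation key.
  const auth1 = newKey(`${did}#auth-1`);
  const next: DidDocument = {
    ...doc, version: 2,
    verificationMethod: [auth1.method, assertion.method, capInv.method],
    relationships: { ...doc.relationships, authentication: [auth1.method.id] },
  };
  const rotated = applyUpdate(identity, {
    did, newDocument: next, signerKeyId: capInv.method.id,
    signature: sign(null, serialise(next), capInv.privateKey),
  });

  // The rotated-out authentication key cannot authorise a further update: wrong relationship.
  const attempt: DidDocument = { ...next, version: 3 };
  const rejected = applyUpdate(identity, {
    did, newDocument: attempt, signerKeyId: auth.method.id,
    signature: sign(null, serialise(attempt), auth.privateKey),
  });

  const updated = identity.identifiers.get(did)!;
  return {
    identityId: identity.identityId,            // unchanged by the rotation
    identifierCount: identity.identifiers.size, // 2 identifiers, still 1 identity
    did: updated.id,                            // unchanged by the rotation
    version: updated.version,
    authenticationKey: updated.relationships.authentication[0],
    rotated: rotated.ok,
    rejectedReason: rejected.reason,
  };
}

console.log(demo());
```

Running it prints the state after the rotation: the identity handle and both DIDs are exactly as created, `version` is 2, `authenticationKey` now points at `#auth-1`, and the second update is refused with "signer lacks capabilityInvocation" because authorisation is tied to the relationship a key is listed under, not to possession of any key in the document. Renaming the picture's methods from "identity" to "identifier", as suggested above, corresponds to `applyUpdate` operating on entries of `identity.identifiers` and never on `identityId`.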

thomas-tran commented 1 year ago

@dhh1128 I think you are right. @OR13 I've changed the name in the live URL, please help to update the diagram.

OR13 commented 1 year ago

@thomas-tran I think the link you shared is stale... it does not have changes.

I think it's ok to do a find replace on "identity" to "identifier" and take the changes as WIP.

Let's keep PR feedback focused on specific change requests and move discussion to Discord or issues.

Parsifal-M commented 1 year ago

> In the real world, the physical wallet holds multiple identity cards such as a driver's license, employee id card, and medicare card. The digital wallet is similar to the physical wallet which can hold one or more identities depending on the different types of the wallet. For instance, the user's digital wallet has up to 10 identities, the cloud wallet has unlimited identities and an IoT device wallet has only one identity... Each identity has a unique identifier so the relationship between the identity and identifier is 1 to 1.
>
> I don't think we are defining "identity" the same way.
>
> When I became involved in the DID spec 6 years ago, one of the first lectures I got from the W3C CCG community was on the distinction between "identity" and "identifier." I don't remember who delivered the lecture, but whoever they were, they were right. I suggest that we stipulate that:
>
> - A credential is not an identity (your driver's license and your passport both describe or attach to the same identity, which has a legal meaning quite different from the credential that proves it).
> - An identifier is not an identity (my family calls me "Dan" in most cases, but "Daniel" if they're being formal; you may have a passport number and a driver's license and one or more DIDs that all point to the same identity).
> - A profile is not an identity (it is rather a view or projection of an identity in a context).
> - A pair of crypto keys is not identity (it is rather a way of proving or exercising identity).
>
> This is not just a philosophical argument. As I write this, I have an email sitting in my inbox from YouTube, announcing that after many years and much effort, they've created the ability for users to choose and change their handles (identifiers). When I change handles (identifiers), I have clearly not changed my identity, since YouTube doesn't ask me to change my password and doesn't reset my history or library. There is a sameness (identity) that remains stable across the identifier change. It's taken YouTube over a decade to conclude that they shouldn't equate identity and identifiers; let's learn from their many-millions-of-dollars/euros/yen mistake. (BTW, numerous other services make this same mistake. But there are important examples of the other [correct] model. You can change your Twitter handle or your github handle without resetting your identity.)
>
> I suggest that the interface in @OR13 's beautiful picture should have methods that are about creating and updating identifiers and their associated metadata (e.g., DID documents), but should not have methods that are about creating and updating identities. This doesn't really change the function signatures; it just changes the names to accurately reflect what's really going on -- because wallets don't actually create identities; they help you manage the artifacts associated with an identity that already exists. The (normal) scope of concern for one identity manager instance = 1 (pre-existing) identity. It is this identity that is associated with biometrics and similar things that unlock the wallet, and it is this entity that projects itself in various contexts using one identifier or another. It is this entity that gives the wallet its configuration and policy choices, and it is to this entity that the wallet owes allegiance. Its security model should be geared to protecting this identity, which has a broader meaning than just protecting one identifier worth of stuff; it must take into consideration how all the identifiers are or are not correlated, in order to do its protection and management job correctly.
>
> The normal work that's done to manage that identity is at the identifier level, which is more granular than a full identity. Providing that granularity -- and allowing it to exist comfortably without bogging the identity controller down with the underlying details -- is one of the value propositions of a digital wallet.

Really good write-up on this :+1: I also agree.