w3c-ccg / did-spec

Please see README.md for latest version being developed by W3C DID WG.
https://w3c.github.io/did-core/
Other
124 stars 45 forks source link

Fix inconsistent use of term 'DID subject' #255

Closed dhh1128 closed 5 years ago

dhh1128 commented 5 years ago

Signed-off-by: Daniel Hardman daniel.hardman@gmail.com


Preview | Diff

dhh1128 commented 5 years ago

The use of the term "DID subject" in section 5.2 DID Subject, section 5.4 Authentication, and 9.3 Binding of Identity is inconsistent:

5.2: "The DID subject is the identifier that the DID Document is about, i.e., it is the DID described by DID Document." --> subject = the DID

5.4: "Authentication is the mechanism by which a DID subject can cryptographically prove that they are associated with a DID...the subject may wish to enable others to update their DID Document...thus be able to impersonate the subject" --> subject = person who owns the DID

I believe that 5.4 could be reworded to use the word "controller", and that this would resolve much of the inconsistency, so that's what I've done in this PR.

However, I also want to note that I find section 9.3.1 to be confusing, both before and after this PR--largely because I don't understand what entity is proving control. DIDs can't prove control; they're inert strings. A controller could prove control of a DID+DID Doc combination--but this requires use of a public key, which is described in section 9.3.2. So I'm left scratching my head a bit. This may mean that my PR is based on faulty understanding--but if so, it's a symptom that the language needs to be clarified, because I have read this carefully, several times, and I have a moderately deep understanding of the problem space, and I can't figure it out.

I apologize that my comment about section 9.3.1 isn't very actionable, and that it turns this comment into a bit of an issue instead of just a PR comment. I tried to turn my confusion into something actionable, but I'm not confident enough of what the section means to propose an edit of that part.

@peacekeeper @msporny @talltree

rhiaro commented 5 years ago

I agree that 5.2:

The DID subject is the identifier that the DID Document is about, i.e., it is the DID described by DID Document.

is confusing because the DID subject isn't the identifier is it? The attributes in the DID Document are not about that string, but about something identified by that string. I hesitate to use the word 'entity', but the intro (which I think was going to get a rework at some point and may not be authoritative text) says

the entity the DID identifies (aka the DID subject)

Unless this is a completely wrong interpretation of what DID Subject is, we could make 5.2 consistent with the intro, to say something like:

The DID Subject is the entity that the DID Document is about, i.e., it is the entity identified by the DID and described by the DID Document.

or hedging a bit:

The DID Subject is the what the DID Document is about, i.e., it is something which the DID identifies and is described by the DID Document.

And we could add the definition of DID Subject to Terminology as well.

peacekeeper commented 5 years ago

the DID subject isn't the identifier is it?

Fully agree with everything @rhiaro said, looks like we need to fix 5.2.

We spent several weeks discussing this, including the question what is it that the DID (URL) identifies. Just for reference, here is a summary of what we discussed back then (no need to repeat the details now).