did:tag Method Specification

Unofficial Draft

More details about this document
Latest published version:
none
Latest editor's draft:
https://github.com/bobwyman/did_method_tag/
History:
Commit history
Editor:
Bob Wyman (Self)
Author:
Bob Wyman (Self)
Feedback:
GitHub bobwyman/did_method_tag (pull requests, new issue, open issues)
public-credentials@w3.org with subject line [did-method-tag] … message topic … (archives)

Copyright © 2022 the document editors/authors. Text is available under the Creative Commons Attribution 4.0 International Public License; additional terms may apply.

Abstract

The did:tag DID method enables any controller of an HTTP accessible domain or subdomain, or of an email address, to create unique, interoperable, persistent DIDs with minimal dependencies on other technologies or systems. By leveraging a subset of the tagURI specification [RFC4151], the did:tag DID method enables the creation of DIDs which are "unique across space and time while being tractable to humans," without preventing the creation of DIDs which are largely intractable to humans. did:tag DIDs can be resolved either synchronously, via the web, or asynchronously, via email or other defined alternative resolution services.

Status of This Document

This document is a draft of a potential specification. It has no official standing of any kind and does not represent the support or consensus of any standards organization.

1. Introduction

The goal of this proposal is to go beyond the already good work done with other DID methods, particularly the did:web method, and address several issues for which satisfactory solutions are not already provided. The key issues addressed here include:

  1. The persistence of identifiers' uniqueness across time.
  2. Expanding the realm of DID issuers and resolvers to include all those who have an email addresses but may not have sufficient control over web resources to host web-accessible did documents.
  3. Asynchronous access to DID documents.
  4. The provision of alternative DID resolution mechanisms.

Persistence: It is generally accepted that ideal decentralized identifiers would be memorable, secure from misuse, and globally unique. But, an identifier should also not become less memorable as time passes, or less secure, or less likely to be unique. Thus, to the set of three basic naming qualities, we should add a fourth quality; that of persistence. [WYMANS-TETRAHEDRON]

Unfortunately, as Zooko Wilcox-O'Hearn [ZOOKOS-TRIANGLE] pointed out in 2001, it is not possible to simultaneously optimize all of the base qualities of decentralized identifiers. For example: identifiers may be secure, global, and even likely to remain so for quite some time, perhaps by using very long cryptographic hash functions to mint them, but such names are typically not very memorable, at least not by human beings. Thus, our process for creating names needs to incorporate a tradeoff between the various desirable attributes of ideal identifiers.

Web DIDs do a good job of addressing three of the desirable qualities of a decentralized identifier. [WEB-DID] The DID Document provides the data needed to make them secure, the ability to structure them with human readable components allows them to be memorable, and their linkage to DNS records provides an ability to ensure that they are unique by limiting the number of those who can mint them.

Example 1: A Web DID, memorable, unique, secure, but not persistent. 
did:web:example.com:user:alice

However, while an issuer of Web DIDs may work hard to ensure that duplicate DIDs are not issued, maintaining uniqueness over time can be challenging. A Web DID might be issued to a user named Alice in one year, but then Alice may cease to become a user in some future year. Once that happens, some new Alice may wish to have the simple, memorable identifier "user:alice," but be told that that identifier was issued to a long-gone user in some previous year. Alternatively, the new Alice may be assigned the name she desires, thus causing potential confusion for all those who once interacted with the old Alice. Of course, domains tend to change owners over time and a domain owner may not even be aware that there had once been another Alice.

These issues of identifier persistence were considered and addressed in the preparation of the IETF's tagURI scheme. [RFC4151] The solution was to define a scheme, very much like that used for Web DIDs, but with an added component that specifies a date during which the issuer of the identifier claims to have had authority to use the domain name incorporated within the name. Using tagURIs, it is becomes possible to create only slightly less memorable names for multiple Alice's at different times. For instance, the following are several possible tagURIs that might identify different Alice's without conflict. Each of these DID could be minted by a different issuer without a need to know of any earlier issuer who might have had authority to use the same domain name. Each of these DIDs might also have been minted by the same Alice -- although it would generally be preferred if users were consistent in the DIDs they use.

Example 2: tagURIs for several unique Alices 
tag:example.com,2000:user:alice
tag:example.com,2050:user:alice
tag:example.com,2090-10-15:user:alice
tag:example.com,2090-10-16:user:alice

In order to gain the benefits of persistence provided by tagURIs, this proposal describes a DID method that relies on tagURIs as its base rather than the web URLs which were the focus of the Web DID.

Enabling all to be issuers: Ideally, everyone would be able to generate useful DIDs without needing to rely on other issuers or needing to invest in complex technical capabilities such as those provided by virtue of obtaining a DNS domain name and operating a web site. Unfortunately, most existing DID methods assume that an issuer has ready access to capabilities that are not commanded by the vast majority of users. Even something as "simple" as registering domain name and maintaining a web site to host DID documents is far beyond the capacity of many. Nonetheless, individuals will often need to generate identifiers.

While only a small percentage of those who may need to issue DIDs maintain, or could maintain, their own web sites, almost every user of the Internet has a unique email address that can be used to exchange content with others. And, crude as it may seem, the email protocol provides much the same ability to engage in "request/response" exchanges as is provided by the HTTP and similar protocols. Thus, the needs of users without web sites could be addressed by providing a mechanism for minting DIDs from tagURIs which incorporate an email address rather than a domain name. For instance, the following are valid tagURIs incorporating email addresses:

Example 3: tagURIs using email addresses 
tag:john@example.com,2000:sender_key
tag:paul@example.com,2021:living_room_tv
tag:admin@example.com,2022:
tag:lookup@example.com,2022:vp_sales

Each of these tagURIs can be easily converted into a DID, using the tag method, by simply prepending the text did:.

The simplest way to support such email-based DIDs would be to define a resolution method that allows one to send an appropriately structured email message to the specified address. The appropriate response to such a message would be another email message containing the requested DID Document as an attachment. Such a system could be implemented by having custom software monitor and respond to messages sent to a particular email inbox. It could also be implemented using completely manual means. A "john@example.com" might receive a message with a subject of RESOLVE: did:tag:john@example.com,2000:sender_key and know that the desired response was an email with the corresponding DID document as an attachment. With only a little difficulty, the appropriate response could be prepared and sent.

Asynchronous Resolution: An email based DID resolution method, unlike a web-based method, allows asynchronous DID resolution. In some cases, the resolution might occur hours, days, even weeks after a resolution request was made. But, even a very slow response might actually be the fastest possible response. An asynchronous resolution capability would be particularly useful in environments when connectivity is difficult to maintain or where bandwidth is very slow. As an extreme example, it is very unlikely that one would be successful in using https to fetch a DID document from a web server in New York City if one were making the request from a habitat on Mars or one of its moons.

Alternative DID resolution mechanisms. Just as web addresses can sometimes be temporarily unavailable due to technical issues, a web address's availability is sometimes limited by local or regional administrative policy. One's employer, or one's government, might block web access to sites that traffic in either pornography or discussions of human rights and liberty. However, even though a user may be blocked from directly accessing a web site, and thus from resolving DIDs normally resolved by doing so, it is often the case that it is possible to exchange email with addresses on that site, if only because email doesn't require direct, point-to-point connections. Thus, it is useful to define a mechanism by which even a normally web-accessible DID document could be retrieved via indirect, asynchronous email protocols. In order to provide this mechanism, I propose that an ``AltResolution'' service be provided as a means to inform users of an alternative to web-based DID resolution that may be employed when web-based resolution is ineffective.

1.1 Preface

The tag DID method specification conforms to the requirements specified in the Decentralized Identifiers v1.0 Specification [DID-CORE]. For more information about DIDs and DID method specifications, please also see the [DID-PRIMER]

1.2 Conformance

As well as sections marked as non-normative, all authoring guidelines, diagrams, examples, and notes in this specification are non-normative. Everything else in this specification is normative.

The key words MUST and SHOULD in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.

1.3 Example DID doc with AltResolution

Example 4: Example did:tag DID document 
{
  "@context": "https://www.w3.org/ns/did/v1",
  "id": "did:tag:example.com,2021-10-26:Bob",
  "verificationMethod": [{
    "id": "did:tag:example.com,2021:faHiOpRlPVQcY_-tA4A",
    "type": "JsonWebKey2020", 
    "controller": "did:tag:example.com,2021:123",
    "publicKeyJwk": {
      "crv": "Ed25519", 
      "x": "VCpo2LMLhn6iWku8MKvSLg2ZAoC-nlOyPVQaO3FxVeQ", 
      "kty": "OKP", 
      "kid": "_Qq0UL2Fq651Q0Fjd6TvnYE-faHiOpRlPVQcY_-tA4A" 
    }
  }],
  "service": [{
    "id": "did:tag:example.com,2021:asynch",
    "type": "AltResolution",
    "serviceEndpoint": "mailto:did@example.com"
  }],
}

2. tag DID Method Specification

2.1 Target system

The target system of the tag DID method is either:

2.2 Method name

The namestring that shall identify this DID method is: tag. A DID that uses this method MUST begin with the following prefix: did:tag. Per the DID specification, this string MUST be in lowercase. The remainder of the DID, after the prefix, is specified below.

2.3 Method-specific identifier

The syntax of a did:tag method specific identifier is a subset of tagURI syntax as defined in [RFC4151]. The following constraints are applied in order to avoid conflict with DID URLs:

The modified and constrained abnf for tagURIs supported as components of DIDs using this method appears below: 

tag-did = "did:" tagURI_subset
tagURI_subset = "tag:" taggingEntity ":" specific
taggingEntity = authorityName "," date
authorityName = DNSname / emailAddress
date = year ["-" month ["-" day]]
year = 4DIGIT
month = 2DIGIT
day = 2DIGIT
DNSname = DNScomp *( "."  DNScomp ) ; see RFC 1035
DNScomp = alphaNum [*(alphaNum /"-") alphaNum]
emailAddress = 1*(alphaNum /"-"/"."/"_") "@" DNSname
alphaNum = DIGIT / ALPHA
specific = *( pchar / ":" ) ; pchar from RFC 3986
Issue 1: Internationalization

The tagURI syntax pchar definition prevents the use of some email addresses. This should be addressed. Ideally, allowed characters would include all those allowed by RFC 2822/5322, however, that would conflict with the DID specification which supports a smaller set of characters. The conflict could be resolved by requiring that all characters other than ALPHA, DIGIT, ".", and "-" must be %-encoded or otherwise escaped. While that may be a solution, it is not ideal.

Example 5: Example tag Method DIDs 
did:tag:example.com,2021:Alice
did:tag:example.com,2021:Bob
did:tag:example.com,2021:user:Alice
did:tag:www.example.com,2021:user:Alice
did:tag:example.com,2021-10-26:C2AVvLMv6gmMNam3uVAjZpfkcJCwD
did:tag:yaml.org,2002:int

did:tag:did@example.com,2021:Bob

2.4 DID method operations

2.4.1 Create (Register)

Creating a web-accessible DID is done by:

  1. applying at a domain name registrar for use of a domain name and, once that name has been registered,
  2. storing the location of a hosting service, the IP address at a DNS lookup service,
  3. creating the DID document JSON-LD file and storing the file under the domain's .well-known URL if it represents the entire domain, or under the specified path if many DIDs will be resolved in this domain.

For example, for the domain name www.example.com, the domain global DID document will be available under the following URL:

Example 6: Creating the web-accessible DID 
did:tag:www.example.com:
 -> https://www.example.com/.well-known/didtag.json

Because this DID contains no date element, it is read as equivalent to a similar DID that does include the current date and time.

If optional specific data is provided within the tagURI, the DID Document will be available under the specified path:

Example 7: Creating the web-accessible DID with optional specific data 
did:tag:www.example.com,2021:alice
 -> https://www.example.com/alice/didtag-2021.json

did:tag:www.example.com,2021-11-01:user:alice
 -> https://www.example.com/user/alice/didtag-2021-11-01.json

2.4.2 Read (Resolve)

2.4.2.1 Reading/Resolving a web-accessible DID

The following steps MUST be executed to resolve the DID document from a tag DID whose tagURI authorityName is a DNSname:

  1. Extract the DNSname from the tagURI component.
  2. Generate an HTTPS URL to the expected location of the DID document by prepending the DNSname with https://.
  3. If the tagURI contains no specific component, append /.well-known/ to the HTTPS URL.
  4. if the tagURI contains a specific component, replace all colons within it with slashes ('/') and append it to the HTTPS URL.
  5. Append didtag to the string.
  6. Append the date component to the string.
  7. Append .json to complete the URL.
  8. Perform an HTTP GET request to the URL using an agent that can successfully negotiate a secure HTTPS connection, which enforces the security requirements as described in 2.5 Security and privacy considerations.
When performing the DNS resolution during the HTTP GET request, the client SHOULD utilize [RFC8484] in order to prevent Man-in-the-middle attacks as well as to prevent tracking of the lookup.
2.4.2.2 Resolving a tag DID via email

The following steps MUST be executed to resolve the DID document for a tag DID whose tagURI authorityName is an emailAddress:

  1. Extract the emailAddress from the tagURI.
  2. Send an email message to the emailAddress with a subject line containing the string "RESOLVE: " prepended to the tag DID. (Note: The email may have an empty body or, alternatively, it might contain a message identifying the requester and explaining the reason for making the request.)
  3. If and when a response is delivered, the DID Document will be found in an attachment to the response.

A properly formatted email message might look like:

Example 8: An example email resolution request 
From: bob@example.com
To: alice@example.com
Subject: RESOLVE: did:tag:alice@example.com,2022:public_key

Alice, I'd like to be able to send you encrypted messages. Please
send the appropriate DID document as an attachment to your reply.
Yours,
bob
Issue 2: Email security

Should S/MIME [RFC8551], PGP [RFC4880], DIDComm, or some other means of sending and receiving signed email messages be identified or recommended? Should message encryption be encouraged?

2.4.3 Update

Please note that when a DID document is updated, the DID will remain the same, but the contents of the DID document will change, e.g., by including a new verification key or adding service endpoints.

Please note that this DID method does not specify any authentication or authorization mechanism for writing to the DID Document. It is left to implementations to protect DID documents from unauthorized modification.

2.4.4 Deactivate (Revoke)

To delete the DID document, it has to be removed or has to be rendered no longer publicly available due to some other means.

2.5 Security and privacy considerations

This section is non-normative.

TBD

2.5.1 DID resolution implies nothing about domain or service operator

When optional tagURI specific data is used to resolve DID documents rather than just a bare taggingEntity, verification with signed data proves that the entity in control of DID document has the private keys. It neither proves nor implies that the operator of the service identified by the authorityName has the private keys.

This example:

did:tag:example.com,2020:u:bob

resolves to the DID document at:

https://example.com/u/bob/didtag-2020.json

In this scenario, it is probable that example.com has given user Bob control over the DID document to which the DID resolves, and proofs of control refer to Bob rather than all of example.com.

2.5.2 DIDs are not exclusive

It is important to recognize that a single entity may have any number of DIDs that may or may not be functionally equivalent. There is also no implication that any one DID should be considered ``authoritative."

A. Reference implementations

This section is non-normative.

A reference implementation will be provided at some future time if there is any indication that doing so would be useful.

B. References

B.1 Normative references

[DID-CORE]
Decentralized Identifiers (DIDs) v1.0. Manu Sporny; Amy Guy; Markus Sabadello; Drummond Reed. W3C. 19 July 2022. W3C Recommendation. URL: https://www.w3.org/TR/did-core/
[RFC2119]
Key words for use in RFCs to Indicate Requirement Levels. S. Bradner. IETF. March 1997. Best Current Practice. URL: https://www.rfc-editor.org/rfc/rfc2119
[RFC4151]
The 'tag' URI Scheme. T. Kindberg; S. Hawke. IETF. October 2005. Informational. URL: https://www.rfc-editor.org/rfc/rfc4151
[RFC8174]
Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words. B. Leiba. IETF. May 2017. Best Current Practice. URL: https://www.rfc-editor.org/rfc/rfc8174
[RFC8484]
DNS Queries over HTTPS (DoH). P. Hoffman; P. McManus. IETF. October 2018. Proposed Standard. URL: https://www.rfc-editor.org/rfc/rfc8484

B.2 Informative references

[DID-PRIMER]
DID Primer. Drummond Reed; Manu Sporny. Rebooting the Web of Trust 2017. URL: https://github.com/WebOfTrustInfo/rebooting-the-web-of-trust-fall2017/blob/master/topics-and-advance-readings/did-primer.md
[RFC4880]
OpenPGP Message Format. J. Callas; L. Donnerhacke; H. Finney; D. Shaw; R. Thayer. IETF. November 2007. Proposed Standard. URL: https://www.rfc-editor.org/rfc/rfc4880
[RFC8551]
Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 4.0 Message Specification. J. Schaad; B. Ramsdell; S. Turner. IETF. April 2019. Proposed Standard. URL: https://www.rfc-editor.org/rfc/rfc8551
[WEB-DID]
did:web Method Specification. URL: https://w3c-ccg.github.io/did-method-web/
[WYMANS-TETRAHEDRON]
The Persistence of Identity (Updating Zooko's Pyramid). Bob Wyman. URL: https://web.archive.org/web/20160331154849/https://wyman.us/main/2006/12/the_persistence.html
[ZOOKOS-TRIANGLE]
Names: Distributed, Secure, Human-Readable: Choose Two. Zooko Wilcox-O'Hearn. URL: https://web.archive.org/web/20011020191610/http://zooko.com/distnames.html