This repository contains documents related to RWOT7, the seventh Rebooting the Web of Trust design workshop, which ran near Toronto, Canada, on September 26th to 28th, 2018. The goal of the workshop was to generate five technical white papers and/or proposals on topics decided by the group that would have the greatest impact on the future.
Please see the Web of Trust Info website for more information about our community. Watch for our next event March 1st-3rd in Barcelona, Spain.
The Bitcoin Reference (BTCR) DID method supports DIDs using the Bitcoin blockchain. This method has been under development through Rebooting Web of Trust events and hackathons over the past year. The BTCR method's reliance on the Bitcoin blockchain presents both advantages and design challenges. During RWOT7, the authors made a number of design and implementation decisions -- largely scope-cutting in nature -- in order to lock down a Minimum Viable Product (MVP) version, which we'll refer to as v0.1. This paper documents those decisions, which will apply to the upcoming v0.1 BTCR method specification and associated v0.1 BTCR reference implementation.
Shaun Conway, Andrew Hughes, Moses Ma, Jack Poole, Martin Riedel, Samuel M. Smith Ph.D., and Carsten Stöcker
The decentralized identifier (DID) is a new and open standard type of globally unique identifier that offers a model for lifetime-scope portable digital identity that does not depend on any centralized authority and that can never be taken away by third-parties. DIDs are supported by the W3C community and the Decentralized Identity Foundation (DIF). They are the "atomic units" of a new layer of decentralized identity infrastructure. However, DIDs can be extended from identifiers for people to any entity, thus identifying everything. We can use DIDs to help us identify and manage objects, machines, or agents through their digital twins; we can expand them to locations, to events, and even to pure data objects, which we refer to as decentralized autonomic data (DAD) items.
The paper will present novel use-cases for DIDs and DADs and propose a new cryptographic data structure that is a self-contained blockchain of DADs. This enables the verification of the provenance of a given data flow. It builds on a prior paper and an associated reading.
Mikerah Quintyne-Collins, Heather Vescent, Darrell O'Donnell, Greg Slepak, Michael Brown, Christoper Allen, Michael Ruther
Digital Credential Wallets (DCWs) are becoming more commonplace as more of our physical credentials become digital. In this paper, we provide requirements for digital credential wallet design, offer considerations for key management of DCWs, and go over several real-life use cases.
Engineers of identity systems, both digital and non-digital, have assumptions and requirements that often lead to fundamentally different ideas about useful solutions. One’s preferred use cases establish mental models tailored to those uses, which in turn shape discussion and engineering of identity systems. The differences between these mental models consistently cause confusion and disagreement when advocates of different models collaborate, often without the parties realizing that others may be speaking from a distinctly different, yet valid, notion of identity. Considering different mental models allows for constructive dialogue and reconciliation of requirements, creating opportunities to address a wider set of use cases and to build systems with better overall applicability and quality.
We present five distinct mental models observed in conversations among technologists and laypeople when discussing identity. We then discuss observed patterns of discussion and design that result from the intersection of some pairs of mental models. Finally, we close with guidance for incorporating all five mental models when evaluating or designing any real-world or digital-identity system. We propose that understanding and considering these different mental models will result in more fruitful collaboration and ultimately in better identity systems.
One of the major problems with bootstrapping self-sovereign identity is that it requires adoption by a large number of people. Pushing self-sovereign identity from the top-down is most likely to result in a technology that’s not actually used, but instead encouraging the average person to demand self-sovereign identity from the bottom-up will result in the organic development of a vibrant, well-utilized decentralized web-of-trust ecosystem.
This paper addresses that need by offering arguments to a variety of people who might be reluctant to use self-sovereign identity, uninterested in its possibilities, or oblivious to the dangers of centralization. By focusing on the needs of real people, we hope to also encourage developers, engineers, and software business owners to create the apps that will address their reluctance and fulfill their needs, making self-sovereign identity a reality.
Since the emergence of the Decentralized Identifier (DID) specification at the Fall 2016 Rebooting the Web of Trust [1], numerous DID method specifications have appeared. Each DID method specification defines how to resolve a cryptographically-tied DID document given a method-specific identifier. In this paper, we describe a way to represent the DID document as a content-addressed Merkle Directed Acyclic Graph (DAG) using Interplanetary Linked Data (IPLD). This technique enables more cost-efficient, scaleable creation of DIDs and can be applied across different DID method specifications.
Aunthenticity is a challenge for any identity solution. In the physical world, at least in America, it is not difficult to change one's identity. In the digital world, there is the problem of bots. The botnet detection market is expected to be worth over one billion USD by 2023, in a landscape where most digital activity is still heavily centralized. These centralized digital solutions have the advantage of being able to track IP addresses, request phone verification, and present CAPTCHAs to users in order to authenticate them. If this problem is so difficult to solve in the centralized world, how much more challenging will it be in the decentralized world, where none of these techniques are available?
In this paper, we explore the idea of using a web of trust as a tool to add authenticity to decentralized identifiers (DIDs). We define a framework for deriving relative trust degrees using a given trust metric: a "trustworthiness" score for a given identity from the perspective of another identity. It is our intent that this framework may be used as a starting point for an ongoing exploration of graph-based, decentralized trust. We believe this approach may ultimately be used as a foundation for decentralized reputation.
Currently, the Web provides a simple yet powerful mechanism for the dissemination of information via links. Unfortunately, there is no generalized mechanism that enables verifying that a fetched resource has been delivered without unexpected manipulation. Would it be possible to create an extensible and multipurpose cryptographic link that provides discoverability, integrity, and scheme agility?
This paper proposes a linking solution that decouples integrity information from link and resource syntaxes, enabling verification of any representation of a resource from any type of link. We call this approach Resource Integrity Proofs (RIPs). RIPs provide a succinct way to link to resources with cryptographically verifiable content integrity. RIPs can be combined with blockchain technology to create discoverable proofs of existence to off-chain resources.
In this paper we cover various scenarios where some or all parties have intermittent, unreliable, untrusted, insecure, or no network access, but require cryptographic verification (message protection and/or proofs). Furthermore, communications between the parties may be only via legacy voice channels. Applicable situations include marine, subterranean, remote expeditions, disaster areas, refugee camps, and high-security installations. This paper then recommends solutions for addressing offline deployments.
In advance of the design workshop, all participants produced a one-or-two page topic paper to be shared with the other attendees on either:
- A specific problem that they wanted to solve with a web-of-trust solution, and why current solutions (PGP or CA-based PKI) can't address the problem?
- A specific solution related to the web-of-trust that you'd like others to use or contribute to?
Here are the advanced readings to date:
- Addressing Global/Local Barriers to Adoption of Decentralized Identity Systems by Eric Brown
- Agent to Agent Communication Protocol Overview by Kyle Den Hartog
- Blockcerts -- Where we are and what's next by Kim Hamilton Duffy, Anthony Ronning, Lucas Parker, and Peter Scott
- Can Curation Markets Establish a Sustainable Technology Commons by Sam Chase
- CapAuth by Manu Sporny, Dave Longley, Chris Webber, and Ganesh Annan
- A Concept Diagram For RWOT Identity Terms by Andrew Hughes
- Cryptocurrency Wallets as a Form of Functional Identity by Mikerah Quintyne-Collins and Abdulwasay Mehar
- Decentralized Error Reporting by Jack Poole
- Decentralized Identities and eIDAS by Oliver Terbu
- Decentralized Identity: Hub Authentication & Message Encryption by Daniel Buchner
- DIDDoc Conventions for Interoperability by Stephen Curran & Olena Mitovska
- DIDs In DPKI by Greg Slepak
- DID Resolution Topics by Markus Sabadello
- Digital Identity for the Homeless by Matthew Wong, T. Tian & CG Chen
- Exploring Browser Web of Trust Use Cases by Peter Snyder and Ben Livshits
- Five Mental Models of Identity by Joe Andrieu
- Identity Hub Permissions / Authorization by Daniel Buchner
- IPLD as a general pattern for DID Documents by Christian Lundkvist
- Is a Decentralized Collective Identity Possible? by Heather Vescent
- Magenc Magnet URIs: Secure Object Permanence for the Web by Christopher Lemmer Webber
- Measuring Trust by Tyler Yasaka
- More Control for Identity Holders by Arturo Manzaneda and Ismenia Galvao
- Nobody REALLY Trusts the Blockchain by Dan Burnett, Shahan Khatchadourian, and Chaals Nevile
- Not-a-Bot: A Use Case for Decentralized Identity using Proximity Verification to generate a Web of Trust by Moses Ma & Claire Rumore
- The Political Economy of Naming by Kate Sills
- A Public Web of Trust of Public Identities by Ouri Poupko and Ehud Shapiro
- Resource Integrity Proofs by Ganesh Annan, Manu Sporny, Dave Longley, and David Lehn
- RWoT Tribal Knowledge: Cryptographic and Data Model Requirements by Manu Sporny, Dave Longley, and Chris Webber
- The Role of Standards in Accelerating Innovation by Michael B. Jones
- Scoped Presentation Request on Verifiable Credentials by Martin Riedel
- Secure Crypto-Wallet Introductions by Wolf McNally, Ryan Grant
- Standards for Agency and Decentralized Information Governance - Early Experience by Adrian Gropper, MD, Michael Chen, MD, and Lydia Fazzio, MD
- Towards Proof of Person by Peter Watts
- A Trustless Web-of-Trust by Ouri Poupko
- The United Humans by Bohdan Andriyiv
- Verifiable Displays by Kim Hamilton Duffy, Bohdan Andriyiv, and Lucas Parker
- Verifiable Offline Credentials by Michael Lodder
- What (and Who) Is In Your Wallet by Darrell O'Donnell
- Digital Identity for the Homeless by Matthew Wong, T. Tian & CG Chen
- Zero Trust Computing with DIDs and DADs by Samuel M. Smith
These primers overview major topics which are likely to be discussed at the design workshop. If you read nothing else, read these. (But really, read as much as you can!)
- DID Primer — Decentralized Identifiers (extended version also available)
- Functional Identity Primer — A different way to look at identity
- Verifiable Credentials Primer — the project formerly known as Verifiable Claims
- DIDs In DPKI - how DIDs fit into Decentralized Public-key Infrastructure
A different repository is available for each of the Rebooting the Web of Trust design workshops:
- Rebooting the Web of Trust I: San Francisco (November 2015)
- Rebooting the Web of Trust II: ID2020 (May 2016)
- Rebooting the Web of Trust III: San Francisco (October 2016)
- Rebooting the Web of Trust IV: Paris (April 2017)
- Rebooting the Web of Trust V: Boston (October 2017)
- Rebooting the Web of Trust VI: Santa Barbara (March 2018)
- Rebooting the Web of Trust VII: Toronto (September 2018)
- Rebooting the Web of Trust VIII: Barcelona (March 2019)
- Rebooting the Web of Trust IX: Prague (September 2019)
- Rebooting the Web of Trust X: Buenos Aires (March 2020)
- Rebooting the Web of Trust XI: Netherlands (September 2022)
All of the contents of this directory are licensed Creative Commons CC-BY their contributors.