docs: compose the ADR for DID-linked resources. ATL-3186 [skip-ci] #518
Conversation
yshyn-iohk
force-pushed
the
ATL-3186-ADR-DID-linked-resources
branch
from
372518e
to
cd25afc
Compare
|
Atala PRISM Code Coverage
Minimum allowed coverage is Generated by 🐒 cobertura-action against 9df4dc8 |
There was a problem hiding this comment.
Awesome work @yshyn-iohk!
I actually learned a lot on the subject while reviewing this ADR. Thanks 🙏
| - Provide a concrete proposal for what we would like to implement for PRISM. | ||
| - Provide a generic way of storing and linking the resources for the DID in the PRISM platform. | ||
|
|
||
| Cheqd's approach for linking the resources to the DID is not a part of the current version of DID specification. Even if it's possible to find some information about `linkedResources` and `linkedResourceMetadata` optional field of the DIDDoc, it looks like the current decision is |
There was a problem hiding this comment.
It would be helpful to have direct links to the specs where linkedResource and linkedResourceMetadata are mentioned.
Also, seems the end of the sentence is missing here.
There was a problem hiding this comment.
I'm not sure this sentence should be here, I think it is out of place, and I can't quite figure out what it has to do with "Target"
There was a problem hiding this comment.
@bvoiturier, as I told, it's not a part of the did-core spec, but if you ask ChatGPT to describe you the usage of the linkedResources fields, it points to the did-code v1.0.1
what part of the DID core specification describes the usage of the fields linkedResource?
ChatGPT
The linkedResources field is not defined in the original DID core specification (v1.0), but it is introduced in the DID core specification v1.0.1.
Specifically, section 5.4.4 of the DID core specification v1.0.1 defines the linkedResources field as an optional field that can be included in a DID document. The section describes the purpose of the linkedResources field as follows:
"The linkedResources property expresses relationships between a DID and external resources, such as public keys, verification methods, or other data types. These resources can be described in separate documents or be directly included as part of the DID document."
The section provides more detailed information on the structure of the linkedResources field, including the required and optional fields for each linked resource object.
It is worth noting that the DID core specification v1.0.1 is an update to the original DID core specification (v1.0) and includes several improvements and clarifications based on feedback from the community. The linkedResources field is one of the additions in the updated specification.
There was a problem hiding this comment.
I moved the sentence to the section with Cheqd's solution.
|
|
||
| ## Context and Problem Statement | ||
|
|
||
| Atala Prism platform must be able to store and distribute the various resources such as credential schemas, logos, revocation status lists, and documents (aka any text, JSON, images, etc) |
There was a problem hiding this comment.
To be exhaustive, I would add schema definitions, credential definitions, and revocation registry definitions that are required by AnonCreds.
I would clearly state that we want to leverage this DID-linked resource dereferencing mechanism as a global solution covering all our VDR needs (JWT VC, AnonCreds VC, VC schema, revocation, etc.)
There was a problem hiding this comment.
part of the described data, such as images or logos, is something that may be fine to live in servers or client app side, and are likely not treated in the same way as credential or schema definitions
There was a problem hiding this comment.
In the scope of the Jira ticket, the task was to define the general way of storing the resources.
But the primary intention is to be prepared for AnonCreds integration.
So, I can reduce the scope to the AnonCreds entities: credential schema and credential definition, but the approach will be the same, and it will be possible to extend it to other type of small resources.
|
|
||
| While DLT and IPFS are designed for scalability, they can still face issues with scalability when it comes to storing SSI resources. As more users store their SSI resources on these platforms, it can become more difficult to scale the infrastructure to handle the increased demand. | ||
|
|
||
| DLT and IPFS and other decentralized storages should not be considered for storing large collections of resources. For these cases, the hybrid solutions should be considered when the payload of the resource is stored off-chain and the hash for the resource is stored on-chain. |
There was a problem hiding this comment.
Not sure I understand it correctly. IPFS would be a viable solution for storing a single large file (5Gb), but not for storing a large collection of files?
There was a problem hiding this comment.
Agree. I will remove these two statements.
The main message concerns the general approach for storing the resources in DLT and IPFS. You always need to spin up the additional infrastructure for DLT and IPFS.
| - by signing the payload with one of the DID's keys or | ||
| - by publishing the resource metadata that contains the information about the resource (id, type, name, media type, hash) on-chain or | ||
| - for the resource that is less than the blockchain limitation (up to 64KB) by publishing the resource together with the hash, and/or signature | ||
| - the resource can be stored in the cloud storage - PostgreSQL database - for indexing and lookup API |
There was a problem hiding this comment.
On the above paragraph about resource integrity/trust, my feeling is that we will end-up reimplementing what is described in the ToIP specification in terms of Linked Resource Metadata.
We agree that we need a way to prevent resource content tampering. Signing the resource content with the DID key would work, but means that a client dereferencing the resource would get a payload which is proprietary to Atala PRISM (raw data + proof metadata) - except for Credential Schemas that natively contain a proof attribute. As you say, another possibility is to publish resource metadata, including hash/checksum, on-chain, but this is precisely what the ToIP specification proposes, right?
There was a problem hiding this comment.
Yes it does, ToIP spec defines the resource that is stored in DLT and resource metadata that is stored in DID document that is also published on-chain.
There was a problem hiding this comment.
in this option, we don't need to store the resource metadata together with the DID document.
instead of this, the resource owner must create the DID URL that will be used by other SSI systems.
|
|
||
| Known limitations for concrete decentralized storage: | ||
| - Cardano blockchain (the resource is stored in the metadata space of the Tx): up to 64KB | ||
| - Cheqd blockchain: up to 32KB |
There was a problem hiding this comment.
Where did this idea come from? why would we add yet another blockchain in our stack, if we already have Cardano metadata and on top of that it can store more data
There was a problem hiding this comment.
@shotexa, this ADR describes the existing options that can be implemented using the Cardano blockchain.
We are not going to introduce another blockchain to our stack.
| - Security - resources must be stored in the reliable tamper-proof storage | ||
| - Immutability - resource must be immutable |
There was a problem hiding this comment.
what is the difference between these two? tamper proof means that the content cannot be altered without detection already
There was a problem hiding this comment.
You are right.
immutability is one of the ways to guarantee the security and tamper-proof capability of the resource.
I will remove it for clarify
| - Decentralization - resources must be stored in decentralized storage | ||
| - Security - resources must be stored in the reliable tamper-proof storage | ||
| - Immutability - resource must be immutable | ||
| - Versioning - it should be possible to track the versioning of the resource |
There was a problem hiding this comment.
isn't this contradicting that the resources are immutable? Maybe the language of this list should be refined
There was a problem hiding this comment.
Honestly, I would reconsider the versioning to be the decision maker for this ADR.
versioning is a label or piece of metadata attached to the resource, and it's not essential for making the final decision.
So, if version is a required part of the credential schema, it doesn't mean that it's essential to the SSI ecosystem that there is a previous or next version of the particular resource. Usually, the issuer knows which version is required for the specific case. Other SSI systems should be able to dereference the resource the issuer distributes.
I will remove it.
| All decentralized storage (DLT or IPFS) has storage limitations, and the amount of data that can be stored is limited by the available storage capacity and the way how the resources are stored. | ||
|
|
||
| Known limitations for concrete decentralized storage: | ||
| - Cardano blockchain (the resource is stored in the metadata space of the Tx): up to 64KB |
There was a problem hiding this comment.
the current transaction size limit is 16Kb if I am not mistaken. And I think that blocks have been extended to 80Kb. Details aside, one could "fragment" the data if needed
However, what I would describe as the issue is not exactly max size limits, the inconvenience is the throughput (bytes we can insert to storage per unit of time), latency (multi-second time per insert) and cost (each insertion cost fees)
| Known limitations for concrete decentralized storage: | ||
| - Cardano blockchain (the resource is stored in the metadata space of the Tx): up to 64KB | ||
| - Cheqd blockchain: up to 32KB | ||
| - IPFS: up to 5GB (Go SDK is limited by 255MB by default per file) |
There was a problem hiding this comment.
for IPFS, the challenge I would describe is providing incentives to store the data. One could use a distributed hash table (DHT) (IPFS's basic underlying structure) as a protocol to share/query files. The challenge is how to give incentives to people to store the data. If one does not pay to "pin" files in IPFS, they are actually garbage collected
We could discuss ways to use IPFS and provide incentives, but lets avoid doing this in this thread, I just wanted to highlight the challenge of using DHTs
| - Merkle Tree DAG | ||
| - documentation in the markdown format |
There was a problem hiding this comment.
what is the merkle tree DAG? what are these two needed for? and who would construct them?
There was a problem hiding this comment.
Sorry for the inconsistency, I meant Merkle Tree. I will fix it.
a Merkle DAG is a more general structure that can handle non-binary structures and has nodes with multiple parents
| - the resource is published and indexed by the managed VDR layer (prism-node) | ||
| - the resource is available via REST API & SDK for the product-level applications | ||
| - the resource is dereferenced via the DID URL in the DID resolver | ||
| - the changes to the PRISM DID method are minimal or even not required |
There was a problem hiding this comment.
well, I am not entirely sure about this
First we need to implement information encoding, operations and then both post and index them. This is only on node side
Then, I am not sure what logic we need to add to node/castor to provide the dereferencing logic, not if we need to add this to the spec
There was a problem hiding this comment.
I think you are right.
We need to do the following things:
- add the section about DID-linked resource dereferencing to the DID method.
- implement the encoding and decoding login in the
prism-node - implement the resource indexing logic and REST API in the Pollux and
- the DID URL dereferencing logic in the DID PRISM resolver
There was a problem hiding this comment.
this is a very good document gathering information from multiple places. Great work @yshyn-iohk
I added some comments, and share most of the questions asked by @bvoiturier
yshyn-iohk
force-pushed
the
ATL-3186-ADR-DID-linked-resources
branch
from
05886da
to
2f3efe2
Compare
yshyn-iohk
changed the title
yshyn-iohk
changed the title
…repo subject to the Developer Certificate of Origin (DCO), Version 1.1. 81a2ad9 docs: removed secret-storage from the Tutorials section. (#559) [skip-ci] 130abbd docs: fix secret storage documentation page (#556) 4f413a3 docs: add secret management documentation [skip-ci] (#542) 885870d Fix ATL-4830 verification policies update (#549) f6d1fd4 docs: compose the ADR for DID-linked resources. ATL-3186 [skip-ci] (#518) dc54af8 docs: ADR for data isolation for multi-tenancy (#531) 357273d docs: ADR for HD key derivation in the PRISM v2 (#529) 64b0a2a fix(prism-agent): Alight the error responses according to RFC7807. ATL-3962 (#480) 7fa2e1a fix(prism-agent) Align VerificationPolicy OAS ATL-3909 (#473) 8d42fb1 fix: update mercury to 0.21.0 979b609 chore: update mercury dependency to 0.21.0 (#458) d3a8d15 feat(prism-agent) update schema logic - agent part. ATL-3164 (#452) 6e22bfc feat(pollux): update credential schema logic (#450) ATL-3164 68b8e4a docs: credential schema introduction, creation, update, and delete. ATL-3548 (#443) 91902ce feat(prism-agent): Add OAS specification to the schema registry endpoint. ATL-3164 (#438) 32f9e83 feat(prism-agent): CredentialSchema DAL, model, service and repositor… (#425) 79352f0 feat(pollux): CredentialSchema DAL, model, service and repository #2 (#424) 6e941da docs(pollux): add credential-schema.md to docusaurus (#407) ffa5f7e feat(pollux): CredentialSchema service, repository and sql (#416) c96f804 doc(pollux): verification policy documentation (#384) 1e47ba1 doc(pollux): add schema registry documentation. ATL-1334 (#296) 142ff55 feat(prism-agent): integrate VerificationPolicy DAL into the agent, update OAS and implement REST API for verification policies (#369) b290a18 feat(pollux): implement the DAL for CRUD on the verifiable policy entity. ATL-2478 (#368) edaab33 docs: ADR Quill library for sql statement generation (#318) 3d0c642 feat(prism-agent): implement DAL for the credential schema. ATL-1334 e0831e8 feat(pollux): fix the lookup count in the credential schema DAL (#315) f43320f feat(pollux): add dal for the credential schema ATL-1342 (#298) 6903afa fix(prism-agent): switch datetime format to offsetdatetime. ATL-2723 (#243) e13a1bd fix(connect): bump mercury version to 1.10.1 and touch README.md ee27755 fix(pollux): upgrade mercury lib to 1.10.1 cdd4772 fix(castor): README.md is added to increase the version of the castor library 5ffb0cc fix(mercury): simple commit to increase the version of mercury library 403eb38 feat(prism-agent): verification policies pagination. ATL-1334 (#205) 726e2d9 feat(prism-agent): implement pagination with navigation for schema-registry (#195) 4528c57 feat(pollux): alight the OAS for schema registry (#189) 16d5fdb feat(pollux): cleanup the code of IssueCredentialApi 79170f8 feat(pollux): cleanup the OAS from Issue Credentials and other unused tags d75b36b feat(pollux): schema registry lookup and verification policies REST API ATL-1334 (#168) b3cf828 feat(apollo): add schema registry to the agent using Tapir library. ATL-1334 (#94) 8d8bf56 doc(adr): use Tapir library as a DLS for OAS (#51) 496337b ATL-1334 feat(pollux): add sandbox project to play with Tapir and schema-registry (#62) 95667ba doc(pollux): add JWT encoding and Present Proof endpoints (#37) 234bc06 [ATL-1388] doc(pollux): add Revocation Registry API, remove v1 from the path, apply changes after review (#14) e47242c [ATL-1001] doc: add examples of OpenAPI specification of well-known competitors (#23) 22e37cf doc(pollux): add Pollux open-api specification (schema and issue-credentials) (#8) Signed-off-by: Yurii Shynbuiev <yurii.shynbuiev@iohk.io>
…repo subject to the Developer Certificate of Origin (DCO), Version 1.1. 81a2ad9 docs: removed secret-storage from the Tutorials section. (#559) [skip-ci] 130abbd docs: fix secret storage documentation page (#556) 4f413a3 docs: add secret management documentation [skip-ci] (#542) 885870d Fix ATL-4830 verification policies update (#549) f6d1fd4 docs: compose the ADR for DID-linked resources. ATL-3186 [skip-ci] (#518) dc54af8 docs: ADR for data isolation for multi-tenancy (#531) 357273d docs: ADR for HD key derivation in the PRISM v2 (#529) 64b0a2a fix(prism-agent): Alight the error responses according to RFC7807. ATL-3962 (#480) 7fa2e1a fix(prism-agent) Align VerificationPolicy OAS ATL-3909 (#473) 8d42fb1 fix: update mercury to 0.21.0 979b609 chore: update mercury dependency to 0.21.0 (#458) d3a8d15 feat(prism-agent) update schema logic - agent part. ATL-3164 (#452) 6e22bfc feat(pollux): update credential schema logic (#450) ATL-3164 68b8e4a docs: credential schema introduction, creation, update, and delete. ATL-3548 (#443) 91902ce feat(prism-agent): Add OAS specification to the schema registry endpoint. ATL-3164 (#438) 32f9e83 feat(prism-agent): CredentialSchema DAL, model, service and repositor… (#425) 79352f0 feat(pollux): CredentialSchema DAL, model, service and repository #2 (#424) 6e941da docs(pollux): add credential-schema.md to docusaurus (#407) ffa5f7e feat(pollux): CredentialSchema service, repository and sql (#416) c96f804 doc(pollux): verification policy documentation (#384) 1e47ba1 doc(pollux): add schema registry documentation. ATL-1334 (#296) 142ff55 feat(prism-agent): integrate VerificationPolicy DAL into the agent, update OAS and implement REST API for verification policies (#369) b290a18 feat(pollux): implement the DAL for CRUD on the verifiable policy entity. ATL-2478 (#368) edaab33 docs: ADR Quill library for sql statement generation (#318) 3d0c642 feat(prism-agent): implement DAL for the credential schema. ATL-1334 e0831e8 feat(pollux): fix the lookup count in the credential schema DAL (#315) f43320f feat(pollux): add dal for the credential schema ATL-1342 (#298) 6903afa fix(prism-agent): switch datetime format to offsetdatetime. ATL-2723 (#243) e13a1bd fix(connect): bump mercury version to 1.10.1 and touch README.md ee27755 fix(pollux): upgrade mercury lib to 1.10.1 cdd4772 fix(castor): README.md is added to increase the version of the castor library 5ffb0cc fix(mercury): simple commit to increase the version of mercury library 403eb38 feat(prism-agent): verification policies pagination. ATL-1334 (#205) 726e2d9 feat(prism-agent): implement pagination with navigation for schema-registry (#195) 4528c57 feat(pollux): alight the OAS for schema registry (#189) 16d5fdb feat(pollux): cleanup the code of IssueCredentialApi 79170f8 feat(pollux): cleanup the OAS from Issue Credentials and other unused tags d75b36b feat(pollux): schema registry lookup and verification policies REST API ATL-1334 (#168) b3cf828 feat(apollo): add schema registry to the agent using Tapir library. ATL-1334 (#94) 8d8bf56 doc(adr): use Tapir library as a DLS for OAS (#51) 496337b ATL-1334 feat(pollux): add sandbox project to play with Tapir and schema-registry (#62) 95667ba doc(pollux): add JWT encoding and Present Proof endpoints (#37) 234bc06 [ATL-1388] doc(pollux): add Revocation Registry API, remove v1 from the path, apply changes after review (#14) e47242c [ATL-1001] doc: add examples of OpenAPI specification of well-known competitors (#23) 22e37cf doc(pollux): add Pollux open-api specification (schema and issue-credentials) (#8) Signed-off-by: Yurii Shynbuiev <yurii.shynbuiev@iohk.io>
Overview
Fixes ATL-3186
https://hackmd.io/@YuriiShynbuievIOHK/BkqWWk2zh - for reading
Checklist
My PR contains...
My changes...
Documentation
Tests