-
Notifications
You must be signed in to change notification settings - Fork 16
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add language about correlation risk to individuals #9
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks! This more or less address #6 I think.
enables the DID Method registry to know when and where every did:web DID on the | ||
ledger is used, which is useful when tracking behaviour of the DID subject. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What is "DID method registry" in this context? Does that mean the server which hosts the DID doc? I'd change the language to avoid confusion with this DID method registry. We could say "Verifiable Data Registry" to be consistent with the DID Core spec?
In this case I also wouldn't use the word "ledger" here.
(I haven't reviewed the rest of the spec to make sure language aligns with the latest in DID Core, so I'll do that too.)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
+1 to using the term VDR.
enables the DID Method registry to know when and where every did:web DID on the | ||
ledger is used, which is useful when tracking behaviour of the DID subject. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
enables the DID Method registry to know when and where every did:web DID on the | |
ledger is used, which is useful when tracking behaviour of the DID subject. | |
enables the DID Method registry to know when and where every did:web DID on the | |
ledger is used, which enables anyone with access to the sever to track behaviour of the DID subject. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Minor typo with 'sever'
for individuals from a privacy perspective. | ||
|
||
It is strongly advised that a privacy violation will occur if this DID Method | ||
is used for DIDs where the DID subject requires privacy. Examples of |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
is used for DIDs where the DID subject requires privacy. Examples of | |
is used for DIDs where the DID subject requires privacy and the Verifiable Data Registry infrastructure (e.g. the domain name and Web server) is not under direct and exclusive control of the DID subject. Examples of |
and website-issued DIDs to people that are not in control of the website | ||
infrastructure. | ||
|
||
To put a finer point on the privacy concerns of this particular DID Method. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
To put a finer point on the privacy concerns of this particular DID Method. |
(this doesn't stand on its own as a sentence)
It is strongly advised that governments and corporations strongly advise | ||
individuals pick a DID Method that is more auditable and privacy-preserving | ||
than this DID Method. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It is strongly advised that governments and corporations strongly advise | |
individuals pick a DID Method that is more auditable and privacy-preserving | |
than this DID Method. | |
It is strongly advised that individuals do not use this DID method unless they have absolute confidence in their control over the underlying infrastructure of the implementation; that is, that the individual controls and has access to the domain name and Web server being used. It is strongly advised that individuals do not agree to or make use of a did:web DID that is issued on their behalf by a centralized authority which can control the underlying infrastructure without notice or auditability. | |
It is strongly advised that where governments and corporations need to issue DIDs for individuals (as opposed to companies, departments or assets for example) they use a DID method that is more auditable and privacy-preserving than did:web. | |
individuals pick a DID Method that is more auditable and privacy-preserving | |
than this DID Method. |
@msporny +1 to this PR overall (we've been meaning to add this section for a while). We should get more specific with the warnings, though.
The "when and where every did:web DID ... is used" is not quite right. We should say something more like: "For example, the verification of a Verifiable Presentation might result in a verifier resolving a did:web DID. As with any HTTP request, this resolution enables the Verifiable Data Registry (the server where the DID is hosted) to track a number of things, both about the verifier and the DID itself. (Incidentally, these concerns apply to any DID methods accessed through an http-based Universal Resolver of any sort hosted on a public website.) DID:
Verifier:
|
unclear what changes need to be accepted to see this merged. |
PR is stale and should be closed. |
Yes, it's stale. If we close this, the text should be preserved and integrated into the new spec. |
This PR should be closed if the requested changes cannot be implemented in a timely manner. @dmitrizagidulin @awoie I recommend adding a "pending-close" / 1 week tag. |
@msporny this PR has conflicts and changes requested, if they are not addressed in 1 week it will be closed, if you wish for these concerns to be addressed, please open issues to track them. |
Closing the PR, feel free to open another one at any time. |
No description provided.