Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Update Verification Method Revocation section. #742
Update Verification Method Revocation section. #742
Changes from 1 commit
39c64dc
365e0b3
File filter
Filter by extension
Conversations
Jump to
There are no files selected for viewing
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I believe I understand the intent of this sentence, and agree 100% with it. However, I think this sentence is very hard to parse, because of ambiguity in the phrase "applies only to the latest version." I suggest this be reworded to something along the lines of "Verification method revocation can only be embodied in changes to the latest version of a DID document; it cannot retroactively adjust previous versions."
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I disagree with this summary of the semantics of revocation. Previous text in this same section says that revocation can take place immediately after a key rotation to prevent the rotated key from a future compromise. This is at odds with the sentence here, which claims that revocation is understood as communicating doubt about the current security of the method.
Revocation does not always imply a belief that existing proofs or signatures might have been created by an attacker. Rather, it always implies an intention that future proofs or signatures shall not be creatable by an attacker, and it may or may not also imply a concern that existing proofs or signatures are suspect.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This was dealt with by a set of changes that @dlongley put forward, which were then agreed to by @dhh1128 and then merged.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is at odds with the sentence that says that all DID methods support removing a method from a DID document as a form of revocation.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I suggested a few words to remedy this above.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I like the suggestion.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I disagree with the phrase "only safe interpretation" -- because it implies that retroactive cancellation is safe. It isn't. Just like unwise use of revocation when the two constraining safety conditions (knowing when the cryptographic statement was made, and knowing what the state of the DID doc at that instant were) rewrites history, interpreting revocation to apply backward in time ALSO REWRITES HISTORY; the difference is that it rewrites that history to maximize protections for the controller instead of rewriting it to maximize protections for the recipients of cryptographically signed assertions. Either way, there's still a winner and a loser -- a protected party and a party treated cavalierly.
I do agree (strongly) with the third sentence, "DID ecosystems that take this approach..." What I would suggest as a revision would be to say, "When this is true, or when the state of a DID at the time of a cryptographically verifiable statement cannot be reliably determined, then the only safe course is to disallow any consideration DID state with respect to time, except the present moment. DID ecosystems that take this approach..."
What I am trying to do with this revision is to remove the phrase "apply both forward and backward in time" in its link to safety -- because I think describing it that way is problematic.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I agree with this content in its narrow sense, but I don't like how it gives the impression (by focusing only on trustless systems) that the only way to achieve trust is to provide all these properties as part of the cryptographic inputs. The date that a mortgage was signed may not be part of the cryptographic inputs to a verifiable statement, and yet it may be possible to achieve full trust, by deciding that metadata about the event from some other source (e.g., banking records, independent witnesses) is also reliable. In fact, this is likely to happen in a courtroom in many scenarios: metadata from many sources will be evaluated and accepted/rejected.
My suggestion is to add an extra paragraph right after the </ul> that says something like: "In systems that are willing to admit metadata other than those constituting cryptographic input, similar trust may be achieved -- but always on the same basis (making a careful judgment about whether a DID document's content at the moment of a signing event authorized the verification method)."
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I added a minor variation of your language to the specification here: https://github.com/w3c/did-core/pull/742/files#diff-0eb547304658805aad788d320f10bf1f292797b5e6d745a3bf617584da017051R4839