add representation property

[talltree]

Signed-off-by: Drummond Reed [email protected]

---

Preview | Diff

[talltree]

While I would normally propose two new properties into two separate PRs, @brentzundel wisely suggested that both of these fit neatly as subsections of DID Subject under Core Properties. So I submitted them as one PR.

A suggestion to commenters: put sameAs or representation at the start of your comment so as to make it clear which property you are commenting on.

The representation property addresses issue #199 . Note that the PR references a proposed Appendix A that I will submit (hopefully tomorrow)as a separate PR.

The sameAs property addresses the need to able to assert semantic equivalence of two or more DIDs (i.e., that they all identify the same DID subject). This has been an issue since we put it in the Future Work section 3+ years ago. More recently it has been raised by @OR13 and @peacekeeper.

[iherman]

Reading the text with my Semantic Web hat on, the immediate question is "is this sameAs THE sameAs?". Ie, does the DID JSON-LD context map this term to owl:sameAs (just like type is mapped on rdf:type)?

I presume the answer is (or should be) 'no': it is a term defined for the sole usage in DID Documents for DID subjects. (E.g., I presume it is not acceptable to use sameAs to connect, say, key identifiers.) But, I believe, it is worth making this very explicit in the document to avoid people like me asking stupid questions...

(One could bikeshed on whether the term sameAs is, under the circumstances, a judicious choice for the aforementioned reasons. But it is difficult to find a better one.)

[OR13]

we might want to relax this to be a URI...

did:example:123 owl:sameAs https://example.com/person/456

[talltree]

@OR13 Per the other discussions on this topic, I changed the property name to sameSubject. For reasons I will explain in a new Appendix I am composing, I favor keeping the value of sameSubject restricted to DIDs.

[OR13]

is this a URI? I would expect application/json, application/ld+json... prefer to see examples here.

[talltree]

@OR13 Yes, that's a relative URI. I updated the PR to include your suggestion that the value SHOULD come from the IANA media type registry.

[msporny]

I think @OR13 is stating that using type is the wrong property to use here?

[OR13]

This is excellent, I think we need to discuss:

1. should sameAs work with any IRI (I suggest yes).
2. should type be a value from this list: https://www.iana.org/assignments/media-types/media-types.xhtml

[msporny]

There is a very long discussion happening over here that should be taken into account in this PR -- w3c-ccg/security-vocab#45

I think there is general consensus to support limited "alsoKnownAs" use cases. I will argue very strongly against "owl:sameAs" use cases as I'm almost positive that they violate large swaths of the DID security model... we're playing with fire here. Just calling that out.

[OR13]

I obviously disagree, see the comment manu linked :)

From the charter:

Recommend a data model and syntax(es) for the expression of Decentralized Identifier Documents, including one or more core vocabularies.

Not everyone thinks about linked data the same way... and there is absolutely nothing wrong with using OWL with DIDs... every triple in an RDF representation of a DID Document has the same security issues.... there is nothing different about sameAs... except that its from a vocabulary set thats already widely used...

all the statements about a subject in a did document are the same kind of thing... statements... made by a controller.

did:example:123 capabilityInvocation did:example:123#456
did:example:123 ccg:alsoKnownAs https://twitter.com/@Lord_Voldemort7
did:example:123 owl:sameAs https://twitter.com/@Lord_Voldemort7

Each of these is only as "trustworthy" as the DID Method + the DID Controller's opsec... anyone can claim anything in their decentralized identity document... thats the whole point of being free...

We are not "Solving Identity" on the Web... we can't make statements like "did:example:123 is/is not provably lord voldemort"... and we can't stop did:example:123 from claiming to be a dog, or a software package.... we can recommend for or against it...

I'm in favor of running towards this problem by using OWL, and addressing this issue directly, not creating a new kind of equivalence... which is again only as trustworthy as the controller and did method.

If my use case is I want to use OWL with DIDs... does my using owl:sameAs prevent you from using ccg:alsoKnownAs ?

AFAIK, this might be the first DID Document JSON-LD vocabulary term that is not primarily defined and maintained by the W3C CCG.

Its also fundamental to the public DID use cases that @csuwildcat and others are so excited about: https://rubenverborgh.github.io/WebFundamentals/semantic-web/#timbl-linked-data

See also:

• https://en.wikipedia.org/wiki/Semantic_reasoner
• http://dig.csail.mit.edu/2006/Papers/AAAI/
• https://pdfs.semanticscholar.org/360e/ee82db5317b22754bd94429fa78133eec00e.pdf
• https://github.com/semantalytics/awesome-semantic-web#reasoners
• https://github.com/mdesalvo/RDFSharp

I'm not opposed to supporting more than 1 kind of equivalence relationship... but specifically blocking support for existing semantic reasoning / software out of the gate feels like a bad move... OWL exists already... DIDs are new... let's build a bridge not an island.

[talltree]

First, I was not aware of the CCG Security Vocab thread on @OR13 's sameAs PR when I posted this PR. Thanks to @msporny for pointing it out.

As I posted there, I think I understand the concerns @msporny articulates on that thread. And I also appreciate @OR13 's desires to be able to pursue full owl:sameAs semantics.

So let me just clarify that the purpose of this PR (despite the proposed sameAs name for the property) was just to establish a standard way for a DID controllers to assert that one DID identifies the same DID subject as a different DID. Full stop. No additional semantics or DID document equivalence or RDF graph merging were implied.

So I'm wide open to giving this property a different name, and leaving sameAs for a separate PR for a separate property that would convey the full OWL semantic graph meaning (if @OR13 wants to pursue that).

Since I don't personally like the human semantics of the term "alsoKnownAs" (it feels too colloquial to me), I'd like to propose the property name sameSubject.

Thoughts?

[talltree]

This is excellent, I think we need to discuss:

1. should sameAs work with any IRI (I suggest yes).

@OR13 First I just want to clarify that my answer to your question assumes (per the comment I just posted) that we will split into two different properties—one called sameAs for the full OWL semantic graph equivalence that you are seeking and one called something else (I have proposed sameSubject) to assert only that two DIDs identify the same DID subject.

This PR only covers the latter (I will update it to the new property name as soon as we settle on it).

Now, in that context, my answer is "No" to allowing IRIs (or other URIs that are not DIDs) because I think it is very important to restrict the sameSubject property to identification by DIDs. Ironically, the reasons do in fact go deep into semantic web questions. But a full explanation demands more time that I can give this right now—I plan to address this with a proposed Appendix that I'm currently drafting. I'll update the comment thread as soon as I post it.

[talltree]

This is excellent, I think we need to discuss:

1. should sameAs work with any IRI (I suggest yes).
2. should type be a value from this list: https://www.iana.org/assignments/media-types/media-types.xhtml

@OR13 on #2, I agree that the value SHOULD be from that list. I'm wary of making it a MUST as a DID controller may have a reason to assert a type that has not yet been registered. What do you think?

[talltree]

I think there is general consensus to support limited "alsoKnownAs" use cases.

@msporny Would you be okay with sameSubject as the property name (vs. alsoKnownAs)?

[OR13]

This is excellent, I think we need to discuss:

1. should sameAs work with any IRI (I suggest yes).

@OR13 First I just want to clarify that my answer to your question assumes (per the comment I just posted) that we will split into two different properties—one called sameAs for the full OWL semantic graph equivalence that you are seeking and one called something else (I have proposed sameSubject) to assert only that two DIDs identify the same DID subject.

This PR only covers the latter (I will update it to the new property name as soon as we settle on it).

Now, in that context, my answer is "No" to allowing IRIs (or other URIs that are not DIDs) because I think it is very important to restrict the sameSubject property to identification by DIDs. Ironically, the reasons do in fact go deep into semantic web questions. But a full explanation demands more time that I can give this right now—I plan to address this with a proposed Appendix that I'm currently drafting. I'll update the comment thread as soon as I post it.

interested to hear more about this, I would assume that such a restriction is not actually legal for JSON-LD / OWL / RDF...

https://www.w3.org/TR/json-ld11/#iris
https://www.w3.org/TR/owl-ref/#sameAs-def
https://w3c.github.io/did-core/#json-ld

When I add these up... I feel like making a restriction to DIDs only for owl:sameAs... is a bad idea... but I could see such an argument for sameSubject ( which I am fine with, and also prefer over alsoKnownAs )

[talltree]

@OR13 to be clear, I'm not proposing to restrict sameAs to just DIDs. Only sameSubject.

I agree with you that if a sameAs property will have the same semantics as owl:sameAs, then the domain needs to be all IRIs as it is in RDF/OWL.

[talltree]

I just revised the PR to change the name of the sameAs property to the sameSubject property. I also added a note to explain that the semantics of the sameSubject assertion are limited to asserting that two or more DIDs identify the same DID subject. They do NOT assert owl:sameAs semantics, i.e., the ability to merge the RDF graphs represented by the respective DID docs.

That's not to say that owl:sameAs semantics do not have value or should not be pursued by those who might need them, but that's out of scope for this PR.

[msporny]

Let's split this PR up into two PRs... one for sameSubject and another for representation... I expect they will progress on different timelines, with sameSubject being less controversial than representation.

[msporny]

Suggested change

	true. A malicious <a>DID controller</a> may attempt to impersonate a
	true. A malicious <a>DID controller</a> might attempt to impersonate a

[msporny]

Suggested change

	Therefore it is STRONGLY RECOMMENDED that a requesting party obtain
	Therefore it is strongly advised that a requesting party obtain

[msporny]

Suggested change

	inverse <code>sameSubject</code> assertion (i.e., a backpointer). See
	inverse <code>sameSubject</code> assertion, also known as a back pointer. See

[msporny]

Suggested change

	<a>DID subject</a>.
	<a>DID subject</a>. Implementers are strongly advised against the use of <code>owl:sameAs</code> when processing <a>DID documents</a> as its use could expand the attack surface in a way that was not considered by the Working Group.

[msporny]

This property is begging to be abused from a GDPR perspective. :)

There are better and more specific properties in schema.org... image, url, etc. We shouldn't advise implementers to express this sort of information in the DID Document... it should be done externally.

Please split the representation PR into a separate PR... as the sameSubject PR is far less controversial. I'm concerned that this PR is going to be held up because of the representation PR... they should progress on different timelines.

[msporny]

This should be id

[kdenhartog]

+1

[msporny]

type is being re-used in a way that is not compliant with the DID spec... this really should be mediaType and the value isn't a URI.

[peacekeeper]

I agree with that, but also want to mention that this PR seems to serve a similar purpose as various web linking and discovery technologies such as JRD and the HTML <link> element. Both of those use type to declare a media type, not an RDF class.

[OR13]

if we have an opportunity to pick a better name, we should... id and type are used all over the place... +1 for not continuing to overload them.... Content-Type isn't type... https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Type

[msporny]

Waiting on this to be resolved to do a re-review of this PR.

[msporny]

Hrm, no, we should be using data URIs if we want to embed values directly... and we should put that value in id (see above). Also see https://en.wikipedia.org/wiki/Data_URI_scheme for explanation on data URIs.

[brentzundel]

Suggested change

	of doing this is to resolve the <code>sameAs</code> <a>DID</a> to its
	of doing this would be to resolve each <code>sameAs</code> <a>DID</a> to its

[brentzundel]

an example of this would be very helpful

[talltree]

Let's split this PR up into two PRs... one for sameSubject and another for representation... I expect they will progress on different timelines, with sameSubject being less controversial than representation.

@msporny Agreed. I probably should have done that at the outset. I will try to do that by EOD tomorrow (Wed 22 July).

I'll wait to do the new PR before responding to some of your comments on representation (all of which I believe there are good answers to).

[talltree]

Revised PR to remove the sameSubject property, which is now addressed by PR #355.

[kdenhartog]

Please ignore my original approval. I thought I was reading the sameSubject property addition and saw it was moved to PR #355

For the representation property can, I'm not really sure I'm following the purpose of this. The only thing I'm coming up with is when the DID Subject is a online resource, but in that case I'm not understanding the advantages of using a DID rather than something like a URN. Could you provide me any additional use cases for this so I can understand it and reason about it better?

[talltree]

For the representation property can, I'm not really sure I'm following the purpose of this. The only thing I'm coming up with is when the DID Subject is a online resource, but in that case I'm not understanding the advantages of using a DID rather than something like a URN. Could you provide me any additional use cases for this so I can understand it and reason about it better?

@kdenhartog You nailed it—the whole reason for this PR is that a DID can, in certain cases, be much better than a URN. Just take every use case for a URN, and add these advantages of a DID:

1. No centralized registry required. Almost all URNs require centralized or federated registry services (the exception is URNs like UUIDs that are not resolvable at all).
2. Cryptographically verifiability. The DID controller of the immutable object that serves as a DID subject—for example a schema—is able to publish a series of versions of that schema that each can be cryptographically verified as published by that same DID controller. While not all persistent digital objects need that (there is a whole class of immutable objects the Decentralized Semantics folks call "ungoverned objects" that are just "fire and forget" and are never versioned). But if you need verifiable provenance of an immutable object, a DID is perfect.
3. Standardized resolution. First of all, not all URNs are resolvable (e.g., UUIDs). But if they are resolvable, DIDs have a significant advantage because every URN scheme needs to define not just its URN identifier format and resolution protocol, but also its own metadata format. Check out the IANA URN Namespaces registry for a sense of how many resolution protocols and metadata formats are involved.

While it is true that each DID method also has its own concrete resolution protocol, the abstract DID resolution contract—and most importantly the resolution result (a DID document)—is standardized for all DIDs.

That's a major advantage over URNs. Furthermore, with the representation property, we are uniting persistent, resolvable, cryptographically verifiable identification of the world of digital objects (what the Semantic Web folks call "information objects") with persistent, resolvable, cryptographically verifiable identification of the world of all non-digital objects. So we can use one comprehensive standard for both.

How cool is that?

[msporny]

Waiting for other folks to weigh in on this PR... I personally feel it's a bit misguided -- the use case seems too generic -- but I may not understand the use case. Even if it isn't misguided, the PR uses uri and type in strange ways. Waiting for the PR to get revised or for the PR submitter to provide a clarifying use case and/or to review the use of uri, type, and value.

[msporny]

Waiting on this to be resolved to do a re-review of this PR.

[msporny]

I think @OR13 is stating that using type is the wrong property to use here?

[kdenhartog]

For the representation property can, I'm not really sure I'm following the purpose of this. The only thing I'm coming up with is when the DID Subject is a online resource, but in that case I'm not understanding the advantages of using a DID rather than something like a URN. Could you provide me any additional use cases for this so I can understand it and reason about it better?

@kdenhartog You nailed it—the whole reason for this PR is that a DID can, in certain cases, be much better than a URN. Just take every use case for a URN, and add these advantages of a DID:

1. **No centralized registry required.** Almost all URNs require centralized or federated registry services (the exception is URNs like UUIDs that are not resolvable at all).

2. **Cryptographically verifiability.** The DID controller of the immutable object that serves as a DID subject—for example a schema—is able to publish a series of versions of that schema that each can be cryptographically verified as published by that same DID controller. While not all persistent digital objects need that (there is a whole class of immutable objects the Decentralized Semantics folks call "ungoverned objects" that are just "fire and forget" and are never versioned). But if you need verifiable provenance of an immutable object, a DID is perfect.

3. **Standardized resolution.** First of all, not all URNs are resolvable (e.g., UUIDs). But if they are resolvable, DIDs have a significant advantage because every URN scheme needs to define not just its URN identifier format and resolution protocol, _but also its own metadata format_. Check out the [IANA URN Namespaces registry](https://www.iana.org/assignments/urn-namespaces/urn-namespaces.xhtml) for a sense of how many resolution protocols and metadata formats are involved.

While it is true that each DID method also has its own concrete resolution protocol, the abstract DID resolution contract—and most importantly the resolution result (a DID document)—is standardized for all DIDs.

That's a major advantage over URNs. Furthermore, with the representation property, we are uniting persistent, resolvable, cryptographically verifiable identification of the world of digital objects (what the Semantic Web folks call "information objects") with persistent, resolvable, cryptographically verifiable identification of the world of all non-digital objects. So we can use one comprehensive standard for both.

How cool is that?

In this case, I'd put myself at a +0 then. I'm not thinking we'll (Mattr) use this for resource descriptions at this point, but I expect that down the road it will be useful for implementers who are expanding on the ways in which DIDs are used. I'd be much more willing to move to a +1 if we saw more use cases adopting DIDs in this manor. Do you know of any implementations already doing this (I was thinking the rich schemas might go in that direction, but I haven't see that happen yet.)

[OR13]

did we agree that created and updated go in the did document? I recall strongly objecting to that.

[msporny]

We did not agree to put created and updated in the DID Document. We left it open that some DID Methods may choose to do that, but if they do, it's a statement asserted by the controller of said document.

[talltree]

I just pushed a rewrite of this property based on input from this thread and the discussion on today's DID WG special topic call on the proposed DID Appendices (see #373). This rewrite removes any direct references to those proposed Appendices so it can now stand on its own (though the proposed Appendices may still be helpful for understanding this property).

[talltree]

This PR has been superseded by the proposed type property in #410. I am going to mark this PR "pending close".

[brentzundel]

No comments since marked pending close, closing