back to article W3C overrules objections by Google, Mozilla to decentralized identifier spec

The World Wide Web Consortium (W3C) has rejected Google's and Mozilla's objections to the Decentralized Identifiers (DID) proposal, clearing the way for the DID specification to be published a W3C Recommendation next month. The two tech companies worry that the open-ended nature of the spec will promote chaos through a …

  1. ShadowSystems

    JS & trust?

    If you're using JavaScript & trust in the same sentance without a "will never earn any" inbetween, you're not paying attention. There is no trust in JS unless the only JS you run is the locally stored, locally vetted, & locally secured code you've written yourself. Everyone else's JS code, especially if stored/run from a 3rd party server, is no longer secure nor trusted.

    I know I'm insane, my Dried Frog Pills say as much, but if *I* think using JS is a bad idea, why aren't supposedly saner heads not putting the concept out of it's misery with extreme prejudice?

    1. ThatOne Silver badge
      Devil

      Re: JS & trust?

      Money talks - louder than you...

      Seriously: How else can you create those bells and whistles which will dazzle the victim while you run off with his wallet? JavaScript is the only random code people routinely download from the internet, and willingly run on their computers hoping for some "awesome" singing/dancing gizmo feature. If you remove this, Web 2.0 is dead and we're back to Web 1.0: Hipsters will drown themselves in their double venti organic, chocolate brownie, caramel frappucchinos.

      1. dajames

        Re: JS & trust?

        If you remove this, Web 2.0 is dead ...

        You say that like it's a bad thing ...

      2. Greybearded old scrote
        Joke

        Re: JS & trust?

        Promise?

      3. M.V. Lipvig Silver badge

        Re: JS & trust?

        "If you remove this, Web 2.0 is dead and we're back to Web 1.0: Hipsters will drown themselves in their double venti organic, chocolate brownie, caramel frappucchinos"

        I'M ON BOARD! MAKE IT HAPPEN!!!

      4. Blackjack Silver badge

        Re: JS & trust?

        If Flash for Web could get killed, how long it will take until we get a HTML that can do most things Javascript for Web can and finally kill this abomination?

        It was like "Oh this new HTML can play audios and videos and run some simple games" and then... progress stopped.

        What the heck happened?

    2. Mobster

      Re: JS & trust?

      I am not sure why it has to be JS. The specification calls for use of JSON, which is an object specification scheme, not JS, which is a programming language.

    3. Robert Grant

      Re: JS & trust?

      Two things:

      - Article didn't mention JavaScript, I think.

      - Something running on someone else's server can be just as untrustworthy in any language.

  2. Anonymous Coward
    FAIL

    You know something's wrong

    When Google and Mozilla agree.

    When it's based on blockchain.

    And when one of the undefined DID methods is named DID-meme.

    It makes me wonder what the W3C is up to.

    1. Dan 55 Silver badge

      Re: You know something's wrong

      Seems most of the working group belong to companies involved in online identity so I guess they were there to push their own solution and nobody agreed on anything, other than they wanted the browser makers to make it magically work.

      And thus defeat is snatched from the jaws of victory and we're still stuck with usernames and passwords or "Log in with Google/Facebook/Apple/etc...".

      1. Anonymous Coward
        Anonymous Coward

        Re: You know something's wrong

        I'm good with usernames and passwords.

        A single identifier to track me everywhere and give full access to my everything when a company fucks their security up?

        No, tbanks.

        1. Dan 55 Silver badge

          Re: You know something's wrong

          If it defined a truly decentralised standard you could point it to a server running on your router or NAS and be in control of your own identity, so this is a lost opportunity.

          1. Tomato42

            Re: You know something's wrong

            Oh, just so I couldn't log in on my phone when away from home because the crappy ISP provided router shit its pants because it saw 2000 packets in one second?

            Yes, that would be progress /s.

            1. David 132 Silver badge
              Happy

              Re: You know something's wrong

              > Yes, that would be progress /s

              Ah, I see you’re still using DOS. The cool kids are on PowerShell now, so in this case it would be

              Progress Set-CommentTone sarcastic

              :)

              1. logicalextreme

                Re: You know something's wrong

                You'd probably also need a -Force switch in there to get it to work, for no discernible reason why, and not much in the way of documentation on what precisely the switch does.

            2. Dan 55 Silver badge

              Re: You know something's wrong

              You're right. There's no way on earth you could change your ISP router or use a 2nd router in bridging mode. It's a good thing that the W3C didn't give any person or business the option to self-host their online identities because that crappy ISP router scenario would make it unworkable for everyone on the planet who tried to do this.

              /s

              1. Anonymous Coward
                Anonymous Coward

                Re: You know something's wrong

                Yes, I trust that a server you told me to goto is telling me the truth of who you are so I can trust you.

                Which dumb fuckwit thought this up?

                and which fuckwits would trust the data from it?

                1. Dan 55 Silver badge
                  FAIL

                  Re: You know something's wrong

                  You're absolutely right, nobody in the entire history of the internet ever logged in as user@server.domain.com.

                  It would be absolutely impossible to query server.domain.com to authenticate user. You could never trust server.domain.com with DANE and you could never trust the user with a certificate instead of a password.

                  It's utterly unworkable. We must stick with crackable passwords and "Log in with Bigcorp".

              2. Anonymous Coward
                Anonymous Coward

                Re: You know something's wrong

                Ah, I guess there's no way your crap tin-can-and-string last mile connection can go down when it rains, or when it's sunny, or when it's windy, or when there's a bird sitting on the line, or when there *isn't* a bird sitting on the line, or when the line has been eaten by a random tiger, or because it's a day ending in "y", or....

                1. Dan 55 Silver badge

                  Re: You know something's wrong

                  So you mean your internet connection is good enough for browsing but not good enough for logging in, if I understand you correctly? Have you thought of changing ISPs?

              3. Tomato42

                Re: You know something's wrong

                Right, because your average netizen is going to do just that. Maybe even set up a microtik so they can administer it remotely too! /s

                Residential network connections aren't reliable enough to really, really depend on them. Especially if we're talking about public at large. Nobody is going to get two network connections, router beefy enough to be able to handle failover and a cellphone backup! Hardly anybody is replacing their ISP provided routers already.

          2. Anonymous Coward
            Anonymous Coward

            Re: You know something's wrong

            " you could point it"

            Why the fuck would I use this, who the fuck trusts random internet servers to tell you the fucking truth for ID/authorisation?

            Thats just fucking stupid.

          3. Anonymous Coward
            Anonymous Coward

            Re: You know something's wrong

            I recently switched ISPs. The new connection doesn't have an external IP address.

            Yes, that's actually true - it's 5G-based, and the IP is in use by a number of different people in the area. It's not possible to have a public-facing server without setting up a VPN through some other company just to get an IP. Not worth it.

            1. Fred Goldstein

              Re: You know something's wrong

              That's normal now. IPv4 addresses are too scarce, and IPv6 is such a badly-written fustercluck that it doesn't make matters any better, just more filling and less secure. So residential clients get NAT addresses and work around their disadvantages, which most people don't notice. And residential ISP agreements usually discourage setting up servers anyway; that's what cloud services are for.

        2. Anonymous Coward
          Anonymous Coward

          Re: You know something's wrong

          Agreed. Sounds like something baked up[ by the CCP & the PLA.

    2. elsergiovolador Silver badge

      Re: You know something's wrong

      Isn't Mozilla being partially funded by Google?

      Seems like a gaping conflict of interest.

    3. Howard Sway Silver badge

      Re: You know something's wrong

      Just wait until they introduce DID-nft.

      1. Doctor Syntax Silver badge

        Re: You know something's wrong

        I prefer DID-n't

      2. FIA Silver badge

        Re: You know something's wrong

        Just wait until they introduce DID-nft.

        Wait?

    4. ChoHag Silver badge

      Re: You know *Google are desperate* ...

      ... when their "we have competetion, honest" mouthpiece parrots their own lines.

      Fixed that for you.

  3. MajorDoubt
    Happy

    Since google pretty much control the browser market

    they can just refuse to support it

    1. Zygous

      Re: Since google pretty much control the browser market

      I was thinking something similar. Since the developers of Firefox and Chrome objected, and there was resistance from the developers of Safari and Edge, it sounds like the story is that the W3C shot themselves in the foot with this one and (missing my metaphors) the “recommendation” is dead in the water.

      1. Androgynous Cupboard Silver badge

        Re: Since google pretty much control the browser market

        W3C isn't just browsers - for example, XML, XSLT are W3C specs.

        1. Michael Wojcik Silver badge

          Re: Since google pretty much control the browser market

          Yes, but most authentication these days happens in interactive HTTP user agents – browsers. Browsers refusing to support DID will likely slow adoption. In practice, there will be a thousand DID Javascript libraries in npm by the end of the year, only 998 of which will be either horribly insecure or actively malicious, so we'll be seeing DID support in lots of web apps; but browser resistance will still be a drag on adoption.

          I haven't looked at DID closely yet, but it seems fairly stupid on casual inspection. And, of course, we already have technologies deployed for identities that aren't tied to a single vendor and can be decentralized. Those (OpenPGP keys, X.509 in non-hierarchical PKIX arrangements) are also terrible, but they're the terrible we know.

          Identity is a hard problem, and "mumble mumble something plus half-assed baby Merkle graphs!" is not likely to be a good solution.

    2. aerogems Silver badge

      Re: Since google pretty much control the browser market

      Was just about to post something similar. What happens if Firefox and Chrome, which make up like 95%+ of the browser market -- including Chromium based browsers -- just refuse to support it? And if Apple decides not to add it to Safari in iOS/iPadOS, that probably brings the total up to around 99% of all browser users. It may technically be part of the spec, but no one can do anything with it unless they go out of their way to use a browser that supports it, and everyone else visiting that specific site also goes out of their way to find a supporting browser.

      Then either the W3C goes back and addresses the concerns of the browser makers or just accepts that their pet project is stillborn.

  4. Greybearded old scrote
    WTF?

    Huh?

    So it's opposed by Google, Mozilla, Apple and Microsoft. Effectively everyone except Meta and Amazon, out of those who can actually make this thing be more than a waste of electrons.

    So who do they think they are pushing this crap through for?

  5. Anonymous Coward
    Anonymous Coward

    One of the rare times I agree with the corporations, and one of the rare times the W3C rejects them!

  6. Yes Me Silver badge
    Thumb Down

    DID end

    I think this is DID on arrival.

    did:whatever_you_like:random_identifier is a recipe for an unholy mess. The only ones that will work out of the box are did:dns:<valid DNS domain name> or did:email:<valid email address>.

    Tim has blown this one big time IMNSHO.

  7. stiine Silver badge

    Who's Tim?

    1. Fazal Majid

      Tim Berners-Lee

      1. TimMaher Silver badge
        Coat

        Tim

        Nothing to do with me.

        1. David 132 Silver badge
          Happy

          Re: Tim

          Well you say that, but how do we know it’s really you? If only there were some sort of agreed standard for confirming people’s identities. Preferably decentralized.

  8. YetAnotherJoeBlow
    Unhappy

    What makes it so difficult to give people what they want? Time and time again another spec gets forced down our collective throats. Nobody listens anymore - companies think that they are far too important to actually listen to anyone who knows what they are talking about - from program features to security to ease of use. Especially security.

    1. ThatOne Silver badge
      Unhappy

      > companies think that they are far too important to actually listen

      No, they just think there is money to be made, and that is reason enough to not listen to anybody. Money, man! Who cares about sanity when there is easy money to be made!

  9. Anonymous Coward
    Anonymous Coward

    DID Cloudflare have a say?

    ....because when CloudFlare goes down (see last week's news)....then all of this DID stuff just stops!

    ....sorry....no blockchain, no authentication, no email.....

    DID I make myself clear? The fundamental problem is "the cloud"!!

    1. Anonymous Coward
      Anonymous Coward

      Re: DID Cloudflare have a say?

      > DID I make myself clear? The fundamental problem is "the cloud"!!

      Sorry, I can't see what can possibly be wrong with being reliant on "Someone else's computer"

  10. Pascal Monett Silver badge

    Ah, blockchain

    So it has finally wormed its way into the minds of the those who participate in defining the Internet as we know it.

    Somebody get a flamethrower, please ?

    1. Anonymous Coward
      Anonymous Coward

      Re: Ah, blockchain

      "Somebody get a flamethrower, please ?"

      better to nuke it from orbit, just to make sure!!!.

      1. TimMaher Silver badge
        Mushroom

        Re: Nuke it from orbit.

        I’ll provide the icon @AC.

        1. Zack Mollusc

          Re: Nuke it from orbit.

          Nicely provided!

  11. Anonymous Coward
    Anonymous Coward

    Good article

    I was in on this discussion on the W3C mailing list, this summary is fairly accurate. The objection of Mozilla, Google (you forgot Apple, who also made a formal objection), along with bunch of others who waded in, was essentially that the DID people were asking the W3C to rubberstamp a specification which was going to launch with no interoperability. And with 150 odd "schemes", analogous to URL schemes (http, ftp etc) it doesn't look like interop was going to be forthcoming any time soon.

    As a technical argument this made a lot of sense to me, and I got the clear impression it comes from the W3C being much less inclined to put its stamp on specifications which are at idea stage than it was 20 years ago. Now, they want testcases, they want interop across vendors, they want practical examples and I agree with all of that. However the DID folk came back and said this should to be approved as a standard first, with schemes to follow. Ultimately it's a judgement call, and this one favoured the DID folk. They had clearly worked hard on it, the objections were just that it needed a bit more first and what was the rush for a publication? But good luck to them I suppose. I hope they make something useful of it. And if it dies on it's arse for being too handwavy, it won't be the first spec that's gone that way.

    A parallel side debate was whether the W3C should be approving anything based on proof-of-work. Fortunately what was approved this week has not sanctioned that, but it's a fight we're going to see again in the W3C - some very principled and entrenched positions were on display, and in my opinion some very blinkered ones too. One for another day.

    1. Brewster's Angle Grinder Silver badge

      Re: Good article

      This is why we have WHATWG, eh?

      But I'm glad to hear they didn't approve proof-of-work. In this day and age, it shouldn't be on the table.

      1. jmch Silver badge

        Re: Good article

        "I'm glad to hear they didn't approve proof-of-work. In this day and age, it shouldn't be on the table."

        Maybe I'm missing something, but isn't proof of work as implemented in Bitcoin insanely computationally expensive because the algorithm increases the processing difficulty every time it starts becoming too easy? Is it possible to have a proof of work algorithm where the work proof needed to be done can be done in a reasonable non-planet melting computational time? Or does that then undermine the security?

        1. Brewster's Angle Grinder Silver badge

          Re: Good article

          Yeah, proof-of-work is ice-cap meltingly expensive. The solution is proof-of-stake - Google tells me Etherium is on track to switch later in the year or early next year - and that will reduce the energy cost. And I can't see why you would be designing new systems around proof-of-work.

          1. J. Cook Silver badge
            Trollface

            Re: Good article

            ... Didn't they say that last year? Or is this a Cybertruck sort of thing that's promised for "next year" for the next 10 years until it's quietly taken out back and put down like an old hound that's developed rabies?

  12. TeeCee Gold badge

    So, in a nutshell.

    You know all that shit that still happens with trusted certificates generated by trusted authorities?

    Imagine that without the trusted authorities to refer to...

  13. This post has been deleted by its author

  14. This post has been deleted by its author

  15. This post has been deleted by its author

  16. Anonymous Coward
    Anonymous Coward

    Forgive me if I'm naive…

    …but how does this improve on PGP's web of trust?

    1. Anonymous Coward
      Anonymous Coward

      Re: Forgive me if I'm naive…

      > …but how does this improve on PGP's web of trust?

      It doesn't. The PGP web of trust means you actually trust (albeit indirectly in many cases) the other party.

      Because this new system is blockchain driven, you're not actually being asked to trust that someone is who they claim to be, just being asked to accept that they got control over the 'name' they're using first and can prove it via the BC.

      1. Anonymous Coward
        Anonymous Coward

        Re: Forgive me if I'm naive…

        Not to mention that blockchains are way centralised in practice. Even the bitcoin blockchain, which I believe is the largest, has an "interesting" profile.

  17. elsergiovolador Silver badge

    Ethics

    Have Google solved the problem of ethics of their high flying employees flying private jets?

    1. Androgynous Cupboard Silver badge

      Re: Ethics

      Yeah, and what about overfishing? Or the VW diesel emissions scandal? Or horsemeat being certified as beef and getting into the food chain?

  18. Surrey Veteran

    Interesting article, Meta may be pleased on the introduction of Web3 by stealth.

    However not bad news, the once safe walled gardens of meta are opening the door to the Web3 hell, hopefully Zuk will be a bad memory in the times to come.

    For instance a crypto bank based on Metaverse was already hacked, lost 3.8 M USD in ETH.

    And things are getting better, is somebody remembers DIEM (formerly Libra and now formerly NOVI)? https://web3isgoinggreat.com/?id=meta-hammers-another-nail-into-the-coffin-of-libra-announcing-the-shutdown-of-their-novi-project

    Any serious organisation needs to stay away of the crypto madness, is not just hacking is reputation too.

  19. Tim from IAMX

    Welcome

    Welcome web3 with open arms.

    1. J. Cook Silver badge
      Coat

      Re: Welcome

      I welcome it with open arms, and daggers in each hand, but that's just me. :D

  20. Anonymous Coward
    Anonymous Coward

    Not to be that guy but when something approaching half the working group on decentralized identity management appear to be directly and explicitly linked to the Chinese state shouldn't we be asking some fundamental questions about whether working groups are even fit for purpose? Regardless of the technical acumen of the individuals, absolutely no weight whatsoever should be given to the state-sponsored views of state-sponsored actors from overtly authoritarian and illiberal states, and that applies doubly when dealing with a specification inherently linked to user privacy, user tracking and balkanization of the internet by identity provider. What a lunatic state of affairs.

    1. Anonymous Coward
      Anonymous Coward

      And which half would that be then?

      The DID WG meeting minutes are online. Unless they've all cleverly given themselves European names to mask their dastardly allegiance to SPECTRE, I think you might have got yourself confused.

  21. Anonymous Coward
    Anonymous Coward

    "What Google and Mozilla object to is that the DID method is left undefined not controlled by Google."

    I am conflicted on this. On the one had, it seems good that Google, et al, were opposing what appears to be a rabbit hole of a standard. On the other hand, I have no doubt that if this idea had originated at Google and they had some crazy idea of how to use it to push more ads, they'd be smoothing over all the cracks and promising the same exact things that these DID folks are promising.

  22. Barry Rueger

    My prediction

    I'm honestly way over my head technically, but this sounds like yet another Internet disaster in the making. I'm just printing out anything critical on paper and waiting for the inevitable day when the whole mess comes crashing down around us.

    Besides, I'm also working on the assumption that, like damn near everything else on-line, this scheme will somehow demand that you have a smartphone to make it work.

    Three-factor Authentication! Here we come!

  23. AdamWill

    Who's pushing this?

    Uh, so if Google, Mozilla, Microsoft and Apple were all against this, who the hell is in favor of it? Cryptobros? What hold have they got over the W3C?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like