forked from w3c/did-core
-
Notifications
You must be signed in to change notification settings - Fork 0
/
terms.html
348 lines (281 loc) · 14 KB
/
terms.html
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
<p>
This section defines the terms used in this specification and throughout
<a>decentralized identifier</a> infrastructure. A link to these terms is
included whenever they appear in this specification.
</p>
<dl class="termlist">
<dt><dfn>authenticate</dfn></dt>
<dd>
Authentication is a process (typically some type of protocol) by which an
entity can prove it has a specific attribute or controls a specific secret
using one or more <a>verification methods</a>. With <a>DIDs</a>, a common
example would be proving control of the private key associated with a public
key published in a
<a>DID document</a>.
</dd>
<dt><dfn data-lt="blockchains|blockchain technology">blockchain</dfn></dt>
<dd>
A specific type of <a>distributed ledger technology</a> (DLT) in which ledger
entries are stored in blocks of transactions that are grouped together and
hashed into a cryptographic chain. Because this type of <a>DLT</a> was
introduced by <a href="https://en.wikipedia.org/wiki/Bitcoin">Bitcoin</a>, the
term <em>blockchain</em> is sometimes used to refer specifically to the Bitcoin
ledger.
</dd>
<dt><dfn>binding</dfn></dt>
<dd>
A concrete mechanism used by a caller to invoke a <a>DID resolver</a> or a
<a>DID URL dereferencer</a>. This could be a local command line tool, a
software library, or a network call such as an HTTPS request.
</dd>
<dt><dfn data-lt="decentralized identifiers|DID|DIDs">decentralized identifier</dfn> (DID)</dt>
<dd>
A globally unique persistent identifier that does not require a centralized
registration authority because it is generated and/or registered cryptographically.
The generic format of a DID is defined in <a href="#did-syntax"></a>.
A specific <a>DID scheme</a> is defined in a <a>DID method</a> specification.
Many—but not all—DID methods make use of <a>distributed ledger technology</a>
(DLT) or some other form of decentralized network.
</dd>
<dt><dfn>decentralized identity management</dfn></dt>
<dd>
<a href="https://en.wikipedia.org/wiki/Identity_management">identity
management</a> that is based on the use of <a>decentralized identifiers</a>.
Decentralized identity management extends authority for identifier generation,
registration, and assignment beyond traditional roots of trust such as
<a href="https://en.wikipedia.org/wiki/X.500">X.500 directory services</a>,
the <a href="https://en.wikipedia.org/wiki/Domain_Name_System">Domain Name System</a>,
and most national ID systems.
</dd>
<dt><dfn>decentralized public key infrastructure</dfn> (DPKI)</dt>
<dd>
<a href="https://en.wikipedia.org/wiki/Public_key_infrastructure">Public key
infrastructure</a> that does not rely on traditional
<a href="https://en.wikipedia.org/wiki/Certificate_authority">certificate
authorities</a> because it uses <a>decentralized identifiers</a> and
<a>DID documents</a> to discover and verify <a>public key descriptions</a>.
</dd>
<dt><dfn data-lt="did controllers|did controller(s)">DID controller</dfn></dt>
<dd>
An entity that has the capability to make changes to a <a>DID document</a>.
A <a>DID</a> might have more than one DID controller. The <a>DID controller(s)</a>
can be denoted by the optional `controller` property at the top level of the <a>DID
document</a>. Note that one <a>DID controller</a> might be the <a>DID subject</a>.
</dd>
<dt><dfn>DID delegate</dfn></dt>
<dd>
An entity to whom a <a>DID controller</a> has granted permission to use
a <a>verification method</a> associated with a <a>DID</a> via a <a>DID document</a>.
For example, a parent who controls a child's <a>DID document</a> might permit
the child to use their personal device in order to <a>authenticate</a>. In
this case, the child is the <a>DID delegate</a>. The child's personal device
would contain the private cryptographic material enabling the child to
<a>authenticate</a> using the DID. However the child might not be permitted to
add other personal devices without the parent's permission.
</dd>
<dt><dfn data-lt="DID documents">DID document</dfn></dt>
<dd>
A set of data describing the <a>DID subject</a>, including mechanisms, such as
public keys and pseudonymous biometrics, that the <a>DID subject</a> or a
<a>DID delegate</a> can use to <a>authenticate</a> itself and prove its
association with the <a>DID</a>. A DID document might also contain other
<a href="https://en.wikipedia.org/wiki/Attribute_(computing)">attributes</a> or
<a href="https://en.wikipedia.org/wiki/Claims-based_identity">claims</a>
describing the <a>DID subject</a>. A DID document might have one or more different
<a>representations</a> as defined in <a href="#representations"></a> or in
the W3C DID Specification Registries [[DID-SPEC-REGISTRIES]].
</dd>
<dt><dfn data-lt="DID fragments">DID fragment</dfn></dt>
<dd>
The portion of a <a>DID URL</a> that follows the first hash sign character
(<code>#</code>). DID fragment syntax is identical to URI fragment syntax.
</dd>
<dt><dfn data-lt="DID methods">DID method</dfn></dt>
<dd>
A definition of how a specific <a>DID scheme</a> must be implemented to work
with a specific <a>verifiable data registry</a>. A DID method is defined by a
DID method specification, which must specify the precise operations by which
<a>DIDs</a> are created, resolved and deactivated and <a>DID documents</a> are
written and updated. See <a href="#methods"></a>.
</dd>
<dt><dfn data-lt="DID paths">DID path</dfn></dt>
<dd>
The portion of a <a>DID URL</a> that begins with and includes the first forward
slash (<code>/</code>) character and ends with either a question mark (<code>?</code>)
character or a fragment hash sign (<code>#</code>) character (or the end of the
DID URL). DID path syntax is identical to URI path syntax. See
<a href="#path"></a>.
</dd>
<dt><dfn data-lt="DID queries">DID query</dfn></dt>
<dd>
The portion of a <a>DID URL</a> that follows and includes the first question
mark character (<code>?</code>). DID query syntax is identical to URI query
syntax. See <a href="#query"></a>.
</dd>
<dt><dfn>DID resolution</dfn></dt>
<dd>
The function that takes as its input a <a>DID</a> and a set of input
metadata and returns a <a>DID document</a> in a conforming <a>representation</a>
plus additional metadata. This function relies on the "Read" operation of the
applicable <a>DID method</a>. The inputs and outputs of this function are
defined in <a href="#resolution"></a>.
</dd>
<dt><dfn data-lt="DID resolvers">DID resolver</dfn></dt>
<dd>
A <a>DID resolver</a> is a software and/or hardware component that performs the
<a>DID resolution</a> function by taking a <a>DID</a> as input and producing a
conforming <a>DID document</a> as output.
</dd>
<dt><dfn data-lt="DID schemes">DID scheme</dfn></dt>
<dd>
The formal syntax of a <a>decentralized identifier</a>. The generic DID scheme
begins with the prefix <code>did:</code> as defined in <a href="#did-syntax"></a>.
Each <a>DID method</a> specification must define a specific DID
scheme that works with that specific <a>DID method</a>. In a specific DID method
scheme, the DID method name must follow the first colon and terminate with the
second colon, e.g., <code>did:example:</code>
</dd>
<dt><dfn data-lt="DID subjects">DID subject</dfn></dt>
<dd>
The entity identified by a <a>DID</a> and described by a <a>DID document</a>. A
<a>DID</a> has exactly one DID subject. Anything can be a DID subject: person,
group, organization, physical thing, digital thing, logical thing, etc.
</dd>
<dt><dfn data-lt="DID URLs">DID URL</dfn></dt>
<dd>
A <a>DID</a> plus any additional syntactic component that conforms to the
definition in <a href="#did-url-syntax"></a>. This includes an optional <a>DID
path</a> (with its leading <code>/</code> character), optional <a>DID query</a>
(with its leading <code>?</code> character), and optional <a>DID fragment</a>
(with its leading <code>#</code> character).
</dd>
<dt><dfn>DID URL dereferencing</dfn></dt>
<dd>
The function that takes as its input a <a>DID URL</a>, a <a>DID document</a>,
plus a set of dereferencing options, and returns a <a>resource</a>. This
resource might be a <a>DID document</a> plus additional metadata, or it might be a
secondary resource contained within the <a>DID document</a>, or it might be a
resource entirely external to the <a>DID document</a>. If the function begins
with a <a>DID URL</a>, it uses the <a>DID resolution</a> function to fetch a
<a>DID document</a> indicated by the <a>DID</a> contained within the
<a>DID URL</a>. The dereferencing function then can perform additional
processing on the <a>DID document</a> to return the dereferenced resource
indicated by the <a>DID URL</a>. The inputs and outputs of this function are
defined in <a href="#did-url-dereferencing"></a>.
</dd>
<dt><dfn data-lt="DID URL dereferencers">DID URL dereferencer</dfn></dt>
<dd>
A software and/or hardware system that performs the <a>DID URL dereferencing</a>
function for a given <a>DID URL</a> or <a>DID document</a>.
</dd>
<dt><dfn data-lt="distributed ledger technology|DLT">distributed ledger</dfn> (DLT)</dt>
<dd>
A non-centralized system for recording events. These systems establish
sufficient confidence for participants to rely upon the data recorded
by others to make operational decisions. They typically use distributed
databases where different nodes use a consensus protocol to confirm the
ordering of cryptographically signed transactions. The linking of digitally
signed transactions over time often makes the history of the ledger
effectively immutable.
</dd>
<dt><dfn data-lt="proofPurpose">proof purpose</dfn></dt>
<dd>
A property of a <a>DID document</a> that communicates the purpose for which the
<a>DID controller</a> included a specific type of proof. It acts as a safeguard
to prevent the proof from being misused for a purpose other than the one it was
intended for.
</dd>
<dt><dfn>public key description</dfn></dt>
<dd>
A data object contained inside a <a>DID document</a> that contains all the
metadata necessary to use a public key or verification key.
</dd>
<dt><dfn data-lt="resources">resource</dfn></dt>
<dd>
As defined by [[RFC3986]]: "...the term 'resource' is used in a general sense
for whatever might be identified by a URI." Similarly, any resource might serve
as a <a>DID subject</a> identified by a <a>DID</a>.
</dd>
<dt><dfn data-lt="representations">representation</dfn></dt>
<dd>
As defined for HTTP by [[RFC7231]]: "information that is intended to reflect a
past, current, or desired state of a given resource, in a format that can be
readily communicated via the protocol, and that consists of a set of
representation metadata and a potentially unbounded stream of representation
data." A <a>DID document</a> is a representation of information
describing a <a>DID subject</a>. The <a href="#representations"></a>
section of the <a href="https://w3.org/TR/did-core">DID Core specification</a>
defines several representation formats for a <a>DID document</a>.
</dd>
<dt><dfn>services</dfn></dt>
<dd>
Means of communicating or interacting with the <a>DID subject</a> or
associated entities via one or more <a>service endpoints</a>.
Examples include discovery services, agent services, social networking
services, file storage services, and verifiable credential repository services.
</dd>
<dt><dfn data-lt="service endpoints">service endpoint</dfn></dt>
<dd>
A network address (such as an HTTP URL) at which <a>services</a> operate on
behalf of a <a>DID subject</a>.
</dd>
<dt><dfn data-lt="URI|URIs">Uniform Resource Identifier</dfn> (URI)</dt>
<dd>
The standard identifier format for all resources on the World Wide Web as
defined by [[RFC3986]]. A <a>DID</a> is a type of URI scheme.
</dd>
<dt><dfn data-lt="verifiable credentials">verifiable credential</dfn></dt>
<dd>
A standard data model and representation format for cryptographically-verifiable
digital credentials as defined by the W3C [[VC-DATA-MODEL]].
</dd>
<dt><dfn data-lt="verifiable data registry|verifiable data registries">verifiable
data registry</dfn></dt>
<dd>
A system that facilitates the creation, verification, updating, and/or
deactivation of <a>decentralized identifiers</a> and <a>DID documents</a>. A
verifiable data registry might also be used for other cryptographically-verifiable
data structures such as <a>verifiable credentials</a>. For more information, see
[[VC-DATA-MODEL]].
</dd>
<dt><dfn>verifiable timestamp</dfn></dt>
<dd>
A verifiable timestamp enables a third-party to verify that a data object
existed at a specific moment in time and that it has not been modified or
corrupted since that moment in time. If the data integrity could reasonably
have modified or corrupted since that moment in time, the timestamp is not
verifiable.
</dd>
<dt><dfn data-lt="">verification method</dfn></dt>
<dd>
<p>
A set of parameters that can be used together with a process or protocol to
independently verify a proof. For example, a public key can be used as a
verification method with respect to a digital signature; in such usage, it
verifies that the signer possessed the associated private key.
</p>
<p>
"Verification" and "proof" in this definition are intended to apply broadly. For
example, a public key might be used during Diffie-Hellman key exchange to
negotiate a shared symmetric key for encryption. This guarantees the integrity
of the key agreement process. It is thus another type of verification method,
even though descriptions of the process might not use the words "verification"
or "proof."
</p>
</dd>
<dt><dfn data-lt="">verification relationship</dfn></dt>
<dd>
<p>
An expression of the relationship between the <a>DID subject</a> and a
<a>verification method</a>. An example of a verification relationship is
<a href="#authentication"></a>.
</p>
</dd>
<dt><dfn data-lt="UUID|UUIDs">Universally Unique Identifier</dfn> (UUID)</dt>
<dd>
A type of globally unique identifier defined by [[RFC4122]]. UUIDs are similar
to DIDs in that they do not require a centralized registration authority.
UUIDs differ from DIDs in that they are not resolvable or
cryptographically-verifiable.
</dd>
</dl>