feat(identity): DID-anchored identifier branch for domainless publishers (§4.2.1, §5.1.1, Appendix C.1)#49
Conversation
…ers (§4.2.1, §5.1.1, Appendix C.1) Additive support for publishers with no controllable FQDN, rooted in a W3C DID (did:plc, did:web) instead of DNS. Closes the identity hole raised in ards-project#47. The FQDN mainline is untouched. - §4.2.1: DID-anchored URN branch urn:air:did:<method>:<method-specific-id>:<namespace>:<agent-name>, initial set {did:plc, did:web host-only}; existing schema pattern already admits it (no schema change). - §5.1: additive authority-alignment carve-out for identityType "did". - §5.1.1: normative 4-step DID resolution path; canonicalization pinned to JCS (RFC 8785), not implementation-defined. - Appendix C.1: shows the DID branch preserves all five federation properties; written to compose with ards-project#24. - §4.4: domainless (DID-anchored) worked example. - ADR 0010. Companion artifact-side field: drknowhow/install-manifest-spec#37. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
|
Clean scope discipline. The §5.1/§5.1.1 carve-out stays genuinely additive and the JCS pin (RFC 8785) is the right call for interoperability. |
Per review feedback on ards-project#49 (litzki-systems): the detached JWS in §5.1.1 shares the RFC 8785 (JCS) canonicalization baseline with SOVP-v1's attestation payload (ards-project#48, §5.2.1). Note the shared signing primitive as a composition property — disjoint sections, no normative coupling. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
|
@litzki-systems — agreed, and thanks for naming the shared primitive. The JCS pin wasn't incidental: it was chosen to keep one signing mental model across the spec, so it lining up with SOVP-v1's RFC 8785 baseline (#48, §5.2.1) is the intended shape rather than a coincidence. Folded a short composition note into Appendix C.1 ( |
2 participants
Closes the domainless-publisher identity gap from #47. Additive throughout — the FQDN mainline is untouched.
What this does
Lets a publisher with no controllable FQDN — identity rooted in a W3C DID (
did:plc,did:web) and a signed data store — appear in an ARD catalog with cryptographically verifiable authority.urn:air:did:<method>:<method-specific-id>:<namespace>:<agent-name>. Initial setdid:plc+did:web(host-only); DID occupies exactly 3 colon-segments.did:key/did:peer/path-bearingdid:webdeferred.identityType: "did"— verified DID control satisfies alignment; FQDN alignment not required. No rewrite of the FQDN rule.verificationMethod(kid, else first compatible) → verify detached JWS over JCS-canonicalized (RFC 8785) bytes → reject on failure.Maintainer guidance from #47, applied
did:plc+did:web(web = DNS migration on-ramp); no open-ended method registry.MUST NOTbe implementation-defined.Conformance / schema
No schema change required. The existing
ai-catalog.jsonidentifierpattern (^urn:air:[a-zA-Z0-9.-]+(:[a-zA-Z0-9._-]+)+$) already admits the DID-anchored form — the DID's internal colons parse as additional segments (verified againsturn:air:did:plc:…andurn:air:did:web:…). CDDL and conformance fixtures unchanged; CI stays green.Review
Per CODEOWNERS and the process note on #47, this touches normative §5.1 + Appendix C — tagging @rvguha as the final approver for those sections. Happy to split into a separate Design issue per #19 if a different shape is preferred.
Neighbors
Companion
Artifact-side field lives in drknowhow/install-manifest-spec#37 — optional
publisherblock (did+ detached JWS over canonical manifest bytes), same JCS constraint, so an install-manifest can carry the identity binding this path verifies.