Adds the technical definition of watchers to the specification

[swcurran]

Adds the concept of watchers to the spec. As always, provides a relatively short/simple technical implementation, and leaves the governance / implementation details out of the spec. That said, it does add more implementation details than, say, the witness implmentation.

Watchers are a list of URLs that monitor the DID. The URL must respond to a core set of 5 endpoints to return the cached DID Log, return the cached witness.json file, return a cached resource, webhook about an update to the DID, webhook about an update to a resource.

It's a slippery slope to define how much to include.

Questions from me:

1. Feedback on what is there so far?
2. What details need to be added about the list as DID Metadata?
3. Should the webhooks have an attached proof for "authorization"?

Signed-off-by: Stephen Curran [email protected]

[swcurran]

Updated the PR to add items discussed at the 2025-03-13 Meeting. Notably:

• Added a "DELETE" endpoint that requests removal of a SCID from the watcher's cache -- governance outside of this specification.
• Added that all POST and DELETE must respond to the successful receipt of a message with a 202, indicating asynchronous processing will occur. This eliminates the possiblity of a POST of the entry for a witness responding in any way other than via the callback.
• Added that the URLs can be any type, and that if they are HTTP(S) URLs, they MUST adhere to the defined endpoints.

Not done yet:

• attach an OpenAPI definition of the API (@PatStLouis ?)
• define if/how any of the POSTs can/should be associated with the DID Controller -- a proof and if so the impact on the API. For example, should a DELETE have to have a proof, if it is possible that the DID Controller no longer exists? Which is of course, back to governance.
• anything for the sender about POSTs/DELETE if a 202 is not received -- e.g. retries, etc.

[brianorwhatever]

here we have the watcher URL in the witness but above there is a watchers array. I'm confused on this is this intended mixing witnesses and watchers feel strange to me.

[swcurran]

The idea is that if a witness is a watcher, we want the resolver to know that as it provides additional metadata about who the witness is that can be helpful for governance (which is outside the scope of the spec.). The DID Controller also uses that with the “watcher API” that it can send the witness a notification of a new entry before it is published, to allow getting back a witness proof. I think it is logical that a witness for a DID also be a watcher and so we should encourage it and tie the two together.

That said, it does add a bit of complication, and I’m not 100% tied to it. I can see removing that and the watcher entry notification API endpoint.

[brianorwhatever]

I don't know if tying the two concepts together this tightly makes sense although I do understand the desire to have a URL for a witness. I don't think cheating and calling it a watcherURL is the way 😄

[brianorwhatever]

I don't know if the reference to did:webplus is a good idea it might confuse people

[swcurran]

Reasonable. My hope was that the it would encourage the did:webplus folks to formalize their VDG as a watcher as we have defined it. It’s non-normative, so not a spec issue.

[brianorwhatever]

Why have the differences? Can't a witness watcher euro just be put into the standalone watchers?

[swcurran]

It can — it just has to be done explicitly. If the witness is dropped, they are removed from the witness and the (implied) witness-watcher list. If the DID Controller redefines the watcher list with that watcher, that’s fine.

[brianorwhatever]

It feels like we have three different concepts now

1. a witness
2. a witness-watcher
3. a watcher

[swcurran]

Yes. But for the reasons given, that second category is useful.

[brianorwhatever]

Maybe 1 isn't then? This comes back to the question about how to get a proof from a witness. Previously, we had said this was out of spec and now we sort of have this in spec in the second category, but not in the first category.

[swcurran]

Interesting idea…requiring that all witnesses be a watcher and provide a Watcher URI? Others?

[PatStLouis]

Strong -1 from me, as we have significant work done with the didcomm witness protocol and this would effectively scrap the current did webvh server work and acapy witnessing work.

[PatStLouis]

It's not clear to me where the desire to have an endpoint to get a witness signature in the log file comes from. Who does this benefit? Surely the controller already knows how to get a witness signature prior to adding this witness to an entry. The witness parameter is there for resolvers to ensure the log has been properly witnessed.

[swcurran]

We can leave it off — it was a bit of throw in and perhaps not well thought out.

It has value in that it defines an optional way to retrieve a witness proof. A DID Controller/Witness is not forced to use it if the witness is also a watcher — it is just possible. So the approach you are using is completely valid. It is just that since we have this option, it can be used. That said, we can remove it from the Watcher spec, and a DID Controller can have its witnesses use such as endpoint.

As I write this, I think it is best that we drop it from the spec — it is not obvious why it is there. I’ll remove it, and let’s add an article to the information site about the different ways DID Controllers and Witnesses can interact — including what you have done, @PatStLouis and this approach.

[brianorwhatever]

this added complexity is it worth it?

[swcurran]

See comment above. In the calls we’ve had and where this was explained, no one said anything against it…

[brianorwhatever]

Sorry, I wasn't very clear here. I'm at the added complexity of allowing DID URIs. I think we should just focus on HTTP or else we have a ton of interoperability questions that open up

[swcurran]

That was guidance from the Work Item group (looking at @andrewwhitehead :smiling). The directive I received was to say that URIs were valid, but to provide API details only if the URI was an HTTP URL. Leaves the door open for someone defining (for example) a watcher with a DID URI and services for the Watcher endpoints. But we definitely don’t want to put that into the spec.

[PatStLouis]

jsonl support for openapi is being discussed, there's no clear way to define it at the moment besides documenting it.

[swcurran]

We have this in the spec, The content type for the did.jsonl file SHOULD be text/jsonl., so I think the OpenAPI spec should say that. If not that, any suggestions?

[PatStLouis]

yes I think that's good

[PatStLouis]

I took some text from the spec and suggested a description for the response

[swcurran]

@PatStLouis -- removed the witness entry request from the API. I think I got the OpenAPI right. Please review.

[PatStLouis]

Some small tweaks