What is the relationship between DAPS and DID

[harnvo]

From a IDSA talk held in 2024/5/17 I noticed the terms VC/VP DID show up in the identity part, and DAPS seems to be not mentioned anymore.

I have also noticed your implementation is compatiable with omejdn-daps, but within the newest MinimumViableDataspace you are now using DID.

According to my personal understanding, DID and DAPS are not contradictory, and that DID could be used as a implementation for Dynamic Attribute Provisioning Service. However, both the talk and implementation makes me feel like one is the subsitution of another.

Is DID and subsitution for DAPS? Or it is just an alternative implementation to inplace oauth2? Are there any good reason we favor DID over oauth2?

[paullatzelsperger]

One thing to remember is that DID is not an authentication system per se and thus cannot be compared with OAuth2.
DIDs are merely unique identifiers (hence the nam Decentralized IDentifier), that can be used to derefence informatino about the holder, such as service endpoints, public keys, etc. This is comparable to your personal website where you publish information about yourself.

Similarly, VerifiableCredentials are merely a way to present claims about oneself that have been verified by a trusted (third) party, i.e. the issuer. This is comparable to presenting a driver's license.

By themselves, neither DIDs nor VCs provide any means to establish a secure channel or allow for a trusted relationship, but they can be used to build one.

In EDC we still support DAPS (which is a special non-standard way to do OAuth2) for historic reasons, but we advise against its use for several reasons, decentralization being just one.

Instead, we recommend using the Decentralized Claims Protocol (DCP, formerly known as IATP), which uses DIDs as identifiers, VerifiableCredentials as envelopes to present claims and a set of message types and flows.

OAuth2 is by definition centralized, i.e. there is one central server that is in control of everyone's identities and which - trust issues aside - is also a single point of failure. In heterogenous dataspaces, this might not be feasible.

TL;DR: DIDs do not replace DAPS, they are one building block to build a decentralized identity solution, i.e. DCP.

[harnvo]

Would it be better if EDC includes DCP in the connector's documentation? It seems DCP is not a well-known term. It is not mentioned by IDSA and is under-documented on the Internet.