mitfik
commented
2 years ago Deliberately signing procedure is not part of the OCA spec and probably it would stay that way. This allows us to split data integrity layer from data authenticity.
The signing part (authentication) is taking on the level of credential issued by Governance who want's to assure about specific OCA bundle within their ecosystem. How we are recommending to do it is to construct Verifiable Credential/ACDC where OCA bundle SAID is included.
Technically speaking OCA repository provides OCA Bundles + ACDC which can be requested via signal API call. On the client side you can then verify integrity of the OCA Bundle checking SAID and authentication of the bundle verifying ACDC.
Feel free to reopen that issue if something would not be clear or would need more explanation.
Soon (~4 weeks) we would publish (and I will update that issue to reflect that) exact description how such scenario can be implemented with technical and governance details. The information would be available at https://oca.colossi.network/.
swcurran
We have a requirement that an OCA Bundle be signed by the publisher. In our case, the publishers will use a public DID to sign the OCA Bundle as the publish it. Is there any plan to include signing an OCA Bundle as being in the scope of the spec. If not, any suggestions on how to do that in a useful way? It would be really nice to retrieve a bundle that includes a signature in a standard way, so that the processing of the Bundle can include verification of the signature.
We will come up with a way to do that for our use case (e.g. for use by at least Hyperledger Aries frameworks), but I think the requirement is more broadly applicable.