WebOfTrustInfo / btcr-hackathon-2017

Virtual hackathon to create spec and code for Bitcoin-based Decentralized Identifiers (DIDs)
https://weboftrustinfo.github.io/btcr-hackathon-2017/

"id=?" in verifiable claims #23

Closed ChristopherA closed 7 years ago

ChristopherA commented 7 years ago

When I tried to puzzle through a valid DDO as a verifiable claim at https://raw.githubusercontent.com/ChristopherA/self/master/ddo.jsonld, a number of issues came up.

```json
{
  "@context": [
    "https://schema.org/",
    "https://w3id.org/security/v1"
  ],
  "id": "DID:BTCR:TBD#SOMEVALUE",
  "type": [
    "Credential",
    "WebOfTrustCredential"
  ],
  "issuer": "DID:BTCR:TBD#SOMEOTHERVALUE",
  "claim": {
    "id": "DID:BTCR:TBD#SOMETHIRDVALUE",
    "alternatename": "ChristopherA",
    "url": "https://raw.githubusercontent.com/christophera/self/master/ddo.jsonld",
    "publicKey": "02c490e19e936efab022bd9fc12833db082706473fd96cec14c4a8dac058a0dbee"
  },
  "signature": {
    "type": "EcdsaKoblitzSignature2016",
    "created": "2017-07-08T00:21:53Z",
    "creator": "ecdsa-koblitz-pubkey:1P8BWgokGDiqPYc3kgDDgn5Vm9XD1YUjEe",
    "signatureValue": "H/2e5KiopVH3glkoDf/yP/dwScEP0HPZioxNffvalkyUFYDX7OJ/4uKs6gPqjCISpR3DUe1PKTOVE6MSSTS8AeE="
  }
}
```

First as per #21 we don't have the right format for koblitz public keys (ecdsa-koblitz-pubkey isn't a public key, it is a hash). There are questions regarding issuer and owner.

But there are a number of questions about the ID numbers.

First, walking through the scenario: We will have a master public key that is same as the one on the DID transaction. I presume this is what the DDO verifiable claim would be signed with. I presume this key can be referred to as "DID:BTCR:TX1RK63UVXF9PQCSY" (btw, @jonasschnelli's actual DID).

If there is no DDO (which would be true for DID:BTCR:TX1RK63UVXF9PQCSY) that key is the only key — there are no others.

However, if the DDO exists it could, and probably should, have other public keys in it. As long as the key signing the DDO has not been revoked, they can be used to sign other verifiable claims (possibly with some future design limitations). These keys could be non-koblitz keys (for instance, my PGP key or my 25519 miniLock key (BTW, which is 7rXYBKi1Xf9g9nupb9f8u6MHbobEJCMK3r3sChjN5RmGN)).

How should we point to these other keys? I presume that is where the #SOMEVALUE is used. In the DID spec these are called DID Fragments:

DID fragment. The portion of a DID reference that follows the first hash sign
character ("#").

A DID fragment MUST be used only as a method-independent pointer into the DDO
to identify a unique key description or other DDO component. To resolve this pointer,
the complete DID reference including the DID fragment MUST be used as the value of
the id key for the target JSON object.

So in my example above, is the public key in my claim # 1? How do we mark them? For my prototype, I'd like to be able to refer to 3 keys, a master koblitz, a second koblitz only valid for signing keys during the duration of this ddo, and my pgp key.
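The resolution rule quoted from the DID spec above (split at the first "#", then find the DDO component whose `id` is the complete reference) is mechanical enough to show as code. The following is an added example, not code from the hackathon repo or from the issue author; the DDO layout (a `publicKey` list whose entries carry `id`, `type`, `owner` and a key-material field), the fragment names `keys-1` to `keys-3`, the type names and the key material for the second and third keys are all constructed for illustration, and `did:btcr:TBD` is a placeholder DID. It also shows why the `ecdsa-koblitz-pubkey:` creator string from the claim above does not resolve as a DID fragment pointer.

```python
"""Resolve a DID fragment reference to the matching key description in a DDO.

Constructed example (not the hackathon's code). Field names, fragment
names and the non-master key material below are assumptions.
"""
from typing import Any, Dict, Iterator, List, Optional, Tuple

PLACEHOLDER_DID = "did:btcr:TBD"  # placeholder, not a resolvable DID

# Constructed DDO holding the three keys the post wants to point at.
SAMPLE_DDO: Dict[str, Any] = {
    "@context": ["https://w3id.org/did/v1", "https://w3id.org/security/v1"],
    "id": PLACEHOLDER_DID,
    "publicKey": [
        {
            "id": PLACEHOLDER_DID + "#keys-1",           # master koblitz key
            "type": "EcdsaKoblitzPublicKey",             # assumed type name
            "owner": PLACEHOLDER_DID,
            "publicKeyHex": "02c490e19e936efab022bd9fc12833db082706473fd96cec14c4a8dac058a0dbee",
        },
        {
            "id": PLACEHOLDER_DID + "#keys-2",           # second koblitz key, valid for this DDO only
            "type": "EcdsaKoblitzPublicKey",
            "owner": PLACEHOLDER_DID,
            "publicKeyHex": "03" + "ab" * 32,            # constructed, not a real key
        },
        {
            "id": PLACEHOLDER_DID + "#keys-3",           # PGP key
            "type": "PgpPublicKey",                      # assumed type name
            "owner": PLACEHOLDER_DID,
            "publicKeyPem": "-----BEGIN PGP PUBLIC KEY BLOCK----- (placeholder)",
        },
    ],
}

# Constructed claim whose signature names a key by DID fragment.
SAMPLE_CLAIM: Dict[str, Any] = {
    "id": PLACEHOLDER_DID + "#claim-1",
    "issuer": PLACEHOLDER_DID,
    "claim": {"id": PLACEHOLDER_DID, "alternateName": "ChristopherA"},
    "signature": {
        "type": "EcdsaKoblitzSignature2016",
        "creator": PLACEHOLDER_DID + "#keys-2",
        "signatureValue": "placeholder-signature-value",
    },
}


def split_did_reference(reference: str) -> Tuple[str, Optional[str]]:
    """Split 'did:...#fragment' at the FIRST '#', as the spec text says."""
    did, sep, fragment = reference.partition("#")
    return did, (fragment if sep else None)


def _iter_objects(node: Any) -> Iterator[Dict[str, Any]]:
    """Yield every JSON object nested anywhere inside the DDO."""
    if isinstance(node, dict):
        yield node
        for value in node.values():
            yield from _iter_objects(value)
    elif isinstance(node, list):
        for value in node:
            yield from _iter_objects(value)


def duplicate_ids(ddo: Dict[str, Any]) -> List[str]:
    """Return ids that appear on more than one component (should be empty)."""
    seen: Dict[str, int] = {}
    for obj in _iter_objects(ddo):
        if isinstance(obj.get("id"), str):
            seen[obj["id"]] = seen.get(obj["id"], 0) + 1
    return sorted(i for i, n in seen.items() if n > 1)


def resolve_fragment(ddo: Dict[str, Any], reference: str) -> Optional[Dict[str, Any]]:
    """Return the DDO component whose id equals the complete DID reference.

    None when the reference has no fragment, names a different DID, or
    matches nothing. Raises ValueError if the id is not unique in the DDO,
    since the spec requires the fragment to identify a unique component.
    """
    did, fragment = split_did_reference(reference)
    if fragment is None or ddo.get("id") != did:
        return None
    matches = [obj for obj in _iter_objects(ddo) if obj.get("id") == reference]
    if len(matches) > 1:
        raise ValueError("ambiguous DID fragment: " + reference)
    return matches[0] if matches else None


def find_signing_key(ddo: Dict[str, Any], claim: Dict[str, Any]) -> Optional[Dict[str, Any]]:
    """Resolve claim.signature.creator against the DDO; None if it is not a DID fragment."""
    creator = claim.get("signature", {}).get("creator", "")
    return resolve_fragment(ddo, creator)


if __name__ == "__main__":
    key = find_signing_key(SAMPLE_DDO, SAMPLE_CLAIM)
    print("claim signed with:", key["id"] if key else None)
```

A creator value like `ecdsa-koblitz-pubkey:1P8BWgokGDiqPYc3kgDDgn5Vm9XD1YUjEe` has no `#` and no DID prefix, so `find_signing_key` returns `None` for it: a verifier following the spec's fragment rule cannot tie it to any key description in the DDO, which is the gap the post is pointing at.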

kimdhamilton commented 7 years ago

confirm with Manu and Dave that we're doing this correctly

kimdhamilton commented 7 years ago

This issue was moved to w3c-ccg/did-spec#18