WebOfTrustInfo / btcr-hackathon-2019

BTCR Hackathon 2019
https://weboftrustinfo.github.io/btcr-hackathon-2019/
MIT License
2 stars 0 forks source link

Maybe BTCR has registration backwards? #18

Open msporny opened 5 years ago

msporny commented 5 years ago

For whatever reason, this has been percolating in the back of my head over the past several weeks and I wanted to write it down before it disappeared again.

Perhaps BTCR has registration backwards? I'm sure I'm missing something, but...

The way Veres One works is you create/import the public/private Ed25519 keypair first, then sign a transaction, and send it to the ledger.

BTCR kinda does it in reverse, where you create a primordial DID document that doesn't have an identifier, anchor something to the Bitcoin chain pointing to an external document, and then create the final DID document.

The problem that this creates is this weird primordial DID document that doesn't have an identifier and then this complicated UTXO mechanism to crawl the UTXO spent/unspent transactions to get to the latest DID Document.

What if you just started w/ a did:btcr:ENCODED_PUBLIC_KEY, that is your DID. You can create your DID Document w/ that and sign the whole thing (putting the value in proof). So, at this point, you have a fully formed DID Document, that is digitally signed w/ the PRIVATE_KEY. It's valid, but not anchored in the Bitcoin blockchain yet.

Now, to anchor it in the public chain, you do a transaction w/ the PRIVATE_KEY, staking some Bitcoin and putting the URL (a hashlink, because you want cryptographic certainty) to where you publish your DID Document. You can then take that Satoshi Audit Trail and tack it on to your DID Document proof, meaning you now have two proofs. The first proof is a regular Secp256k1 signature on the DID Document, and the other proof is a SatoshiAuditTrail2019 proof on the DID Document. You verify the Secp256k1 using regular crypto. You verify the SatoshiAuditTrail2019 using that proof verification algorithm (get the transaction described by the proof, make sure it points back to the document you have, follow the UTXO stuff to discover any updates, etc.).

Have the BTCR folks considered this option before? It feels cleaner than what is being done right now (from my very limited knowledge of how BTCR works). I also haven't thought through the details, so there may be something lurking in here that's unworkable.

Thoughts?

peacekeeper commented 5 years ago

I believe the reason why the DID's method-specific identifier is an encoded TxRef rather than an encoded public key is that the latter would be very difficult to look up unless you index all the keys in the entire blockchain, whereas the TxRef points straight to the transaction you need for resolving the DID.

As a second comment, if you "take that Satoshi Audit Trail and tack it on to your DID Document proof" as you suggest, wouldn't that invalidate the hashlink in the transaction, but you can only construct the Satoshi Audit Trail after the transaction is accepted?

ChristopherA commented 5 years ago

On Fri, Aug 9, 2019 at 11:04 AM Manu Sporny notifications@github.com wrote:

What if you just started w/ a did:btcr:ENCODED_PUBLIC_KEY, that is your DID. You can create your DID Document w/ that and sign the whole thing (putting the value in proof). So, at this point, you have a fully formed DID Document, that is digitally signed w/ the PRIVATE_KEY. It's valid, but not anchored in the Bitcoin blockchain yet.

There are some other misinterpretations on how this works with Bitcoin in your writeup, but this is the biggest one. Bitcoin does not index public keys, and in fact, is only able to access them by extracting them from ECDSA signatures of legacy P2PKH keys, of which there are 4 possible private keys (in future upgrades like Schnoor signatures the public keys can not be extracted from the signature). We have to use txref to get around this, but we don't know what the txref will be until the block is confirmed.

I would like to do some version of BTCR for non-registered peers, along the lines of how the L2 Lightning Network works, but I'm not quite yet sure the best method. I see some things I like in the did:peer method that might be more like what you propose, but did:peer as written also a lot of sovrin'isms that don't fit well in the bitcoin ecosystem.

— Christopher Allen

ChristopherA commented 5 years ago

Brainstorming through what I think @msporny is thinking about, but integrating it with BTCR ideas, here are some thoughts. To be clear, I'm not proposing this as it has real serious problems. However, I want to demonstrate that I'm listening to Manu's idea and maybe someone will come up with something better.

The BTW method spec could define a special DID type which is a legacy P2PKH address, i.e. did:btcr:16k47uCffEkGkzX37d7Bt7mNnpzpu3hjvs — it is a bit long, but it is a base58 check of a hash(160) of a bitcoin public key. We'll call this variant of a "legacy" BTCR DID.

It is trivial to find out that there is no current UTXO on this address, and it has never been spent. Hundreds of bitcoin explorers exist that can be used to establish that, such as https://blockstream.info/address/16k47uCffEkGkzX37d7Bt7mNnpzpu3hjvs

If someone sent you a DID Document, you could validate the authentication public key defined in the document as matching the did:btcr:16k47uCffEkGkzX37d7Bt7mNnpzpu3hjvs by confirming the hash(160) of that address. You can also confirm that a private key does exist by verifying the signature of that DID Document matches the key, which matches the DID.

If a Verifiable Presentation was made with a VC issued by this DID, and the VP included as evidence the DID document itself, you can make some claims to the validity of that VC. If other VCs were presented at the same time from issuers you know, you might be willing to offer some trust to that VC and DID.

So far, we have replicated what a number of early decentralized CID systems offered, which is "peer" or "p2p" identifier, but using secp256k1 and an eclectic hash technique for the identifier. One major reason why didn't go with CID based systems is that they could not be updated, rotated or revoked.

The first thing we can do is use the bitcoin network to revoke the CID simply by using the private key in a way that the BTCR method knows is invalid. In addition, these CIDs could maybe be transitioned into full BTCR texref DIDs with all the update, rotate and revocation capabilities, making them potentially useful.

These could be the rules (which BTW don't work, see if you can spot the problem):

Some challenges:

Maybe someone has a suggestion on how to solve these above challenges, but I at least wanted to share that I was taking Manu's ideas seriously.

-- Christopher Allen