Open kimdhamilton opened 5 years ago
peacekeeper
commented
5 years ago Sounds good.. So for example if I try to resolve did:btcr:8kyt-fzzq-qqqq-ase0-d8, then the resolver should throw an error, whereas did:btcr:xkyt-fzzq-q4wq-f2d would work, right?
danpape
commented
5 years ago I just wrote somewhere else, I think maybe in dcdpr's repo, that programs should probably accept the long form as input, like your resolver, but anything that generates the TXrefs should only generate the short form.
On Wed, Aug 7, 2019, 11:12 AM Markus Sabadello notifications@github.com wrote:
Sounds good.. So for example if I try to resolve did:btcr:8kyt-fzzq-qqqq-ase0-d8, then the resolver should throw an error, whereas did:btcr:xkyt-fzzq-q4wq-f2d would work, right?
— You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub https://github.com/WebOfTrustInfo/btcr-hackathon-2019/issues/5?email_source=notifications&email_token=AAJ46WQYFPSLVVAOXCZPKYTQDMF7DA5CNFSM4IJ2MPIKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOD3ZIKHY#issuecomment-519210271, or mute the thread https://github.com/notifications/unsubscribe-auth/AAJ46WQ25AUSYPOSLTMQUXDQDMF7DANCNFSM4IJ2MPIA .
peacekeeper
commented
5 years ago programs should probably accept the long form as input
My sense is that @kimdhamilton is right that it's a potential security risk to allow 2 formats. I can also imagine semantic problems if you have 2 (different, but linked) identifiers for the same resource.
A generic txref library could continue to accept both, but on the DID resolver layer I think it's better to only allow one form.
kimdhamilton
commented
5 years ago +1 that only 1 should be accepted at the DID resolver layer. When we discussed yesterday, we mentioned 2 reasons:
I thought we agreed on this yesterday, but let me know if you want to discuss further @danpape
danpape
commented
5 years ago No - that is fine. I was trying to invoke Postel's law when saying we should accept both, but perhaps I was unclear about what everyone else decided yesterday. I am fine with the did/btcr layer being strict about it.
On Wed, Aug 7, 2019 at 1:04 PM Kim (Hamilton) Duffy < notifications@github.com> wrote:
+1 that only 1 should be accepted at the DID resolver layer. When we discussed yesterday, we mentioned 2 reasons:
- clarity for resolution implementers
- potential security issue
I thought we agreed on this yesterday, but let me know if you want to discuss further @danpape https://github.com/danpape
— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/WebOfTrustInfo/btcr-hackathon-2019/issues/5?email_source=notifications&email_token=AAJ46WSJTC2TLXRCME6ULZDQDMTGNA5CNFSM4IJ2MPIKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOD3ZRXGI#issuecomment-519248793, or mute the thread https://github.com/notifications/unsubscribe-auth/AAJ46WXMP4NFVQLJXCMG4N3QDMTGNANCNFSM4IJ2MPIA .
ChristopherA
commented
5 years ago A test for this should be:
For testnet transaction: f8cdaff3ebd9e862ed5885f8975489090595abe1470397f79780ead1c7528107
INVALID (as output index is 0): did:btcr:8yv2-xzpq-qqqq-9yce-nk
SHOULD BE: did:btcr:xyv2-xzpq-q9wa-p7t
-- Christopher Allen
This affects code samples, libraries and method spec
When txout is 0, the short form of the btcr did (with testnet, this yields the
xprefix) should be used.BIP136 supports both forms for index 0, but we are making the decision that BTCR supports only the short form when index==0.
Reason: shorter, and it's a potential security risk to allow 2 formats