WebOfTrustInfo / rwot5-boston

RWOT5 in Boston, Massachusetts (October 2017)
http://www.WebOfTrust.Info

Demo of DID:BTCR / DDO based on reasonable practices #34

Open kimdhamilton opened 6 years ago

kimdhamilton commented 6 years ago

From @ChristopherA on July 11, 2017 21:14

Create a testnet-based DID pointing to a DDO, and document the "reasonable practices" DID scenario (i.e. secure but not truly pseudo-anonymous identity, see #20) for DID:BTCR.

Copied from original issue: WebOfTrustInfo/btcr-hackathon#32

kimdhamilton commented 6 years ago

From @ChristopherA on July 11, 2017 21:16

I have a testnet based DID with a pointer to a DDO functioning.

You can see the transaction at https://live.blockcypher.com/btc-testnet/tx/f8cdaff3ebd9e862ed5885f8975489090595abe1470397f79780ead1c7528107/

The op_return points to a 69 character value: https://raw.githubusercontent.com/ChristopherA/self/master/ddo.jsonld

From bitcoind here is the transaction:

$ bitcoin-cli -testnet gettransaction f8cdaff3ebd9e862ed5885f8975489090595abe1470397f79780ead1c7528107
{
  "amount": 0.00000000,
  "fee": -0.05000000,
  "confirmations": 3,
  "blockhash": "00000000b3487880b2814da8c0a6b545453d88945dc29a7b700f653cd7e9cdc7",
  "blockindex": 1,
  "blocktime": 1499502050,
  "txid": "f8cdaff3ebd9e862ed5885f8975489090595abe1470397f79780ead1c7528107",
  "walletconflicts": [
  ],
  "time": 1499501000,
  "timereceived": 1499501000,
  "bip125-replaceable": "no",
  "details": [
    {
      "account": "",
      "category": "send",
      "amount": 0.00000000,
      "vout": 0,
      "fee": -0.05000000,
      "abandoned": false
    }
  ],
  "hex": "..."
}

Converting the txid to a txref gives me:

./txid2bech32 f8cdaff3ebd9e862ed5885f8975489090595abe1470397f79780ead1c7528107
tx1-xxyv-xxxx-fpmf-u0

Still working on the DDO part.

kimdhamilton commented 6 years ago

From @ChristopherA on July 11, 2017 21:23

I can't find a tool to generate a pubkey from a testnet encoded base58check private key (see #21), or to extract one from a signature (#9). I don't have a tool that will sign a JSON-LD properly with a testnet key yet (#21). It is unclear that this is a valid verifiable claim (#8 #28) nor how to append verifiable claims issued by this identity (#10).

But it will look something like:

{
  "@context": [
    "https://schema.org/",
    "https://w3id.org/security/v1"
  ],
  "id": "DID:BTCR:TX1XXYVXXXXFPMFU0",
  "type": [
    "Credential",
    "WebOfTrustCredential"
  ],
  "issuer": "DID:BTCR:TX1XXYVXXXXFPMFU0",
  "claim": {
    "id": "DID:BTCR:TX1XXYVXXXXFPMFU0",
    "alternatename": "ChristopherA",
    "url": "https://raw.githubusercontent.com/christophera/self/master/ddo.jsonld",
    "control": "ecdsa-koblitz-pubkey:?????",
    "owner": "ecdsa-koblitz-pubkey-hash:mvZ3MyLgsvYr87GGSbsPBWEDduLRptfzEU"
  },
  "signature": {
    "type": "EcdsaKoblitzSignature2016",
    "created": "2017-07-08T00:21:53Z",
    "creator": "ecdsa-koblitz-pubkey:?????",
    "signatureValue": "H/2e5KiopVH3glkoDf/yP/dwScEP0HPZioxNffvalkyUFYDX7OJ/4uKs6gPqjCISpR3DUe1PKTOVE6MSSTS8AeE="
  }
}
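
The checks a resolver could run on the two comments above, as an added example that is not part of the original thread or the project's code: it recovers the URL from an OP_RETURN script, forms the DID from the txref the way the draft does (hyphens dropped, upper-cased), and lists where the draft disagrees with its anchor. The script bytes are constructed from the quoted URL; the function names and the single-push script layout are assumptions.

```python
OP_RETURN, OP_PUSHDATA1 = 0x6A, 0x4C
# Constructed sample: script rebuilt from the URL quoted in the thread, not from the tx hex.
URL = "https://raw.githubusercontent.com/ChristopherA/self/master/ddo.jsonld"
SCRIPT = bytes([OP_RETURN, len(URL)]) + URL.encode("ascii")
TXREF = "tx1-xxyv-xxxx-fpmf-u0"
DRAFT = {  # the draft's fields that the checks below read, as posted
    "id": "DID:BTCR:TX1XXYVXXXXFPMFU0",
    "issuer": "DID:BTCR:TX1XXYVXXXXFPMFU0",
    "claim": {
        "id": "DID:BTCR:TX1XXYVXXXXFPMFU0",
        "url": "https://raw.githubusercontent.com/christophera/self/master/ddo.jsonld",
        "control": "ecdsa-koblitz-pubkey:?????",
    },
    "signature": {"creator": "ecdsa-koblitz-pubkey:?????"},
}

def op_return_payload(script):  # single data push of an OP_RETURN script, else ValueError
    if len(script) < 2 or script[0] != OP_RETURN:
        raise ValueError("not an OP_RETURN script")
    op = script[1]
    if 1 <= op <= 75:                              # direct push: opcode is the length
        start, length = 2, op
    elif op == OP_PUSHDATA1 and len(script) >= 3:  # length is in the next byte
        start, length = 3, script[2]
    else:
        raise ValueError("unsupported or truncated push")
    if len(script) != start + length:
        raise ValueError("push length does not match script length")
    return script[start:]

def check_draft(ddo, txref, script):
    """List mismatches between a draft document and its on-chain anchor."""
    did = "DID:BTCR:" + txref.replace("-", "").upper()
    url = op_return_payload(script).decode("ascii")
    claim = ddo.get("claim", {})
    ids = {"id": ddo.get("id"), "issuer": ddo.get("issuer"), "claim.id": claim.get("id")}
    problems = [f"{k} != {did}" for k, v in ids.items() if v != did]
    if not url.startswith("https://"):
        problems.append("OP_RETURN payload is not an https URL")
    if claim.get("url") != url:
        problems.append("claim.url differs byte-for-byte from the OP_RETURN URL")
    keys = {"claim.control": claim.get("control"),
            "signature.creator": ddo.get("signature", {}).get("creator")}
    problems += [f"{k} is an unresolved placeholder"
                 for k, v in keys.items() if not v or "?" in v]
    return problems

if __name__ == "__main__":
    print(len(op_return_payload(SCRIPT)), check_draft(DRAFT, TXREF, SCRIPT))
```

On the values posted above, the strict comparison reports the letter-case difference between the two URLs and the two `?????` placeholders.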

kimdhamilton commented 6 years ago

From @ChristopherA on July 11, 2017 21:32

Some notes on the "reasonable practices" scenario (see #20).

  1. This is not a pseudo-anonymous DID, I am a public figure.

  2. As such this DID is a potential source of trust for discovery of web-of-trust networks by both my peers and by attackers. I need to be careful and not reveal too much information about colleagues & peers without their explicit permission.

  3. This is my computer professional persona. My peers in this example are professional colleagues. I will not mix them with other kinds of peers.

  4. I am using a URL pointer (centralized to DNS) to my github account (also centralized). However, both have some distributed if not decentralized properties that are acceptable "reasonable practice".

  5. I am not using TOR to hide my traffic, however, as per 2. above, I should be careful communicating with colleagues & other peers.

  6. I regularly reuse the owner key that I used to close the transaction I confirmed. However, the key resides on its own dedicated minimal bitcoind pruned node that is unassociated with my other bitcoind servers or computers.

  7. I have signed my commitment of this DDO to git, which can be distributed widely beyond github. I should also put my PGP keys into the DDO itself, and find some way to also sign my DDO with my PGP key. This allows me to connect to my long-term legacy web-of-trust network.

  8. I could put my full name into the claim, however, that does not add any value to my claim that I am "a natural person" and my true name is easily correlated elsewhere. However, I do claim that I call myself "ChristopherA". Once I have made some claims to "know" some other people, they can be local name addressed as "ChristopherA's KimH's Spocko's Wife" (see https://github.com/WebOfTrustInfo/rebooting-the-web-of-trust/blob/master/topics-and-advance-readings/linked-local-names.md & https://github.com/WebOfTrustInfo/rebooting-the-web-of-trust-spring2017/blob/master/topics-and-advance-readings/did-names.md). My name and Kim's are correlatable, but Spocko and Spocko's Wife are pseudo-anonymous.

(more to come)