decentralized-identity / did-registration

A specification for DID create/update/deactivate operations.
https://identity.foundation/did-registration/
Apache License 2.0

Specify format of returned secrets #2

Closed peacekeeper closed 3 years ago

peacekeeper commented 3 years ago

In cases when a DID Registrar returns generated secrets (such as private DID controller keys) to a client, we should specify the format of those secrets (probably re-using JWK and other standards).

Depending on the DID method, not all returned secrets may be private keys, they could also be seeds or other things.

See https://identity.foundation/did-registration/#didstatesecret.

peacekeeper commented 3 years ago

Possible options:

1. Use JWKS for returned private keys, e.g.:

```json
{
    "keys": [{
            "kty": "EC",
            "d": "-s-PwFdfgcdBPTDbJwZuiAFHCuI8r9vR13OGHo14--4",
            "crv": "secp256k1",
            "x": "htusHse5FMBnT_4266kn9T2yMmjDllwWvVSc_I2-WZ0",
            "y": "RjE_GjsRMELYJ6XuNSFDu3mCbyJnCQ26X_YtmyM9Bfo"
        },
        {
            "kty": "EC",
            "d": "-SMrR50X50l36Ex5UcC-tOQHCrBM5XbSgVVnfZ0SjcI",
            "crv": "secp256k1",
            "x": "4WnV5ec5KFfpO6vrXWmYBukWs2bJ50GMjXPfKbc5_II",
            "y": "2vouQMwP1UaWEwGML4cemyS59Ck_ie8XoA4fayX940g"
        }
    ]
}
```

2. Use a structure similar to verification methods in DID documents, but with private keys included, e.g.:

```json
{
    "verificationMethod": [{
            "id": "did:example:123#key-0",
            "type": "JsonWebKey2020",
            "controller": "did:example:123",
            "purpose": ["authentication", "assertionMethod", "capabilityDelegation", "capabilityInvocation"],
            "privateKeyJwk": {
                "kty": "EC",
                "d": "-s-PwFdfgcdBPTDbJwZuiAFHCuI8r9vR13OGHo14--4",
                "crv": "secp256k1",
                "x": "htusHse5FMBnT_4266kn9T2yMmjDllwWvVSc_I2-WZ0",
                "y": "RjE_GjsRMELYJ6XuNSFDu3mCbyJnCQ26X_YtmyM9Bfo"
            }
        },
        {
            "id": "did:example:123#key-1",
            "type": "Ed25519VerificationKey2020",
            "controller": "did:example:123",
            "purpose": ["authentication"],
            "privateKeyMultibase": "z5TVraf9itbKXrRvt2DSS95Gw4vqU3CHAdetoufdcKazA"
        }
    ]
}
```

3. Consider the "Key" data structure in Universal Wallet: https://w3c-ccg.github.io/universal-wallet-interop-spec/#Key

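A client that receives secrets in the verification-method form of option 2 should verify the returned key material before storing it. The check below is an added example, not code from the did-registration spec or from this thread: it confirms that a secp256k1 `privateKeyJwk`'s `d` really produces its `x` and `y`, using a small pure-Python curve implementation so it runs offline. The helper `jwk_from_scalar` and the names `P`, `N`, `G` are this example's own.

```python
import base64

# secp256k1 domain parameters (standard curve constants, embedded so the check runs offline)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def b64u_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def point_add(p1, p2):
    # Affine addition on secp256k1; None stands for the point at infinity.
    if p1 is None or p2 is None:
        return p2 if p1 is None else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def scalar_mult(k, point):
    # Double-and-add; not constant-time, which is acceptable for a one-off client-side sanity check.
    acc = None
    while k:
        acc = point_add(acc, point) if k & 1 else acc
        point, k = point_add(point, point), k >> 1
    return acc

def jwk_from_scalar(d):
    # Builds a secp256k1 private JWK from an integer scalar (used here only to construct sample data).
    x, y = scalar_mult(d, G)
    enc = lambda v: base64.urlsafe_b64encode(v.to_bytes(32, "big")).rstrip(b"=").decode()
    return {"kty": "EC", "crv": "secp256k1", "d": enc(d), "x": enc(x), "y": enc(y)}

def private_jwk_is_consistent(jwk):
    """True iff d is a valid secp256k1 scalar and d*G equals the JWK's public (x, y)."""
    if jwk.get("kty") != "EC" or jwk.get("crv") != "secp256k1":
        return False
    d_bytes = b64u_decode(jwk.get("d", ""))
    d = int.from_bytes(d_bytes, "big")
    if len(d_bytes) != 32 or not 1 <= d < N:
        return False
    return scalar_mult(d, G) == tuple(int.from_bytes(b64u_decode(jwk.get(c, "")), "big") for c in "xy")
```

A mismatch means the registrar handed back a key pair the client cannot actually use to control the DID, so the secret should be rejected rather than stored; the Ed25519 `privateKeyMultibase` form needs an analogous check.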
peacekeeper commented 3 years ago

Note: Private keys could be returned to the client in an encrypted/locked form.

peacekeeper commented 3 years ago

Some ideas I showed on the 02 Jun 2021 DID Registration Work Item Call:

return-private-keys.pdf return-private-keys.odp

peacekeeper commented 3 years ago

Note, this is only relevant in internal secret mode, since e.g. in client-managed secret mode the registrar will never return secrets.

peacekeeper commented 3 years ago

Closing this after merging https://github.com/decentralized-identity/did-registration/pull/11. If necessary, we can re-visit this in the future.