Limit DID VerificationMethods to specific key types and encodings

[dwight-holman]

We have some language limiting the key formats to secp256k1 and ed25519, but nothing about a consistent key format in the DID Documents.

I think we should also limit the DID Document's Verification Method types to JsonWebKey2020 or EcdsaSecp256k1VerificationKey2019, using the publicKeyJwk field instead of publicKeyMultibase or a deprecated field.

[peacekeeper]

Related to this, there's an extension DID resolution option called "transformKeys", which you can use to instruct a resolver to convert between key formats. E.g. if a DID method uses EcdsaSecp256k1VerificationKey2019 in its DID documents, then a resolver can convert that to JsonWebKey2020.

See here: https://github.com/decentralized-identity/did-spec-extensions/blob/main/parameters/transform-keys.md

[dwight-holman]

@peacekeeper: I saw that, and I can't tell if it's been implemented anywhere, or just described. "transformKeys" as a string doesn't appear anywhere in decentralized-identity outside of documentation.

Do you know if anyone has a resolver which actually does that? It seems like it would be very expensive to implement as described.

[Sakurann]

I think we should also limit the DID Document's Verification Method types to JsonWebKey2020 or EcdsaSecp256k1VerificationKey2019, using the publicKeyJwk field instead of publicKeyMultibase or a deprecated field.

I would be in favor of a simpler solution of limiting Verification Method types as proposed above.

[quartzjer]

I'm also in favor of this for compatibility.

[jischr]

@dwight-holman to make PR as proposal to discuss in next meeting

[Sakurann]

if key types are bound to DID methods rather than signature suites, I think we can address the issue of limiting to JWK, and not mandating multibase (any one can still implement it outside this profile) in a way other than mentioning concrete sig suites? ie just clarify, JWK is used with the DID methods currently chosen in the spec.