Open tdiesler opened 1 year ago
@TimoGlastra says ...
When AcaPy sends a Request after receiving an Out-of-Band Invitation, it signs the attached Did Document with the key contained in that Document - it does NOT sign it with the invitationKey
This is expected. The requester is not the inviter and therefore wouldn't be able to use the invitation key
When AcaPy sends a DidEx Response as a reply to a DidEx Request, it signs the attached Did Document with the invitationKey, instead of the key contained in that Document
There's been a lot of ambiguity around this, but as I understand it, it ONLY needs to be signed if the invitationKey is different than the did document key. In addition, the key used to send the request/response message MUST match with a key inside the did document.
Sure, the request part is expected.
There's been a lot of ambiguity around this, but as I understand it, it ONLY needs to be signed if the invitationKey is different than the did document key. In addition, the key used to send the request/response message MUST match with a key inside the did document.
I found that AcaPy always uses a different key in the DidEx Response than it used in the Invitation. Yes, I verified that here and here.
I wonder, whether we should look at this in the context of a DidDoc Attachment alone. Such an attachment may appear as part of other protocols too and IMHO it'd be reasonable to expect that it is always signed in the same way (i.e. by the key it contains).
How about multiple keys in a DidDoc Attachment? Is that specced somewhere?
In short, why does the Responder (which is also the Inviter) sign the DidDoc Attachment with the invitation key, and not with that from the Did Document as the Requester does?
I looked at this more closely - here is what I found ...
Please clarify whether this is how it is supposed to work.
DidExchange Request
When AcaPy sends a Request after receiving an Out-of-Band Invitation, it signs the attached Did Document with the key contained in that Document. Specifically, it signs the Did Document with did:key:z6MkgnRbNmHJq8YGdtzxUxgqPkqAZ3qRWWFbntsST6D9CykA from jws.header.kid, which is the did:key representation of did:sov:5GzbVeQgVwc48ZcLzUkRdP.
DidExchange Response
When AcaPy sends a DidEx Response as a reply to a DidEx Request, it signs the attached Did Document with the invitationKey, instead of the key contained in that Document.
Specifically, it signs the Did Document with did:key:z6MkqopNJzgVesySmHK3YthpNvW4bWAKmcTW6kR1VoADjqn3 from jws.header.kid, which corresponds to invitation.services[0].recipientKeys[0].
CrossRef: https://github.com/tdiesler/nessus-didcomm/issues/32
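The check discussed in this thread, as an added example that is not ACA-Py or nessus-didcomm code: it decodes the did:key found in jws.header.kid and reports whether the signer is the invitation key, a key inside the attached Did Document, or both. The function names are hypothetical, and it assumes Ed25519 keys, recipientKeys given as did:key values, and Did Document keys given as publicKeyBase58 strings.

```python
# Added example (not ACA-Py or nessus-didcomm code). Classifies which key
# signed a DidDoc attachment by comparing jws.header.kid with the invitation's
# recipientKeys and with the keys inside the attached Did Document.
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
ED25519_PREFIX = b"\xed\x01"  # multicodec varint for an Ed25519 public key


def b58decode(text: str) -> bytes:
    num = 0
    for ch in text:
        num = num * 58 + B58.index(ch)  # ValueError on a non-base58 character
    body = num.to_bytes((num.bit_length() + 7) // 8, "big")
    pad = len(text) - len(text.lstrip("1"))  # each leading '1' is a zero byte
    return b"\x00" * pad + body


def b58encode(data: bytes) -> str:
    num, out = int.from_bytes(data, "big"), ""
    while num:
        num, rem = divmod(num, 58)
        out = B58[rem] + out
    pad = len(data) - len(data.lstrip(b"\x00"))
    return "1" * pad + out


def did_key_to_raw(did_key: str) -> bytes:
    """Return the 32-byte Ed25519 key inside a did:key (base58btc, 'z' prefix)."""
    if not did_key.startswith("did:key:z"):
        raise ValueError("expected a base58btc did:key")
    decoded = b58decode(did_key[len("did:key:z"):])
    if decoded[:2] != ED25519_PREFIX or len(decoded) != 34:
        raise ValueError("not an Ed25519 did:key")
    return decoded[2:]


def raw_to_did_key(raw: bytes) -> str:
    return "did:key:z" + b58encode(ED25519_PREFIX + raw)


def classify_signer(kid: str, invitation_keys: list, doc_keys_b58: list) -> str:
    """invitation_keys: did:key strings; doc_keys_b58: publicKeyBase58 values."""
    signer = did_key_to_raw(kid.split("#")[0])  # drop a key fragment if present
    in_inv = any(signer == did_key_to_raw(k.split("#")[0]) for k in invitation_keys)
    in_doc = any(signer == b58decode(k) for k in doc_keys_b58)
    if in_inv and in_doc:
        return "both"
    return "invitation-key" if in_inv else "document-key" if in_doc else "unknown"
```

A result of "unknown" means the kid matches neither the invitation nor the attached document. This only identifies the signing key; verifying the JWS signature itself is a separate step.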