hrstoyanov opened this issue 1 month ago (status: open)
@hrstoyanov thanks for your comment.

> How is that different from WebAuthn/Passkeys?
I agree it's similar. The main difference between using DIDs and using plain public keys is that DIDs are persistent identifiers that do not change when keys are rotated. So you can change the keys but keep the same identifier, and you wouldn't have to change anything in e.g. your XMPP server's configuration when you want to login using DID-based SASL after you rotated your keys. Also, in the case of DIDs, public keys are not simply uploaded to servers, but managed using what we call VDRs (verifiable data registries - can be web servers, or blockchains, or other decentralized networks). Resolution of DIDs to public keys happens according to the DID Core specification and the applicable DID method.
> How is DID/SASL taking care of distributing the private key?
To be honest, we haven't worked on this topic in the scope of this project here. And I agree that this is a challenge for adoption. It's an issue for many decentralized technologies out there...
> Do you have any docs that compare DID/SASL to WebAuthn/Passkeys?
Not really a comparison, but here is an older paper that covers some general ideas on DID-based authentication: https://github.com/WebOfTrustInfo/rwot6-santabarbara/blob/master/final-documents/did-auth.md
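The rotation point in the answer above, as an added example that is not part of this project or thread: a toy in-memory VDR and a simplified challenge/response in Go, where the server is configured with the DID alone and fetches keys by resolution at login time. The DID `did:example:alice`, the `VDR` type and the nonce-only challenge are assumptions; the real DID method and the SASL mechanism framing are not shown.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Toy in-memory VDR (constructed for this example): DID -> currently valid keys.
// A real registry would be a web server, ledger or other network, per the DID method.
type VDR map[string][]ed25519.PublicKey

// Resolve stands in for DID resolution: identifier in, public keys out.
func (v VDR) Resolve(did string) ([]ed25519.PublicKey, bool) {
	keys, ok := v[did]
	return keys, ok
}

// Rotate swaps the key material behind a DID; the identifier itself is unchanged.
func (v VDR) Rotate(did string, pk ed25519.PublicKey) { v[did] = []ed25519.PublicKey{pk} }

// NewChallenge is the server's nonce; the client proves control of a DID key by
// signing it (simplified: a real mechanism binds more context than a bare nonce).
func NewChallenge() []byte {
	c := make([]byte, 32)
	rand.Read(c)
	return c
}

// Authenticate is the server side. The server knows only the DID; the keys come
// from resolution at login time, so a rotation needs no server reconfiguration.
// An unknown DID resolves to no keys and is rejected.
func Authenticate(v VDR, did string, challenge, sig []byte) bool {
	keys, _ := v.Resolve(did)
	for _, pk := range keys {
		if ed25519.Verify(pk, challenge, sig) {
			return true
		}
	}
	return false
}

func main() {
	did := "did:example:alice" // hypothetical DID
	pk1, sk1, _ := ed25519.GenerateKey(rand.Reader)
	vdr, c := VDR{did: {pk1}}, NewChallenge()
	fmt.Println("before rotation:", Authenticate(vdr, did, c, ed25519.Sign(sk1, c)))
	pk2, sk2, _ := ed25519.GenerateKey(rand.Reader)
	vdr.Rotate(did, pk2)
	fmt.Println("old key after rotation:", Authenticate(vdr, did, c, ed25519.Sign(sk1, c)))
	fmt.Println("new key, same DID:", Authenticate(vdr, did, c, ed25519.Sign(sk2, c)))
}
```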
WebAuthn/Passkeys also provide authentication by having the subject hold a private key and publishing a related public key to the servers (sort of like DID) depending on no 3rd parties (in theory)?
The reason why WebAuthn/Passkeys was very much hyped in 2023/2024 but in practice fails, is because the private key is locked to a specific device, or depends on a 3rd party (Google/Apple) to move it around your devices.
If you agree with the similarities - then how is DID/SASL taking care of distributing the private key around a user's devices, without involving 3rd parties, or awkward QR codes, emails?
Do you have any docs that compare DID/SASL to WebAuthn/Passkeys?