w3c-ccg / did-method-v1

WORK ITEM: Veres One Decentralized Identifier Method Specification
https://w3c-ccg.github.io/did-method-v1

Granularity of capabilityInvocation #7

Closed kdenhartog closed 4 years ago

kdenhartog commented 4 years ago

Has anyone thought about more granular updating to the DID Document yet?

E.g. capabilityInvocation that allows a key to be able to update the serviceEndpoint section, but not the publicKey section. On one hand, I feel this is very beneficial for the principle of least authority. On the other hand, I feel the complexity isn't warranted at this point and it could be too much flexibility that could lead to people using DID Documents to easily misconfigure things that cause security issues.

@msporny @dlongley

kdenhartog commented 4 years ago

Closing in favor of keeping this discussion in #1 which seems like it falls within the realm of where I was going with this.

msporny commented 4 years ago

> Has anyone thought about more granular updating to the DID Document yet?

Yes, it's possible via capabilityInvocation... remember, capabilities can have caveats, and the caveat can say "only allow updating of verification methods associated with authentication". That said, we don't think we're going to enable this for Veres One in the near future as it's going to be software doing most of the management with the DID Document, so don't expect user errors in that way. If developers blow away their DID Document, well... with power comes responsibility. rm -rf * as root is still a thing on most Unix systems and the world is still here 50+ years later. :)

> On the other hand, I feel the complexity isn't warranted at this point and it could be too much flexibility that could lead to people using DID Documents to easily misconfigure things that cause security issues.

Yes, that. :)
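
The caveat idea discussed in this thread, as an added example that is not part of the original comments and is not Veres One code: a verifier diffs the old and new DID Document and rejects an update that touches any section the capability's caveat does not list. The caveat type `AllowedDocumentSections`, the capability shape, and the `did:example` documents are hypothetical and constructed for illustration.

```javascript
// Added illustration, not Veres One code. The caveat type
// "AllowedDocumentSections" and the capability shape are hypothetical.

// Key-order-insensitive serialization, so reordering keys is not a "change".
function canonical(v) {
  if (Array.isArray(v)) return '[' + v.map(canonical).join(',') + ']';
  if (v && typeof v === 'object') {
    return '{' + Object.keys(v).sort()
      .map(k => JSON.stringify(k) + ':' + canonical(v[k])).join(',') + '}';
  }
  return JSON.stringify(v);
}

// Top-level DID Document properties that differ between two versions,
// including properties that were added or removed.
function changedSections(oldDoc, newDoc) {
  const keys = new Set([...Object.keys(oldDoc), ...Object.keys(newDoc)]);
  return [...keys].filter(k =>
    !(k in oldDoc) || !(k in newDoc) ||
    canonical(oldDoc[k]) !== canonical(newDoc[k])).sort();
}

// Fail closed: `id` may never change, an unrecognized caveat type denies the
// whole update, and every caveat must permit every changed section.
// A capability with no caveats is unrestricted.
function checkUpdate(capability, oldDoc, newDoc) {
  const changed = changedSections(oldDoc, newDoc);
  if (changed.includes('id')) return {allowed: false, denied: ['id']};
  const caveats = capability.caveat || [];
  if (caveats.some(c => c.type !== 'AllowedDocumentSections')) {
    return {allowed: false, denied: changed};
  }
  const denied = changed.filter(
    s => !caveats.every(c => c.sections.includes(s)));
  return {allowed: denied.length === 0, denied};
}

// Constructed sample data.
const oldDoc = {
  id: 'did:example:123',
  publicKey: [{id: 'did:example:123#key-1', type: 'Ed25519VerificationKey2018'}],
  service: [{id: 'did:example:123#agent', serviceEndpoint: 'https://agent.example/v1'}]
};
const serviceOnly = {
  invoker: 'did:example:123#key-2',
  caveat: [{type: 'AllowedDocumentSections', sections: ['service']}]
};
```

The check runs on the verifier's side against the currently recorded document, so a key holding `serviceOnly` can move the service endpoint but cannot swap `publicKey` entries.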