search

w3c-ccg / did-method-web

DRAFT: did:web Decentralized Identifier Method Specification
https://w3c-ccg.github.io/did-method-web/
Other
32 stars 17 forks source link

Add language that explicitly deters IDPs (Facebook, Google, MSFT etc.) from abusing subdomain-based IDs #6

Open csuwildcat opened 4 years ago

csuwildcat commented 4 years ago

I feel we should add language to the spec that specifically warns against and deters use of did:web with subdomains in ways that are not in keeping with the purpose if DIDs. For example: a large IDP may try to create subdomains on its centralized IDP service domain and 'issue' DIDs to users/customers, which would essentially lock their DID to that provider, the exact opposite of what DIDs were designed to do.

gribneau commented 4 years ago

I am not sure I fully understand the concern.

Let's examine a use case involving an email service idpmail.com with users Alice and Bob. If I am reading the above correctly, it would be abusive for this IDP to resolve:

did:web:alice.idpmail.com and did:web:bob.idpmail.com

to enable Alice and Bob to expose public keys so that they could send, receive, verify or decrypt signed or encrypted email.

Similarly, user Charlie with a private server could participate by exposing: did:web:charlie.privatemail.com

Why would this be abusive?

OR13 commented 3 years ago

I recommend closing this, I don't see this an issue, in fact it would be awesome to see more adoption by larger tech companies of did:web... for example, github already supports something very similar....

https://github.com/OR13.gpg

wouldn't it be better if they did this instead?

did:web:github:OR13 :)

gribneau commented 3 years ago

I agree with closing the issue, and I agree that it would be great if github embraced DID:WEB, which now does what they need.

:)

OR13 commented 3 years ago

I am currently squatting on did:github, would love to hand that over to them as well... https://github-did.com/resolver