dmitrizagidulin
commented
10 months ago @nikolockenvitz Great questions. I think I added that section to the spec as a general "future work" sort of item? But there has been a lot of discussion on this since then. And some of it is even captured here https://github.com/WebOfTrustInfo/rwot12-cologne/blob/main/advance-readings/did-web-2.0.md#self-certifying-hash-in-did-url -- which is a proposed paper for next week's Rebooting Web of Trust conference.
The spec outlines a basic concept for integrity protection, but it leaves a few important aspects unclear.
https://github.com/w3c-ccg/did-method-web/blob/330264347bd81ea8d1f8139f1506f5b45ccef638/index.html#L533-L551
Like, how would the verifier know, which registry is used to store the hashes and who is authorized to add hashes for the corresponding DID? This should be clearly defined in a spec (did web or an extension to it) and if some of the information can be dynamic (e.g., where the hashes are stored), it may be part of the DID URL itself. Without further specification how integrity protection works in detail, I don't see how it helps at all to protect integrity of the DID documents.
Is there an implementation of this approach or more details that you could provide?