search

w3c-ccg / did-spec

Please see README.md for latest version being developed by W3C DID WG.
https://w3c.github.io/did-core/
Other
124 stars 45 forks source link

Signature on DID #42

Closed ChristopherA closed 6 years ago

ChristopherA commented 6 years ago

A few points on 4.7 "Signature (Optional)" and 7.2.1 "Proving Ownership of a DID and DID Document"

a) The spec in 4.7 says "A signature on a DID Document is cryptographic proof of the integrity of the DID Document". However, in the BTCR method, it isn't truly a signature, it is a proof. It only confirms the first private and public key, the timestamp, and the DID document URL.

This is what currently is being proposed.

"signature": {
    "type": "SatoshiBlockchainSignature2017",
     "chain": "testnet3",
    "blockhash": "00000000b3487880b2814da8c0a6b545453d88945dc29a7b700f653cd7e9cdc7",
    "blockindex": 1,
    "blocktime": 1499502050,
    "time": 1499501000,
    "timereceived": 1499501000,
    "burn-fee": -0.05
  }

Using the proof of that first key now can be used for another signature that can be used for integrity of additions to the DID document.

  "signature": {
    "type": "EcdsaKoblitzSignature2016",
    "created": "2017-07-16T00:48:44Z",
    "creator": "ecdsa-koblitz-pubkey:02b97c30de767f084ce3080168ee293053ba33b235d7116a3263d29f1450936b71",
    "signatureValue": "HyV/c/DFdAigxSAuqE9O6yRqUk5wpobUaj63ig3hZMZxKJ/l2lNduWFKsN6aR5twAFurD3pJx2ZgVpu/fRb/lLo="
  }
}

b) I think the early examples should show some signature.

msporny commented 6 years ago

A signature on a DID Document is cryptographic proof of the integrity of the DID Document

This is not true, we should fix the specification text. Not even Veres One does this anymore (the ledger operation is signed, which wraps the DID Document).

b) I think the early examples should show some signature.

I suggest we do the opposite and note that a valid DID Document does not require a signature at all given that no implementation has a signature on the DID Document.

To resolve this issue, we should submit a PR stating either 1) stay completely silent on the matter of signatures on DID Documents, or 2) state that signatures are optional on DID Documents.

talltree commented 6 years ago

I agree with Manu on this issue. Who wants to write/submit this PR?

On Thu, Mar 8, 2018 at 2:25 AM, Manu Sporny notifications@github.com wrote:

A signature on a DID Document is cryptographic proof of the integrity of the DID Document

This is not true, we should fix the specification text. Not even Veres One does this anymore (the ledger operation is signed, which wraps the DID Document).

b) I think the early examples should show some signature.

I suggest we do the opposite and note that a valid DID Document does not require a signature at all given that no implementation has a signature on the DID Document.

To resolve this issue, we should submit a PR stating either 1) stay completely silent on the matter of signatures on DID Documents, or 2) state that signatures are optional on DID Documents.

— You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub https://github.com/w3c-ccg/did-spec/issues/42#issuecomment-371403040, or mute the thread https://github.com/notifications/unsubscribe-auth/ADLkTViK02GN6iJxzMS0wfcCAToYsjknks5tcNzwgaJpZM4RfC3n .

talltree commented 6 years ago

@mikelodder7 and I discussed and we agreed that the spec text should add a sentence explaining that a signature on a DID document is optional and, if used, should be explained and specified by the DID method spec. Mike agreed to take on the issue.

ChristopherA commented 6 years ago

We may still want to say more specifically the requirements. The DID document MUST be both cryptographically verifiable and timestamped, and that the method spec MUST define how those both are validated.

mikelodder7 commented 6 years ago

I noticed that section 4.7 is no longer signatures. I have raised a PR #91