Closed Drabiv closed 6 years ago
When keys are being revoked, are there any recommendations on whether they should remain in the DDoc or be removed completely?
They should probably remain in the DID Document, and keys should be associated w/ a revocation list of some kind.
When checking the validity of a signature in a credential, there is a need to check whether the signer's key was revoked at the time of signing. To do this check, there should be a way to check all of the DID's keys and retrieve their revocation timestamps.
Yes, agreed.
I would think that to make this check easier it would be better to keep revoked keys in the DDoc, but in the spec I see only examples of complete key removal.
Yes, we don't have this in the spec yet.
Will it be allowed in the DID Method spec to have revoked keys stay in the DDoc?
Yes, we should allow this or specify that all keys MUST be associated w/ a revocation list.
Maybe we can add "keyRevoked" and "keyRevocationTS" properties?
I suggest we reuse some combination of these existing terms -- "created" and "expires" and "revoked".
Add language that states that if a key does not exist in a DID Document, an implementation MUST assume that the key has been revoked.
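A worked version of the check the thread is converging on, added here as an editor's example (it is not code from the DID spec or from any DID method implementation). It keeps revoked keys in the DID Document, uses the "created", "expires" and "revoked" timestamp terms suggested above, evaluates a key's status at the time of signing rather than at verification time, and treats a key that is absent from the document as revoked. The DID Document and key ids are constructed sample data; the property names and the `publicKey` array layout are assumptions, since the spec does not define this yet.

```python
"""Time-aware key validity check against a DID Document.

Editor's example, not from the DID spec. The property names "created",
"expires" and "revoked" are the terms proposed in the thread; the
document below is constructed sample data, not a real DID.
"""
from datetime import datetime, timezone

SAMPLE_DID_DOC = {
    "id": "did:example:123",
    "publicKey": [
        {   # Rotated out: still listed, with a revocation timestamp.
            "id": "did:example:123#key-1",
            "type": "Ed25519VerificationKey2018",
            "created": "2018-01-01T00:00:00Z",
            "revoked": "2018-06-01T00:00:00Z",
        },
        {   # Current key with a fixed lifetime.
            "id": "did:example:123#key-2",
            "type": "Ed25519VerificationKey2018",
            "created": "2018-05-15T00:00:00Z",
            "expires": "2019-05-15T00:00:00Z",
        },
    ],
}


def _ts(value):
    """Parse an ISO 8601 UTC timestamp (or None) into an aware datetime."""
    if value is None:
        return None
    if isinstance(value, datetime):
        return value if value.tzinfo else value.replace(tzinfo=timezone.utc)
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def key_status_at(did_doc, key_id, at):
    """Status of key_id at instant `at`.

    Returns one of: 'valid', 'absent', 'not-yet-created', 'revoked', 'expired'.
    'absent' is the case the thread says MUST be treated as revoked.
    """
    at = _ts(at)
    key = next((k for k in did_doc.get("publicKey", [])
                if k.get("id") == key_id), None)
    if key is None:
        return "absent"
    created = _ts(key.get("created"))
    revoked = _ts(key.get("revoked"))
    expires = _ts(key.get("expires"))
    if created is not None and at < created:
        return "not-yet-created"
    # Revocation wins over expiry: a revoked key is bad from that instant on.
    if revoked is not None and at >= revoked:
        return "revoked"
    if expires is not None and at >= expires:
        return "expired"
    return "valid"


def signature_acceptable(did_doc, key_id, signed_at):
    """True only if the key was usable at signing time.

    Every non-'valid' status, including 'absent', rejects the signature.
    """
    return key_status_at(did_doc, key_id, signed_at) == "valid"


if __name__ == "__main__":
    for key, when in [("did:example:123#key-1", "2018-03-01T00:00:00Z"),
                      ("did:example:123#key-1", "2018-07-01T00:00:00Z"),
                      ("did:example:123#key-9", "2018-07-01T00:00:00Z")]:
        print(key, when, key_status_at(SAMPLE_DID_DOC, key, when))
```

The point of keeping `key-1` in the document is visible in the two dates: a credential signed in March 2018 still verifies, while one signed in July 2018 is rejected as signed with a revoked key. If `key-1` had simply been deleted, both would come back `absent`, and the verifier could no longer distinguish a legitimately signed historical credential from one signed after compromise.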
Hello! Thanks for tackling this issue. Looking at the diff, it seems that the revocation list structure is not being enforced. Shouldn’t we standardize the data model of the list to improve the interoperability between different DID methods?
Let me know if you want me to create a new issue to discuss this.
Thanks
The text says it's up to the method spec. To standardize on a method or structure for that, I think it should be a separate issue.
> Shouldn't we standardize the data model of the list to improve the interoperability between different DID methods?
Yes, we should and that work is sort of happening here (but needs to be generalized to keys, which shouldn't be that difficult): https://w3c-ccg.github.io/vc-status-registry/ and here https://w3c-ccg.github.io/vc-csl2017/
> Let me know if you want me to create a new issue to discuss this.
As @mikelodder7 said, yes, please do.