search

w3c / did-core

W3C Decentralized Identifier Specification v1.0
https://www.w3.org/TR/did-core/
Other
395 stars 93 forks source link

Add advisement about signed DID documents. #753

Closed peacekeeper closed 3 years ago

peacekeeper commented 3 years ago

As discussed in https://github.com/w3c/did-core/pull/738#pullrequestreview-662135911, this adds some language about signed DID documents (similar to what existed before merging https://github.com/w3c/did-core/pull/738).

Preview | Diff

alenhorvat commented 3 years ago

I agree with the statement and is great to add the description. Other things to consider:

samu-gataca commented 3 years ago

As you said in the update, the signature does not prove control over the DID, if we are talking about the creation, but in all the next operations about any update (rotating, revoking or adding new keys), it could help to demonstrate who is the owner for that DID Document (because, just the owner has the private key to be allowed to change de DID). I agree that putting the signature on the document may not be the best option, it could be included in the metadata section.

The main problem here is, if we want to avoid strong dependencies with the infra layer, we need a point of trust. It could be at the DID Registry level, or the DID Document level. At the level of the DID Registry, any party needs to trust in the vendor which is performing the DID Resolution. The same happens when the trust depends on the signature on the DID Document, it's necessary to trust in the DID Registry owner (if the DID Registry try to cheat the other party, it's easy to demonstrate based on the signature), but at the end the end user could check the validity of the DID Document, always basing this idea, not in the creation, however, we can demonstrate, all the updates over the same DID Document provides from the same source. Once we have several keys for several different purposes, and each of them of any type (RSA, ed25519, secp, ...) we can not based our solution in any algorithm feature as correlate the DID with the hash of the public key, because the DID Document is a dynamic object, so we need any external help.

msporny commented 3 years ago

Editorial, multiple positive reviews, one editorial change requested an made (advisement -> note), no objections, merging.