search

w3c / did-core

W3C Decentralized Identifier Specification v1.0
https://www.w3.org/TR/did-core/
Other
407 stars 95 forks source link

Newcomer: How to specify multiple keys (RSA, SECP256K1) in a DID document #823

Closed kaimeinke closed 2 years ago

kaimeinke commented 2 years ago

Dear did-core community,

as a newcomer to the DID specs I would like to learn how I can specify multiple keypairs in a DID document. In this example it should be RSA (incl. the certificate to validate the chain of trust) and SECP256K1 (for use in transactions in EVM-compatible DLT context).

If this is not the right place to ask, please excuse me for bringing it here. I would gladly take any recommendation where to turn with my question. Thanks a lot for your patience.

From the specs I anticipate I need to complete every of the following properties twice for each keypair:

For the RSA keys I want to expose a serviceEndpoint to retrieve the X509 certificate to check it against Trust Anchors in the eIDAS context.

Is this valid with one id and controller?

This is an example of how I envision it right now and I would be happy to take any advice as I could not find a fitting straightforward example, but a similar example like EXAMPLE 31: DID Document with many different key types.

Thanks a lot for your help. Kai


    "@context": [
        "https://www.w3.org/ns/did/v1",
        "https://w3id.org/security/suites/jws-2020/v1",
        "https://w3id.org/security/suites/secp256k1-2019/v1",
      ],
    "id" : "did:web:exampledomain.com",
    "assertionMethod" : [
        {
            "controller": "did:web:exampledomain.com",
            "id": "did:web:exampledomain.com#918a8e68f4374c7ea347cd765f754617",
            "type" : "EcdsaSecp256k1VerificationKey2019",
            "publicKeyJwk" : {
                "alg" : "ES256K",
                "crv" : "secp256k1",
                "kid" : "918a8e68f4374c7ea347cd765f754617",
                "kty" : "EC",
                "use" : "sig",
                "x" : "GbAPnwci7RSsF8eiE7WdMlMfxUBnnywglxAiDru0Jjk",
                "y" : "BNsZpL09OdMzDR-daDfDvJPN8i8suVM62LZd8UcyR4k"
            }
          },
        {
            "controller" : "did:web:exampledomain.com",
            "id" : "did:web:exampledomain.com#6b8779c2a89143fa8969337aab1673ed",
            "type" : "RsaVerificationKey2018",
            "publicKeyJwk" : {
                "alg" : "RS256",
                "kid" : "6b8779c2a89143fa8969337aab1673ed",
                "kty" : "RSA",
                "use" : "sig"
            }
        },
    ],
    "authentication" : [
        {
            "controller": "did:web:exampledomain.com",
            "id": "did:web:exampledomain.com#918a8e68f4374c7ea347cd765f754617",
            "type" : "EcdsaSecp256k1VerificationKey2019",
            "publicKeyJwk" : {
                "alg" : "ES256K",
                "crv" : "secp256k1",
                "kid" : "918a8e68f4374c7ea347cd765f754617",
                "kty" : "EC",
                "use" : "sig",
                "x" : "GbAPnwci7RSsF8eiE7WdMlMfxUBnnywglxAiDru0Jjk",
                "y" : "BNsZpL09OdMzDR-daDfDvJPN8i8suVM62LZd8UcyR4k"
            }
          },
        {
            "controller" : "did:web:exampledomain.com",
            "id" : "did:web:exampledomain.com#6b8779c2a89143fa8969337aab1673ed",
            "type" : "RsaVerificationKey2018",
            "publicKeyJwk" : {
                "alg" : "RS256",
                "kid" : "6b8779c2a89143fa8969337aab1673ed",
                "kty" : "RSA",
                "use" : "sig"
            }
        },
    ],
    "verificationMethod" : [
        {
            "controller": "did:web:exampledomain.com",
            "id": "did:web:exampledomain.com#918a8e68f4374c7ea347cd765f754617",
            "type" : "EcdsaSecp256k1VerificationKey2019",
            "publicKeyJwk" : {
                "alg" : "ES256K",
                "crv" : "secp256k1",
                "kid" : "918a8e68f4374c7ea347cd765f754617",
                "kty" : "EC",
                "use" : "sig",
                "x" : "GbAPnwci7RSsF8eiE7WdMlMfxUBnnywglxAiDru0Jjk",
                "y" : "BNsZpL09OdMzDR-daDfDvJPN8i8suVM62LZd8UcyR4k"
            }
          },
        {
            "controller" : "did:web:exampledomain.com",
            "id" : "did:web:exampledomain.com#6b8779c2a89143fa8969337aab1673ed",
            "type" : "RsaVerificationKey2018",
            "publicKeyJwk" : {
                "alg" : "RS256",
                "kid" : "6b8779c2a89143fa8969337aab1673ed",
                "kty" : "RSA",
                "use" : "sig"
            }
        },
        ],
    "services": [
        {
            "id": "did:web:exampledomain.com#6b8779c2a89143fa8969337aab1673ed#x509PublicKey",
            "type": "X509PublicKey",
            "serviceEndpoint": "https://exampledomain.com/.well-known/x509PublicKey.pem"
        },
        {
            "id": "did:web:exampledomain.com#6b8779c2a89143fa8969337aab1673ed#x509CertificateChain",
            "type": "X509Certificate",
            "serviceEndpoint": "https://exampledomain.com/.well-known/x509CertificateChain.pem"
        }
    ]
}
peacekeeper commented 2 years ago

@kaimeinke No need to repeat the keys.. I think this is what you want:

{
    "@context": [
        "https://www.w3.org/ns/did/v1",
        "https://w3id.org/security/suites/jws-2020/v1",
        "https://w3id.org/security/suites/secp256k1-2019/v1"
    ],
    "id": "did:web:exampledomain.com",
    "assertionMethod": [
        "did:web:exampledomain.com#918a8e68f4374c7ea347cd765f754617",
        "did:web:exampledomain.com#6b8779c2a89143fa8969337aab1673ed"
    ],
    "authentication": [
        "did:web:exampledomain.com#918a8e68f4374c7ea347cd765f754617",
        "did:web:exampledomain.com#6b8779c2a89143fa8969337aab1673ed"
    ],
    "verificationMethod": [{
            "controller": "did:web:exampledomain.com",
            "id": "did:web:exampledomain.com#918a8e68f4374c7ea347cd765f754617",
            "type": "EcdsaSecp256k1VerificationKey2019",
            "publicKeyJwk": {
                "alg": "ES256K",
                "crv": "secp256k1",
                "kid": "918a8e68f4374c7ea347cd765f754617",
                "kty": "EC",
                "use": "sig",
                "x": "GbAPnwci7RSsF8eiE7WdMlMfxUBnnywglxAiDru0Jjk",
                "y": "BNsZpL09OdMzDR-daDfDvJPN8i8suVM62LZd8UcyR4k"
            }
        },
        {
            "controller": "did:web:exampledomain.com",
            "id": "did:web:exampledomain.com#6b8779c2a89143fa8969337aab1673ed",
            "type": "RsaVerificationKey2018",
            "publicKeyJwk": {
                "alg": "RS256",
                "kid": "6b8779c2a89143fa8969337aab1673ed",
                "kty": "RSA",
                "use": "sig"
            }
        }
    ],
    "services": [{
            "id": "did:web:exampledomain.com#6b8779c2a89143fa8969337aab1673ed#x509PublicKey",
            "type": "X509PublicKey",
            "serviceEndpoint": "https://exampledomain.com/.well-known/x509PublicKey.pem"
        },
        {
            "id": "did:web:exampledomain.com#6b8779c2a89143fa8969337aab1673ed#x509CertificateChain",
            "type": "X509Certificate",
            "serviceEndpoint": "https://exampledomain.com/.well-known/x509CertificateChain.pem"
        }
    ]
}
peacekeeper commented 2 years ago

Regarding the service endpoints, did:web:exampledomain.com#6b8779c2a89143fa8969337aab1673ed#x509PublicKey is not a good idea, since multiple # characters are invalid per the DID URL syntax and generic URI syntax.

OR13 commented 2 years ago

You can look at the examples from did;key here: https://did.key.transmute.industries/

and find replace the did:key:...# part...

kaimeinke commented 2 years ago

Dear @peacekeeper and @OR13 thank you very much, this was super helpful.

Will check the DID:KEY example right away.

I will remove the multiple # characters as they are not allowed. Then I would replace these IDs with URIs such as 

"services": [
                {
            "id": "exampledomain.com/.well-known/x509PublicKey",
            "type": "X509PublicKey",
            "serviceEndpoint": "https://exampledomain.com/.well-known/x509PublicKey.pem"
        },
        {
            "id": "exampledomain.com/.well-known/x509CertificateChain",
            "type": "X509Certificate",
            "serviceEndpoint": "https://exampledomain.com/.well-known/x509CertificateChain.pem"
        }
]
kaimeinke commented 2 years ago

I think we can close this one for now and I would go from here with the following DID Document. Thanks for your quick and great help, I'll come back when we did the next steps of our integration.

{
    "@context": [
        "https://www.w3.org/ns/did/v1",
        "https://w3id.org/security/suites/jws-2020/v1",
        "https://w3id.org/security/suites/secp256k1-2019/v1"
    ],
    "id": "did:web:exampledomain.com",
    "assertionMethod": [
        "did:web:exampledomain.com#918a8e68f4374c7ea347cd765f754617",
        "did:web:exampledomain.com#6b8779c2a89143fa8969337aab1673ed"
    ],
    "authentication": [
        "did:web:exampledomain.com#918a8e68f4374c7ea347cd765f754617",
        "did:web:exampledomain.com#6b8779c2a89143fa8969337aab1673ed"
    ],
    "verificationMethod": [{
            "controller": "did:web:exampledomain.com",
            "id": "did:web:exampledomain.com#918a8e68f4374c7ea347cd765f754617",
            "type": "EcdsaSecp256k1VerificationKey2019",
            "publicKeyJwk": {
                "alg": "ES256K",
                "crv": "secp256k1",
                "kid": "918a8e68f4374c7ea347cd765f754617",
                "kty": "EC",
                "use": "sig",
                "x": "GbAPnwci7RSsF8eiE7WdMlMfxUBnnywglxAiDru0Jjk",
                "y": "BNsZpL09OdMzDR-daDfDvJPN8i8suVM62LZd8UcyR4k"
            }
        },
        {
            "controller": "did:web:exampledomain.com",
            "id": "did:web:exampledomain.com#6b8779c2a89143fa8969337aab1673ed",
            "type": "RsaVerificationKey2018",
            "publicKeyJwk": {
                "alg": "RS256",
                "kid": "6b8779c2a89143fa8969337aab1673ed",
                "kty": "RSA",
                "use": "sig"
            }
        }
    ],
    "services": [
        {
            "id": "exampledomain.com/.well-known/x509PublicKey",
            "type": "X509PublicKey",
            "serviceEndpoint": "https://exampledomain.com/.well-known/x509PublicKey.pem"
        },
        {
            "id": "exampledomain.com/.well-known/x509CertificateChain",
            "type": "X509Certificate",
            "serviceEndpoint": "https://exampledomain.com/.well-known/x509CertificateChain.pem"
        }
    ]
}