w3c / wot-security

a repo exclusively for security to better manage issues and security considerations for WoT
https://w3c.github.io/wot-security/

Consider using DIDs to refer to public keys and authentication #161

Open mmccool opened 4 years ago

mmccool commented 4 years ago

DID documents include information about public keys and authentication requirements, and DID URLs with fragments can be used to refer to this information.

Should we consider adding DID references of this type to particular TD security schemes, e.g. PSK, OAuth2, etc.?

mmccool commented 4 years ago

action: Create a PR into the TD spec for discussion. Note however that DIDs are still in flight, so...

mmccool commented 4 years ago

Something like the following: in a security scheme that requires keys, like "psk", allow fields like:

"publickey": didURL#keyid;

where didURL#keyid is the URL of a did pointing at a public key. As noted in issue https://github.com/w3c/wot-security/issues/166, this requires integrity protection of TDs (at the very least). So if there is an "optional" integrity proof section (for instance), it would be required if there are any references like this.

This would not be for the "update" to the TD, but for "version 2.0" (TD Next). By then I would expect DIDs and JSON-LD signing would be normative or at least REC-track, so we can refer to them cleanly.
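The proposal above, worked through as an added example (this is not code from the wot-security repo, the TD spec, or the commenter): a TD consumer treats the hypothetical `"publickey"` field of a key-bearing scheme such as `psk` as a DID URL with a fragment, resolves it against a DID document, and refuses a TD that carries such references without an integrity proof, which is the dependency on issue #166 the comment points out. The `"publickey"` field name, the top-level `"proof"` section, the `did:example` method and both JSON documents are assumptions constructed for illustration; the resolver is an in-memory table rather than a network lookup.

```python
"""Added example: DID URL key references in a TD security scheme.

Assumed (not from the TD spec): a "publickey" field holding a DID URL,
an optional top-level "proof" object with a "proofValue", and the
"did:example" documents below. Everything runs offline.
"""
import re
from typing import Dict, List, Optional, Tuple

# did:<method>:<method-specific-id>[#fragment]; method is lowercase
# alphanumerics, the id uses the DID Core idchar set plus ':' separators.
_DID_URL_RE = re.compile(
    r"^(?P<did>did:[a-z0-9]+:[A-Za-z0-9._:%-]*[A-Za-z0-9._%-])"
    r"(?:#(?P<fragment>[^#]+))?$"
)

# Hypothetical field name from the issue text.
KEY_REF_FIELD = "publickey"

# Constructed DID document standing in for a resolver.
DID_DOCUMENTS: Dict[str, dict] = {
    "did:example:thing-123": {
        "id": "did:example:thing-123",
        "verificationMethod": [{
            "id": "did:example:thing-123#key-1",
            "type": "JsonWebKey2020",
            "controller": "did:example:thing-123",
            "publicKeyJwk": {"kty": "OKP", "crv": "Ed25519",
                             "x": "11qYAYKxCrfVS_7TyWQHOg7hcvPapiMlrwIaaPcHURo"},
        }],
        "authentication": ["did:example:thing-123#key-1"],
    }
}


def parse_did_url(url: str) -> Tuple[str, Optional[str]]:
    """Split a DID URL into (did, fragment); reject anything that is not one."""
    m = _DID_URL_RE.match(url)
    if not m:
        raise ValueError(f"not a DID URL: {url!r}")
    return m.group("did"), m.group("fragment")


def resolve_verification_method(did_url: str) -> dict:
    """Return the verification method the fragment selects.

    A fragment is required (a bare DID names a document, not a key), the
    method must be listed in the document's own verificationMethod array,
    and its controller must be the same DID, so a document cannot smuggle
    in a key it does not control.
    """
    did, fragment = parse_did_url(did_url)
    if fragment is None:
        raise ValueError(f"no fragment in {did_url!r}, cannot select a key")
    doc = DID_DOCUMENTS.get(did)
    if doc is None:
        raise LookupError(f"cannot resolve {did}")
    for vm in doc.get("verificationMethod", []):
        if vm.get("id") == f"{did}#{fragment}":
            if vm.get("controller") != did:
                raise ValueError(f"{vm['id']} controlled by {vm.get('controller')!r}, not {did}")
            return vm
    raise LookupError(f"no verification method {fragment!r} in {did}")


def collect_key_refs(td: dict) -> List[Tuple[str, str]]:
    """(scheme name, DID URL) for every securityDefinitions entry with a key reference."""
    return [(name, scheme[KEY_REF_FIELD])
            for name, scheme in td.get("securityDefinitions", {}).items()
            if KEY_REF_FIELD in scheme]


def has_integrity_proof(td: dict) -> bool:
    """Assumed shape: an optional "proof" object carrying a proofValue."""
    proof = td.get("proof")
    return isinstance(proof, dict) and bool(proof.get("proofValue"))


def validate_td_key_refs(td: dict) -> Dict[str, dict]:
    """Resolve all DID key references; refuse an unprotected TD that has any.

    Without integrity protection an attacker who can alter the TD can point
    "publickey" at a key they control, so the proof becomes mandatory the
    moment such a reference appears. (Verifying the proof itself is out of
    scope here; only its presence is checked.)
    """
    refs = collect_key_refs(td)
    if refs and not has_integrity_proof(td):
        raise ValueError("TD references DID keys but carries no integrity proof")
    return {name: resolve_verification_method(url) for name, url in refs}


# Constructed TDs: one with a proof section, one without.
SIGNED_TD = {
    "@context": "https://www.w3.org/2019/wot/td/v1",
    "title": "Sensor",
    "securityDefinitions": {"psk_sc": {"scheme": "psk",
                                       "publickey": "did:example:thing-123#key-1"}},
    "security": ["psk_sc"],
    "proof": {"type": "Ed25519Signature2020", "proofValue": "z3...constructed..."},
}
UNSIGNED_TD = {k: v for k, v in SIGNED_TD.items() if k != "proof"}

if __name__ == "__main__":
    print(validate_td_key_refs(SIGNED_TD)["psk_sc"]["publicKeyJwk"]["crv"])
    try:
        validate_td_key_refs(UNSIGNED_TD)
    except ValueError as e:
        print("rejected:", e)
```

The order of checks matters: the proof requirement is evaluated before any DID is resolved, so a tampered TD never triggers a resolver lookup, and a fragment that matches nothing or a method whose `controller` is a different DID is treated as a hard failure rather than falling back to some other key.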