-
Notifications
You must be signed in to change notification settings - Fork 17
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Decide what to do about 'proof' section and other DID Doc Metadata #20
Comments
@dmitrizagidulin Is it correct to say that option 2) might be the more standard way of doing it because it these are registered terms in DID Document Metadata Properties? Option 1) will require extensions to context. Further, would be the |
@awoie - hmm, good question. Option 2 (the DID Resolution Result) is still very much in progress, spec wise. Buuut, you're right, we don't want to mess with the context in option 1. And now that I think about it, if we adopt option 2, it'll give us room to put things like the optional 'audit trail' (KERI-like), and other sorts of metadata. |
@OR13 - do you have any strong preferences here? |
I personally don't like the idea of attaching proofs to did:web.... I had done the same thing with did:github, and it made it super frustating to update.... we even tried getting github actions to add the proof, which worked but is still not as elegant as just relying on the web server... I guess end of the day, if you really need the extra security, you can sign your did document. just be prepared to manage all the update complexity that comes with that. |
regarding "audit trails".... I think this is a waste of time... did web is not meant to be like other did methods, and leaving some obvious reasons to upgrade for higher security scenarios makes sense. The simpler the spec, the better, did:web should be a gateway to better did methods, not try to compete with them. |
@OR13 I see, ok. That still leaves the question open about what to do with "did doc metadata" and did:web. Which option do you prefer? |
@dmitrizagidulin I prefer to pull caching / expiration / headers from the resource and simply reflect them in the did doc meta data. |
@OR13 got it, ok. So that seems like a vote for option 2. |
@mirceanis would also be good to get your opinion on that. |
I also don't see a good reason to add |
I'm not reading it that way :) Also, I'm not putting any weight on either of the two options presented. I guess I'm opting for a third where the JSON that is served is the actual DID document and the server is free to present metadata as headers. It would be the resolver's option to present some of the headers as metadata. |
So, the reason I'm reading it as a vote for Option 2 is -- the question here is what's the data model of a did:web DID Doc stored on disk. In order for the web server to present those metadata headers, it's gotta get them from somewhere. Which assumes the need for an envelope document like in option 2.
But it does add one important part to the result - it adds the fact that the DID Document has not been tampered with (it's signed by the DID controller...). |
And just to clarify, with option 2, the |
So this would be applicable to documents that are served by "dumb" webservers, where the DID controller does not have too much control over the returned headers, right?
The reason why it looks like ceremony to me is that did:web already relies a lot on the trust in the webserver. On a separate note, I'm not very familiar with how DID document metadata is supposed to be used in practice, so my opinions here should not carry much weight. |
if the |
That's right, yeah. Which applies to a large chunk of the use cases
I'm not sure if I fully understand the question. It's exactly the same as with Verifiable Credentials. Whoever is consuming the DID (so, holder, verifier, etc) can verify it. And which type of proofs - whatever the DID Method (or even your use case) agrees on.
So.. again, that seems like an argument for Option 2. "Trust in the VDR and DID Method" -- so, having a |
@dmitrizagidulin JSON-LD Proofs do not help increase trust with did:web. IMO, did:web should not have any normative requirements on JSON-LD Proofs. did:web trust flows from web server control, and |
@OR13 but again, the question is not about |
@OR13 so far, if I'm understanding your argument correctly, you seem to be saying "no metadata in the DID Document at all". I think that's too limiting, and that there are several use cases that would be well served with a general metadata mechanism, on the data model level. |
Yes, the DID WG has decided specifically to not put meta data in the did document, and the did spec registries has a separate section to make this even clearer: https://w3c.github.io/did-spec-registries/#did-document-metadata I'm not against some "extension" which places meta data in the did document, but I think encouraging meta data in the did document generally for did web will be viewed as wrong by anyone familiar with other did methods. |
@OR13 I remember that debate, sure. And one of the points that was made was -- the metadata belongs in the Resolution Result document. Which is exactly what we're talking about / proposing here. |
https://w3c-ccg.github.io/did-resolution/#output-resolutionmetadata ^ all of these are places that are fine to put metadata imo... |
I assume we are talking about the normative requirements did:web has on "resolution metadata" and "document metadata" This issue is not very specific, and appears to be addressing both proof and meta data, hence the confusion. |
To be crystal clear:
|
@OR13 ok, that seems pretty clear. (And like I said, that is exactly Option 2. Using the Resolution Result doc, which has 3 sections, the |
@OR13 so the next question is.. so what does that look like, implementation wise? Is the |
@dmitrizagidulin yes, imo, it should be possible for the web server operator to control all 3 sections via vanilla JSON. I would not be opposed to fancy HTTP Header based overrides for the did:web resolver to consider as well. While we are on this subject, we might as well also consider did:web in JSON / CBOR / YAML... IMO, a did web resolver builds a URL from https://w3c-ccg.github.io/did-resolution/#resolving-input Makes a GET Request to the URL, and optionally considers headers returned in the response as taking priority over the field members. |
did:web resolvers should implement:
over http... they should support representations other than JSON, such as CBOR. I think its fine to "default them" to JSON, but we should allow to different JSON / JSON-LD at a minimum. |
Just to chime in here as well, I'm leaning more towards the direction of option 2 over option 1. I don't see many benefits to option 1 that don't eventually lead to On the topic of representation I think what Orie brings up is a potential answer to supporting multiple representations by storing multiple representations on the server independently. This does open the potential for the different representations to be in different states though, so I lean more towards the option of having a resolver fetch the JSON representation translating it to the ADM and then translating it to the requested representation instead. The downside to this approach is that different representations will likely have different signature formats used such that some requesting parties (the client of the resolver doing the translator) may be unable to verify the signature method of the JSON representation. However, as @mirceanis points out here there are ways to subvert the integrity of document in ways that aren't going to be detectable. At best for these types of things we'll want to state "MUST use TLS 1.2 or greater" and warn about DNS injection issues in the security section as well. |
Just as an update -- as the DID Core spec is nearing its first CR, the editors of the |
The DID Core specification is very consistent with existing HTTP content negotiation, using an accept element to specify desired representations and content types to identify those representations. In HTTP, This should be more efficient than mapping to specific URLs in the resolver, in that server-side logic would be able to identify the best available representation and deliver it in a single request. The explicit |
Pros and cons: If in the headers then we might need to define a mapping function for each representation to an HTTP header. Maybe a dumb Base64 encoding of the raw DID Document Metadata contents in the chosen representation? Two documents require two HTTP calls. Not super efficient, but not the end of the world either. Are there any security concerns when the web infra diverts the two calls to two different servers? If inside the DID Document, then the spec should define that the |
From a practical perspective, HTTP response headers are often limited in size, with 8k being a common default. This is not required by the specification, and it is configurable, but it's worth noting. |
Here is the limit of the most popular web servers:
@gribneau would the map->HTTP header conversion require a dynamic web server? Are custom HTTP headers per file easy to set up/deal with on static servers and CDNs? |
It is plausible that one might be able to accomplish this with pre-rendered metadata in files that are then included as headers in the response document, which would not require a scripting engine. Rendering those files will necessarily be dynamic, but if they don't change they could (plausibly) be served as static files.
This would fall squarely into the advanced category. Relatively few people are familiar with the layout of headers vs. content in HTTP responses.
CDNs cache what the origins send, and this can include headers. Expect an 8k limit. |
This requirement, particularly, is a non-starter for me. Without TLS / SSL, an HTTP GET, together with any request headers, is visible in the clear to any network device that handles the traffic. The response, together with any headers, is similarly visible. This change would expose use of |
I agree. Next time, I am not going to suggest a crazy example :) |
So, looks like idea 3 is the leading contender. Do we all like this option? Please signal with a Like/Dislike reaction.
{
"@context": "https://w3id.org/did-resolution/v1",
"didDocument": {
"@context": "https://www.w3.org/ns/did/v1",
"id": "did:web:example:com",
"authentication": [{
"id": "did:web:example:com#keys-1",
"type": "Ed25519VerificationKey2018",
"controller": "did:web:example:com",
"publicKeyBase58": "H3C2AVvLMv6gmMNam3uVAjZpfkcJCwDwnZn6z3wXmqPV"
}],
"service": [{
"id": "did:web:example:com#vcs",
"type": "VerifiableCredentialService",
"serviceEndpoint": "https://example.com/vc/"
}],
},
"didDocumentMetadata": {
"created": "2019-03-23T06:35:22Z",
"updated": "2023-08-10T13:40:06Z"
"proof": {
// signature over the "didDocument" would go here.
}
}
} |
It's one fundamental problem of the did:web method that it is easy for intermediary infrastructure to replace the entire DID document. I mean it's all relative, but a did:web is easier to manipulate than let's say a did:btcr.
This question is definitely in scope for a DID method spec, and I have been wondering myself how this could work for did:web. I don't have any preference here at all, but the original idea of DID document metadata was that it could originate from the DID controller and/or the DID method, or some combination of the two. For example, in my mind it would be perfectly legitimate to say that in did:web, some DID document metadata (such as "updated") would be mapped from an HTTP header (such as "Last-Modified"). Note that the DID controller typically doesn't "manually" control such headers, it's the DID method that controls them. Whereas other DID document metadata (such as proofs) could come from a separate file on the webserver that the DID controller can edit however they like. But again, I don't really have an opinion if and how exactly this should be supported by did:web. |
I just realized that idea 3 breaks backward compatibility since most DID:WEB documents deployed right now have only the didDocument properties in the JSON. Since there is no versioning in the DID:WEB spec, DID:WEB resolvers would have to accept the old method (a direct DID Document in the JSON) and a new method (a JSON structure that includes the DID Document). Is backward compatibility important at this stage? Or, because this is still a draft spec, we shouldn't care too much about it? |
Backwards compatibility is not important at this stage. Until |
Hi all, Please review PR #63. Following the discussion here, the PR proposes:
|
Hi all, @msporny requested to move the proposed (#63) I am happy to do it either way (in the DID Document or in the DID Document Metadata). But since so many of you have said here that |
I am comfortable either way. I view adding signatures as a net positive, but remain agnostic on the question of placement in the DID document vs the DID metadata. |
I think the only viable answer here is "both". Implementers will want to secure the DID Document itself (provided by the DID Controller), and they will also want to provide a digital signature on the metadata associated with the DID Document (provided by the Verifiable Data Registry and/or the DID Resolver), and possibly over the entire resolution result (provided by the DID Resolver). All of those are valid use cases, and luckily, Data Integrity allows for all of that to happen. That said, if people want to use JWTs or some other mechanism that requires base64 encoding before signature, it will complicate matters. Something to keep in mind as people weigh in... this isn't an either/or decision, IMHO. |
Maybe we need a table on what types of proofs are acceptable in what places.
Does this make sense? What's an example of a Verifiable Data Registry for DID WEB? |
For JWTs, do we prefer something like: {
"didDocument": {
"id": "did:web:example:com",
"authentication": [{
"id": "did:web:example:com#keys-1",
"type": "Ed25519VerificationKey2018",
"controller": "did:web:example:com",
"publicKeyBase58": "H3C2AVvLMv6gmMNam3uVAjZpfkcJCwDwnZn6z3wXmqPV"
}],
"service": [{
"id": "did:web:example:com#vcs",
"type": "VerifiableCredentialService",
"serviceEndpoint": "https://example.com/vc/"
}],
},
"didDocumentMetadata": {
"created": "2019-03-23T06:35:22Z",
"updated": "2023-08-10T13:40:06Z",
"proof": {
"type": "JwtProof2020",
"jwt": "xxxx.yyyyy.zzzz"
}
}
} or like this: {
"didDocument": {
"id": "did:web:example:com",
"authentication": [{
"id": "did:web:example:com#keys-1",
"type": "Ed25519VerificationKey2018",
"controller": "did:web:example:com",
"publicKeyBase58": "H3C2AVvLMv6gmMNam3uVAjZpfkcJCwDwnZn6z3wXmqPV"
}],
"service": [{
"id": "did:web:example:com#vcs",
"type": "VerifiableCredentialService",
"serviceEndpoint": "https://example.com/vc/"
}],
"proof": {
"type": "JwtProof2020",
"jwt": "xxxx.yyyyy.zzzz"
}
},
"didDocumentMetadata": {
"created": "2019-03-23T06:35:22Z",
"updated": "2023-08-10T13:40:06Z",
}
} and since the JWT has a copy of the payload within itself, do we allow this? This is the equivalent to the LD-Signatures proof format, but for native JWT, where the {
"didDocument": "xxxx.yyyyy.zzzz"
"didDocumentMetadata": {
"created": "2019-03-23T06:35:22Z",
"updated": "2023-08-10T13:40:06Z",
}
} This is important because there is also a CWT (using CBOR), where the same questions have to be asked. |
I generally prefer detached signatures to avoid duplicating data. |
I don't like the confusion of the Maybe we need a different field name when the |
-1 to "the
-1 to this as well. This conversation is reviving all that is terrible about how JWS and JWTs are used in practice. If you want to use You could add things like If you're going to use If you want to try and shoe-horn non-embedded signatures into these responses, you're going to have to standardize something to do that, or create a one-off special purpose signature for DID Document Metadata. If you are going to do the latter, I expect there will be strong push-back due to the application layer complexity introduced with those type of half-baked approaches. The only other alternative for JWT-based signatures that feels possibly workable is embedding the entire object being signed in the metadata, which results in duplication of content. |
It's also reminding us that VC WG has not yet defined You could make the entire resolution response be a JWS for JSON + JSON-LD and a CWS for CBOR. |
I agree, but we can either say that JWS and JWT MUST NOT be used OR we MUST provide the right way for people to use them. Not addressing the issue with finality is terrible for interoperability. There is also SAML2 Assertions to deal with when the representation is XML Of course, Linked proofs can be written in XML-LD and CBOR-LD as well. But that would simply follow the same solution for JSON-LD. |
Please provide a complete proposal so that we can evaluate it. Note the requirements, there are three pieces of information that need to be digitally signed by three different parties, and then carried in the DID Resolution Response. That proposal exists for Data Integrity (just add a
Yep, exactly. So we have at least one solution that is serialization format agnostic (granted, XML-LD doesn't exist yet... but the JSON and CBOR serializations certainly do exist). I suggest we don't try to support XML at this point in time unless we get large customer demand for it.
Who is currently planning to return SAML2 Assertions in XML format in a DID Resolution response? |
I don't want to diverge the discussion, but the XML-loving community is as big as the JSON-loving community. Anyone working with verifiable schema definitions (i.e. XSD) and data transformations (i.e. XSLT) is probably running XML-based services and wouldn't want to change it. JSON just doesn't provide the same level of tooling yet. Personally, I have two customers in that mindset. Since these are just representations of the common data model we are trying to spec out, I would argue the idea here is to be inclusive of people's needs. |
Once VC WG defines |
Maybe we segment the spec into Data Integrity proofs and other proof packaging needs? (Independent from the representation choice) |
Assuming |
Signing the DID Document itself (adding an OPTIONAL/recommended
proof
section, for example) would offer integrity protection / move towards the did docs being self-certifying.Since the
proof
property (as well as other metadata fields such ascreated
andupdated
) were removed from the DID Core spec, we need to make a decision on how to handle these in thedid:web
method.Our options:
proof
,created
etc) into the DID Document itself..json
file on the web server, but instead embed it in a structure similar to the DID Resolution Result.Example structure for option 1:
Example structure for option 2:
The text was updated successfully, but these errors were encountered: