Update trustping.md

[brianorwhatever]

closes #271

[TelegramSam]

I vote that from is required for this protocol, even if no response is required. The point of the ping is to verify a trusted relationship. If no from, no relationship.

[kdenhartog]

I vote that from is required for this protocol, even if no response is required. The point of the ping is to verify a trusted relationship. If no from, no relationship.

How is identifier authentication being done now? Couldn't we rely on that methodology to get it instead?

[TelegramSam]

How is identifier authentication being done now? Couldn't we rely on that methodology to get it instead?

You mean authenticated encryption? That is the method I'm expecting we rely on.

[brianorwhatever]

So I think the issue here is that the "Trust Ping" protocol becomes just the "Ping" protocol when completed using anonymous encryption. I don't believe there is a way to authenticate in this case and all we will be able to rely on is a self declared from value

[swcurran]

If you just send out a trust ping to a previously unknown contact using anoncrypt, yes. But you can use an existing connection and (I think, if I've been following the conversation), the message would be delivered using authcrypt.

I don't see a need to change the name. The information about using the DIDComm 2 with and without a connection should be general information and need not be tied to each protocol.

[TelegramSam]

I've proposed in #274 that we make from required. That clears up several things, including this confusion about a trustpring without a from. Thoughts?

[awoie]

@brianorwhatever I guess we can remove the from after we merged #274

[awoie]

@brianorwhatever I guess we can remove the from after we merged #274

[brianorwhatever]

thanks @awoie

[awoie]

lgtm after removing the from language, but merge should wait until #274 got merged

[kdenhartog]

You mean authenticated encryption? That is the method I'm expecting we rely on.

Yup, I've started to rephrase my language to prevent conflation between what we mean when we say "authenticated encryption"/Authcrypt and what's more commonly used in symmetrical encryption where they're describing a specific security property that's slightly different than what we mean.

In my mind identifier authentication utilizes traditional "authenticated encryption" (they normally just mean the encryption is integrity protected and tamper resistant by people without the secret key) and that we're binding the integrity to a specific identifier (e.g. the did) that can be inferred. This may not be exactly correct terminology, but just looking to stray away from conflating language when describing different security properties. Let's open a separate issue to discuss this further if you want to just so that we don't slow down this PR from being merged.