-
Notifications
You must be signed in to change notification settings - Fork 37
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Refactor DID support to use 3ID's #2
Comments
Need to consider how to connect in a server (or mobile) environment v connect in a web environment.
Both separate process will result in the creation of a DID object that can be used to sign and encrypt data via a 3ID. Proposed architecture
However, the above fails to work in a web environment if we are wanting a user to authorize access to a specific application context. Under the above model, the web environment has granted full access to the current website to the 3ID, rather than delegating access to an application context that has limited access (ie: can't write to the user's profile). I have asked the Ceramic team on Discord about this application context issue. Can hopefully build into |
From Ceramic discord:
A read of this indicates any support will require changes to Ethereum libraries, while the current I don't feel we can rely on ceramic / IDX for this capability at this stage, so will need to roll out own. Security: At the moment web applications using 3ID's gain full access to sign and encrypt using that 3ID, providing no ability to restrict access between different web applications. We can solve this by enforcing our single sign on to only work via a mobile application, but that's not ideal long term. |
From the proposed architecture above:
After further investigation
This has been implemented with working tests as |
Doing some basic tests with https://self.id shows a variable time to connect anywhere from 4-8 seconds. This isn't great, however this should only be required on the mobile app when a user first connects and will then be cached. Tests of fetching an existing user's IDX profile returned a result in ~1 second, which should be fine. |
According to Ceramic discord others are working on this, so assume it's not an issue.
Decision is to use Verida's Single Sing on to support this as Ceramic won't support it any time soon. |
The core packages that support this are now complete:
|
Verida currently has its own DID generation approach. This has served it well for a PoC, but it's better to migrate to an alternative DID solution. In this issue I will outline a migration plan to use Ceramic network's 3ID DID provider.
Current architecture
Verida currently generates a DID on a per application basis:
Do you want to login to the Verida Vault application?
)Verida DID
document is created that lists the public keys of those keypairs, which is then stored in a centralized APIDID service
definition)This offers the following benefits:
Ceramic architecture
Ceramic provides an alternative approach, whereby multiple blockchain wallets can be used to control a 3ID DID via their 3ID DID Provider. Utilizing the Ceramic network and IDX protocol, it's possible to store public or encrypted data for each 3ID.
Under this model a user will need a 3ID in order to use the Verida network. A user will authenticate (or sign up) as follows:
In the future, it may be possible for the Verida Vault QR code auth to be integrated into 3ID Connect.
Behind the scenes, the following needs to occur:
Why Ceramic?
Risks to eliminate
The text was updated successfully, but these errors were encountered: