-
Notifications
You must be signed in to change notification settings - Fork 16
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add support for optional full path in the method specific identifier. #5
Add support for optional full path in the method specific identifier. #5
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@dmitrizagidulin uPort is implementing an approach where they provide an indication in their UI that a selective disclosure request came from a particular domain, e.g., github.io. |
@gribneau can you please provide the corresponding language in the security considerations section? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I see one issue with having full paths and we have to at least point that out under security considerations what could be dangerous about it. Resolving a did:web and verifying some piece of signed data would no longer proof that the did:web controller is the controller of the domain. In your example, you are the controller but proofing control of that did won't proof that you are under control of github.io.
@awoie good points, that stuff is important to consider. So, I think that having paths does not necessarily increase security risk, in the sense of, it has very similar semantics as URLs do in general. For example: Resolving a web DID without a path:
Resolving a web with a path:
I think developers are used to reasoning about the two kind of URLs? One that represents the organization that controls the domain, and the other just a given user on that domain? |
I've added a section in Security Considerations to indicate that full paths very probably indicate user control of keys rather than domain operator control of keys. Does this meet the need @awoie ? |
@dmitrizagidulin According to the DID spec, "/" is not in the range of
So, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can you pls update the PR to address the URL encoding part: #5 (comment)
Right right - so, in this case, the / is part of the DID Path actually, not the id. |
Percent encoding is pretty ugly.
We could use How does that sound @awoie ? |
@gribneau - wait, I don't think we need to encode at all. We're using it as a DID url path (like any url path) |
That's right - I recall looking this up. https://www.w3.org/TR/did-core/#path Example 7:
We're using:
|
So, the DID will be `did:web:example.com`in both cases? I think that does
not work for the following reason...
Example 1:
`did:web:github.com/scammerorganization/scammingdids/blob/master/did.json`
Example 2:
`did:web:github.com`
That means that both refer to the same DID but they are clearly not under
the control of the same entity. Would you agree with that?
Oliver
…On Tue, Dec 10, 2019 at 5:39 PM Christian Gribneau ***@***.***> wrote:
That's right - I recall looking this up.
https://www.w3.org/TR/did-core/#path
Example 7:
did:example:123456/path
We're using:
did:web:example.com/path/to/did.json
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#5?email_source=notifications&email_token=AKLN3MDKPK6FER6AGN4LZADQX7A4VA5CNFSM4JU2XCRKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOEGP4XQY#issuecomment-564120515>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AKLN3MG4F3OZ3VDXNWUONA3QX7A4VANCNFSM4JU2XCRA>
.
|
@gribneau What problem do you want to solve with using the path notation? Regardless of the domain binding, I am asking because I am concerned that having the path version and the .well-known version of did:web will have two separate security guarantees:
They might even fall into two separate W3C DID method rubrics. |
This thread began with a member of the public noting that most DID methods support resolution of many DIDs rather than just one. I agree with that observation, and am trying to make it possible for a website to offer DID resolution for an arbitrarily large number of users.
The first example resolves to the DID document of the domain itself. The second example resolves to a DID document hosted on that domain, probably of a user. I do not think any person with a technical background would confuse these identifiers:
If the concern is that the DID Path is used inappropriately, we can make a very simple modification to resolve this.
becomes
This would then be more consistent with the use of "should" in the DID Path definition, and requires a very minor adjustment.
If the Please advise @dmitrizagidulin @awoie . |
Ok, so, we've got several things to unpack here. One is - just like Two - how do we deal with different URLs with the same authority part of the URL potentially representing different controllers / different trust levels? I would argue that this sort of calculation is built into the URL already. All developers and most users are familiar with the trust level difference of
Three - right, ok, so thirdly we have a concern about integrity protection of the contents of the DID Documents (can the web host mess with the contents whenever they want?). This is a legit concern, regardless of whether we allow paths to be a part of the |
The three part breakdown from @dmitrizagidulin above raises issues that should be addressed, but I think it is worth noting that use cases for web resolution of many user DIDs are emerging in mainstream conversations, and this specification is very close to solving the basic user identity problem in a portable fashion. Jack Dorsey announced yesterday that Twitter will fund development of open standards for distributed social media. This will require verifiable identity, and we can easily imagine platforms at the scale of Twitter generating DIDs per user to sign content that will be distributed arbitrarily. For example, Jack's DID Identifier could be:
For a scheme like this to be practical, the specification would need to remain flexible enough to support either user control for platforms that place control of the DID document in the hands of the users, or platform control for use cases in which the platform creates and manages the DID documents but wishes to identify each user discretely. I have no reason to believe that Twitter would necessarily go this route, but the use case presents itself clearly in Jack's announcement: |
Ok, so, we have two main obstacles here. One is technical/ABNF related, and one is conceptual (what sort of trust model are we trying to convey). 1) Technical Obstacle - ABNFSo, like @awoie pointed out, the current DID Core data model / ABNF rules for the DID uri does not allow the
^ that wouldn't work, because the Subject (identified by the Potential solutions: 1.a): Campaign to change the DID Document data model / ABNC rules :) 1.b): Allow the So, an https URL of
(Although, as @gribneau points out, percent-encoding is kind of clunky, UI wise, but we could potentially think of some other encoding.) 2) Strategic/Policy Question - SHOULD we allow this at all?Even more important than the previous item is of course the question "Is this a good idea at all?" (because it's a safe bet that if yes, we can solve obstacle 1)). Part of the reason (I suspect) that @awoie and others are objecting to this PR, is that currently, we have a tidy trust model: One domain (the hostname part of the URL) === One and Only One DID So, the current implication is - a Which means that the current answer to "how do we provide DIDs for our users, on our web site" is "give them subdomains". (Especially since now, wildcard SSL certs are cheap, and Lets Encrypt allows wildcart certs for free.) So here, the main question is - do we want to support multiple DIDs on a hostname (via some solution to item 1 above)? |
My current stance on that question 2) is - I'm not sure. I can see arguments for allowing multiple DIDs on the same hostname -- just due to IT Department difficulties with provisioning new SSL certs for subdomains. Let's wait to hear from various implementers? |
I agree that we can find a solution to issue 1 if there is agreement on issue 2.
We do indeed have a tidy model linking a DID to a domain. The name
It is feasible to support potentially thousands of subdomains with wildcard certificates, but I think it is more likely that My position on the issue is that the specification would support many more use cases if we resolve many DIDs in each domain, and that this would enhance the value of the specification. |
Since my previous comment yesterday, I've grown more convinced that this is a needed feature (to support multiple DIDs per hostname). The ability to create subdomains is a fairly advanced skill set, considerably more so than just registering a domain name. |
Seems like its fine to do :
As for the concern over the trust domain issues, as long as :
We convert the github username to a url to a file in a github repo... You would be doing the same thing, just for websites other than github. |
Agreed, yeah. Except we need to find a way to encode the slashes (due to the ABNF issue I mention above). And so far, I'm kind of liking the idea of using
|
This is quite close to one of my initial drafts. If there is a consensus on this approach, I'll be happy to resolve the conflicts and update the PR. |
@awoie - Would you agree with this direction? |
@dmitrizagidulin two things...
@mirceanis ^^ |
@awoie sounds good! |
@gribneau - thanks for the updates! (Do you mind rebasing on the latest index.bs, so that there's no conflicts?) @awoie -
Correct. Does the language in the Optional path considerations section work, in terms of providing explicit language? |
138aff5
to
0b68cd4
Compare
Besides the uPort/DIF implementation, what are other implementations that need to be notified of this change in spec? |
@mirceanis Great question. I'm working on an implementation as well. The only other one I can think of is @peacekeeper's universal resolver? |
@dmitrizagidulin, the uniresolver uses the uport driver which uses the implementation that is now hosted in DIF. |
This simple extension retains support for well-known URLs on bare domains and adds the option to specify a full path.
It implies that Dmitri's DID will be added to w3c-ccg.github.io.