w3c-ccg · jose-gataca · Nov 12, 2020 · Dec 10, 2020
@@ -343,6 +343,14 @@ <h4><code>no-cache</code></h4>
 
 			</section>
 
+			<section id="resolving-input-authoirzation">
+				<h4><code>authorization<code></h4>
+				<p>The <code>authorization</code> input metadata property CAN be used to provide any kind of Authentication data .</p>
+				<p>This <var>input metadata property</var> is OPTIONAL.</p>
+				<p>The possible accepted values for this property may be defined by the <a>binding</a> implemented.</p>
+				<p>See Section <a href="#authentication"></a> for additional considerations.</p>
+			</section>
+
 		</section>
 
 	</section>
@@ -1082,6 +1090,7 @@ <h2>DID Resolution Metadata</h2>
 		<p>See also section <a href="https://w3c.github.io/did-core/#did-resolution-metadata-properties">DID Resolution Metadata Properties</a>
 		in [[DID-CORE]].</p>
 
+
 	</section>
 
 	<section id="output-documentmetadata">
@@ -1280,19 +1289,52 @@ <h1>Security and Privacy Considerations</h1>
 
 	<section id="authentication">
 		<h2>Authentication/Authorization</h2>
-		<p><a>DID resolution</a> and <a>DID URL dereferencing</a> do not involve any authentication or authorization
+		<!-- Response to Issue #38 -->
+		<p>It is RECOMMENDED that <a>DID resolution</a> and <a>DID URL dereferencing</a> do not involve any authentication or authorization
 		functionality. Similar to DNS resolution, anybody can perform the process, without requiring any credentials
 		or non-public knowledge.</p>
 
-		<p class="issue" data-number="38"></p>
+		<p><a>DID resolution</a> MAY require of Authorization. DIDs, either pairwise or N-wise
+			"peer" DIDs MAY be stored on restricted access DLTs requiring access-control capabilites for querying.</p>
+		<p>
+			Authentication MAY be required for:
+			<ul>
+				<li>
+					Access control
+				</li>
+				<li>
+					Usage statistics generation
+				</li>
+				<li>
+					Fraud detection
+				</li>
+				<li>
+					Compliance with business or IT regulations
+				</li>
+			</ul>
+		</p>
+		<p>
+			DIDs SHOULD be considered as global resources defined like an URI.
+		</p>
+			<p>See [[RFC3986]]:
+				<em> URIs have a global scope and are interpreted consistently regardless of context, though the
+				result of that interpretation may be in relation to the end-user's context.</em>
+		</p>
+
+		<p>
+			Authentication MAY be included on the DID Resolution Algorithm by using the <code>Authorization</code> property on the <a href="#resolving-input-metadata-properties">DID Input Metadata Properties</a>.
+		</p>
+		<p>
+			Errors on authentication or authorization MUST be reflected on the <code>Error code</code> property of the <a href="#output-resolutionmetadata">DID Resolution Metadata</a>
+		</p>
+
+		<p>
+			While specific Authentication protocols are out of scope of this document, they SHOULD be suited to the <a>binding</a> implementation of the <a>DID resolution</a> and <a>DID URL dereferencing</a> algorithms.
+			For the <a href="#bindings-https">HTTP(S) binding</a>, Authorization SHOULD be enforced through the HTTP Authorization Header. See [[RFC2616]] <a href="https://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html">section 14.8</a>.
+			While some bindings might automatically provide some kind of authentication on their definition, including that authentication on the resolution algorithm is OPTIONAL.
+		</p>
 
 		<div class="issue">
-		<p>Explain that DIDs are not necessarily <em>globally</em> resolvable, such as pairwise or N-wise
-		"peer" DIDs.</p>
-		<p>See [[RFC3339]]:
-		<em> URIs have a global scope and are interpreted consistently regardless of context, though the
-		result of that interpretation may be in relation to the end-user's context.</em>
-		</p>
 		<p>An advanced idea is that the result of DID resolution could be contextual or depend on policies,
 		see <a href="https://github.com/w3c-ccg/did-resolution/issues/28#issuecomment-510592199">this comment</a>.</p>
 		</div>