-
Notifications
You must be signed in to change notification settings - Fork 45
Resolvers MUST NOT return properties if signature validation fails #66
Conversation
@@ -1657,7 +1657,8 @@ <h1>DID Resolvers</h1> | |||
</li> | |||
|
|||
<li> | |||
MAY offer the service of returning requested properties of the DID Document. | |||
MAY offer the service of returning requested properties of the DID Document. If this service is offered and the DID Document is |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I suggest we change this language to "If this service is offered and the entire DID Document can not be verified per the rules in the corresponding DID Method Specification, then the Resolver MUST return an error."
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
... which raises another problem w/ the spec. We probably need a separate spec for resolvers. We should take all these resolver requirements out of the DID Spec and put them in a Resolver specification.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Slight tweak to manu's suggestion, I think we can just say "DID Document" not "entire DID Document".
I also don't know if we need a separate spec for resolvers -- perhaps a separate section would suffice. It just depends on how much content there is, IMO.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think that verifying the "corresponding DID Method Specification" is not enough. I wanted to stress here that IF the document is signed then that signature MUST be validated and requested properties are only returned by the service IF the signature is valid.
This is different to what @msporny suggests and I would like to keep my text.
If the DID Document is a JSON-LD then it SHOULD also match its @context but first the signature MUST be valid before properties are returned.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
i am a bit lost on the purpose of this spec. Is the normative description of the resolver in scope or should that be in a separate document. If it is normative to the resolver, then that fact should be clearly stated somewhere normative.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I believe that the above " first the signature MUST be valid before properties are returned" is not correct in the sense that signatures must have been valid at the time they were made, which doesn't require that they are currently valid. This mistake seems to be made over and over in ccg docs. It is important and must not be propagated. The CCG cannot override existing known good security practices.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could you please elaborate? If the resolver is tasked to return content of a signed document then that signature must be valid or the resolver must resolver must not return content of the document if the signature of the document is not valid.
If the signing key was revoked because it was compromised then the resolver should not return content but indicate an error this fatal condition.
What do you mean by the signature being once valid and not being valid at another point in time? Oscillating validity?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
not at all - there are a variety of reasons for a signature to be invalid at a point in time. This biggest reason is that the validity period expired. If that is the reason, then the signature could have be valid at the time the documents was signed, but not at the current time. I would not accept the limitation that the did doc should fail to be returned in that case.
This PR is stuck at present, waiting for @AxelNennker to make changes or suggest alternatives. |
Included @manu 's proposal to check for specific DID method checks. Also added a security related note about what went wrong in the past when signature validation and property extraction were separate.
Hi @msporny |
This should be addressed by the DID Resolution spec: https://github.com/w3c-ccg/did-resolution/ |
Based on Example 4 in https://w3c-ccg.github.io/did-spec/#did-subject, is there a strict requirement for a DID Document to be signed to be considered a valid DID Document?
|
@mwherman2000 There is no requirement for a DID Document to be signed, and it is very important to understand that a signature on a DID Document does NOT prove that it is (or ever was) the correct DID Document for a given DID. The only way to ensure that is to go through the DID Resolution process. See Binding of Identity. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think it is prudent security advise that any system that acts on the content of a signed document should validate the signature and very likely discard the content if the validation fails.
Checking the signing key to something or somebody is a separate and more complicated topic.
@@ -1657,7 +1657,8 @@ <h1>DID Resolvers</h1> | |||
</li> | |||
|
|||
<li> | |||
MAY offer the service of returning requested properties of the DID Document. | |||
MAY offer the service of returning requested properties of the DID Document. If this service is offered and the DID Document is |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think that verifying the "corresponding DID Method Specification" is not enough. I wanted to stress here that IF the document is signed then that signature MUST be validated and requested properties are only returned by the service IF the signature is valid.
This is different to what @msporny suggests and I would like to keep my text.
If the DID Document is a JSON-LD then it SHOULD also match its @context but first the signature MUST be valid before properties are returned.
Just created issue w3c/did-resolution#13 so we can also track this topic over there in the DID Resolution spec. |
Closing. Thanks, Markus! |
Resolvers MUST NOT return DID Document properties if signature validation fails
Preview | Diff