Add more detail to DID Authentication section.

index.html

@@ -188,6 +188,9 @@ <h2>Overview</h2>
 
       </section>
 
+      <section id="conformance">
+      </section>
+
       <section class="informative">
         <h2>Terminology</h2>
 
@@ -196,7 +199,7 @@ <h2>Terminology</h2>
     </section>
 
     <section class="normative">
-      <h2>Query Types</h2>
+      <h2>Query and Response Types</h2>
 
       <p>
 The <dfn>query type</dfn> serves as the main extension point mechanism for
@@ -303,36 +306,146 @@ <h3>Query By Frame</h3>
       </section>
 
       <section>
-        <h3>DID Authentication Request</h3>
+        <h3>DID Authentication</h3>
+
+        <p>
+This section defines how a <a>verifier</a> can request that a
+<a>holder</a> performs a Decentralized Identifier-based Authentication
+[[?DID-CORE]]. In its simplest form, the authentication protocol is comprised
+of a challenge by the <a>verifier</a> and a response by a <a>holder</a>:
+        </p>
 
-        <pre class="example nohighlight" title="A DIDAuth request">
+        <pre class="example" title="A DID Authentication request">
 {
-  query: [{
-    type: 'DIDAuth'
+  "query": [{
+    "type": "DidAuthentication"
   }],
-  challenge: '99612b24-63d9-11ea-b99f-4f66f3e4f81a',
-  domain: 'example.com'
+  "challenge": "99612b24-63d9-11ea-b99f-4f66f3e4f81a",
+  "domain": "example.com"
 }
         </pre>
 
-        <p>Response:</p>
+        <p>
+The DID Authentication request above specifies that the <a>verifier</a> would
+like the <a>holder</a> to demonstrate control over a DID by generating a
+digital signature over the provided challenge. The <a>holder</a> might respond
+by providing the following response:
+        </p>
 
-        <pre class="example nohighlight" title="A DIDAuth response">
+        <pre class="example" title="A DID Authentication response">
 {
-  "@context": ["https://www.w3.org/2018/credentials/v1"],
+  "@context": ["https://www.w3.org/2022/credentials/v2"],
   "type": "VerifiablePresentation",
   "holder": "did:example:12345",
   "proof": {
-    "proofPurpose": "authentication",
-    "type": "Ed25519Signature2018",
+    "type": "DataIntegritySignature",
+    "cryptosuite": "eddsa-2022",
+    "verificationMethod": "did:example:12345#key-1",
     "challenge": "99612b24-63d9-11ea-b99f-4f66f3e4f81a",
     "domain": "example.com",
-    "created": "2020-06-06T21:05:13Z",
-    "verificationMethod": "did:example:12345#z6Mkkg...",
-    "jws": "..."
+    "created": "2022-02-25T14:58:42Z",
+    "proofPurpose": "authentication",
+    "proofValue": "z3FXQjecWufY46...UAUL5n2Brbx"
   }
 }
         </pre>
+
+        <section>
+          <h3>The DID Authentication Query Format</h3>
+
+          <p>
+The DID Authentication query format enables a <a>verifier</a> to request that a
+<a>holder</a> authentication in specific ways. A DID Authentication query
+MUST be of the following form:
+          </p>
+          <table class="simple">
+            <tr>
+              <th>Property</th>
+              <th>Description</th>
+            </tr>
+            <tr>
+              <td>type</td>
+              <td>
+a REQUIRED string value that MUST be set to <code>DIDAuthentication</code>.
+              </td>
+            </tr>
+            <tr>
+              <td>didMethod</td>
+              <td>
+An optional set of one or more values that conveys the DID Methods that are
+supported by the <a>verifier</a>. If only one DID Method is listed, the value
+MUST be a string containing the DID Method name. If more than one DID Method is
+listed, the value MUST be an array of string values and each string value
+MUST be a string containing the DID Method name. Listing multiple values
+expresses that the <a>verifier</a> would accept any DID Method listed. Valid
+example values include: <code>"key"</code> and <code>["key", "web"]</code>.
+              </td>
+            </tr>
+            <tr>
+              <td>cryptosuite</td>
+              <td>
+An optional string value that conveys a cryptography suite that MUST be
+used by the <a>holder</a> to generate a cryptographic proof. Valid example
+values include: <code>"eddsa-2022"</code>, <code>"ecdsa-2022"</code> and
+<code>"bbs-2022"</code>.
+              </td>
+            </tr>
+          </table>
+
+          <p>
+The following example demonstrates that the <a>verifier</a> would like the
+<a>holder</a> to utilize the DID Web Method and the 2022 ECDSA cryptography
+suite to authenticate over the established communication channel, such as the
+Credential Handler API (CHAPI):
+          </p>
+
+          <pre class="example"
+            title="A DID Authentication request using did:web and ecdsa-2022">
+{
+  "query": [{
+    "type": "DidAuthentication",
+    "didMethod": "web",
+    "cryptosuite": "ecdsa-2022"
+  }],
+  "challenge": "99612b24-63d9-11ea-b99f-4f66f3e4f81a",
+  "domain": "example.com"
+}
+          </pre>
+
+          <p>
+The next example demonstrates that the <a>verifier</a> would like the
+<a>holder</a> to utilize either the DID Key or DID Web Method and the 2022 EdDSA
+cryptography suite, and optionally also include a cryptographic proof that they
+are capable of performing a 2022 BBS proof, and authenticate over a different
+communication channel, in this case utilising a Verifiable Credential API HTTP
+endpoint:
+          </p>
+
+          <pre class="example" title="A complex DID Authentication request">
+{
+  "query": [{
+    "type": "DidAuthentication",
+    "didMethod": ["key", "web"],
+    "cryptosuite": "ecdsa-2022"
+  }, {
+    "type": "DidAuthentication",
+    "required": false,
+    "didMethod": ["key", "web"],
+    "cryptosuite": "bbs-2022"
+  }],
+  "challenge": "zLEwtBYgQVNR4tyeo",
+  "domain": "didauth.example",
+  "interact": {
+    "service": [{
+      "type": "UnmediatedHttpPresentationService2021",
+      "serviceEndpoint": "https://didauth.example/exchanges/zYRo25k7G2UVWkrNt"
+    }]
+  }
+}
+          </pre>
+
+        </section>
+
       </section>
 
       <section>