Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Encrypted serviceEndpoint values? #64

Open
dmitrizagidulin opened this issue Oct 5, 2019 · 4 comments
Assignees
Labels

Comments

@dmitrizagidulin
Copy link

@dmitrizagidulin dmitrizagidulin commented Oct 5, 2019

Would it be possible to add a mechanism for encrypting the value of either a) serviceEndpoint URLs, or b) both serviceEndpoint and service types?

Context: this came up in the context of the Solid spec, where there's interest in adopting the DID Document mechanism to replace or augment the existing WebID Document mechanism. One of the service endpoints that Solid webid docs use is to point to the OpenID Connect Issuer endpoint (similar to how we have OpenIdConnectVersion1.0Service type endpoint in the DID spec examples).
And so, the question that came up was: so right now we point to the user's OIDC endpoint in plain text. Would it be possible to obfuscate or encrypt this, instead?

I realize that this opens up a lot of really difficult topics, like how to combine encryption and access control (so that the DID Doc is still useful for discovery, but not for everybody, only for those who have appropriate keys/credentials).

I'm curious if others have came up against this use case or requirement, and how you're thinking of handling it.

@dmitrizagidulin

This comment has been minimized.

Copy link
Author

@dmitrizagidulin dmitrizagidulin commented Oct 9, 2019

@dlongley

This comment has been minimized.

Copy link
Contributor

@dlongley dlongley commented Oct 9, 2019

I think this problem would be better solved with a layer of indirection. So, specify some generic looking proxy service in your DID Document -- and it can map to something else where encryption (or whatever) can take place.

@dmitrizagidulin

This comment has been minimized.

Copy link
Author

@dmitrizagidulin dmitrizagidulin commented Oct 9, 2019

@dlongley I agree; that sort of privacy-preserving proxy will be a useful mechanism. I'd love to have at least a straw proposal of what that would look like (and what the protocol would be for interacting w it).

@peacekeeper

This comment has been minimized.

Copy link
Contributor

@peacekeeper peacekeeper commented Oct 9, 2019

@dlongley

.. specify some generic looking proxy service in your DID Document -- and it can map to something else

This has also come up in DID Resolution: https://w3c-ccg.github.io/did-resolution/#proxy, w3c-ccg/did-resolution#35. I think it's a good idea to support something like this. Not sure if any change is needed to the DID spec itself.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
4 participants
You can’t perform that action at this time.