Newcomer: How to specify multiple keys (RSA, SECP256K1) in a DID document

[kaimeinke]

Dear did-core community,

as a newcomer to the DID specs I would like to learn how I can specify multiple keypairs in a DID document. In this example it should be RSA (incl. the certificate to validate the chain of trust) and SECP256K1 (for use in transactions in EVM-compatible DLT context).

If this is not the right place to ask, please excuse me for bringing it here. I would gladly take any recommendation where to turn with my question. Thanks a lot for your patience.

From the specs I anticipate I need to complete every of the following properties twice for each keypair:

• authentication
• assertionMethod
• verificationMethod

For the RSA keys I want to expose a serviceEndpoint to retrieve the X509 certificate to check it against Trust Anchors in the eIDAS context.

Is this valid with one id and controller?

This is an example of how I envision it right now and I would be happy to take any advice as I could not find a fitting straightforward example, but a similar example like EXAMPLE 31: DID Document with many different key types.

Thanks a lot for your help.
Kai

    "@context": [
        "https://www.w3.org/ns/did/v1",
        "https://w3id.org/security/suites/jws-2020/v1",
        "https://w3id.org/security/suites/secp256k1-2019/v1",
      ],
    "id" : "did:web:exampledomain.com",
    "assertionMethod" : [
        {
            "controller": "did:web:exampledomain.com",
            "id": "did:web:exampledomain.com#918a8e68f4374c7ea347cd765f754617",
            "type" : "EcdsaSecp256k1VerificationKey2019",
            "publicKeyJwk" : {
                "alg" : "ES256K",
                "crv" : "secp256k1",
                "kid" : "918a8e68f4374c7ea347cd765f754617",
                "kty" : "EC",
                "use" : "sig",
                "x" : "GbAPnwci7RSsF8eiE7WdMlMfxUBnnywglxAiDru0Jjk",
                "y" : "BNsZpL09OdMzDR-daDfDvJPN8i8suVM62LZd8UcyR4k"
            }
          },
        {
            "controller" : "did:web:exampledomain.com",
            "id" : "did:web:exampledomain.com#6b8779c2a89143fa8969337aab1673ed",
            "type" : "RsaVerificationKey2018",
            "publicKeyJwk" : {
                "alg" : "RS256",
                "kid" : "6b8779c2a89143fa8969337aab1673ed",
                "kty" : "RSA",
                "use" : "sig"
            }
        },
    ],
    "authentication" : [
        {
            "controller": "did:web:exampledomain.com",
            "id": "did:web:exampledomain.com#918a8e68f4374c7ea347cd765f754617",
            "type" : "EcdsaSecp256k1VerificationKey2019",
            "publicKeyJwk" : {
                "alg" : "ES256K",
                "crv" : "secp256k1",
                "kid" : "918a8e68f4374c7ea347cd765f754617",
                "kty" : "EC",
                "use" : "sig",
                "x" : "GbAPnwci7RSsF8eiE7WdMlMfxUBnnywglxAiDru0Jjk",
                "y" : "BNsZpL09OdMzDR-daDfDvJPN8i8suVM62LZd8UcyR4k"
            }
          },
        {
            "controller" : "did:web:exampledomain.com",
            "id" : "did:web:exampledomain.com#6b8779c2a89143fa8969337aab1673ed",
            "type" : "RsaVerificationKey2018",
            "publicKeyJwk" : {
                "alg" : "RS256",
                "kid" : "6b8779c2a89143fa8969337aab1673ed",
                "kty" : "RSA",
                "use" : "sig"
            }
        },
    ],
    "verificationMethod" : [
        {
            "controller": "did:web:exampledomain.com",
            "id": "did:web:exampledomain.com#918a8e68f4374c7ea347cd765f754617",
            "type" : "EcdsaSecp256k1VerificationKey2019",
            "publicKeyJwk" : {
                "alg" : "ES256K",
                "crv" : "secp256k1",
                "kid" : "918a8e68f4374c7ea347cd765f754617",
                "kty" : "EC",
                "use" : "sig",
                "x" : "GbAPnwci7RSsF8eiE7WdMlMfxUBnnywglxAiDru0Jjk",
                "y" : "BNsZpL09OdMzDR-daDfDvJPN8i8suVM62LZd8UcyR4k"
            }
          },
        {
            "controller" : "did:web:exampledomain.com",
            "id" : "did:web:exampledomain.com#6b8779c2a89143fa8969337aab1673ed",
            "type" : "RsaVerificationKey2018",
            "publicKeyJwk" : {
                "alg" : "RS256",
                "kid" : "6b8779c2a89143fa8969337aab1673ed",
                "kty" : "RSA",
                "use" : "sig"
            }
        },
        ],
    "services": [
        {
            "id": "did:web:exampledomain.com#6b8779c2a89143fa8969337aab1673ed#x509PublicKey",
            "type": "X509PublicKey",
            "serviceEndpoint": "https://exampledomain.com/.well-known/x509PublicKey.pem"
        },
        {
            "id": "did:web:exampledomain.com#6b8779c2a89143fa8969337aab1673ed#x509CertificateChain",
            "type": "X509Certificate",
            "serviceEndpoint": "https://exampledomain.com/.well-known/x509CertificateChain.pem"
        }
    ]
}

[peacekeeper]

@kaimeinke No need to repeat the keys.. I think this is what you want:

{
	"@context": [
		"https://www.w3.org/ns/did/v1",
		"https://w3id.org/security/suites/jws-2020/v1",
		"https://w3id.org/security/suites/secp256k1-2019/v1"
	],
	"id": "did:web:exampledomain.com",
	"assertionMethod": [
		"did:web:exampledomain.com#918a8e68f4374c7ea347cd765f754617",
		"did:web:exampledomain.com#6b8779c2a89143fa8969337aab1673ed"
	],
	"authentication": [
		"did:web:exampledomain.com#918a8e68f4374c7ea347cd765f754617",
		"did:web:exampledomain.com#6b8779c2a89143fa8969337aab1673ed"
	],
	"verificationMethod": [{
			"controller": "did:web:exampledomain.com",
			"id": "did:web:exampledomain.com#918a8e68f4374c7ea347cd765f754617",
			"type": "EcdsaSecp256k1VerificationKey2019",
			"publicKeyJwk": {
				"alg": "ES256K",
				"crv": "secp256k1",
				"kid": "918a8e68f4374c7ea347cd765f754617",
				"kty": "EC",
				"use": "sig",
				"x": "GbAPnwci7RSsF8eiE7WdMlMfxUBnnywglxAiDru0Jjk",
				"y": "BNsZpL09OdMzDR-daDfDvJPN8i8suVM62LZd8UcyR4k"
			}
		},
		{
			"controller": "did:web:exampledomain.com",
			"id": "did:web:exampledomain.com#6b8779c2a89143fa8969337aab1673ed",
			"type": "RsaVerificationKey2018",
			"publicKeyJwk": {
				"alg": "RS256",
				"kid": "6b8779c2a89143fa8969337aab1673ed",
				"kty": "RSA",
				"use": "sig"
			}
		}
	],
	"services": [{
			"id": "did:web:exampledomain.com#6b8779c2a89143fa8969337aab1673ed#x509PublicKey",
			"type": "X509PublicKey",
			"serviceEndpoint": "https://exampledomain.com/.well-known/x509PublicKey.pem"
		},
		{
			"id": "did:web:exampledomain.com#6b8779c2a89143fa8969337aab1673ed#x509CertificateChain",
			"type": "X509Certificate",
			"serviceEndpoint": "https://exampledomain.com/.well-known/x509CertificateChain.pem"
		}
	]
}

[peacekeeper]

Regarding the service endpoints, did:web:exampledomain.com#6b8779c2a89143fa8969337aab1673ed#x509PublicKey is not a good idea, since multiple # characters are invalid per the DID URL syntax and generic URI syntax.

[OR13]

You can look at the examples from did;key here: https://did.key.transmute.industries/

and find replace the did:key:...# part...

[kaimeinke]

Dear @peacekeeper and @OR13 thank you very much, this was super helpful.

Will check the DID:KEY example right away.

I will remove the multiple # characters as they are not allowed. Then I would replace these IDs with URIs such as

"services": [
                {
			"id": "exampledomain.com/.well-known/x509PublicKey",
			"type": "X509PublicKey",
			"serviceEndpoint": "https://exampledomain.com/.well-known/x509PublicKey.pem"
		},
		{
			"id": "exampledomain.com/.well-known/x509CertificateChain",
			"type": "X509Certificate",
			"serviceEndpoint": "https://exampledomain.com/.well-known/x509CertificateChain.pem"
		}
]

[kaimeinke]

I think we can close this one for now and I would go from here with the following DID Document. Thanks for your quick and great help, I'll come back when we did the next steps of our integration.

{
	"@context": [
		"https://www.w3.org/ns/did/v1",
		"https://w3id.org/security/suites/jws-2020/v1",
		"https://w3id.org/security/suites/secp256k1-2019/v1"
	],
	"id": "did:web:exampledomain.com",
	"assertionMethod": [
		"did:web:exampledomain.com#918a8e68f4374c7ea347cd765f754617",
		"did:web:exampledomain.com#6b8779c2a89143fa8969337aab1673ed"
	],
	"authentication": [
		"did:web:exampledomain.com#918a8e68f4374c7ea347cd765f754617",
		"did:web:exampledomain.com#6b8779c2a89143fa8969337aab1673ed"
	],
	"verificationMethod": [{
			"controller": "did:web:exampledomain.com",
			"id": "did:web:exampledomain.com#918a8e68f4374c7ea347cd765f754617",
			"type": "EcdsaSecp256k1VerificationKey2019",
			"publicKeyJwk": {
				"alg": "ES256K",
				"crv": "secp256k1",
				"kid": "918a8e68f4374c7ea347cd765f754617",
				"kty": "EC",
				"use": "sig",
				"x": "GbAPnwci7RSsF8eiE7WdMlMfxUBnnywglxAiDru0Jjk",
				"y": "BNsZpL09OdMzDR-daDfDvJPN8i8suVM62LZd8UcyR4k"
			}
		},
		{
			"controller": "did:web:exampledomain.com",
			"id": "did:web:exampledomain.com#6b8779c2a89143fa8969337aab1673ed",
			"type": "RsaVerificationKey2018",
			"publicKeyJwk": {
				"alg": "RS256",
				"kid": "6b8779c2a89143fa8969337aab1673ed",
				"kty": "RSA",
				"use": "sig"
			}
		}
	],
	"services": [
        {
            "id": "exampledomain.com/.well-known/x509PublicKey",
            "type": "X509PublicKey",
            "serviceEndpoint": "https://exampledomain.com/.well-known/x509PublicKey.pem"
        },
        {
            "id": "exampledomain.com/.well-known/x509CertificateChain",
            "type": "X509Certificate",
            "serviceEndpoint": "https://exampledomain.com/.well-known/x509CertificateChain.pem"
        }
    ]
}