Need a way to specify multi-factor key/proof relationships

[msporny]

@csuwildcat wrote:

I would like to see DID Documents support the notion of keys/proofs being reliant on a combination of keys/proofs to be valid. Some attestations and auth requirements are what I would call 'mission critical', for example:

Say a government adopts decentralized identity systems, and integrates it into their court system. There may be many things that take just one signature from one key linked to the court entity to be authoritative, but some attestations may be so sensitive, with such a severe impact, that the court entity would want to put extra measures in place to up the ante on what it takes to be a valid attestation.

One such case: criminal conviction proofs.

In this case, a court entity may want to exclude any chance that a criminal conviction data object is ever created/signed with just a single key. They may want to specify that a set of three keys are reliant factors that must all sign something for it to be valid.

To do this, we could add a property on key descriptors that allowed the specification of another key in the owning entity's DID Document (or an external key ref, e.g. another DID's keys) that must be included for the key's use to be valid.

Pseudo code:

  {
    "id": "did:example:fooCountyCourt#keys-1",
    "type": "RsaCryptographicKey",
    "owner": "did:example:fooCountyCourt",
    "publicKeyPem": "-----BEGIN PUBLIC KEY...END PUBLIC KEY-----\r\n",
    "factors": [{
         "id": "did:example:fooCountyCourt#keys-2",
         "requirement": "sig"
       },
       {
         "id": "did:example:courtClerkOne#keys-3",
         "requirement": "sig"
       },
       {
         "id": "did:example:courtClerkTwo#keys-1",
         "requirement": "sig"
       }
     ]
  }

Migrated this issue from w3c-ccg/did-spec#29

[msporny]

Duplicate of #12. Closing.