Comments (15)
If all signature methods are out of scope, we should still have examples in the document. All examples need to have concrete references and clear pointers to the required bits to understand things. In particular, RsaSignature2018 needs references to JWS, JWS detached, and a few others. These can be informative if it's not a normative example.
An aside, normative statements still need to be in the document for where the signatures interact with the document itself.
from did-core.
@OR13 wrote:
I think both RSASignature2018 and RS256 / JOSE are external references
Yes, they're both external references, but of very different kinds. One is to an ad-hoc registry administered by a community group that will eventually dissolve. The other is to an IANA registry backed by stable standards (mostly RFC). We should excise external references of the first kind, due to the instability of the reference target. We should embrace external reference of the latter kind, to reuse existing standards and implementations.
from did-core.
As described in #9 , using existing JSON based signature methods would reduce the footprint of new standards that we would have to create to build a functioning DID and DID method ecosystem.
from did-core.
The specification should clearly state that proof mechanisms are outside of the scope of the specification. I'd argue that the specification should probably remove the proof property as well. If people want to use JSON-LD + Linked Data Security mechanisms they can do that... if folks want to use JWS, they can do that too, but protecting DID Documents using either mechanisms shouldn't be mandated or prevented by the spec.
from did-core.
This will need to be discussed in the group. We had previously (at the 2019 DID WG meeting at W3C TPAC) agreed that we were not going to put normative statements like this into the specification as how a DID Document is secured was out of scope.
from did-core.
I believe this is blocked by the discussion of the registries. I tend to agree with concern of external dependencies, being a risk... separate from the discussion of the defintion of a signature suite and where that would happen. I think both RSASignature2018 and RS256 / JOSE are external references.... so this does seem like a tricky topic, worth tackling after we have better registry conversation.
from did-core.
Normative functionality used by the specification should either be in final specifications, such as W3C recommendations or IETF RFCs, or defined by the specification itself. This is closely related to issue #169, where RsaSignature2018 is an example of functionality not currently normatively defined in this manner.
This is also closely releated to the decision to establish registries for use by the specification.
from did-core.
@selfissued I mostly agree with your position on this. I'm worried about external dependencies that will become stale / difficult to update.
from did-core.
We have made progress in not pointing to external dependencies, we have stuff in our registry now to half-solve this issue:
https://w3c.github.io/did-core-registries/#publickey
from did-core.
We need to decide what Signature Suites and Verification Keys are in DID Core, and what go in extensions.
from did-core.
The other part of this issue is if the spec should say anything about signature formats. My assertion is that it shouldn't and leave that to other specs to define. However, doing things like key representations should be in scope.
from did-core.
The original issue was about RsaSignature2018 and RsaVerificationKey2018. PR #307 replaces these examples. The rest of the discussion in this issue - about defining things that are mentioned in the spec - I think is covered in #272, and by ongoing work on the Registries (so, propose closing?).
from did-core.
I recommend we close this for the same reasons expressed in #9 for closing.
from did-core.
The RSA Verification Key examples have been changed to Ed25519 ones. There is a different issue opened for updating the JWK examples, see #171.
That means that this issue can be closed now.
from did-core.
No comments since marked pending close, closing.
from did-core.
Related Issues (20)
- [Question] Confusion about DID creation process HOT 6
- How to apply new DID Method Specification? HOT 1
- DID Spec PDF? HOT 1
- did:web:example.com:@bengo should be a valid did - can we add '@' to the syntax for 'idchar'? HOT 6
- [email protected]
- Fix assertion narrative clearly define the authoritative claims made when DID Key Controllers are not the DID Controller of the Document HOT 21
- Broken links
- Dock throws exception while verifying VC HOT 1
- Can we create DID in godiddy ? HOT 2
- What is revocation? HOT 1
- One foundational key representation please HOT 5
- How to actually identify the DID subject? HOT 12
- DID Document processing when media type is unknown HOT 4
- Confusion regarding threshold for DID controllers HOT 2
- Request for Guidance on Normalization Rules Enforcement HOT 4
- DID Resolution: Proof of inclusion of DID document in state of Verifiable Data Registry HOT 9
- How to Understand the DID Identification
- Move normative definition of Verification Methods and Controller Documents to Data Integrity HOT 8
- Missing comma in JSON-LD snippet for Example 1 of DID core HOT 1
- DID Parameters: Service - only fragment or complete id? HOT 2
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from did-core.