In the following example DID Document:

{
  "@context": "https://w3id.org/did/v1",
  "id": "did:key:z6MknxumoAwcGrjM3M4N8bWSTDZLwRgMxChytWqqWe2E4d14",
  "assertionMethod": [
    "did:key:z6MknxumoAwcGrjM3M4N8bWSTDZLwRgMxChytWqqWe2E4d14"
  ],
  "authentication": [
    "did:key:z6MknxumoAwcGrjM3M4N8bWSTDZLwRgMxChytWqqWe2E4d14"
  ],
  "capabilityDelegation": [
    "did:key:z6MknxumoAwcGrjM3M4N8bWSTDZLwRgMxChytWqqWe2E4d14"
  ],
  "capabilityInvocation": [
    "did:key:z6MknxumoAwcGrjM3M4N8bWSTDZLwRgMxChytWqqWe2E4d14"
  ],
  "keyAgreement": [
    {
      "id": "did:key:z6MknxumoAwcGrjM3M4N8bWSTDZLwRgMxChytWqqWe2E4d14#zC3hrJ5iJGYJ8FmaChkJf66ttRGkMh6gtpZuqM2hc9dEcK",
      "type": "X25519KeyAgreementKey2019",
      "controller": "did:key:z6MknxumoAwcGrjM3M4N8bWSTDZLwRgMxChytWqqWe2E4d14",
      "publicKeyBase58": "4D8aiXV5AYqpfXEFLp67wjD82UYjXzHKg2YKBcokWzW7"
    }
  ],
  "publicKey": [
    {
      "id": "did:key:z6MknxumoAwcGrjM3M4N8bWSTDZLwRgMxChytWqqWe2E4d14",
      "type": "Ed25519VerificationKey2018",
      "controller": "did:key:z6MknxumoAwcGrjM3M4N8bWSTDZLwRgMxChytWqqWe2E4d14",
      "publicKeyBase58": "9WejCvhAwKEsvrDfT2Ybc81M7rQWYKTdCVvugN4D9QDg"
    }
  ]
}

... the id of the public Ed25519VerificationKey2018 is the same as the id of the subject of the DID Document. Isn't the idea that id values should be unique and refer to one specific thing?

Update the x25519 fingerprint prefix bytes to 0xec, as per multiformats/multicodec#144.

It appears the private key material is getting dropped on the floor in the generate API. I expect that I would be able to get the LDKeyPair instance returned along with the DID document. Is that an improper expectation?

https://github.com/digitalbazaar/did-method-key-js/blob/master/lib/driver.js#L88-L91

Ideally, verification suites would be renamed to key types -- and a driver instance could support N-many of these. Otherwise N-many driver instances must be created and mapped and managed externally.

This is particularly true for using get() -- where systems may want a driver that can resolve multiple different did:key types. The driver should support detecting the multikey header used and use the appropriate key type to import and generate the DID document.

Previously when I used this library the methodFor function would act as a

convenience function that returns the public/private key pair instance for a given purpose (authentication, assertionMethod, keyAgreement, etc). - See current code comment here

It no longer appears to do this.

Is there now a different way to use this library to get the requisite private keys (with id and controller) required for the vc.js library?

So I understand that the multibaseMultikeyHeader is the first 4 characters of a multibase public key and that the first character is the algorithm identifier as defined by this spec.

Example: This public key from the docs z6MkpTHR8VNsBxYAAWHut2Geadd9jSwuBV8xRoAnwWsdvktH has a header of z6Mk

Where do the other 3 characters come from? Are these 3 characters where I could use a mnemonic for hierarchical deterministic wallets?

The recent update to CI has setup lint and coverage to be run in two separate nodejs runtimes, no need for that, please make lint and coverage run only in node 14.

https://github.com/digitalbazaar/did-method-key-js/blob/master/.github/workflows/main.yml#L22-L41

Not compiling in Node 12:

npm i

> [email protected] install ~/code/_DigitalBazaar/uni-resolver-did-v1-driver/node_modules/equihash
> node-gyp rebuild

  CXX(target) Release/obj.target/khovratovich/lib/khovratovich/addon.o
../lib/khovratovich/addon.cc:28:11: error: no member named 'Handle' in namespace 'v8'

I am attempting to use this library with https://github.com/digitalbazaar/ecdsa-secp256k1-verification-key-2019.

This requires a few tweaks like adding the fromFingerprint method. But after I get round that I run into an error when running:

const secpDidController = await didKeyDriverSecp.fromKeyPair({
    verificationKeyPair: secpKeyPair
});

The error is Error: Cannot derive key agreement key from verification key type "EcdsaSecp256k1VerificationKey2019".
After digging into the code it appears that the error comes from here

My question is why is this an error, can't you just generate the DID document without a key agreement key?

I added a specific case for EcdsaSecp256k1VerificationKey2019 with just a break, similar to the Multikey case and the DID doc generated fine.

Now using node v12.16.0 (npm v6.14.4)

[email protected] /Users/orie/Desktop/Code/Transmute/did.actor
└── [email protected] 

const didKeyDriver = require("did-method-key").driver();

 FAIL  __tests__/make-degree.spec.js
  ● Test suite failed to run

    /Users/orie/Desktop/Code/Transmute/did.actor/node_modules/x25519-key-pair/node_modules/node-forge/lib/aes.js:1
    TypeError: Cannot read property 'modes' of undefined
    at Object.<anonymous> (node_modules/x25519-key-pair/node_modules/node-forge/lib/aes.js:254:43)

The did:key spec now contains multiple normative statements about did:key. While we do throw many errors related to those statements, we don't throw them in a way that conforms to the spec.

I'm proposing that checks that can be made at the general level of any did:key be made here and then checks related to key material be made in their respective libraries.

That means the following checks need to be made in this library:

• MUST raise invalidDid error if scheme is not did (NOTE: this check might be needed elsewhere)
• MUST raise invalidDid error if method is not key (this check is did:key specific)
• MUST raise invalidDid if version is not convertible to a positive integer value.
• MUST raise invalidDid if the multibaseValue does not begin with the letter z.

The errors might be specific to the didResolver:

• If "didDocument.id" is not a valid DID, an invalidDid error MUST be raised
• If verificationMethod.id is not a valid DID URL, an invalidDidUrl error MUST be raised.
• For Signature Verification Methods, if options.enableExperimentalPublicKeyTypes is set to false and publicKeyFormat is not Multikey, JsonWebKey2020, or Ed25519VerificationKey2020, an invalidPublicKeyType error MUST be raised.
• For Encryption Verification Methods, if options.enableExperimentalPublicKeyTypes is set to false and publicKeyFormat is not Multikey, JsonWebKey2020, or X25519KeyAgreementKey2020, an invalidPublicKeyType error MUST be raised.
• If verificationMethod.controller is not a valid DID, an invalidDid error MUST be raised.

We can throw an error like this:

export class InvalidDid extends Error {
  constructor(message) {
    super(message);
    this.name = 'InvalidDidError';
    this.code = 'invalidDid';
  }
}

export class InvalidDidUrl extends Error {
  constructor(message) {
    super(message);
    this.name = 'InvalidDidUrlError';
    this.code = 'invalidDidUrl';
  }
}

Related:
digitalbazaar/ed25519-verification-key-2020#18
w3c-ccg/did-method-key#60

The did:key 0.7 spec introduces some options (with defaults) in the document creation algorithm.

The options are:

• publicKeyFormat (should be multiKey or Ed25519VerificationKey2020)
• enableExperimentalPublicKeyTypes (defaults to false)
• defaultContext (defaults to [https://www.w3.org/ns/did/v1])
• enableEncryptionKeyDerivation (should be true to enable keyAgreementKey )

These options should be passed in on didDocument creation regardless of if creating from from privateKey or publicKey seed.

These options also have some validation rules behind them:

• If publicKeyFormat is not known to the implementation, an unsupportedPublicKeyType error MUST be raised.
• If options.enableExperimentalPublicKeyTypes is set to false and publicKeyFormat is not Multikey, JsonWebKey2020, or Ed25519VerificationKey2020, an invalidPublicKeyType error MUST be raised.
• If options.enableExperimentalPublicKeyTypes is set to false and publicKeyFormat is not Multikey, JsonWebKey2020, or X25519KeyAgreementKey2020, an invalidPublicKeyType error MUST be raised.

I noticed that the dh key uses a fragment in the identifier, but the ed25519 key doesn't use the identifier. Is this intentional @dmitrizagidulin ?

https://github.com/digitalbazaar/did-method-key-js/blob/a224aec5097c9f083a91982a752b9e3a0d453e4f/lib/driver.js#L58

I propose we rename this repo to something like did-method-key-driver or did-method-key-js. And open the current did-method-key name for the repo that contains the DID Method Definition spec (so it can be submitted to the CCG).

We should add examples and tests showing X25519-based DIDs. These are different from DIDs that use Ed25519 and then include a converted X25519 keyAgreement verification method. These DIDs use only X25519 and use the X25519 multibase-multikey header in the DID itself.

It would be fantastic to have Typescript declaration files.

P-256 multikeys should have a keyAgreement section in DID docs so they can be used as key agreement keys if that's the desirable use for the key (as opposed to for signature verification via the other typical verification relationships).

Wondering if there is way to use did:key to encode a root public key and an hd path...

This would let you use the same entropy source for many different did:keys... At resolve time, each did:key would be decoded, and then the hd path would be applied... bonus points if you can ask for ethereum or bitcoin addresses via the hd path... this would make did key a weird cousin of did:ethr and did:btcr...

Its only referenced in the package.json,

Top of the readme should point to the Method Spec imo:

https://digitalbazaar.github.io/did-method-key/

Refactor did:key resolver lib to reflect the API changes in digitalbazaar/did-io#50. (did-io now contains the DIDDocument class, changes the get() return type to a plain JSON object instead of did doc instance.)

See also veres-one/did-veres-one#56

  console.log tests/__fixtures__/documentLoader.js:23
    did:key:z6MkfBth5EfE8HgwtA9YfGgBCqqerTaeSKPPjy5aFHumngqj

  console.log tests/__fixtures__/documentLoader.js:23
    https://w3id.org/did/v1

 FAIL  tests/did-method-spec-conformance.spec.js
  did core spec > method conformance
    ✕ did:key (313ms)

  ● did core spec > method conformance › did:key

    The property "assertionMethod" in the input was not defined in the context.

      at Object.<anonymous>.module.exports.info (node_modules/jsonld-signatures/lib/expansionMap.js:9:11)
      at _expandObject (node_modules/jsonld/lib/expand.js:439:26)
      at Object.<anonymous>.api.expand (node_modules/jsonld/lib/expand.js:246:9)

https://w3id.org/did/v1 does not define assertionMethod, despite did:key relying on it.

• Update lib to use cryptold@4 which has simplified dependencies.
• Possibly change the name of the repo to did-method-key
• scope the 1.0.0 package under @digitalbazaar

Others?

@dlongley @dmitrizagidulin I assume you may prefer for this to actually be added to crypto-ld. I'm eager to get this into DID Key, any quick advice that I might be able to follow to get a PR started on this.

We use https://github.com/bitauth/bitcoin-ts WASM module for browser support.

There are also:

• https://www.npmjs.com/package/elliptic

https://www.npmjs.com/package/did-method-key

The HomePage on npm still points at:
http://github.com/digitalbazaar/did-method-key

that should probably be updated to the newer spec repo.

The repo link should probably point here:
https://github.com/digitalbazaar/did-method-key-js

When using the npm page for did-method-key it's not immediately apparent where the code base and/or spec are.

This library is nearly there with JsonWebKey2020 support it just needs:

1. to remove the representationNotSupported check for publicKeyFormat JsonWebKey2020`
2. Add logic to convert an Ed25519 2020 key to JsonWebKey2020
3. Add tests to ensure resulting didDocument is ok

error: Error: While trying to resolve module @digitalbazaar/did-method-key from file C:\Users\***\Work\***\app\lib\did.ts, the package C:\Users\***\Work\***\\node_modules\@digitalbazaar\did-method-key\package.json was s
uccessfully found. However, this package itself specifies a main module field that could not be resolved (C:\Users\***\\Work\***\\node_modules\@digitalbazaar\did-method-key\index. Indeed, none of these files exist:

• C:\Users*\Work*\node_modules@digitalbazaar\did-method-key\index(.native|.android.jsx|.native.jsx|.jsx|.android.js|.native.js|.js|.android.ts|.native.ts|.ts|.android.tsx|.native.tsx|.tsx|.android.cjs|.native.cjs|.cjs|.
• C:\Users*\Work*\node_modules@digitalbazaar\did-method-key\index\index(.native|.android.jsx|.native.jsx|.jsx|.android.js|.native.js|.js|.android.ts|.native.ts|.ts|.android.tsx|.native.tsx|.tsx|.android.cjs|.native.cjs|
  .cjs|.android.json|.native.json|.json)

https://digitalbazaar.github.io/did-method-key/#the-did-key-format

{
  "crv": "P-256",
  "ext": true,
  "key_ops": [
    "verify"
  ],
  "kty": "EC",
  "x": "FJ6hTzeQwP93G3gE1B-2M5nlOHQl-kWw7uhQ-oNWop8",
  "y": "96FI6LJJ5dOM9ew4whZqfFOTFiJ81Ejz4HqEYFymvJE"
}

Feels like this should be pretty easy to accomplish... x and y need to be converted to a single buffer: Buffer.concat([base64url.toBuffer(x),base64url.toBuffer(y)]) ?

and we need a new entry here: https://github.com/multiformats/multicodec/blob/545181e8038b2112e92636cbc5395ac3fabb855c/table.csv#L73

for the multicodec representation of p-256 public key.

This would allow did:key to be used with nonextractable browser keys, and would unlock a lot of other functionality, including in browser JOSE support...

Apparently we should be using
https://w3id.org/did/v0.11
rather than the not-yet-standardized:
https://www.w3.org/ns/did/v1
The recent changes should be reverted.

@dlongley What story should docs, changelogs, etc have for developers to understand how to deal with this issue and the eventual migration issue?

We have API changes to properly multiple key types (as identified by multibase-multikey headers) in #55. We should figure out how we want to layer using different public key formats on top of it -- or decide that it's not appropriate to do that at all and either:

1. A different driver instance should be created with different fromMultibase plugins, OR
2. Presume that cryptosuites should allow all the different formats they accept and perform the necessary conversions.