Comments (7)
dhh1128
commented on September 28, 2024
3
I don't think we have this risk, if the KEL/TEL has to record the URL at which the KEL is published. Am I wrong?
from tswg-did-method-webs-specification.
2byrds
commented on September 28, 2024
I don't think we have this risk, if the KEL/TEL has to record the URL at which the KEL is published. Am I wrong?
Yes, I agree that anchoring the did:webs to the KEL/TEL is a simple/thorough strategy. It looks like we have agreement in the group on that. So we'll add information about the events that support this.
IF in the future there will be other options as well, like a DID document published for discovery purposes and thus using the BADA RUN security characteristics.... then we need to document that for the reader so that they can understand the difference between the two, especially from a security PoV.
from tswg-did-method-webs-specification.
peacekeeper
commented on September 28, 2024
Is this really a problem, if I publish somebody else's KERI event stream on my domain name?
What attacks or other problems can this possibly enable?
In pretty much any DID method, I can add somebody else's public keys into my DID document, so what, what's the harm? I can't prove control of the DID anyway, since I don't have the private keys.
from tswg-did-method-webs-specification.
2byrds
commented on September 28, 2024
Is this really a problem, if I publish somebody else's KERI event stream on my domain name?
What attacks or other problems can this possibly enable?
In pretty much any DID method, I can add somebody else's public keys into my DID document, so what, what's the harm? I can't prove control of the DID anyway, since I don't have the private keys.
I believe there were two discussed goal, both relying on the did:webs document becoming non-verifiable if it is retrieved on an unsanctioned domain:
-
Domains carry associated meaning for most users. Therefore, the domain I choose to host my did:webs should be under my control (via verification) so that I can choose that association (domain). We are hopefully creating an internet with real identity verification where users can 'tune out' resources/sites/information that aren't verifiable. So if you recreate my did:webs identifier on your domain without my consent, no user who has the verification filter turned on will ever see it there.... Hopefully I'm not conflating concepts by adding that this seems similar to the checks my browser does with web certs and the domain of a website that i visit
-
We want to create a verifiable way to track the movement away from previously verifiable domains. That is related to number 1 but is more about tracking where I have chosen to host my did:webs over time. You used to be able to find my verifiable identifier hosted at domainOld but now it is hosted at domainNew.
Wondering a little more.... for verifications that are expensive (giant KELs/TELs that reference other giant KELs/TELs, etc), could an attacker force expensive verifications by creating did:webs documents that drive users to out-dated or incorrect information that takes significant resources to verify? I would want users/systems to know where they can find my sanctioned/most-up-to-date did:webs and I would choose a domain and associated infrastructure that is most reliable.
from tswg-did-method-webs-specification.
swcurran
commented on September 28, 2024
IMHO — there is no problem with publishing a DID and all of it’s data on another web server. The “id” and any “alsoKnownAs” entries in the DIDDoc would not match the location of the DID, but there is not a problem.
The use of “id” and the ability to (in Web terms) redirect the discovery of the DIDDoc (etc.) to use another web location is so that after the redirection, DIDs that may exist in published documents anywhere in the world (e.g. in registries, verifiable credentials, and so on) that point to the old site can be seen verified on the new as being intentional synonyms defined by the controller.
Of course, that works fine if the web redirection is automatic. It doesn’t do so well if there is not a web redirection and the resolver has to use some other discovery technique. The AID and the KERI log enables verification wherever they are found.
from tswg-did-method-webs-specification.
2byrds
commented on September 28, 2024
We will discuss this and related issues at today's meeting
from tswg-did-method-webs-specification.
2byrds
commented on September 28, 2024
Designated aliases feature as documented, handles the authority of the domain hosting the did:webs identifier
from tswg-did-method-webs-specification.
Related Issues (20)
- Reorder section 7 to emphasize the DID Method Operations and add Create/Update details HOT 5
- Security Characteristics are difficult to relate to did:webs HOT 2
- ABNF definition of method in section 6.2 not a full ABNF specification HOT 1
- Terminology needs to be aligned and KERI only question (related) HOT 10
- International and Unicode domain names
- Too much informative text; normative requirements not clear enough HOT 2
- Glossary Terms - ToIP & did:webs alignment HOT 3
- KERI Version strings all legacy in example jsons
- State document conventions regarding normative statements, informative statements, etc.
- Request to add did:webs to the DID method registry HOT 1
- Align blog post with Muggles session HOT 1
- attribute more contributors or editors HOT 2
- Direct mode AIDs are not the simplest, are they? HOT 1
- Discuss spec versioning and did document verification
- Spoofing did:webs didDocs HOT 7
- Cleanup defs and/or terminology.md HOT 4
- Remove the “Transformations” section, or at least the “did:peer” part of it HOT 2
- Full Example section paragraph is difficult for a newbie to parse and match with JSON HOT 2
- Can we shift or somehow de-emphasize the terminology section? HOT 4
- why must FQDN not include IP addresses? HOT 2
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from tswg-did-method-webs-specification.