W3C home > Mailing lists > Public > public-credentials@w3.org > June 2016

Re: Proof of possession

From: Dave Longley <dlongley@digitalbazaar.com>
Date: Wed, 15 Jun 2016 10:30:44 -0400
To: David Chadwick <d.w.chadwick@kent.ac.uk>, public-credentials@w3.org
Message-ID: <57616694.5060502@digitalbazaar.com>
On 06/15/2016 06:00 AM, David Chadwick wrote:
> [snip]
>
> On 15/06/2016 02:25, Manu Sporny wrote:
>>
>> The point isn't that something is irreparable - yes, most things can be
>> fixed. It just takes an enormous amount of time, energy, money, and stress.
>>
>> ... and we can avoid all of this by using identifiers that are not
>> cryptographic in nature (e.g. DIDs).
>
> But one still has to prove possession of the DID. Sure, it can be shown
> that the DID was created at some point in the past, but what proves that
> it was you who created it, and not some imposter saying that they
> created it?

I think what Manu meant is that a system where an identifier must be a 
fingerprint of a public key *and* the only way to prove
ownership of it is to possess the matching private key is too brittle.

It would be fine, IMO, to originally generate a DID from the fingerprint
of a public key, provided that this mechanism was only used to assert
ownership when registering the identifier with other pieces of
information that could be later used to also assert ownership should you
lose the private key or should it become obsolete.

At some point you should be able to essentially treat the DID as opaque
and prove ownership through some other mechanism.

I think we want *more* than just a public key fingerprint, but using
that concept to bootstrap the process is perfectly fine.


-- 
Dave Longley
CTO
Digital Bazaar, Inc.
http://digitalbazaar.com
Received on Wednesday, 15 June 2016 14:31:15 UTC

This archive was generated by hypermail 2.3.1 : Wednesday, 11 July 2018 21:19:29 UTC