RE: Ideas about DID explanation

All testing for X.509 and CRLs includes testing at different times to validate the expiry conditions. I would expect that DID testing would be at least as good.

Peace ..tom

________________________________
From: Daniel Hardman <daniel.hardman@evernym.com>
Sent: Monday, December 10, 2018 11:47:50 AM
To: kim@learningmachine.com
Cc: thomasclinganjones@gmail.com; Credentials Community Group
Subject: Re: Ideas about DID explanation

On Sat, Dec 8, 2018 at 1:18 PM Kim Hamilton Duffy <kim@learningmachine.com> wrote:
I’m not sure if I understand the question, but for some longer-lived claims it’s useful to be able to determine the keys associated with a DID at a given point in time. I think I’m the only one that keeps harping on this, so the need for this capability may be quite rare.

I don't think it will be rare at all. If I sign a legal contract in June and then someone is trying to verify it in December, surely it's the state of my key in June, NOT December, that matters? By that same reasoning, if I get a message signed by a DID's key, I should test whether the key was valid at the time the signature occurred--not the time of verification. In fact, if the key on the message is valid today, but it was NOT valid at the time of signing, I should reject the message, because that key only becomes valid when the public record says so. No?

The common operation of testing for the current keys associated with a DID is only useful to the extent that the act of using the keys to sign/encrypt and the act of decrypting/verifying are nearly simultaneous. If any of us are building systems where that is a strong assumption, I think we're creating fragility.

--Daniel

Received on Monday, 10 December 2018 19:54:52 UTC