W3C home > Mailing lists > Public > public-credentials@w3.org > December 2018

Re: Ideas about DID explanation

From: Manu Sporny <msporny@digitalbazaar.com>
Date: Tue, 11 Dec 2018 10:00:49 -0500
To: Lucas T├ętreault <lucas@vivvo.com>, Tom Jones <thomasclinganjones@gmail.com>, "daniel.hardman@evernym.com" <daniel.hardman@evernym.com>, "kim@learningmachine.com" <kim@learningmachine.com>
Cc: Credentials Community Group <public-credentials@w3.org>
Message-ID: <aea42c73-6801-0ecb-ec6c-cb8b2f461b38@digitalbazaar.com>
On 12/11/18 8:43 AM, Lucas T├ętreault wrote:
> What I'm stuck on right now is keys that have been breached vs. keys
>  that were rotated for some other reason?

We are exploring the possibility of annotating the reason for the key
rotation (expiration, revocation due to loss, etc.)

> If a key was breached then presumably any and all credentials that 
> were signed with it should be revoked. Thoughts?

If you can note when the key was breached in the DID Document (or
elsewhere) when you revoke it, then you don't need to revoke all
credentials that were signed with it.

Also note that many high-stakes issuers are most likely going to use
HSMs, so if there is a breach, they will only revoke credentials during
when they thought their system was vulnerable due to the private keys
being difficult/impossible to exfiltrate from their hardware-secured
storage.

-- manu

-- 
Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny)
Founder/CEO - Digital Bazaar, Inc.
blog: Veres One Decentralized Identifier Blockchain Launches
https://tinyurl.com/veres-one-launches
Received on Tuesday, 11 December 2018 15:01:17 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 11 December 2018 15:01:18 UTC