- From: David Chadwick <d.w.chadwick@kent.ac.uk>
- Date: Wed, 15 Jun 2016 16:30:14 +0100
- To: Dave Longley <dlongley@digitalbazaar.com>, public-credentials@w3.org
On 15/06/2016 15:30, Dave Longley wrote:
> On 06/15/2016 06:00 AM, David Chadwick wrote:
>> [snip]
>>
>> On 15/06/2016 02:25, Manu Sporny wrote:
>>>
>>> The point isn't that something is irreparable - yes, most things can be
>>> fixed. It just takes an enormous amount of time, energy, money, and
>>> stress.
>>>
>>> ... and we can avoid all of this by using identifiers that are not
>>> cryptographic in nature (e.g. DIDs).
>>
>> But one still has to prove possession of the DID. Sure, it can be shown
>> that the DID was created at some point in the past, but what proves that
>> it was you who created it, and not some imposter saying that they
>> created it?
>
> I think what Manu meant is that a system where an identifier must be a
> fingerprint of a public key *and* the only way to prove
> ownership of it is to possess the matching private key is too brittle.

I think we are all agreed on that. After all, how do you prove that the original public key belongs to the physical you? There has to be a registration procedure. And a recovery procedure after losing your private key will be very similar to it.

>
> It would be fine, IMO, to originally generate a DID from the fingerprint
> of a public key, provided that this mechanism was only used to assert
> ownership when registering the identifier with other pieces of
> information that could be later used to also assert ownership should you
> lose the private key or should it become obsolete.

Exactly. This is also done today to recover lost passwords, is it not?

>
> At some point you should be able to essentially treat the DID as opaque
> and prove ownership through some other mechanism.

Then we are in agreement about this.

>
> I think we want *more* than just a public key fingerprint, but using
> that concept to bootstrap the process is perfectly fine.
>
>

My point is that some other random DID that is secured with a public key is no better as an ID than the public key (fingerprint) itself.

regards

David
Received on Wednesday, 15 June 2016 15:30:46 UTC