Re: DID-Auth

I think it was mostly Kyle Den Hartog (who attended RWoT#5) with some
input from others who used that Google doc for brainstorming on
DID-Auth, and yes we've had some discussions on this during the DIF calls.

Thanks for your feedback and adding some pointers, +1 to re-using what's
already there.

Personally, think the term DID-Auth has been used quite a bit but is
currently not really well-defined.
It could be understood as an umbrella term for "proving control over a
DID", and perhaps also more broadly as "proving something else such as
possession of a credential".

This high-level concept of DID-Auth can manifest itself in various ways:

- /Proof of control over a DID on a transport layer/ -> DID-TLS,
CurveCP, CurveZMQ

- /Proof of control over a DID on the HTTP layer/ -> HTTP-Signatures

- /Proof of control over a DID and proof of possession of a credential
inside a browser/ -> Credential Handler API

- /Proof of control over a DID via more complex flows involving
browsers, redirects, mobile apps, etc., potentially transport-agnostic/
-> Some kind of challenge/response pattern using LD-Signatures, see
DID-Auth diagrams from RWoT#4

For the BCGov project, I feel like a mix of these will be required,
looking forward to further discussions during the calls and at RWoT.

Markus

On 02/06/2018 05:03 PM, Manu Sporny wrote:
> On 02/06/2018 08:20 AM, Markus Sabadello wrote:
>> I would love this group's input on how to approach this in a way that
>> is re-usable and complementary with other community efforts.
> Hmm, just found this in the link you sent, Markus:
>
> https://docs.google.com/document/d/1Lt0uMvSuv094Bb-5XvVKNqNFEDrlWm3acy1O5-vVZu4/edit#
>
> Feels like DIF is duplicating work that is also being done in this CG.
> We should talk about making sure we're not duplicating effort when we
> discuss this in the CG.
>
> -- manu
>