Re: M2M DID Auth

On 5/27/20 6:21 AM, Dominic Wörner wrote:
> I'm interested in the use case of M2M (Server 2 Server) Authentication.
> The machines know each others DIDs. I don't want to reinvent the wheel
> and I'd like to reuse standard software as much as possible.

Digital Bazaar has been using DIDs + HTTP Signatures to do M2M DID Auth
for a number of years now:

https://datatracker.ietf.org/doc/draft-ietf-httpbis-message-signatures/

Fundamentally, all you need to do is use the "Signing HTTP Messages"
spec to digitally sign a set of headers that you send to a server. The
signature field ends up looking something like this in the HTTP Header:

digest: mh=uEiDZpOV3dMk5HrfX1fyxkKMMlNCwWW4xc8DN9lPuXTzKIQ
authorization: Signature
  keyId="did:v1:z6MkjpLLk1R5BLPcvdd3s5EUDhsfJEagJtKXsMHkoWdkRKBT#z6MkjpLLk1R5BLPcvdd3s5EUDhsfJEagJtKXsMHkoWdkRKBT",
  headers="(key-id) (created) (expires) (request-target) host content-type digest",
  signature="ZQeG4EJ3Ea7gYkhIeHGuGPA8UrDitPlk6zK7qGwSuXq/nki589HsVJ97o/4+PyEN3m8qCcyAp0ivtil45wDXAQ==",
  created="1590590592826",
  expires="1590591192826"

In the example above (pulled from our digital wallet implementation when
speaking w/ an Encrypted Data Vault)... the digest field is digitally
signed using a did:v1 key.

Fundamentally, all you need is a DID and the "Signing HTTP Messages"
spec to do M2M DID Auth. We also have M2M Authorization Capability
invocation working in the same way. All of this is well beyond the
experimental/proof of concept phase, with the newest code bases headed
toward production (so we feel pretty good about where the solution is at
right now).

-- manu

-- 
Manu Sporny - https://www.linkedin.com/in/manusporny/
Founder/CEO - Digital Bazaar, Inc.
blog: Veres One Decentralized Identifier Blockchain Launches
https://tinyurl.com/veres-one-launches

Received on Wednesday, 27 May 2020 14:49:52 UTC
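The header shapes in the message above, worked through as an added example (not code from Digital Bazaar, its wallet or Encrypted Data Vault implementation, or anyone on the thread). It computes a digest value in the page's "mh=u..." form (multibase base64url of a sha2-256 multihash), builds the signing string from the covered headers in the order the "headers" parameter lists them, signs it with Ed25519, and verifies it with the coverage and freshness checks a receiving server should apply before trusting the caller's DID. The DID key id, request body and target path are constructed placeholders; the verifier is handed the public key directly, whereas a real verifier would resolve it from the DID document named by keyId; the ten-minute created/expires window mirrors the timestamps in the example; the Ed25519 step needs the `cryptography` package, everything else is standard library.

```python
"""Added example: DID-keyed HTTP Message Signatures (cavage/httpbis draft style).

Not code from the thread or from Digital Bazaar. Values marked constructed are
placeholders; the 'cryptography' package is needed only for sign/verify.
"""
import base64
import hashlib
import re
import time

# Constructed sample values (not from the original message).
SAMPLE_DID_KEY_ID = "did:example:z6MkCONSTRUCTED#z6MkCONSTRUCTED"
SAMPLE_BODY = b'{"id": "urn:uuid:constructed-example"}'
SAMPLE_TARGET = "/edvs/constructed/documents"
# Headers a verifier must see covered, so the body, host and time window are bound.
REQUIRED_COVERED = {"(created)", "(expires)", "(request-target)", "host", "digest"}


def multihash_digest_header(body: bytes) -> str:
    """Digest header value as on the page: 'mh=u' + base64url (no padding) of a
    multihash, where 0x12 = sha2-256 and 0x20 = 32-byte digest length."""
    mh = b"\x12\x20" + hashlib.sha256(body).digest()
    return "mh=u" + base64.urlsafe_b64encode(mh).rstrip(b"=").decode("ascii")


def signing_string(covered, params, method, target, headers) -> str:
    """The bytes actually signed: one 'name: value' line per covered header, in the
    listed order, joined by '\\n' with no trailing newline. Parenthesised pseudo-
    headers take their value from the signature params or the request line."""
    lower = {k.lower(): v for k, v in headers.items()}
    lines = []
    for name in covered:
        if name == "(key-id)":
            value = params["keyId"]
        elif name in ("(created)", "(expires)"):
            value = params[name.strip("()")]
        elif name == "(request-target)":
            value = f"{method.lower()} {target}"
        elif name in lower:
            value = lower[name]
        else:
            raise ValueError(f"covered header missing from request: {name}")
        lines.append(f"{name}: {value}")
    return "\n".join(lines)


def parse_signature_params(authorization: str) -> dict:
    """Parse 'Signature k="v",k2="v2",...' into a dict of string parameters."""
    scheme, _, rest = authorization.partition(" ")
    if scheme != "Signature":
        raise ValueError("not an HTTP Signature authorization header")
    return dict(re.findall(r'(\w+)="([^"]*)"', rest))


def check_window(params: dict, now_ms: int, max_skew_ms: int = 60_000) -> bool:
    """Freshness check: reject signatures created in the future (beyond clock skew)
    or already expired. Timestamps follow the page's example and are milliseconds."""
    created, expires = int(params["created"]), int(params["expires"])
    return created <= now_ms + max_skew_ms and expires > now_ms


def sign_request(private_key, key_id, method, target, headers, covered, created_ms, ttl_ms):
    """Client side: produce the Authorization header value (raw Ed25519 sig, base64)."""
    params = {"keyId": key_id, "created": str(created_ms), "expires": str(created_ms + ttl_ms)}
    data = signing_string(covered, params, method, target, headers).encode("utf-8")
    sig = base64.b64encode(private_key.sign(data)).decode("ascii")
    return (f'Signature keyId="{key_id}",headers="{" ".join(covered)}",signature="{sig}",'
            f'created="{params["created"]}",expires="{params["expires"]}"')


def verify_request(public_key, authorization, method, target, headers, now_ms) -> bool:
    """Server side: parse params, enforce coverage and freshness, then check the
    signature over the signing string rebuilt from the received request."""
    from cryptography.exceptions import InvalidSignature
    params = parse_signature_params(authorization)
    covered = params.get("headers", "").split(" ")
    if not REQUIRED_COVERED.issubset(covered) or not check_window(params, now_ms):
        return False
    data = signing_string(covered, params, method, target, headers).encode("utf-8")
    try:
        public_key.verify(base64.b64decode(params["signature"]), data)
    except (InvalidSignature, ValueError):
        return False
    return True


if __name__ == "__main__":
    from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey
    sk = Ed25519PrivateKey.generate()          # stands in for the did:v1 key pair
    now = int(time.time() * 1000)
    headers = {"host": "vault.example", "content-type": "application/json",
               "digest": multihash_digest_header(SAMPLE_BODY)}
    covered = ["(key-id)", "(created)", "(expires)", "(request-target)",
               "host", "content-type", "digest"]
    auth = sign_request(sk, SAMPLE_DID_KEY_ID, "POST", SAMPLE_TARGET, headers, covered, now, 600_000)
    print("authorization:", auth)
    print("verifies:", verify_request(sk.public_key(), auth, "POST", SAMPLE_TARGET, headers, now + 1000))
    tampered = dict(headers, digest=multihash_digest_header(b"{}"))  # body swapped in transit
    print("tampered body verifies:",
          verify_request(sk.public_key(), auth, "POST", SAMPLE_TARGET, tampered, now + 1000))
```

The verifier rebuilds the signing string from what it actually received, so a swapped body changes the digest header and the signature no longer checks, and a replay outside the created/expires window is rejected before any signature work is done.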