
Multi-sig DID auth & credentials

From: Oleksandr Brezhniev <oleksandr.brezhniev@gmail.com>
Date: Tue, 24 Nov 2020 13:30:01 +0200
Message-ID: <CABsvQ0cV6X+yDn_nwD_4bewaOLUm==qenwGWfY93pNcouD2AfQ@mail.gmail.com>
To: public-credentials@w3.org

Hi everyone!

I wonder if multiple signatures are supported by the DID & VC standards. For
example, a credential wallet on a child's phone could create a DID requiring
all VC presentations to be signed by the child and one of the parents. Or
DID Auth requiring signatures from an employee and a manager to deploy to
production or access strictly confidential information.

While it's possible to request multiple credentials to cover such cases, it
puts too much responsibility and trust on the requesting party. Also,
there's a whole range of real-world credentials that require multiple
signatures (where some of them may be optional / conditional); it would be
strange to split them into separate credentials for each party's signature.

I have found that both JWS and JSON-LD Proofs allow including several
signatures, but there are no strong rules for the verifier on how to proceed
with this data. Also, the DID document VerificationMethod field description
contains this information: “Verification methods might take many parameters.
An example of this is a set of five cryptographic keys from which any three
are required to contribute to a threshold signature”. And I assume all of
them should be evaluated on DID auth/credential presentation (but I don't
think any wallet has implemented it).

Anyway, in both cases it’s not clear where to specify the threshold (2 of 3
/ 3 of 5). Is a custom Verification Method with defined
properties needed? Or am I missing something?


Best regards,
Oleksandr Brezhniev
Received on Tuesday, 24 November 2020 18:13:47 UTC
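
The verifier-side gap raised in the message above, as an added example that is not part of the original post or of any DID/VC specification: a verifier that checks every proof in a set and then evaluates a nested threshold policy (the child AND one of two parents). The policy shape, the `did:example` key ids and the demo secrets are hypothetical, and HMAC-SHA256 stands in for a real signature suite so the code runs with the standard library only.

```python
import hashlib
import hmac

# Constructed demo keys. HMAC-SHA256 is a stand-in for a real signature
# suite (an assumption made so the example needs no third-party library).
KEYS = {
    "did:example:child#key-1": b"child-demo-secret",
    "did:example:mom#key-1": b"mom-demo-secret",
    "did:example:dad#key-1": b"dad-demo-secret",
}

# Hypothetical policy shape: a node is either a key id string or
# {"threshold": k, "of": [nodes...]}. Here: child AND (mom OR dad).
CHILD_AND_ONE_PARENT = {
    "threshold": 2,
    "of": [
        "did:example:child#key-1",
        {"threshold": 1,
         "of": ["did:example:mom#key-1", "did:example:dad#key-1"]},
    ],
}

def sign(key_id, payload):
    """Build a constructed proof object for the demo."""
    mac = hmac.new(KEYS[key_id], payload, hashlib.sha256).hexdigest()
    return {"verificationMethod": key_id, "proofValue": mac}

def valid_signers(payload, proofs):
    """Return the set of key ids whose proof verifies over payload."""
    signers = set()
    for proof in proofs:
        key = KEYS.get(proof.get("verificationMethod"))
        if key is None:
            continue  # unknown key: never counts toward a threshold
        expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
        if hmac.compare_digest(expected, proof.get("proofValue", "")):
            signers.add(proof["verificationMethod"])  # set: repeats count once
    return signers

def satisfied(node, signers):
    """Evaluate a policy node against the verified signer set."""
    if isinstance(node, str):
        return node in signers
    met = sum(1 for child in node["of"] if satisfied(child, signers))
    return met >= node["threshold"]

def verify_presentation(payload, proofs, policy=CHILD_AND_ONE_PARENT):
    return satisfied(policy, valid_signers(payload, proofs))
```

Counting distinct verified key ids rather than proofs is what stops one party from meeting the threshold by attaching the same signature twice.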
