
Re: Multi-sig DID auth & credentials

From: Orie Steele <orie@transmute.industries>
Date: Mon, 30 Nov 2020 12:50:08 -0600
Message-ID: <CAN8C-_JEMbz5M3PtktgqkfZOcx0bfLaYeK82Kmi0FyurTC18xg@mail.gmail.com>
To: Oleksandr Brezhniev <oleksandr.brezhniev@gmail.com>
Cc: "W3C Credentials CG (Public List)" <public-credentials@w3.org>

My recommendation would be that each suite for JSON-LD or companion spec in
the case of JOSE establish how multisig / thresholds / policies are

In Linked Data Signatures this is straightforward, you just write a spec
that explains how the proof is formed / validated and what special
configuration was necessary, for example see:


In JOSE, you would need to do something similar, and probably seek to have
it adopted as some kind of standard by IETF.


On Tue, Nov 24, 2020 at 12:15 PM Oleksandr Brezhniev <
oleksandr.brezhniev@gmail.com> wrote:

> Hi everyone!
> I wonder if multiple signatures are supported by DID&VC standards. For
> example, a credential wallet on a child's phone could create
> DID requiring all VC presentations to be signed by the child and one of
> the parents. Or DID Auth requiring signatures from an employee
> and a manager to deploy to production or access strictly confidential
> information.
> While it's possible to request multiple credentials to cover such cases,
> it puts too much responsibility and trust on the requesting party.
> And also there's a whole range of real world credentials that require
> multiple signatures (where some of them may be optional / conditional),
> it would be strange to split them in separate credentials for each party's
> signature.
> I have found that both JWS and JSON LD Proofs allow including several
> signatures, but there are no strong rules for the verifier on
> how to proceed with this data. Also DID document VerificationMethod field
> description contains this information: “Verification methods
> might take many parameters. An example of this is a set of five
> cryptographic keys from which any three are required to contribute to
> a threshold signature”. And I assume all of them should be evaluated on
> DID auth/credential presentation (but don't think any wallet
> has implemented it).
> Anyway, in both cases it’s not clear where to specify the threshold (2 of
> 3 / 3 of 5). Is a custom Verification Method with defined
> properties needed? Or am I missing something?
> Best regards,
> Oleksandr Brezhniev

Chief Technical Officer

Received on Monday, 30 November 2020 18:50:32 UTC
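
The rule the thread asks about (the child plus one of the parents, counted over distinct keys) could be enforced on the verifier side roughly as follows. This is an added example, not part of the original messages or of any DID, VC or JOSE specification; the policy object (`required`, `threshold`, `keys`), the key ids and the payload are assumptions made for illustration.

```javascript
// Hypothetical policy shape {required, threshold, keys}; not defined by any DID, VC or JOSE spec.
const crypto = require("node:crypto");

function makeSigner(id) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ed25519");
  return { id, publicKey, privateKey };
}

// Detached Ed25519 signature over the payload bytes, tagged with the signer's key id.
function sign(signer, payload) {
  return { keyId: signer.id, signature: crypto.sign(null, payload, signer.privateKey) };
}

// Ids of distinct policy keys that produced a valid signature over payload.
function validSigners(policy, payload, proofs) {
  const seen = new Set();
  for (const proof of proofs) {
    const publicKey = policy.keys.get(proof.keyId); // Map lookup: unknown ids yield undefined
    if (!publicKey || seen.has(proof.keyId)) continue; // unlisted key, or key already counted
    if (crypto.verify(null, payload, publicKey, proof.signature)) seen.add(proof.keyId);
  }
  return [...seen].sort();
}

// Policy holds when every required key signed and enough distinct keys signed overall.
function meetsPolicy(policy, payload, proofs) {
  const signers = validSigners(policy, payload, proofs);
  return policy.required.every((id) => signers.includes(id)) && signers.length >= policy.threshold;
}

// Constructed scenario from the thread: the child plus one of two parents.
function demo() {
  const [child, parentA, parentB, stranger] = ["child", "parentA", "parentB", "stranger"].map(makeSigner);
  const policy = {
    required: ["child"],
    threshold: 2,
    keys: new Map([child, parentA, parentB].map((s) => [s.id, s.publicKey])),
  };
  const payload = Buffer.from('{"type":"VerifiablePresentation"}'); // constructed sample bytes
  const by = (...signers) => signers.map((s) => sign(s, payload));
  return {
    childAndParent: meetsPolicy(policy, payload, by(child, parentB)),
    childTwice: meetsPolicy(policy, payload, by(child, child)),
    parentsOnly: meetsPolicy(policy, payload, by(parentA, parentB)),
    childAndStranger: meetsPolicy(policy, payload, by(child, stranger)),
    alteredPayload: meetsPolicy(policy, Buffer.from("{}"), by(child, parentA)),
  };
}
console.log(demo());
```

Only the first case satisfies the policy; a repeated signature, a missing required signer, a key outside the policy and signatures over different bytes are all rejected.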
