
Re: Multi-sig DID auth & credentials

From: Orie Steele <orie@transmute.industries>
Date: Mon, 30 Nov 2020 12:50:08 -0600
Message-ID: <CAN8C-_JEMbz5M3PtktgqkfZOcx0bfLaYeK82Kmi0FyurTC18xg@mail.gmail.com>
To: Oleksandr Brezhniev <oleksandr.brezhniev@gmail.com>
Cc: "W3C Credentials CG (Public List)" <public-credentials@w3.org>
My recommendation would be that each suite for JSON-LD or companion spec in
the case of JOSE establish how multisig / thresholds / policies are
configured.

In Linked Data Signatures this is straightforward, you just write a spec
that explains how the proof is formed / validated and what special
configuration was necessary, for example see:

https://github.com/w3c-ccg/ldp-bbs2020

In JOSE, you would need to do something similar, and probably seek to have
it adopted as some kind of standard by IETF.

OS

On Tue, Nov 24, 2020 at 12:15 PM Oleksandr Brezhniev <
oleksandr.brezhniev@gmail.com> wrote:

> Hi everyone!
>
> I wonder if multiple signatures are supported by DID & VC standards. For
> example, a credential wallet on a child's phone could create
> DID requiring all VC presentations to be signed by the child and one of
> the parents. Or DID Auth requiring signatures from an employee
> and a manager to deploy to production or access strictly confidential
> information.
>
> While it's possible to request multiple credentials to cover such cases,
> it puts too much responsibility and trust on the requesting party.
> And also there's a whole range of real world credentials that require
> multiple signatures (where some of them may be optional / conditional),
> it would be strange to split them into separate credentials for each party's
> signature.
>
> I have found that both JWS and JSON LD Proofs allow including several
> signatures, but there are no strong rules for the verifier on
> how to proceed with this data. Also DID document VerificationMethod field
> description contains this information: “Verification methods
> might take many parameters. An example of this is a set of five
> cryptographic keys from which any three are required to contribute to
> a threshold signature”. And I assume all of them should be evaluated on
> DID auth/credential presentation (but don't think any wallet
> has implemented it).
>
> Anyway, in both cases it’s not clear where to specify the threshold (2 of
> 3 / 3 of 5). Is a custom Verification Method with defined
> properties needed? Or am I missing something?
>
>
> Best regards,
> Oleksandr Brezhniev
>
>

-- 
*ORIE STEELE*
Chief Technical Officer
www.transmute.industries

Received on Monday, 30 November 2020 18:50:32 UTC
