Re: Single Use Key Pairs: Disposable Private Keys?

I don’t agree with you that some of your proposed use cases below would be best served by single use certificates, as the signer of those “assets” may desire to establish a greater acceptance of their signing credentials.  For example, the Signer of a document (e.g., PO, invoice, etc.) is the legally bound entity, and so you need to have a long-standing certificate.

Leonard

From: Michael Herman (Trusted Digital Web) <mwherman@parallelspace.net>
Date: Monday, December 13, 2021 at 11:33 AM
To: Leonard Rosenthol <lrosenth@adobe.com>, sam@prosapien.com <sam@prosapien.com>, public-credentials (public-credentials@w3.org) <public-credentials@w3.org>
Subject: Re: Single Use Key Pairs: Disposable Private Keys?
To gently pick on your words a bit Leonard, there's *way too much focus* on Identity ...the infinitesimally smallest class of digitally identifiable objects on the planet.
For any singleton VC (e.g. any NFT asset - photo, calf, kiss, purchase order, invoice, waybill, ...), they can be signed with a single-use key-pair and then the private key can be thrown away/discarded (i.e. not persisted).
This is a tremendous security-driven improvement for the most numerous classes of VCs on the planet and elsewhere.
Cheers,
Michael Herman
Founder
Trusted Digital Web
...inspired by Sam and KERI.

Get Outlook for Android<https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Faka.ms%2FAAb9ysg&data=04%7C01%7Clrosenth%40adobe.com%7Cf51fd04564914ecc850908d9be564423%7Cfa7b1b5a7b34438794aed2c178decee1%7C0%7C0%7C637750099986800340%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=rpIjvshbvrYQdgWRt7AQ1MN3c5FDYNOKAfTCG9G0TG4%3D&reserved=0>
________________________________
From: Leonard Rosenthol <lrosenth@adobe.com>
Sent: Monday, December 13, 2021 6:18:40 AM
To: Michael Herman (Trusted Digital Web) <mwherman@parallelspace.net>; sam@prosapien.com <sam@prosapien.com>; public-credentials (public-credentials@w3.org) <public-credentials@w3.org>
Subject: Re: Single Use Key Pairs: Disposable Private Keys?


Michael – interesting question.



The main reason for keeping the private key around would be if that key is associated with an identity that wishes to establish a history of “trust” by signing multiple objects/documents over time.  If, however, there are reasons why there is no need to do that or you are situation where it is not possible to keep it around (e.g., hardware/memory/storage), then it is fine to dispose of it.



Leonard



From: Michael Herman (Trusted Digital Web) <mwherman@parallelspace.net>
Date: Saturday, December 11, 2021 at 11:50 PM
To: sam@prosapien.com <sam@prosapien.com>, public-credentials (public-credentials@w3.org) <public-credentials@w3.org>
Subject: Single Use Key Pairs: Disposable Private Keys?

If an NFT (for a photo, a calf, or a kiss, etc.) or a unique one-of-a-kind business document (a specific purchase order, invoice, waybill, delivery confirmation, etc.) is represented as a (signed) verifiable credential, once the proof is generated for the VC, is it necessary to persist the private key used to sign the VC?

...can't the private key be thrown away if it is no longer needed to sign anything further?

...that is, only the public key needs to be persisted and keyed to the VC's outer id and stored in the corresponding DID document?

... inspired by the early part of Sam's KERI ssimeetup talk.



Michael Herman

Founder

Trusted Digital Web

Get Outlook for Android<https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Faka.ms%2FAAb9ysg&data=04%7C01%7Clrosenth%40adobe.com%7Cf51fd04564914ecc850908d9be564423%7Cfa7b1b5a7b34438794aed2c178decee1%7C0%7C0%7C637750099986810314%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=g42kvN3bvGvbGqwJM%2BfNkpB26ZmRk8p1R95Y%2F5o4xXQ%3D&reserved=0>

Received on Monday, 13 December 2021 19:28:31 UTC