Re: Confusion regarding Domain linkage

Hi.

To follow the HTTP-01 approach, you’d need a challenge response (you send a challenge to their https endpoint and receive a response signed using the DID key) and of course you check the validity of the TLS certificate.

It is you (verifier of the challenge) who should issue/sign the domain linkage credential.

Alternative approach (I guess) would be to use the TLS certificate to sign the domain linkage credential and counter sign it with the DID key. I’m not sure whether TLS cert could be used for such operation (technically can be done).

BR, Alen

> On 21 Jul 2023, at 07:13, Vishwas Anand Bhushan <vishwas@hypermine.in> wrote:
> 
> Hey Orie,  
> 
> Thank you for quick response and that blog. 
> 
> So, as I understand, keeping did.json and did-configuration.json files in well-known folder is analogous to HTTP-01 challenge verification. And I think it depends on use case whether you need to go for DNS 01 challenge verification or not. I guess for most purpose HTTP-01 works. 
> 
>> You prove control over a DID by signing with keys registered to it
> 
> 
> This I understood.
> 
>> You prove control over an origin, by placing that signature at a well known location.
> 
> 
> When you say signature, are you referring to Domain Linkage credential which will be self signed? 
> 
> The way I was thinking was: 
>  - We ask user to enter their domain name in a form, 
>  - then they generate did:web DID (in did.json file), 
>  - then we ask them to keep did.json in their .well-known folder 
>  - then we verify if they have added did.json file in that folder or not and also if they own that did or not (by verifying the signature)
>  - then we issue them a domain linkage credential (in did-configuration.json) file which they can keep it in their .well-known folder. 
> 
> But not sure if this is correct way to do since as per spec domain linkage credential seems to be “self signed”.  
> 
> Thanks,
> Vishwas, CTO @ hypersign.id <http://hypersign.id/>
> 
>> On 20-Jul-2023, at 6:54 PM, Orie Steele <orie@transmute.industries <mailto:orie@transmute.industries>> wrote:
>> 
>> Sounds like you are trying to prove a bi-directional link exists between 2 identifiers.
>> 
>> You prove control over a DID by signing with keys registered to it.
>> You prove control over an origin, by placing that signature at a well known location.
>> 
>> This was inspired by how Lets Encrypt works:
>> 
>> https://letsencrypt.org/docs/challenge-types/
>> 
>> OS
>> 
>> On Thu, Jul 20, 2023 at 1:47 AM Vishwas Anand Bhushan <vishwas@hypermine.in <mailto:vishwas@hypermine.in>> wrote:
>>> Hi everyone, 
>>> 
>>> We are from hypersign.id <http://hypersign.id/> and our DID method did:hid is approved in w3c did registry. 
>>> 
>>> We are trying to figure out how can we link a DID with domain. Seems like did:web is used for that where in domain owner can generate did.json to keep their DID, and did-configuration.json to keep their self signed domain linkage credential  in their .well-known folder -  as per spec <https://identity.foundation/.well-known/resources/did-configuration/>.  But what I am unable to understand is, how does merely keeping some files in .well-known folder will prove that you own that domain unless you do ACME challenges (like DNS 01 challenge) verification. Say if you add TXT record and verify that then how does this verification can be linked to domain linkage credential since domain linkage credential seems to be a self signed credential by nature (see 5.1 <https://identity.foundation/.well-known/resources/did-configuration/#did-configuration-resource-verification>). It's quite confusing to me. Could someone please clarify this or share any documentation related to this use case? 
>>> 
>>> 
>>> Thanks,
>>> Vishwas, CTO @ hypersign.id <http://hypersign.id/>
>> 
>> 
>> -- 
>> 
>> ORIE STEELE
>> Chief Technology Officer
>> www.transmute.industries <http://www.transmute.industries/>
>>  <https://transmute.industries/>
>