On Wed, Feb 14, 2024 at 9:46 AM Drummond Reed <Drummond.Reed@gendigital.com>
wrote:
> Vigas, if you want more insight into the vulnerability of the DID doc (and
> how to address it), I recommend this blog post
> <https://www.trustoverip.org/news/2023/12/15/announcing-public-review-of-the-didwebs-method-specification/>
> that explains the purpose of the did:webs method task force at ToIP.
>
You might also want to look at did:onion
https://github.com/BlockchainCommons/did-method-onion . It basically used
the did:web style of /well-known paths and DID documents, but has the
advantage that a) you know that you can't connect to the onion server to
download the DID document unless the holder has a working private key that
matches the public key in the onion address, b) you can include that key in
the DID document you offer, and c) you can sign the entire DID document
with that same key.
We did a minimal proof of concept at
https://github.com/BlockchainCommons/torgap-demo — I'm not sure that the
demo server is still live, but the code works. It was written a few years
ago, so not sure the "did:web"-like functionality is current, but should be
close.
We are also working this month on something related, which uses SSH keys,
SSH detached signatures, and SSH signed git commits. SSH offers an IETF
alternative for signing, and is already in use by GitHub as an alternative
to GPG. Let me know if anyone is interested in that project.
-- Christopher Allen