Re: [EXT] Re: [Potential Malicious Mail]Re: Query: Storing DID Documents on Centralized Platforms

On Wed, Feb 14, 2024 at 9:46 AM Drummond Reed <Drummond.Reed@gendigital.com>
wrote:

> Vigas, if you want more insight into the vulnerability of the DID doc (and
> how to address it), I recommend this blog post
> <https://www.trustoverip.org/news/2023/12/15/announcing-public-review-of-the-didwebs-method-specification/>
> that explains the purpose of the did:webs method task force at ToIP.
>

You might also want to look at did:onion
https://github.com/BlockchainCommons/did-method-onion . It basically used
the did:web style of /well-known paths and DID documents, but has the
advantage that a) you know that you can't connect to the onion server to
download the DID document unless the holder has a working private key that
matches the public key in the onion address, b) you can include that key in
the DID document you offer, and c) you can sign the entire DID document
with that same key.

We did a minimal proof of concept at
https://github.com/BlockchainCommons/torgap-demo — I'm not sure that the
demo server is still live, but the code works. It was written a few years
ago, so not sure the "did:web"-like functionality is current, but should be
close.

We are also working this month on something related, which uses SSH keys,
SSH detached signatures, and SSH signed git commits. SSH offers an IETF
alternative for signing, and is already in use by GitHub as an alternative
to GPG. Let me know if anyone is interested in that project.

-- Christopher Allen

Received on Wednesday, 14 February 2024 19:27:43 UTC
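
Added example, not part of the original message and not code from the did-method-onion or torgap-demo repositories: a sketch of the check behind point (b) above, that the key offered in the DID document is the one the onion address itself commits to. It assumes the identifier is `did:onion:` followed by the 56-character v3 onion label and that the document carries the key as an Ed25519 `publicKeyJwk`; the sample key and document are constructed, and verifying the document signature from point (c) is not covered.

```python
import base64
import hashlib
import hmac

VERSION = b"\x03"  # version byte of a v3 onion address

def checksum(pubkey: bytes) -> bytes:
    # Tor v3 address checksum: first 2 bytes of SHA3-256(".onion checksum" | key | version)
    return hashlib.sha3_256(b".onion checksum" + pubkey + VERSION).digest()[:2]

def onion_label(pubkey: bytes) -> str:
    """Encode a 32-byte Ed25519 public key as a 56-character v3 onion label."""
    return base64.b32encode(pubkey + checksum(pubkey) + VERSION).decode().lower()

def pubkey_from_did(did: str) -> bytes:
    """Return the Ed25519 key embedded in a did:onion identifier, or raise ValueError."""
    prefix = "did:onion:"  # assumed identifier layout, see lead-in
    label = did[len(prefix):]
    if not did.startswith(prefix) or len(label) != 56:
        raise ValueError("not a did:onion identifier with a v3 onion label")
    raw = base64.b32decode(label.upper())  # binascii.Error is a ValueError
    pubkey, check, version = raw[:32], raw[32:34], raw[34:]
    if version != VERSION or check != checksum(pubkey):
        raise ValueError("onion label fails version or checksum test")
    return pubkey

def doc_key_matches_did(did: str, doc: dict) -> bool:
    """True if the document is for this DID and lists the key the address commits to."""
    expected = pubkey_from_did(did)
    if doc.get("id") != did:
        return False
    for vm in doc.get("verificationMethod", []):
        jwk = vm.get("publicKeyJwk", {})  # assumed key representation
        if jwk.get("kty") != "OKP" or jwk.get("crv") != "Ed25519":
            continue
        x = jwk.get("x", "")
        key = base64.urlsafe_b64decode(x + "=" * (-len(x) % 4))
        if hmac.compare_digest(key, expected):
            return True
    return False

# Constructed sample: a fixed 32-byte value standing in for a real service key.
SAMPLE_KEY = bytes(range(32))
SAMPLE_DID = "did:onion:" + onion_label(SAMPLE_KEY)

def sample_doc(key: bytes) -> dict:
    x = base64.urlsafe_b64encode(key).rstrip(b"=").decode()
    jwk = {"kty": "OKP", "crv": "Ed25519", "x": x}
    return {"id": SAMPLE_DID,
            "verificationMethod": [{"id": SAMPLE_DID + "#key-1", "publicKeyJwk": jwk}]}
```

A document served with any other key fails this check even if it arrives over the expected onion connection, which is what lets a resolver treat the address as the root of trust for the document.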