Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: add did management design doc #3375

Open
wants to merge 3 commits into
base: main
Choose a base branch
from

Conversation

dbluhm
Copy link
Contributor

@dbluhm dbluhm commented Dec 3, 2024

This PR closes #3343.

This adds a design document synthesized from the discussion and comments of #3343.

Feedback is welcome!

Copy link
Contributor

@PatStLouis PatStLouis left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great document!

- **Value:** The key material
- **Tags:**
- `KeyAlg`: Implicit tag indicating the key algorithm (e.g. `ed25519`)
- `did`: The DID associated with the key
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

is this limited to 1 did or can it be a list of dids?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The intent is for this one to be a single DID. If this key is bound to multiple DIDs, there will be multiple key records, each one uniquely identified by the verification method ID of the key in that DID's document.

@jamshale
Copy link
Contributor

jamshale commented Dec 4, 2024

Looks good to me. I'm going to read it over a couple more times this week, but I think it addresses concerns I've had with my limited experience of the problem.


[Askar](https://github.com/openwallet-foundation/askar) is the secure storage solution used by ACA-Py. Askar encrypts all data and provides a tagging mechanism to enable lookup of encrypted records. An entry in Askar is composed of the following elements:

- **Category:** The major group or "bucket" that the entry belongs to.
Copy link
Contributor

@swcurran swcurran Dec 11, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice to have examples of what we use these for. That does comes later, but nice to have up front. :-)


### Goals

- **Support Multiple Keys per DID:** Allow DIDs to have multiple associated keys and verification methods.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we add that we would like to track whether a key is active or historical/archived/no longer in use. When we add did:webvh we will have keys referenced only in older versions of the DID/DIDDoc that should no longer be used for signing.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Interesting question... If they should no longer be used for signing, do we have a need to keep the private key material around? If yes, then marking a key as inactive makes sense. If not, we could just remove the key from storage.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We would still be able to do point-in-time verification of a previously issued credential if we choose since the verification process wouldn't depend on what keys we have stored in our wallet. The public key material would be taken directly from the DID Document.

@swcurran
Copy link
Contributor

Looks good. How do we get this implemented? Is this a one person job, with support for review and testing, or is it worth trying to split up the work?

Would also like to understand how an AnonCreds issuer interacts with this. Presumably, it is just about the DID, and the rest of the objects are “standalone” and will have different implementation methods.

@dbluhm
Copy link
Contributor Author

dbluhm commented Dec 11, 2024

Would also like to understand how an AnonCreds issuer interacts with this. Presumably, it is just about the DID, and the rest of the objects are “standalone” and will have different implementation methods.

DIDs feed into the AnonCreds issuer interface by supplying issuer_id to the creation of various AnonCreds objects. The "global" AnonCreds interface uses that issuer ID to determine which method-specific AnonCreds registry should handle the request. Then, the method specific implementation will (most likely) use the issuer ID to generate signatures or do whatever operations are required for the method.

So the method specific registries would need to be aware of how to look up the right key material to perform those operations. A good default operation would be to look up the first key in the authentication relationship of the issuer ID (DID). But aside from that, I believe DID management and AnonCreds object management have very little overlap.

@swcurran If that's the detail you were looking for, I can add that into the doc somewhere.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

DID Management Proposed Update
4 participants