first draft #2
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,2 +1,150 @@ | ||
| # did-mailto | ||
|
|
||
| ## Editors | ||
|
|
||
| - [Irakli Gozalishvili](https://github.com/Gozala), [DAG House](https://dag.house/) | ||
|
|
||
| ## Authors | ||
|
|
||
| - [Irakli Gozalishvili](https://github.com/Gozala), [DAG House](https://dag.house/) | ||
|
|
||
| ## Language | ||
|
|
||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC 2119](https://datatracker.ietf.org/doc/html/rfc2119). | ||
|
|
||
| ## Abstract | ||
|
|
||
| This specification describes "mailto" [DID Method] that | ||
| conforms to the core [DID-CORE] specification. The method can be used independent of any central source of truth, and is intended for bootstrapping secure interaction between two parties that can span across arbitrary number of devices. It is suitable for long sessions that need to operating under network partitions. | ||
|
|
||
| ## Status of This Document | ||
|
|
||
| This document is draft of a potential specification. It has no official standing of any kind and does not represent the support or consensus of any standards organization. | ||
|
|
||
| ## Introduction | ||
|
|
||
| ### Overview | ||
|
|
||
| > This section is non-normative. | ||
|
|
||
| Most documentation about decentralized identifiers (DIDs) describes them as identifiers that are rooted in a public source of truth like a blockchain, a database, or similar. This publicness lets arbitrary parties resolve the DIDs to an endpoint and keys. It is an important feature for many use cases. | ||
|
|
||
| However, the vast majority of interactions between people, organizations, and things have simpler requirements. When Alice(Corp|Device) and Bob want to interact, there are exactly and only 2 parties in the world who should care: Alice and Bob. Instead of arbitrary parties needing to resolve their DIDs, only Alice and Bob do. | ||
|
|
||
| One to one interactions are excellent fit for [did:key] identifiers, however they suffer from key discovery problem and introduce additional challenges when interaction sessions span across more than two devices. | ||
|
|
||
| Mailto DIDs are designed to be used in conjunction with [did:key] and facilitate bootstrapping sessions between two parties that span across multiple devices. | ||
|
|
||
| Mailto DIDs are more accessible alternative to [did:web] and [did:dns] because a lot more people have an email address than there are people with [did:web] or [did:dns] identifier or skills to acquire one. | ||
|
|
||
| Mailto [did document]s are also verifiable offline, when [domain key][] of the email address is known, implying significantly less network requests than with most other DIDs. | ||
|
|
||
| ## The `did:mailto` Format | ||
|
|
||
| The format for the `did:key` method conforms to the [DID-CORE] specification and is encoding of the [email address]. It consists of the `did:mailto:` prefix, followed by the `domain` part of an email address, `:` character and percent encoded `local-part` of the email address. | ||
|
|
||
| The ABNF definition can be found below. The formal rules describing valid `domain-name` syntax are described in [RFC1035], [RFC1123], [RFC2181]. The `domain-name` and `user-name` corresponds to `domain` and `local-part` respectively of the email address described in [RFC2822]. All "mailto" DIDs MUST conform to the DID Syntax ABNF Rules. | ||
|
|
||
| ```abnf | ||
| did = "did:mailto:" domain-name ":" user-name | ||
|
There was a problem hiding this comment. Are there any advantages to If no then I'd favor There was a problem hiding this comment. My rationale was:
Above said I’m not feeling strongly about this There was a problem hiding this comment. fwiw I also kinda prefer the simplicity of just We could also establish some norms around, regardless of did mailto, what to do if someone sends you a did that is not actually a valid did, e.g. This is a little inspired by how web browsers in practice don't always show you the perfectly encoded URL in the URL bar. It does its best to decode the url-like strings you put in there. If we do something like that, maybe we can avoid the annoyance of There was a problem hiding this comment. Just wanted to add as an additional perspective: we use DIDs as domain-style origins within a human-author-able link syntax. For example, a user may write:
...or...
In the case of But, with There was a problem hiding this comment.
I think we can accomodate this by in practice users just typing i.e. if the method-specific-identifier contains a |
||
| user-name = 1*idchar | ||
| idchar = ALPHA / DIGIT / "." / "-" / "_" / pct_enc | ||
| pct_enc = "%" HEXDIG HEXDIG | ||
| ``` | ||
|
|
||
| ##### EXAMPLE 1. A [email protected] | ||
|
|
||
| ``` | ||
| did:mailto:example.com:jsmith | ||
| ``` | ||
|
|
||
| ##### EXAMPLE 2 [email protected] | ||
|
|
||
| ``` | ||
| did:mailto:web.mail:tag%2Balice | ||
|
There was a problem hiding this comment. @blaine and I talked about the %-encoding a bit yesterday. I don't think the ugly A hash seems strange at first, but since you will have that info in the DKIM or similar later, you can validate it at that time. The downside is that it's harder for a human to track visually, but a fringe benefit is that you don't have to worry about encoding and they're constant size. There was a problem hiding this comment.
I was mostly bothered about this in because it would turn I have thought about hashes, but mostly for the user privacy, but then realized it probably won't provide much. At the moment I think %-encoding a reasonable compromise and seems to be expected approach for DIDs, but I'm fine taking it other way.
I would prefer to not to with DKIM assumption, because we already have a system in place that adds did:mailto support without it, which I think will continue to be useful even when we implement DKIM support. |
||
| ``` | ||
|
|
||
| ## Operations | ||
|
|
||
| The following section outlines the DID operations for the `did:mailto` method. | ||
|
|
||
| ### Create (Register) | ||
|
|
||
| There is intentionally no specification for publishing `did:mailto` documents as single source of truth are not implied. Same `did:mailto` identifier MAY (intentionally) correspond to different [DID document] in different sessions. | ||
|
|
||
| Creating a `did:mailto` document is done by: | ||
|
|
||
| 1. Creating a [did:key] identifier. | ||
| 2. Sending an email from [DID Subject] email address with a [key authentication] message in the subject. | ||
|
|
||
| #### Key Authentication | ||
|
|
||
| Key authentication message must conform to the following ABNF definition, which refers to `did-key-format` defined in [did:key] specification | ||
|
There was a problem hiding this comment. It may be good to make a distinction between 'key authentication' and 'subject aliasing'. DID documents support both, but they're not identical. It looks like this section here, because it mentions 'I am also known as' seems like the human-readable instruction is more about subject aliasing and did-core "Key Authentication" could be confused with did-core's If you alias from your So whereas the spec currently calls this "Key Authentication", what it's doing by using did
|
||
|
|
||
| ```abnf | ||
| auth = "I am also known as " did-key-format | ||
| ``` | ||
|
|
||
| ##### EXAMLPLE 3 | ||
Gozala marked this conversation as resolved.
Show resolved
Hide resolved
|
||
|
|
||
| ``` | ||
| I am also known as did:key:z6MkhaXgBZDvotDkL5257faiztiGiC2QtKLGpbnnEGta2doK | ||
| ``` | ||
|
|
||
| ### Read (Resolve) | ||
|
|
||
| Specification intentionally does not specify how to resolve [DKIM-Signature] for the given `did:mailto` identifier as those could be arranged out of bound between participants. Optional programmatic resolution over [SMTP] could be defined in the future iterations. | ||
|
|
||
| The following steps MUST be executed to resolve the [DID document] from the [DKIM-Signature]: | ||
|
|
||
| 1. Extract [key authentication] from the `subject` header. | ||
| 1. Extract [did:key] from the extracted [key authentication]. | ||
| 1. Extract sender email address from the `from` header. | ||
| 1. Resolve [DID document] from extracted [did:key]. | ||
| 1. Set `id` of the [DID document] to the `did:mailto` identifier of the sender email address. | ||
| 1. Set `alsoKnownAs` of the document to extracted [did:key]. | ||
|
|
||
| ### Deactivate (Revoke) | ||
|
There was a problem hiding this comment. One of the biggest reasons to revoke would be because the user lost access to the email address. Is there a way to revoke in this case? How do I prevent any other user from claiming my Assuming that is true, anyone could claim they are known as So then, presumably if I have multiple email addresses I can register them all as being aka Without signed proof, you can't revoke the use of There was a problem hiding this comment.
Note that revocation here implies revoking a key as opposed to revoking a whatever permissions email has, which is I think what you’re thinking of. If I don’t have access to the email, I may want to revoke it’s privileges but that is to be done at another layer - delegation to the email address. That is out of scope here. Reason you’d want to revoke here is because you’ve lost a private key, or perhaps key got compromised.
If someone say [email protected] associates my key with their email they are essentially granting me all the privileges that email address has, which is opposite of what they would want so there is no initiative to do this.
I think you could put it that way.
I think you’re thinking of association in opposite direction. If I send you an email saying X is my key it’s reasonable to expect that messages signed by that key is from the owner of that email. If I then send you a message (from the same email address) saying I no longer use that X key it is reasonable to expect that if you see message signed with that key X it’s probably an attacker trying to impersonate me. Here you trust that messages are from trusted source (email address) and what you verify is the DKIM signature to ensure that email is indeed from the owner of the address. There was a problem hiding this comment. Ok I understand thanks for the clarification. |
||
|
|
||
| Specification intentionally does not specify how to communicate [DKIM-Signature] for deactivating the DID Document. | ||
|
|
||
| [DID Subject] may deactivate specific [DID document] by: | ||
|
|
||
| 1. Sending an email from [DID Subject] email address with with a [key revocation] message in the subject. | ||
|
|
||
| #### Key Revocation | ||
|
|
||
| Key revocation message must conform to the following ABNF definition, which refers to `did-key-format` defined in [did:key] specification | ||
|
|
||
| ```abnf | ||
| auth = "I revoke " did-key-format | ||
| ``` | ||
|
|
||
| ##### EXAMLPLE 3 | ||
Gozala marked this conversation as resolved.
Show resolved
Hide resolved
|
||
|
|
||
| ``` | ||
| I revoke did:key:z6MkhaXgBZDvotDkL5257faiztiGiC2QtKLGpbnnEGta2doK | ||
| ``` | ||
|
|
||
| ### Update | ||
|
|
||
| This DID Method does not support updating the DID Document. | ||
|
|
||
| [did subject]: https://www.w3.org/TR/did-core/#did-subject | ||
| [did method]: https://w3c-ccg.github.io/did-spec/#specific-did-method-schemes | ||
| [did-core]: https://w3c-ccg.github.io/did-spec/ | ||
| [did document]: https://www.w3.org/TR/did-core/#dfn-did-documents | ||
| [did:key]: https://w3c-ccg.github.io/did-method-key/ | ||
| [session keys]: https://en.wikipedia.org/wiki/Session_key | ||
| [did:web]: https://w3c-ccg.github.io/did-method-web/ | ||
| [did:dns]: https://danubetech.github.io/did-method-dns/ | ||
| [email address]: https://www.rfc-editor.org/rfc/rfc2822.html#section-3.4.1 | ||
| [rfc2822]: https://www.rfc-editor.org/rfc/rfc2822.html#section-3.4.1 | ||
| [rfc1035]: https://www.rfc-editor.org/rfc/rfc1035 | ||
| [rfc1123]: https://www.rfc-editor.org/rfc/rfc1123 | ||
| [rfc2181]: https://www.rfc-editor.org/rfc/rfc2181 | ||
| [dkim]: https://www.rfc-editor.org/rfc/rfc6376 | ||
| [key authentication]: #Key_Authentication | ||
| [key revocation]: #Key_Revocation | ||
| [dkim-signature]: https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail | ||
| [smtp]: https://en.wikipedia.org/wiki/Simple_Mail_Transfer_Protocol | ||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
https://www.w3.org/TR/did-core/#method-syntax
It's probably good to appease that MUST by having a small section on normalization. e.g. is it safe to canonicalize
did:mailto:dag.house:bEnGotodid:mailto:dag.house:bengo?I think the answer is no?
https://www.rfc-editor.org/rfc/rfc5321#section-2.4
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm not a fan of the canonicalization complexity here. I have a bunch of use-cases for this sort of approach that extend beyond
did:mailto:and can see the complexity spiralling out of control. This is not helped by the fact that these identifiers need to be checked with a simple string comparison; using modified "canonical" identifiers runs the risk of changing the security semantics.tbh, if the intent of the
didscheme is to be opaque, I'd prefer:aud: did:mailto:${multihash(email)}along with some other field (maybe infct?) that clearly states the hashed email address according to 5321 rules (but not canonicalized). (repeat for other schemes as necessary)Looking through the DID/VC specs, it seems like this is the same conclusion that the VC folks came to: https://www.w3.org/TR/vc-data-model/#identifiers – specifically, there's a separate
idfield that is the raw URI identifier, separate from thecredentialSubjectdid(unless I'm misreading this; there's a lot in these specs, and I may very well have missed something).That all said, I would love to be convinced that the canonicalization is possible to do reliably; I just feel like there are too many unknowns there to be confident about it.