@RieksJ moved from the CCG (https://github.com/w3c-ccg/did-spec/issues/172)
Editors should add a section to the security considerations section of the specification stating that encryption can be used to encrypt data, but that encrypting data placed on DLTs is generally a bad idea, and should only be done for data that is sensitive in the short term (weeks, months), and not for data that's sensitive over years (e.g., banking records, long lived PII, etc.)
Whether the data is on DLTs isn't necessarily the main thing that is relevant; it's more that it's a publicly available document. Encryption should be used in confidential channels -- or it should be assumed that it will eventually be broken and the cleartext information will be made available to the same audience that the encrypted information is available.
This security consideration continues to be raised, and I agree that this consideration should be added to the Security Considerations section. I have this action item.
This is on the list of editorial tasks I have tasked for this week.
PR was merged to add text about this to security considerations. Can this be closed?
Yes. Thanks.