Did-core: Encrypted serviceEndpoint values?

Created on 6 Oct 2019  路  8Comments  路  Source: w3c/did-core

Would it be possible to add a mechanism for encrypting the value of either a) serviceEndpoint URLs, or b) _both_ serviceEndpoint and service types?

Context: this came up in the context of the Solid spec, where there's interest in adopting the DID Document mechanism to replace or augment the existing WebID Document mechanism. One of the service endpoints that Solid webid docs use is to point to the OpenID Connect Issuer endpoint (similar to how we have OpenIdConnectVersion1.0Service type endpoint in the DID spec examples).
And so, the question that came up was: so right now we point to the user's OIDC endpoint in plain text. Would it be possible to obfuscate or encrypt this, instead?

I realize that this opens up a lot of really difficult topics, like how to combine encryption and access control (so that the DID Doc is still useful for discovery, but not for _everybody_, only for those who have appropriate keys/credentials).

I'm curious if others have came up against this use case or requirement, and how you're thinking of handling it.

discuss pending close
Source
picture dmitrizagidulin

Most helpful comment

I think this problem would be better solved with a layer of indirection. So, specify some generic looking proxy service in your DID Document -- and it can map to something else where encryption (or whatever) can take place.

picture dlongley on 9 Oct 2019
👍3

All 8 comments

Related issue: #25 - (Partially) Encrypting DID Documents

dmitrizagidulin picture dmitrizagidulin on 9 Oct 2019

I think this problem would be better solved with a layer of indirection. So, specify some generic looking proxy service in your DID Document -- and it can map to something else where encryption (or whatever) can take place.

dlongley picture dlongley on 9 Oct 2019
👍3

@dlongley I agree; that sort of privacy-preserving proxy will be a useful mechanism. I'd love to have at least a straw proposal of what that would look like (and what the protocol would be for interacting w it).

dmitrizagidulin picture dmitrizagidulin on 9 Oct 2019

@dlongley

.. specify some generic looking proxy service in your DID Document -- and it can map to something else

This has also come up in DID Resolution: https://w3c-ccg.github.io/did-resolution/#proxy, https://github.com/w3c-ccg/did-resolution/issues/35. I think it's a good idea to support something like this. Not sure if any change is needed to the DID spec itself.

peacekeeper picture peacekeeper on 9 Oct 2019

Recommend we close this issue.
As mentioned in earlier comments, this use case can be solved either via:

  1. An anonymizing service endpoint proxy
  2. Encrypting via a Hashlink or similar mechanism; out of scope for the DID Doc.
dmitrizagidulin picture dmitrizagidulin on 18 Feb 2020

so, from my comments on the DID resolution calls, we have been overloading the #frag to add decryption data to handle this.

jonnycrunch picture jonnycrunch on 18 Feb 2020
👍1

@jonnycrunch Good point.

Although the idea of this issue is not just encrypting the _contents_ of the linked-to resource, but encrypting _the link itself_. Does ipld's usage of the hash fragment cover that use case?

dmitrizagidulin picture dmitrizagidulin on 18 Feb 2020

marked pending close for over a week. Not seeing objections to close. Closing.

brentzundel picture brentzundel on 28 Feb 2020
Was this page helpful?
0 / 5 - 0 ratings

Related issues

OR13 picture OR13  路  8Comments
oed picture oed  路  8Comments
jonnycrunch picture jonnycrunch  路  5Comments
mitfik picture mitfik  路  7Comments
selfissued picture selfissued  路  3Comments