# DID Authentication
TODO:
- add use cases for when this is needed (issuance; learning which other DIDs the other party controls; a governance framework lists DIDs but the pairwise connection uses a different DID)
Options:
- Separate present proof exchange using Verifiable Presentation Request Specification
- Separate present proof exchange using DIF PE
- DIF PE as part of Credential Manifest
- Extend RFC 0593
- Send a didcomm message
- Always use connection did
Related to https://github.com/hyperledger/aries-rfcs/issues/545
## Verifiable Presentation Request Specification
Link: https://w3c-ccg.github.io/vp-request-spec/#did-authentication-request
- VPRS is not supported in Aries; it would need a new attachment format in the registry
- Needs a separate run of the Present Proof protocol
- Verify the minimal API needed to do DID authentication
Request:
```json
{
  "query": [
    {
      "type": "DIDAuth"
    }
  ],
  "challenge": "99612b24-63d9-11ea-b99f-4f66f3e4f81a",
  "domain": "example.com"
}
```
Response:
```json
{
  "@context": ["https://www.w3.org/2018/credentials/v1"],
  "type": "VerifiablePresentation",
  "holder": "did:example:12345",
  "proof": {
    "proofPurpose": "authentication",
    "type": "Ed25519Signature2018",
    "challenge": "99612b24-63d9-11ea-b99f-4f66f3e4f81a",
    "domain": "example.com",
    "created": "2020-06-06T21:05:13Z",
    "verificationMethod": "did:example:12345#z6Mkkg...",
    "jws": "..."
  }
}
```
## Using DIF PE
- Not sure yet how to construct the presentation definition
- Attachment format already supported
- Needs a separate run of the Present Proof protocol
- Agents need to recognize this specific presentation definition and know that they must present their DID so a credential can be issued to it
```json
{
  "options": {
    "challenge": "99612b24-63d9-11ea-b99f-4f66f3e4f81a",
    "domain": "example.com"
  },
  "presentation_definition": {
    "id": "32f54163-7166-48f1-93d8-ff217bdb0653",
    "input_descriptors": [
      {
        "id": "did_auth",
        "name": "DID Auth",
        "purpose": "We want to authenticate your did before issuing a credential to it",
        "schema": [
          {
            "uri": "https://www.w3.org/2018/credentials#VerifiablePresentation"
          }
        ],
        "constraints": {
          "fields": [
            {
              "path": "$.holder"
            }
          ]
        }
      }
    ]
  }
}
```
## Using DIF PE as part of Credential Manifest
- Not sure yet how to construct the presentation definition
- Attachment format already supported, but not really implemented by agents (AFGO?)
- No separate run of the Present Proof protocol needed; done as part of the Credential Manifest
## Extending RFC 0593
- Take inspiration from the OIDC for issuance spec (https://openid.net/specs/openid-connect-4-verifiable-credential-issuance-1_0.html#section-6.6.1) and allow the holder to provide a `did` + `proof`
- No separate run of the Present Proof protocol needed; done as part of the vc-detail
```json
{
  "credential": {
    "@context": [
      "https://www.w3.org/2018/credentials/v1",
      "https://www.w3.org/2018/credentials/examples/v1"
    ],
    "id": "urn:uuid:3978344f-8596-4c3a-a978-8fcaba3903c5",
    "type": ["VerifiableCredential", "UniversityDegreeCredential"],
    "issuer": "did:key:z6MkodKV3mnjQQMB9jhMZtKD9Sm75ajiYq51JDLuRSPZTXrr",
    "issuanceDate": "2020-01-01T19:23:24Z",
    "expirationDate": "2021-01-01T19:23:24Z",
    "credentialSubject": {
      "degree": {
        "type": "BachelorDegree",
        "name": "Bachelor of Science and Arts"
      }
    }
  },
  "options": {
    "proofPurpose": "assertionMethod",
    "created": "2020-04-02T18:48:36Z",
    "domain": "example.com",
    "challenge": "9450a9c1-4db5-4ab9-bc0c-b7a9b2edac38",
    "credentialStatus": {
      "type": "CredentialStatusList2017"
    },
    "proofType": "Ed25519Signature2018",
    "did": {
      "id": "did:example:1234",
      "proof": {
        "type": "RsaSignature2018",
        "created": "2018-09-14T21:19:10Z",
        "proofPurpose": "authentication",
        "verificationMethod": "did:example:1234/keys/1",
        "challenge": "2H4dB9xl-FZQL-pixV-WJk0eOt4CXQ-1NXKW",
        "domain": "https://issuer.example.com",
        "jws": "eyJhbGciOiJFZERTQSIsImI2NCI6ZmFsc2UsImNyaXQiOlsiYjY0Il19..l9d0YHjcFAH2H4dB9xlWFZQLUpixVCWJk0eOt4CXQe1NXKWZwmhmn9OQp6YxX0a2LffegtYESTCJEoGVXLqWAA"
      }
    }
  }
}
```
## Sending a separate DIDComm message
As described in https://github.com/hyperledger/aries-rfcs/issues/545
Require the other agent to send any message to you, the issuer, using (a key from) a specific DID. The thread id identifies the message and lets the issuer correlate it with the other exchange.
- Only works for keys that can be used for both signing and encryption
## Always use connection did
- Won't work well when peer DIDs are used for connections.
- Won't work well when the credential subject uses a different DID than the connection.