-
Notifications
You must be signed in to change notification settings - Fork 1
/
index.html
484 lines (441 loc) · 15.1 KB
/
index.html
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>did:solid Method Specification</title>
<script src="https://www.w3.org/Tools/respec/respec-w3c" async class="remove"></script>
<script class="remove">
var respecConfig = {
specStatus: "CG-DRAFT",
shortName: "did-method-solid",
wg: "Solid Community Group",
wgURI: "https://www.w3.org/community/solid/",
wgPublicList: "public-solid",
editors: [{
name: "Sarven Capadisli",
url: "https://csarven.ca/#i",
email: "info@csarven.ca"
},
{
name: "Amy Guy",
url: "https://rhiaro.co.uk",
email: "amy@rhiaro.co.uk"
},
{
name: "Dmitri Zagidulin",
url: "http://computingjoy.com",
email: "dzagidulin@gmail.com"
}],
github: "https://github.com/solid/did-method-solid",
localBiblio: {
"DID-PRIMER": {
title: "DID Primer",
href: "https://github.com/WebOfTrustInfo/rebooting-the-web-of-trust-fall2017/blob/master/topics-and-advance-readings/did-primer.md",
authors: [
"Drummond Reed",
"Manu Sporny",
],
publisher: "Rebooting the Web of Trust 2017"
},
"DID-DNS": {
title: "The Decentralized Identifier (DID) in the DNS",
href: "https://tools.ietf.org/html/draft-mayrhofer-did-dns-01",
authors: ["A. Mayrhofer", "D. Klesev", "M. Sabadello"],
status: "Internet Draft",
publisher: "IETF"
},
"DID-WEB": {
title: "Web DID method specification",
href: "https://w3c-ccg.github.io/did-method-web/",
authors: ["Dmitri Zagidulin", "Amy Guy", "Oliver Terbu"],
status: "CG-DRAFT",
publisher: "W3C Credentials Community Group"
},
"SOLID-PROTOCOL": {
title: "Solid Protocol",
href: "https://solidproject.org/TR/protocol",
authors: ["Sarven Capadisli", "Tim Berners-Lee", "Ruben Verborgh", "Kjetil Kjernsmo", "Justin Bingham", "Dmitri Zagidulin"],
status: "ED",
publisher: "W3C Solid Community Group"
}
},
};
</script>
</head>
<body>
<section id="abstract">
<p>
This DID method is designed to be compatible with
<a href="https://solidproject.org/TR/">Solid</a> set of protocols, so that Solid
<a href="https://solidproject.org/TR/protocol#server">server</a> can be
used as <a href="https://www.w3.org/TR/did-core/#dfn-verifiable-data-registry">
verifiable data registries</a> for the reading and writing of DID documents.
</p>
</section>
<section id="sotd">
</section>
<section>
<h1>
Introduction
</h1>
<section>
<h2>
Preface
</h2>
<p>
The Solid DID method specification conforms to the requirements specified in the
Decentralized Identifiers v1.0 Specification [[DID-CORE]]. For more
information about DIDs and DID method specifications, please also see the
DID Primer [[?DID-PRIMER]].
</p>
<p>
The DID method operations are designed to be compatible with existing Solid
servers. For more information, see the Solid Protocol [[SOLID-PROTOCOL]].
</p>
<p class="issue" title="Name of this DID method">
The Solid DID method specification is a specialisation of the Web DID method
[[DID-WEB]] whereby write (create, update, delete) operations are more tightly
specified. The Solid DID method is designed to be generic enough to be
compatible with other Web-based systems which implement read and write
operations using HTTP methods (RFC 7231). For this reason, we are considering
whether to name the DID method <code>did:https</code> or <code>did:rest</code>
or similar.
</p>
</section>
<section id="conformance">
<!-- This section is filled automatically by ReSpec. -->
</section>
<section>
<h2>
Example
</h2>
<p class="issue" title="More examples">
</p>
<pre class="example" title="Example did:solid DID document">
{
"@context": ["https://w3.org/ns/did/v1", "https://TODO-solid-context"],
"id": "did:solid:csarven.ca",
"authentication": [{
...
}]
}
</pre>
</section>
</section>
<section>
<h1>
Solid DID Method Specification
</h1>
<section>
<h2>
Verifiable data registry
</h2>
<p>
The verifiable data registry of the Solid DID method is the web host that the domain
name described by the DID resolves to when queried through the Domain Name System
(DNS). This MAY be a Solid <a href="https://solidproject.org/TR/protocol#server">server</a> [[SOLID-PROTOCOL]].
</p>
</section>
<section>
<h2>
Method name
</h2>
<p>
The namestring that shall identify this DID method is: <code>solid</code>.
A DID that uses this method MUST begin with the following prefix:
<code>did:solid</code>. This string MUST be in lowercase.
</p>
</section>
<section>
<h2>
Method-specific identifier
</h2>
<p>
The method specific identifier is a fully qualified domain name that is
secured by a TLS/SSL certificate with an optional path to the DID document.
The formal rules describing valid domain name syntax are described in
[[RFC1035]], [[RFC1123]], and [[RFC2181]].
</p>
<p>
The method specific identifier MUST match the common name used in the TLS/SSL
certificate, and it MUST NOT include IP addresses or port numbers. Directories
and subdirectories MAY optionally be included, delimited by colons rather
than slashes.
</p>
<pre class="nohighlight">
solid-did = "did:solid:" domain-name
solid-did = "did:solid:" domain-name * (":" path)
</pre>
<pre class="example nohighlight" title="Example Web Method DIDs">
did:solid:server.example
did:solid:server.example:guinan
</pre>
</section>
<section>
<h2>
Representation
</h2>
<p>
Solid DIDs use the <a href="https://www.w3.org/TR/did-core/#json-ld">JSON-LD
representation</a> for DID documents [[DID-CORE]].
</p>
<p>
The <code>@context</code> value MUST contain the Solid context URL
as the second entry in the list (following the DID Core context URL).
The Solid context URL is: <code>https://TODO-solid-context</code>.
</p>
<p>
The definition of the Solid DID JSON-LD context is:
</p>
<p class="issue" title="Solid context">
TODO
</p>
<p>
DID documents for Solid DIDs MAY contain any verification methods and
service endpoints as required by the DID controller.
</p>
<p>
All terms in the DID document MUST be present in either the DID Core
context or the Solid context.
</p>
</section>
<section>
<h2>
Authorization
</h2>
<p class="issue" title="Authorization">
TODO: "A DID method specification MUST define how authorization is performed
to execute all operations, including any necessary cryptographic processes
- https://w3c.github.io/did-core/#method-operations"
</p>
</section>
<section>
<h2>
Mapping a DID to an HTTP URL
</h2>
<p>
A prerequisite for the Solid DID method operations is to map the DID subject
URI to an HTTP URL. This is done as follows:
</p>
<ol>
<li>
Replace ":" with "/" in the method specific identifier to obtain the fully
qualified domain name and optional path.
</li>
<li>
Generate an HTTPS URL to the expected location of the DID document by
prepending <code>https://</code>.
</li>
</ol>
<p class="issue" title="Location of DID doc">
Do we want to 'hardcode' a path for the actual DID document itself? Eg. A
final step in the above could be "append <code>/did</code> to the URL".
Otherwise we just rely on the content type and the server returns the DID doc
for the DID subject URI given the correct content type? Or do we use the
<code>type</code> Link header, as is done for containers?
</p>
</section>
<section>
<h2>
DID method operations
</h2>
<section>
<h3>
Create (Register)
</h3>
<p>
To register a DID for the first time, the client MUST execute an HTTP
<code>PUT</code> request as follows:
</p>
<ol>
<li>
Generate the URL by following the steps in <a href="#mapping-a-did-to-an-http-url"></a>.
</li>
<li>
Set the body of the HTTP request to the JSON-LD representation of the DID document
(see <a href="#representation"></a>).
</li>
<li>
Execute an HTTP <code>PUT</code> request to the URL with with a <code>Content-Type</code>
header with the value <code>application/did+ld+json</code>.
</li>
</ol>
<p>
Upon receipt of a valid create request, the server MUST store the triples in the payload
of the request, and MUST respond with a <code>201</code> status code.
</p>
<p class="issue" title="Authorization">
Something about Authorization
</p>
</section>
<section>
<h3>
Read (Resolve)
</h3>
<p>
The following steps MUST be executed to resolve the DID document from a Solid
DID:
</p>
<ol>
<li>
Retreive the URL by following the steps in <a href="#mapping-a-did-to-an-http-url"></a>.
</li>
<li>
Perform an HTTP <code>GET</code> request to the URL using an agent that can
successfully negotiate a secure HTTPS connection, with an <code>Accept</code>
header with a value including <code>application/did+ld+json</code>.
</li>
</ol>
<p class="issue" title="Content type">
The content type <code>application/did+ld+json</code> is at risk in the DID
Core specification [[DID-CORE]] so this requirement may change (most likely
to a content type of <code>application/ld+json</code> accompanied by a
specific <code>profile</code> value).
</p>
<p class="issue" title="Metadata">
We may want to make use of <a href="https://www.w3.org/TR/did-core/#did-document-metadata">DID document metadata</a>.
</p>
<p class="issue" title="Verify authenticity">
TODO: "A DID method specification MUST specify how a DID resolver uses a DID
to resolve a DID document, including how the DID resolver can verify the
authenticity of the response. "
</p>
</section>
<section>
<h3>
Update
</h3>
<p>
To update the DID document, the client MUST perform the same steps as for
a create operation (see <a href="#create-register"></a>). The entire updated DID
document (not a diff) MUST be included in the request body.
</p>
<p>
Upon receipt of a valid update request, the server MUST replace the triples already
present for the DID document with the triples from the request payload. The server
MUST respond with a <code>200</code> or <code>204</code> status code.
</p>
<p class="issue" title="Authorization">
Something about Authorization
</p>
</section>
<section>
<h3>
Deactivate (Revoke)
</h3>
<p>
To delete the DID document, the client MUST retreive the URL by following the
steps in <a href="#mapping-a-did-to-an-http-url"></a>, and then MUST make an
HTTP <code>DELETE</code> request to the URL.
</p>
<p>
Upon receipt of such a <code>DELETE</code> request, the server MUST remove the
triples pertaining to the DID document, and return a <code>200</code> or
<code>204</code> status code. The server MUST respond with a <code>404</code>
or <code>410</code> status code for future requests to the URL.
</p>
<p class="issue" title="Authorization">
Something about Authorization
</p>
</section>
</section>
<section class="informative">
<h2>
Security and privacy considerations
</h2>
<section>
<h3>
DNS Considerations
</h3>
<p class="issue" title="DNS tracking">
Add warning - all resolutions of a <code>did:solid</code> identifier using DNS
are centrally logged, enabling pervasive tracking mechanisms. </p>
</section>
<section>
<h3>
DID Document Integrity Verification
</h3>
<p class="issue" title="Hashlinks">
Add discussion of using <a
href="https://tools.ietf.org/html/draft-sporny-hashlink">Hashlinks</a> to aid
integrity protection and verification of the DID document.
</p>
</section>
<section>
<h3>
In-transit Security
</h3>
<p class="note" title="From did:web">
This section has been copied from the Web DID method specification and may
need revising [[DID-WEB]].
</p>
<p>
At least TLS 1.2 should be configured to use only strong ciphers suites and to
use sufficiently large key sizes. As recommendations may be volatile these days,
only the very latest recommendations should be used. However, as a rule of
thumb, the following must be used:
</p>
<ul>
<li>
Ephemeral keys are to be used.
</li>
<li>
ECDHE with one of the strong curves {X25519, brainpoolP384r1, NIST P-384,
brainpoolP256r1, NIST P-256} shall be used as key exchange.
</li>
<li>
AESGCM or ChaCha20 with 256 bit large keys shall be used for bulk encryption
</li>
<li>
ECDSA with one of the strong curves {brainpoolP384r1, NIST P-384,
brainpoolP256r1, NIST P-256} or RSA (at least 3072) shall be used.
</li>
<li>
Authenticated Encryption with Associated Data (AEAD) shall be used as Mac.
</li>
<li>
At least SHA256 shall be used, but SHA384 or POLY1305 are recommended.
</li>
</ul>
<p>
Examples of strong SSL/TLS configurations for now are:
</p>
<ul>
<li>
<code>ECDHE-ECDSA-AES256-GCM-SHA384, TLSv1.2, Kx=ECDH, Au=ECDSA,
Enc=AESGCM(256), Mac=AEAD</code>
</li>
<li>
<code>ECDHE-RSA-AES256-GCM-SHA384, TLSv1.2, Kx=ECDH, Au=RSA Enc=AESGCM(256),
Mac=AEAD</code>
</li>
<li>
<code>ECDHE-ECDSA-CHACHA20-POLY1305, TLSv1.2, Kx=ECDH, Au=ECDSA,
Enc=ChaCha20-Poly1305, Mac=AEAD</code>
</li>
<li>
<code>ECDHE-RSA-CHACHA20-POLY1305, TLSv1.2, Kx=ECDH, Au=RSA,
Enc=ChaCha20-Poly1305, Mac=AEAD</code>
</li>
<li>
<code>ECDHE-RSA-AES256-GCM-SHA384, TLSv1.2, Kx=ECDH, Au=RSA,
Enc=AESGCM(256), Mac=AEAD</code>
</li>
<li>
<code>ECDHE-ECDSA-AES256-GCM-SHA384, TLSv1.2, Kx=ECDH, Au=ECDSA,
Enc=AESGCM(256), Mac=AEAD</code>
</li>
</ul>
<p>
It is recommended to adhere to OWASP's Transport Layer Protection Cheat Sheet
[[OWASP-TRANSPORT]] latest recommendations for hardening TLS configurations.
</p>
<p>
Delete action can be performed by domain name registrars or DNS lookup
services.
</p>
</section>
</section>
</section>
</body>
</html>