lsd0005

LSD0005: GNS DID Method Specification

commit 680be280f1ecef9d70ef0dba92888768a84c5f11
parent e640c523910712f072a4c385b1e812874d2063c3
Author: Thomas Bellebaum <thomas.bellebaum@aisec.fraunhofer.de>
Date:   Mon, 22 Aug 2022 15:45:07 +0200

Review @bellebaum

Diffstat:
M draft-schanzen-didgns.xml | 71 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++--------------
1 file changed, 57 insertions(+), 14 deletions(-)

diff --git a/draft-schanzen-didgns.xml b/draft-schanzen-didgns.xml @@ -42,6 +42,18 @@ <email>tristan.schwieren@tum.de</email> </address> </author> + <author fullname="Thomas Bellebaum" initials="T." surname="Bellebaum"> + <organization>Fraunhofer AISEC</organization> + <address> + <postal> + <street>Lichtenbergstrasse 11</street> + <city>Garching</city> + <code>85748</code> + <country>DE</country> + </postal> + <email>thomas.bellebaum@aisec.fraunhofer.de</email> + </address> + </author> <!-- Meta-data Declarations --> <area>General</area> @@ -78,9 +90,9 @@ <section> <name>Method name</name> <t> - The namestring that shall identify this DID method is: `gns`. - A DID that uses this method MUST begin with the following prefix: `did:ids`. - Per the DID specification, this string ***MUST*** be in lowercase. + The namestring that shall identify this DID method is "gns". + A DID that uses this method MUST begin with the prefix "did:gns:". + Per <xref target="W3C.did-core"/>, this string MUST be in lowercase. The remainder of the DID, after the prefix, is specified below. </t> </section> @@ -90,11 +102,13 @@ Each identity in GNS has a single public-private zone key pair. An ego should not be confused with a user. A user can have multiple egos. The GNS DID method utilizes the GNU Name System (GNS) and its zone key. - It allow us to store a DID document in a GNS zone using. + It allows us to store a DID document in a GNS zone. </t> <t> - The method specific identifier is is the Base32GNS-encoded public zone - key <tt>zk</tt> of an identity: + The method-specific identifier is the public zone key <tt>zk</tt> of an + identity, Base32GNS-encoded as defined in Appendix C of + <xref target="I-D.draft-schanzen-gns"/>. GNS DIDs are considered equal + if their method-specific identifiers decode to the same symbols. </t> <figure anchor="figure_did" title="The GNS DID format"> <artwork name="" type="" align="left" alt=""><![CDATA[ 
@@ -131,7 +145,10 @@ did:gns:000G057G3NM5FCGEDF35DBE6Y1R7QEFF7GJA9KXVK9KMT336XWKBY1M2XC <name>Read (Resolve)</name> <t> In order to resolve a GNS DID, the public zone key is extracted - from the the DID. + from the the DID as the Base32GNS-decoded value of the method-specific + identifier. Note that the decoding procedure of Base32GNS decodes + several characters to the same symbol, thereby implicitly adding + normalization to GNS DIDs. The zone key is used in combination with the Apex Label in order to resolve a resource record of type <tt>DID_DOCUMENT</tt> as defined in Section 7 of <xref target="I-D.draft-schanzen-gns"/>. @@ -189,9 +206,10 @@ forms of attack SHOULD also be documented.--> <!-- The Security Considerations section MUST discuss residual risks, such as the risks from compromise in a related protocol, incorrect implementation, or cipher after threat mitigation was deployed. --> <t> - An incorrect implementation of the digital signature algorithm in GNS - could make it possible for an attacker to impersonate any other ego, and - create or delete DID Documents. + An incorrect implementation of the digital signature validation algorithm + in GNS could make it possible for an attacker to impersonate any other ego. + Leakage of the private zone key allows anyone to create or delete DID + Documents. GNS itself provides crypto-agility and the possibility of extending the protocol with new cryptographic schemes should the need arise. In such cases, existing identities will need to be revoked and new DIDs 
@@ -213,9 +231,10 @@ Some examples are integrity only, and endpoint authentication.--> The GNS DID method uses digital signatures. The security of the DID method depends on the assumption that a user can keep the private zone key secret. - Any records containing DID Documents published in GNS are signed using - a private key derived from the zone private key and encrypted using a - derived symmetric key as defined in Section 5.1 of <xref target="I-D.draft-schanzen-gns"/>. + Any records containing DID Documents published in GNS are encrypted using + a derived symmetric key as defined in Section 5.1 of + <xref target="I-D.draft-schanzen-gns"/> and signed using a private key + derived from the zone private key. </t> <!-- Data which is to be held secret (keying material, random seeds, and so on) should be clearly labeled.--> <t> 
@@ -299,7 +318,31 @@ Number | Name | Contact | References | Comment <date year="2021"/> </front> </reference> -<reference anchor="GANA" target="https://gana.gnunet.org/"> + <reference anchor="W3C.did-core" target="https://www.w3.org/TR/did-core/"> + <front> + <title>Decentralized Identifiers (DIDs)</title> + <author initials="M." surname="Sporny" fullname="Manu Sporny"> + <organization>Digital Bazaar</organization> + </author> + <author initials="D." surname="Longley" fullname="Dave Longley"> + <organization>Digital Bazaar</organization> + </author> + <author initials="M." surname="Sabadello" fullname="Markus Sabadello"> + <organization>Danube Tech</organization> + </author> + <author initials="D." surname="Reed" fullname="Drummond Reed"> + <organization>Evernym/Avast</organization> + </author> + <author initials="O." surname="Steele" fullname="Orie Steele"> + <organization>Transmute</organization> + </author> + <author initials="C." surname="Allen" fullname="Christopher Allen"> + <organization>Blockchain Commons</organization> + </author> + <date year="2022"/> + </front> + </reference> + <reference anchor="GANA" target="https://gana.gnunet.org/"> <front> <title>GNUnet Assigned Numbers Authority (GANA)</title> <author><organization>GNUnet e.V.</organization>
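Review bot: in the Method name hunk (@@ -78,9 +90,9 @@), "this string MUST be in lowercase" is ambiguous now that the preceding sentence introduces the prefix "did:gns:"; the lowercase requirement in the cited DID Core text is on the method name, so write "the method name MUST be in lowercase" (or "this prefix MUST be in lowercase"). The replacement of the stray `did:ids` prefix by "did:gns:" is correct and consistent with the example DID shown in the later context line, `did:gns:000G057G3NM5FCGEDF35DBE6Y1R7QEFF7GJA9KXVK9KMT336XWKBY1M2XC`.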
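Review bot: the new equality rule in the hunk at @@ -90,11 +102,13 @@ ("GNS DIDs are considered equal if their method-specific identifiers decode to the same symbols") means two textually different DIDs, differing only in characters that Base32GNS decodes to the same symbol, name the same subject, but the draft does not say which encoding is canonical. Consumers that compare the `id` of a DID document or `verificationMethod` references as plain strings, without knowing GNS, would treat those forms as different identifiers. Suggest mandating one canonical encoding for generated DIDs (the form used in the example above) and stating that resolvers MUST accept every decodable form and normalise to it.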
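Review bot: the doubled "the" in "from the the DID" survives in the rewritten line of the Read (Resolve) hunk (@@ -131,7 +145,10 @@); since the diff already touches that line, fix it here: `+ from the DID as the Base32GNS-decoded value of the method-specific`. The added sentence on implicit normalisation is a useful clarification; consider also stating what a resolver does when the identifier does not decode to a valid zone key (an explicit resolution error rather than "not found"), so implementations fail consistently.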
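Review bot: in the Security Considerations hunk (@@ -189,9 +206,10 @@), "Leakage of the private zone key allows anyone to create or delete DID Documents" overstates the impact; only whoever obtains the leaked key can, so say "allows whoever holds the leaked key". Separating the incorrect-validation case from the key-leakage case is the right structure; the following sentence on revoking existing identities applies to the leakage case as well, so refer to it explicitly there.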
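Review bot: the reordering in the hunk at @@ -213,9 +231,10 @@ now states that records are encrypted and then signed. Please double-check against Section 5.1 of draft-schanzen-gns that the signature is computed over the encrypted record block, as the new order implies, and if so say it explicitly ("signed over the encrypted record block using ..."), because sign-then-encrypt versus encrypt-then-sign determines what a verifier can check before it is able to decrypt.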
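Review bot: the new W3C.did-core reference in the last hunk (@@ -299,7 +318,31 @@) points at the undated latest-version URL and carries no `<seriesInfo>`; since it backs a MUST in the Method name section, prefer the dated Recommendation URL and add a `<seriesInfo name="W3C Recommendation" value="..."/>` element so the cited text cannot change underneath the normative requirement. Re-indenting the GANA reference to match the others is fine.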