draft-carter-high-assurance-dids-with-dns-00.txt | draft-carter-high-assurance-dids-with-dns-01.txt | |||
---|---|---|---|---|
Network Working Group J. Carter | Network Working Group J. Carter | |||
Internet-Draft J. Latour | Internet-Draft J. Latour | |||
Intended status: Informational CIRA | Intended status: Informational CIRA | |||
Expires: 22 September 2024 M. Glaude | Expires: 23 September 2024 M. Glaude | |||
NorthernBlock | NorthernBlock | |||
T. Bouma | T. Bouma | |||
Digital Governance Council | Digital Governance Council | |||
21 March 2024 | 22 March 2024 | |||
High Assurance DIDs with DNS | High Assurance DIDs with DNS | |||
draft-carter-high-assurance-dids-with-dns-00 | draft-carter-high-assurance-dids-with-dns-01 | |||
Abstract | Abstract | |||
This document outlines a method for improving the authenticity, | This document outlines a method for improving the authenticity, | |||
discoverability, and portability of Decentralized Identifiers (DIDs) | discoverability, and portability of Decentralized Identifiers (DIDs) | |||
by utilizing the current DNS infrastructure and its technologies. | by utilizing the current DNS infrastructure and its technologies. | |||
This method offers a straightforward procedure for a verifier to | This method offers a straightforward procedure for a verifier to | |||
cryptographically cross-validate a DID using data stored in the DNS, | cryptographically cross-validate a DID using data stored in the DNS, | |||
separate from the DID document. | separate from the DID document. | |||
skipping to change at page 2, line 10 | skipping to change at page 2, line 10 | |||
Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
This Internet-Draft will expire on 22 September 2024. | This Internet-Draft will expire on 23 September 2024. | |||
Copyright Notice | Copyright Notice | |||
Copyright (c) 2024 IETF Trust and the persons identified as the | Copyright (c) 2024 IETF Trust and the persons identified as the | |||
document authors. All rights reserved. | document authors. All rights reserved. | |||
This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
Provisions Relating to IETF Documents (https://trustee.ietf.org/ | Provisions Relating to IETF Documents (https://trustee.ietf.org/ | |||
license-info) in effect on the date of publication of this document. | license-info) in effect on the date of publication of this document. | |||
Please review these documents carefully, as they describe your rights | Please review these documents carefully, as they describe your rights | |||
skipping to change at page 4, line 18 | skipping to change at page 4, line 18 | |||
assurance when proving your identity or age, replicating important | assurance when proving your identity or age, replicating important | |||
information about a DID into a different domain (like the DNS) | information about a DID into a different domain (like the DNS) | |||
enables a similar form of cross validation. This enhances the | enables a similar form of cross validation. This enhances the | |||
initial trust establishment between the user and the DID document, as | initial trust establishment between the user and the DID document, as | |||
the key information can be compared and verified across two | the key information can be compared and verified across two | |||
segregated sets of infrastructure. This also acts as a form of | segregated sets of infrastructure. This also acts as a form of | |||
ownership verification in a similar way to 2FA, as the implementer | ownership verification in a similar way to 2FA, as the implementer | |||
must have control over both the DNS zone and the DID document to | must have control over both the DNS zone and the DID document to | |||
properly duplicate the relevant information. | properly duplicate the relevant information. | |||
```
+----------------+      +----------------+
|                |      |                |
|   DNS Server   |      |   Web Server   |
|                |      |                |
|   +-------+    |      |    +-------+   |
|   |  DID  |<---+------+--->|  DID  |   |
|   +-------+    |      |    +-------+   |
|   +-------+    |      |    +-------+   |
|   |  PKI  |<---+------+--->|  PKI  |   |
|   +-------+    |      |    +-------+   |
|                |      |                |
+----------------+      +----------------+
```
The diagram above illustrates how a web server storing the DID | The diagram above illustrates how a web server storing the DID | |||
document, and the DNS server storing the URI and TLSA records, share | document, and the DNS server storing the URI and TLSA records, share | |||
and link the key information about the DID across two independent | and link the key information about the DID across two independent | |||
sets of infrastructure. | sets of infrastructure. | |||
3.1. Specifically for did:web | 3.1. Specifically for did:web | |||
With did:web, there’s an inherent link between the DNS needed to | With did:web, there’s an inherent link between the DNS needed to | |||
resolve the associated DID document and the domain where the relevant | resolve the associated DID document and the domain where the relevant | |||
End of changes. 5 change blocks. | ||||
9 lines changed or deleted | 16 lines changed or added | |||
This html diff was produced by rfcdiff 1.45. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ |
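The cross-validation described in Section 3 above, as an added example that is not part of the draft or of the rfcdiff output: a verifier-side check, written here in Python, that compares a did:web document's Ed25519 key against a DNS TLSA record and a URI record. The `_did.example.com` owner name, the DANE selector/matching-type profile (SPKI, SHA-256), and every key and record value are constructed assumptions of this example, not taken from the draft.

```python
import base64
import hashlib
import json

# RFC 8410: fixed DER prefix of an Ed25519 SubjectPublicKeyInfo; the raw 32-byte key follows it.
ED25519_SPKI_PREFIX = bytes.fromhex("302a300506032b6570032100")

# Constructed sample data (not from the draft): an arbitrary 32-byte "key" and a did:web document.
RAW_KEY = bytes(range(32))
DID_DOCUMENT = json.dumps({
    "id": "did:web:example.com",
    "verificationMethod": [{
        "id": "did:web:example.com#key-1",
        "type": "JsonWebKey2020",
        "controller": "did:web:example.com",
        "publicKeyJwk": {"kty": "OKP", "crv": "Ed25519",
                         "x": base64.urlsafe_b64encode(RAW_KEY).rstrip(b"=").decode()},
    }],
})
# Constructed zone data for _did.example.com (owner name is an assumption of this example):
# a URI record naming the DID, and a TLSA record (usage 3, selector 1 = SPKI, matching 1 = SHA-256).
URI_TARGET = "did:web:example.com"
TLSA_RDATA = "3 1 1 " + hashlib.sha256(ED25519_SPKI_PREFIX + RAW_KEY).hexdigest()
TLSA_RDATA_BAD = "3 1 1 " + "00" * 32   # a record the zone operator did not derive from this key

def spki_sha256_from_jwk(jwk: dict) -> bytes:
    """Rebuild the SPKI DER of an Ed25519 JWK and hash it as TLSA selector 1 / matching type 1 does."""
    if jwk.get("kty") != "OKP" or jwk.get("crv") != "Ed25519":
        raise ValueError("this example only handles Ed25519 OKP keys")
    x = jwk["x"]
    raw = base64.urlsafe_b64decode(x + "=" * (-len(x) % 4))  # restore stripped base64url padding
    return hashlib.sha256(ED25519_SPKI_PREFIX + raw).digest()

def parse_tlsa(rdata: str) -> tuple:
    """Split TLSA presentation format 'usage selector mtype hexdata' into its fields."""
    usage, selector, mtype, data = rdata.split(None, 3)
    return int(usage), int(selector), int(mtype), bytes.fromhex(data.replace(" ", ""))

def cross_validate(did_document: str, uri_target: str, tlsa_rdata: str) -> bool:
    """True only if the zone's URI record names this DID and its TLSA data matches a key in the document."""
    doc = json.loads(did_document)
    if uri_target != doc["id"]:           # DNS must point at the same DID the document claims to be
        return False
    usage, selector, mtype, assoc = parse_tlsa(tlsa_rdata)
    if (selector, mtype) != (1, 1):       # only the SPKI / SHA-256 profile is handled here
        return False
    # the DNS-published key hash must match at least one verification method in the document
    return any(spki_sha256_from_jwk(vm["publicKeyJwk"]) == assoc
               for vm in doc.get("verificationMethod", []) if "publicKeyJwk" in vm)
```

A mismatch in either direction (URI record naming a different DID, or TLSA data not derived from any key in the document) fails the check, which is the "control over both the DNS zone and the DID document" property the section describes.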