decentralized-identity/did-registration

Specify format of returned secrets

Closed this issue · 5 comments

In cases when a DID Registrar returns generated secrets (such as private DID controller keys) to a client, we should specify the format of those secrets (probably re-using JWK and other standards).

Depending on the DID method, not all returned secrets may be private keys, they could also be seeds or other things.

See https://identity.foundation/did-registration/#didstatesecret.

Possible options:

  1. Use JWKS for returned private keys, e.g.:

     ```json
     {
       "keys": [
         {
           "kty": "EC",
           "d": "-s-PwFdfgcdBPTDbJwZuiAFHCuI8r9vR13OGHo14--4",
           "crv": "secp256k1",
           "x": "htusHse5FMBnT_4266kn9T2yMmjDllwWvVSc_I2-WZ0",
           "y": "RjE_GjsRMELYJ6XuNSFDu3mCbyJnCQ26X_YtmyM9Bfo"
         },
         {
           "kty": "EC",
           "d": "-SMrR50X50l36Ex5UcC-tOQHCrBM5XbSgVVnfZ0SjcI",
           "crv": "secp256k1",
           "x": "4WnV5ec5KFfpO6vrXWmYBukWs2bJ50GMjXPfKbc5_II",
           "y": "2vouQMwP1UaWEwGML4cemyS59Ck_ie8XoA4fayX940g"
         }
       ]
     }
     ```

  2. Use a structure similar to verification methods in DID documents, but with private keys included, e.g.:

     ```json
     {
       "verificationMethod": [
         {
           "id": "did:example:123#key-0",
           "type": "JsonWebKey2020",
           "controller": "did:example:123",
           "purpose": ["authentication", "assertionMethod", "capabilityDelegation", "capabilityInvocation"],
           "privateKeyJwk": {
             "kty": "EC",
             "d": "-s-PwFdfgcdBPTDbJwZuiAFHCuI8r9vR13OGHo14--4",
             "crv": "secp256k1",
             "x": "htusHse5FMBnT_4266kn9T2yMmjDllwWvVSc_I2-WZ0",
             "y": "RjE_GjsRMELYJ6XuNSFDu3mCbyJnCQ26X_YtmyM9Bfo"
           }
         },
         {
           "id": "did:example:123#key-1",
           "type": "Ed25519VerificationKey2020",
           "controller": "did:example:123",
           "purpose": ["authentication"],
           "privateKeyMultibase": "z5TVraf9itbKXrRvt2DSS95Gw4vqU3CHAdetoufdcKazA"
         }
       ]
     }
     ```

  3. Consider the "Key" data structure in Universal Wallet: https://w3c-ccg.github.io/universal-wallet-interop-spec/#Key

Note: Private keys could be returned to the client in an encrypted/locked form.

Note: this is only relevant in internal secret mode, since e.g. in client-managed secret mode the registrar will never return secrets.
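As an added example (not code from the did-registration spec or any registrar implementation), a client-side checker for the verification-method shape in option 2: it accepts a returned `secret` object only if every entry names its purposes with DID Core relationships, carries exactly one of `privateKeyJwk` / `privateKeyMultibase`, and that material really contains the private member, so a registrar that hands back only a public JWK is caught before the client stores it as a controller key. The per-curve scalar sizes, the RFC 7518 private-member names and the base58btc alphabet are assumptions taken from those specs, not from this issue.

```python
import base64

RELATIONSHIPS = {"authentication", "assertionMethod", "keyAgreement",
                 "capabilityInvocation", "capabilityDelegation"}  # DID Core relationships (assumed set)
PRIVATE_MEMBER = {"EC": "d", "OKP": "d", "RSA": "d", "oct": "k"}  # RFC 7518 private members (assumed)
SCALAR_BYTES = {"secp256k1": 32, "P-256": 32, "Ed25519": 32, "X25519": 32}  # assumed per-curve sizes
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"  # base58btc alphabet

def check_private_jwk(jwk):
    member = PRIVATE_MEMBER.get(jwk.get("kty"))
    if member is None:
        return [f"unknown kty {jwk.get('kty')!r}"]
    if member not in jwk:  # the private member is what makes this a secret at all
        return [f"no private member {member!r}: this is a public key"]
    problems = []
    if jwk["kty"] in ("EC", "OKP"):
        size = SCALAR_BYTES.get(jwk.get("crv"))
        try:  # JWK members are base64url without padding, so re-pad before decoding
            raw = base64.urlsafe_b64decode(jwk[member] + "=" * (-len(jwk[member]) % 4))
        except ValueError:
            return [f"{member!r} is not base64url"]
        if size is None or len(raw) != size:
            problems.append(f"{member!r} is not a valid scalar for crv {jwk.get('crv')!r}")
        if jwk["kty"] == "EC" and not {"x", "y"} <= set(jwk):
            problems.append("EC JWK lacks x/y public coordinates")
    return problems

def check_multibase(value):
    # privateKeyMultibase values on the page use the 'z' (base58btc) prefix
    if not value.startswith("z") or any(c not in B58 for c in value[1:]):
        return ["not a base58btc multibase string"]
    n = 0
    for c in value[1:]:
        n = n * 58 + B58.index(c)
    return [] if (n.bit_length() + 7) // 8 >= 32 else ["decodes to fewer than 32 bytes"]

def validate_secret(secret):
    """Return problems found in a registrar 'secret' object; [] means acceptable."""
    problems = []
    for vm in secret.get("verificationMethod", []):
        vid = vm.get("id", "<no id>")
        problems += [f"{vid}: missing {f!r}" for f in ("id", "type", "controller", "purpose") if f not in vm]
        if bad := set(vm.get("purpose", [])) - RELATIONSHIPS:
            problems.append(f"{vid}: unknown purpose {sorted(bad)}")
        jwk, mb = vm.get("privateKeyJwk"), vm.get("privateKeyMultibase")
        if (jwk is None) == (mb is None):  # exactly one encoding of the private key
            problems.append(f"{vid}: need exactly one of privateKeyJwk / privateKeyMultibase")
        problems += [f"{vid}: {p}" for p in (check_private_jwk(jwk) if jwk else [])]
        problems += [f"{vid}: {p}" for p in (check_multibase(mb) if mb else [])]
    return problems
```

Running `validate_secret` over the option 2 object above returns an empty list; stripping `d` from its first key makes it report that entry as a public key.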

Closing this after merging #11. If necessary, we can re-visit this in the future.