Do we need to express pre-rotation key commitments in the DIDDoc?
swcurran opened this issue · 3 comments
I'm thinking as I'm writing this that the pre-rotation keys commitments don't need to be in the DIDDoc at all. If anyone is interested, they are available in the Key State, and are used in the KEL processing to get to the Key State.
Leaving this issue in so we can talk about it.
I think this is a different verification relationship. @peacekeeper pointed out to me that pre-rotation is modeled in did:ion (albeit with some minor differences). It would be interesting to see whether they put it in the did doc.
did:ion doesn't put their pre-rotated keys (they call them "update commitment" and "recovery commitment") into the DID document.
Basically, if keys are only meant to be used for controlling the DID itself, then they shouldn't be in the DID document. If OTOH keys are expected to be used by applications or services that use DIDs (e.g. for signing W3C VCs), then they should be in the DID document.
It would theoretically be possible to add pre-rotated key commitments into the DID document as verification methods. This would make sense e.g. if you expect those pre-rotated keys to be used before they are revealed. For example, you could issue a W3C VC, signed by your pre-rotated keys, and they then become verifiable only after the pre-rotated keys are revealed.
This is what the work on EcdsaSecp256k1RecoveryMethod2020 / blockchainAccountId / ES256K-R was about, for example in Ethereum-based DID methods. In these methods, you have an Ethereum address (which is similar to the concept of a pre-rotated key) in the DID document, and people used their not-yet-revealed Ethereum keys for signing VCs:
https://w3c.github.io/did-spec-registries/#blockchainaccountid
Okay, if did:ion didn't put this kind of material in the did doc, I'm content for us to leave it out, too.