-
Notifications
You must be signed in to change notification settings - Fork 133
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[proposal] Add interface for changing the DID controller #583
Comments
@mirceanis Lets pick this topic up again. I really like the idea of the proposed interface you had there. Thinking about did:ethr and other methods one thing comes to my mind. Right now did:ethr does not support adding multiple owners, while other methods may support this (did:web may just add multiple keys to the controller field) - so the Interface How about we add 3 abstract methods to the Abstract that an IdentifierProvider may leverage.
ethr-did would only implement |
@mirceanis Any update on this? 😄 |
no progress yet.
It's always better to only make the required changes as needed instead of adding features that are not yet demanded but would still have to be maintained.
This will be a breaking change, since any existing implementations of the That being said, there is a difference between the controllerKey concept used by Veramo (starting from did:ethr assumptions where it translates to the Coming from the DID spec, @lleifermann @nklomp what do you think? |
@mirceanis I started implementing this proposal (see here) and would love to hear your thoughts on it. What I was wondering:
I still have to write some tests to test the whole flow + if the new key is being used afterwards for future DID operations. I have not checked yet if further changes are needed for this to happen. Oh, and I probably have to remove the DID from old keys |
Based on the discussion above, you don't seem to be missing anything. However, it's not a solution that I really like because it still imposes a set of did:ethr assumptions on other DID method implementations, requiring every other provider to implement a method that throws an error. The way this would look like is that instead of The reason why I think this is a better solution is that some other DID methods don't use the same controller/owner concept, or control is not provided by a key, or they have multiple levels of control, like an update controller and a recovery controller, etc... Regarding point 2, I think eventually we'll be removing some of the relationships between entities currently defined by the data-store plugin. It's possible that using one database engine and deleting an identifier also deletes the associated keys but using another database engine it doesn't... Anyway, the shorter answer for question 2 would be to instead use the |
Thanks for your answer and I totally get your reasoning. I thought about different naming options for the method as well and wasn't happy with any of them tbh. Your suggested
I am going to go with the separate did:ethr extension plugin. Just to validate how I change the db entities for a controller/ owner change, in my example implementation above, I change the
Reading your thoughts on point 2, what changes should I do on the |
It should be possible to re-import both identifiers and keys. This should make it easier to think about these operations as public part of the update
private bookkeeping part of the update
I believe that in this case the internal connection between the keys and DID would work without having to update key metadata. |
Also, if this is a new plugin, it should not use the |
Most of the stuff you describe were already part of the implementation I linked above. But thanks for reiterating to make sure we are on the same page. public part of the update
For me, this is out of scope as I expect the new key being created before and given into the method. export interface IEthrChangeControllerKeyArgs {
did: string,
kid: string,
options?: TransactionOptions
}
Check. Had this already here
Check. Had this already here private bookkeeping part of the update
Done. See here
Done. See here
Done. See here
Done. See here
That's what I still have to do. I will probably just update the metadata as described in a prior message and set the
Check! :) I already started pressing this into a new plugin, thanks for the great plugin template repo btw. |
I am currently writing tests and now noticed the implications Now, obviously, the resolver can't retrieve the new owners public key hex from the new owners address or the DID string, as it correctly contains the public key hex from the previous owner to maintain a constant identifier. My question would be what implications a missing PS: This is how a DID document would look like after changing the owner and adding a key for reference: {
"@context": [
"https://www.w3.org/ns/did/v1",
"https://w3id.org/security/suites/secp256k1recovery-2020/v2"
],
"id": "did:ethr:ganache:0x0279be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798",
"verificationMethod": [
{
"id": "did:ethr:ganache:0x0279be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798#controller",
"type": "EcdsaSecp256k1RecoveryMethod2020",
"controller": "did:ethr:ganache:0x0279be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798",
"blockchainAccountId": "eip155:1337:0x2B5AD5c4795c026514f8317c7a215E218DcCD6cF"
},
{
"id": "did:ethr:ganache:0x0279be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798#delegate-1",
"type": "EcdsaSecp256k1VerificationKey2019",
"controller": "did:ethr:ganache:0x0279be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798",
"publicKeyHex": "04c6047f9441ed7d6d3045406e95c07cd85c778e4b8cef3ca7abac09b95c709ee51ae168fea63dc339a3c58419466ceaeef7f632653266d0e1236431a950cfe52a"
}
],
"authentication": [
"did:ethr:ganache:0x0279be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798#controller"
],
"assertionMethod": [
"did:ethr:ganache:0x0279be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798#controller",
"did:ethr:ganache:0x0279be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798#delegate-1"
]
} |
Technically, the VerificationKey is more powerful than RecoveryMethod since you can compute the latter from the former.
Agreed! BTW, if you ever need a credential to remain valid even after the issuer changes ownership, you can use query parameters to point to a specific version of the DID document (see decentralized-identity/ethr-did-resolver#119). I'm not advocating for this, just mentioning that it's possible ;) |
Just wanted to mention that I released a package for The removal of endpoints etc. I mentioned yesterday was a bad on my side. I just didn't notice that https://github.com/decentralized-identity/ethr-did-resolver/blob/516f5a06aaa2bf921b1da42e82ee4f4eda0fba2c/src/resolver.ts#L257 was in a separate else haha. |
That's very cool! I'd suggest trying to use some of the top-level plugins instead for some operations. You should be able to use the methods of the DIDManager plugin instead of the DIDStore, and the methods of the What do you think? |
Thanks so much for your feedback! I am aware of me copying over some things which is a tradeoff I made to get something out quickly that we can use. Originally, I also wanted to use Edit: Or we export the |
You weren't misunderstanding me. It was an error on my part for not realizing the requirements of the This kind of modification should be a bit more easy to do and I'm inclined more and more toward adding a
The metadata update could be used for other properties too, thus not binding it necessarily to a particular DID method or blockchain. It would only handle the local bookkeeping, and would essentially act as a re-import, but with fewer potential side-effects.
It's easiest to export Edit: See #1124 |
Veramo should have a common API for changing a DID controller. As a prerequisite, the
AbstractIdentifierProvider
class should require implementers to also implement achangeController
method.A proposal for this new method signature is this:
Of all the
did-provider-*
packages that are currently implemented in this repository, this method would only have a concrete implementation indid-provider-ethr
, in which case thenewController
would be an ethereum address and the returnedstring
would be the transaction hash.The
options
parameter can be used to provide transaction value overrides (gasPrice
,gasLimit
,nonce
, etc..).It is expected that the
context.agent.keyManagerSign()
method would be called to sign the transaction and that thecontrollerKeyId
of theidentifier
would be updated.Originally discussed in #574
Originally posted by atz3n June 17, 2021
Hi all 👋,
Is there an interface for changing the DID controller? I couldn't find such a function within the
AbstractIdentifierProvider
class. If not, maybe it is a good idea to define one to have a convenient API for this task.Cheers,
Attila
The text was updated successfully, but these errors were encountered: