Use SHA1 of commit for generating a contributor DID as well? #17
Comments
|
This is an interesting idea. I had assumed that the I'm liking the idea of making all of the DID documents templates and the DID string in them being "rendered" with the commit hashes. But again, that commit hash is SHA-1. I just defaulting to using the SHA-256 hash of the DID's public key instead, just because SHA-256 > SHA-1. But this requires more thinking. Can you think of any attack vectors that can be mitigated by using the key hash instead of the commit hash? |
|
FYI, I updated the spec to say that the |
|
The reason I went that way is because the author string in commits will be the DID string for the contributor and I want that to include the key ID for the signature and I also want the contributor's DID document to be named the same for simplicity sake. |
|
OK, so I can see the value of going either way, but now I'm going to change my mind : ) If the contributor DID document is named the encoded hash of the public key, then the DID document would change names when the key get rotated. I'm not sure that's a good idea. I like using the commit hash as the contributor ID better than using the key id. Here's why:
|
|
I like that approach. The aliases seem to provide a lot of flexibility.
Thomas
…On Wed, Jun 5, 2019 at 2:06 PM Dave Huseby ***@***.***> wrote:
OK, so I can see the value of going either way, but now I'm going to
change my mind : ) If the contributor DID document is named the encoded
hash of the public key, then the DID document would change names when the
key get rotated. I'm not sure that's a good idea.
I like using the commit hash as the contributor ID better than using the
key id. Here's why:
1. The contributor ID is tied to the repo and tied to a point in time.
This is important for verifiable claims that are time based. For instance,
I could prove that I've been a contributor for >5 years or something.
2. The DID string for a contributor will remain stable over time even
if their keys are rotated. This will help for keeping DID strings from
going stale.
3. We can add aliases that map the Base58(SHA256(key bytes)) -> .did
and then modify aliases as keys rotate.
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub
<#17?email_source=notifications&email_token=AAAPEEVVCOZDTTK3ZLZQDXLPY76DBA5CNFSM4HMUUO3KYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGODXARMGA#issuecomment-499193368>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AAAPEER3XVOIXZE6WS6JIZ3PY76DBANCNFSM4HMUUO3A>
.
|
|
So now we have to revisit the procedure for bootstrapping the regime in a repo. If a contributor ID is the commit ID of when their DID document is added means that all DID documents have to be added in their own commit. But we want to have the repo.did file to be signed and linked to the DID documents of the maintainers. Also, all of the DID documents would at least start as a template with placeholders for the commit IDs in the the ID strings in the document. So here's how I think the bootstrapping procedure should go:
It isn't atomic, but it has to be this way if the commit ID is the contributor ID. This is the only way to establish the DID for a committer. |
|
Yes, I think this would be the necessary sequence if none of the
maintainers have external DIDs/trust from outside.
…On Wed, Jun 5, 2019 at 5:50 PM Dave Huseby ***@***.***> wrote:
So now we have to revisit the procedure for bootstrapping the regime in a
repo. If a contributor ID is the commit ID of when their DID document is
added means that all DID documents have to be added in their own commit.
But we want to have the repo.did file to be signed and linked to the DID
documents of the maintainers. Also, all of the DID documents would at least
start as a template with placeholders for the commit IDs in the the ID
strings in the document.
So here's how I think the bootstrapping procedure should go:
1. The did folder is created in the repo root.
2. The repo.did DID template is created and committed, signing it with
one of the maintainer keys. Along with the repo.did DID template, the
governance documents are also committed.
3. An initial maintainer creates their DID template in the did folder
and commits it, signing the commit with the private key associated with the
public key in their template.
4. Each initial maintainer creates their DID template in the did
folder and commits them in the same way. One DID per commit.
It isn't atomic, but it has to be this way if the commit ID is the
contributor ID. This is the only way to establish the DID for a committer.
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
<#17?email_source=notifications&email_token=AAAABANVWHKPT7X27JDFBMLPZBGNBA5CNFSM4HMUUO3KYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGODXBKVTI#issuecomment-499296973>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AAAABAPVYCZ3U6H4MJNOUPTPZBGNBANCNFSM4HMUUO3A>
.
|
Context
While it's certainly possible (and even encouraged, as DIDs become more wide-spread) to use an external DID as one's contributor DID (e.g.
did:sov,did:btcr, etc.) it also seems useful and likely common to create a DID within the git repository for a contributor. It could be that the contributor has no other DID, or they prefer to remain anonymous, and thus need a new DID.Proposal
We could require that all new DIDs generated via the
did:gitmethod be by appending the commit sha.So for the genesis DID of the repo itself, the DID would be generated from
did:git:$commit. (Producingdid:git:<genesis commit SHA>.)For a subsequent new contributor DID to be generated, it would be
did:git:<genesis commit SHA>:$commitwhere this$commitrefers not to the genesis commit, but to the SHA1 of the commit where the contributor's new DID document was added.Corollaries
This would imply that DID document filenames stored like
did/<contributor>.diddo not contain the actual DID in the filename (nor in the document). Since the SHA1 is generated as a result of checking in the DID Document, a contributor DID doc would suffer from the same problem as the genesis DID document--the DID itself is known only after creation.So, the
<contributor>in<contributor>.didcould be the name or handle of the contributor, rather than their DID. As an aside, I think this would actually be easier to manage, since listing the directory contents would show recognizable names rather than a list of SHA-like DIDs.Also, contributor DID generation would be exactly like repository DID generation: the DID is contained in the context of the DID Document creation (i.e. in the SHA1) not in the repository content.
Lastly, only one new contributor DID can be generated per commit.
The text was updated successfully, but these errors were encountered: