Some maybe relevant code from the start of GitHub DID #18

Open
OR13 opened this issue May 15, 2019 · 3 comments

OR13 commented May 15, 2019

Not sure if this is helpful or not, but GitHub DID was originally more similar to this, and has since become much more centralized (and less ambitious).

I'd love to create compatibility and assist. I'm gonna share some links here to things I considered which may or may not be useful. Since this isn't really an "issue", feel free to close it.

We used to have a bunch of scripts that operated on files checked into the repo:

https://github.com/decentralized-identity/github-did/tree/f6baefe68fefbed5fae32149fbab97f8652e7475/scripts

We tried to use GPG directly via command line tools, instead of via js libraries:

https://github.com/decentralized-identity/github-did/tree/f6baefe68fefbed5fae32149fbab97f8652e7475/scripts/shell

https://github.com/decentralized-identity/github-did/blob/f6baefe68fefbed5fae32149fbab97f8652e7475/scripts/did/create_document.js

We had a checkDID script that would cause Travis CI to fail if a DID was not signed properly:

https://github.com/decentralized-identity/github-did/blob/f6baefe68fefbed5fae32149fbab97f8652e7475/scripts/did/checkDIDs.js

The idea was to not merge PRs that contain DIDs that were not signed correctly.

Originally I considered it to be fine to fork and push, because the resolver was tied to the user in GitHub, so I might have old versions of your DID in my repo, but nobody would trust them since I'm not the root of trust for you.

I really liked the idea of just building a DID method on top of GPG, GIT and SSH + some strong assumptions around trust, but the security challenges, rewriting history, etc... scared me off. Plus, I'm not actually very good with git.

Feel free to borrow any code that is helpful from GitHub DID, and I'm happy to think through security / protocol / method design.

Owner

dhuseby commented Jun 2, 2019

Thanks! This is very helpful. I've already seen some tricks in your code that we may borrow. We won't be lifting any code though. I'm already implementing the new signing tool in Rust and the patches to Git are in C and the git did porcelain prototype will likely be Python since some other git porcelains are implemented that way. Ideally, the final git porcelain would also be implemented in Rust but I would accept C if it was demanded by the Git maintainers in exchange for adding git did into the main Git distribution.

Author

OR13 commented Jun 3, 2019

Awesome, I've recently updated: https://github.com/transmute-industries/PROPOSAL-OpenPgpSignature2019

Any chance you are planning to create some Rust / C / Python GPG JSON-LD Signature suite? Or are you planning on keeping signing at the protocol layer (internal)?

If you are planning on exposing GPG keys in DID Documents, I imagine we might have some overlapping standards update needs, support for publicKeyPgp or similar, and something like OpenPgpVerificationKey2019... These don't exist currently, but I'm working to propose them.

Owner

dhuseby commented Jun 5, 2019

I'm OK with adding that, however my ultimate goal is to kill GPG entirely.
