diff --git a/spec.md b/spec.md index bee90f7..8f75fe9 100644 --- a/spec.md +++ b/spec.md @@ -285,7 +285,20 @@ The following describes a sample profile document. } } ``` +### Security Considerations +This section describe a non-normative, non-exhaustive list of security considerations. + +#### Cryptography Suites and Libraries +_This section is non-normative._ + +Some aspects of the profile model described in this specification can be protected through the use of cryptography. It is important for implementers to understand the cryptography suites and libraries used to create and process credentials and presentations. Implementing and auditing cryptography systems generally requires substantial experience. Effective red teaming can also help remove bias from security reviews. + +#### Unsigned Profile Documents + +_This section is non-normative._ + +This specification allows profiles to be produced that do not contain signatures or proofs of any kind. These types of profiles are often useful for cases where users may not have the ability to take advantage of the cryptographic proof mechanisms. Endpoint systems should be aware that these types of profiles are not verifiable because the authorship either is not known or cannot be trusted. ### Future Work @@ -295,7 +308,7 @@ This pertains to defining the capabilities or services associated with the profile data. By outlining the functions embodied by the profile, this section provides clarity on the profile's purpose and its role within the DID ecosystem. -### References +### References and Acknowledgements - Initial Proposal: https://github.com/trustoverip/tswg-trust-registry-tf/discussions/96 - DID Linked Resources : 
@@ -304,3 +317,4 @@ provides clarity on the profile's purpose and its role within the DID ecosystem. - DID Core: https://www.w3.org/TR/did-core/ - Referenced mainly the DID Core spec. - DIDComm Messaging: https://identity.foundation/didcomm-messaging/spec/ - used for understanding how to update the service endpoint of the DID Document. +- https://www.w3.org/TR/vc-data-model/ : For the securtiy considerations and guidance on the profile document structure.
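Review bot: in the first hunk (`@@ -285,7 +285,20 @@`), the Cryptography Suites and Libraries paragraph refers to "credentials and presentations", which are vc-data-model terms that this spec does not define; since this document is about profile documents, it should read "used to create and process profile documents" so the advice applies to the object the spec actually specifies. Two smaller points in the same hunk: "This section describe a non-normative" should be "This section describes a non-normative", and the blank line between the heading and "_This section is non-normative._" is present under Unsigned Profile Documents but missing under Cryptography Suites and Libraries, so the two subsections should be made consistent. Finally, the Unsigned Profile Documents paragraph tells endpoint systems that unsigned profiles are not verifiable but stops there; it would help implementers to add one sentence saying that such profiles should be treated as untrusted input and not relied on for any authorization or trust decision, since authorship is exactly the property they lack.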
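Review bot: in the second hunk (`@@ -295,7 +308,7 @@`), the heading is renamed from "### References" to "### References and Acknowledgements", but no acknowledgements are added anywhere in this patch, so the section title now promises content that does not exist. Either add the acknowledgements this rename anticipates or keep the heading as "### References" until they are written.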
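Review bot: in the third hunk (`@@ -304,3 +317,4 @@`), the new entry "+- https://www.w3.org/TR/vc-data-model/ : For the securtiy considerations ..." has a typo ("securtiy" should be "security") and does not follow the format of the surrounding entries, which are written as "Name: URL - description" (for example "- DID Core: https://www.w3.org/TR/did-core/ - Referenced mainly the DID Core spec."). Suggest "- VC Data Model: https://www.w3.org/TR/vc-data-model/ - for the security considerations and guidance on the profile document structure." so the list stays uniform and the reference is named rather than identified only by URL.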