9797 < p >
9898 DIDs that target a distributed ledger face significant practical
9999 challenges in bootstrapping enough meaningful trusted data around
100- identities to incentivize mass adoption.
100+ identities to incentivize mass adoption.
101101 We propose a new DID method using a web domain's existing reputation.
102102 </ p >
103103 </ section >
126126 Examples
127127 </ h2 >
128128
129- < pre class ="example " title ="Example did:web DID document using JSON Web Keys ">
129+ < pre class ="example "
130+ title ="Example did:web DID document using JSON Web Keys ">
130131{
131132 "@context": [
132133 "https://www.w3.org/ns/did/v1",
181182}
182183 </ pre >
183184
184- < pre class ="example " title ="Example did:web DID document using an ethereum address ">
185+ < pre class ="example "
186+ title ="Example did:web DID document using an ethereum address ">
185187{
186188 "@context": ["https://www.w3.org/ns/did/v1", "https://w3id.org/security/suites/secp256k1recovery-2020/v2"],
187189 "id": "did:web:example.com",
@@ -210,9 +212,10 @@ <h2>
210212 Target system
211213 </ h2 >
212214 < p >
213- The target system of the Web DID method is the web host that the domain
214- name described by the DID resolves to when queried through the Domain
215- Name System (DNS).
215+ The target system of the Web DID method is the host (or domain if the
216+ host
217+ is not specified) name when the domain specified by the DID is resolved
218+ through the Domain Name System (DNS).
216219 </ p >
217220
218221 </ section >
@@ -262,6 +265,53 @@ <h2>
262265did:web:example.com%3A3000
263266 </ pre >
264267 </ section >
268+ < section >
269+ < h2 >
270+ Key Material and Document Handling
271+ </ h2 >
272+ < p >
273+ Due to the way most web servers present content, it is likely that a
274+ particular `did:web` document will be served with a media type of
275+ `application/json`. If a document is retrieved and it is named
276+ `did.json`, a few processing rules should apply:
277+ < ul >
278+ < li >
279+ If an
280+ `@context` is present at the root of the JSON document,
281+ the document should be processed according to the JSON-LD rules.
282+ If this is not possible, or if the document fails processing, the
283+ document should be rejected from consideration as a `did:web` doc.
284+ </ li >
285+ < li >
286+ If an
287+ `@context` is present at the root of the JSON document,
288+ and it passes JSON-LD processing, and it contains the context
289+ `https://www.w3.org/ns/did/v1`, it may be further processed
290+ as a
291+ DID document as specified by section
292+ < a href ="https://www.w3.org/TR/did-core/#consumption-0 "> 6.3.2</ a > of
293+ the
294+ [[did-core]] specification.
295+ </ li >
296+ < li >
297+ If no
298+ `@context` is present, it should be processed via normal
299+ JSON rules for DID processing as specified in section
300+ < a href ="https://www.w3.org/TR/did-core/#consumption "> 6.2.2</ a > of the
301+ [[did-core]] specification.
302+ </ li >
303+ </ ul >
304+ </ p >
305+ < p >
306+ Whenever a DID URL is present within a `did:web` document, it must
307+ be an absolute URL.
308+ < p class ="note ">
309+ This includes URLs inside of embedded key material and other metadata, and
310+ prevents
311+ key confusion attacks.
312+ </ p >
313+ </ p >
314+ </ section >
265315
266316 < section >
267317 < h2 >
@@ -505,16 +555,47 @@ <h3>
505555 </ h3 >
506556
507557 < p >
508- At least TLS 1.2 should be configured to use only strong ciphers
509- suites and to use sufficiently large key sizes. As recommendations may
510- be volatile these days, only the very latest recommendations should be
511- used. However, as a rule of thumb, the following must be used:
558+ Guidance from < a
559+ href ="https://csrc.nist.gov/publications/detail/sp/800-52/rev-2/final ">
560+ NIST SP 800-52 Rev. 2
561+ </ a > or superceding, MUST be followed for delivery of a `did:web`
562+ document.
563+ </ p >
564+
565+ < p >
566+ It is additionally recommended to adhere to the latest recommendations
567+ from OWASP's Transport Layer Protection Cheat Sheet [[OWASP-TRANSPORT]]
568+ for hardening TLS configurations.
569+ </ p >
570+
571+ < p >
572+ Consult < a href ="https://csrc.nist.gov/publications/detail/sp/800-57-part-1/rev-5/final ">
573+ NIST SP 800-57
574+ </ a > for guidance on cryptoperiod, which is the time span during which
575+ a specific key is authorized for use or in which the keys for a given
576+ system or application may remain in effect.
577+ </ p >
578+
579+ < p >
580+ TLS configuration MUST use at least SHA256, and SHOULD use SHA384,
581+ POLY1305, or stronger, depending on the needs of your
582+ operating environment.
583+ </ p >
584+
585+ < p >
586+ Delete action MAY be performed by domain name registrars or DNS lookup
587+ services.
588+ </ p >
589+
590+ < p >
591+ As of this writing, TLS 1.2 or higher SHOULD be configured to use
592+ only strong ciphers suites and to use sufficiently large key sizes.
593+ As recommendations may be volatile these days, only the very latest
594+ recommendations should be used. However, as a rule of thumb,
595+ the following set of suites is a reasonable starting point:
512596 </ p >
513597
514598 < ul >
515- < li >
516- Ephemeral keys are to be used.
517- </ li >
518599 < li >
519600 ECDHE with one of the strong curves {X25519, brainpoolP384r1, NIST
520601 P-384, brainpoolP256r1, NIST P-256} shall be used as key exchange.
@@ -531,10 +612,6 @@ <h3>
531612 Authenticated Encryption with Associated Data (AEAD) shall be used
532613 as Mac.
533614 </ li >
534- < li >
535- At least SHA256 shall be used, but SHA384 or POLY1305 are
536- recommended.
537- </ li >
538615 </ ul >
539616
540617 < p >
@@ -561,16 +638,7 @@ <h3>
561638 </ li >
562639 </ ul >
563640
564- < p >
565- It is recommended to adhere to OWASP's Transport Layer Protection
566- Cheat Sheet [[OWASP-TRANSPORT]] latest recommendations for hardening
567- TLS configurations.
568- </ p >
569641
570- < p >
571- Delete action can be performed by domain name registrars or DNS lookup
572- services.
573- </ p >
574642
575643 </ section >
576644
0 commit comments