FEP-c390: Identity Proofs
Summary
This proposal describes a mechanism of creating verifiable links between Decentralized Identifiers and ActivityPub actor profiles.
Potential applications include: identity verification, end-to-end encryption and account migrations.
History
- Mastodon implemented identity proofs in 2019. Keybase platform was used as an identity provider, but the integration was later removed.
- Keyoxide can create off-protocol identity proofs for Fediverse profiles using OpenPGP.
Identity proofs
Identity proof is a JSON document that represents a verifiable bi-directional link between a Decentralized Identifier and an ActivityPub actor.
It MUST contain the following properties:
type(REQUIRED): thetypeproperty MUST contain the stringVerifiableIdentityStatement.subject(REQUIRED): the decentralized identifier (DID) that represents a cryptographic key belonging to an actor.alsoKnownAs(REQUIRED): the value of this property MUST match the actor ID.proof(REQUIRED): the data integrity proof, as defined by Data Integrity specification.
The document MAY contain additional properties.
Identity proofs SHOULD be attached to an actor object, under the attachment property.
Proof generation
The identity proof document MUST contain a data integrity proof, which includes a cryptographic proof and parameters required to verify it. It MUST be created according to the Data Integrity specification, section 4.3 Add Proof. The value of verificationMethod property of the data integrity proof MUST match the value of subject property of the identity proof document.
The resulting data integrity proof MUST be added to identity proof document under the proof key.
Example of an actor object linked to a did:key identifier:
{
"@context": [
"https://www.w3.org/ns/activitystreams",
"https://www.w3.org/ns/did/v1",
"https://w3id.org/security/data-integrity/v1",
"https://w3id.org/fep/c390"
],
"type": "Person",
"id": "https://server.example/users/alice",
"inbox": "https://server.example/users/alice/inbox",
"outbox": "https://server.example/users/alice/outbox",
"attachment": [
{
"type": "VerifiableIdentityStatement",
"subject": "did:key:z6MkrJVnaZkeFzdQyMZu1cgjg7k1pZZ6pvBQ7XJPt4swbTQ2",
"alsoKnownAs": "https://server.example/users/alice",
"proof": {
"type": "DataIntegrityProof",
"cryptosuite": "eddsa-jcs-2022",
"created": "2023-02-24T23:36:38Z",
"verificationMethod": "did:key:z6MkrJVnaZkeFzdQyMZu1cgjg7k1pZZ6pvBQ7XJPt4swbTQ2",
"proofPurpose": "assertionMethod",
"proofValue": "..."
}
}
]
}
WARNING: The example above uses eddsa-jcs-2022 cryptosuite, which doesn't have stable specification.
Proof verification
The consuming implementations MUST check the authenticity of identity proof document by verifying its data integrity proof. If the proof can not be verified, or if the value of verificationMethod property of the data integrity proof doesn't match the value of subject property of the identity proof, or if the value of alsoKnownAs property of the identity proof doesn't match the actor ID, the identity proof MUST be discarded.
Verification process MUST follow the Data Integrity specification, section 4.5 Verify Proof.
Linking identities
The consuming implementations SHOULD treat identities denoted by subject and alsoKnownAs properties of identity proof as belonging to the same entity.
If two actors have identity proofs with the same subject property, they SHOULD be treated as different identities of the same entity.
Implementation notes
Servers MUST present identity proofs to clients in their original form. Clients MAY perform independent verification of identity proofs if needed.
Test vectors
TBD
実装
参考文献
- Christine Lemmer Webber, Jessica Tallon, ActivityPub, 2018
- Manu Sporny, Dave Longley, Markus Sabadell, Drummond Reed, Orie Steele, Christopher Allen, Decentralized Identifiers (DIDs) v1.0, 2022
- Dave Longley, Manu Sporny, Verifiable Credential Data Integrity 1.0, 2022
著作権
CC0 1.0 ユニバーサル (CC0 1.0) パブリック ドメイン
法律で認められる範囲において、この Fediverse 拡張提案の著者は、この作品に対するすべての著作権および関連する権利または隣接する権利を放棄しています。