Mirrors
/
feps
mirror of https://codeberg.org/silverpill/feps.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'main'
${ noResults }
feps/c390/fep-c390.md

5.3 KiB
Raw Permalink Blame History

slug authors status dateReceived relatedFeps trackingIssue discussionsTo
c390 silverpill <@silverpill@mitra.social> DRAFT 2022-11-23 FEP-8b32 https://codeberg.org/fediverse/fep/issues/34 https://codeberg.org/fediverse/fep/issues/34

FEP-c390: Identity Proofs

Summary

This proposal describes a mechanism of creating verifiable links between Decentralized Identifiers and ActivityPub actor profiles.

Potential applications include: identity verification, end-to-end encryption and account migrations.

History

  • Mastodon implemented identity proofs in 2019. Keybase platform was used as an identity provider, but the integration was later removed.
  • Keyoxide can create off-protocol identity proofs for Fediverse profiles using OpenPGP.

Identity proofs

Identity proof is a JSON document that represents a verifiable bi-directional link between a Decentralized Identifier and an ActivityPub actor.

It MUST contain the following properties:

  • type (REQUIRED): the type property MUST contain the string VerifiableIdentityStatement.
  • subject (REQUIRED): the decentralized identifier (DID) that represents a cryptographic key belonging to an actor.
  • alsoKnownAs (REQUIRED): the value of this property MUST match the actor ID.
  • proof (REQUIRED): the data integrity proof, as defined by Data Integrity specification.

The document MAY contain additional properties.

Identity proofs SHOULD be attached to an actor object, under the attachment property.

Proof generation

The identity proof document MUST contain a data integrity proof, which includes a cryptographic proof and parameters required to verify it. It MUST be created according to the Data Integrity specification, section 4.3 Add Proof. The value of verificationMethod property of the data integrity proof MUST match the value of subject property of the identity proof document.

The resulting data integrity proof MUST be added to identity proof document under the proof key.

Example of an actor object linked to a did:key identifier:

{
    "@context": [
        "https://www.w3.org/ns/activitystreams",
        "https://www.w3.org/ns/did/v1",
        "https://w3id.org/security/data-integrity/v1",
        "https://w3id.org/fep/c390"
    ],
    "type": "Person",
    "id": "https://server.example/users/alice",
    "inbox": "https://server.example/users/alice/inbox",
    "outbox": "https://server.example/users/alice/outbox",
    "attachment": [
        {
            "type": "VerifiableIdentityStatement",
            "subject": "did:key:z6MkrJVnaZkeFzdQyMZu1cgjg7k1pZZ6pvBQ7XJPt4swbTQ2",
            "alsoKnownAs": "https://server.example/users/alice",
            "proof": {
                "type": "DataIntegrityProof",
                "cryptosuite": "eddsa-jcs-2022",
                "created": "2023-02-24T23:36:38Z",
                "verificationMethod": "did:key:z6MkrJVnaZkeFzdQyMZu1cgjg7k1pZZ6pvBQ7XJPt4swbTQ2",
                "proofPurpose": "assertionMethod",
                "proofValue": "..."
            }
        }
    ]
}

WARNING: The example above uses eddsa-jcs-2022 cryptosuite, which doesn't have stable specification.

Proof verification

The consuming implementations MUST check the authenticity of identity proof document by verifying its data integrity proof. If the proof can not be verified, or if the value of verificationMethod property of the data integrity proof doesn't match the value of subject property of the identity proof, or if the value of alsoKnownAs property of the identity proof doesn't match the actor ID, the identity proof MUST be discarded.

Verification process MUST follow the Data Integrity specification, section 4.5 Verify Proof.

Linking identities

The consuming implementations SHOULD treat identities denoted by subject and alsoKnownAs properties of identity proof as belonging to the same entity.

If two actors have identity proofs with the same subject property, they SHOULD be treated as different identities of the same entity.

Implementation notes

Servers MUST present identity proofs to clients in their original form. Clients MAY perform independent verification of identity proofs if needed.

Test vectors

TBD

Implementations

References

Copyright

CC0 1.0 Universal (CC0 1.0) Public Domain Dedication

To the extent possible under law, the authors of this Fediverse Enhancement Proposal have waived all copyright and related or neighboring rights to this work.