index.html

<!DOCTYPE html>
<html>

<head>
  <meta charset="utf-8">
  <title>did:webhash Method Specification</title>
  <script src="https://www.w3.org/Tools/respec/respec-w3c" async
    class="remove"></script>
  <script class="remove">
    var respecConfig = {
      specStatus: "unofficial",
      shortName: "did-method-webhash",
      wg: "did.coop",
      wgURI: "https://did.coop/",
      wgPublicList: "public-credentials",
      editors: [{
        name: "Juan Caballero",
        url: "https://learningproof.xyz",
        email: "bumblefudge@learningproof.xyz",
        company: "learningProof uG",
        companyURL: "https://learningproof.xyz/"
      }],
      authors: [
        {
          name: "Dmitri Zagidulin",
          email: "dmitri@did.coop",
          company: "did.coop",
          companyURL: "https://did.coop/"
        }],
      github: "https://github.com/learningproof/did-method-webhash/",

      localBiblio: {
        "DID-PRIMER": {
          title: "DID Primer",
          href: "https://github.com/WebOfTrustInfo/rebooting-the-web-of-trust-fall2017/blob/master/topics-and-advance-readings/did-primer.md",
          authors: [
            "Drummond Reed",
            "Manu Sporny",
          ],
          publisher: "Rebooting the Web of Trust 2017"
        },
        "DATA-INTEGRITY": {
          title: "Data Integrity",
          href: "https://w3c-ccg.github.io/data-integrity-spec/",
          authors: [
            "Manu Sporny",
            "Dave Longley",
          ],
          publisher: "Credentials Community Group"
        },
        "OWASP-TRANSPORT": {
          title: "Transport Layer Protection Cheatsheet",
          href: "https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet",
        }
      },
    };
  </script>
</head>

<body>
  <section id="abstract">
    <p>
      <code>did:webhash</code> is: <ul>
      <li><code>did:web</code></li>
      <li>+ self-certifying URLs</li>
      <li>+ signed documents</li>
      <li>+ version history</li>
      <li>+ key rotation logs</li>
      <li>+ certificate-transparency-style witnesses</li></ul>
    </p>
    <p>
      DIDs that require a distributed ledger or trusted clients for resolutions
      face significant practical challenges in anchoring trust for many
      use-cases targeted by the DID WG at W3C. Conversely, however, DNS-based
      methods have little in the way of verifiability and are susceptible to
      malicious or duplicitous DID controllers abusing control of domains under
      their control, as DID documents in the classic did:web model are neither
      signed nor self-certifying, with no standardized mechanisms defined for
      witnessing structures to vouchsafe historical authenticity. We propose a
      new DID method extending did:web with additional trust and verification
      properties based on standard hashing methods that can be extended in
      implementation-specific ways, while also offering backwards compatibility
      for the trust models and use-cases supported by did:web.
    </p>
  </section>
  <section id="sotd">
  </section>
  <section>
    <h1>
      Introduction
    </h1>
    <section>
      <h2>
        Preface
      </h2>
      <p>
        The Webhash DID method specification conforms to the requirements specified
        in the Decentralized Identifiers v1.0 Specification [[DID-CORE]]. For
        more information about DIDs and DID method specifications, please also
        see the [[?DID-PRIMER]]
      </p>
    </section>
    <section id="conformance">
      <!-- This section is filled automatically by ReSpec. -->
    </section>

    <section>
      <h2>
        Design Constraints and Motivation
      </h2>

      <p>
        This DID method was developed with the following design constraints:
      </p>

      <ol>
        <li><strong>Static web hosting</strong>: DID Documents must be able to
          be hosted on static web servers (with no support for query parameters
          or custom HTTP headers).
        </li>
        <li><strong>Prefer Backwards compatibility</strong>:
          Whenever possible, `did:webhash` DIDs should be resolvable by
          <code>did:web</code> resolvers. That is, for a given DID, if the
          <code>webhash</code> method keyword is changed to <code>web</code>,
          an existing DID Web resolver is able to fetch and process it.
        </li>
        <li><strong>Modular Trait-Based Design</strong>:
          The various security features added to this method (as compared with
          <code>did:web</code>) should be modular, and reusable by any other
          DID Method.
        </li>
      </ol>

      <section>
        <h3>
          Trust Model
        </h3>

        <div class="issue">Add section on the did:webhash Trust Model (requires
          DNS/ICANN/CA infrastructure for resolution, website operator has the
          power to disrupt key rotation chains, which means Witnesses are
          ultimately necessary).
        </div>
      </section>

      <section>
        <h3>
          Separation of Server Operator and DID Controller
        </h3>

        <p>The division of responsibilities into two different parties,
          separating the web server Operator from the DID Controller, is a
          primary motivation for creating a new DID method instead of continuing
          to use <code>did:web</code>.
        </p>

        <ul>
          <li>Is crucial in "multi-tenancy" scenarios (either via subdomains
          or subdirectories).</li>
          <li>Allows for greater availability, archiving, and migration to
          other domains or other DID methods.</li>
        </ul>
      </section>
    </section>

    <section>
      <h2>
        Relationship to Other DID Methods
      </h2>

      <p>
        This DID method is an iteration over the original <code>did:web</code>
        method, and exists in conversation with similar web-derived
        microledger-based methods currently under development.
      </p>
      <ul>
        <li><code>did:web</code> - No key rotation history; the DID Document
          contains only the latest valid keys. Unsigned DID docs.</li>
        <li><code>did:webs</code> - see the
          <a href="https://trustoverip.github.io/tswg-did-method-webs-specification/">DID Method did:webs Specification</a>.
          Key rotation events at a separate location (in KERI format).
        </li>
        <li><code>did:webplus</code> - see
          <a href="https://github.com/LedgerDomain/did-webplus">https://github.com/LedgerDomain/did-webplus</a></li>
        <li><code>did:plc</code> - key rotation events at a separate location</li>
      </ul>

      <div class="issue">Add text comparing did:webhash to did:webs and similar
        methods.
      </div>

      <section>
        <h3>Enhancements and Differences from <code>did:web</code></h3>

        <p>The differences are nonbreaking and additive (see the Design
          Constraints section).</p>

        <ul>
          <li>Introduces the <code>prev</code> term for backwards chaining,
            as well as a corresponding algorithm for chain verification.</li>
          <li>DID Documents must be signed.</li>
          <li>Requires the use of the <code>controller</code> term (specifically,
            DID document update and key rotation events must be signed by
            the <code>controller</code> DID (specifically, by a key
            authorized in its <code>assertionMethod</code> section).
          </li>
          <li>Requires the use of a path fragment which binds a given DID
            document to the initial inception event.</li>
          <li>Because there is always a path fragment, no <code>.well-known/</code>
            directory mechanism is used for a DID at the "top" domain level.</li>
          <li>Requires the use of Tombstones when a DID is deactivated.</li>
          <li>Provides affordances for DID migration and archiving (for end-of-life
            and migration from non-cooperative server scenarios).</li>
          <li>Specifies optional but recommended Witness mechanism.</li>
          <li>Specifies optional but recommended Cache Control property.</li>
        </ul>
      </section>
    </section>

    <section>
      <h2>
        Examples
      </h2>

      <div class="issue" data-number="1"></div>
      <pre class="example" title="Example initial DID document">
{
  "@context": [
    "https://www.w3.org/ns/did/v1",
    "https://w3id.org/did/webhash/v0.1",
    "https://w3id.org/security/suites/jws-2020/v1"
  ],
  "id": "did:webhash:example.com",

  // Note that in this example, the controller is a different DID
  "controller": "did:key:z6MkpTHR8VNsBxYAAWHut2Geadd9jSwuBV8xRoAnwWsdvktH",

  // This is the first DID Document in the chain; no previous version exists
  prev: null,

  // Keys to be used for DID Authentication only
  "authentication": [
    {
      "id": "did:webhash:example.com#key-1",
      "type": "JsonWebKey2020",
      "controller": "did:webhash:example.com",
      "publicKeyJwk": {
        "kty": "OKP",
        "crv": "Ed25519",
        "x": "0-e2i2_Ua1S5HbTYnVB0lj2Z2ytXu2-tYmDFf8f5NjU"
      }
    }
  ],
  // Keys to be used for signing VCs, DIDs, key rotation events, etc
  "assertionMethod": [
    {
      "id": "did:webhash:example.com#key-2",
      "type": "JsonWebKey2020",
      "controller": "did:webhash:example.com",
      "publicKeyJwk": {
        "kty": "EC",
        "crv": "P-256",
        "x": "38M1FDts7Oea7urmseiugGW7tWc3mLpJh6rKe7xINZ8",
        "y": "nDQW6XZ7b_u2Sy9slofYLlG03sOEoug3I0aAPQ0exs4"
      }
    }
  ],
  // Keys to be used for encryption (key agreement) only
  "keyAgreement": [
    {
      "id": "did:webhash:example.com#key-3",
      "type": "JsonWebKey2020",
      "controller": "did:webhash:example.com",
      "publicKeyJwk": {
        "kty": "OKP",
        "crv": "X25519",
        "x": "9GXjPGGvmRq9F6Ng5dQQ_s31mfhxrcNZxRGONrmH30k"
      }
    }
  ],

  "service": [{
    "type": "TransparencyService",
    "serviceEndpoint": "https://key-log.example.com"
  }],

  proof: {
     // ... DID Doc signed by controller's 'assertionMethod' key
  }
}
        </pre>

        <div class="issue" data-number="1"></div>
        <pre class="example"
        title="Example did:webhash DID document using an ethereum address">
{
  "@context": [
    "https://www.w3.org/ns/did/v1", "https://w3id.org/security/suites/secp256k1recovery-2020/v2"
  ],
  "id": "did:webhash:example.com",
  "verificationMethod": [{
      "id": "did:webhash:example.com#address-0",
      "type": "EcdsaSecp256k1RecoveryMethod2020",
      "controller": "did:webhash:example.com",
      "blockchainAccountId": "eip155:1:0x89a932207c485f85226d86f7cd486a89a24fcc12"
  }],
  "authentication": [
      "did:webhash:example.com#address-0"
  ]
}
        </pre>

    </section>
  </section>

  <section>
    <h1>
      <code>webhash</code> DID Method Specification
    </h1>

    <section>
      <h2>
        Target system
      </h2>
      <p>
        The target system of the <code>webhash</code> DID method is the host
        (or domain if the host is not specified) name when the domain specified
        by the DID is resolved through the Domain Name System (DNS).
      </p>

    </section>

    <section>
      <h2>
        Method name
      </h2>
      <p>
        The namestring that shall identify this DID method is: <code>webhash</code>.
      </p>
      <p>
        A DID that uses this method MUST begin with the following prefix:
        <code>did:webhash</code>. Per the DID specification, this string MUST be
        in lowercase. The remainder of the DID, after the prefix, is specified
        below.
      </p>
    </section>

    <section>
      <h2>
        Method-specific identifier
      </h2>
      <p>
        The method specific identifier is a fully qualified domain name that is
        secured by a TLS/SSL certificate with an optional path to the DID
        document. The formal rules describing valid domain name syntax are
        described in [[RFC1035]], [[RFC1123]], and [[RFC2181]].
      </p>
      <p>
        The method specific identifier MUST match the common name used in the
        SSL/TLS certificate, and it MUST NOT include IP addresses. A port MAY be
        included and the colon MUST be percent-encoded to prevent a conflict
        with paths. Directories and subdirectories MAY optionally be included,
        delimited by colons rather than slashes.
      </p>
      <p>
        Additionally, a hash value for the unsigned "payload" of the
        currently-valid DID document (i.e., the "backwards-compatible" one that
        is also a valid did:web document) MAY be appended (delimited by a
        colon), after the path if present, to any webhash method identifiers.
      </p>
      <p>
        The syntax of a <code>webhash</code> DID string, expressed as a pseudo
        regular expression, is:<br>
        <code>did:webhash:{valid domain}[:[^/:#?]+]*[:{Initial creation event trust anchor}]{0,1}</code>
      </p>

      <pre class="nohighlight">
webhash-did = "did:webhash:" domain-name
webhash-did = "did:webhash:" domain-name * (":" path)
        </pre>


        <div class="issue" data-number="2"></div>
        <pre class="example nohighlight" title="Example Web Method DIDs">
did:webhash:w3c-ccg.github.io

did:webhash:w3c-ccg.github.io:user:alice

did:webhash:example.com%3A3000
        </pre>
    </section>
    <section>
      <h2>
        Key Material and Document Handling
      </h2>
      <p>
        Due to the way most web servers present content, it is likely that a
        particular `did:webhash` document will be served with a media type of
        `application/json`. If a document is retrieved and it is named
        `did.json`, it can be parsed as a JSON object; depending on the contents
        of the <code>proof</code> object(s) attached, it can be verified as a
        valid JSON-LD document (see section
        <a href="https://www.w3.org/TR/did-core/#consumption-0">6.3.2</a> of the
        [[did-core]] specification.) and/or reconstructed to form a a valid JWS
        truple (see section
        <a href="https://www.w3.org/TR/did-core/#consumption-0">6.3.2</a> of
        the
        [[did-core]] specification) for verification.
      </p>
      <p>
        Whenever a DID URL is present within a `did:webhash` document, it MUST
        be an absolute URL *without* the hash-segment appended.
        <p class="note">
          This includes URLs inside of embedded key material and other metadata, and
          prevents key confusion attacks.
        </p>
      </p>
    </section>

    <section>
      <h2>
        DID method operations
      </h2>
      <section>
        <h3>
          CRUD API
        </h3>
        <p>
          There is intentionally no HTTP API specified for the <code>did:webhash</code>
          method operations, leaving programmatic registrations and management
          to be defined by each implementation, or based on their own
          requirements in their web environment.
        </p>

        <div class="issue">
          Add some example HTTP-based APIs for creating and editing resources,
          such as Solid, AtomPub, etc.
        </div>
      </section>
      <section>
        <h3>
          Create (Register)
        </h3>
        <p>
          To create a <code>did:webhash</code> DID and its corresponding
          document, you'll need a domain and a web server. Specifically,
          one must meet the following pre-requisite requirements:
        </p>
        <ul>
          <li>
            Select a registered domain that has a valid domain certificate,
            that is running a web server able to serve static files.
            That is, a domain able to be resolved using the <code>https</code>
            URL scheme.
          </li>
          <li>
            Have sufficient authorization/privileges to be able to create
            resources (folders and files), to be served by that web server.
            For example, to create a <code>did:webhash</code> DID at the
            domain <code>https://webserver.example</code>, you'll need to be
            able to create resources at the web path <code>/</code>. That is,
            to create a directory <code>abcd12345</code>, such that it'll be
            resolvable via <code>https://webserver.example/abcd12345/</code>
          </li>
        </ul>
        <p>
          Once those pre-requisites are met, creating a DID is done by:
        </p>
        <ol>
          <li>
            Select a public-private signing key pair that will serve as the
            <em>controller key</em>. This key will be used to sign the initial
            DID Document, as well as to sign subsequent DID Document update
            events.
          </li>
          <li>
            Generate a JWK Thumbprint (see
            <a href="https://datatracker.ietf.org/doc/html/rfc7638">RFC7638</a>)
            of the controller key.
          </li>


          <li>
            creating the payload DID document (without <code>proof</code>
            object) that will be hashed and then signed with all the relevant
            keys referenced at absolute DID URLs <strong>without</strong> a hash
            segment appended.
          </li>
          <li>
            signing the unproofed DID document with a approprate keypair from
            the DID document and appending one or more <code>proof</code>
            objects to the DID document containing and describing said signature
            (See the section "Signing DID Documents" for default method and
            alternatives).
          </li>
          <li>
            hashing the proofed DID document to generate the "hash segment"
            needed for both publishing and securely using the DID. (See the
            section "Generating entropic identifiers for DID documents" for more
            default method and alternatives).
          </li>
          <li>
            publishing the proofed DID Document as the file
            <code>did.json</code> at the domain (qualified or unqualifed) that
            the did identifier (without hash segment) translates to when
            <code>:</code>s are replaced with <code>/</code>s, <strong>as well
            as</strong> the domain (qualified or unqualified) that the did
            identifier (with hash segment) translates to when <code>:</code>s
            are replaced with <code>/</code>s.
          </li>
        </ol>

        <p>
          For example, for the domain name `w3c-ccg.github.io`, the `did.json`
          will be available under the following URL:
        </p>

        <div class="issue" data-number="2"></div>

        <pre class="example nohighlight" title="Creating the DID">
did:webhash:w3c-ccg.github.io
 -> https://w3c-ccg.github.io/did.json
          </pre>

        <p>
          If an optional path is specified rather than a bare domain, the
          <code>did.json</code> will be available under the specified path:
        </p>

        <pre class="example nohighlight"
          title="Creating the DID with optional path">
did:webhash:w3c-ccg.github.io:user:alice
 -> https://w3c-ccg.github.io/user/alice/did.json
          </pre>

        <p>
          If an optional port is specified on the domain, the port colon
          splitting the host and the port MUST be percent encoded to prevent
          collision with the colons used as separators between domain,
          optional path, and entoropic identifier.
        </p>

        <pre class="example nohighlight"
          title="Creating the DID with optional path and port">
did:webhash:example.com%3A3000:user:alice
 -> https://example.com:3000/user/alice/did.json
        </pre>
      </section>

      <section>
        <h3>
          Read (Resolve)
        </h3>
        <p>
          The following steps MUST be executed to resolve the DID document from
          a webhash DID:
        </p>

        <ol>
          <li>
            Replace ":" with "/" in the method specific identifier to obtain the
            fully qualified domain name and optional path, whether a hash
            segment is appended or not.
          </li>
          <li>
            If the domain contains a port, percent-decode the colon.
          </li>
          <li>
            Generate an HTTPS URL to the expected location of the DID document
            by prepending <code>https://</code>.
          </li>
          <li>
            Append <code>/did.json</code> to complete the URL.
          </li>
          <li>
            Perform an HTTP <code>GET</code> request to the URL using an agent
            that can successfully negotiate a secure HTTPS connection, which
            enforces the security requirements as described in <a
              href="#security-and-privacy-considerations"></a>.
          </li>
          <li>
            When performing the DNS resolution during the HTTP <code>GET</code>
            request, the client SHOULD utilize [[RFC8484]] in order to prevent
            tracking of the identity being resolved.
          </li>
        </ol>
      </section>

      <section>
        <h3>
          Update
        </h3>
        <p>
          <div class="issue" data-number="6"></div>
          When generating a new DID document, the value of root DID document
          property <code>prev</code> should be set to the current DID
          <strong>with</strong> the version-specific hash segment appended.
        </p>
        <p>
          Once updated, the new DID document must be published. The
          <code>did.json</code> corresponding to the identifier
          <strong>without</strong> a hash segment appended must be replaced with
          a new (and newly-proofed) DID document. This new DID document MUST
          also be published at the path corresponding to the identifier
          <strong>with</strong> the new document's hash segment.
        </p>

        <p class="note" title="HTTP API">
          There is no HTTP API specified for the update process leaving
          programmatic registrations and management to be defined by each
          implementation.
        </p>
      </section>

      <section>
        <h3>
          Deactivate (Tombstone)
        </h3>
        <p>
          To delete the DID document without revoking or "disavowing" all
          previous history of the DID, a new DID <code>did.json</code> should be
          stripped of all values except `prev` and all key material, then signed
          and published as usual, making future updates unverifiable (as no
          future DID document can be signed by a key contained in the previous
          document).
        </p>
      </section>
      <section>
        <h3>
          Deactivate (Revoke)
        </h3>
        <p>
          To delete the DID document and revoke all previous history of the DID,
          the current <code>did.json</code> and those corresponding to all
          previous hash-segment-appended versions should be deleted from the
          corresponding domain.
        </p>
      </section>
      <section>
        <h3>
          Generating entropic identifiers for DID documents
        </h3>
        <p>
          As the name webhash would imply, each DID document published to the
          web is intended to be addressable stably and archivally by an entropic
          identifier, such as one produced by a deterministic and standard hash
          function. This allows a "microledger" style history of each DID, since
          each DID document after the first contains a back-link to the previous
          one in the form of a <code>prev</code> property, the value of which is
          includes the hash of the previous unproofed DID document. It also
          enables multiple witnessing structures to "mirror" or sync witnessed
          DID documents across architectures, and even for DID histories to span
          multiple domains (although these cannot be considered verified without
          some form of additional input from a witness of some kind).
        </p>
        <p>
          To generate a deterministic hash, canonicalize an unproofed DID
          document according to <a
          href=https://www.rfc-editor.org/rfc/rfc8785>RFC 8785</a>, for which
          standard tooling is readily available at time of press. The hash
          function and expression used is a <code>SHA256</code>
          ASCII-encoded as a 32 characters in the <code>base58btc</code>
          alphabet. This is commonly referred to as a <a
          href=https://github.com/multiformats/cid#cidv0>"CIDv0"</a> in
          IPFS-based systems for content-addressed key/value storage, and common
          IPFS tooling can be used to generate such hashes from canonicalized
          JSON objects regardless of an implementation's choice of storage or
          witnessing mechanisms.
        </p>
      </section>
      <section>
        <h3>
          Historical Query and Walking Backlinks
        </h3>
        <p>
          Dynamic web services or complex redirecting policies MAY be
          implemented to allow consumers to query by resolution metadata via
          query parameters like <code>?versionId=</code> or
          <code>?versionTime=</code> (see section
          <a
          href="https://www.w3.org/TR/did-core/#did-document-metadata">7.1.3</a>
          of the [[did-core]] specification), but this is not required for
          conformance. Publishing according to this specification allows
          witnesses and consumers alike to reconstruct the entire history of a
          given did by recursing through the <code>prev</code> property of each
          resolved and verified DID document starting at the presently-valid one
          (which can be queried without hash segment).
        </p>
        <p>
          In low-trust environments, protection against duplicitous or
          inauthentic DID histories can be achieved by
          <ol>
            <li>establishing a complete
              DID history walking back from the presently-valid DID document (i.e.
              querying without a hash segment and then resolving each
              <code>prev</code> DID until a DID without a <code>prev</code> is
              resolved), then</li>
            <li>querying a trusted witnessing service (e.g. by hash segment
              value, <code>versionId</code>, and/or <code>versionTime</code>)
              or querying any other form of external verifiable
              data registry, including git-based records, snapshotting systems,
              key-value stores that store resolution metadata, and/or by
              content-addressed archives, and then</li>
              <li>confirming the provenance of the requested current or
              historical DID document as per use-case and witnessing system
              properties.</li>
          </ol>
        </p>
      </section>
    </section>

    <section class="informative">
      <h2>
        Security and privacy considerations
      </h2>

      <section>
        <h3>
          Authentication and Authorization
        </h3>
        <div class="issue" data-number="8"></div>
        <p>
          This DID method does not specify any authentication or authorization
          mechanism for writing to, removing or creating the DID Document,
          leaving it up to implementations to protect did:webhash documents as
          with any other web resource.
        </p>
        <p>
          It is up to implementer to secure their web environments according to
          industry best practices for updating or otherwise managing web content
          based on the specific needs of their threat environment.
        </p>
      </section>
      <section>
        <h3>
          DNS Considerations
        </h3>
        <h4>
          DNS Security Considerations
        </h4>
        <p>
          DNS presents many of the attack vectors that enable active security
          and privacy attacks on the did:webhash method and it's important that
          implementors address these concerns via proper configuration of DNS.
          For example, without proper security of the DNS resolution via <a
            href="https://tools.ietf.org/html/rfc8484">DNS over HTTPS</a> it's
          possible for active attackers to intercept the result of the DNS
          resolution via a Man in the Middle attack which would point at a
          malicious server with the incorrect DID Document.
        </p>
        <p>
          Additionally, implementors should be aware of issues presented by a
          Spoofed DNS records where the record returned by a malicious DNS
          Server is inauthentic and allows the record to be pointed at a
          malicious server which contains a different DID Document. To prevent
          this type of issue, usage of DNSSEC which is
          <a href="https://tools.ietf.org/html/rfc4033">RFC4033</a>,
          <a href="https://tools.ietf.org/html/rfc4034">RFC4034</a>, and
          <a href="https://tools.ietf.org/html/rfc4035">RFC4035</a>.
        </p>

        <h4>
          DNS Privacy Considerations
        </h4>
        <p>
          Due to the nature of the did:webhash method relying upon a DNS in
          order to resolve the web server, all resolutions of a did:webhash
          identifier have the potential to be tracked by a DNS provider.
          Additionally, due to the DID Document being stored on a web server,
          each time the DID Document resource is retrieved, the web server has
          the ability to track the resolution of the DID Document. To mitigate
          the issue of the relying party being tracked when resolving the DID
          Document the relying party should look to either use a trusted
          universal resolver service to gain herd privacy, utilize a VPN service
          or perform a resolution over the TOR network. Another emerging
          solution that will be useful to address this is <a
            href="https://tools.ietf.org/html/draft-pauly-dprive-oblivious-doh-03">
            draft-pauly-dprive-oblivious-doh-03</a>
        </p>
      </section>
      <section>
        <h3>
          In-transit Security
        </h3>

        <p>
          Guidance from <a
            href="https://csrc.nist.gov/publications/detail/sp/800-52/rev-2/final">
            NIST SP 800-52 Rev. 2
          </a> or superceding, MUST be followed for delivery of a `did:webhash`
          document.
        </p>

        <p>
          It is additionally recommended to adhere to the latest recommendations
          from OWASP's Transport Layer Protection Cheat Sheet [[OWASP-TRANSPORT]]
          for hardening TLS configurations.
        </p>

        <p>
          Consult <a href="https://csrc.nist.gov/publications/detail/sp/800-57-part-1/rev-5/final">
            NIST SP 800-57
          </a> for guidance on cryptoperiod, which is the time span during which
          a specific key is authorized for use or in which the keys for a given
          system or application may remain in effect.
        </p>

        <p>
          TLS configuration MUST use at least SHA256, and SHOULD use SHA384,
          POLY1305, or stronger, depending on the needs of your
          operating environment.
        </p>

        <p>
          Delete action MAY be performed by domain name registrars or DNS lookup
          services.
        </p>

        <p>
          As of this writing, TLS 1.2 or higher SHOULD be configured to use
          only strong ciphers suites and to use sufficiently large key sizes.
          As recommendations may be volatile these days, only the very latest
          recommendations should be used. However, as a rule of thumb,
          the following set of suites is a reasonable starting point:
        </p>

        <ul>
          <li>
            ECDHE with one of the strong curves {X25519, brainpoolP384r1, NIST
            P-384, brainpoolP256r1, NIST P-256} shall be used as key exchange.
          </li>
          <li>
            AESGCM or ChaCha20 with 256 bit large keys shall be used for bulk
            encryption
          </li>
          <li>
            ECDSA with one of the strong curves {brainpoolP384r1, NIST P-384,
            brainpoolP256r1, NIST P-256} or RSA (at least 3072) shall be used.
          </li>
          <li>
            Authenticated Encryption with Associated Data (AEAD) shall be used
            as Mac.
          </li>
        </ul>

        <p>
          Examples of strong SSL/TLS configurations for now are:
        </p>
        <ul>
          <li>
            <code>ECDHE-ECDSA-AES256-GCM-SHA384, TLSv1.2, Kx=ECDH, Au=ECDSA, Enc=AESGCM(256), Mac=AEAD</code>
          </li>
          <li>
            <code>ECDHE-RSA-AES256-GCM-SHA384, TLSv1.2, Kx=ECDH, Au=RSA Enc=AESGCM(256), Mac=AEAD</code>
          </li>
          <li>
            <code>ECDHE-ECDSA-CHACHA20-POLY1305, TLSv1.2, Kx=ECDH, Au=ECDSA, Enc=ChaCha20-Poly1305, Mac=AEAD</code>
          </li>
          <li>
            <code>ECDHE-RSA-CHACHA20-POLY1305, TLSv1.2, Kx=ECDH, Au=RSA, Enc=ChaCha20-Poly1305, Mac=AEAD</code>
          </li>
          <li>
            <code>ECDHE-RSA-AES256-GCM-SHA384, TLSv1.2, Kx=ECDH, Au=RSA, Enc=AESGCM(256), Mac=AEAD</code>
          </li>
          <li>
            <code>ECDHE-ECDSA-AES256-GCM-SHA384, TLSv1.2, Kx=ECDH, Au=ECDSA, Enc=AESGCM(256), Mac=AEAD</code>
          </li>
        </ul>



      </section>

      <section>
        <h3>
          International Domain Names
        </h3>
        <p>
          [[DID-CORE]] identifier syntax does not
          allow Unicode in method name nor method specific identifiers.
        </p>
        <p>
          Implementers should be cautious when implementing support for DID URLs
          that rely on domain names or path components that contain Unicode
          characters outside of the ASCII range.
        </p>
        <p>
          See also:
        </p>
        <ul>
          <li>
            <a href="https://unicode.org/reports/tr46/">UTS-46</a>
          </li>
          <li>
            <a href="https://www.rfc-editor.org/rfc/rfc5895">IDNA 2008</a>
          </li>
        </ul>
      </section>

      <section>
        <h3>
          Optional Path Considerations
        </h3>
        <p>
          When optional paths to DID documents are used to resolve documents
          rather than bare domains, verification with signed data proves that
          the entity in control of the file indicated in the path has the
          private keys. It does not prove that the domain operator has the
          private keys.
        </p>

        <p>
          This example:
        </p>

        <pre class="nohighlight">
did:webhash:example.com:u:bob
          </pre>
        <p>
          resolves to the DID document at:
        </p>
        <pre class="nohighlight">
https://example.com/u/bob/did.json
        </pre>
        <p>
          In this scenario, it is probable that example.com has given user Bob
          control over the DID in question, and proofs of control refer to Bob
          rather than all of example.com.
        </p>
      </section>
    </section>
  </section>

  <section class="appendix informative">
    <h1>
      Reference implementations
    </h1>

      <div class="issue" data-number="1"></div>
  </section>
</body>

</html>