#didkey

Helge

First step towards [Moo-Auth-1](https://blog.mymath.rocks/2023-03-15/BIN1_Moo_Authentication_and_Authoriation) is taken:

https://mymath.rocks/.well-known/webfinger?resource=did:key:z6MkujdZ216eYz55vz8X5HetqeJXj9ddn5ZHZUsBpRX4wfnL

also check out [webfinger and did](https://socialhub.activitypub.rocks/t/webfinger-and-did/3013/4) on SocialHub for discussion of using webfinger this way.

Next step, actually check signatures, then finally have a sane way to configure ActivityPub Clients.

Helge

Hi Marius.

Supporting Ed25519 keys is just one of the aspects for me. Furthermore, I want to make explicit that the "public key" used is an Identity, that's why I use the did:key format. Second, I want [explicit examples](https://blog.mymath.rocks/2023-03-15/BIN1_Moo_Authentication_and_Authoriation#appendix-test-data)! Everybody wanting to implement this can now write unit tests with copy and paste.

Third, HTTP-Sig contains a lot of unnecessary details, it specifies how to encode dictionaries contained in HTTP headers in TWO! ways. This is not the type of specification one can "quickly" implement. It's the type of specification that I want a battle-hardened library for. So let's give HTTP-Sig at least 1 year to exit draft stage and 1 year to acquire good library support. Then we can talk again about it.

Helge

I will be using the multicodec, multibase encoded private key `z3u2Yxcowsarethebestcowsarethebestcowsarethebest` for all my future examples. In particular, this means that if you see `did:key:z6MkekwC6R9bj9ErToB7AiZJfyCSDhaZe1UxhDbCqJrhqpS5` somewhere, it's someone impersonating my example user.

Note: Using a private key like the one above is a bad idea, as the entropy of such keys is much lower than that of randomly generated ones. Using the above private key is just for my private amusement.

Helge

I have finally realized the true weakness to [did-key](https://w3c-ccg.github.io/did-method-key/). It's the formatting. If they had chosen to add a colon after every 4 characters in the string, it would be easy to copy them to paper. I mean

```
did:key:z6Mk:haXg:BZDv:otDk:L525:7fai:ztiG:iC2Q:tKLG:pbnn:EGta:2doK
```

is much easier to copy than

```
did:key:z6MkhaXgBZDvotDkL5257faiztiGiC2QtKLGpbnnEGta2doK
```

Of course, I'm somewhat acting in bad faith here. There is little reason to write down a did-key, what you really want is to write down the private key. I want to use a similar format, except replacing "did:key" with "secret". Maybe even without colons and whitespace instead.

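The did:key strings in the post above, handled strictly, as an added example that is not Helge's code and not part of the did:key specification: it decodes the multibase base58btc value, checks the Ed25519 multicodec prefix and key length, and produces the colon-grouped spelling. Accepting the grouped spelling on input is an assumption taken from the post's proposal, and the function names are hypothetical.

```python
"""Added example: strict Ed25519 did:key parsing plus 4-character grouping."""

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
ED25519_PUB = b"\xed\x01"  # multicodec ed25519-pub (0xed) as an unsigned varint


def b58decode(text: str) -> bytes:
    num = 0
    for ch in text:
        idx = B58.find(ch)
        if idx < 0:
            raise ValueError(f"invalid base58btc character {ch!r}")
        num = num * 58 + idx
    body = num.to_bytes((num.bit_length() + 7) // 8, "big")
    pad = len(text) - len(text.lstrip("1"))  # each leading '1' is a zero byte
    return b"\x00" * pad + body


def b58encode(raw: bytes) -> str:
    num = int.from_bytes(raw, "big")
    out = ""
    while num:
        num, rem = divmod(num, 58)
        out = B58[rem] + out
    pad = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * pad + out


def parse_did_key(did: str) -> bytes:
    """Return the 32-byte Ed25519 public key, or raise ValueError."""
    if not did.startswith("did:key:"):
        raise ValueError("not a did:key")
    # Assumption: the colon-grouped spelling from the post is accepted as well.
    mb = did[len("did:key:"):].replace(":", "")
    if not mb.startswith("z"):
        raise ValueError("expected multibase base58btc ('z')")
    raw = b58decode(mb[1:])
    if raw[:2] != ED25519_PUB or len(raw) != 34:
        raise ValueError("not a 32-byte Ed25519 public key")
    return raw[2:]


def group_did_key(did: str, size: int = 4) -> str:
    """Re-emit a validated did:key with a colon after every `size` characters."""
    mb = "z" + b58encode(ED25519_PUB + parse_did_key(did))
    return "did:key:" + ":".join(mb[i:i + size] for i in range(0, len(mb), size))
```

Compare identities by the key bytes `parse_did_key` returns rather than by string, since the grouped and plain spellings name the same key.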
Helge

While trying to determine the status of [did:key](https://w3c-ccg.github.io/did-method-key/), i.e. is there some way to create a [good permalink](https://github.com/w3c-ccg/did-method-key/blob/f5abee840c31e92cd1ac11737e0b62103ab99d21/index.html), I discovered that solid has its own [http signature implementation](https://github.com/bblfish/authentication-panel/blob/main/proposals/HttpSignature.md).

I somewhat feel like creating my own version of Http Signature to increase the confusion.