Comments (6)
I am of the opinion that we should be fothcoming about the limits to any "privacy" we offer. Any time a request is made, the details of that request may be recorded. Logged data will generally include the time of the request and the requesting IP address. This is inherent in HTTP, and in TCP/IP generally. Domain name resolution requests in advance of the HTTP request typically leak similar information.
Caching can relocate the privacy issue to a resolver (or, for that matter, a CDN or even a proxy provider in the context of DID:WEB). There is, I think, an open question as to whether relocating the privacy concerns to a centralized resolver improves or degrades the privacy scenario.
We can reference these issues in the context of DID:WEB, but resolution of them must be undertaken more globally to have any practical effect. Even if we were able to make HTTP requests for DID:WEB documents private and secure, those requests are likely to be a very small portion of the communication in any given transaction that would need a similar level of privacy and security. In a hypothetical context of information displayed on a web page, every image, every external script loaded, and the markup of the page itself each introduce a similar set of privacy concerns.
from did-method-web.
Could RFC 7234 HTTP/1.1 Caching be useful here?
did:web
hosts could set appropriate HTTP cache headers, and resolvers could follow these.
from did-method-web.
@clehner -- +1, I think one of the nice things about using HTTP for this method is that we get things like caching for free (meaning, just use the HTTP mechanism from RFC 7234).
I'm not sure if we need to specifically call that out in the spec, but we could.
from did-method-web.
I don't think we need to call it out either, but it would not hurt to point out that the typical HTTP mechanisms are applicable. I think language to that effect can be quite general for an audience of people implementing the spec.
from did-method-web.
What about in the security considerations sections calling out that if a cache is used (agreed with reusing RFC 7234 as well, that's the direction we went anyways) to calling out that the longer the cache time the more likely for a relying party to not know about an update occurring which could present issues around validity of documents (such as VCs) that have been issued with keys from this document could be incorrect while the cache is still valid.
from did-method-web.
The security and tracking issues associated with DID:WEB are essentially the security and tracking issues associated with any modern website. DNS lookups may be more or less secure depending on which service resolves the domain name and whether that resolution runs over https. Reverse proxy services (aka CDN) like Cloudflare, AWS Cloudfront, and Fastly cache content close to users for an increasing portion of active websites, and those caches could become stale. HTTP server logs generally record paths requested, IP addresses, and user agent strings with timestamps, and this very probably occurs at every point after the initial SSL termination. Similarly, DNS logs may include IP address, name resolved, and a timestamp. Browsers themselves store request history. All of this logged data can be correlated with advanced identity tracking.
We could look at the security section as an opportunity to lay out the basics to give people a better overall understanding of how these systems work, where the vulnerabilities are typically found, and generally how to mitigate them.
I think, though, that it is important to stress that all of this is inherent in the way the internet operates today, and is generally applicable to the use of browsers and https.
from did-method-web.
Related Issues (20)
- Deny off-domain redirects HOT 1
- replace owner with controller? HOT 1
- Register Well-Known URI HOT 1
- Is historical query out of scope of this spec? Is it standardized anywhere else? HOT 7
- RFC: Proposal to standardize email to DID translation HOT 4
- by creating DID in this method we can verify from third party ?? HOT 11
- Did web method support Ed25519?? HOT 2
- Encoding of tilde (`~`) HOT 1
- Support "file" not just "directory" paths HOT 3
- User component of a URL HOT 6
- Are did:webs that redirect another domain's did:web ok? HOT 1
- UTS-46 and WHATWG
- Require email for editors
- QUESTION - Resolving other objects than did.json documents HOT 10
- Can we mark this as final? HOT 3
- Resolver should check resolved document (ID) matches the expected one
- Clarify integrity protection / use of hashlinks HOT 1
- Is there any usecase or relevant usage scenarios, methods, or examples about did:web method? HOT 1
- Subpaths under /.well-known
- Key Rotation HOT 6
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from did-method-web.