Contribution and collaborations by many in the W3C CCG, W3C VCCG, and DIF Auth WG Authored by Kyle Den Hartog
this is nearly an implementation of TLS 1.3 using public keys associated with a DID rooted on a blockchain rather than X.509 Certificates. It allows two DID owners to be able to mutually authenticate with a high degree of certainty (as long as the private key haven't been cracked, stolen, intercepted, etc) and can establish an ephemeral, secure, communication channel. The main concerns with TLS at this point is that established libraries such as OpenSSL, GnuTLS, and wolfSSL need slight modifications in order to run DID-TLS. In the intermediary, we could utilize this protocol to get Authentication through DIDs working, and then when the modifications in Open-TLS are accepted into the libraries, DID-Authentication could migrate to these libraries.
- Client DID ( The DID the client wishes to be associated with)
- Client generates a nonce 315mod 17 = 6 (nonce = 6, g = 3, p = 17, 15 is secret key)
{ plaintext [Client DID, g, p, nonce], signature signed by private key associated with DID document public key }
- Server looks up DID Doc of Client DID
- Server verifies signature
- If valid server generates request A else server generates request B
-
Request A (valid): Server DID ( The DID the server wishes to be associated with ) Server generates a nonce 313mod 17 = 12 (nonce = 12, g = 3, p = 17, 13 = secret key)
-
Request B (invalid): A standard 401 HTTP response
-
{ plaintext [Server DID, g, p, nonce], signature signed by private key associated with DID document public key }
- If client validates the message, the shared private key is now used as a symmetrical encryption key
- Client would produce shared private key (symmetrical encryption key) by calculating: 1215mod17 = 10
- Server would produce shared private key (symmetrical encryption key) by calculating: 613mod17 = 10
- This could use verifiable claims, HTTP-signatures, JWTs, etc to maintain continuous mutual Authentication