Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Indy DID Method spec (NYM transaction version 2) is not supported by ACA-Py #3224

Open
JoLuPuma opened this issue Sep 10, 2024 · 3 comments
Open
Assignees

Comments

@JoLuPuma
Copy link

First, it’s know that for the self-certifying Did’s, the namespace identifier or DID identifier is derived from the public key (Verkey). So for a same SEED value the DID identifier is different if we use the did:sov or did:indy approach (the Verkey remains the same in both cases). https://hyperledger.github.io/indy-did-method/#nym-transaction-version

For example , for a given SEED I generated this:
did:indy approach
DID: NLe9bFbaNs1Eareg4eCXky and Verkey: 2EDa4DdtBVSVthbjP7S4p6u8tPZpasV9ywc9xLn1SkpA

did:sov approach
DID: 3FfZB8jq8kch5qddakysA2 and Verkey: 2EDa4DdtBVSVthbjP7S4p6u8tPZpasV9ywc9xLn1SkpA

My use case:

  1. I created a did:indy from a SEED, so I got a DID identifier and a Verkey
    DID: NLe9bFbaNs1Eareg4eCXky and Verkey: 2EDa4DdtBVSVthbjP7S4p6u8tPZpasV9ywc9xLn1SkpA
  2. I registered the DID identifier and Verkey in the Ledger
  3. I started an ACA-Py agent using the initial SEED
  4. In the connection process with the Ledger (and other stuff that ACA-Py does while provisioning), ACA-Py generates a DID identifier and a Verkey from the SEED. But the DID identifier is generated using the did:sov approach. So, this DID identifier (did:sov) is different for the DID identifier (did:indy) published in the Ledger.
  5. And then I got this error : indy_vdr.error.VdrError: Request failed: client request invalid: could not authenticate, verkey for 3FfZB8jq8kch5qddakysA2 cannot be found
  6. And is logical because there is no 3FfZB8jq8kch5qddakysA2 published in the ledger

Is it planned to replace did:sov by did:indy in ACA-Py or support both as described here?

@PatStLouis
Copy link
Contributor

Something I'd like to clarify

  • 3FfZB8jq8kch5qddakysA2 is not a DID
  • did:sov:3FfZB8jq8kch5qddakysA2 is a DID

The same way that:

  • www.linkedin.com is not a DID
  • did:web:www.linkedin.com is a DID

There's the concept of qualified/unqualified DID, but I strongly disagree with this as the did core specification has a strict representation that a DID MUST be a URI:
https://www.w3.org/TR/did-core/#did-syntax

Unqualified DIDs are NOT DIDs, they are just an identifier. This term is misleading.

Now with this out of the way, what is the difference between did:sov and did:indy when resolving?

DID sov is just this, the did prefix did:sov: and the did identifier 3FfZB8jq8kch5qddakysA2.
This method requires the resolver to know in advance against which network to resolve it. This is not covered by the sovrin did method. The did doesn't contain sufficient information in itself to be resolved.

DID indy adds the concept of namespaces in the did prefix:
did:indy:<network>:<identifier>

This sort of addresses the issue, but the problem still remains that the resolver will need to have a list (or directory structure) of known Indy networks. Both of these DID methods require a resolver which has existing knowledge of which networks it knows and their labels.

I started an ACA-Py agent using the initial SEED

There's currently no way to provision aca-py with a seed resulting in something else than a sov provisioned identifier. However, a resolver will still be able to resolve this DID registered on the network using a did:indy: syntax because they are essentially the same thing.

What the did indy method adds is a specified method to refer to other published objects such as anoncreds object through paths.

@JoLuPuma my first question would be, what do you look to achieve by using the did:indy: method to refer to your dids? For operating the agent, it won't change much unless I'm missing something.

For the backwards compatibility part, yes I think this is something that should be included in aca-py. Is this something your team can look into?

@JoLuPuma
Copy link
Author

@PatStLouis
I think I didn't explain myself well. I was not talking about resolving a did:indy but the generation of the IDENTIFIER using the spec Indy Did Method . AFAIK for security reasons the spec Indy DID Method (https://hyperledger.github.io/indy-did-method/#nym-transaction-version) has changed or has added a new way to generate the IDENTIFIER (what it is called the did:indy approach):

  • NYM Transaction Version 1 (did sov approach or the old Indy SDK convention) did = Base58(Truncate_msb(16(publicKey)))
  • NYM Transaction Version 2 (did:indy approach) did = Base58(Truncate_msb(16(SHA256(publicKey))))
    The problem is that ACA-Py does not respect or does not support the NYM Transaction Version 2 of the spec indy DID Method.
    In my case I use the NYM Transaction Version 2 for generating the IDENTIFIER and Verkey, then I register them in the ledger. So when I start/provision my agent ACA-PY, by default, it generates un IDENTIFIER and Verkey from the SEED, but as it uses the did sov approche (NYM Transaction Version 1 ) the IDENTIFIER generated by ACA-Py is very different from the one I published in the ledger. Then the identifiers dont match and ACA-py does not start.
    Error from the original post: indy_vdr.error.VdrError: Request failed: client request invalid: could not authenticate, verkey for 3FfZB8jq8kch5qddakysA2 cannot be found

@JoLuPuma JoLuPuma changed the title Did:indy is not supported Indy DID Method spec (NYM transaction version 2) is not supported by ACA-Py Sep 10, 2024
@PatStLouis
Copy link
Contributor

This makes sense yes, so theres 2 things I could see happening:

  • Define a new did registration method for indy:
    • We are currently in the process of restructuring the did registration methods, if you would like to tackle this it would be a welcome addition. It should be as simple as copying the current sov method and use the new identifier algorithm. However this still won't allow you to provision the startup seed using this new method unless further changes are made.
  • Implement the backwards compatibility function as you described into aca-py's codebase whenever it interacts with the ledger.

@jamshale jamshale self-assigned this Sep 19, 2024
@esune esune moved this to Assigned in CDT Enterprise Apps Sep 24, 2024
@jamshale jamshale moved this from Assigned to In Progress in CDT Enterprise Apps Sep 25, 2024
@jamshale jamshale moved this from In Progress to In Review in CDT Enterprise Apps Sep 26, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants