Survey of existing DID products

Reference documents

The three DID specifications:

https://w3c.github.io/did-core/

https://w3c-ccg.github.io/did-resolution/

https://www.w3.org/TR/vc-data-model/

Baidu DID implementation

http://did.baidu.com/

WeBank WeIdentity

https://weidentity.readthedocs.io/zh_CN/latest/docs/weidentity-spec.html

DID-related concepts

DID concept and specification

Identity-related data is anchored on a blockchain, and the authentication process does not depend on the application that originally provided the identity.

  • How can an identity be verified without depending on an identity provider?
  • The DID is generated by the user. When the user generates the DID they also generate a key pair, and the binding between the DID and the public key is written to the distributed database (the ledger). Anyone can later look that binding up and check a signature against it, which is what makes the identity decentralized.

Verifiable Claim
A descriptive statement in which one DID endorses certain attributes of another DID, with the endorsing DID's digital signature attached to prove that those attributes are genuine; it can be thought of as a kind of digital certificate.

  • Distributed web of trust
    The Holder owns a DID; an Issuer issues a VC about one of the Holder's DIDs; a Verifier can verify the Holder's DID itself as well as the VC the Issuer gave the Holder.
    (For example, a website may decide that verifying a user's DID is enough to log in, or that it needs to verify the user's DID and, in addition, a claim about that DID, such as that the DID holder is over 18.)
Example DID document (Baidu's did:ccp method):

{
  "@context": "https://w3id.org/did/v1",
  "id": "did:ccp:7f8ca8982f6cc6e8ea087bd9457ab8024bd2",
  "version": 1,
  "created": "2016-02-08T16:02:20Z",
  "updated": "2016-02-08T16:02:20Z",
  "publicKey": [
    {
      "id": "did:ccp:7f8ca8982f6cc6e8ea087bd9457ab8024bd2#keys-1",
      "type": "Secp256k1",
      "publicKeyHex": "02b97c30de767f084ce3080168ee293053ba33b235d7116a3263d29f1450936b71"
    },
    {
      "id": "did:ccp:7f8ca8982f6cc6e8ea087bd9457ab8024bd2#keys-2",
      "type": "Secp256k1",
      "publicKeyHex": "e3080168ee293053ba33b235d7116a3263d29f1450936b71"
    }
  ],
  "authentication": ["did:ccp:7f8ca8982f6cc6e8ea087bd9457ab8024bd2#keys-1"],
  "recovery": ["did:ccp:7f8ca8982f6cc6e8ea087bd9457ab8024bd2#keys-2"],
  "service": [
    {
      "id": "did:ccp:7f8ca8982f6cc6e8ea087bd9457ab8024bd2#resolver",
      "type": "DIDResolve",
      "serviceEndpoint": "https://did.baidu.com"
    }
  ],
  "proof": {
    "type": "Secp256k1",
    "creator": "did:ccp:7f8ca8982f6cc6e8ea087bd9457ab8024bd2#keys-1",
    "signatureValue": "QNB13Y7Q9...1tzjn4w=="
  }
}

serviceEndpoint identifies an endpoint that can be used with this DID; for example, the serviceEndpoint of the entry whose type is DIDResolve holds the address of the DID resolve service. Two things a resolver or verifier should check on such a document: the authentication and recovery arrays reference keys by id, so every entry must match an id that actually appears in publicKey (keys-1, keys-2), otherwise authentication cannot work at all; and a compressed secp256k1 public key is 33 bytes (66 hex characters), so a shorter publicKeyHex cannot be loaded as a key.

DID resolve and DID dereference

resolve: obtain the DID document from a DID; dereference: obtain the resource named by a DID URL (a DID plus optional path, query and fragment), e.g. a single key or service entry out of the resolved document.
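Resolve versus dereference in code, as an added example that is not Baidu's resolver: a DID URL is parsed into DID, path, query and fragment following the DID Core grammar, the DID is resolved from an in-memory store (standing in for the resolver at did.baidu.com), and a DID URL is dereferenced to the verification method or service it names. The sample document is constructed here in the shape of the did:ccp example above; the second key's value is a placeholder, not a real curve point. The dangling-reference check is the one a resolver should apply before handing the document to a verifier.

```javascript
// Added example: DID URL parsing, resolve (DID -> document) and dereference
// (DID URL -> resource). Store and document are constructed for this example.
const DID_URL_RE = /^(did:([a-z0-9]+):([A-Za-z0-9._\-:%]+))(\/[^?#]*)?(\?[^#]*)?(#.*)?$/;

function parseDidUrl(didUrl) {
  const m = DID_URL_RE.exec(didUrl);
  if (!m) throw new Error('not a DID URL: ' + didUrl);
  return { did: m[1], method: m[2], methodSpecificId: m[3],
           path: m[4] || '', query: m[5] || '', fragment: m[6] ? m[6].slice(1) : '' };
}

const SAMPLE_DID = 'did:ccp:7f8ca8982f6cc6e8ea087bd9457ab8024bd2';
const store = new Map([[SAMPLE_DID, {
  '@context': 'https://w3id.org/did/v1',
  id: SAMPLE_DID,
  publicKey: [
    { id: `${SAMPLE_DID}#keys-1`, type: 'Secp256k1',
      publicKeyHex: '02b97c30de767f084ce3080168ee293053ba33b235d7116a3263d29f1450936b71' },
    { id: `${SAMPLE_DID}#keys-2`, type: 'Secp256k1',
      publicKeyHex: '03' + 'ab'.repeat(32) }, // placeholder of the right length, not a real point
  ],
  authentication: [`${SAMPLE_DID}#keys-1`],
  recovery: [`${SAMPLE_DID}#keys-2`],
  service: [{ id: `${SAMPLE_DID}#resolver`, type: 'DIDResolve', serviceEndpoint: 'https://did.baidu.com' }],
}]]);

// resolve: DID -> DID document plus resolution metadata (shape after DID Resolution)
function resolve(did) {
  const doc = store.get(did);
  return doc ? { didDocument: doc, didResolutionMetadata: {} }
             : { didDocument: null, didResolutionMetadata: { error: 'notFound' } };
}

// Every relationship entry must point at a key that exists in the document.
function danglingReferences(doc) {
  const known = new Set((doc.publicKey || []).map((k) => k.id));
  return [...(doc.authentication || []), ...(doc.recovery || [])].filter((r) => !known.has(r));
}

// dereference: DID URL -> the resource it names. "?service=<id>" selects a service
// (DID Core's service parameter, simplified: relativeRef is not handled here).
function dereference(didUrl) {
  const { did, query, fragment } = parseDidUrl(didUrl);
  const { didDocument } = resolve(did);
  const notFound = { contentStream: null, dereferencingMetadata: { error: 'notFound' } };
  if (!didDocument) return notFound;
  const params = new URLSearchParams(query);
  if (params.has('service')) {
    const svc = (didDocument.service || []).find((s) => s.id.endsWith('#' + params.get('service')));
    return svc ? { contentStream: svc.serviceEndpoint, dereferencingMetadata: {} } : notFound;
  }
  if (!fragment) return { contentStream: didDocument, dereferencingMetadata: {} };
  const id = `${did}#${fragment}`;
  const resource = [...(didDocument.publicKey || []), ...(didDocument.service || [])].find((r) => r.id === id);
  return resource ? { contentStream: resource, dereferencingMetadata: {} } : notFound;
}
```

Dereferencing a bare DID returns the whole document (the resolve case); a fragment selects one entry; a service parameter returns the endpoint URL. A document whose authentication entry names a key id that is not in publicKey shows up in danglingReferences and should be treated as unusable rather than silently authenticating nothing.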

DID Resolver

VC

Basic concepts

A Verifiable Claim (Claim for short) is a descriptive statement that an issuer signs with its own DID to endorse certain attributes of a user's DID; the issuer's digital signature is attached, and the result can be regarded as a digital certificate.

When the issuer's DID endorses another DID, we call the resulting Claim a Proof Claim;
when the issuer is the user itself, i.e. a DID issues a Claim about itself, we call it a Profile Claim.

The full VC lifecycle is: the user applies, the issuer signs and issues, revocation, a third party requests the claim, verification.

For a revocable claim, the stored claim must carry a revocation field naming the endpoint where the claim's revocation status can be queried; when verifying the claim, that endpoint must be consulted to check whether the claim has been revoked. If claim revocation is to be supported, the DID account owner (the issuer) must itself maintain an endpoint that serves the revocation list.

  • How is access to the revocation list made trustworthy? A certificate? Could the revocation list itself be a DID Document? (Whatever the transport, the verifier needs the list authenticated by the issuer's key; otherwise whoever controls the endpoint can un-revoke claims or suppress revocations.)

  • Where are VCs stored? Baidu keeps them in an Identity Hub: the user holds a VC id and fetches the VC from the Identity Hub by that id.

  • Does the system only ever have some protocol service issue VCs, with no case where the user applies for a VC?

Standard VC

{
  "@context": [
    "https://www.w3.org/2018/credentials/v1",
    "https://www.w3.org/2018/credentials/examples/v1"
  ],
  "id": "http://example.edu/credentials/3732",
  "type": ["VerifiableCredential", "NameAndAddress"],
  "issuer": "https://example.edu/issuers/14",
  "holder": {
    "type": "LawEnforcement",
    "id": "did:example:ebfeb1276e12ec21f712ebc6f1c"
  },
  "issuanceDate": "2010-01-01T19:23:24Z",
  "credentialSubject": {
    "id": "did:example:ebfeb1f712ebc6f1c276e12ec21",
    "name": "Mr John Doe",
    "address": "10 Some Street, Anytown, ThisLocal, Country X"
  },
  "proof": {
    "type": "RsaSignature2018",
    "created": "2018-06-17T10:03:48Z",
    "proofPurpose": "assertionMethod",
    "verificationMethod": "https://example.edu/issuers/14/keys/234",
    "jws": "pY9...Cky6Ed="
  }
}

issuanceDate, expirationDate and proof.created must be valid RFC 3339 date-times; a verifier should parse them strictly and reject a credential whose timestamps do not parse rather than guess at them.

Standard VP

{
  "@context": [
    "https://www.w3.org/2018/credentials/v1",
    "https://www.w3.org/2018/credentials/examples/v1"
  ],
  "id": "did:example:76e12ec21ebhyu1f712ebc6f1z2",
  "type": ["VerifiablePresentation"],
  "verifiableCredential": [
    {
      "@context": [
        "https://www.w3.org/2018/credentials/v1",
        "https://www.w3.org/2018/credentials/examples/v1"
      ],
      "id": "http://example.gov/credentials/3732",
      "type": ["VerifiableCredential", "PrescriptionCredential"],
      "issuer": "https://example.edu",
      "issuanceDate": "2010-01-01T19:23:24Z",
      "credentialSubject": {
        "id": "did:example:ebfeb1f712ebc6f1c276e12ec21",
        "prescription": {....}
      },
      "revocation": {
        "id": "http://example.gov/revocations/738",
        "type": "SimpleRevocationList2017"
      },
      "proof": {....}
    },
    {
      "@context": [
        "https://www.w3.org/2018/credentials/v1",
        "https://www.w3.org/2018/credentials/examples/v1"
      ],
      "id": "https://example.com/VC/123456789",
      "type": ["VerifiableCredential", "PrescriptionCredential"],
      "issuer": "did:example:ebfeb1f712ebc6f1c276e12ec21",
      "issuanceDate": "2010-01-03T19:23:24Z",
      "credentialSubject": {
        "id": "did:example:76e12ec21ebhyu1f712ebc6f1z2",
        "prescription": {....}
      },
      "proof": {
        "type": "RsaSignature2018",
        "created": "2018-06-17T10:03:48Z",
        "proofPurpose": "assertionMethod",
        "jws": "pYw8XNi1..Cky6Ed=",
        "verificationMethod": "did:example:ebfeb1f712ebc6f1c276e12ec21/keys/234"
      }
    }
  ],
  "proof": [{
    "type": "RsaSignature2018",
    "created": "2018-06-18T21:19:10Z",
    "proofPurpose": "authentication",
    "verificationMethod": "did:example:76e12ec21ebhyu1f712ebc6f1z2/keys/2",
    "challenge": "c0ae1c8e-c7e7-469f-b252-86e6a0e7387e",
    "jws": "BavEll0/I1..W3JT24="
  }]
}

The presentation's own proof has proofPurpose "authentication" and carries the verifier's challenge, so the holder proves control of the DID named in credentialSubject at presentation time; the embedded credentials keep their issuers' "assertionMethod" proofs untouched.

Baidu enterprise-verification VC implementation

{
  "@context": [
    "https://www.w3.org/2018/credentials/v1"
  ],
  "id": "9a2abb48-20d6-4308-bf52-61c868a8b090",
  "type": [
    "ProofClaim"
  ],
  "issuer": "did:ccp:4GQRdctGMEwueArfykURe8rkNyRw",
  "issuanceDate": "2019-09-02T05:34:46.586Z",
  "expirationDate": "2066-01-02T15:04:05.999Z",
  "credentialSubject": {
    "id": "did:ccp:raMWmi1LEpCeoxzb7atmSNbkozc",
    "shortDescription": "Baidu Cloud enterprise verification",
    "longDescription": "This DID has passed Baidu Cloud enterprise verification.",
    "type": "EnterpriseAuthentication"
  },
  "revocation": {
    "id": "https://did.baidu.com/v1/claim/revocations",
    "type": "SimpleRevocationListV1"
  },
  "proof": [
    {
      "creator": "did:ccp:4GQRdctGMEwueArfykURe8rkNyRw/1",
      "type": "Secp256k1",
      "signatureValue": "3044022051757c2de7032a0c887c3fcef02ca3812fede7ca748254771b9513d8e2bb"
    }
  ]
}

WeBank DID

On-chain format

{
  "@context": "https://weidentity.webank.com/vc/v1",
  "id": "dsfewr23sdcsdfeqeddadfd",
  "type": [
    "Credential",
    "cpt100"
  ],
  "issuer": "did:weid:1:2323e3e3dweweewew2",
  "issued": "2010-01-01T21:19:10Z",
  "claim": {
    "primeNumberIdx": "1234",
    "other properties key": "other properties value",
    "...": "..."
  },
  "revocation": {
    "id": "did:weid:1:2323e3e3dweweewew2",
    "type": "SimpleRevocationList2017"
  },
  "signature": [
    {
      "type": "LinkedDataSignature2015",
      "created": "2016-06-18T21:19:10Z",
      "creator": "did:weid:1:2323e3e3dweweewew2",
      "domain": "www.diriving_card.com",
      "nonce": "598c63d6",
      "signatureValue": "xxx"
    }
  ]
}

Claim format

1 Driver's license VC

CPT (claim protocol type) definition published by the issuer:

{
  "Claim": {
    "@context": "https://weidentity.webank.com/cpt100/v1",
    "version": "v1",
    "id": "CPT100",
    "publisher": "did:weid:1:2323e3e3dweweewew2",
    "signature": "xxx",
    "claim": "",
    "address": "Chongqing",
    "class": "C1",
    "created": "2010-06-20T21:19:10Z",
    "updated": "2016-06-20T21:19:10Z",
    "description": "Mainland China driver's license"
  }
}

Claim instance for one holder:

{
  "Claim": {
    "@context": "https://weidentity.webank.com/cpt100/v1",
    "version": "v1",
    "id": "",
    "weid": "did:weid:1:0xdfsdf....",
    "name": "Zhang Xiaoming",
    "sex": "male",
    "nationality": "China",
    "address": "Chongqing",
    "class": "C1",
    "issueDate": "2010-06-20T21:19:10Z",
    "validDate": "2016-06-20T21:19:10Z",
    "expireDate": "2026-06-20T21:19:10Z"
  }
}

2 Single file-transfer VC

Applicable scenario: after the user authorizes it, the user's data is handed from one institution to another. The credential's ID identifies this particular file transfer. For this type of Claim the user is usually the issuer.

Weelink DID VC

JWT header:

{
  "alg": "Ed25519",
  "typ": "JWT"
}

JWT payload:

{
  "iss": "userDid",
  "iat": "1548713422",
  "nbf": "1548713422",
  "exp": "1548813422",
  "requestedClaims": [
    {
      "type": "profile",
      "fullName": "Alice Bean",
      "mobilePhone": "123456789",
      "mailingAddress": {
        "addressLine1": "456 123th AVE",
        "addressLine2": "Apt 106",
        "city": "Redmond",
        "state": "WA",
        "postalCode": "98052",
        "country": "USA"
      }
    },
    {
      "type": "agreement",
      "uri": "https://document-1.io",
      "hash": {
        "method": "sha256",
        "digest": "The hash result of the document's content"
      },
      "agreed": true,
      "sig": "user's signature against the doc hash plus AGREED."
    },
    {
      "type": "agreement",
      "uri": "ipfs://document-2",
      "hash": {
        "method": "sha3",
        "digest": "The hash result of the document's content"
      },
      "agreed": false
    }
  ]
}

VC structure

  • Three kinds of verifiable claims:

    • profile: can contain multiple universally known, predefined claim items, such as firstName and birthday.
      • type: fixed to "profile".
      • meta: an optional field.
      • items: a list of predefined profile items.
    • agreement: a peer may ask the user to sign agreements.
      • type: fixed to "agreement".
      • meta: optional field.
      • uri: points to the content of the agreement.
      • hash: an object whose method subfield names the algorithm used (sha3, sha256, etc.) and whose digest subfield is the hash result.
      • agreed: a boolean value added by the Wallet indicating whether the user accepts the agreement.
      • sig: the user's DSA signature over the hash (in the sample above, over the document hash plus "AGREED"); present only when agreed is true.
    • proofOfHolding: a peer may ask the user to prove that they hold either a certain amount of tokens or a certificate issued by a third party.
  • meta is an optional field which may contain, but is not limited to, the following field:

    • description: used to describe the claim; the Wallet can show this field to users.