Skip to content

Commit

Permalink
Merge pull request #17 from trustoverip/ask/security-considerations
Browse files Browse the repository at this point in the history 
adding section on security considerations.
  • Loading branch information
@a-fox
a-fox authored Nov 30, 2023
2 parents a995c57 + f5269d0 commit aeb8f00
Showing 1 changed file with 15 additions and 1 deletion.
16 changes: 15 additions & 1 deletion spec.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -285,7 +285,20 @@ The following describes a sample profile document.
}
}
```
### Security Considerations

This section describe a non-normative, non-exhaustive list of security considerations.

#### Cryptography Suites and Libraries
_This section is non-normative._

Some aspects of the profile model described in this specification can be protected through the use of cryptography. It is important for implementers to understand the cryptography suites and libraries used to create and process credentials and presentations. Implementing and auditing cryptography systems generally requires substantial experience. Effective red teaming can also help remove bias from security reviews.

#### Unsigned Profile Documents

_This section is non-normative._

This specification allows profiles to be produced that do not contain signatures or proofs of any kind. These types of profiles are often useful for cases where users may not have the ability to take advantage of the cryptographic proof mechanisms. Endpoint systems should be aware that these types of profiles are not verifiable because the authorship either is not known or cannot be trusted.

### Future Work

Expand All @@ -295,7 +308,7 @@ This pertains to defining the capabilities or services associated with the
profile data. By outlining the functions embodied by the profile, this section
provides clarity on the profile's purpose and its role within the DID ecosystem.

### References
### References and Acknowledgements

- Initial Proposal: https://github.com/trustoverip/tswg-trust-registry-tf/discussions/96
- DID Linked Resources :
Expand All @@ -304,3 +317,4 @@ provides clarity on the profile's purpose and its role within the DID ecosystem.
- DID Core: https://www.w3.org/TR/did-core/ - Referenced mainly the DID Core spec.
- DIDComm Messaging: https://identity.foundation/didcomm-messaging/spec/ - used
for understanding how to update the service endpoint of the DID Document.
- https://www.w3.org/TR/vc-data-model/ : For the securtiy considerations and guidance on the profile document structure.

0 comments on commit aeb8f00

Please sign in to comment.