- DNS presents many of the attack vectors that enable active security and privacy attacks on the did:web - method and it is important that implementers address these concerns via proper configuration of DNS. For - example, without proper security of the DNS resolution via DNS over HTTPS it is possible for active attackers - to intercept the result of the DNS resolution via a man-in-the-middle attack which would point at a - malicious server with the incorrect DID Document. + Implementers of the DID method SHALL implement measures to cover the security and privacy + considerations outlined in the + + did:web method specification. + This includes possible attack vectors for man-in-the-middle attacks, DNS record spoofing, DID + document integrity, and in-transit security. Providers of did:web VDRs SHALL not correlate usage + of another subjects DID during resolution for credential verification for privacy reasons.
- Implementers should be aware of issues presented by spoofed DNS records where the record returned by a - malicious DNS Server is inauthentic and allows the record to be pointed at a malicious server which contains - a different DID Document. To prevent this type of issue, Digital Wallet Providers and Credential - Issuers SHALL use DNSSEC which is defined in [[RFC4033]], [[RFC4034]], and [[RFC4035]]. + Due to the centralized nature of this DID method, implementors SHALL make sure that the VDR + is highly available and resilient to availability attacks. If DID resolutions fails, digital wallets + are unable to verify credentials and trading partner ATP statuses.
+ Implementers of the DID method SHALL implement measures to cover common security attacks. This + includes private key hijacking on the wallet, man-in-the-middle attacks, and in-transit security while + communicating with an Ethereum node. Self-hosted or OCI-owned Ethereum nodes SHOULD be used to mitigate + some of those attack vectors. Enterprise-grade blockchain infrastructure-as-a-service platforms MAY be used. +
+Due to DID document related metadata being persisted on the Ethereum-blockchain, measures to make the + DID document generally available NEED NOT to be employed.
+- Verifiable Credential’s proof SHALL be generated and verified in conformance with Ed25519 Signature 2018 - Linked-Data Signature Suite. + Verifiable Credential’s proof SHALL be generated and verified in conformance with + Ed25519Signature2018 + or + + EcdsaSecp256k1RecoverySignature2020.