How to ensure the legitimacy of did

How to ensure the legitimacy of did?
For example, in the case of “did:web”, I think you can judge by the domain name.
However, if a malicious third party acquires a domain with a similar name, the user may spoof it without realizing it.
To prevent things like this, how should DID be defined?

Hi,

so this is a good question and a real problem, and while I have also been confronted with this philosophical problem, I don’t think there is yet a straight answer, especially if you want to keep things decentralized. Those questions are actually discussed at W3C CCG and DIF levels, so it’s a bit out of scope of what this project offers.

Now, in practical terms and for the sake of Blockcerts, we do have a check in place that the public key of the bound DID document holds the key to the issuing address, plus the DID document should provide a link to the web-hosted issuer profile. A malicious actor can still impersonate someone they claim they are not, but the issuer profile still holds important information and we highlight the domain on which it is hosted.

If that identity binding is even more important, using did:web seems to be a good (centralized) approach for now, and those DIDs should verify as we rely on the DID universal resolver for verification (we encourage consumers to host their own instance of this universal resolver for reliability and control - you can specify a custom verifier to the verification library (cert-verifier-js)).
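The two bindings the answer describes (DID document key matches the issuing key, DID document links to a web-hosted issuer profile whose domain is surfaced for review), together with the did:web-to-URL mapping, as an added Python example that is not code from Blockcerts or cert-verifier-js. The `IssuerProfile` service type, the comparison against `publicKeyMultibase`, and the sample DID document are constructed assumptions for illustration.

```python
import json
from urllib.parse import unquote, urlparse

def did_web_to_url(did: str) -> str:
    """Map a did:web DID to the HTTPS URL of its DID document (did:web method rules)."""
    if not did.startswith("did:web:"):
        raise ValueError("not a did:web identifier")
    parts = did[len("did:web:"):].split(":")
    host = unquote(parts[0])            # a percent-encoded port ("%3A8443") is decoded here
    path = "/".join(parts[1:])          # further ":" segments become URL path segments
    return f"https://{host}/{path}/did.json" if path else f"https://{host}/.well-known/did.json"

def check_issuer_binding(did: str, did_doc: dict, issuing_key: str) -> dict:
    """Report whether the DID document holds the issuing key and where its issuer profile lives.

    issuing_key is the public key expected to control the issuing address; it is compared
    against publicKeyMultibase values (a simplifying assumption for this example)."""
    did_host = urlparse(did_web_to_url(did)).hostname
    key_bound = any(vm.get("publicKeyMultibase") == issuing_key
                    for vm in did_doc.get("verificationMethod", []))
    profile_url = next((s["serviceEndpoint"] for s in did_doc.get("service", [])
                        if s.get("type") == "IssuerProfile"), None)  # service type assumed
    profile_host = urlparse(profile_url).hostname if profile_url else None
    return {
        "did_host": did_host,
        "key_bound": key_bound,
        "profile_host": profile_host,           # the domain a verifier UI should highlight
        "profile_on_did_host": profile_host is not None and profile_host == did_host,
    }

# Constructed sample DID document for did:web:example.com (not a real issuer).
SAMPLE_DID = "did:web:example.com"
SAMPLE_KEY = "z6MkCONSTRUCTEDKEYxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
SAMPLE_DOC = {
    "id": SAMPLE_DID,
    "verificationMethod": [{"id": SAMPLE_DID + "#key-1", "type": "Ed25519VerificationKey2020",
                            "controller": SAMPLE_DID, "publicKeyMultibase": SAMPLE_KEY}],
    # Profile hosted on a look-alike domain ("exarnple", r+n), the case the question raises.
    "service": [{"id": SAMPLE_DID + "#profile", "type": "IssuerProfile",
                 "serviceEndpoint": "https://exarnple.com/issuer-profile.json"}],
}

if __name__ == "__main__":
    print(json.dumps(check_issuer_binding(SAMPLE_DID, SAMPLE_DOC, SAMPLE_KEY), indent=2))
```

The key check passes for the sample, but `profile_on_did_host` is false because the profile is hosted on a look-alike domain, which is exactly the detail a verifier should surface to the user.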

Thank you for answering.
I realized that this problem is not simple and that using did:web is the best way to go.