DID
Request for Comments: Vaultys Decentralized Identity Keyring Protocolβ
1. Introductionβ
This document specifies the Vaultys Decentralized Identity Keyring Protocol, a comprehensive system for managing cryptographic identities across different devices and contexts. The protocol enables secure key management, authentication, encryption, and identity portability while supporting both software-based and hardware-based key storage.
1.1. Terminologyβ
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119.
1.2. Abbreviationsβ
- DID: Decentralized Identifier
- PRF: Pseudo-Random Function
- HMAC: Hash-based Message Authentication Code
- DHIES: Diffie-Hellman Integrated Encryption Scheme
- COSE: CBOR Object Signing and Encryption
- FIDO2: Fast Identity Online 2.0 (WebAuthn)
2. Protocol Overviewβ
The Vaultys Decentralized Identity Keyring Protocol provides a comprehensive framework for managing cryptographic identities with the following features:
- Multiple identity types (machine, person, organization, FIDO2-based)
- Support for both software and hardware-based key storage
- Standardized key derivation and management
- Secure messaging through authenticated encryption
- Identity verification through challenge-response mechanisms
- Key rotation and revocation mechanisms
- Interoperability with W3C DID standards
3. Identity Typesβ
3.1. Enumerated Identity Typesβ
The protocol defines the following identity types, encoded as the first byte of the identity:
| Value | Type | Description |
|---|---|---|
| 0 | MACHINE | Identity for autonomous systems or devices |
| 1 | PERSON | Identity for individual human users |
| 2 | ORGANIZATION | Identity for organizations or groups |
| 3 | FIDO2 | Identity bound to a FIDO2 authenticator |
| 4 | FIDO2PRF | Identity using FIDO2 PRF extension |
3.2. Identity Structureβ
Each identity consists of:
- A type indicator (1 byte)
- Identity-specific cryptographic material:
- For software-based identities: a key manager with signing and encryption keys
- For hardware-based identities: FIDO2 credential information and encryption keys
4. Key Manager Specificationβ
4.1. KeyManager Overviewβ
The KeyManager is the core component responsible for cryptographic operations and key management for software-based identities. It maintains:
- A proof key for identity verification
- A signing key pair for authentication and signatures
- An encryption key pair for secure messaging
- Optional entropy for key derivation
4.2. Key Derivationβ
Software-based identities derive keys from entropy using a deterministic path:
- Generate a 512-bit seed using SHA-512(entropy)
- Derive the proof key using BIP32 path
m/1'/0'/{swapIndex}' - Derive the signing key using BIP32 path
m/1'/0'/{swapIndex}'/0' - Derive the encryption key using SHA-256 of the second half of the seed
4.3. Identity Serializationβ
The identity is serialized using MessagePack encoding with the following structure:
{
"v": version, // Version (0 or 1)
"p": proof, // Proof key hash
"x": signingKey, // Public signing key
"e": encryptionKey // Public encryption key
}
This serialized structure is prefixed with the identity type byte to form the complete identity.
5. FIDO2-Based Identitiesβ
5.1. FIDO2 Identity Creationβ
FIDO2-based identities are created by:
- Generating a new WebAuthn credential
- Extracting the COSE public key
- Generating or deriving an encryption key
- For FIDO2PRF: Using the PRF extension to derive keys
5.2. FIDO2 Identity Structureβ
FIDO2 identities serialize the following information:
{
"v": version, // Version (0 or 1)
"c": coseKey, // COSE-encoded public key
"e": encryptionKey // Public encryption key
}
For private key operations, additional fields are included:
{
"f": fidId, // WebAuthn credential ID
"t": transports // Bitmask of supported transports
}
5.3. FIDO2 PRF Extensionβ
For FIDO2PRF identities, the WebAuthn PRF extension is used to derive key material. The salt "VaultysID salt" is used to ensure consistent key derivation across operations.
6. Cryptographic Operationsβ
6.1. Authentication and Signaturesβ
The protocol supports two signature mechanisms:
- Software-based signatures using Ed25519
- Hardware-based signatures using FIDO2 authenticators
For FIDO2 signatures, the protocol uses a specialized format to include authenticator data:
{
"s": signature, // Actual signature bytes
"c": clientDataJSON, // WebAuthn client data
"a": authenticatorData // WebAuthn authenticator data
}
6.2. Encryptionβ
The protocol supports multiple encryption methods:
- DHIES (Diffie-Hellman Integrated Encryption Scheme): For direct secure messaging between two identities
- Saltpack: For multi-recipient encryption and anonymous encryption
6.2.1. DHIES Formatβ
DHIES encrypted messages have the following structure:
+----------------+----------------+----------------+----------------+
| Nonce | Ephemeral Key | Ciphertext | MAC |
| (24 bytes) | (32 bytes) | (variable) | (32 bytes) |
+----------------+----------------+----------------+----------------+
6.3. Key Agreement (Diffie-Hellman)β
The protocol uses X25519 for key agreement operations, enabling two parties to establish a shared secret for encrypted communications.
6.4. HMAC-based Pseudo-Random Functions (PRF)β
The protocol uses HMAC-SHA256 for generating deterministic values based on the identity's encryption key:
HMAC-SHA256(encryptionKey, "VaultysID/{message}/end")
7. Decentralized Identifier (DID) Integrationβ
7.1. DID Methodβ
The protocol defines the did:vaultys method with the following format:
did:vaultys:<40-character-fingerprint>
The fingerprint is derived from:
- The identity type byte
- SHA-224 hash of the identity's key material
7.2. DID Documentβ
Each identity can generate a W3C compliant DID document with the following structure:
{
"@context": [
"https://www.w3.org/ns/did/v1",
"https://w3id.org/security/suites/ed25519-2020/v1"
],
"id": "did:vaultys:<fingerprint>",
"authentication": [{
"id": "did:vaultys:<fingerprint>#keys-1",
"type": "<authType>",
"controller": "did:vaultys:<fingerprint>",
"publicKeyMultibase": "<base64-public-key>"
}],
"keyAgreement": [{
"id": "did:vaultys:<fingerprint>#keys-2",
"type": "<encType>",
"controller": "did:vaultys:<fingerprint>",
"publicKeyMultibase": "<base64-public-key>"
}]
}
8. Key Rotation and Revocationβ
8.1. Swapping Certificateβ
The protocol enables key rotation through a swapping certificate mechanism:
{
"newId": Buffer, // New identity ID
"proofKey": Buffer, // Original proof key
"timestamp": number, // Operation timestamp
"signature": Buffer // Signature by proof key
}
8.2. Verification Processβ
To verify a swapping certificate:
- Verify the proof key matches the identity's proof hash
- Verify the signature over the concatenation of newId, proofKey, and timestamp
9. Time-Based Operationsβ
9.1. One-Time Password (OTP) Generationβ
The protocol supports time-based one-time passwords for authentication:
OTP = HMAC-SHA256(secretKey, "OTP-" + Math.floor(Date.now() / timelock))
Where timelock is a time period (defaulting to 1 hour).
10. Security Considerationsβ
10.1. Key Storage and Managementβ
- Private keys MUST be securely erased from memory after use
- Hardware-backed keys SHOULD be preferred for high-security scenarios
- The protocol SHOULD use secure random number generation for all operations
10.2. Authenticationβ
- User verification SHOULD be requested for sensitive operations
- FIDO2 authenticators SHOULD use user verification when available
10.3. Forward Secrecyβ
The protocol does not inherently provide forward secrecy for all operations. Applications requiring forward secrecy SHOULD implement additional key rotation mechanisms.
11. Implementation Considerationsβ
11.1. Cross-Platform Supportβ
- Implementations MUST handle binary data correctly across different platforms
- The protocol supports both browser and native environments
11.2. Hardware Supportβ
The protocol is designed to work with:
- FIDO2-compliant authenticators (e.g., YubiKeys, Windows Hello, Apple Touch ID)
- WebAuthn API in modern browsers
- PRF-supporting authenticators for FIDO2PRF identities
12. Interoperabilityβ
12.1. Versioningβ
The protocol supports two serialization versions (0 and 1):
- Version 0: Legacy serialization format
- Version 1: MessagePack-based serialization format
Implementations MUST support both versions for backward compatibility.
12.2. Messaging Formatsβ
The protocol defines standard formats for:
- Identity serialization
- Signature representation
- Encrypted message structure
13. Examplesβ
13.1. Creating a Software-Based Identityβ
// Generate a new person identity
const personId = await VaultysId.generatePerson();
// Get the identity's DID
const did = personId.did; // "did:vaultys:0123456789abcdef0123456789abcdef01234567"
// Export the identity's secret for backup
const secret = personId.getSecret();
13.2. Creating a FIDO2-Based Identityβ
// Create a new FIDO2 identity (e.g., using Windows Hello or YubiKey)
const fido2Id = await VaultysId.createWebauthn();
// The identity is bound to the hardware authenticator
const isHardware = fido2Id.isHardware(); // true
13.3. Encrypting a Messageβ
// Encrypt a message for a recipient
const encryptedMessage = await senderId.dhiesEncrypt(
"Secret message",
recipientId.id
);
// Decrypt the message
const decryptedMessage = await recipientId.dhiesDecrypt(
encryptedMessage,
senderId.id
);
13.4. Multi-Recipient Encryptionβ
// Encrypt a message for multiple recipients
const encryptedMessage = await VaultysId.encrypt(
"Secret message for multiple recipients",
[recipient1.id, recipient2.id, recipient3.id]
);
// Each recipient can decrypt the message
const decryptedMessage = await recipient1.decrypt(encryptedMessage);
14. Referencesβ
14.1. Normative Referencesβ
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.
[WebAuthn] W3C, "Web Authentication: An API for accessing Public Key Credentials", https://www.w3.org/TR/webauthn/
[DID-CORE] W3C, "Decentralized Identifiers (DIDs) v1.0", https://www.w3.org/TR/did-core/
[BIP32-ED25519] "BIP32-Ed25519 Hierarchical Deterministic Keys over a Non-linear Keyspace", https://github.com/stricahq/bip32ed25519
14.2. Informative Referencesβ
[SALTPACK] "Saltpack: a modern crypto messaging format", https://saltpack.org/
[NACL] Bernstein, D.J., et al., "Networking and Cryptography library", https://nacl.cr.yp.to/
[DHIES] Abdalla, M., Bellare, M., and P. Rogaway, "DHIES: An encryption scheme based on the Diffie-Hellman Problem", https://web.cs.ucdavis.edu/~rogaway/papers/dhies.pdf
Authors' Addressesβ
François-Xavier Thoorens fx.thoorens@vaultys.com
Appendix A: Data Structures and Formatsβ
A.1. Identity Formatβ
+----------------+--------------------------------+
| Type | Identity-specific data |
| (1 byte) | (variable length) |
+----------------+--------------------------------+
A.2. FIDO2 Signature Format (MessagePack encoded)β
{
"s": Uint8Array, // Signature bytes
"c": Uint8Array, // Client data JSON
"a": Uint8Array // Authenticator data
}
A.3. VaultysId Fingerprint Formatβ
The fingerprint is a 40-character hexadecimal string derived from:
- The identity type byte
- SHA-224 hash of the identity's key material
It is formatted as space-separated groups of 4 characters for readability.
Appendix B: Implementation Notesβ
B.1. Browser Compatibilityβ
The protocol has been tested with:
- Chrome/Edge (full WebAuthn)
- Firefox (WebAuthn support)
- Safari (WebAuthn support, no direct attestation)
B.2. Hardware/Passkey Compatibilityβ
The protocol has been tested with:
- Winkeo (FIDO2 compliant, no PRF support)
- YubiKey (FIDO2 compliant, PRF support)
- Feitian (FIDO2 compliant, PRF support)
- Windows Hello (FIDO2 compliant, PRF support)
- Apple Touch ID (FIDO2 compliant, PRF support)
B.3. Key Derivation Pathsβ
The protocol uses the following BIP32 derivation paths:
- Proof key:
m/1'/0'/{swapIndex}' - Signing key:
m/1'/0'/{swapIndex}'/0'