This threat model describes known threats of DID Resolution specification at https://w3c.github.io/did-resolution/.

DID resolution is the process of taking a DID URL, which contains a [=Decentralized Identifier=] and returns its authoritative DID document. This is the first step in dereferencing a DID URL.

Status of this Document

This is a draft of a new NOTE-track publication from the Decentralized Identifier Working Group (DIDWG).

Introduction

DID Resolution is the first step in dereferencing a DID URL.

Dereferencing means taking a reference to a resource and bringing that resource into the current computational context.

In programming languages like c and c++, dereferencing a pointer means accessing, interpreting, or applying the value pointed to by that pointer in the current computational context. On the web, dereferencing a URL means retrieving a representation of a resource and returning it for interactions in the local context. For web pages, that means displaying the retrieved HTML in the browser, with an appropriate view. For asynchronous JavaScript aka AJAX requests, it means bringing the result from a HTTP request into the current JavaScript context for processing, often to change the content of the page. Dereferencing a DID URL means retrieving the appropriate resource referred to by the DID URL and applying it in the current context.

Resolving is the first step in dereferencing, when you acquire the authoritative metadata that enables resource retrieval. Resolving an HTTP URL means resolving the authority part (typically a host or domain name) to get the IP address to use for the HTTP request. The first step in dereferencing a [=DID URL=] is DID is resolving the DID URL to get the DID document and associated metadata that contain the cryptographic material and service endpoints for securely interacting with the resource referenced by the DID URL. Dereferencing uses the result returned from resolution to retrieve the actual resource.

DID URL resolution depends on method-specific interactions with the DID method's Verifiable Data Registry. Every DID method defines its own approach to retrieving DID state from a VDR. DID Resolvers provide a standard interface to abstract those VDR interactions away, enabling any DID-enabled application to rely on a consistent API, regardless of how the method interacts with a VDR.

DIDs can be used as identifiers for both subjects and issuers of Verifiable Credentials and can anchor any number of cryptographic verification methods, such as attestations, authorizations, encryption, and key agreement.

A discussion of Decentralized Identifier use cases can be found in the W3C's Use Cases and Requirements for Decentralized Identifiers.

The DID Resolution specification defines how DID URL clients can dereference a DID URL into the current context, including how to resolve the DID URL to get the authoritative DID document used for retrieving the actual resource.

This document describes the threats known to the DID WG at the time of developing the specification, whether addressed by the specification, to be addressed by implementers, or accepted as unresolvable.

Architecture

The architecture of DID resolution is anchored between three roles in the system (client, resolver, and VDR), each typically running on separate devices, although different configurations may deploy these elements differently. We present a unified view of the architecture below, followed by two profiles, one for did:key and a single device and one for did:btcr2 relying on arbitrary VDR devices.

The three primary roles are the client, the resolver, and the Verifiable Data Registry (VDR). The client has a DID URL the user wants to use. The client provides the business logic to manage DID resolution and apply the result to its current context. The Resolving Client connects to a DID Resolver to get the authoritative DID document for that DID URL, then interprets the result to update the current context.

Diagram

DID Resolution Architecture Diagram

Description

The process starts with a DID User (E1) who has a DID URL (D1) they would like to dereference.

Using a DID User Client Device (C1), the user directs the device to use the DID URL through some gesture, clicking on a link, entering a DID manually, or scanning a QR code (F0). This input to the DID Enabled Application (P1) triggers a call to Resolve (F1), which then resolves the DID URL according to its DID method, returning the authoritative DID Document (D3) according to the parameters passed in.

How the client device gets a DID URL and how the user interacts with application is outside the scope of this specification.

Each device in the diagram represents a different trust container, each representing a specific set of code running on a particular device. Each code object (D4, D6, and D8) is maintained by at least one human maintainer (E2, E5, E8, respectively). Each device (C1, C2, C3) is administered by at least one human administrator (E3, E6, E9, respectively) on behalf of a service provider (E4, E7, E10, respectively) who, as a legal person, holds operational authority over each device.

It is understood that each device is operated by a service provider, administered by a human, using code maintained by a human. In the case that either the maintenance or administration is AI-driven, we consider the human configuring and running that AI to be the maintainer or administrator, respectively. When discussing different deployment strategies, it is important to consider how these entities change and how those changes impact security of the system.

It is also worth noting that the resolve method call (F1) crosses a fundamental trust boundary (T1), where the result of the resolver *is* necessarily taken as authoritative. Regardless of the complexity of the resolver and VDR systems, the DID user chooses the resolvers they trust; it is understood that the choice of resolver is an unavoidable build versus buy decision. However that resolver achieves the result is up to the quality of its own implementation of each supported DID method.

DID Resolution, as defined in this specification, begins after the Resolver (P2) receives a Base DID URL (D2)—the DID URL minus the fragment&mdsh; and associated parameters. The resolver (P2) then queries the VDR Node(P3) with Read VDR State (F3) based on that state, generates the canonical DID Document (D3) and associated metadata (D10 and D11) which is returned to the application (P1). The application takes that result and depending on whether or not a secondary resource is indicated, it either returns the DID document or dereferences the secondary resource.

How the VDR maintains state (D9) and how the resolver reads that state (F3) are DID-method specific, defined in each DID method specification and otherwise out of scope of this specification.

Dictionary

E1 DID URL User The user of the decentralized identifier URL (D1)
E2 Client Code Maintainer The person maintaining the client software (D4)
E3 Client Administrator The person administering the client software (D4) configuration on the client device (C1)
E4 Client Service Provider The party legally responsible for the client software (D4) running on the client device (C1)
E5 Resolver Code Maintainer The person maintaining the resolver software (D8)
E6 Resolver Administrator The person administering the resolver software (D8) configuration on the resolver device (C3)
E7 Resolver Service Provider The party legally responsible for the resolver software (D8) running on the resolver device (C3)
E8 VDR Code Maintainer The person maintaining the VDR software (D6)
E9 VDR Administrator The person administering the VDR software (D6) configuration on the VDR device (C2)
E10 VDR Service Provider The party legally responsible for the VDR software (D6) running on the VDR device (C2)
P1 DID Enabled Application The process performing DID URL dereferencing. It coordinates with the resolver (P2) and performs whatever is needed after resolution to dereference the DID URL and apply the result to the current context.
P2 Resolver Process The process running on the resolver device that knows how to access the VDR for a given DID method (using F3 to reach P3) and interpret the response to generate the canonical DID document for the DID URL (D1) in question.
P3 VDR Process The process that interfaces directly with the VDR data store and provides selected VDR state to the resolver (P2).
F0 Use DID URL The initial interaction from the DID URL User (E1), directing the software to use the DID URL (D1) in some fashion.
F1 Resolve The call from the DID enabled application (P1) to the resolver (P2) requesting the canonical DID document for a given DID URL.
F3 Read VDR State The call from the resolver (P2) to the VDR (P3) requesting state data related to a given DID URL (D1)
D1 DID URL The initial DID URL, including any path, query, and fragment parts. This is a pointer to a resource that may be dereferencable (P1).
D2 BASE DID URL A version of the initial DID URL without the fragment part, sent to the Resolver (P2). This is a pointer to a resource that can be dereferenced (P1).
D3 DID Document The canonical DID document for the DID URL (D1), taking into account any parameters that might affect resolution, such as versionId
D4 Client Code Software running on the client device (C1) to realize the DID Enabled Application (P1). It manages the user experience as well as the dereferencing (P1) algorithm. This code includes all of the client-side software running in that container. This means the business logic, the UX interface, and any plugins that might be part of a solution. For example, a browser that leverages an extension to allow a website to dereference a DID would have a much more complicated set of code, processes, and flows between those components. If profiling the DID architecture for more complex setups, these components may deserve their own processes, code, and data stores.
D5 DID Client Data Store Data stored in the client device (C1), presumed to be accessible to any process in the container, including the dereferencer (P1) and resolver (P2).
D8 Resolver Code Software running on the resolver device (C3) to realize the resolver process (P2) and manage the Resolver data store (D7). It handles incoming Resolve (F1) calls, taking an incoming Base DID URL (D2) and returning its authoritative DID document (D3).
D7 Resolver Local Data Data stored on the resolver device (C2), presumed accessible to the Resolver Process (P2)
D8 VDR Code Software running on the VDR device (C2) to instantiate the VDR Node as a running process (P3). It maintains the state of the VDR (D9 and makes aspects of that state available to the resolver via the Read VDR State function (F3)
D9 VDR Data Store Data stored in the VDR device (C2), presumed accessible to the VDR Process (P3).
D10 DID Document Metadata Metadata related to the DID Document (D3). Returned by resolver (P2) in response to Resolve(F1).
D11 DID Resolution Metadata Metadata related to the DID Resolution. Returned by resolver (P2) in response to Resolve (F1).
C1 DID User Client Device The user's device, which runs the dereferencing (P1) and resolution client (P2) processes using client code (D4) as configured by the client administrator (E3) on behalf of the client service provider (E4).
C3 Resolver Device The device running the resolver process (P2) using resolver code (D6) as configured by the resolver administrator (E6) on behalf of the resolver service provider (E7)
C2 VDR Device The device running the VDR process (P3) using VDR code (D8) as configured by the VDR administrator (E9 on behalf of the VDR service provider (E10)
T1 Resolution Trust Boundary The boundary between the resolver client (P1) and the resolver (P2). It is understood that the client process (P1) MUST inherently trust the resolver (P2) which also implies the user (E1) trusts the resolver service provider (E7)

Stakeholders

E1 DID URL User

The primary end user for DID resolution is an individual human seeking to use a DID URL for some purpose. There are two major variations of this [=DID URL User=]:

  1. Someone who controls a [=DID document=], and presumably is able to update the DID document should its DID method support it.
  2. Someone who has received or seen a DID URL in a particular context and wants to perform a DID related function with it,
    1. Verifying a proof signed by the DID
    2. Verifying an authorization invocation
    3. Interacting with the DID controller by sending a message to a service endpoint
    4. Retrieving a resource indicated by a DID

The [=DID URL User=] is primarily concerned with the integrity and reliability of the system. They may be just about anyone on the planet with a computation device at their disposal: a smart phone, a desktop, even a shared device at a library or internet cafe. The User could also be a corporate employee or agent, who has received a DID from a supplier or customer and wants to use it to verify a verifiable presentation or satisfy a confidence method to increase their confidence that a given actor is the subject of a particular Verifiable Credential.

As a technical layperson, the DID URL User requires a certain reliability and simplicity; the system should “just work” in the manner they have become accustomed to on the Web. When their software encounters a DID URL, it should work just like any URL, without additional interactions, when possible.

Perhaps most importantly, the DID URL User SHOULD retain complete control over which software and services they use for DID resolution.

In practice, most individuals will make choices based on brand confidence and peer recommendations. End users choose the software they want to run and the services they access, including which resolvers to use for specific DID methods. Just like a web browser enables end users to choose which website they want to visit, DID URL users MUST be able to direct their DID client software to use the resolvers they trust. In practice, software will be delivered with default services and many users will never see the difference, just as some users may start on a browser's default home page and only click on links, never typing a URL into an address bar. However, it is a fundamental security decision that end users get to decide which resolvers are trusted.

Finally, the DID URL User may have any number of accessibility challenges, from visual impairments to language gaps. While it is important that DID resolution works seamlessly without a lot of cognitive burden, implementations should take care to ensure that the broadest number of users can effectively use the technology, especially when interactive prompts are used to confirm or direct intermediary behavior. For example, did:btcr has an iterative resolution process, where the data required to complete resolution may not be known–even as a requirement–when the DID URL is initially presented.

E2 Client Code Maintainer

The client code maintainer cares about the integrity of their software code base.

E3 Client Administrator

The client administrator cares about a reliably working client device. They want to know the software configuration on the device aligns with individual and/or corporate policy, especially with regard to resolver selection and library adoption.

E4 Client Service Provider

If the client service provider is primarily concerned with the integrity, usability, and profitability/cost of the service. For typical consumer usage, the end user is the client service provider, but when the client is run on behalf of a corporation for its employees, that employer is the client service provider.

The Client Service Provider cares about the code and configuration on the device is as the administrator has established, based on the service provider’s policies.

E5 Resolver Code Maintainer

The resolver code maintainer wants to ensure that their code is provably executing the resolution function as defined in the DID methods it supports.

E6 Resolver Administrator

The resolver administrator wants to ensure that the resolution service is configured as intended and that any libraries or original software is reliably performing as needed and expected.

E7 Resolver Service Provider

The resolver administrator wants to ensure that the resolution service is running as configured and without errors.

Fundamentally, the resolver service must be trustworthy enough for users to be willing to rely on its service for cryptographically anchored interactions. Since DIDs can be used to secure information and transactions of arbitrary value, the service provider necessarily wants to be perceived as reliable, friendly, and easy to use.

At the end of the day, it's the resolver service provider that the DID URL User is trusting to return the real, authoritative DID document.

E8 VDR Code Maintainer

The VDR Code Maintainer cares primarily about the quality of their code. Many VDRs are open source, but there is no expectation that this is always true. Whether open or closed source, the code maintainer wants to be able to maintain code quality so that those who rely on their software can rest assured that the software is doing exactly what is promised, and no more.

That said, the VDR Code Maintainer may only care about the Verifiable Data Registry, without any expectation of use beyond that. To wit, BTCR2 can use a VDR device that is directly running a full bitcoin node; in that configuration, the VDR code maintainer is a bitcoin core developer. Bitcoin core developers care primarily about the integrity of the bitcoin network as maintained by bitcoin core. They don't care about DIDs, nor do they need to.

E9 VDR Administrator

The VDR administrator runs the actual VDR device queried by the resolver. In most configurations, they care primarily (perhaps ONLY) about the reliable operation of the VDR device.

E10 VDR Service Provider

VDR service providers care about providing a reliable verifiable data registry, for whatever purpose that VDR is used for. Often a VDR service provider stands up a VDR device as a public service, such as bitcoin nodes that are accessible by others. Some service providers may offer VDR capability as a paid service.

Threats

Contributing

This threat model was developed using the W3C Threat Modeling Guide. Contributions to this threat model that are aligned with that approach are welcome.

To propose a change, create an new issue proposing your change. Discussion on Github about that issue will help collaborators understand and incorporate it into the model. It may be that the issue is perfect, but most likely feedback will improve it.

Once a consensus has emerged about adding a particular threat, updating the diagram, or any other change, a Pull Request can be submitted to the repo to propose the actual specification text that realizes the suggestion.

Issues discussing threats should eventually cover all of the threat details needed to propose the change in a PR.

Adding a threat

To add a new threat to the model, we need several components.

  1. A good name
  2. A unique ID
  3. A description
  4. One or more responses
  5. List of affected elements
  6. The analytic framework

We discuss each of these below.

A good name

Choose a short, descriptive name that captures the essence of the threat. Make sure the name is distinctive within this threat model.

A unique ID

Every threat should have a unique ID that starts with the letter 'T' following by an integer number, e.g., T12

A description

Describe the threat with enough detail for readers to understand the scope of concern

One or more responses

Each response should describe something either the specification does or that implenters should consider to address the threat. Responses also need a good name (short and descriptive) and a unique ID (starting with the letter 'R' followed by an integer number).

It is likely that a single response is appropriate for multiple unique threats. For example, cryptographic signing is a reasonable response to tampering for any number of data objects. In this case, simply reuse the response name and ID of the first use and repeat the description text along with the phrase, in parantheses, '(Reused Response)'

List of affected elements

Drawing from the diagram and dictionary, identify the components in the diagram affected by this threat. Make sure the PR includes a link to the affected components, e.g., 

C1

The analytic framework

Identify the analytic framework used to identify the threat. For example, STRIDE, LINDUN, or OSSTMM. If none was used, enter "NONE".

Adding to this repo
  1. Create A threat file
  2. Give it a good name
  3. Add javascript element
  4. Add threat to outline
Create a threat file

Create a JavaScript file that defines and registers your threat, formatted like the following template. Make sure you retain the opening immediate function execution wrapper and that you register with the ThreatModel object.

// wrap your data definition in an Immediately Invoked Function Expression
(function () {
  
  // then define a single threat
  var threat = {
    id: "T0",
    name: "Template Threat",
    description: "This is a template threat. It is not a real threat.",
    responses: [{
      id: "R0",
      name: "Template Response",
      description: "This is a template response. It is not a real response."
    }],
    elements: ["C1", "P1"],
    framework: {
      name: "Fake Framework",
      type: "Fake Type"
    }
  };

  // then register that threat with the global ThreatModel object 
  window.ThreatModel.registerThreat(threat);

})();  // Finish the Immediately Invoked Function Expression
Give the file a good name

Name the file uniquely, preferably with the following pattern based on the ID and name, all in lower-case kebab style

          var id = `${threat.id}-${threat.name}`;
          id = id.toLowerCase();
          id = id.replace(/ /g, "-");
          return id;

For example, T0. Template Threat becomes t0-template-threat

Add javascript element

Add a new <script> tag

to index.html alongside the other threat definition files 
        <script src="threats/t0-template-threat.js"></script>
Add threat to outline

Update the outline.js file, adding the id of your threat, e.g., T0 to the threats array.

Test & Submit

Open the index.html locally and you should see your threat added to the list. Propose your working change as a PR, for consideration by the editors.