Issuer method DID / DNS-DID

Requirement	DNS-TXT	DNS-DID	DID
Domain name needed?	✓	✓	✗
Smart contract deployment needed?	✓	✗	✗
Identifiable issuer?	✓	✓	✗

smart contract deployment is the deployment of either document store smart contract or token registry smart contracts.

Alternatively to DNS-TXT method, as an issuer one can use either DID or DNS-DID issuer method to verify that they indeed sign over the TradeTrust document.

note

Please take note of the document types that supports this method of identifying the issuer.

Document type	Support DID / DNS-DID
Verifiable Document	✓
Transferable Records	✗

Not sure which type of document to use? Have a better understanding about our different document types: verifiable documents and Transferable Records.

Rationale

Decentralized identifiers (DIDs) are a new type of identifier that enables verifiable, decentralized digital identity. DID document associated with DIDs contains a verification method. The owner of a DID can use the private key associated and anyone can verify that the owner control the public key. DID is new, 1.0 specification is recommended in July 2022. One advantage is that this allows our document issuance flow to not rely on the need to write on blockchain, eliminating the need for gas fees. You can read more about DID on wikipedia or deep dive into w3c specifications.

How it works

When an individual entity creates an etheruem wallet, it is nothing more than a private / public key pair. The public key can be derived from a wallet address and hence the ethereum wallet address becomes the basis for the DID verification. When we use our private key to sign over merkleRoot of our TradeTrust document, proof.signature is appended. This is the signature that will be verified against with later in tt-verify library. What happens at this end is the DID document will be resolved and retrieved, verify if the signed message hash equates back to etheruem wallet address, ensuring the document was indeed signed by it's private key. This way we know that it is "issued".

Let's look at the did:ethr method:

did:ethr:<ethereum-address>

did is the DID method prefix.
ethr signifies the Ethereum-based DID method.
<ethereum-address> is the Ethereum address of the entity being identified.

Example of a DNS-DID signed document:

{
  "version": "https://schema.openattestation.com/2.0/schema.json",
  "data": {
    "recipient": {
      "name": "bf8e3911-c3fc-44af-828b-c3ca206e1f7e:string:John Doe"
    },
    "$template": {
      "name": "a46be53b-a002-461c-a7cf-caaf7777e27b:string:main",
      "type": "7200491e-c731-43b4-b7c1-74401df1efe0:string:EMBEDDED_RENDERER",
      "url": "a3c6da71-0398-4925-88e4-8bbdc5bc034d:string:https://tutorial-renderer.openattestation.com"
    },
    "issuers": [
      {
        "id": "1bcba98a-90c2-4e84-9d78-7d367329423f:string:did:ethr:0x1245e5B64D785b25057f7438F715f4aA5D965733",
        "name": "11fcbdbc-1937-4899-a9cc-2bfc6bdafa31:string:Demo Issuer",
        "revocation": {
          "type": "eb10f23d-4b65-4124-afcb-82b3309468ec:string:NONE"
        },
        "identityProof": {
          "type": "98e739b6-1e5b-4f0e-a858-78e0d5206c3e:string:DNS-DID",
          "location": "e06d6dbe-41c5-4030-ac28-49ec1edb305d:string:demo-tradetrust.openattestation.com",
          "key": "c6df4c02-402c-418c-b8ff-5491d9e5f297:string:did:ethr:0x1245e5B64D785b25057f7438F715f4aA5D965733#controller"
        }
      }
    ]
  },
  "signature": {
    "type": "SHA3MerkleProof",
    "targetHash": "26293946d01299ca359ae40bbc3f6a9aef9654bb666331c604c8c1563faa655b",
    "proof": [],
    "merkleRoot": "26293946d01299ca359ae40bbc3f6a9aef9654bb666331c604c8c1563faa655b"
  },
  "proof": [
    {
      "type": "OpenAttestationSignature2018",
      "created": "2022-10-26T06:19:33.540Z",
      "proofPurpose": "assertionMethod",
      "verificationMethod": "did:ethr:0x1245e5B64D785b25057f7438F715f4aA5D965733#controller",
      "signature": "0x5c18263cc5194605080cffe77f934699d78d63711069cdf9917778ab0316aac1653e00b38537b482b48242bba5f0276f481c50845fce14cc91b4eada9e6a4e461c"
    }
  ]
}

Hands-on Creating a DNS-DID / DID

Before we start creating the DNS-DID / DID, please take note that this method does not require any ethers/matic (cryptocurrency) to begin. Which means if you use this method, your verifiable document that you will generate will be free! Also, please make sure you have completed the prerequisites listed below.

Prerequisites

An etheruem wallet. (DID)
Domain name. (DND-DID)
Edit access to your domain's DNS records. (DND-DID)

Creation of wallet

Create a wallet.

Creation of DID

With an etheruem wallet address, you can go to https://dev.uniresolver.io/1.0/identifiers/did:ethr:<YOUR_WALLET_ADDRESS>. The returned response is an ethr DID document and it will look something like this:

{
  "@context": ["https://www.w3.org/ns/did/v1", "https://w3id.org/security/suites/secp256k1recovery-2020/v2"],
  "id": "did:ethr:0xeB68fae40F796d6605d482773c4a7B266da87A0d",
  "verificationMethod": [
    {
      "id": "did:ethr:0xeB68fae40F796d6605d482773c4a7B266da87A0d#controller",
      "type": "EcdsaSecp256k1RecoveryMethod2020",
      "controller": "did:ethr:0xeB68fae40F796d6605d482773c4a7B266da87A0d",
      "blockchainAccountId": "eip155:1:0xeB68fae40F796d6605d482773c4a7B266da87A0d"
    }
  ],
  "authentication": ["did:ethr:0xeB68fae40F796d6605d482773c4a7B266da87A0d#controller"],
  "assertionMethod": ["did:ethr:0xeB68fae40F796d6605d482773c4a7B266da87A0d#controller"]
}

This method (DID) do not require you to own a domain name. However, please take note that when verifying a document created from this method, the Issuer will reflect the wallet address which can be cryptic to most users. An example will look like this:

DID ethr

DNS-DID

This method concept is the same as DNS-TXT method but instead of using a document store or a token registry we tie our DID to a custom txt record that we created in a domain name we own. Refer to below on how to implement.

How to create DNS-DID Record

Make sure you have a wallet, we are only interested in the wallet address. If you do not have an existing wallet, create one by:

open-attestation wallet create --of wallet.json

ℹ  info      Creating a new wallet
? Wallet password [hidden]
…  awaiting  Encrypting Wallet [====================] [100/100%]
ℹ  info      Wallet with public address 0xeB68fae40F796d6605d482773c4a7B266da87A0d successfully created.
ℹ  info      Find more details at https://sepolia.etherscan.io/address/0xeB68fae40F796d6605d482773c4a7B266da87A0d
✔  success   Wallet successfully saved into /Users/username/Desktop/tradetrust/wallet.json

Using the above example, the DID document response for the wallet address will look like this:

{
  "@context": ["https://www.w3.org/ns/did/v1", "https://w3id.org/security/suites/secp256k1recovery-2020/v2"],
  "id": "did:ethr:0xeB68fae40F796d6605d482773c4a7B266da87A0d",
  "verificationMethod": [
    {
      "id": "did:ethr:0xeB68fae40F796d6605d482773c4a7B266da87A0d#controller",
      "type": "EcdsaSecp256k1RecoveryMethod2020",
      "controller": "did:ethr:0xeB68fae40F796d6605d482773c4a7B266da87A0d",
      "blockchainAccountId": "eip155:1:0xeB68fae40F796d6605d482773c4a7B266da87A0d"
    }
  ],
  "authentication": ["did:ethr:0xeB68fae40F796d6605d482773c4a7B266da87A0d#controller"],
  "assertionMethod": ["did:ethr:0xeB68fae40F796d6605d482773c4a7B266da87A0d#controller"]
}

As an issuer, you will need to add a custom TXT record to your domain name. The exact steps to achieve this can be confirmed with your domain name registrar, this is usually achieved through your domain administration web UI.

Inserting the DNS Record for DID

The following is an example for an issuer:

Wallet address: 0xeB68fae40F796d6605d482773c4a7B266da87A0d

openatts a=dns-did; p=did:ethr:0xeB68fae40F796d6605d482773c4a7B266da87A0d#controller; v=1.0;

Within your domain registrar or DNS provider's web UI, insert a TXT record into the DNS in the following format:

Type	Name	Value
TXT	example.com	"openatts a=dns-did; p=`<DID>`; v=1.0;"

The <DID> value will be did:ethr:0xeB68fae40F796d6605d482773c4a7B266da87A0d#controller in this example. Double check if the txt record exists by doing the following:

open-attestation dns txt-record get --location <YOUR_DOMAIN>

Which will display to you the list of the DNS TXT records associated to that location:

┌─────────┬────────────┬───────────┬──────────────────────────────────────────────────────────────────┬─────────┬────────┐
│ (index) │    type    │ algorithm │                            publicKey                             │ version │ dnssec │
├─────────┼────────────┼───────────┼──────────────────────────────────────────────────────────────────┼─────────┼────────┤
│    0    │ 'openatts' │ 'dns-did' │ 'did:ethr:0xeB68fae40F796d6605d482773c4a7B266da87A0d#controller' │  '1.0'  │ false  │
└─────────┴────────────┴───────────┴──────────────────────────────────────────────────────────────────┴─────────┴────────┘

Note that it can take some time for the record to be correctly propagated to the DNS, even though it usually takes 10 to 15s.

Feedback

Rationale​

How it works​

Hands-on Creating a DNS-DID / DID​

Prerequisites​

Creation of wallet​

Creation of DID​

DNS-DID​

How to create DNS-DID Record​

Inserting the DNS Record for DID​