Does that really make it out of scope? For the Identity Proofs spec perhaps, but I think not for nomadic identity in general. I kinda want a domain-based identity coupled with a key-based identity. Isn’t Solid a good foundation to which key-based ID could be added?
This draft spec seems to be pointing in that direction: did:solid Method Specification
Meanwhile, here’s a Solid developer explaining how the protocol enables nomadic identities (without private keys?):
Though i am not deeply familiar (yet) with fediverse protocols, i will elaborate on how
webid + dpop + solid-oidc
, enable decentralized, nomadic identity that can be provable.
- Say a user has ownership over a web uri (
https
to be complete). Eg:https://eg.org/user#me
, which he can use as hisname
. I.e. user themself is a resource, and it is their universal name. This will be their webid. From now onwards anyone can use this name to talkabout
them in rdf statements.- Webid is required to either derefer or redirect to a web document, which is known as
webid-document
. In above case uri of the webid-doc ishttps://ex.org/user
. (different fromhttps://ex.org/user#me
).- This document is public for the span of the world of discource. It contain authoritative info about the user as an rdf graph.
- They thus can have for example their pub-key. This can be used as
one-of
direct authentication mechanism too. See https://github.com/solid/authentication-panel/blob/main/proposals/HttpSignature.md- But user can also link to their
oidc identity-provider
.- Thus the main trick to decentalized id is this: User choose and own their id. That is dereferable. And links to their chosen (preferably self-hosted) oidc idp. Thus resource-servers (RS) and applications(RP) can trust the idp’s mandate on user’s identity.
- When idp issues an id token to a client (RP), it can use that with any resource servers to act on behalf of user. (Scoped probably).
- But an issue arises in decentralized ecosystem. I.e a malicious resource server can use that id token with other arbitrary resource-servers too.
- Thus, it is imperative that, an id token issued by an idp must be scoped to a single client. This is what
sender-constrainined-access-token
do. DPoP essentially addresses this problem.- In dpop layered oidc, when client initializes oidc flow, it also sends its public key to the idp. Idp, then “bounds” the id token to this pub-key. And it includes that pub key in id-token signed jwt payload.
- Thus, when a client wants to use it at a resource-server, it should send a dpop-proof, along with the id token. That depop proof must be signed with the private key corresponding to the pub-key it previously used at idp.
- Thus resource server can verify the proof against bounded pub key to asset that, token is being used by the same client to which it is granted.
This all together enables nomad identities.
Further discussion here: