I have encountered a peculiarity about peer DIDs in combination with the current version of DID Exchange, where I am unsure whether it poses a problem or not.
Suppose A and B have a connection, for which A uses peer DID (didA@B).
I believe that it is currently possible for an attacker who knows (didA@B) and its DID Doc to register (didA@B) with that DID Doc as its own peer DID with a third party C.
The reason is that, in an exchange request, the requester does not have to prove control of the secret key in the initial DID Doc's public key - at least, this is not the case in the current version of DID Exchange. I realize that this may be an issue of the DID Exchange spec, and might be addressed in the DID Comm WG or Aries WG (I'm not sure whether DID Exchange is part of the DID Comm WG).
However, I wonder if this is even a problem. Would a "re-use" of a peer DID between A and B in another context (involving a third party C) even pose any problem? Or are peer DIDs only "meaningful" between the two parties for which they were set up?
I do not see how such a re-use could directly hurt A or B, but it still allows the attacker to register a peer DID they do not control...
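
The check the post says the exchange request lacks, seen from responder C's side, as an added example that is not part of the original issue and is not the DID Exchange wire format. The request shape, the `publicKeyPem` field, the challenge and all function names are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

// C issues a fresh challenge that names C, so a proof made for B cannot be replayed.
function newChallenge(responder) {
  return { responder, nonce: crypto.randomBytes(16).toString('hex') };
}

// Bytes the requester signs: the DID it claims, the responder, and the nonce.
function signingInput(did, ch) {
  return Buffer.from(JSON.stringify([did, ch.responder, ch.nonce]));
}

// Requester: sign with the private half of the key listed in the DID Doc.
function buildRequest(did, didDoc, privateKey, ch) {
  const proof = crypto.sign(null, signingInput(did, ch), privateKey).toString('base64');
  return { did, didDoc, proof };
}

// Responder without proof of possession: a well-formed DID + DID Doc is enough.
function acceptWithoutProof(req) {
  return Boolean(req.did && req.didDoc && req.didDoc.publicKeyPem);
}

// Responder with proof of possession: the signature must verify under the DID Doc key.
function acceptWithProof(req, ch) {
  if (!acceptWithoutProof(req) || typeof req.proof !== 'string') return false;
  try {
    const key = crypto.createPublicKey(req.didDoc.publicKeyPem);
    return crypto.verify(null, signingInput(req.did, ch), key, Buffer.from(req.proof, 'base64'));
  } catch {
    return false; // malformed key or signature
  }
}

function demo() {
  const a = crypto.generateKeyPairSync('ed25519'); // A's key pair (constructed)
  const did = 'did:peer:example-A-at-B'; // constructed placeholder, not a valid peer DID
  const didDoc = { publicKeyPem: a.publicKey.export({ type: 'spki', format: 'pem' }) };
  const chC = newChallenge('C');
  const wrongKey = crypto.generateKeyPairSync('ed25519').privateKey;
  return {
    copiedNoCheck: acceptWithoutProof({ did, didDoc }),
    copiedWithCheck: acceptWithProof({ did, didDoc }, chC),
    wrongKey: acceptWithProof(buildRequest(did, didDoc, wrongKey, chC), chC),
    replayedFromB: acceptWithProof(buildRequest(did, didDoc, a.privateKey, newChallenge('B')), chC),
    genuine: acceptWithProof(buildRequest(did, didDoc, a.privateKey, chC), chC),
  };
}
console.log(demo());
```

Only the request signed with A's key over C's own challenge passes `acceptWithProof`; a copied DID and DID Doc with no signature passes only the responder that skips the check.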