- From: Anders Rundgren <anders.rundgren.net@gmail.com>
- Date: Sun, 7 May 2017 08:08:09 +0200
- To: W3C Credentials Community Group <public-credentials@w3.org>
A problem with using "in-lined" keys like below is that it doesn't give you any issuer information. One solution to that is rather using an X.509 certificate. Another solution is referring to keys with URLs.

For an entirely different project than Verified Credentials I have come up with a concept combining in-lined public keys with an external description which I call "Authority Object". The advantages include:

- Objects can always be verified for [technical] correctness including off-line
- Arbitrary extensive issuer information and its associated keys are kept in a consolidated document (which in turn may have been signed by another "governing" party)

Actual example: https://mobilepki.org/webpay-acquirer/

Concept specification: https://cyberphone.github.io/doc/defensive-publications/authority-objects.pdf

On 2017-05-07 07:36, Anders Rundgren wrote:
> Before you decide on signature format I suggest that you evaluate an alternative which:
> - Builds on ES6 serialization making JSON.stringify() and JSON.parse() the only "algorithms" needed for canonicalization
> - Supports a subset of the JOSE signature algorithms (JWA)
> - Supports a subset of the JOSE key descriptor (JWK)
> - Does not shroud data or headers in Base64
>
> {
>   "firstName": "Luke",
>   "familyName": "Skywalker",
>   "origin": "Alderaan",
>   "signature": {
>     "algorithm": "ES256",
>     "publicKey": {
>       "kty": "EC",
>       "crv": "P-256",
>       "x": "vlYxD4dtFJOp1_8_QUcieWCW-4KrLMmFL2rpkY1bQDs",
>       "y": "fxEF70yJenP3SPHM9hv-EnvhG6nXr3_S-fDqoj-F6yM"
>     },
>     "value": "Y3Y_O0500a2S2qt11Wx7SxPtIw_hcwMwTOkCaxXKgSgnGXRvSt_96a3Daq0jzqf2ROFvPIiAWGIVtKWxtPMPuw"
>   }
> }
>
> On-line testing: https://mobilepki.org/jcs
> Specification: https://cyberphone.github.io/doc/security/jcs.html
> Code: https://github.com/cyberphone/openkeystore
>
Received on Sunday, 7 May 2017 06:08:45 UTC
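
The point made in the message above, as an added Node.js example that is not part of the original message or of the openkeystore project: a signature made with an in-lined key verifies as technically correct no matter who holds the key, so a verifier also needs an external record that maps the key to an issuer. Assumptions: the signature covers `JSON.stringify()` of the object with only `signature.value` left out, and the `trustedIssuers` map (keyed by RFC 7638 JWK thumbprint) is a hypothetical stand-in for an external issuer description, not the Authority Object format.

```javascript
const crypto = require("crypto");

// RFC 7638 thumbprint of an EC JWK: SHA-256 over the required members in sorted order.
function thumbprint(jwk) {
  const canon = JSON.stringify({ crv: jwk.crv, kty: jwk.kty, x: jwk.x, y: jwk.y });
  return crypto.createHash("sha256").update(canon).digest("base64url");
}

// Sign: add the signature object without "value", serialize, sign, then add "value".
function sign(data, keys) {
  const { kty, crv, x, y } = keys.publicKey.export({ format: "jwk" });
  const obj = { ...data, signature: { algorithm: "ES256", publicKey: { kty, crv, x, y } } };
  const sig = crypto.sign("sha256", Buffer.from(JSON.stringify(obj)),
    { key: keys.privateKey, dsaEncoding: "ieee-p1363" }); // raw r||s, as in JWS ES256
  obj.signature.value = sig.toString("base64url");
  return JSON.stringify(obj);
}

// Verify: "valid" is technical correctness only; "issuer" stays null unless the
// in-lined key is also present in the externally supplied trust map.
function verify(text, trustedIssuers) {
  const obj = JSON.parse(text); // parse + stringify keeps the sender's property order
  const s = obj.signature;
  if (!s || s.algorithm !== "ES256" || typeof s.value !== "string") return { valid: false, issuer: null };
  const value = s.value;
  delete s.value;
  let valid = false;
  try {
    if (s.publicKey.crv === "P-256") { // bind the key type to the declared algorithm
      const key = crypto.createPublicKey({ key: s.publicKey, format: "jwk" });
      valid = crypto.verify("sha256", Buffer.from(JSON.stringify(obj)),
        { key, dsaEncoding: "ieee-p1363" }, Buffer.from(value, "base64url"));
    }
  } catch { valid = false; } // missing or malformed key material
  const issuer = valid ? (trustedIssuers.get(thumbprint(s.publicKey)) ?? null) : null;
  return { valid, issuer };
}

// Constructed demo: both key pairs and the issuer name are generated here.
function demo() {
  const known = crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
  const unknown = crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
  const trusted = new Map([[thumbprint(known.publicKey.export({ format: "jwk" })), "Example Issuer"]]);
  const data = { firstName: "Luke", familyName: "Skywalker", origin: "Alderaan" };
  const good = sign(data, known);
  return { good: verify(good, trusted), unknownKey: verify(sign(data, unknown), trusted),
    tampered: verify(good.replace("Alderaan", "Tatooine"), trusted) };
}
```

In `demo()`, the object signed with the unlisted key comes back as `{ valid: true, issuer: null }`, which is the gap the message describes.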