RE: Integration with traditional PKI schemes

One problem I have always had with x.509 certificates is that there is no way to determine how many of them are signed by a particular key. That makes it very difficult to "white list" them. If someone either breaks the key (or steals it, or pays someone to sign bad certs), it is very difficult to determine that it has happened. And that problem IS REAL.

I am worried that the same problem will exist with DIDs. It would be very nice if we could solve that problem for both of them... I am not sure how though.

-----Original Message-----
From: Manu Sporny <msporny@digitalbazaar.com> 
Sent: Wednesday, August 01, 2018 9:20 AM
To: public-credentials@w3.org
Subject: Re: Integration with traditional PKI schemes

On 08/01/2018 03:57 AM, Carlos Bruguera wrote:
> Is there any literature, ongoing work or specific aspect of the 
> present DID/credential development that allows an entity to utilize
> x.509 certificates as verifiable credentials within the decentralized 
> ecosystem?

The desire is there, and some of the building blocks for x.509 are re-used (RSA Signatures, etc.).

It wouldn't be difficult to identify a few use cases where you have a DID Document point to an x.509 certificate and vice versa. I think the issue is that the use cases haven't been identified yet.

For example, here's one that comes to mind:

Enable someone to claim that an email address is theirs and provide proof that a Certificate Authority has attested to that fact via an
x.509 certificate.

You could easily add a link to the x.509 certificate in the credential.evidence field. You could also bind the x.509 certificate using the SAN field, placing a DID into that field.

... but all that said, it would probably just be easier for an entity to issue a verifiable credential that doesn't have the indirection in it.
In any case, I think the first step here is to find a compelling use case. Perhaps stating that a domain is yours would be a better use case?

-- manu

--
Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny)
Founder/CEO - Digital Bazaar, Inc.
blog: Veres One Decentralized Identifier Blockchain Launches https://tinyurl.com/veres-one-launches

Received on Wednesday, 1 August 2018 13:55:36 UTC
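The two-way binding Manu sketches above (a DID placed in the certificate's SAN, and the certificate linked from credential.evidence), worked through as an added Go example that is not part of this thread or of any Digital Bazaar code. It assumes a constructed self-signed certificate standing in for the CA, the made-up DID did:example:123 and email alice@example.com, and a minimal Credential struct in place of the full VC data model.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"math/big"
	"net/url"
	"time"
)

// Credential is a constructed, minimal VC: subject DID, email claim, and the PEM cert that credential.evidence links to.
type Credential struct {
	Subject, Email string
	Evidence       []byte
}

// IssueCert stands in for a CA (hypothetical): a self-signed cert with the DID as a SAN URI and the email as a SAN rfc822Name.
func IssueCert(did, email string) ([]byte, error) {
	u, err := url.Parse(did)
	if err != nil { return nil, err }
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, err }
	tmpl := &x509.Certificate{
		SerialNumber:   big.NewInt(1),
		NotBefore:      time.Now().Add(-time.Hour),
		NotAfter:       time.Now().Add(24 * time.Hour),
		EmailAddresses: []string{email},
		URIs:           []*url.URL{u},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { return nil, err }
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// CheckBinding: the evidence cert must be unexpired and name both the credential's DID and its email claim.
// Chain validation against a trusted root (cert.Verify) is deliberately omitted so the binding check itself stays visible.
func CheckBinding(c Credential) error {
	blk, _ := pem.Decode(c.Evidence)
	if blk == nil { return errors.New("evidence is not a PEM certificate") }
	cert, err := x509.ParseCertificate(blk.Bytes)
	if err != nil { return err }
	if time.Now().After(cert.NotAfter) { return errors.New("evidence certificate has expired") }
	didOK, emailOK := false, false
	for _, u := range cert.URIs { didOK = didOK || u.String() == c.Subject }
	for _, e := range cert.EmailAddresses { emailOK = emailOK || e == c.Email }
	if !didOK || !emailOK { return errors.New("SAN does not bind this DID to this email") }
	return nil
}
```

A real verifier would add chain and revocation checks before trusting the SAN contents; the whitelisting concern raised at the top of this thread is precisely about what those checks do and do not tell you.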