Re: Integration with traditional PKI schemes

On 02/08/2018 15:42, Challener, David C. wrote:
> Yes, I like that.  It also eliminates (I believe) the need for a CRL.

I did not think that it circumvented the need for revocation

>  I am not sure of the privacy implications though. 

But you are right that there are privacy implications with it (not of
course for publicly accessible web sites, but for private ones).

> 
> -----Original Message-----
> From: David Chadwick <D.W.Chadwick@kent.ac.uk> 
> Sent: Thursday, August 02, 2018 10:38 AM
> To: Challener, David C. <David.Challener@jhuapl.edu>; Manu Sporny <msporny@digitalbazaar.com>; public-credentials@w3.org
> Subject: Re: Integration with traditional PKI schemes
> 
> Google's certificate transparency can be regarded as a white list mechanism for X.509
> 
> On 01/08/2018 14:54, Challener, David C. wrote:
>> One problem I have always had with x.509 certificates is that there is no way to determine how many of them there are signed by a particular key. That makes it very difficult to "white list" them.   If someone either breaks the key (or steals it, or pays someone to sign bad certs), it is very difficult to determine it has happened.  And that problem IS REAL. 
>>
>> I am worried that the same problem will exist with DiDs.  It would be very nice if we could solve that problem for both of them... I am not sure how though. 
>>
>> -----Original Message-----
>> From: Manu Sporny <msporny@digitalbazaar.com>
>> Sent: Wednesday, August 01, 2018 9:20 AM
>> To: public-credentials@w3.org
>> Subject: Re: Integration with traditional PKI schemes
>>
>> On 08/01/2018 03:57 AM, Carlos Bruguera wrote:
>>> Is there any literature, ongoing work or specific aspect of the 
>>> present DID/credential development that allows an entity to utilize
>>> x.509 certificates as verificable credentials within the 
>>> decentralized ecosystem?
>>
>> The desire is there, and some of the building blocks for x.509 are re-used (RSA Signatures, etc.).
>>
>> It wouldn't be difficult to identify a few use cases where you have a DID Document point to an x.509 certificate and vice versa. I think the issue is that the use cases haven't been identified yet.
>>
>> For example, here's one that comes to mind:
>>
>> Enable someone to claim that an email address is theirs and provide 
>> proof that a Certificate Authority has attested to that fact via an
>> x.509 certificate.
>>
>> You could easily add a link to the x.509 certificate in the credential.evidence field. You could also bind the x.509 certificate using the SAN field, placing a DID into that field.
>>
>> ... but all that said, it would probably just be easier for an entity to issue a verifiable credential that doesn't have the indirection in it.
>>
>>
>> In any case, I think the first step here is to find a compelling use case. Perhaps stating that a domain is yours would be a better use case?
>>
>> -- manu
>>
>> --
>> Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny) Founder/CEO - Digital Bazaar, Inc.
>> blog: Veres One Decentralized Identifier Blockchain Launches 
>> https://tinyurl.com/veres-one-launches
>>

Received on Thursday, 2 August 2018 14:56:35 UTC