DID Web, OpenSSL and Certificate Authorities from Orie Steele on 2022-02-17 (public-credentials@w3.org from February 2022)

From: Orie Steele <orie@transmute.industries>
Date: Thu, 17 Feb 2022 08:33:04 -0600
To: "W3C Credentials CG (Public List)" <public-credentials@w3.org>, Christopher Allen <ChristopherA@lifewithalacrity.com>, Mike Prorock <mprorock@mesur.io>, Mike Jones <Michael.Jones@microsoft.com>
Message-ID: <CAN8C-_LHucJRXVgiEZrhYcMkXsp5KUQmuR+_2KostqSf_5wFCg@mail.gmail.com>

Hey Folks,

What is the best way to combine DIDs with Certificate Authorities?

The use case is simple: As a verifier, I want to know that a credential was
issued from a public key that is in a certificate chain I trust.

When I verify this credential, I not only check its signature, but I can
also check the CA chain from the key that signed in back to the root.

@Mike Prorock <mprorock@mesur.io> and I have been working on a
simple example of this using DID Web, but I think it generalizes to any DID
Method that supports `publicKeyJwk` and `x5c`.

https://github.com/transmute-industries/openssl-did-web-tutorial

In this example, we generate a root ca, an intermediate ca, and 3
child ca's all using P-384 and OpenSSL.

We then generate a DID Web DID Document from the public keys for the 3
children, and encode the ca chain from them back to the root using `x5c`.

We then issue a JWT from the private key for 1 of them.

We then verify the JWT signature using the public key.

We then check the x5c using open seel to confirm the certificate chain.

My questions are:

1. Is it possible to use JOSE to automate this further?
2. Is there a better way of accomplishing this?
3. Should the CA chain be pushed into the JWT?

Regards,

OS

-- 
*ORIE STEELE*
Chief Technical Officer
www.transmute.industries

<https://www.transmute.industries>
ᐧ

Received on Thursday, 17 February 2022 14:33:28 UTC