DID Web, OpenSSL and Certificate Authorities

From: Orie Steele <orie@transmute.industries>
Date: Thu, 17 Feb 2022 08:33:04 -0600
Message-ID: <CAN8C-_LHucJRXVgiEZrhYcMkXsp5KUQmuR+_2KostqSf_5wFCg@mail.gmail.com>
To: "W3C Credentials CG (Public List)" <public-credentials@w3.org>, Christopher Allen <ChristopherA@lifewithalacrity.com>, Mike Prorock <mprorock@mesur.io>, Mike Jones <Michael.Jones@microsoft.com>

Hey Folks,

What is the best way to combine DIDs with Certificate Authorities?

The use case is simple: As a verifier, I want to know that a credential was
issued from a public key that is in a certificate chain I trust.

When I verify this credential, I not only check its signature, but I can
also check the CA chain from the key that signed it back to the root.

@Mike Prorock <mprorock@mesur.io> and I have been working on a
simple example of this using DID Web, but I think it generalizes to any DID
Method that supports `publicKeyJwk` and `x5c`.


In this example, we generate a root ca, an intermediate ca, and 3
child ca's all using P-384 and OpenSSL.

We then generate a DID Web DID Document from the public keys for the 3
children, and encode the ca chain from them back to the root using `x5c`.

We then issue a JWT from the private key for 1 of them.

We then verify the JWT signature using the public key.

We then check the x5c using OpenSSL to confirm the certificate chain.

My questions are:

1. Is it possible to use JOSE to automate this further?
2. Is there a better way of accomplishing this?
3. Should the CA chain be pushed into the JWT?



Chief Technical Officer

Received on Thursday, 17 February 2022 14:33:28 UTC
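
The chain-building and `x5c` check described in the message above, as an added example that is not part of the original post or the authors' code: all certificate names are constructed, `leaf.pub` stands in for the key a verifier would resolve from `publicKeyJwk`, and an OpenSSL 1.1.1 or later CLI is assumed. The check passes only when the chain reaches a root the verifier already trusts and the leaf certifies the same key that verified the signature.

```shell
#!/bin/sh
# Added example: throwaway P-384 keys and constructed CN values, not the authors' script.
set -eu
cd "$(mktemp -d)"
cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = unused
[v3_ca]
basicConstraints = critical,CA:TRUE
[v3_leaf]
basicConstraints = critical,CA:FALSE
EOF
# mk NAME ISSUER EXT: new P-384 key and certificate (self-signed when NAME = ISSUER)
mk() {
  openssl ecparam -name secp384r1 -genkey -noout -out "$1.key"
  if [ "$1" = "$2" ]; then
    openssl req -x509 -new -key "$1.key" -config pki.cnf -extensions "$3" \
      -subj "/CN=$1" -days 1 -out "$1.crt"
  else
    openssl req -new -key "$1.key" -config pki.cnf -subj "/CN=$1" -out "$1.csr"
    openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" -CAcreateserial \
      -extfile pki.cnf -extensions "$3" -days 1 -out "$1.crt" 2>/dev/null
  fi
}
mk root root v3_ca; mk intermediate root v3_ca; mk leaf intermediate v3_leaf
mk rogue rogue v3_ca                               # a root the verifier does not trust
openssl pkey -in leaf.key -pubout -out leaf.pub    # stands in for the publicKeyJwk key

# x5c entries are standard (not URL-safe) base64 of each DER certificate, leaf first
x5c_entry()  { openssl x509 -in "$1" -outform DER | openssl base64 -A; }
x5c_to_pem() { printf '%s\n' "$1" | openssl base64 -d -A | openssl x509 -inform DER; }
X5C_LEAF=$(x5c_entry leaf.crt); X5C_INT=$(x5c_entry intermediate.crt)

# verify_x5c TRUSTED_ROOT SIGNER_PUB LEAF_B64 INTERMEDIATE_B64
# Succeeds only if the chain reaches a root from the verifier's own store AND
# the leaf certifies the same key that verified the JWT signature.
verify_x5c() {
  x5c_to_pem "$3" > x5c_leaf.pem && x5c_to_pem "$4" > x5c_int.pem || return 1
  openssl verify -CAfile "$1" -untrusted x5c_int.pem x5c_leaf.pem >/dev/null 2>&1 || return 1
  [ "$(openssl x509 -in x5c_leaf.pem -pubkey -noout)" = "$(cat "$2")" ]
}
verify_x5c root.crt  leaf.pub "$X5C_LEAF" "$X5C_INT" && echo "accepted: trusted chain, key bound"
verify_x5c rogue.crt leaf.pub "$X5C_LEAF" "$X5C_INT" || echo "rejected: root not in trust store"
```

The trusted root is passed in from the verifier's own store and never taken from the `x5c` array, since a chain that supplies its own anchor proves nothing.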