- From: Orie Steele <orie@transmute.industries>
- Date: Thu, 17 Feb 2022 10:55:19 -0600
- To: David Chadwick <d.w.chadwick@verifiablecredentials.info>
- Cc: "W3C Credentials CG (Public List)" <public-credentials@w3.org>
- Message-ID: <CAN8C-_J36JWvZfgbtV8tz+5M5qNyP8rmN44LbgGVg1m2uchU5w@mail.gmail.com>
@David Chadwick <d.w.chadwick@verifiablecredentials.info> AFAIK, JOSE does not support "DV X.509 PKCs" out of the box. So recommending removing DIDs does not actually do anything to address the question... the problem remains: How do I verify that a JWT was signed by a key in a CA chain (regardless of how you discover that key, in other words, with or without DIDs)?

Perhaps you care to provide a complete working example of "DV X.509 PKCs" with JWT? Obviously this is trivial if I am just sticking to openssl commands; the point of the question was to explain how to do this with JOSE / JWT. And the assumption was that it would be valuable to the VCDM regardless of the format of the issuer field (DID or no DID).

Regards,

OS

On Thu, Feb 17, 2022 at 10:41 AM David Chadwick <d.w.chadwick@verifiablecredentials.info> wrote:

> On 17/02/2022 14:33, Orie Steele wrote:
> > Hey Folks,
> >
> > What is the best way to combine DIDs with Certificate Authorities?
>
> Get rid of DIDs and let the issuer use DV X.509 PKCs :-)
>
> Kind regards
>
> David
>
> > The use case is simple: As a verifier, I want to know that a credential was issued from a public key that is in a certificate chain I trust.
> >
> > When I verify this credential, I not only check its signature, but I can also check the CA chain from the key that signed it back to the root.
> >
> > @Mike Prorock <mprorock@mesur.io> and I have been working on a simple example of this using DID Web, but I think it generalizes to any DID Method that supports `publicKeyJwk` and `x5c`.
> >
> > https://github.com/transmute-industries/openssl-did-web-tutorial
> >
> > In this example, we generate a root CA, an intermediate CA, and 3 child CAs, all using P-384 and OpenSSL.
> >
> > We then generate a DID Web DID Document from the public keys for the 3 children, and encode the CA chain from them back to the root using `x5c`.
> >
> > We then issue a JWT from the private key for 1 of them.
> >
> > We then verify the JWT signature using the public key.
> >
> > We then check the x5c using openssl to confirm the certificate chain.
> >
> > My questions are:
> >
> > 1. Is it possible to use JOSE to automate this further?
> > 2. Is there a better way of accomplishing this?
> > 3. Should the CA chain be pushed into the JWT?
> >
> > Regards,
> >
> > OS
> >
> > --
> > *ORIE STEELE*
> > Chief Technical Officer
> > www.transmute.industries
> > <https://www.transmute.industries>

--
*ORIE STEELE*
Chief Technical Officer
www.transmute.industries
<https://www.transmute.industries>
Received on Thursday, 17 February 2022 16:56:43 UTC