
Re: DID Web, OpenSSL and Certificate Authorities

From: Orie Steele <orie@transmute.industries>
Date: Thu, 17 Feb 2022 10:55:19 -0600
Message-ID: <CAN8C-_J36JWvZfgbtV8tz+5M5qNyP8rmN44LbgGVg1m2uchU5w@mail.gmail.com>
To: David Chadwick <d.w.chadwick@verifiablecredentials.info>
Cc: "W3C Credentials CG (Public List)" <public-credentials@w3.org>
@David Chadwick <d.w.chadwick@verifiablecredentials.info>

AFAIK, JOSE does not support "DV X.509 PKCs" out of the box.

So recommending removing DIDs does not actually do anything to address the
question... the problem remains:

How do I verify that a JWT was signed by a key in a CA chain (regardless of
how you discover that key, in other words, with or without DIDs)?

Perhaps you care to provide a complete working example of "DV X.509 PKCs"
with JWT?

Obviously this is trivial if I am just sticking to openssl commands, the
point of the question was to explain how to do this with JOSE / JWT.

And the assumption was that it would be valuable to the VCDM regardless of
the format of the issuer field (DID or no DID).

Regards,

OS


On Thu, Feb 17, 2022 at 10:41 AM David Chadwick <
d.w.chadwick@verifiablecredentials.info> wrote:

> On 17/02/2022 14:33, Orie Steele wrote:
>
> Hey Folks,
>
> What is the best way to combine DIDs with Certificate Authorities?
>
> Get rid of DIDs and let the issuer use DV X.509 PKCs :-)
>
> Kind regards
>
> David
>
>
> The use case is simple: As a verifier, I want to know that a credential
> was issued from a public key that is in a certificate chain I trust.
>
> When I verify this credential, I not only check its signature, but I can
> also check the CA chain from the key that signed it back to the root.
>
> @Mike Prorock <mprorock@mesur.io> and I have been working on a
> simple example of this using DID Web, but I think it generalizes to any DID
> Method that supports `publicKeyJwk` and `x5c`.
>
> https://github.com/transmute-industries/openssl-did-web-tutorial
>
> In this example, we generate a root CA, an intermediate CA, and 3
> child CAs all using P-384 and OpenSSL.
>
> We then generate a DID Web DID Document from the public keys for the 3
> children, and encode the ca chain from them back to the root using `x5c`.
>
> We then issue a JWT from the private key for 1 of them.
>
> We then verify the JWT signature using the public key.
>
> We then check the x5c using openssl to confirm the certificate chain.
>
> My questions are:
>
> 1. Is it possible to use JOSE to automate this further?
> 2. Is there a better way of accomplishing this?
> 3. Should the CA chain be pushed into the JWT?
>
> Regards,
>
> OS
>
> --
> *ORIE STEELE*
> Chief Technical Officer
> www.transmute.industries
>
> <https://www.transmute.industries>

-- 
*ORIE STEELE*
Chief Technical Officer
www.transmute.industries

<https://www.transmute.industries>
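The chain-of-trust check the thread asks about, as an added example that is not part of this thread or of the linked tutorial: Ruby's openssl binding issues a constructed P-384 root -> intermediate -> child chain, signs an ES384 JWT whose `x5c` header carries the chain (the "push the CA chain into the JWT" option), and the verifier chains the leaf back to a locally trusted root before checking the JWS signature. The DID, certificate names and claims are constructed placeholders, not values from the tutorial.

```ruby
require "openssl"
require "json"
require "base64"

B64 = ->(s) { Base64.urlsafe_encode64(s, padding: false) } # JWS segments: base64url, no padding

# Issue a P-384 X.509 cert for +key+, signed by +issuer_key+ (a self-signed root when +issuer+ is nil).
def issue(cn, key, ca:, issuer: nil, issuer_key: key)
  c = OpenSSL::X509::Certificate.new
  c.version, c.serial = 2, OpenSSL::BN.rand(64)
  c.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  c.issuer = issuer ? issuer.subject : c.subject
  c.public_key, c.not_before, c.not_after = key, Time.now - 60, Time.now + 3600
  c.add_extension(OpenSSL::X509::ExtensionFactory.new.create_extension("basicConstraints", ca ? "CA:TRUE" : "CA:FALSE", true))
  c.sign(issuer_key, "SHA384")
end

# Compact ES384 JWT whose protected header carries the DER chain, leaf first, in x5c (RFC 7515 §4.1.6).
def sign_jwt(payload, chain, key)
  hdr = { alg: "ES384", typ: "JWT", x5c: chain.map { |c| Base64.strict_encode64(c.to_der) } }
  input = "#{B64[hdr.to_json]}.#{B64[payload.to_json]}"
  r, s = OpenSSL::ASN1.decode(key.sign("SHA384", input)).value # OpenSSL emits DER SEQUENCE { r, s }
  "#{input}.#{B64[[r, s].map { |i| i.value.to_s(2).rjust(48, "\0") }.join]}" # JWS wants fixed-width r || s
end

# The thread's check: chain the x5c leaf to a root in +store+ (never to a root taken from x5c), then verify the JWS.
def verify_jwt(token, store)
  h, p, sig = token.split(".")
  hdr = JSON.parse(Base64.urlsafe_decode64(h))
  raise "alg must be ES384 and x5c must be present" unless hdr["alg"] == "ES384" && hdr["x5c"]&.any?
  leaf, *inter = hdr["x5c"].map { |c| OpenSSL::X509::Certificate.new(Base64.strict_decode64(c)) }
  raise "x5c chain not anchored in our trust store: #{store.error_string}" unless store.verify(leaf, inter)
  raw = Base64.urlsafe_decode64(sig)
  raise "ES384 signature must be r || s, 96 bytes" unless raw.bytesize == 96
  ints = [raw[0, 48], raw[48, 48]].map { |v| OpenSSL::ASN1::Integer.new(OpenSSL::BN.new(v, 2)) }
  der = OpenSSL::ASN1::Sequence.new(ints).to_der # back to the DER form OpenSSL's verify expects
  raise "signature does not verify under the x5c leaf key" unless leaf.public_key.verify("SHA384", der, "#{h}.#{p}")
  JSON.parse(Base64.urlsafe_decode64(p))
end

# Constructed demo mirroring the tutorial: root -> intermediate -> child, all P-384; only the root is trusted.
def demo
  root_key, int_key, child_key = Array.new(3) { OpenSSL::PKey::EC.generate("secp384r1") }
  root = issue("Example Root CA", root_key, ca: true)
  inter = issue("Example Intermediate CA", int_key, ca: true, issuer: root, issuer_key: root_key)
  child = issue("Example Child 1", child_key, ca: false, issuer: inter, issuer_key: int_key)
  store = OpenSSL::X509::Store.new.tap { |s| s.add_cert(root) }
  token = sign_jwt({ iss: "did:web:issuer.example", sub: "holder" }, [child, inter], child_key)
  verify_jwt(token, store)
end
```

A DID Web resolver would additionally compare the leaf's public key against the DID document's `publicKeyJwk` for the `kid` in use; the store here deliberately holds only the root, so a token carrying its own root in `x5c` is rejected.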
Received on Thursday, 17 February 2022 16:56:43 UTC
