
Re: DID Web, OpenSSL and Certificate Authorities

From: Orie Steele <orie@transmute.industries>
Date: Thu, 17 Feb 2022 10:55:19 -0600
Message-ID: <CAN8C-_J36JWvZfgbtV8tz+5M5qNyP8rmN44LbgGVg1m2uchU5w@mail.gmail.com>
To: David Chadwick <d.w.chadwick@verifiablecredentials.info>
Cc: "W3C Credentials CG (Public List)" <public-credentials@w3.org>
@David Chadwick <d.w.chadwick@verifiablecredentials.info>

AFAIK, JOSE does not support "DV X.509 PKCs" out of the box.

So recommending removing DIDs does not actually do anything to address the
question... the problem remains:

How do I verify that a JWT was signed by a key in a CA chain (regardless of
how you discover that key, in other words, with or without DIDs).

Perhaps you care to provide a complete working example of "DV X.509 PKCs"
with JWT?

Obviously this is trivial if I am just sticking to openssl commands, the
point of the question was to explain how to do this with JOSE / JWT.

And the assumption was that it would be valuable to the VCDM regardless of
the format of the issuer field (DID or no DID).

On Thu, Feb 17, 2022 at 10:41 AM David Chadwick <
d.w.chadwick@verifiablecredentials.info> wrote:

> On 17/02/2022 14:33, Orie Steele wrote:
> > Hey Folks,
> >
> > What is the best way to combine DIDs with Certificate Authorities?
>
> Get rid of DIDs and let the issuer use DV X.509 PKCs :-)
>
> Kind regards
>
> David
>
> > The use case is simple: As a verifier, I want to know that a credential
> > was issued from a public key that is in a certificate chain I trust.
> >
> > When I verify this credential, I not only check its signature, but I can
> > also check the CA chain from the key that signed it back to the root.
> >
> > @Mike Prorock <mprorock@mesur.io> and I have been working on a
> > simple example of this using DID Web, but I think it generalizes to any DID
> > Method that supports `publicKeyJwk` and `x5c`.
> >
> > https://github.com/transmute-industries/openssl-did-web-tutorial
> >
> > In this example, we generate a root CA, an intermediate CA, and 3
> > child CAs, all using P-384 and OpenSSL.
> >
> > We then generate a DID Web DID Document from the public keys for the 3
> > children, and encode the CA chain from them back to the root using `x5c`.
> >
> > We then issue a JWT from the private key for 1 of them.
> >
> > We then verify the JWT signature using the public key.
> >
> > We then check the x5c using openssl to confirm the certificate chain.
> >
> > My questions are:
> >
> > 1. Is it possible to use JOSE to automate this further?
> > 2. Is there a better way of accomplishing this?
> > 3. Should the CA chain be pushed into the JWT?
> >
> > Regards,
> >
> > OS
> >
> > --
> > Chief Technical Officer
> > www.transmute.industries

Chief Technical Officer
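Editor's added example (not code from this thread or from the openssl-did-web-tutorial repository linked above): the flow Orie describes, done end to end with the Go standard library standing in for a JOSE library, which is one possible answer to questions 1 and 3. A root CA, an intermediate CA and one issuer leaf (the tutorial has three children) are generated on P-384; the leaf signs an ES384 JWT whose protected header carries the chain in `x5c`; the verifier then builds a path from `x5c[0]` to a root it already trusts and checks the signature under that certificate's key. The CA names, the did:web identifier and the claims are made up for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha512"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// JWS protected header. x5c holds DER certificates as standard (not URL-safe) base64, leaf first (RFC 7515 section 4.1.6).
type jwsHeader struct {
	Alg string   `json:"alg"`
	X5c []string `json:"x5c"`
}

// newCert mints a P-384 certificate for cn signed by parent; parent == nil makes it a self-signed root.
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
	if err != nil { return nil, nil, err }
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	tmpl := &x509.Certificate{SerialNumber: serial, Subject: pkix.Name{CommonName: cn}, IsCA: isCA,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature}
	if isCA { tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign }
	if parent == nil { parent, parentKey = tmpl, key }
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil { return nil, nil, err }
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// signJWT issues an ES384 compact JWS whose protected header carries the issuer's chain in x5c (leaf first).
func signJWT(key *ecdsa.PrivateKey, chain []*x509.Certificate, claims map[string]interface{}) (string, error) {
	hdr := jwsHeader{Alg: "ES384"}
	for _, c := range chain { hdr.X5c = append(hdr.X5c, base64.StdEncoding.EncodeToString(c.Raw)) }
	hj, _ := json.Marshal(hdr)
	pj, _ := json.Marshal(claims)
	input := base64.RawURLEncoding.EncodeToString(hj) + "." + base64.RawURLEncoding.EncodeToString(pj)
	digest := sha512.Sum384([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, key, digest[:])
	if err != nil { return "", err }
	// JWS wants raw R||S, 48 bytes each for P-384 (RFC 7518 section 3.4), not the DER SEQUENCE `openssl dgst -sign` writes.
	sig := append(r.FillBytes(make([]byte, 48)), s.FillBytes(make([]byte, 48))...)
	return input + "." + base64.RawURLEncoding.EncodeToString(sig), nil
}

// verifyJWT folds the tutorial's separate openssl steps into one check: the x5c chain must build to a trusted root, and the signature must verify under the key in x5c[0].
func verifyJWT(token string, roots *x509.CertPool) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 { return nil, fmt.Errorf("malformed compact JWS") }
	hj, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil { return nil, err }
	var hdr jwsHeader
	if err := json.Unmarshal(hj, &hdr); err != nil { return nil, err }
	// Pin the algorithm before touching any key: the token does not get to choose how it is verified.
	if hdr.Alg != "ES384" || len(hdr.X5c) == 0 { return nil, fmt.Errorf("alg is not ES384 or x5c missing") }
	var leaf *x509.Certificate
	inter := x509.NewCertPool() // intermediates come from the token; roots only from the verifier's own store
	for i, s := range hdr.X5c {
		der, err := base64.StdEncoding.DecodeString(s)
		if err != nil { return nil, err }
		c, err := x509.ParseCertificate(der)
		if err != nil { return nil, err }
		if i == 0 { leaf = c } else { inter.AddCert(c) }
	}
	// Go's Verify defaults KeyUsages to serverAuth, which would reject a signing cert that carries a non-TLS EKU.
	opts := x509.VerifyOptions{Roots: roots, Intermediates: inter, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := leaf.Verify(opts); err != nil { return nil, fmt.Errorf("x5c chain: %w", err) }
	pub, ok := leaf.PublicKey.(*ecdsa.PublicKey)
	if !ok || pub.Curve != elliptic.P384() { return nil, fmt.Errorf("x5c[0] key is not P-384") }
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || len(sig) != 96 { return nil, fmt.Errorf("bad ES384 signature encoding") }
	digest := sha512.Sum384([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:48]), new(big.Int).SetBytes(sig[48:])) {
		return nil, fmt.Errorf("signature does not verify under x5c[0]")
	}
	pj, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil { return nil, err }
	var claims map[string]interface{}
	return claims, json.Unmarshal(pj, &claims)
}

// main mirrors the tutorial at reduced scale: root CA -> intermediate CA -> one issuer leaf. Names are made up.
func main() {
	root, rootKey, _ := newCert("Example Root CA", true, nil, nil)
	inter, interKey, _ := newCert("Example Intermediate CA", true, root, rootKey)
	leaf, leafKey, _ := newCert("did:web:issuer.example", false, inter, interKey)
	token, _ := signJWT(leafKey, []*x509.Certificate{leaf, inter, root}, map[string]interface{}{"iss": "did:web:issuer.example"})
	trusted := x509.NewCertPool()
	trusted.AddCert(root)
	fmt.Println(verifyJWT(token, trusted)) // map[iss:did:web:issuer.example] <nil>
}
```

Whichever library ends up doing this, the points that matter are the same: trust anchors come from the verifier, never from the token, so `x5c` only ever contributes the leaf and intermediates; the algorithm is pinned before any key is used; an ES384 signature is the raw R||S pair, not the DER SEQUENCE that `openssl dgst -sign` produces; and a path-validation API may default to TLS semantics (Go's does), so the intended key usage has to be stated. The same token verified against an unrelated root fails on the chain step even though its signature is valid, which is the property the use case asks for.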

Received on Thursday, 17 February 2022 16:56:43 UTC
