- From: Orie Steele <orie@transmute.industries>
- Date: Thu, 17 Feb 2022 11:34:50 -0600
- To: David Chadwick <d.w.chadwick@verifiablecredentials.info>
- Cc: "W3C Credentials CG (Public List)" <public-credentials@w3.org>
- Message-ID: <CAN8C-_Kn0PmRW+_eqQvB1kAS9_7KkBtG1E3-2ymaasGiZxA8jg@mail.gmail.com>
interesting...

> https://<DV DN>/.well-known/vc-issuer.json

This is not standard AFAIK... but would be assuming IANA accepts your recommendation, and VCDM 2.0 helps pour concrete around it.

> The JWT open source library we use, uses X.509 PKCs to validate JWT VC signatures.

I have seen some evidence of support for this:

- https://gist.github.com/monmohan/d08d41c856a54d7e7619f8fba8afdf44
- https://gist.github.com/jasonk000/26f987681b56fe34c235248c980b5c2e

But it has not been clear how "standard" built-in support is.

The approach I took aligns with the links above, but again, the ca chain verification is NOT handled consistently across implementations of JOSE as far as I can tell.

Thanks for your replies again.

OS

On Thu, Feb 17, 2022 at 11:29 AM David Chadwick <d.w.chadwick@verifiablecredentials.info> wrote:

> On 17/02/2022 16:55, Orie Steele wrote:
>
>> @David Chadwick <d.w.chadwick@verifiablecredentials.info>
>>
>> AFAIK, JOSE does not support "DV X.509 PKCs" out of the box.
>>
>> So recommending removing DIDs does not actually do anything to address the question... the problem remains:
>>
>> How do I verify that a JWT was signed by a key in a CA chain (regardless of how you discover that key, in other words, with or without DIDs).
>
> We use an issuer URI of https://<DV DN>
>
> The cert with this DN should be in the CA chain.
>
> For PKC discovery, we publish the issuer's metadata at a well-known URL. We will ask IANA to register the well-known name, such as "vc-issuer.json". Verifiers will append this to the URL contained in the issuer property of the issued VCs e.g. https://<DV DN>/.well-known/vc-issuer.json to obtain all the meta-data about the issuer including the DV PKC or a complete CA chain from a trusted root CA.
>
>> Perhaps you care to provide a complete working example of "DV X.509 PKCs" with JWT?
>
> this is the Identiproof implementation (https://identiproof.io)
>
>> Obviously this is trivial if I am just sticking to openssl commands, the point of the question was to explain how to do this with JOSE / JWT.
>
> The JWT open source library we use, uses X.509 PKCs to validate JWT VC signatures. We did not really need to do much in our code to create and validate JWTs.
>
> Kind regards
>
> David
>
>> And the assumption was that it would be valuable to the VCDM regardless of the format of the issuer field (DID or no DID).
>>
>> Regards,
>>
>> OS
>>
>> On Thu, Feb 17, 2022 at 10:41 AM David Chadwick <d.w.chadwick@verifiablecredentials.info> wrote:
>>
>>> On 17/02/2022 14:33, Orie Steele wrote:
>>>
>>>> Hey Folks,
>>>>
>>>> What is the best way to combine DIDs with Certificate Authorities?
>>>
>>> Get rid of DIDs and let the issuer use DV X.509 PKCs :-)
>>>
>>> Kind regards
>>>
>>> David
>>>
>>>> The use case is simple: As a verifier, I want to know that a credential was issued from a public key that is in a certificate chain I trust.
>>>>
>>>> When I verify this credential, I not only check its signature, but I can also check the CA chain from the key that signed in back to the root.
>>>>
>>>> @Mike Prorock <mprorock@mesur.io> and I have been working on a simple example of this using DID Web, but I think it generalizes to any DID Method that supports `publicKeyJwk` and `x5c`.
>>>>
>>>> https://github.com/transmute-industries/openssl-did-web-tutorial
>>>>
>>>> In this example, we generate a root ca, an intermediate ca, and 3 child ca's all using P-384 and OpenSSL.
>>>>
>>>> We then generate a DID Web DID Document from the public keys for the 3 children, and encode the ca chain from them back to the root using `x5c`.
>>>>
>>>> We then issue a JWT from the private key for 1 of them.
>>>>
>>>> We then verify the JWT signature using the public key.
>>>>
>>>> We then check the x5c using openssl to confirm the certificate chain.
>>>>
>>>> My questions are:
>>>>
>>>> 1. Is it possible to use JOSE to automate this further?
>>>> 2. Is there a better way of accomplishing this?
>>>> 3. Should the CA chain be pushed into the JWT?
>>>>
>>>> Regards,
>>>>
>>>> OS

--
*ORIE STEELE*
Chief Technical Officer
www.transmute.industries
<https://www.transmute.industries>
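The check the thread keeps circling back to (verify the JWS signature, then walk the `x5c` chain from the signing key back to a root the verifier trusts) as an added, self-contained example. This is not code from the thread, from the Transmute tutorial, or from Identiproof; it uses only the `cryptography` package and assembles the JWT by hand so that the chain walk is explicit instead of being left to whatever a JOSE library may or may not do. Everything in it is constructed for the example: the CA names, the `issuer.example` leaf, the 30-day validity, the ES384/P-384 choice (matching the tutorial's curve), and the rule that the `iss` host must equal the leaf certificate's CN, which is an assumed binding, not something the thread specifies. Putting the chain in the JWS header (question 3 above) is one option; the same `verify_chain` would apply to certificates pulled from a DID Document `x5c` or from a well-known issuer metadata file.

```python
"""Added example: ES384 VC-JWT with the signing cert's chain in the JOSE x5c header,
verified back to a pinned root. Not the thread's or the tutorial's code; uses only
the `cryptography` package. Names, keys and the iss/CN binding rule are constructed."""
import base64
import datetime
import json

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.asymmetric.utils import (
    decode_dss_signature, encode_dss_signature)
from cryptography.x509.oid import NameOID

UTC = datetime.timezone.utc


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_cert(cn, pub, issuer_cert, issuer_key, is_ca):
    """Constructed P-384 certificate; a self-signed root when issuer_cert is None."""
    now = datetime.datetime.now(UTC)
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    return (x509.CertificateBuilder()
            .subject_name(subject)
            .issuer_name(issuer_cert.subject if issuer_cert else subject)
            .public_key(pub)
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - datetime.timedelta(minutes=1))
            .not_valid_after(now + datetime.timedelta(days=30))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(issuer_key, hashes.SHA384()))


def build_chain():
    """Root CA -> intermediate CA -> issuer leaf, all P-384 (constructed for the example)."""
    root_key = ec.generate_private_key(ec.SECP384R1())
    root = make_cert("Example Root CA", root_key.public_key(), None, root_key, True)
    int_key = ec.generate_private_key(ec.SECP384R1())
    inter = make_cert("Example Intermediate CA", int_key.public_key(), root, root_key, True)
    leaf_key = ec.generate_private_key(ec.SECP384R1())
    leaf = make_cert("issuer.example", leaf_key.public_key(), inter, int_key, False)
    return root, inter, leaf, leaf_key


def _compact(obj) -> bytes:
    return json.dumps(obj, separators=(",", ":")).encode()


def issue_jwt(payload, leaf_key, chain):
    """Sign with the leaf key. x5c holds DER certs as plain base64, leaf first (RFC 7515 4.1.6)."""
    header = {"alg": "ES384", "typ": "JWT",
              "x5c": [base64.b64encode(c.public_bytes(serialization.Encoding.DER)).decode()
                      for c in chain]}
    signing_input = b64url(_compact(header)) + "." + b64url(_compact(payload))
    r, s = decode_dss_signature(leaf_key.sign(signing_input.encode(), ec.ECDSA(hashes.SHA384())))
    # JWS ES384 signatures are raw r||s (96 bytes), not the DER that cryptography emits
    return signing_input + "." + b64url(r.to_bytes(48, "big") + s.to_bytes(48, "big"))


def _valid_now(cert) -> bool:
    # older cryptography releases only expose naive not_valid_before/after
    nvb = getattr(cert, "not_valid_before_utc", None) or cert.not_valid_before.replace(tzinfo=UTC)
    nva = getattr(cert, "not_valid_after_utc", None) or cert.not_valid_after.replace(tzinfo=UTC)
    return nvb <= datetime.datetime.now(UTC) <= nva


def verify_chain(certs, trusted_root):
    """Walk leaf -> ... -> trusted root. Returns None on success, else the reason it failed."""
    path = list(certs) + [trusted_root]
    for child, parent in zip(path, path[1:]):
        who = child.subject.rfc4514_string()
        if not _valid_now(child):
            return f"{who} is expired or not yet valid"
        if child.issuer != parent.subject:
            return f"{who} is not issued by {parent.subject.rfc4514_string()}"
        try:
            is_ca = parent.extensions.get_extension_for_class(x509.BasicConstraints).value.ca
        except x509.ExtensionNotFound:
            is_ca = False
        if not is_ca:
            return f"{parent.subject.rfc4514_string()} is not a CA"
        try:
            parent.public_key().verify(child.signature, child.tbs_certificate_bytes,
                                       ec.ECDSA(child.signature_hash_algorithm))
        except InvalidSignature:
            return f"signature on {who} does not verify under its issuer"
    return None


def verify_jwt(token, trusted_root):
    """Return the payload only if the JWS signature AND the x5c chain hold; else raise ValueError."""
    h, p, s = token.split(".")
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "ES384":  # pin the algorithm; the token's alg is untrusted input
        raise ValueError("unexpected alg")
    certs = [x509.load_der_x509_certificate(base64.b64decode(c)) for c in header.get("x5c", [])]
    if not certs:
        raise ValueError("no x5c in header")
    raw = b64url_decode(s)
    if len(raw) != 96:
        raise ValueError("ES384 signature must be 96 bytes")
    der = encode_dss_signature(int.from_bytes(raw[:48], "big"), int.from_bytes(raw[48:], "big"))
    try:
        certs[0].public_key().verify(der, f"{h}.{p}".encode(), ec.ECDSA(hashes.SHA384()))
    except InvalidSignature:
        raise ValueError("JWS signature invalid") from None
    problem = verify_chain(certs, trusted_root)
    if problem:
        raise ValueError(problem)
    payload = json.loads(b64url_decode(p))
    # assumed binding rule for this example: host of iss must equal the leaf certificate's CN
    leaf_cn = certs[0].subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
    if payload.get("iss") != f"https://{leaf_cn}":
        raise ValueError("iss does not match the certified subject")
    return payload


if __name__ == "__main__":
    root, inter, leaf, leaf_key = build_chain()
    token = issue_jwt({"iss": "https://issuer.example", "vc": {"type": ["VerifiableCredential"]}},
                      leaf_key, [leaf, inter])
    print("accepted:", verify_jwt(token, root))
    try:
        verify_jwt(token, build_chain()[0])  # same token, a different trusted root
    except ValueError as e:
        print("rejected under an unrelated root:", e)
```

The order of checks matters for the point David and Orie are debating: a JOSE library that only does step one (signature under `certs[0]`) will happily accept a token whose `x5c` chains to a CA the verifier has never heard of, which is exactly what the second call in `__main__` shows being rejected. Anything that comes out of the token header, including `alg` and the certificates themselves, is treated as untrusted until it has been tied to the pinned root.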
Received on Thursday, 17 February 2022 17:35:15 UTC