- From: Wayne Chang <wayne@spruceid.com>
- Date: Thu, 17 Feb 2022 18:04:59 -0700
- To: David Chadwick <d.w.chadwick@verifiablecredentials.info>
- Cc: Orie Steele <orie@transmute.industries>, "W3C Credentials CG (Public List)" <public-credentials@w3.org>
- Message-ID: <CAFTzAXjUUrphQcecGqz9_yifsbxYvCEuDCZkntpvo8+enpZjEQ@mail.gmail.com>
Registering this at IANA would be really interesting.
https://www.iana.org/assignments/well-known-uris/well-known-uris.xhtml

Seeing Tor and Kantara on this list gives me hope for vc-issuer.json!

Thanks for clarifying the approach David, very cool stuff.

On Thu, Feb 17, 2022 at 10:50 AM David Chadwick <d.w.chadwick@verifiablecredentials.info> wrote:

> On 17/02/2022 17:34, Orie Steele wrote:
>
> interesting...
>
> https://<DV DN>/.well-known/vc-issuer.json
>
> This is not standard AFAIK... but would be assuming IANA accepts your
> recommendation, and VCDM 2.0 helps pour concrete around it.
>
> I have not asked IANA yet. It would be better if the CCG or VCWG made the
> request rather than an individual, although I am happy to do the work if
> authorised (as I did for the vc and vp claims).
>
> Kind regards
>
> David
>
> The JWT open source library we use uses X.509 PKCs to validate JWT VC
> signatures.
>
> I have seen some evidence of support for this:
>
> - https://gist.github.com/monmohan/d08d41c856a54d7e7619f8fba8afdf44
> - https://gist.github.com/jasonk000/26f987681b56fe34c235248c980b5c2e
>
> But it has not been clear how "standard" built-in support is.
>
> The approach I took aligns with the links above, but again, the CA chain
> verification is NOT handled consistently across implementations of JOSE as
> far as I can tell.
>
> Thanks for your replies again.
>
> OS
>
> On Thu, Feb 17, 2022 at 11:29 AM David Chadwick <d.w.chadwick@verifiablecredentials.info> wrote:
>
>> On 17/02/2022 16:55, Orie Steele wrote:
>>
>> @David Chadwick <d.w.chadwick@verifiablecredentials.info>
>>
>> AFAIK, JOSE does not support "DV X.509 PKCs" out of the box.
>>
>> So recommending removing DIDs does not actually do anything to address
>> the question... the problem remains:
>>
>> How do I verify that a JWT was signed by a key in a CA chain (regardless
>> of how you discover that key, in other words, with or without DIDs)?
>>
>> We use an issuer URI of https://<DV DN>
>>
>> The cert with this DN should be in the CA chain.
>> For PKC discovery, we publish the issuer's metadata at a well-known URL.
>> We will ask IANA to register the well-known name, such as “vc-issuer.json”.
>> Verifiers will append this to the URL contained in the issuer property of
>> the issued VCs, e.g. https://<DV DN>/.well-known/vc-issuer.json, to obtain
>> all the meta-data about the issuer including the DV PKC or a complete CA
>> chain from a trusted root CA.
>>
>> Perhaps you care to provide a complete working example of "DV X.509 PKCs"
>> with JWT?
>>
>> This is the Identiproof implementation (https://identiproof.io).
>>
>> Obviously this is trivial if I am just sticking to openssl commands; the
>> point of the question was to explain how to do this with JOSE / JWT.
>>
>> The JWT open source library we use uses X.509 PKCs to validate JWT VC
>> signatures. We did not really need to do much in our code to create and
>> validate JWTs.
>>
>> Kind regards
>>
>> David
>>
>> And the assumption was that it would be valuable to the VCDM regardless
>> of the format of the issuer field (DID or no DID).
>>
>> Regards,
>>
>> OS
>>
>> On Thu, Feb 17, 2022 at 10:41 AM David Chadwick <d.w.chadwick@verifiablecredentials.info> wrote:
>>
>>> On 17/02/2022 14:33, Orie Steele wrote:
>>>
>>> Hey Folks,
>>>
>>> What is the best way to combine DIDs with Certificate Authorities?
>>>
>>> Get rid of DIDs and let the issuer use DV X.509 PKCs :-)
>>>
>>> Kind regards
>>>
>>> David
>>>
>>> The use case is simple: As a verifier, I want to know that a credential
>>> was issued from a public key that is in a certificate chain I trust.
>>>
>>> When I verify this credential, I not only check its signature, but I can
>>> also check the CA chain from the key that signed it back to the root.
>>>
>>> @Mike Prorock <mprorock@mesur.io> and I have been working on a
>>> simple example of this using DID Web, but I think it generalizes to any DID
>>> Method that supports `publicKeyJwk` and `x5c`.
>>>
>>> https://github.com/transmute-industries/openssl-did-web-tutorial
>>>
>>> In this example, we generate a root CA, an intermediate CA, and 3
>>> child CAs, all using P-384 and OpenSSL.
>>>
>>> We then generate a DID Web DID Document from the public keys for the 3
>>> children, and encode the CA chain from them back to the root using `x5c`.
>>>
>>> We then issue a JWT from the private key for 1 of them.
>>>
>>> We then verify the JWT signature using the public key.
>>>
>>> We then check the x5c using openssl to confirm the certificate chain.
>>>
>>> My questions are:
>>>
>>> 1. Is it possible to use JOSE to automate this further?
>>> 2. Is there a better way of accomplishing this?
>>> 3. Should the CA chain be pushed into the JWT?
>>>
>>> Regards,
>>>
>>> OS
>>>
>>> --
>>> *ORIE STEELE*
>>> Chief Technical Officer
>>> www.transmute.industries
>>>
>>> <https://www.transmute.industries>
>>
>> --
>> *ORIE STEELE*
>> Chief Technical Officer
>> www.transmute.industries
>>
>> <https://www.transmute.industries>
>
> --
> *ORIE STEELE*
> Chief Technical Officer
> www.transmute.industries
>
> <https://www.transmute.industries>
Received on Friday, 18 February 2022 01:05:24 UTC
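The two-step check Orie asks about in the thread above (verify the JWT signature with the key from `x5c`, then verify that key's certificate chain back to a root the verifier trusts) as an added, self-contained example. It is not code from this thread, from Identiproof, or from the openssl-did-web-tutorial; it redoes the tutorial's root -> intermediate -> issuer setup in Go's standard library (P-384, ES384) and then does in code what the tutorial does with openssl. The helper names (mkCert, signJWT, verifyJWT, Demo), the subject names and the `https://issuer.example` issuer are made up for the example. Two design choices are worth stating: the verifier pins `alg` rather than reading it from the token, and `x5c` is only ever a source of the leaf and intermediates, never of a trust anchor, so the answer this example gives to question 3 is "intermediates yes, root no".

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha512"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// mkCert issues a P-384 certificate for cn signed by parent (self-signed when parent is nil).
// Fixture helper for this example only: KeyUsageCertSign makes it a CA, and errors panic.
func mkCert(cn string, ku x509.KeyUsage, parent *x509.Certificate, pk *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: ku, IsCA: ku&x509.KeyUsageCertSign != 0, BasicConstraintsValid: true}
	if parent == nil {
		parent, pk = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, pk)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// signJWT builds an ES384 compact JWS whose protected header carries chain, leaf first, as x5c
// (RFC 7515 s4.1.6: each entry is plain base64 DER, not base64url).
func signJWT(claims map[string]interface{}, key *ecdsa.PrivateKey, chain []*x509.Certificate) string {
	x5c := make([]string, len(chain))
	for i, c := range chain {
		x5c[i] = base64.StdEncoding.EncodeToString(c.Raw)
	}
	hdr, _ := json.Marshal(map[string]interface{}{"alg": "ES384", "x5c": x5c})
	pl, _ := json.Marshal(claims)
	input := base64.RawURLEncoding.EncodeToString(hdr) + "." + base64.RawURLEncoding.EncodeToString(pl)
	h := sha512.Sum384([]byte(input))
	r, s, _ := ecdsa.Sign(rand.Reader, key, h[:])
	sig := make([]byte, 96) // ES384 is r||s with fixed 48-byte halves (RFC 7518 s3.4), not DER
	r.FillBytes(sig[:48])
	s.FillBytes(sig[48:])
	return input + "." + base64.RawURLEncoding.EncodeToString(sig)
}

// verifyJWT checks the signature with x5c[0], then chains x5c[0] through the remaining x5c
// entries to a root in roots. alg is pinned here, and a root found inside x5c is never an anchor.
func verifyJWT(token string, roots *x509.CertPool) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("not a compact JWS")
	}
	var hdr struct{ Alg string; X5c []string }
	raw, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil || json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "ES384" || len(hdr.X5c) == 0 {
		return nil, fmt.Errorf("header is not ES384 with x5c")
	}
	certs, inter := make([]*x509.Certificate, len(hdr.X5c)), x509.NewCertPool()
	for i, s := range hdr.X5c {
		der, _ := base64.StdEncoding.DecodeString(s)
		if certs[i], err = x509.ParseCertificate(der); err != nil {
			return nil, fmt.Errorf("x5c[%d]: %w", i, err)
		}
		if i > 0 { // everything after the leaf is an untrusted intermediate candidate
			inter.AddCert(certs[i])
		}
	}
	pub, ok := certs[0].PublicKey.(*ecdsa.PublicKey)
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if !ok || pub.Curve != elliptic.P384() || err != nil || len(sig) != 96 {
		return nil, fmt.Errorf("leaf key or signature is not ES384")
	}
	h := sha512.Sum384([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, h[:], new(big.Int).SetBytes(sig[:48]), new(big.Int).SetBytes(sig[48:])) {
		return nil, fmt.Errorf("signature does not verify under x5c[0]")
	}
	opts := x509.VerifyOptions{Roots: roots, Intermediates: inter, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err = certs[0].Verify(opts); err != nil {
		return nil, fmt.Errorf("x5c does not chain to a trusted root: %w", err)
	}
	var claims map[string]interface{}
	raw, _ = base64.RawURLEncoding.DecodeString(parts[1])
	err = json.Unmarshal(raw, &claims)
	return claims, err
}

// Demo mirrors the openssl tutorial: root -> intermediate -> issuer, a JWT with [issuer, intermediate]
// in x5c verified against the real root; then the same chain with the root appended, verified
// against an empty pool (non-nil: a nil Roots means the system store), which must fail.
func Demo() (iss string, x5cRootErr error, err error) {
	root, rootKey := mkCert("Example Root CA", x509.KeyUsageCertSign, nil, nil)
	ica, icaKey := mkCert("Example Intermediate CA", x509.KeyUsageCertSign, root, rootKey)
	leaf, leafKey := mkCert("issuer.example", x509.KeyUsageDigitalSignature, ica, icaKey)
	claims := map[string]interface{}{"iss": "https://issuer.example", "vc": map[string]interface{}{"type": []string{"VerifiableCredential"}}}
	trusted := x509.NewCertPool()
	trusted.AddCert(root)
	got, err := verifyJWT(signJWT(claims, leafKey, []*x509.Certificate{leaf, ica}), trusted)
	if err != nil {
		return "", nil, err
	}
	_, x5cRootErr = verifyJWT(signJWT(claims, leafKey, []*x509.Certificate{leaf, ica, root}), x509.NewCertPool())
	return got["iss"].(string), x5cRootErr, nil
}

func main() { fmt.Println(Demo()) }
```

Running it prints the verified `iss`, a nil error for the genuine root, and a non-nil "unknown authority" error for the token that tried to ship its own root in `x5c`. The second result is the point a JOSE library will not make for you: `x5c` can carry the intermediates so the verifier need not fetch them, but whether the chain ends at a root you trust is decided by the pool you pass in, and that pool has to come from your own configuration (for the vc-issuer.json approach above, from metadata fetched over an authenticated channel), never from the token.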