W3C home > Mailing lists > Public > public-credentials@w3.org > February 2022

Re: DID Web, OpenSSL and Certificate Authorities

From: David Waite <dwaite@pingidentity.com>
Date: Tue, 22 Feb 2022 00:58:11 -0700
Message-ID: <CA+3kW=aT_uoGcfJkMF1cYRj0KQfTbDqgoXOg+btyerdyrnAK_w@mail.gmail.com>
To: Orie Steele <orie@transmute.industries>
Cc: "W3C Credentials CG (Public List)" <public-credentials@w3.org>, Christopher Allen <christophera@lifewithalacrity.com>, Mike Prorock <mprorock@mesur.io>, Mike Jones <Michael.Jones@microsoft.com>
On Thu, Feb 17, 2022 at 7:34 AM Orie Steele <orie@transmute.industries>

> Hey Folks,
> What is the best way to combine DIDs with Certificate Authorities?
> The use case is simple: As a verifier, I want to know that a credential
> was issued from a public key that is in a certificate chain I trust.

Do you only care about the key being in a certificate being under the
umbrella of a trust chain, or that the key was actually issued to the
issuer? I suspect the latter.

For the second, you would be checking that the DID URI was one of the
subject alternative names on the issuer's certificate. You could either
include the chain or use the Certificate Authority Information extension to
resolve the signing certificate.

When I verify this credential, I not only check its signature, but I can
> also check the CA chain from the key that signed in back to the root.
> @Mike Prorock <mprorock@mesur.io> and I have been working on a
> simple example of this using DID Web, but I think it generalizes to any DID
> Method that supports `publicKeyJwk` and `x5c`.

For DIDs which are HTTPS-backed, you might define a domain mapping rule,
aka did:web:example.com will also match against a SAN of just example.com.
This would allow you to use existing DV certs like letsencrypt.

1. Is it possible to use JOSE to automate this further?

JOSE (and JWT) are really more about defining algorithms, primitives and
formats and not about the processing steps for a particular message. As
such, there is a gap between a comprehensive JOSE implementation and say
tooling to handle signed id_token JWTs, with far more implementations of
the latter.

For a comprehensive library, you typically will have extension points to
add format, trust and context information for your particular use case. The
documentation for JOSE4J at
https://bitbucket.org/b_c/jose4j/wiki/JWT%20Examples illustrates some of
this extensibility in one such comprehensive implementation.

2. Is there a better way of accomplishing this?
> 3. Should the CA chain be pushed into the JWT?

I suspect the proper place would be in the DID as a publicKeyJwk's x5c or
x5u. DIDs don't really have a first-class place for trust or authority
relationships, so I suspect this belongs in the verificationMethod today.



_CONFIDENTIALITY NOTICE: This email may contain confidential and privileged 
material for the sole use of the intended recipient(s). Any review, use, 
distribution or disclosure by others is strictly prohibited.  If you have 
received this communication in error, please notify the sender immediately 
by e-mail and delete the message and any file attachments from your 
computer. Thank you._
Received on Tuesday, 22 February 2022 07:58:35 UTC

This archive was generated by hypermail 2.4.0 : Thursday, 24 March 2022 20:25:28 UTC