On 17/02/2022 14:33, Orie Steele wrote:
Hey Folks,

What is the best way to combine DIDs with Certificate Authorities?

Get rid of DIDs and let the issuer use DV X.509 PKCs :-)

Kind regards


The use case is simple: As a verifier, I want to know that a credential was issued from a public key that is in a certificate chain I trust.

When I verify this credential, I not only check its signature, but I can also check the CA chain from the key that signed in back to the root.

@Mike Prorock and I have been working on a simple example of this using DID Web, but I think it generalizes to any DID Method that supports `publicKeyJwk` and `x5c`.


In this example, we generate a root ca, an intermediate ca, and 3 child ca's all using P-384 and OpenSSL.

We then generate a DID Web DID Document from the public keys for the 3 children, and encode the ca chain from them back to the root using `x5c`.

We then issue a JWT from the private key for 1 of them.

We then verify the JWT signature using the public key.

We then check the x5c using open seel to confirm the certificate chain.

My questions are:

1. Is it possible to use JOSE to automate this further?
2. Is there a better way of accomplishing this?
3. Should the CA chain be pushed into the JWT?



Chief Technical Officer