The use case is simple: As a verifier, I want to know that a credential was issued from a public key that is in a certificate chain I trust.
When I verify this credential, I not only check its signature, but I can also check the CA chain from the key that signed in back to the root.
@Mike Prorock and I have been
working on a simple example of this using DID Web, but I think
it generalizes to any DID Method that supports `publicKeyJwk`
and `x5c`.
https://github.com/transmute-industries/openssl-did-web-tutorial
In this example, we generate a root ca, an intermediate ca, and 3 child ca's all using P-384 and OpenSSL.
We then generate a DID Web DID Document from the public keys for the 3 children, and encode the ca chain from them back to the root using `x5c`.
We then issue a JWT from the private key for 1 of them.
We then verify the JWT signature using the public key.
We then check the x5c using open seel to confirm the certificate chain.
My questions are:
1. Is it possible to use JOSE to automate this further?
2. Is there a better way of accomplishing this?
3. Should the CA chain be pushed into the JWT?
Regards,
OS
--
https://github.com/transmute-industries/openssl-did-web-tutorial
In this example, we generate a root ca, an intermediate ca, and 3 child ca's all using P-384 and OpenSSL.
We then generate a DID Web DID Document from the public keys for the 3 children, and encode the ca chain from them back to the root using `x5c`.
We then issue a JWT from the private key for 1 of them.
We then verify the JWT signature using the public key.
We then check the x5c using open seel to confirm the certificate chain.
My questions are:
1. Is it possible to use JOSE to automate this further?
2. Is there a better way of accomplishing this?
3. Should the CA chain be pushed into the JWT?
Regards,
OS
ᐧ