- From: Markus Sabadello <markus@danubetech.com>
- Date: Wed, 30 Aug 2023 10:59:43 +0200
- To: ステファニー タン(SBIホールディングス) <tstefan@sbigroup.co.jp>, Alen Horvat <horvat.alen@yahoo.com>
- Cc: "public-credentials@w3.org" <public-credentials@w3.org>
- Message-ID: <cee1db6c-1a8d-78be-48d0-da8157310dab@danubetech.com>
To add to this, we have done some work on attaching X509 certificates to verification methods in DID documents, see here:
https://docs.google.com/document/d/1zMYUt8icua5kCyQtaDhjLnpETwfhBDE-cFQKauysk-k/

E.g. try to resolve this DID: https://dev.uniresolver.io/#did:web:danubetech.com:did:test4

Verifying the certificate chain attached to a DID document's verification method can be done by a DID resolver, which could raise errors/warnings if a verification method can't be traced back to a "trusted CA".

And here are a few more links to existing work related to this topic:

- https://github.com/WebOfTrustInfo/rwot11-the-hague/blob/master/advance-readings/hybrid_wallet_solutions_x509_DIDs_VCs.md
- https://wiki.trustoverip.org/display/HOME/X.509+PKD+Interop
- https://github.com/transmute-industries/openssl-did-web-tutorial

Markus

On 8/30/23 10:47, ステファニー タン(SBIホールディングス) wrote:
> Hi Alen,
>
> Thank you for your response!
>
> To answer your questions (our answers are in *blue*):
>
> 1. Binding x509 certs to DIDs can be also done via public keys. *We think this might raise some technical hurdles and might be more troublesome.*
> 2. do you have the freedom to add additional information to the x509 cert? *No, we would want everyone to be able to use it.*
> 3. is binding a public key to a DID sufficient? Related question is: does a Legal Entity have multiple x509 certs? *We are still reviewing this. For now, we are starting by connecting one DID to one Legal Entity, but we still don't know what the needs are for more than one DID against multiple Legal Entities (so we cannot give a clear answer here, sorry.)*
> 4. do you need a link from the DID to the certificate, vice versa or both? *The link from the certificate to the DID is critical, but even vice versa would be okay.*
>
> Best regards,
> Stefannie
>
> ------------------------------------------------------------------------
> *From:* Alen Horvat <horvat.alen@yahoo.com>
> *Sent:* Wednesday, August 30, 2023 3:02 PM
> *To:* ステファニー タン(SBIホールディングス) <tstefan@sbigroup.co.jp>
> *Cc:* Markus Sabadello <markus@danubetech.com>; public-credentials@w3.org <public-credentials@w3.org>
> *Subject:* Re: Question regarding DID method-specific-id
>
> Hi,
>
> Very timely question. What about putting DID information in x509, if that's possible? Issuer Alternative Name and Subject Alternative Name support URI value, which DID is.
>
> Binding x509 certs to DIDs can be also done via public keys. Questions are:
>
> - do you have the freedom to add additional information to the x509 cert?
> - is binding a public key to a DID sufficient? Related question is: does a Legal Entity have multiple x509 certs?
> - do you need a link from the DID to the certificate, vice versa or both?
>
> BR, Alen
>
>> On 30 Aug 2023, at 05:20, ステファニー タン(SBIホールディングス) <tstefan@sbigroup.co.jp> wrote:
>>
>> Hi Markus,
>>
>> Thank you for the prompt response!
>> Please let me clarify, we are considering using both DID/VC and X509 authentication (RFC 5280). We assume a world wherein X509 trust roots mutually authenticate each other using DID/VC.
>>
>> In order to achieve the above, we are thinking of embedding the Issuer (Distinguished Name) in X509 into the DID method-specific-id or the issuer id of the VC.
>>
>> However, the ABNF pattern allowed by the VC standard is more restrictive than X509 Issuer (DN), so we cannot transcribe it as is.
>>
>> One suggestion is to use base-percent-encoding, but the processing is complicated and heavy and lacks readability, so we are currently seeking a better solution.
>>
>> Thank you for any further advice you or any member can provide!
>>
>> Best,
>> Stefannie
>> ------------------------------------------------------------------------
>> *From:* Markus Sabadello <markus@danubetech.com>
>> *Sent:* Tuesday, August 29, 2023 4:53 PM
>> *To:* public-credentials@w3.org <public-credentials@w3.org>
>> *Subject:* Re: Question regarding DID method-specific-id
>>
>> Hello Stefannie,
>>
>> From that documentation page I can't really tell what a "CordaX500Name" looks like when expressed as a single string, do you have an example?
>>
>> But basically a method-specific-id can be anything that matches this ABNF pattern:
>>
>> method-specific-id = *( *idchar ":" ) 1*idchar
>> idchar = ALPHA / DIGIT / "." / "-" / "_" / pct-encoded
>>
>> So it can consist of letters, digits, and the . - _ characters as well as percent-encoding such as %20
>>
>> You say the name is base encoded and then percent-encoded, but from a DID syntax perspective, this feels unnecessary.
>>
>> If the "CordaX500Name" can be expressed using only characters from the list above, then there may be no need to base- or percent-encode anything, and readability can be preserved.
>>
>> Markus
>>
>> On 8/29/23 09:33, ステファニー タン(SBIホールディングス) wrote:
>>> Hi everyone,
>>>
>>> I am seeking community support/advice regarding DID method-specific-id in the syntax. If the DID Name is a CordaX500Name (https://docs.r3.com/en/api-ref/corda/4.8/open-source/javadoc/net/corda/core/identity/CordaX500Name.html) that has been base encoded, and then percent-encoded:
>>>
>>> 1. will there be any potential issues if we use the above method? (technically speaking, is it possible?)
>>> 2. is there a way to preserve readability?
>>>
>>> Thank you!
>>>
>>> Stefannie
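The ABNF quoted in the thread, applied to the Distinguished-Name case Stefannie raised, as an added example that is not part of the original messages and not code from any of the projects linked above. The DID method name "example" and the sample DNs are constructed for illustration; a real deployment would use a registered DID method and that method's own rules for the method-specific-id. The block percent-encodes an RFC 4514 DN string into a method-specific-id without any base-encoding step, checks the resulting DID against the DID Core syntax, and decodes it back. It shows that the raw DN (with '=', ',' and spaces) fails the syntax check, that percent-encoding alone is reversible, and that Python's urllib.parse.quote is deliberately not used because since Python 3.7 it never encodes '~', which is not an idchar.

```python
"""Encode an X.500 / RFC 4514 DN string into a DID method-specific-id and back.

Added example (not from the thread). It implements the ABNF quoted in the
thread from DID Core:

    method-specific-id = *( *idchar ":" ) 1*idchar
    idchar             = ALPHA / DIGIT / "." / "-" / "_" / pct-encoded

The method name "example" and the sample DNs are constructed for
illustration. The syntax check covers bare DIDs only (no DID URL path,
query or fragment).
"""
import re
import string

# Bytes that may appear literally in a method-specific-id; everything else is
# percent-encoded. ':' is the segment separator in the ABNF, not an idchar, so
# a ':' inside a DN value is encoded too and cannot be confused with a segment
# boundary. urllib.parse.quote is not used on purpose: since Python 3.7 it
# never encodes '~', which the DID ABNF does not allow.
_LITERAL = frozenset((string.ascii_letters + string.digits + "-._").encode("ascii"))

_IDCHAR = r"(?:[A-Za-z0-9._-]|%[0-9A-Fa-f]{2})"
_METHOD_SPECIFIC_ID = rf"(?:{_IDCHAR}*:)*{_IDCHAR}+"
# DID Core: method-name = 1*method-char ; method-char = %x61-7A / DIGIT
_DID = re.compile(rf"^did:[a-z0-9]+:{_METHOD_SPECIFIC_ID}$")


def dn_to_method_specific_id(dn: str) -> str:
    """Percent-encode a DN string (UTF-8) so the result is a pure idchar sequence."""
    out = []
    for b in dn.encode("utf-8"):
        out.append(chr(b) if b in _LITERAL else f"%{b:02X}")
    return "".join(out)


def method_specific_id_to_dn(msid: str) -> str:
    """Reverse dn_to_method_specific_id; rejects anything that is not pure idchar."""
    if re.fullmatch(rf"{_IDCHAR}*", msid) is None:
        raise ValueError(f"not a valid idchar sequence: {msid!r}")
    raw = bytearray()
    i = 0
    while i < len(msid):
        if msid[i] == "%":
            raw.append(int(msid[i + 1:i + 3], 16))  # pct-encoded octet
            i += 3
        else:
            raw.append(ord(msid[i]))
            i += 1
    return raw.decode("utf-8")


def is_valid_did(did: str) -> bool:
    """Syntax check of a bare DID against the DID Core ABNF (no DID URL parts)."""
    return _DID.fullmatch(did) is not None


def dn_to_did(method: str, dn: str) -> str:
    """Build did:<method>:<encoded DN> and verify it against the DID syntax."""
    did = f"did:{method}:{dn_to_method_specific_id(dn)}"
    if not is_valid_did(did):
        raise ValueError(f"encoding produced an invalid DID: {did!r}")
    return did


if __name__ == "__main__":
    # Constructed sample in the style of a CordaX500Name string.
    sample_dn = "O=Bank A, L=London, C=GB"
    did = dn_to_did("example", sample_dn)
    print(did)
    print(method_specific_id_to_dn(did.split(":", 2)[2]))
```

Running the block prints the DID `did:example:O%3DBank%20A%2C%20L%3DLondon%2C%20C%3DGB` and then the recovered DN; passing the unencoded DN string to `is_valid_did` returns False, which is the syntactic mismatch the thread is about.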
Received on Wednesday, 30 August 2023 08:59:52 UTC