Re: Question regarding DID method-specific-id

Hi.

1. Clear. 
2. Clear.
3. Question is linking in the other direction: 1 DID per LE and multiple certs or VCs bound to it. A DID (depending on the DID method) is usually a more stable identifier than the contextual information of certs/VCs. To a DID you can bind domain names, Legal Entity info, attestations, mandates, ...
4. Do you plan on establishing a DID infrastructure or not? If not, you can proceed as suggested by others (e.g., did:key) or include the certificate in the JWS signature header via the x5c JOSE header claim.

There’s also a combination where an authority issues a VC binding the DID and a specific x509 certificate, although this might be suboptimal.

BR, Alen

> On 30 Aug 2023, at 10:47, ステファニー タン(SBIホールディングス) <tstefan@sbigroup.co.jp> wrote:
> 
> Hi Alen,
> 
> Thank you for your response!
> 
> To answer your questions (our answers are in blue):
> 
> - Binding x509 certs to DIDs can be also done via public keys. We think this might raise some technical hurdles and might be more troublesome.
> - do you have the freedom to add additional information to the x509 cert? No, we would want everyone to be able to use it.
> - is binding a public key to a DID sufficient? Related question is: does a Legal Entity have multiple x509 certs? We are still reviewing this. For now, we are starting by connecting one DID to one Legal Entity, but we still don't know what the needs are for more than one DID against multiple Legal Entities (so we cannot give a clear answer here, sorry.)
> - do you need a link from the DID to the certificate, vice versa or both? The link from the certificate to the DID is critical, but even vice versa would be okay.
> 
> Best regards,
> Stefannie
> 
> From: Alen Horvat <horvat.alen@yahoo.com>
> Sent: Wednesday, August 30, 2023 3:02 PM
> To: ステファニー タン(SBIホールディングス) <tstefan@sbigroup.co.jp>
> Cc: Markus Sabadello <markus@danubetech.com>; public-credentials@w3.org <public-credentials@w3.org>
> Subject: Re: Question regarding DID method-specific-id
>  
> Hi,
> 
> Very timely question. What about putting DID information in x509, if that’s possible? Issuer Alternative Name and Subject Alternative Name support URI value, which DID is.
> 
> Binding x509 certs to DIDs can be also done via public keys. Questions are:
> 
> - do you have the freedom to add additional information to the x509 cert?
> - is binding a public key to a DID sufficient? Related question is: does a Legal Entity have multiple x509 certs?
> - do you need a link from the DID to the certificate, vice versa or both?
> 
> BR, Alen
> 
>> On 30 Aug 2023, at 05:20, ステファニー タン(SBIホールディングス) <tstefan@sbigroup.co.jp> wrote:
>> 
>> Hi Markus,
>> 
>> Thank you for the prompt response!
>> Please let me clarify, we are considering using both DID/VC and X509 authentication (RFC 5280). We assume a world wherein X509 trust roots mutually authenticate each other using DID/VC.
>> 
>> In order to achieve the above, we are thinking of embedding the Issuer (Distinguished Name) in X509 into the DID method-specific-id or the issuer id of the VC.
>> 
>> However, the ABNF pattern allowed by the VC standard is more restrictive than the X509 Issuer (DN), so we cannot transcribe it as is.
>> 
>> One suggestion is to use base-percent-encoding, but the processing is complicated and heavy and lacks readability, so we are currently seeking a better solution.
>> 
>> Thank you for any further advice you or any member can provide!
>> 
>> Best,
>> Stefannie
>> From: Markus Sabadello <markus@danubetech.com>
>> Sent: Tuesday, August 29, 2023 4:53 PM
>> To: public-credentials@w3.org <public-credentials@w3.org>
>> Subject: Re: Question regarding DID method-specific-id
>>  
>> Hello Stefannie,
>> 
>> From that documentation page I can't really tell what a "CordaX500Name" looks like when expressed as a single string, do you have an example?
>> 
>> But basically a method-specific-id can be anything that matches this ABNF pattern:
>> 
>> method-specific-id = *( *idchar ":" ) 1*idchar
>> idchar             = ALPHA / DIGIT / "." / "-" / "_" / pct-encoded
>> 
>> So it can consist of letters, digits, and the . - _ characters as well as percent-encoding such as %20
>> 
>> You say the name is base encoded and then percent-encoded, but from a DID syntax perspective, this feels unnecessary.
>> 
>> If the "CordaX500Name" can be expressed using only characters from the list above, then there may be no need to base- or percent-encode anything, and readability can be preserved.
>> 
>> Markus
>> 
>> On 8/29/23 09:33, ステファニー タン(SBIホールディングス) wrote:
>>> Hi everyone,
>>> 
>>> I am seeking community support/advice regarding DID method-specific-id in the syntax. If the DID Name is a CordaX500Name (https://docs.r3.com/en/api-ref/corda/4.8/open-source/javadoc/net/corda/core/identity/CordaX500Name.html) that has been base encoded, and then percent-encoded:
>>> 
>>> - will there be any potential issues if we use the above method? (technically speaking, is it possible?)
>>> - is there a way to preserve readability?
>>> 
>>> Thank you!
>>> 
>>> Stefannie
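A small validator and encoder for the method-specific-id ABNF quoted by Markus above, added here as an example and not part of the thread. It uses only Python's standard library; the X.500 name is a constructed sample, and the did:example method name is a placeholder. It shows that percent-encoding only the characters idchar forbids keeps the DN readable, while the base64-then-percent approach from the original question does not.

```python
import base64
import re
from urllib.parse import quote, unquote

# The DID Core ABNF as quoted in the thread:
#   method-specific-id = *( *idchar ":" ) 1*idchar
#   idchar             = ALPHA / DIGIT / "." / "-" / "_" / pct-encoded
IDCHAR = r"(?:[A-Za-z0-9._-]|%[0-9A-Fa-f]{2})"
METHOD_SPECIFIC_ID = re.compile(rf"(?:{IDCHAR}*:)*{IDCHAR}+")


def is_valid_method_specific_id(value: str) -> bool:
    """True if value matches the method-specific-id ABNF above."""
    return METHOD_SPECIFIC_ID.fullmatch(value) is not None


def dn_to_method_specific_id(dn: str) -> str:
    """Percent-encode only what idchar forbids, so the DN stays readable.

    quote() never escapes ALPHA, DIGIT or '_.-~'; '~' is not an idchar, so it
    is encoded explicitly. Non-ASCII (e.g. Japanese) becomes UTF-8 %XX bytes.
    """
    return quote(dn, safe="").replace("~", "%7E")


def method_specific_id_to_dn(msid: str) -> str:
    """Reverse of dn_to_method_specific_id; rejects ids that break the ABNF."""
    if not is_valid_method_specific_id(msid):
        raise ValueError(f"not a valid method-specific-id: {msid!r}")
    return unquote(msid)


def base64_then_percent(dn: str):
    """The approach from the original question: base64 first, then percent-encode.

    Returns (plain base64, percent-encoded base64). Standard base64 emits '+',
    '/' and '=' padding, none of which are idchars, so the plain form fails the
    ABNF and the extra percent-encoding step becomes necessary.
    """
    b64 = base64.b64encode(dn.encode("utf-8")).decode("ascii")
    return b64, dn_to_method_specific_id(b64)


if __name__ == "__main__":
    sample_dn = "O=Example Corp,L=London,C=GB"  # constructed sample, not from the thread
    msid = dn_to_method_specific_id(sample_dn)
    print(f"did:example:{msid}", is_valid_method_specific_id(msid))
    b64, b64_pct = base64_then_percent(sample_dn)
    print(b64, is_valid_method_specific_id(b64))
    print(b64_pct, is_valid_method_specific_id(b64_pct))
```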

Received on Wednesday, 30 August 2023 15:23:23 UTC