Review 2021 discussion on did:x509 #11
Comments
See also microsoft/did-x509#2.

@talltree to review and suggest the relevant parts of that link list.
Per my homework above, here is my analysis of all the references included in spruceid/ssi#117, divided cleanly into relevant and not relevant:

Relevant

https://morgansimonsen.com/2013/04/16/understanding-x-509-digital-certificate-thumbprints/
Blog post explaining why a cert thumbprint must change every time a new cert is issued. Not really a definition of how to create a certificate thumbprint, but helpful for understanding how they work.

https://datatracker.ietf.org/doc/html/rfc3280#section-4.2.1.1
Specifies how to create an identifier for a public key via hashing. Does not seem to apply to generating a did:x509 DID because this value will change as soon as the key pair is rotated, but helpful for understanding these fields in an X.509 certificate.

https://datatracker.ietf.org/doc/html/rfc5280
This is the main spec governing use of X.509 certs on the Internet. Contains all the raw info needed to identify the cert fields that would be used to construct a did:x509 DID. Introduction:
It is worth noting that, for purposes of certificate revocation, certificates are identified by a certificate serial number (CSN) that is unique in the scope of the issuing CA. Of course the CSN would change when the key pair is rotated.

This Rebooting the Web of Trust paper proposes the basic idea of an X.509 DID method and provides a few basic examples of what they could look like, but does not contain an actual specification and only proposes to base the DID on the public key fingerprint of the cert. It also states that due to privacy reasons and lack of support for key rotation, this approach to X.509-based DIDs is only appropriate to public organizations using existing X.509 PKI.

Not Relevant

This 2020 paper, funded by an EU grant, proposes the idea of encoding X.509 certs as VCs and storing them on public blockchains or distributed ledgers for their security and resilience properties. It does not discuss X.509 cert architecture or propose an X.509 DID method.

https://hyperledger-fabric.readthedocs.io/en/release-2.2/identity/identity.html
This Hyperledger Fabric document explains how PKI works, the roles of CAs, X.509 certificates, and CRLs, and how they provide the identity infrastructure for Hyperledger Fabric. It does not discuss X.509 cert architecture or propose an X.509 DID method.

https://arxiv.org/pdf/2003.05106.pdf
This 2020 academic paper, called Self-Sovereign Identity for IoT environments: A Perspective, compares conventional X.509 PKI infrastructure with DID-based VC infrastructure for IoT devices (and concludes that the latter shows great promise). It does not discuss X.509 cert architecture or propose an X.509 DID method.

https://www.ndss-symposium.org/wp-content/uploads/diss2019_05_Lagutin_paper.pdf
This 2020 academic paper, called Enabling Decentralised Identifiers and Verifiable Credentials for Constrained IoT Devices using OAuth-based Delegation, was funded by the EU and Finland. It covers exactly what the title says. It does not discuss X.509 cert architecture or propose an X.509 DID method.

This is the original Rebooting the Web of Trust paper that coined the term “decentralized public key infrastructure” or DPKI. While it explains the deficiencies of X.509 PKI and the benefits of DIDs and DPKI, it does not discuss X.509 cert architecture or propose an X.509 DID method.

https://arxiv.org/pdf/2004.07063.pdf
This 2020 German academic paper, called Hardening X.509 Certificate Issuance using Distributed Ledger Technology, proposes using Hyperledger Fabric to increase the security and transparency of the X.509 certificate issuance and revocation process. It also compares this solution with Certificate Transparency. It does not discuss X.509 cert architecture or propose an X.509 DID method.
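The point made above about key-hash identifiers, thumbprints and serial numbers, as an added example that is not code from this issue or from either project: a standard-library Go program that self-signs throwaway certificates and shows which identifier survives re-issuance with the same key and which survives key rotation. The subject name example.test and the serial numbers are constructed test data; the Subject Key Identifier follows RFC 5280 section 4.2.1.2 method (1).

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)
// Thumbprint hashes the whole DER certificate, so it changes on every re-issuance.
func Thumbprint(cert *x509.Certificate) string {
	return fmt.Sprintf("%x", sha256.Sum256(cert.Raw))
}
// SubjectKeyID is RFC 5280 4.2.1.2 method (1): SHA-1 over the subjectPublicKey BIT STRING,
// so it depends on the key alone, not on the serial, validity dates or signature.
func SubjectKeyID(cert *x509.Certificate) (string, error) {
	var spki struct {
		Algorithm pkix.AlgorithmIdentifier
		PublicKey asn1.BitString
	}
	if _, err := asn1.Unmarshal(cert.RawSubjectPublicKeyInfo, &spki); err != nil {
		return "", err
	}
	return fmt.Sprintf("%x", sha1.Sum(spki.PublicKey.Bytes)), nil
}
// Issue self-signs a throwaway certificate for priv (constructed data, not a real CA).
func Issue(priv ed25519.PrivateKey, serial int64) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: "example.test"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, priv.Public(), priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
func main() {
	_, k1, _ := ed25519.GenerateKey(rand.Reader)
	_, k2, _ := ed25519.GenerateKey(rand.Reader)
	a, _ := Issue(k1, 1) // original certificate
	b, _ := Issue(k1, 2) // re-issued with the same key: new serial and thumbprint, same SKI
	c, _ := Issue(k2, 3) // re-issued after key rotation: serial, thumbprint and SKI all change
	for _, cert := range []*x509.Certificate{a, b, c} {
		ski, _ := SubjectKeyID(cert)
		fmt.Printf("serial=%d thumbprint=%s... ski=%s...\n", cert.SerialNumber, Thumbprint(cert)[:12], ski[:12])
	}
}
```

None of the three values is stable across key rotation, which is the thread's reason for not basing a did:x509 identifier on a key hash.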
spruceid/ssi#117 includes some speculation on what a did:x509 method specification might look like with some links to prior/related work.