Eric Scouten Judith Fleenor 

Eric Scouten spoke with Maik Richards at Microsoft, who expressed support for our TF taking over this work but is unable to join us. Working with Judith Fleenor to ensure IPR is compatible.

Jacques Latour 

The principal is to anchor identifiers with unique DNS names. We all use them. Goal is to map X.509 cert to a domain name via the SAN field can perform that mapping.

did:web is similar; there's a domain name that can be trusted to be unique and it contains a public key. Can map public key component (or hash thereof) of X.509 to a TLSA record.

An X.509 field with a SAN field can be matched to the public key in the DNS. If so, the VID can be considered authentic. * If we chose a different field or similar method, we can updated the IETF somehow to reflect this.  

DNS is useful because it is global today. DNS can host trust registry affiliation. VID can be identified as part of a specific trust registry (C2PA, etc.).

Jacques Latour working with Jesse Carter  to build a demo.

A document/blob is signed by an did:x509 VID, the issuer can be authenticated/verified via the DNS, and can also identify the trust registry affiliation. DNS is used as a discovery mechanisms.

Work that is being done on did:web applies in the same manner and can provide an additional layer of authenticity.

DNSSEC answers concern about (plain) DNS being clear-text and thus easily tampered with. DNSSEC adds an RRSIG signature to DNS replies that ensures trust chains back to IANA (trust root for top-level domains).

(Watch recording starting at about 15 minutes for Jacques' slides.)

did:x509 should really be about answering the question can you trace a did:x509 through to the X.509 itself to a trust registry?

Will ask Jesse Carter to do a demo in an upcoming meeting.

Question raised about comparison to did:web – are they meaningfully different?

A: Conceptually similar, but shift in emphasis on where the identity is expressed.

Example of did web https://trustregistry.ca/.well-known/did.json/

Discussion about the use case for did:x509: Is it suitable for individual identity or more suited to organizational identity?

May need to differentiate departments or regional distinctions within an organization.

ACTION: Eric Scouten to review 14 December 2023 meeting discussion on use cases and translate to written form.

DECISION: did:x509 VID should be verifiable and unique and should enable trust decision based on trust registry affiliation.

ACTION: Eric Scouten to write comparisons to did:web and did:webs in draft did:x509 spec. Articulate why all three should exist. Review chat and recording from this meeting.

Ed Eykholt has done work on wallets and TSP.

Keerthi Thomas with ToIP governance stack. Working with SSI. Innovation Lab in London.

ACTION: Wenjing Chu and Eric Scouten to share updates from NA/EU call to following APAC call and any updates/decisions required.