Time | Agenda Item | Lead | Notes
3 min
  • Start recording
  • Welcome & antitrust notice
  • New member introductions
  • Agenda review
Leads
  • Antitrust Policy Notice: Attendees are reminded to adhere to the meeting agenda and not participate in activities prohibited under antitrust and competition laws. Only members of ToIP who have signed the necessary agreements are permitted to participate in this activity beyond an observer role.
  • New Members:
2 min | Review of previous action items | Leads
20 mins | Review of prior art and suggested readings

X.509 DID method: Decentralising PKI starting with a X.509 DID method (a presentation proposal for RWOT 9 in August 2019)

  • This is a call for a did:x509 method to exist as part of a transition from PKI to SSI, but is not a DID method spec.
  • I could not find any documentation of this discussion occurring at RWOT 9. I did find evidence of further work on this topic by two of these authors. (See next item.)
  • The primary point of interest in this presentation proposal for me was the idea of further abstracting the method of X.509 certificate discovery by using submethods under their proposed did:x509 method.

Analysis of hybrid wallet solutions - Implementation options for combining x509 certificates with DIDs and VCs (a presentation proposal for RWOT 11 in 2022) and Combination of x509 and DID/VC for inheritance properties of trust in digital identities (presentation to Open Identity Summit, Bonn, 2022)

  • Eric Scouten to give these two papers a second reading, hopefully before Thursday meeting. They look very similar, thus the co-listing here. First impressions:
  • These papers talk about several possible methods for linking X.509 and DID identifiers, which again highlights that one of our larger challenges will be identifying the location of the X.509 cert.
  • NOTE FOR OUR WORK: Which fields do we bind to? That significantly impacts the security profile of the identifier.

did:x509 Method Specification (draft specification and sample code published by Microsoft, 2022)

  • Does not appear to be actively maintained. Published in October 2022, a few issues filed by author over next few months, but no further commits or public discussion that I could find.
  • Requires the X.509 cert to be placed in the signing envelope (i.e. in x5c header of JWS/JWT documents).
  • NOTE FOR OUR WORK: X.509 document is an option to DID resolution. A potentially more straightforward approach might be to adopt techniques from did:web and place cert adjacent webs and either translate X.509 into JSON encoding (thus embedded directly into DID doc) or adjacent to document. Potentially simpler way to provide access to cert.
  • Requires cert subject identity to be mirrored in the DID (example: did:x509:0:sha256:WE4P5dd8DnLHSkyHaIjhp4udlkF9LqoKwCvu9gl38jk::subject:C:US:ST:California:O:My%20Organisation).

  • Allows Fulcio integration. (Fulcio is new to me. Can someone explain? Worth our time?)
  • Raises issue of which chain of trust to use (X.509 or VC).
  • Looks like a fairly good starting point for create/read operation specifications.
  • ACTION: Eric to reach out to authors of MS spec to explore ToIP TF taking over or collaborating on this draft as basis of standard. CC to Jacques Latour, who is connected with MS CTO.
  • ACTION: Eric to summarize Drummond's e-mail with his feedback on the MSFT spec and add to meeting notes here.
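
To make the "which fields do we bind to?" question concrete, here is an added sketch (not part of the meeting notes and not taken from the Microsoft draft or its sample code) that splits the example identifier above into its CA fingerprint and subject policy and checks them against a certificate chain. The identifier syntax is inferred from that one example; the rule that the fingerprint must match a CA certificate rather than the leaf, the constructed byte strings standing in for DER certificates, and the pre-parsed leaf subject dictionary are assumptions, and chain validation itself is out of scope.

```python
import base64
import hashlib
from urllib.parse import unquote

HASHES = {"sha256": hashlib.sha256, "sha384": hashlib.sha384, "sha512": hashlib.sha512}
# Identifier copied from the notes above.
PAGE_DID = ("did:x509:0:sha256:WE4P5dd8DnLHSkyHaIjhp4udlkF9LqoKwCvu9gl38jk"
            "::subject:C:US:ST:California:O:My%20Organisation")
# Constructed stand-ins for the DER certificates of an x5c header, leaf first.
CHAIN = [b"constructed-leaf", b"constructed-intermediate-ca", b"constructed-root-ca"]

def ca_fingerprint(der, alg="sha256"):
    """Unpadded base64url hash of a certificate's DER bytes."""
    return base64.urlsafe_b64encode(HASHES[alg](der).digest()).rstrip(b"=").decode()

def parse_did_x509(did):
    """Return (alg, fingerprint, {policy_name: policy_value})."""
    head, *parts = did.split("::")
    fields = head.split(":")
    if len(fields) != 5 or fields[:3] != ["did", "x509", "0"]:
        raise ValueError("not a version-0 did:x509 identifier")
    if fields[3] not in HASHES:
        raise ValueError("unsupported fingerprint algorithm")
    if not parts:
        raise ValueError("identifier carries no policy")
    return fields[3], fields[4], dict(p.split(":", 1) for p in parts)

def subject_policy(value):
    """Decode 'C:US:O:My%20Organisation' into {'C': 'US', 'O': 'My Organisation'}."""
    items = value.split(":")
    keys = items[::2]
    if len(items) % 2 or len(set(keys)) != len(keys):
        raise ValueError("subject policy needs unique key:value pairs")
    return {k: unquote(v) for k, v in zip(keys, items[1::2])}

def did_matches(did, chain, leaf_subject):
    """True if the DID binds to this (already validated) chain and leaf subject."""
    alg, fp, policies = parse_did_x509(did)
    # Assumption: the pin must hit a CA certificate, so the leaf (chain[0]) is skipped.
    if fp not in {ca_fingerprint(der, alg) for der in chain[1:]}:
        return False
    if set(policies) != {"subject"}:  # only the subject policy is modelled here
        return False
    wanted = subject_policy(policies["subject"])
    return all(leaf_subject.get(k) == v for k, v in wanted.items())
```

Subject attributes not named in the identifier are unconstrained, so a DID that lists only C and O accepts any leaf issued under the pinned CA with those two values.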

(Eric Scouten to read, hopefully before Thursday meeting)

15 mins | Update on ToIP position paper

Follow up on action item from 14 December 2023 meeting: Augment this working group's charter with a second output: a position paper from ToIP advocating that decentralized trust infrastructure should incorporate existing PKI infrastructure and explore strategic alternatives.


10 mins | Topic #3

Recap: Drummond Reed to review Trust Spanning protocol specification and post an analysis to Slack channel of suitability of VID section as a mini-spec.

5 mins
  • Review decisions/action items
  • Planning for next meeting 
Leads

AGENDA: Next meeting Jacques Latour would like to present on artifacts for X.509 DID at CIRA. DNS records, TLS, etc. Save 20 minutes next week.