Time | Agenda Item | Lead | Notes
3 min
  • Start recording
  • Welcome & antitrust notice
  • New member introductions
  • Agenda review
Leads
  • Antitrust Policy Notice: Attendees are reminded to adhere to the meeting agenda and not participate in activities prohibited under antitrust and competition laws. Only members of ToIP who have signed the necessary agreements are permitted to participate in this activity beyond an observer role.
  • New Members:
2 min | Review of previous action items | Leads
5 mins | Update on Microsoft did:x509 spec

Eric Scouten spoke with Maik Richards at Microsoft, who expressed support for our TF taking over this work but is unable to join us. Working with Judith Fleenor to ensure IPR is compatible.

20 mins | Artifacts for X.509 DID at CIRA. DNS records, TLS, etc.

Anchor identifiers in DNS names. We all use them. The goal is to map an X.509 cert to a domain name. The SAN (Subject Alternative Name) field can perform that mapping.

did:web is similar; there's a domain name that can be trusted to be unique and it contains a public key. The public key component (or a hash thereof) of the X.509 cert can be mapped to a TLSA record.

An X.509 certificate with a SAN field can be matched to the public key in the DNS. If so, the VID can be considered authentic.

DNS is useful because it is global today. DNS can host trust registry affiliation. VID can be identified as part of a specific trust registry (C2PA, etc.).

Jacques Latour is working with Jesse Carter to build a demo.

A document/blob is signed by a did:x509 VID and identifies the trust registry affiliation.

Work that is being done on did:web applies in the same manner and can provide an additional layer of authenticity.

DNSSEC answers the concern about (plain) DNS being clear-text and thus easily tampered with. DNSSEC adds an RRSIG signature to DNS replies, which ensures that trust chains back to IANA (trust root for top-level domains).
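
The matching described in these notes, as an added example (not from the meeting, the demo, or the did:x509 spec): it checks a certificate's SAN and public key against a TLSA record per RFC 6698 and rejects any answer that was not DNSSEC-validated. The `_did` owner label, the domain and the key bytes are constructed assumptions, and extracting the SAN and SPKI from the certificate is assumed to be done by an X.509 library.

```python
import hashlib
import hmac

# RFC 6698 matching types: 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
MATCHERS = {0: lambda b: b,
            1: lambda b: hashlib.sha256(b).digest(),
            2: lambda b: hashlib.sha512(b).digest()}

def parse_tlsa(rr):
    """Parse 'owner ttl IN TLSA usage selector mtype hex' (presentation format)."""
    fields = rr.split()
    i = fields.index("TLSA")
    usage, selector, mtype = (int(x) for x in fields[i + 1:i + 4])
    data = bytes.fromhex("".join(fields[i + 4:]))
    return fields[0].rstrip(".").lower(), usage, selector, mtype, data

def base_domain(owner):
    """Drop leading underscore labels such as _443._tcp or the assumed _did."""
    labels = owner.split(".")
    while labels and labels[0].startswith("_"):
        labels.pop(0)
    return ".".join(labels)

def vid_is_authentic(san_dns_names, cert_der, spki_der, tlsa_rr, dnssec_validated):
    """True only if the DNSSEC-validated TLSA record matches the cert's SAN and key."""
    if not dnssec_validated:            # plain DNS answers can be altered in transit
        return False
    owner, usage, selector, mtype, data = parse_tlsa(tlsa_rr)
    sans = {n.rstrip(".").lower() for n in san_dns_names}
    if base_domain(owner) not in sans:  # SAN must name the domain hosting the record
        return False
    # Usages 1 and 3 pin the end-entity cert; 0 and 2 pin a CA and need chain building.
    if usage not in (1, 3) or selector not in (0, 1) or mtype not in MATCHERS:
        return False
    subject = cert_der if selector == 0 else spki_der  # 0 = full cert, 1 = SPKI
    return hmac.compare_digest(MATCHERS[mtype](subject), data)

# Constructed sample data: stand-in bytes, not a real certificate or key.
SAMPLE_CERT = b"constructed-certificate-der"
SAMPLE_SPKI = b"constructed-subject-public-key-info-der"
SAMPLE_RR = ("_did.vid.example.org. 3600 IN TLSA 3 1 1 "
             + hashlib.sha256(SAMPLE_SPKI).hexdigest())

if __name__ == "__main__":
    print(vid_is_authentic(["vid.example.org"], SAMPLE_CERT, SAMPLE_SPKI, SAMPLE_RR, True))
```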

(Watch recording starting at about 15 minutes for Jacques' slides.)

did:x509 should really be about answering the question: can you trace a did:x509 through to the X.509 itself to a trust registry?

Will ask Jesse Carter to do a demo in an upcoming meeting.

Question raised about comparison to did:web – are they meaningfully different?

A: Conceptually similar, but shift in emphasis on where the identity is expressed.

Example of did:web: https://trustregistry.ca/.well-known/did.json/

15 mins | Topic #3 (open)

5 mins
  • Review decisions/action items
  • Planning for next meeting 
Leads
