...

This page describes the approach the ToIP Trust Registry Task Force is taking to interoperability with traditional X.509-based public key directories (PKDs). It is intended for discussion and proposals around this topic, the final results of which will be incorporated into the ToIP Trust Registry Protocol specification.

Problem Description

...

Since this model of publishing public key certificates is well established, it would be ideal if the ToIP Trust Registry Protocol enabled issuers who use X.509 PKDs to have their public key certificates identified, accessed, and verified in the same manner as issuers who use DIDs and DID documents.

...

With this approach, any issuer (or trust registry) that uses X.509 PKDs can "join" the decentralized network that uses the ToIP Trust Registry Protocol specification by publishing a DID document meeting this specification at an HTTPS URL, encoding that HTTPS URL in a did:web: DID, and using that DID as the issuer ID in its verifiable credentials. A verifier that trusts the root certificate of the chain published in the x509CertificateChain property, validates that chain, and confirms that its leaf certificate certifies the verification key in the DID document will then know that the issuer is authorized by that root certificate authority.
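The flow described above, as an added example written for this page (it is not code from the page or from the ToIP Task Force), in Go using only the standard library: a did:web resolver that maps a DID to the HTTPS URL of its DID document, and the verifier-side check that validates the chain found in x509CertificateChain to a trusted root and then confirms that the leaf certificate certifies the DID document's verification key. The chain encoding (base64 DER, leaf first, as in a JOSE "x5c" array), the certificate names, and the in-process root CA and issuer keys are assumptions of the example; the page does not say how the chain is encoded, and the generated certificates stand in for a real PKD.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// DIDWebToURL maps a did:web DID to its DID document URL: host first (a port's
// colon encoded as %3A), ':' segments as path, no path means /.well-known/did.json.
func DIDWebToURL(did string) (string, error) {
	parts := strings.Split(strings.TrimPrefix(did, "did:web:"), ":")
	host := strings.ReplaceAll(parts[0], "%3A", ":")
	if !strings.HasPrefix(did, "did:web:") || host == "" {
		return "", errors.New("not a did:web DID with a host")
	}
	if len(parts) == 1 {
		return "https://" + host + "/.well-known/did.json", nil
	}
	return "https://" + host + "/" + strings.Join(parts[1:], "/") + "/did.json", nil
}

// VerifyIssuerChain validates an x509CertificateChain value (assumed: base64 DER,
// leaf first, as in a JOSE "x5c" array) to a trusted root and checks that the leaf certifies didKey.
func VerifyIssuerChain(chainB64 []string, roots *x509.CertPool, didKey crypto.PublicKey) (*x509.Certificate, error) {
	if len(chainB64) == 0 {
		return nil, errors.New("empty certificate chain")
	}
	var certs []*x509.Certificate
	for i, b64 := range chainB64 {
		der, err := base64.StdEncoding.DecodeString(b64)
		c, perr := x509.ParseCertificate(der)
		if err != nil || perr != nil {
			return nil, fmt.Errorf("chain[%d]: not a base64 DER certificate", i)
		}
		certs = append(certs, c)
	}
	leaf, intermediates := certs[0], x509.NewCertPool()
	for _, c := range certs[1:] {
		intermediates.AddCert(c)
	}
	// Path validation to a trusted anchor; revocation (CRL/OCSP) is not covered by Verify.
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: intermediates,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return nil, fmt.Errorf("chain does not validate: %w", err)
	}
	// Bind the chain to the DID: the leaf must certify exactly the key used to check credential signatures.
	eq, ok := leaf.PublicKey.(interface{ Equal(crypto.PublicKey) bool })
	if !ok || !eq.Equal(didKey) {
		return nil, errors.New("leaf certificate key does not match DID verification key")
	}
	return leaf, nil
}

// Fixture is a constructed PKD root CA, an issuer certificate under it, and the issuer key.
type Fixture struct {
	Roots               *x509.CertPool
	Chain               []string // leaf first, base64 DER
	IssuerKey, OtherKey *ecdsa.PrivateKey
}

func NewFixture() *Fixture {
	newKey := func() *ecdsa.PrivateKey { k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader); return k }
	rootKey, issuerKey, otherKey := newKey(), newKey(), newKey()
	now := time.Now()
	root := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example PKD Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature}
	rootDER, err := x509.CreateCertificate(rand.Reader, root, root, &rootKey.PublicKey, rootKey)
	if err != nil {
		panic(err)
	}
	rootCert, _ := x509.ParseCertificate(rootDER)
	leaf := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Example Issuer"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature}
	leafDER, err := x509.CreateCertificate(rand.Reader, leaf, rootCert, &issuerKey.PublicKey, rootKey)
	if err != nil {
		panic(err)
	}
	roots := x509.NewCertPool()
	roots.AddCert(rootCert)
	enc := base64.StdEncoding.EncodeToString
	return &Fixture{Roots: roots, Chain: []string{enc(leafDER), enc(rootDER)}, IssuerKey: issuerKey, OtherKey: otherKey}
}

func main() {
	u, _ := DIDWebToURL("did:web:issuer.example.com:pkd:acme")
	fx := NewFixture()
	_, err := VerifyIssuerChain(fx.Chain, fx.Roots, &fx.IssuerKey.PublicKey)
	fmt.Println("DID document URL:", u, "| chain verifies:", err == nil)
}
```

The key-binding step is the one that is easy to omit: a chain that validates to a trusted root only proves that some key is authorized by that root, not that it is the key the DID document exposes and the credential was signed with, so a verifier that stops at path validation can be satisfied by any certificate the attacker copied from the PKD. Revocation checking is deliberately left out of the example and would still have to be done against the CA's CRL or OCSP responder.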

...

  1. Verify this end-to-end design with both X.509 and VC security experts.
  2. Determine if a specific JSON-LD context and/or JSON-LD "@type" property is needed to identify this specific type of DID document.
  3. Determine if the did:web: DID needs to be included in the X.509 certificate as a SAN (Subject Alternative Name) as specified in RFC 5280.
  4. Decide if this DID-to-X.509 bridge needs to be a separate specification or if it can be incorporated directly into the ToIP Trust Registry Protocol spec.
  5. Draft the spec and hold a public review.

...