This page describes the approach the ToIP Trust Registry Task Force is taking to interoperability with traditional X.509-based public key directories (PKDs). It is intended for discussion and proposals around this topic, the final results of which will be incorporated into the ToIP Trust Registry Protocol specification.
PKDs based on X.509 digital certificates are widely used by governments and in multiple industries around the world. They use a classic centralized or federated model to issue certificate chains (also called "certification paths" in RFC 5280) that "chain back" to a root certificate. Examples include the ICAO ePassport PKD and the EU Digital COVID Certificate (DCC) PKD.
Since this model of publishing public key certificates is well established, it would be ideal if the ToIP Trust Registry Protocol enabled issuers who use X.509 PKDs to have their public key certificates identified, accessed, and verified in the same manner as issuers who use DIDs and DID documents.
The proposed approach is to use two special DID methods, the did:web: method and the did:key: method, to adapt DID architecture to X.509 certificates as follows:
With this approach, any issuer (or trust registry) that uses X.509 PKDs can "join" the decentralized network that uses the ToIP Trust Registry Protocol specification by publishing a DID document meeting this specification at an HTTPS URL, encoding that HTTPS URL in a did:web: DID, and using that DID as the issuer ID in their verifiable credentials. Any verifier that trusts the root X.509 certificate in the certificate chain verified in the x509CertificateChain property will know that the issuer is authorized by that root certificate authority.
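The two mechanical steps in that paragraph, encoding the HTTPS URL of the DID document as a did:web: DID (and resolving it back), and anchoring trust in the last certificate of the published x509CertificateChain, can be shown in a short Python example. This is an added illustration, not code from the ToIP Trust Registry Task Force or its specification. It assumes that x509CertificateChain is an array of PEM-encoded certificates ordered leaf first, root last, on a verificationMethod entry of the DID document, and the sample DID document and "certificates" are constructed placeholders (random bytes, not real DER). Cryptographic validation of the chain itself (signatures, validity periods, constraints) is left to an X.509 library and is not performed here; the block only demonstrates the did:web mapping and the root-pinning decision a verifier makes once the chain has been validated.

```python
"""Added example (not from the ToIP page): did:web <-> HTTPS URL mapping and
pinning the root of an x509CertificateChain published in a DID document."""
import base64
import hashlib
from urllib.parse import unquote, urlsplit


def did_web_to_url(did: str) -> str:
    """Map a did:web DID to the HTTPS URL of its DID document, per the did:web method:
       did:web:example.com             -> https://example.com/.well-known/did.json
       did:web:example.com:issuer:pkd  -> https://example.com/issuer/pkd/did.json
       did:web:example.com%3A8443:x    -> https://example.com:8443/x/did.json
    """
    prefix = "did:web:"
    if not did.startswith(prefix):
        raise ValueError("not a did:web DID")
    parts = did[len(prefix):].split(":")
    if not parts or any(p == "" for p in parts):
        raise ValueError("malformed did:web DID")
    host = unquote(parts[0])  # an explicit port is percent-encoded as %3A in the DID
    if len(parts) == 1:
        return f"https://{host}/.well-known/did.json"
    return "https://" + host + "/" + "/".join(parts[1:]) + "/did.json"


def url_to_did_web(url: str) -> str:
    """Inverse mapping: encode the HTTPS URL of a DID document as a did:web DID."""
    u = urlsplit(url)
    if u.scheme != "https" or not u.path.endswith("/did.json"):
        raise ValueError("DID documents must be served as https://.../did.json")
    path = u.path[: -len("/did.json")]
    if path == "/.well-known":
        path = ""  # the default location maps to a bare host DID
    segments = [s for s in path.split("/") if s]
    host = u.netloc.replace(":", "%3A")
    return "did:web:" + ":".join([host] + segments)


def pem_to_der(pem: str) -> bytes:
    body = "".join(line for line in pem.splitlines() if not line.startswith("-----"))
    return base64.b64decode(body, validate=True)


def der_to_pem(der: bytes) -> str:
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def der_fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate, the usual way to pin a trust anchor."""
    return hashlib.sha256(der).hexdigest()


def chain_root_trusted(did_doc: dict, did: str, trusted_root_fps: set) -> bool:
    """Return True if the DID document belongs to `did` and at least one of its
    verification methods publishes an x509CertificateChain whose last (root)
    certificate matches a fingerprint the verifier already trusts.
    Assumes the chain has already been cryptographically validated elsewhere."""
    if did_doc.get("id") != did:
        return False  # a document served for a different DID proves nothing
    for vm in did_doc.get("verificationMethod", []):
        chain = vm.get("x509CertificateChain") or []
        if not chain:
            continue
        root_der = pem_to_der(chain[-1])
        if der_fingerprint(root_der) in trusted_root_fps:
            return True
    return False


# --- constructed sample data (placeholders, not real certificates) -------------
SAMPLE_DID = "did:web:pkd.example%3A8443:issuers:health"
SAMPLE_ROOT_DER = b"CONSTRUCTED-ROOT-CA-DER-PLACEHOLDER"
SAMPLE_LEAF_DER = b"CONSTRUCTED-ISSUER-DER-PLACEHOLDER"
SAMPLE_DID_DOC = {
    "id": SAMPLE_DID,
    "verificationMethod": [{
        "id": SAMPLE_DID + "#x509",
        "controller": SAMPLE_DID,
        "x509CertificateChain": [der_to_pem(SAMPLE_LEAF_DER), der_to_pem(SAMPLE_ROOT_DER)],
    }],
}
TRUSTED_ROOTS = {der_fingerprint(SAMPLE_ROOT_DER)}  # the verifier's pinned PKD root

if __name__ == "__main__":
    print(did_web_to_url(SAMPLE_DID))
    print(chain_root_trusted(SAMPLE_DID_DOC, SAMPLE_DID, TRUSTED_ROOTS))
```

The `id` check matters because did:web resolution is only as strong as the TLS-protected fetch: a verifier should confirm the fetched document claims the DID it resolved before it reads any verification method from it. In a real deployment the pinned fingerprints would be those of the PKD root certificates the verifier has chosen to trust, and the chain would be validated with an X.509 library before `chain_root_trusted` is consulted.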