trustoverip/tswg-did-x509-method-specification

Review 2021 discussion on did:x509

Opened this issue · 3 comments

spruceid/ssi#117 includes some speculation on what a did:x509 method specification might look like with some links to prior/related work.

@talltree to review and suggest the relevant parts of that link list.

Per my homework above, here is my analysis of all the references included in spruceid/ssi#117, divided cleanly into relevant and not relevant:

Relevant

https://morgansimonsen.com/2013/04/16/understanding-x-509-digital-certificate-thumbprints/

Blog post explaining why a cert thumbprint must change every time a new cert is issued. Not really a definition of how to create a certificate thumbprint, but helpful for understanding how they work.

https://datatracker.ietf.org/doc/html/rfc3280#section-4.2.1.1

Specifies how to create an identifier for a public key via hashing. Does not seem to apply to generating an did:x509 DID because this value will change as soon as the key pair is rotated, but helpful for understanding these fields in an X.509 certificate.

https://datatracker.ietf.org/doc/html/rfc5280

This is the main spec governing use of X.509 certs on the Internet. Contains all the raw info needed to identify the cert fields that would be used to construct an did:x509 DID. Introduction:

This memo profiles the X.509 v3 certificate and X.509 v2 certificate revocation list (CRL) for use in the Internet. An overview of this approach and model is provided as an introduction. The X.509 v3 certificate format is described in detail, with additional information regarding the format and semantics of Internet name forms. Standard certificate extensions are described and two Internet-specific extensions are defined. A set of required certificate extensions is specified.

It is worth noting that, for purposes of certificate revocation, certificates are identified by a certificate serial number (CSN) that is unique in the scope of the issuing CA. Of course the CSN would change when the key pair is rotated.

https://github.com/WebOfTrustInfo/rwot9-prague/blob/master/topics-and-advance-readings/X.509-DID-Method.md

This Rebooting the Web of Trust paper proposes the basic idea of an X.509 DID method and provides a few basic examples of what they could look like, but does not contain an actual specification and only proposes to base the DID on the public key fingerprint of the cert. It also states that due to privacy reasons and lack of support for key rotation, this approach to X.509-based DIDs is only appropriate to public organizations using existing X.509 PKI.

Not Relevant

https://www.researchgate.net/publication/342027346_Distributed-Ledger-based_Authentication_with_Decentralized_Identifiers_and_Verifiable_Credentials

This 2020 paper, funded by an EU grant, proposes the idea of encoding X.509 certs as VCs and storing them on public blockchains or distributed ledgers for their security and resilience properties. It does not discuss X.509 cert architecture or propose an X.509 DID method.

https://hyperledger-fabric.readthedocs.io/en/release-2.2/identity/identity.html

This Hyperledger Fabric document explains how PKI works, the roles of CAs, X.509 certificates, and CRLs, and how they provide the identity infrastructure for Hyperledger Fabric. It does not discuss X.509 cert architecture or propose an X.509 DID method.

https://arxiv.org/pdf/2003.05106.pdf

This 2020 academic paper, called Self-Sovereign Identity for IoT environments: A Perspective, compares conventional X.509 PKI infrastructure with DID-based VC infrastructure for IoT devices (and concludes that the latter shows great promise). It does not discuss X.509 cert architecture or propose an X.509 DID method.

https://www.ndss-symposium.org/wp-content/uploads/diss2019_05_Lagutin_paper.pdf

This 2020 academic paper, called Enabling Decentralised Identifiers and Verifiable Credentials for Constrained IoT Devices using OAuth-based Delegation, was funded by the EU and Finland. It covers exactly what the title says. It does not discuss X.509 cert architecture or propose an X.509 DID method.

https://github.com/WebOfTrustInfo/rwot1-sf/blob/master/draft-documents/Decentralized-Public-Key-Infrastructure-CURRENT.md

This is the original Rebooting the Web of Trust paper that coined the term “decentralized public key infrastructure” or DPKI. While it explains the deficiencies of X.509 PKI and the benefits of DIDs and DPKI, it does not discuss X.509 cert architecture or propose an X.509 DID method.

https://arxiv.org/pdf/2004.07063.pdf

This 2020 German academic paper, called Hardening X.509 Certificate Issuance using Distributed Ledger Technology, proposes using Hyperledger Fabric to increase the security and transparency of the X.509 certificate issuance and revocation process. It also compares this solution with Certificate Transparency. It does not discuss X.509 cert architecture or propose an X.509 DID method.