Extension of the changes in #203 to authenticate did:x509 issuers, and updated sample illustrating the policy we expect to see in cases where they are used.
I chose to do this under the IETF profile, rather than x509, but the verification sequence is different from both existing profiles (IETF is only did:web at the moment, as far as I can tell):
1. Find signing key (`phdr.x5chain[0]` currently, but eventually `uhdr.x5chain[0]` if `digest(uhdr.x5chain[0]) == phdr.x5t`)
2. Verify COSE signature
3. Check issuer is `did:x509`, resolve it against `phdr.x5chain[0]`
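
The key-selection step and the first part of the did:x509 check from the sequence above, as an added Python example (not code from this PR or the project). Assumptions: headers are plain dicts keyed by name, certificates are constructed byte strings standing in for DER, and the `did:x509:0:sha256:<fingerprint>::<policies>` layout and the `[alg, hash]` form of `x5t` come from the did:x509 and COSE X.509 specifications rather than from this page. COSE signature verification, chain validation and policy evaluation are not shown.

```python
import base64
import hashlib

COSE_ALG_SHA256 = -16  # COSE algorithm identifier for SHA-256, as used in x5t


def b64url(data: bytes) -> str:
    """Unpadded base64url, the encoding assumed for the DID's CA fingerprint."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def select_signing_cert(phdr: dict, uhdr: dict) -> bytes:
    """Step 1: return the certificate that holds the signing key.

    Prefers the integrity-protected phdr.x5chain[0]; uhdr.x5chain[0] is
    accepted only when its digest equals the protected thumbprint phdr.x5t.
    """
    if "x5chain" in phdr:
        return phdr["x5chain"][0]
    alg, thumbprint = phdr["x5t"]
    leaf = uhdr["x5chain"][0]
    if alg != COSE_ALG_SHA256 or hashlib.sha256(leaf).digest() != thumbprint:
        raise ValueError("uhdr.x5chain[0] does not match phdr.x5t")
    return leaf


def check_did_x509_ca(issuer: str, chain: list) -> str:
    """Step 3, first part: pin the DID's CA fingerprint to the chain.

    Returns the policy string that must still be evaluated against the leaf.
    """
    prefix, sep, policies = issuer.partition("::")
    parts = prefix.split(":")
    if not sep or len(parts) != 5 or parts[:4] != ["did", "x509", "0", "sha256"]:
        raise ValueError("issuer is not a supported did:x509 DID")
    # The fingerprint must name a CA certificate, so the leaf (chain[0]) is excluded.
    if not any(b64url(hashlib.sha256(c).digest()) == parts[4] for c in chain[1:]):
        raise ValueError("no CA certificate in the chain matches the DID")
    return policies


# Constructed sample data: placeholder bytes, not real certificates.
LEAF, INTERMEDIATE, ROOT = b"constructed-leaf", b"constructed-int", b"constructed-root"
CHAIN = [LEAF, INTERMEDIATE, ROOT]
LEAF_X5T = [COSE_ALG_SHA256, hashlib.sha256(LEAF).digest()]
ISSUER = f"did:x509:0:sha256:{b64url(hashlib.sha256(ROOT).digest())}::subject:CN:Example"
LEAF_PINNED = f"did:x509:0:sha256:{b64url(hashlib.sha256(LEAF).digest())}::subject:CN:Example"
```

Both functions must succeed, together with the COSE signature check, before the issuer is treated as authenticated.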