did:x509 issuer support in IETF profile - Githubissues

microsoft / scitt-ccf-ledger

Supply Chain Integrity Transparency and Trust ledger application using Confidential Consortium Framework (CCF)

MIT License

35 stars 16 forks source link

did:x509 issuer support in IETF profile #206

Closed achamayou closed 1 month ago

achamayou commented 1 month ago

Extension of the changes in #203 to authenticate did:x509 issuers, and updated sample illustrating the policy we expect to see in cases where they are used.

I chose to do this under the IETF profile, rather than x509, but the verification sequence is different from both existing profiles (IETF is only did:web at the moment, as far as I can tell):

Find signing key (phdr.x5chain[0] currently, but eventually uhdr.x5chain[0] if digest(uhdr.x5chain[0]) == phdr.x5t)
Verify COSE signature
Check issuer is did:x509, resolve it against phdr.x5chain[0]
Check resolved key matches phdr.x5chain[0]

achamayou commented 1 month ago

For reference: #207 #208 and https://github.com/microsoft/didx509cpp/issues/16