spruceid / ssi

Core library for decentralized identity.
https://spruceid.dev
Apache License 2.0

Implement X.509-based DID method #117

Open wyc opened 3 years ago

wyc commented 3 years ago

We are encountering users who want to utilize traditional CA infrastructure in conjunction with DIDs/VCs. A DID method may be an appropriate way to ensure this interoperability.

I think an ultimate demo of this would be X.509-based DIDs talking to did:onion-based DIDs over TorGap as per https://github.com/spruceid/didkit/issues/68

Possible examples of DIDs based on X.509:

did:x509:canonical:ccadb:example.com
did:x509:canonical:fcpca:website.gov
did:x509:md5:444bcb3a3fcf8389296c49467f27e1d6:server.corpinternal.com
did:x509:sha1:99b4251e2eee05d8292e8397a90165293d116028:server.corpinternal.com 
did:x509:sha2:2689367b205c16ce32ed4200942b8b8b1e262dfc70d9bc9fbc77c49699a4f1df:server.corpinternal.com

The finger/thumbprints (md5/sha1/sha2) can be defined as per:

Uncurated and undirected dump of prior and related work:

- https://github.com/WebOfTrustInfo/rwot9-prague/blob/master/topics-and-advance-readings/X.509-DID-Method.md
- https://www.researchgate.net/publication/342027346_Distributed-Ledger-based_Authentication_with_Decentralized_Identifiers_and_Verifiable_Credentials
- https://hyperledger-fabric.readthedocs.io/en/release-2.2/identity/identity.html
- https://arxiv.org/pdf/2003.05106.pdf
- https://www.ndss-symposium.org/wp-content/uploads/diss2019_05_Lagutin_paper.pdf
- https://github.com/WebOfTrustInfo/rwot1-sf/blob/master/draft-documents/Decentralized-Public-Key-Infrastructure-CURRENT.md
- https://arxiv.org/pdf/2004.07063.pdf

This would be a good candidate specification for a CCG work item.
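
The thumbprint forms sketched above (`did:x509:<alg>:<hex digest>:<hostname>`) imply a small resolver-side check: recompute the digest over the presented DER certificate, compare it to the digest carried in the DID, and confirm the hostname. The following is an added example of that check, written by the editor in standard-library Python; it is not code from the spruceid/ssi project, nor from the later did:x509 draft, and it implements only the syntax as written in this comment. Assumptions: `sha2` is read as SHA-256 because the example digest has 64 hex characters, the certificate bytes (`SAMPLE_DER`) are a constructed stand-in rather than a real certificate, and the caller supplies the hostname it has already matched against the certificate's subject alternative names.

```python
import hashlib
import hmac
import re

# Constructed stand-in for a DER-encoded leaf certificate. A real resolver
# would hash the exact certificate bytes presented in the TLS handshake
# (or fetched from the CA repository); the digest covers the whole DER blob.
SAMPLE_DER = b"\x30\x82\x01\xf5" + b"constructed-certificate-body-for-example"

# Hash functions behind the algorithm labels used in the sketched syntax.
# "sha2" is taken to mean SHA-256 (64 hex characters in the example DID).
THUMBPRINT_ALGS = {
    "md5": hashlib.md5,
    "sha1": hashlib.sha1,
    "sha2": hashlib.sha256,
}

# MD5 and SHA-1 both have practical collision attacks, so an identifier bound
# to a certificate through them can be satisfied by a second, attacker-chosen
# certificate. Accept only SHA-256 unless the caller opts in to more.
DEFAULT_ALLOWED_ALGS = frozenset({"sha2"})

# Syntax of the thumbprint form: did:x509:<alg>:<lowercase hex digest>:<hostname>
DID_X509_RE = re.compile(
    r"^did:x509:(md5|sha1|sha2):([0-9a-f]+):"
    r"([A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?)$"
)


def thumbprint(der: bytes, alg: str) -> str:
    """Hex thumbprint of a DER certificate under one of the labelled algorithms."""
    return THUMBPRINT_ALGS[alg](der).hexdigest()


def make_did(der: bytes, alg: str, hostname: str) -> str:
    """Derive the thumbprint-form DID for a certificate and the host it is used by."""
    return f"did:x509:{alg}:{thumbprint(der, alg)}:{hostname}"


def parse_did(did: str):
    """Split a thumbprint-form DID into (alg, digest, hostname).

    Rejects anything that is not syntactically a thumbprint-form did:x509, and
    digests whose length does not match the named algorithm, so a truncated
    digest cannot slip through to the comparison step.
    """
    m = DID_X509_RE.match(did)
    if m is None:
        raise ValueError(f"not a thumbprint-form did:x509 identifier: {did!r}")
    alg, digest, hostname = m.groups()
    expected = THUMBPRINT_ALGS[alg]().digest_size * 2
    if len(digest) != expected:
        raise ValueError(f"{alg} digest must be {expected} hex chars, got {len(digest)}")
    return alg, digest, hostname


def verify_did_against_cert(did: str, der: bytes, expected_hostname: str,
                            allowed_algs=DEFAULT_ALLOWED_ALGS):
    """Check that a DID is bound to this certificate and this hostname.

    Returns (ok, reason). The hostname in the DID must equal the name the
    caller has already validated against the certificate's SANs; the digest
    is compared in constant time.
    """
    try:
        alg, digest, hostname = parse_did(did)
    except ValueError as exc:
        return False, str(exc)
    if alg not in allowed_algs:
        return False, f"thumbprint algorithm {alg} not permitted by policy"
    if hostname != expected_hostname:
        return False, f"DID names {hostname} but certificate was presented for {expected_hostname}"
    if not hmac.compare_digest(digest, thumbprint(der, alg)):
        return False, "certificate thumbprint does not match DID"
    return True, "ok"


if __name__ == "__main__":
    did = make_did(SAMPLE_DER, "sha2", "server.corpinternal.com")
    print(did)
    print(verify_did_against_cert(did, SAMPLE_DER, "server.corpinternal.com"))
    print(verify_did_against_cert(did, SAMPLE_DER + b"x", "server.corpinternal.com"))
    print(verify_did_against_cert(make_did(SAMPLE_DER, "md5", "server.corpinternal.com"),
                                  SAMPLE_DER, "server.corpinternal.com"))
```

The policy default matters more than the parsing: the `md5` and `sha1` forms in the sketch are usable as lookup keys into an existing inventory, but a verifier that accepts them as the binding between a DID and a certificate inherits those algorithms' collision weaknesses, which is why the example refuses them unless `allowed_algs` is widened explicitly.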

bumblefudge commented 3 years ago

I think we should check with people already working on x509 systems -- I believe an x509 method was promised to be registered in the method spec registry this month, I'll chase that up

David-Chadwick commented 2 years ago

We use X.509 infrastructures in our VC ecosystem and we don't need DIDs for this. Since X.509 and the web are already widely in use, why introduce DIDs and blockchains to slow down implementation and adoption? It's not necessary.

wyc commented 2 years ago

@David-Chadwick a few points:

David-Chadwick commented 2 years ago

Why would anyone use DIDComm? It's an experimental, complex specification that is years away from becoming a standard. The message spec is only a personal IETF draft that has expired. OTOH, client-server using OIDC-SIOP, with the VP extensions that are currently being defined, is much more likely to succeed as the VC protocol. It has a low learning curve and barrier to entry, as OIDC is already widely deployed.

wyc commented 2 years ago

Those are all good points that may be more constructively directed at the DIDComm and SIOP working groups. I’m also aware that the current SIOP revision is intended to provide facilities for both VCs and DIDs, e.g. use of DIDs as a cryptographically verifiable identifier.

https://openid.net/specs/openid-connect-self-issued-v2-1_0.html

In this thread, any additional comments about the proposed implementation are still welcome.

letmaik commented 1 year ago

There's a draft did:x509 spec out with two implementations (Python and C++). Would be great to get some more eyes on the spec for extra scrutiny before registering it. (Disclaimer: I'm one of the authors of the spec.)

wyc commented 1 year ago

@letmaik looking for spec contributors too? :)

letmaik commented 1 year ago

@wyc Absolutely!

scouten-adobe commented 3 months ago

FYI per a conversation with @letmaik in January, the Trust Over IP Foundation is continuing work on the previous draft specification through the X.509 VID Task Force, which I co-chair.

Relevant links, for those interested: