search

w3c / did-resolution

RELEASED DRAFT: Decentralized Identifier Resolution (DID Resolution) 0.2 Specification
https://w3c.github.io/did-resolution/
Other
14 stars 9 forks source link

Add support for JWKS #46

Open awoie opened 4 years ago

awoie commented 4 years ago

JOSE/IETF specifications often use URIs that point to JSON Web Key Sets (JWKS), e.g., OpenID Connect. It would be great if we could find a way that allows a DID URL to be used in such a way. This could be either done by using matrix parameters, or something similar.

We could also limit the scope by just including public keys that have the publicKeyJWK type.

Is there a way to use DID URLs in such a way already?

awoie commented 4 years ago

My did:example method specification could always say that an additional jwks section will be created and that all publicKeyJwk entries should be included in that section as follows:

{ 
   "@context":[ 
      "https://www.w3.org/2019/did/v1",
      "https://w3id.org/security/v1"
   ],
   "id":"did:example:123456789abcdefghi",
   "publicKey":[ 
      { 
         "id":"did:example:123456789abcdefghi#keys-1",
         "type":"RsaVerificationKey2018",
         "controller":"did:example:123456789abcdefghi",
         "publicKeyJwk": ...
      }
   ],
   "jwks":{ 
      "id":"did:example:123456789abcdefghi#jwks",
      "keys":[ 
         { 
            "alg":"RS256",
            "kty":"RSA",
            "use":"sig",
            "x5c":[ 
               "MIIC+DCCAeCgAwIBAgIJBIGjYW6hFpn2MA0GCSqGSIb3DQEBBQUAMCMxITAfBgNVBAMTGGN1c3RvbWVyLWRlbW9zLmF1dGgwLmNvbTAeFw0xNjExMjIyMjIyMDVaFw0zMDA4MDEyMjIyMDVaMCMxITAfBgNVBAMTGGN1c3RvbWVyLWRlbW9zLmF1dGgwLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMnjZc5bm/eGIHq09N9HKHahM7Y31P0ul+A2wwP4lSpIwFrWHzxw88/7Dwk9QMc+orGXX95R6av4GF+Es/nG3uK45ooMVMa/hYCh0Mtx3gnSuoTavQEkLzCvSwTqVwzZ+5noukWVqJuMKNwjL77GNcPLY7Xy2/skMCT5bR8UoWaufooQvYq6SyPcRAU4BtdquZRiBT4U5f+4pwNTxSvey7ki50yc1tG49Per/0zA4O6Tlpv8x7Red6m1bCNHt7+Z5nSl3RX/QYyAEUX1a28VcYmR41Osy+o2OUCXYdUAphDaHo4/8rbKTJhlu8jEcc1KoMXAKjgaVZtG/v5ltx6AXY0CAwEAAaMvMC0wDAYDVR0TBAUwAwEB/zAdBgNVHQ4EFgQUQxFG602h1cG+pnyvJoy9pGJJoCswDQYJKoZIhvcNAQEFBQADggEBAGvtCbzGNBUJPLICth3mLsX0Z4z8T8iu4tyoiuAshP/Ry/ZBnFnXmhD8vwgMZ2lTgUWwlrvlgN+fAtYKnwFO2G3BOCFw96Nm8So9sjTda9CCZ3dhoH57F/hVMBB0K6xhklAc0b5ZxUpCIN92v/w+xZoz1XQBHe8ZbRHaP1HpRM4M7DJk2G5cgUCyu3UBvYS41sHvzrxQ3z7vIePRA4WF4bEkfX12gvny0RsPkrbVMXX1Rj9t6V7QXrbPYBAO+43JvDGYawxYVvLhz+BJ45x50GFQmHszfY3BR9TPK8xmMmQwtIvLu1PMttNCs7niCYkSiUv2sc2mlq1i3IashGkkgmo="
            ],
            "n":"yeNlzlub94YgerT030codqEztjfU_S6X4DbDA_iVKkjAWtYfPHDzz_sPCT1Axz6isZdf3lHpq_gYX4Sz-cbe4rjmigxUxr-FgKHQy3HeCdK6hNq9ASQvMK9LBOpXDNn7mei6RZWom4wo3CMvvsY1w8tjtfLb-yQwJPltHxShZq5-ihC9irpLI9xEBTgG12q5lGIFPhTl_7inA1PFK97LuSLnTJzW0bj096v_TMDg7pOWm_zHtF53qbVsI0e3v5nmdKXdFf9BjIARRfVrbxVxiZHjU6zL6jY5QJdh1QCmENoejj_ytspMmGW7yMRxzUqgxcAqOBpVm0b-_mW3HoBdjQ",
            "e":"AQAB",
            "kid":"NjVBRjY5MDlCMUIwNzU4RTA2QzZFMDQ4QzQ2MDAyQjVDNjk1RTM2Qg",
            "x5t":"NjVBRjY5MDlCMUIwNzU4RTA2QzZFMDQ4QzQ2MDAyQjVDNjk1RTM2Qg"
         }
      ]
   }
}

Then, I will be able to resolve did:example:123456789abcdefghi#jwks to the final jwks. Is that correct @peacekeeper ?

awoie commented 4 years ago

Of course one downside would be interoperability. Service providers that rely on that feature would need to know which DID methods support JWKS but the same holds true for any other publicKey type.

awoie commented 4 years ago

If the example query above is not correct, could you provide an example of how the query could look like to get the jwks section in the DID Document?

awoie commented 4 years ago

We could think about introducing DID method decorators. One such decorator could be to add this jwks section based on the publicKey section in the DID document. In this way, we could achieve some sort of interoperability. I could imagine that other decorators could make sense as well. Every DID method author could choose which decorators are supported by their DID method.