Enhance Security Document Loader #16
Comments
|
I found also this https://github.com/quartzjer/did-jwk/, that might be relevant. @dmitrizagidulin for guidance :) |
|
@fabrii Tell us more about your use case(s)? What made you consider this when creating this issue? We'd love to learn more. |
|
Hi @alexfigtree. In our case, we would like to have unique issuer identifiers that remain consistent over time (we cannot do that with did:key). Additionally, we need to support key rotation, so we considered exposing a JWKS endpoint. This JWKS endpoint could be exposed at either the central registry or the issuer. Since we couldn’t find a DID key resolver that works with JWKS endpoints, we are considering implementing one ourselves. I could not find any specification of this. Initially, we thought about using a domain name as the issuer identifier (e.g., https://userdomain.com/). With this approach, our central registry could maintain a list of all trusted issuer domains. If we trust an issuer's domain, we can also trust the JWKS endpoint it exposes. This approach is aligned with the concept outlined in https://www.ietf.org/archive/id/draft-ietf-oauth-sd-jwt-vc-05.html#name-jwt-vc-issuer-metadata (I know this is not for W3C credentials, but the idea is similar). However, this approach presents some potential issues:
Given these considerations, we were also exploring the use of OIDs. Each issuer in our case is assigned a unique OID by ISO & ITU-T (ISO/IEC 8824-1 Information Technology - Abstract Syntax Notation One (ASN.1)). These OIDs are unique (in the entire world) and stable over time, providing a consistent issuer identifier. However, we currently lack a DID resolver for these OIDs. The first digits of an OID can identify a central registry that belongs to a country, so it could be used to fetch public keys that belong to issuers of that country. Example: Issuer 1 = 2.16.858.0.0.0.3.1 All these issuers belong to central registry = 2.16.858, with the url "https://centralregistry.com". If our credential verification method is urn:oid:2.16.858.0.0.0.3.0#1", we can use that information to fetch the We haven’t seen this OID idea referenced in any specifications, and we assume it wouldn’t be interoperable with wallets. For this reason, we’re likely going to discard this approach. So, the only option we have left, is to find a "jwks" endpoint DID resolver, which I think is going to be a bit more accepted in the future. We can see here that this is being implemented for SDJWT. I thought that in W3C world we could have something similar. May be this topic is better suited for W3C GitHub. Let me know if this is clear or if you need any other information. Thank you! |
|
@fabrii Makes sense, thanks for the added clarification. It sounds like you want to address the shortcomings of the
|
Thank you for your help. You can close this issue. |
Hello!
I would like to explore the possibility of enhancing the Security Document Loader to support additional use cases.
I understand that in the Learner Credential Wallet,
did:keyis currently used for holders and issuers. For that reason, the DID resolver fordid:keyis sufficient.I am picturing some other scenarios where:
https://issuerdomain#key1and retrieving the keys from the JWKS endpoint.urn:oid:2.16.858.0.0.0.3.0. In this scenario, we could configure the loader to recognize that all OIDs starting with2.16.858have keys published on a specific domain. . The loader could use this information to process a verificationMethod likeurn:oid:2.16.858.0.0.0.3.0#key1, and use it to fetch the keys from the jwks endpoint.What are your thoughts on this?
Thank you
EDIT: I just realized that case (1) might be covered by the did:web implementation.
EDIT2: I can contribute with a PR.
The text was updated successfully, but these errors were encountered: