Enable publishing IACA certificates #119
Conversation
### IACA Certificate Metadata

This profile defines an OpenID4VCI Credential Issuer Metadata parameter to publish Issuing Authority Certificate Authority (IACA) certificates. These certificates are defined in ISO 18013-5 (mDL). They are needed to verify mdoc certificate chains. This parameter is:
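The flow the proposed parameter enables, as an added example in Go that is not code from the PR or from the openid4vci specification: an issuer publishes its IACA certificate as a JSON document, a verifier fetches that document into a trust pool and checks a document signer (DS) certificate against it. The `mdoc_iacas_uri` name is the one used in the thread and `certificate` is the member name discussed in the review comment; the `iacas` array wrapping it, the constructed certificates and all function names are assumptions of this example. Only the basic X.509 chain check is modelled, not the further IACA/DS profile requirements of ISO 18013-5.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/json"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// IACAEntry is one published trust anchor; "certificate" is the member name from the thread.
type IACAEntry struct {
	Certificate string `json:"certificate"` // PEM-encoded IACA certificate
}

// IACADocument is the assumed JSON body served at the mdoc_iacas_uri location.
type IACADocument struct {
	IACAs []IACAEntry `json:"iacas"`
}

// newCert builds constructed P-256 test material: a self-signed IACA root when isCA,
// otherwise a document signer (DS) certificate signed by parent. Panics on failure.
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key // self-signed root
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER we just produced always parses
	return cert, key
}

// PublishIACAs renders trust anchors as the JSON document an issuer would serve.
func PublishIACAs(roots ...*x509.Certificate) []byte {
	var doc IACADocument
	for _, r := range roots {
		p := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: r.Raw})
		doc.IACAs = append(doc.IACAs, IACAEntry{Certificate: string(p)})
	}
	out, _ := json.Marshal(doc) // a struct of strings cannot fail to marshal
	return out
}

// TrustPoolFromJSON parses a fetched document into a root pool, rejecting any entry
// that is not a PEM-encoded CA certificate (Go's verifier does not check IsCA on roots).
func TrustPoolFromJSON(data []byte) (*x509.CertPool, error) {
	var doc IACADocument
	if err := json.Unmarshal(data, &doc); err != nil {
		return nil, err
	}
	pool := x509.NewCertPool()
	for i, e := range doc.IACAs {
		block, _ := pem.Decode([]byte(e.Certificate))
		if block == nil || block.Type != "CERTIFICATE" {
			return nil, fmt.Errorf("entry %d: not a PEM CERTIFICATE block", i)
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil || !cert.IsCA {
			return nil, fmt.Errorf("entry %d: not a usable CA certificate (%v)", i, err)
		}
		pool.AddCert(cert)
	}
	return pool, nil
}

// VerifySigner checks that a DS chains to a published IACA. ExtKeyUsageAny lifts Go's
// default serverAuth requirement, which mdoc signing certificates do not carry.
func VerifySigner(ds *x509.Certificate, roots *x509.CertPool) error {
	_, err := ds.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

// Demo: with the published IACA the DS verifies; without any root it cannot.
func Demo() (withIACA, withoutIACA bool, err error) {
	iaca, iacaKey := newCert("Constructed IACA", true, nil, nil)
	ds, _ := newCert("Constructed DS", false, iaca, iacaKey)
	pool, err := TrustPoolFromJSON(PublishIACAs(iaca))
	if err != nil {
		return false, false, err
	}
	return VerifySigner(ds, pool) == nil, VerifySigner(ds, x509.NewCertPool()) == nil, nil
}
```

The second result of `Demo` is the situation the thread describes: the same DS certificate, unchanged, fails to verify when the relying party has no way to obtain the IACA. `TrustPoolFromJSON` deliberately refuses entries that are not CA certificates, since an issuer publishing its DS certificate instead of the IACA would otherwise silently become a trust anchor for itself.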
If I got it well, I recap:
- mdoc_iacas_uri points to an HTTPS resource that publishes a JSON object containing trust anchors' certificates needed to verify the mdoc issued by a VCI
may we use the certificate's CN/Subject as key name, instead of "certificate"? That would help the resolution of the issuer in a human readable way.
or, wdyt about having the certificate issuer's entity id in addition to that "certificate" member name?
Co-authored-by: Giuseppe De Marco <[email protected]>
there is no agreement on the issue to do this PR
even if we agree to add something like this, I am not sure this should be an mdoc-specific parameter. If we agree this is useful, it should be a generic parameter in the issuer metadata section. Otherwise, it should go into an mdoc profile, not VCI.
As I saw it, the discussion in the issue was mostly about how to do it - not whether it was needed - hence the PR to give us a concrete proposal on a way to do it to discuss. Unless you can get the root signing keys, you can't evaluate the X.509 certificate chain, so there's clearly a need for something like this. If someone wants to propose a concrete way of generalizing this so that it's not mdoc specific, should that be the direction that people want to go, we could also discuss that. Anyway, it seems like putting this topic on a call agenda would be productive.
I agree with @selfissued: without a mechanism like the proposed one, the issuance of mdocs is at best incomplete because there is no way to verify the credentials that are issued; we should discuss it more on the next editors' call
I object against this proposal. I don't think this is in scope for the oid4vci spec.
IMO, the IACA could go into the issuer metadata and, more specifically, the credential format-specific metadata where claims are also described. The reason this makes sense is that different types can have different X.509 cert profiles and issuers.
I made a proposal here #161 by using @selfissued's language. @selfissued please feel free to update this PR using #161 if the group feels more comfortable making this a Credential Issuer
Closing this in a week, unless there are strong objections, because there is #161 and also not enough discussion on the topic.
Fixes #62