2024-01-25 X.509 VID TF Meeting Notes
Meeting Date & Time
This Task Force meets every other Thursday (NA/EU). There are two meetings to serve different time zones:
- NA/EU meeting: 08:30-09:30 PT / 16:30-17:30 UTC
See the Calendar of ToIP Meetings for exact meeting dates, times, and Zoom links.
Zoom Meeting Links / Recordings
- NA/EU Meeting: Recording
Attendees
NA/EU:
- Eric Scouten
- Drummond Reed
- Charles Lanahan
- Jacques Latour
- Darrell O'Donnell
- Wenjing Chu
- Greg Fowl
- Jesse Carter
- Keerthi Thomas
- Mark Scott
APAC:
Agenda Items and Notes (including all relevant links)
Time | Agenda Item | Lead | Notes |
--- | --- | --- | --- |
3 min | | Leads | |
2 min | Review of previous action items | Leads | |
5 mins | Update on Microsoft did:x509 spec | Eric Scouten | Eric Scouten spoke with Maik Richards at Microsoft, who expressed support for our TF taking over this work but is unable to join us. Working with Judith Fleenor to ensure the IPR is compatible. |
20 mins | Artifacts for X.509 DID at CIRA: DNS records, TLS, etc. | Jacques Latour | See the detailed notes below this table. |
15 mins | Introductions | | Ed Eykholt has done work on wallets and TSP. Keerthi Thomas works with the ToIP governance stack and with SSI, at an Innovation Lab in London. |
5 mins | | Leads | ACTION: Wenjing Chu and Eric Scouten to share updates from the NA/EU call with the following APAC call, including any updates/decisions required. |

Notes on "Artifacts for X.509 DID at CIRA" (20 min item):
- The principle is to anchor identifiers to unique DNS names, which everyone already uses. The goal is to map an X.509 certificate to a domain name; the certificate's SAN (subjectAltName) field can carry that mapping. did:web is similar: a domain name that can be trusted to be unique leads to a public key.
- The public key component of the X.509 certificate (or a hash of it) can be mapped to a TLSA record. If the public key of a certificate carrying a SAN name matches the public key published in DNS for that name, the VID can be considered authentic.
- If we choose a different field or a similar method, we can work with the IETF to reflect this.
- DNS is useful because it is global today. DNS can also host trust registry affiliation, so a VID can be identified as part of a specific trust registry (C2PA, etc.).
- Jacques Latour is working with Jesse Carter to build a demo: a document/blob is signed by a did:x509 VID, the issuer is authenticated/verified via DNS, and the trust registry affiliation is also identified. DNS is used as a discovery mechanism.
- Work being done on did:web applies in the same manner and can provide an additional layer of authenticity.
- DNSSEC answers the concern about plain DNS being clear-text and thus easily tampered with. DNSSEC adds an RRSIG signature to DNS replies, giving a trust chain back to IANA (the trust root for top-level domains). (Watch the recording starting at about 15 minutes for Jacques' slides.)
- did:x509 should really be about answering the question: can you trace a did:x509 through the X.509 certificate itself to a trust registry? Will ask Jesse Carter to do a demo in an upcoming meeting.
- Question raised about the comparison to did:web: are they meaningfully different? A: Conceptually similar, but with a shift in emphasis on where the identity is expressed. Example of a did:web document: https://trustregistry.ca/.well-known/did.json/
- Discussion about the use case for did:x509: is it suitable for individual identity, or more suited to organizational identity? May need to differentiate departments or regional distinctions within an organization.
- ACTION: Eric Scouten to review the 14 December 2023 meeting discussion on use cases and translate it to written form.
- DECISION: A did:x509 VID should be verifiable and unique, and should enable trust decisions based on trust registry affiliation.
- ACTION: Eric Scouten to write comparisons to did:web and did:webs in the draft did:x509 spec, articulating why all three should exist. Review the chat and recording from this meeting.
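The SAN-to-TLSA check discussed under the CIRA item, as an added worked example (this is not code from the meeting, the TF, CIRA, or the did:x509 spec): it pulls the dNSName SAN and the SubjectPublicKeyInfo out of a DER certificate with a minimal ASN.1 walker, derives the TLSA owner name `_443._tcp.<name>`, and compares the record's association data (selector 1 = SPKI, matching type 1 = SHA-256, as in a "3 1 1 ..." record) against the certificate. Everything named here is an assumption for illustration: `issuer.example`, the toy v3 certificate built inline with a dummy Ed25519 key and no real signature, and the `zone` dict standing in for a TLSA RRset that a DNSSEC-validating resolver has already returned (the RRSIG/AD-bit validation the notes rely on is assumed to have happened there, not performed here).

```python
"""Added example (not from the meeting, ToIP or CIRA): anchor a did:x509 issuer
certificate in DNS by matching its SubjectPublicKeyInfo against a DANE TLSA record.
Assumes a DER cert with a dNSName SAN; 'zone' is a constructed stand-in for a
TLSA RRset already fetched through a DNSSEC-validating resolver."""
import hashlib
import hmac
from dataclasses import dataclass

SAN_OID = bytes.fromhex("551d11")  # id-ce-subjectAltName, 2.5.29.17

# minimal DER encode/decode, just enough for Certificate / SAN / SPKI
def der_len(n):
    b = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    return b if n < 0x80 else bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def read_tlv(buf, pos=0):
    """Return (tag, body, position after the element) for the TLV at pos."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:  # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out

def cert_fields(cert_der):
    """Return (SubjectPublicKeyInfo DER, [SAN dNSName values]) of a v3 cert."""
    elems = children(read_tlv(read_tlv(cert_der)[1])[1])  # tbsCertificate members
    if elems[0][0] == 0xA0:                                # [0] EXPLICIT version
        elems = elems[1:]
    spki = tlv(0x30, elems[5][1])  # after serial, sigAlg, issuer, validity, subject
    names = []
    for tag, val in elems[6:]:
        if tag != 0xA3:                                    # [3] EXPLICIT Extensions
            continue
        for _, ext in children(read_tlv(val)[1]):          # each Extension SEQUENCE
            parts = children(ext)                          # OID, [critical], OCTET STRING
            if parts[0][1] == SAN_OID:
                for gtag, gval in children(read_tlv(parts[-1][1])[1]):
                    if gtag == 0x82:                       # GeneralName dNSName [2]
                        names.append(gval.decode("ascii"))
    return spki, names

@dataclass(frozen=True)
class TLSA:  # DANE TLSA record, RFC 6698
    usage: int     # 3 = DANE-EE: record names this very certificate, no PKIX chain
    selector: int  # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int     # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    data: bytes

    @classmethod
    def parse(cls, presentation):
        u, s, m, hexdata = presentation.split()
        return cls(int(u), int(s), int(m), bytes.fromhex(hexdata))

def tlsa_owner(dns_name, port=443, proto="tcp"):
    return f"_{port}._{proto}.{dns_name}."

def tlsa_rdata(cert_der, selector, mtype):
    subject = cert_der if selector == 0 else cert_fields(cert_der)[0]
    return {0: subject, 1: hashlib.sha256(subject).digest(),
            2: hashlib.sha512(subject).digest()}[mtype]

def tlsa_matches(cert_der, rec):
    # Only DANE-EE is accepted; usages 0-2 also need PKIX validation (not done here).
    if rec.usage != 3 or rec.selector not in (0, 1) or rec.mtype not in (0, 1, 2):
        return False
    return hmac.compare_digest(tlsa_rdata(cert_der, rec.selector, rec.mtype), rec.data)

def verify_issuer(cert_der, expected_name, zone):
    """SAN must carry expected_name and a TLSA record at _443._tcp.<name> must match."""
    _, names = cert_fields(cert_der)
    if expected_name not in names:
        return False, "SAN does not contain " + expected_name
    records = [TLSA.parse(r) for r in zone.get(tlsa_owner(expected_name), [])]
    if not records:
        return False, "no TLSA record published at " + tlsa_owner(expected_name)
    if not any(tlsa_matches(cert_der, r) for r in records):
        return False, "no TLSA record matches the certificate's SPKI"
    return True, "issuer anchored in DNS"

# constructed demo data: toy v3 cert with a dummy Ed25519 key and no real signature
DEMO_SPKI = tlv(0x30, tlv(0x30, tlv(0x06, bytes.fromhex("2b6570")))  # id-Ed25519
                    + tlv(0x03, b"\x00" + bytes(range(32))))

def build_demo_cert(dns_name, spki):
    empty_name, utc = tlv(0x30, b""), tlv(0x17, b"240101000000Z")
    san_ext = tlv(0x30, tlv(0x06, SAN_OID)
                  + tlv(0x04, tlv(0x30, tlv(0x82, dns_name.encode("ascii")))))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + tlv(0x30, b"")
              + empty_name + tlv(0x30, utc + utc) + empty_name + spki
              + tlv(0xA3, tlv(0x30, san_ext)))
    return tlv(0x30, tbs + tlv(0x30, b"") + tlv(0x03, b"\x00" * 9))

DEMO_CERT = build_demo_cert("issuer.example", DEMO_SPKI)
# What the issuer publishes (DANE-EE, SPKI, SHA-256) in its DNSSEC-signed zone:
DEMO_ZONE = {tlsa_owner("issuer.example"): ["3 1 1 " + tlsa_rdata(DEMO_CERT, 1, 1).hex()]}
```

Running `verify_issuer(DEMO_CERT, "issuer.example", DEMO_ZONE)` returns success; rebuilding the cert with one key byte changed (for example `DEMO_SPKI[:-1] + b"\x7f"`) or asking for a name the SAN does not carry returns a failure with the reason. Two things this deliberately does not do, and a real verifier must: check the certificate's signature and validity period (the toy cert has neither), and confirm that the TLSA answer was DNSSEC-validated, since an unsigned TLSA record is exactly the clear-text DNS problem raised in the notes. The trust-registry affiliation lookup the notes mention is a separate step not modelled here.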
Screenshots/Diagrams (numbered for reference in notes above)
#1
(Darrell's picture)
Decisions
- DECISION: A did:x509 VID should be verifiable and unique, and should enable trust decisions based on trust registry affiliation.
Action Items
- ACTION: Eric to summarize Drummond's e-mail with his feedback on the MSFT spec and add it to the meeting notes here. (Carried over from 2024-01-11.)
- ACTION: Eric Scouten to review the 14 December 2023 meeting discussion on use cases and translate it to written form.
- ACTION: Eric Scouten to write comparisons to did:web and did:webs in the draft did:x509 spec, articulating why all three should exist.
- ACTION: Wenjing Chu and Eric Scouten to share updates from the NA/EU call with the following APAC call, including any updates/decisions required.