2024-01-11 X.509 VID TF Meeting Notes

Meeting Date & Time

This Task Force meets every other Thursday. There are two meetings to serve different time zones:

  • NA/EU meeting: 08:30-09:30 PT / 16:30-17:30 UTC
  • APAC meeting: First meeting 17 January 2024 18:00-19:00 PT / 18 January 2024 02:00-03:00 UTC

See the Calendar of ToIP Meetings for exact meeting dates, times and Zoom links.

Zoom Meeting Recording

Attendees

NA/EU:

APAC:

  • ...

Agenda Items and Notes (including all relevant links)

Time / Agenda Item / Lead / Notes

3 min (Leads)
  • Start recording
  • Welcome & antitrust notice
  • New member introductions
  • Agenda review

Notes:
  • Antitrust Policy Notice: Attendees are reminded to adhere to the meeting agenda and not participate in activities prohibited under antitrust and competition laws. Only members of ToIP who have signed the necessary agreements are permitted to participate in this activity beyond an observer role.
  • New Members:

2 min (Leads): Review of previous action items
20 mins: Review of prior art and suggested readings

X.509 DID method: Decentralising PKI starting with a X.509 DID method (a presentation proposal for RWOT 9 in August 2019)

  • This is a call for a did:x509 method to exist as part of a transition from PKI to SSI, but is not a DID method spec.
  • I could not find any documentation of this discussion occurring at RWOT 9. I did find evidence of further work on this topic by two of these authors. (See next item.)
  • The primary point of interest in this presentation proposal for me was the idea of further abstracting the method of X.509 certificate discovery by using submethods under their proposed did:x509 method.

Analysis of hybrid wallet solutions - Implementation options for combining x509 certificates with DIDs and VCs (a presentation proposal for RWOT 11 in 2022) and Combination of x509 and DID/VC for inheritance properties of trust in digital identities (presentation to Open Identity Summit, Bonn, 2022)

  • Eric Scouten to give these two papers a second reading, hopefully before Thursday meeting. They look very similar, thus the co-listing here. First impressions:
  • These papers talk about several possible methods for linking X.509 and DID identifiers, which again highlights that one of our larger challenges will be identifying the location of the X.509 cert.
  • NOTE FOR OUR WORK: Which fields do we bind to? That significantly impacts the security profile of the identifier.

did:x509 Method Specification (draft specification and sample code published by Microsoft, 2022)

  • Does not appear to be actively maintained. Published in October 2022, a few issues filed by author over next few months, but no further commits or public discussion that I could find.
  • Requires the X.509 cert to be placed in the signing envelope (i.e. in the x5c header of JWS/JWT documents).
  • NOTE FOR OUR WORK: Carrying the X.509 certificate itself is only one option for DID resolution. A potentially more straightforward approach might be to adopt techniques from did:webs and either translate the X.509 cert into a JSON encoding (thus embedded directly in the DID document) or publish it adjacent to the document. Either would be a potentially simpler way to provide access to the cert.
  • Requires cert subject identity to be mirrored in the DID (example: did:x509:0:sha256:WE4P5dd8DnLHSkyHaIjhp4udlkF9LqoKwCvu9gl38jk::subject:C:US:ST:California:O:My%20Organisation).

  • Allows Fulcio integration. (Fulcio is new to me. Can someone explain? Worth our time?) (Wenjing Chu: Fulcio is part of the Sigstore project in LF OpenSSF, with an aim to sign open source software for provenance.)
  • Raises issue of which chain of trust to use (X.509 or VC).
  • Looks like a fairly good starting point for create/read operation specifications.
  • ACTION (✅ done, awaiting response): Eric to reach out to authors of MS spec to explore ToIP TF taking over or collaborating on this draft as basis of standard. CC to Jacques Latour, who is connected with MS CTO.
  • ACTION: Eric to summarize Drummond's e-mail with his feedback on the MSFT spec and add to meeting notes here.

(Eric Scouten to read, hopefully before Thursday meeting)
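As an added illustration of the binding the did:x509 notes above describe (this is not code from the Microsoft draft or from this task force), the checker below parses an identifier of the form shown, confirms that some certificate in the presented x5c chain matches the fingerprint, and then checks that every subject field named in the DID equals the leaf certificate's subject value, which is the "which fields do we bind to" question in practice. It assumes the fingerprint is the unpadded base64url SHA-256 of a chain certificate's DER and that the subject policy is compared field by field; the certificates and subject here are constructed stand-ins.

```python
import base64
import hashlib
from urllib.parse import unquote

# Hash algorithms this checker accepts for the fingerprint segment (assumption).
ALLOWED_ALGS = {"sha256", "sha384", "sha512"}


def parse_did_x509(did: str) -> dict:
    """Split did:x509:<ver>:<alg>:<fp>::subject:<k>:<v>... into its parts."""
    head, sep, policy = did.partition("::")
    parts = head.split(":")
    if not sep or len(parts) != 5 or parts[:2] != ["did", "x509"]:
        raise ValueError("not a did:x509 identifier with a policy")
    _, _, version, alg, fp = parts
    if alg not in ALLOWED_ALGS:
        raise ValueError(f"unsupported fingerprint algorithm {alg!r}")
    name, _, body = policy.partition(":")
    if name != "subject":
        raise ValueError(f"only the subject policy is handled here, got {name!r}")
    fields = body.split(":")
    if not body or len(fields) % 2:
        raise ValueError("subject policy must be key:value pairs")
    subject = {fields[i]: unquote(fields[i + 1]) for i in range(0, len(fields), 2)}
    return {"version": version, "alg": alg, "fingerprint": fp, "subject": subject}


def cert_fingerprint(der: bytes, alg: str = "sha256") -> str:
    """Unpadded base64url digest of the certificate's DER bytes."""
    return base64.urlsafe_b64encode(hashlib.new(alg, der).digest()).rstrip(b"=").decode()


def verify_binding(did: str, chain_der: list, leaf_subject: dict) -> bool:
    """Accept only if some chain cert matches the fingerprint AND every
    subject field named in the DID equals the leaf certificate's value."""
    p = parse_did_x509(did)
    if not any(cert_fingerprint(c, p["alg"]) == p["fingerprint"] for c in chain_der):
        return False
    return all(leaf_subject.get(k) == v for k, v in p["subject"].items())


# Constructed stand-ins for DER-encoded certificates (not real certificates).
CA_DER = b"constructed-ca-certificate-der"
LEAF_DER = b"constructed-leaf-certificate-der"
LEAF_SUBJECT = {"C": "US", "ST": "California", "O": "My Organisation", "CN": "leaf"}
EXAMPLE_DID = ("did:x509:0:sha256:" + cert_fingerprint(CA_DER)
               + "::subject:C:US:ST:California:O:My%20Organisation")
```

Note that a DID binding only to C/ST/O accepts any leaf the same CA issues to that organisation, whereas adding CN narrows it to one subject; the checker makes that trade-off visible.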

15 mins: Update on ToIP position paper

Follow up on action item from 14 December 2023 meeting: Augment this working group's charter with a second output: a position paper from ToIP advocating that decentralized trust infrastructure should incorporate existing PKI infrastructure and explore strategic alternatives.

Drummond Reed is looking to counteract a perception that ToIP (as representative of the larger Web3 / SSI communities) believes that centralization is bad, PKI is bad, and everything should be done in the new ways. The position paper should recognize the large body of work that has been placed in PKI and welcome actors who want to / need to use existing infrastructure into the ToIP architecture. Make it explicit that PKI infrastructure is welcome in the VID vision.

Tim Bouma will add some links regarding 10-15 year old changes in Canadian / US policy shifts with regard to PKI infrastructure. Wants to ensure that we focus on how we incorporate existing X.509 / PKI infrastructure into VID model, but also want to avoid re-standardizing X.509 itself. Can we avoid getting overly deep in detail?

Judith Fleenor: this position paper might be useful for describing the work of ToIP in the larger Linux Foundation process. Also, Content Authenticity will be presenting at the February ToIP all-members meeting.

10 mins: Viability of VID section as a mini-spec

Drummond Reed: the Trust Spanning Protocol task force will be working on the VID section (section 3) as a mini-spec. Worth reviewing the recording of yesterday's Trust Spanning task force meeting where this was discussed and agreed to. Wenjing Chu will share the link.

5 mins (Leads)
  • Review decisions/action items
  • Planning for next meeting

AGENDA: Next meeting Jacques Latour would like to present on artifacts for X.509 DID at CIRA. DNS records, TLS, etc. Save 20 minutes next week.

APAC meeting for this task force will share time with TSP meetings on Wednesday evening (US time) 6-7pm Pacific starting next week 17 January 2024 6pm Pacific. ACTION: Wenjing Chu to contact Michelle to change meeting title.