RFC023: X509Credential #283
+556
−0
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -180,8 +180,17 @@ rules: | |
| - The credential MUST be in JWT format. | ||
| - `type`: MUST include `VerifiableCredential` and `X509Credential`. | ||
|
There was a problem hiding this comment. I ran into problems when the credential type started with an |
||
| - `issuer`: MUST be a valid `did:x509` identifier. | ||
| - `credentialSubject`: MUST only contain fields explicitly present in the `did:x509` DID policies with the fields mapped by each type as a separate map. An example: | ||
| ``` | ||
| { | ||
| "subject": { | ||
| "O" : "My Organisation" | ||
| }, | ||
| "san" : { | ||
| "email" : "[email protected]," | ||
rolandgroen marked this conversation as resolved.
Show resolved
Hide resolved
|
||
| } | ||
| } | ||
| ``` | ||
|
|
||
| The credential subject can be identified by any DID method (e.g. `did:web`) accepted by the credential verifier. | ||
|
|
||
|
|
@@ -283,7 +292,10 @@ validated to ensure the credential is within its valid timeframe. | |
|
|
||
| ## Security Considerations | ||
|
|
||
| The following security considerations are to be considered: | ||
rolandgroen marked this conversation as resolved.
Show resolved
Hide resolved
|
||
|
|
||
| - The Root CA of the did:x509 needs to be checked against the root CA structure of the use case. For instance, in case | ||
rolandgroen marked this conversation as resolved.
Show resolved
Hide resolved
|
||
| of UZI certificates the ROOT CA must match the associated root CA chain. | ||
rolandgroen marked this conversation as resolved.
Show resolved
Hide resolved
|
||
|
|
||
| ### Certificate Revocation | ||
|
|
||
|
|
@@ -307,7 +319,9 @@ entity controlling the `did:x509` DID. | |
| - [DID:X509 Method Specification](https://trustoverip.github.io/tswg-did-x509-method-specification/) | ||
| - [X.509 Certificate Revocation (OCSP/CRL)](https://datatracker.ietf.org/doc/html/rfc5280) | ||
|
|
||
| # An application of the RFC023: UZI server certificates | ||
|
|
||
| ## PKI overheid & UZI server certificates | ||
|
|
||
| The Dutch government has a Public Key Infrastructure (PKI) that is used to establish trust between parties. The PKI | ||
| framework is currently in place and makes use of PKI Overheid Certificates issued by the root CAs of the Dutch | ||
|
|
@@ -349,10 +363,13 @@ contains the following information (of intrest): | |
|
|
||
| ## Mapping UZI certificate to X509Credential | ||
|
|
||
| The mapping of certificates to x509 is depending | ||
|
There was a problem hiding this comment. Do you mean mapping of certificates to an X509Credential? And what is "depending"? |
||
|
|
||
| ### The ROOT G3 | ||
|
|
||
| The `did:x509` specification dictates that the fingerprint of the Root CA is part of the did:x509. For mapping an UZI | ||
|
There was a problem hiding this comment. No it doesn't:
|
||
| certificate to an X509Credential the ROOT CA MUST match one of the certificates in the UZI ROOT CA register hierarchy. | ||
| For G3 this is: | ||
|
|
||
| ```asciidoc | ||
| ┌────────────────────────────────────┐ | ||
|
|
@@ -368,9 +385,10 @@ certificate to an X509Credential the ROOT CA MUST match one of the certificates | |
| └────────────────────────────────────────────┘ | ||
| ``` | ||
|
|
||
| ### Field mapping of the UZI credential | ||
|
|
||
| The following fields are commonly used for mapping UZI certificates to X509Credentials | ||
|
There was a problem hiding this comment. We are specifying it here how it should be used, not how it is used. So rephrase to something like: The following fields MUST be included in the mapping. |
||
| * The `subject:O` the name of the holder of the certificate. Maps to `subject.O` in the X509Credential. | ||
| * The `subject.L` The subject locality (city) | ||
| * The `san:otherName` a string containing `<OID CA>-<versie-nr>-<UZI-nr>-<pastype>-<Abonnee-nr>-<rol>-<AGB-code>`, | ||
| where: | ||
|
|
@@ -382,7 +400,7 @@ The following fields are commonly used for mapping UZI cetificates to X509Creden | |
| * `<rol>` is the role of the holder of the certificate, always "0.00" | ||
| * `<AGB-code>` is the AGB code of the holder of the certificate. | ||
|
|
||
| ## The use of UZI server certificate in the Nuts network or identifying organizations | ||
|
|
||
| The focus on trust in the NUTS network for organizations lies primarily on the URA number identified as the | ||
| `<Abonnee-nr>` on the UZI certificate. This number is used to identify the holder of the certificate within the Dutch | ||
|
|
||
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think the format is called the Proof Format.