
Remove `"x5c"` from DID document

Open letmaik opened this issue 3 years ago • 1 comments

(Follow-up from https://github.com/microsoft/scitt-ccf-ledger/issues/53)

At the moment, SCITT receipts with CCF tree algorithm rely on service and node certificates. This complicates matters, especially when looking at DID as service ids.

If possible, we want to end up in a place where:

  • The service identity keys sign the receipt (tree root) directly
  • Node certificates are not part of the receipt anymore
  • Only a DID and key id is included in a receipt
  • The DID document only publishes service identity keys, without the service certificates in "x5c"
  • The key id changes from being a hash of the certificate to a hash of the public key only

This would require an extension to CCF to support signing the tree root directly instead of (or in addition to) having node keys do the signing.

letmaik avatar Jan 25 '23 18:01 letmaik
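The last bullet of the issue (key id as a hash of the public key instead of the certificate), as an added example that is not part of the original issue or of scitt-ccf-ledger. SHA-256, hex encoding and hashing the DER SubjectPublicKeyInfo are assumptions; the function names and the self-signed certificates are constructed for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// kid hashes DER bytes into a key id. SHA-256 and hex are assumptions.
func kid(der []byte) string {
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:])
}

// issue creates a constructed self-signed certificate over key.
func issue(key *ecdsa.PrivateKey, serial int64) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: "constructed service identity"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Reissue certifies one service key twice; returns cert-hash and key-hash kids.
func Reissue() (certKids, keyKids [2]string, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	for i := 0; err == nil && i < 2; i++ {
		var c *x509.Certificate
		if c, err = issue(key, int64(i+1)); err == nil {
			certKids[i], keyKids[i] = kid(c.Raw), kid(c.RawSubjectPublicKeyInfo)
		}
	}
	return
}

func main() { fmt.Println(Reissue()) }
```

A verifier that resolves keys by the certificate-hash kid has to learn a new id every time the certificate is reissued, while the public-key-hash kid stays fixed for the lifetime of the key.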

Not critical at the moment. Other mentioned things related to the receipt are subject to change in IETF and CCF implementations. Moving to backlog.

ivarprudnikov avatar Jan 12 '24 11:01 ivarprudnikov

Azure SDK relies on this field to verify the receipt cert chain: https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/confidentialledger/Azure.Security.CodeTransparency/src/Receipt/DidWebReference.cs#L165-L176

ivarprudnikov avatar Oct 23 '24 14:10 ivarprudnikov