diff --git a/draft-vesco-vcauthtls.html b/draft-vesco-vcauthtls.html index dc1934b..583f5ad 100644 --- a/draft-vesco-vcauthtls.html +++ b/draft-vesco-vcauthtls.html @@ -1140,91 +1140,79 @@
2. Conventions and Definitions
4. Structure of the FOOBAR Extensions
+5. TLS Client and Server Handshake
W3C defined VC¶
+W3C defined VC and DID¶
+How to create identity in SSI and how to verify the VP (in HS sections describe how the hs covers the VP presentation).¶
The TLS extensions "client_certificate_type" and "server_certificate_type" [RFC7250] are used to negotiate the type of Certificate messages used in TLS to authenticate the server and, optionally, the client. Using separate extensions allows for mixed deployments where the client and server can use certificates of different types. +~~~ + /* Managed by IANA */ + enum { + X509(0), + RawPublicKey(2), + VC(224), + (255) + } CertificateType;¶
+struct { + select(certificate_type){ + // The new certificate type defined in this document + case VC: + opaque cert_data<1..2^24-1>;¶
+-opaque ASN.1Cert<1..2^24-1>; - -struct { - select(certificate_type){ - // RawPublicKey certificate type defined in RFC 7250 - case RawPublicKey: - opaque ASN.1_subjectPublicKeyInfo<1..2^24-1>; - - // X.509 certificate defined in RFC 5246 - case X.509: - ASN.1Cert certificate_list<0..2^24-1>; + // RawPublicKey certificate type defined in RFC 7250 + case RawPublicKey: + opaque ASN1_subjectPublicKeyInfo<1..2^24-1>; - // The new certificate type definied in this document - case VC: - opaque ASN.1_subjectPublicKeyInfo<1..2^24-1>; + // X.509 certificate defined in RFC 5246 + case X509: + opaque cert_data<1..2^24-1>; - // Additional certificate type based on - // "TLS Certificate Types" subregistry - }; -} Certificate; -¶ + // Additional certificate type based on + // "TLS Certificate Types" subregistry + }; } Certificate; ~~~ +¶
TLS Certificate types (IANA)¶
-value | -name | -recommended | -Reference | -comment | -
---|---|---|---|---|
4 | -Verifiable Credential | -- | This document | -- |
+ /* Managed by IANA */ + enum { + iota(0), + .. + (65535) + } DIDMethod + + struct { + DIDMethod did_methods<2..2^16-2> + } DIDMethodList + + [did-registry](https://www.w3.org/TR/did-spec-registries/#did-methods) +¶
did_methods extension could be sent only in ClientHello and CertificateRequest messages.¶
it happens when the server does not send ssi_paramters extension in certificate request or it does but the client does not have a DID in the list of supported DLT (i.e. DID Methods) by the server¶
+it happens when the server does not send ssi_paramters extension in certificate request or it does but the client does not have a DID in the list of supported DLT (i.e. DID Methods) by the server¶
server ignores ssi_parameters extension in the clientHello¶
+server ignores ssi_parameters extension in the clientHello¶
HelloRetryRequest + foobar extension -server replies with the list of its DID Methods, this implies that the server has a DID stored in each of the DLT of the listed DID Methods.¶
+HelloRetryRequest + foobar extension +server replies with the list of its DID Methods, this implies that the server has a DID stored in each of the DLT of the listed DID Methods.¶
server enforces SSI client authentication (no fall back bu enforce SSI to the client)¶
-HelloRetryRequest¶
+server enforces SSI client authentication (no fall back bu enforce SSI to the client)¶
+HelloRetryRequest¶
TODO Security¶
+TODO Security¶
This document has no IANA actions.¶
+This document has no IANA actions.¶
[DID] W3C, Decentralized Identifiers (DIDs) v1.0. Core architecture, data model, and representations. W3C Recommendation, 2022. https://www.w3.org/TR/did-core/¶
-[VC] W3C, Verifiable Credentials Data Model v2.0. W3C Recommendation, 2023. https://www.w3.org/TR/vc-data-model-2.0/¶
+[DID] W3C, Decentralized Identifiers (DIDs) v1.0. Core architecture, data model, and representations. W3C Recommendation, 2022. https://www.w3.org/TR/did-core/¶
+[VC] W3C, Verifiable Credentials Data Model v2.0. W3C Recommendation, 2023. https://www.w3.org/TR/vc-data-model-2.0/¶
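Review bot: the new certificate type value and the IANA section contradict each other. The added enum in the Certificate section registers `VC(224)`, the removed table row assigned `4 | Verifiable Credential | - | This document`, and the IANA Considerations text still reads "This document has no IANA actions." Pick one value, state whether 224 is a placeholder or a requested allocation in the "TLS Certificate Types" registry, and replace the "no IANA actions" sentence with the actual registration request (the new `DIDMethod` enum will need a registry or a pointer to the W3C did-spec-registries list as well). In the rewritten `Certificate` struct, `case X509: opaque cert_data<1..2^24-1>;` replaces `ASN.1Cert certificate_list<0..2^24-1>;`, which drops the certificate chain and reuses the same field name as the VC arm; keep `certificate_list` for X509 and give the VC arm its own name, with a sentence saying what the VC arm carries (the surrounding notes mention a VP being presented in the handshake, but the struct does not say whether `cert_data` is a credential, a presentation, or a DID). The `DIDMethod` / `DIDMethodList` fragment is not valid presentation-language syntax as written: the `..` placeholder, the missing `;` after `} DIDMethod` and `} DIDMethodList`, and the missing `;` after `DIDMethod did_methods<2..2^16-2>` should be fixed before this goes in a `~~~` block. Finally the extension is named `did_methods`, `ssi_parameters`, `ssi_paramters` and "foobar extension" in different paragraphs; settle on one name, fix "bu enforce" to "but enforce", and either expand or mark as TODO the note "How to create identity in SSI and how to verify the VP (in HS sections describe how the hs covers the VP presentation)", which currently reads as an author reminder rather than draft text.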