diff --git a/draft-vesco-vcauthtls.md b/draft-vesco-vcauthtls.md index 342a4c8..525dfd8 100644 --- a/draft-vesco-vcauthtls.md +++ b/draft-vesco-vcauthtls.md @@ -47,19 +47,18 @@ This document defines a new certificate type and extension for the exchange of V --- middle -# Introduction +# Introduction and motivation -The Self-Sovereign Identity (SSI) is an emerging decentralised identity model that gives a subject control over the data it uses to generate and prove its identity. SSI model relies on three fundamental elements: a distributed ledger as the Root of Trust (RoT) for public keys, Decentralized IDentifier [DID](https://www.w3.org/TR/did-core/), and Verifiable Credential [VC](https://www.w3.org/TR/vc-data-model-2.0/). An SSI subject builds his identity starting from generating the identity key pair ($sk, pk$). Then the subject stores $pk$ in the distributed ledger of choice for other nodes to authenticate it. +The Self-Sovereign Identity (SSI) is a decentralised identity model that gives a subject control over the data it uses to generate and prove its identity. SSI model relies on three fundamental elements: a distributed ledger as the Root of Trust (RoT) for public keys, Decentralized IDentifier [DID](https://www.w3.org/TR/did-core/), and Verifiable Credential [VC](https://www.w3.org/TR/vc-data-model-2.0/). An SSI subject builds his identity starting from generating the identity key pair ($sk, pk$). Then the subject stores $pk$ in the distributed ledger of choice for other nodes to authenticate it. A subject's DID is a pointer to the distributed ledger where other subjects can retrieve its $pk$. A DID is a Uniform Resource Identifier (URI) in the form _did:did-method-name:method-specific-id_ where _method-name_ is the name of the [DID Method](https://www.w3.org/TR/did-core/) used to interact with the distributed ledger and _method-specific-id_ is the pointer to the [DID Document](https://www.w3.org/TR/did-core/) that contains $pk$, stored in the distributed ledger. -After that, the subject can request a VC from one of the Issuers available in the system. -The VC contains the metadata to describe properties of the -credential, the DID and the claims about the -identity of the subject and the signature of the Issuer. +After that, the subject can request a VC from one of the Issuers available in the system. The VC contains the metadata to describe properties of the credential, the DID and the claims about the identity of the subject and the signature of the Issuer. The combination of the key pair ($sk, pk$), the DID and at least one VC forms the identity compliant with the SSI model. - A subject requests access to services by presenting a Verfiable Presentation [VP](https://www.w3.org/TR/vc-data-model-2.0/). The VP is an envelop of the VC signed by the subject with its $sk$. The verifier authenticates the peers checking the authenticity of the VP and the validity and authenticity of the inner VC before granting or denying access to the requesting subject. +The SSI model subtends the peer-to-peer model of interaction where either authenticatio way are possible; +one peer authenticates the other or the peers can authenticate each other. -The SSI model subtends the peer-to-peer model of interaction where only one peer authenticates the other or the peers can authenticate each other. +SSI is emerging as an identity option for Internet of Thing and Edge nodes in computing continuum environments. This document describes the extensions to TLS protocol to support the use of VCs for authentication while preserving the interoperability with TLS endpoints that use X.509 certificates. +The extensions enable server-only and mutual authentication using VC, X.509, Raw Public Key or a combination of VC and X.509 certificates at the TLS endpoints. The ability to perform hybrid authenticated handshakes supports the gradual deployment of SSI in existing systems. # Conventions and Definitions