DID / DPKI integration #105

Open
BastienVigneron opened this issue May 17, 2022 · 5 comments

Comments

@BastienVigneron

Hello Biscuit team,

One of the first sentences of your documentation says:

One of those building blocks is an authorization token that is signed with public key cryptography (like JWT), so that any service knowing the public key can verify the token.

This implies distributing public keys to all services that have to verify tokens, managing key renewal, revocation, ...

Is it in your plans to include DID-based signatures or to encapsulate the biscuit in a verifiable token?

This could solve traditional PKI problems by using DPKI-based identity / signature management.

@tarcieri
Collaborator

One of the interesting things to keep in mind about Biscuits (and Macaroons, and SPKI/SDSI) is they can lean on their built-in support for delegation to express various PKI patterns.

Especially with support for third party blocks/caveats (#103) this can solve problems analogous to certificate authorities and certificate chains.

(In fact it can go far beyond that... you can express SAML/OIDC-like relationships but maintaining cryptographic bindings across principals, which effectively eliminates audience confusion attacks via cryptography)

As such, Biscuits don't really gain much from integrations with other PKI systems, especially because the integration patterns are subtly different (more like OCap patterns)

@Geal
Contributor

Geal commented May 17, 2022

DIDs and VCs are not in the roadmap right now, although we've been looking at them, and generally we're interested in how Biscuit can integrate with other systems. And as @tarcieri said, with the third party blocks feature coming up, there will be a lot of cool patterns to explore.

@BastienVigneron
Author

Thank you Tony and Geoffroy.
I have to investigate third party blocks, but I'm not sure they allow easy integration with DID.

I guess what we need is only the DID of the user (controller in DID world) and the DID of the Biscuit emitter, and of course appropriate signatures of both.

For your information, I'm trying to evaluate the relevance of integrating Biscuit in this context.

@Voronar

Voronar commented Jan 22, 2024

I'm also interested in DID usage in the form of a root signature key (of different cryptographic algorithms) for the Biscuit issuer, but as far as I know Biscuit doesn't allow any cryptographic algorithm other than Ed25519 for the root key.
The only OCap-like authorization protocol with built-in DID support that comes to mind is UCAN.

@Geal
Contributor

Geal commented Jan 23, 2024

Support for more algorithms is planned, and we have some tests in biscuit-auth/biscuit-rust#108.
Right now the goal is making sure that other libraries can implement it in the same way before adding that to the specification.
