Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

RFC023: X509Credential #283

Open
wants to merge 41 commits into
base: master
Choose a base branch
from
Open

RFC023: X509Credential #283

wants to merge 41 commits into from

Conversation

reinkrul
Copy link
Member

No description provided.

@reinkrul reinkrul requested a review from rolandgroen December 17, 2024 11:07
@rolandgroen
Add detailed explanation of x509 certificates in RFC
2574caf 
Expand the RFC with an in-depth introduction to x509 certificates, their structure, and their application in the Nuts network. Include details on the `did:x509` DID method and its attributes, usage of x509 for signing JWEs, and expanded specification of the Subject Other Name attribute.
@rolandgroen
Update RFC023 to extend x509 specification and clarify usage
12859aa 
Extend the x509 specification with additional SAN attributes and updated formatting details. Provide structured guidance on UZI certificates and their integration into the Dutch healthcare ecosystem. Elaborate on the use of x509 Verifiable Credentials within the Nuts network to establish trust.
@rolandgroen
Update section title to specify UZI server certificate usage
6af5704 
Clarified the section title to specifically refer to the UZI server certificate instead of the more generic x509 Verifiable Credential. This improves specificity and aligns the document with its intended focus.
rolandgroen
rolandgroen requested changes Dec 19, 2024
View reviewed changes
rfc/rfc023-x509credential.md Outdated Show resolved Hide resolved
@rolandgroen
Refine X509Credential validation and add UZI mapping guide.
ccdbf88 
Clarified certificate chain validation rules and revocation checks. Added a section to map UZI certificates to X509Credentials, including field mappings and hierarchical structure of the UZI certificate register. This improves compatibility and compliance with the `did:x509` specification.
@rolandgroen
Copy link

Request to change the structure of the attributes:

  • Remove the : separator
  • Use nested properties.

@rolandgroen
Add detailed security considerations for x509credential
95a2f51 
Expanded the Security Considerations section to include checks against the root CA structure for specific use cases. Highlighted the importance of matching the ROOT CA chain, such as for UZI certificates. This ensures clearer guidance on trust and certificate validation.
@rolandgroen
Add example UZI certificate mapping in RFC023 documentation
9bdff45 
Updated the RFC023 to enhance clarity around mapping UZI certificates to X509Credentials. Added details on the ROOT G3 CA hierarchy, refined field mapping descriptions, and adjusted sections to improve readability and consistency.
@rolandgroen
Refactor credentialSubject structure in RFC023.
6c17ad6 
Updated the `credentialSubject` definition to use a structured mapping for each type as separate maps, enhancing clarity and consistency in representation. Provided an example to illustrate the new format.
@rolandgroen rolandgroen marked this pull request as ready for review January 7, 2025 10:42
@rolandgroen
Normalize attribute notation in RFC023 document.
6f72f41 
Updated attribute references to use consistent dot notation (e.g., `san.otherName` and `subject.O`) instead of colon-based notation. This improves standardization and readability across the document.
reinkrul
reinkrul commented Jan 7, 2025
View reviewed changes
rfc/rfc023-x509credential.md Outdated Show resolved Hide resolved
reinkrul
reinkrul commented Jan 7, 2025
View reviewed changes
rfc/rfc023-x509credential.md Outdated Show resolved Hide resolved
reinkrul
reinkrul commented Jan 7, 2025
View reviewed changes
rfc/rfc023-x509credential.md Outdated Show resolved Hide resolved
reinkrul
reinkrul commented Jan 7, 2025
View reviewed changes
rfc/rfc023-x509credential.md Outdated Show resolved Hide resolved
reinkrul
reinkrul commented Jan 7, 2025
View reviewed changes
rfc/rfc023-x509credential.md Outdated Show resolved Hide resolved
reinkrul
reinkrul commented Jan 7, 2025
View reviewed changes
rfc/rfc023-x509credential.md Outdated Show resolved Hide resolved
reinkrul
reinkrul commented Jan 7, 2025
View reviewed changes
rfc/rfc023-x509credential.md Outdated Show resolved Hide resolved
reinkrul
reinkrul commented Jan 7, 2025
View reviewed changes
rfc/rfc023-x509credential.md Outdated Show resolved Hide resolved
reinkrul
reinkrul commented Jan 7, 2025
View reviewed changes
rfc/rfc023-x509credential.md Outdated Show resolved Hide resolved
reinkrul
reinkrul commented Jan 7, 2025
View reviewed changes
rfc/rfc023-x509credential.md Outdated Show resolved Hide resolved
reinkrul
reinkrul commented Jan 7, 2025
View reviewed changes
rfc/rfc023-x509credential.md Outdated Show resolved Hide resolved
@rolandgroen
Suggested rewording.
32abc4f
@rolandgroen
Suggested rewording.
75c5b73
@rolandgroen
Add verification of trust anchor in x509 credential checks
0138bc0 
Ensure that the DID specifies an accepted trust anchor (CA certificate) for the `ca-fingerprint` during credential validation. This strengthens the validation process by confirming the trustworthiness of the issuing CA.
@rolandgroen
Update x509credential example to reflect new issuer details
873f0f8 
Revised the credential example with updated issuer information, including organization, location, and SAN fields. This ensures the example aligns with current specification changes and provides clearer, more accurate data.
@rolandgroen
Simplify revocation check to use only CRL.
945271c 
Updated the certificate revocation check to rely solely on CRL instead of both OCSP and CRL. This change aims to streamline the revocation verification process and ensure consistency in validation methods.
@rolandgroen
Update subject.commonName to subject.CN in RFC023
5075e6e 
Replaced `subject.commonName` with `subject.CN` for clarity and consistency with standard naming conventions. Removed the `san.dNSName` entry as it was redundant or no longer required.
@rolandgroen
Fix alignment issues in x509credential RFC diagram
4609a6d 
Corrected the alignment of diagram elements in the x509credential RFC for better visual clarity. These adjustments ensure the diagram is more readable and properly formatted.
@rolandgroen
Refine wording on x509 credential issuer description.
6fa366a 
Updated the RFC to clarify that the `NutsX509Credential` is issued by the subject of an x509 certificate, rather than its holder. This improves the precision of the specification and ensures alignment with the intended semantics.
@rolandgroen
Update wording from CIBG to UZI in RFC023 description
0608c3d 
Corrected the reference from "CIBG register" to "UZI register" to ensure accuracy in the explanation of trust transfer within the NUTS ecosystem. This aligns the documentation with the proper terminology.
@rolandgroen
Revise X.509 certificate introduction and add trust hierarchy.
9b339b3 
Updated the X.509 certificate section to provide a clearer introduction, highlight key features, and explain the trust hierarchy more effectively. Added relevance to the Nuts framework by showcasing its integration with X.509 for decentralized identity.
@rolandgroen
Simplify documentation by removing x5t description.
e60beb7 
The x5t field is deprecated and no longer supported, so its description has been removed for clarity. The document now accurately reflects current usage standards.
@rolandgroen
Simplify and update the introduction for clarity.
64f27d0 
Revised the introduction to focus on the purpose and functionality of the `did:x509` method, ensuring clarity and alignment with interoperability goals. Removed redundant explanations and outdated statements to enhance readability and precision.
@rolandgroen
"Clarify signing and verification details for NutsX509Credential"
fb55323 
Refined the explanation of credential signing to specify the use of private keys associated with the UZI certificate and improved clarity on verification steps. These updates ensure better accuracy and comprehensibility of the credential lifecycle.
@rolandgroen
Update X509 credential verification steps for clarity
fa3b45f 
Revised the verification process to improve accuracy and alignment with trust anchors. Included a detailed check for the URA number in the Verifiable Credential against the trusted certificate, ensuring stricter validation.
@rolandgroen
Clarify validation steps in X509 credential documentation
b59f60e 
Reordered and refined the validation process for better clarity and consistency. Removed redundant section duplicating validation instructions and fixed a formatting issue with `ca-fingerprint`.
@rolandgroen
Clarify X.509 certificate validation requirements.
115c65a 
Enhanced details on trust chain validation, including mandatory signature checks and the requirement for a DID-specified trust anchor in the certificate chain. These changes provide clearer guidance on securing credentials.
@rolandgroen
Expand security considerations in RFC023
3a37988 
Detailed security risks and mitigation steps were added to the document, addressing issues such as broken trust chains, revocation checks, expired certificates, and weak cryptographic practices. This update improves clarity on potential threats and their consequences, enhancing the guidance for secure implementation.
@rolandgroen
Clarify subject identification and trust establishment process
f77b2bb 
Updated terminology from "holder" to "subject" for accuracy in describing entities linked to UZI certificates. Enhanced diagram explanations and added a detailed step-by-step breakdown of the trust establishment process using X.509 certificates, did:x509, and NutsX509Credential.
@rolandgroen
Update references to Verifiable Credentials Data Model v1.1
30043aa 
Updated links and references to point to the latest version (v1.1) of the Verifiable Credentials Data Model for better accuracy and alignment with current standards. Minor formatting adjustments were also made for consistency.
@rolandgroen rolandgroen self-requested a review February 5, 2025 12:49
@stevenvegt stevenvegt mentioned this pull request Feb 6, 2025
Open
17 tasks
reinkrul
reinkrul commented Feb 7, 2025
View reviewed changes
rfc/rfc023-x509credential.md Outdated Show resolved Hide resolved
@rolandgroen
Update terminology from NutsX509Credential to X509Credential
97a7547 
Replaces all occurrences of "NutsX509Credential" in the RFC with "X509Credential" to align with updated terminology. This change ensures clarity and consistency throughout the specification and associated processes.
@rolandgroen
Merge branch 'master' into rfc023-x509credential
3a1794b 
* master:
  Fix broken link to RFC004 in RFC011 (#284)
@rolandgroen
Add requirements for signing algorithm in X509Credential
812640e 
Clarified that the signing algorithm for credentials must use `PS256`. Updated sections to include verification of the signing algorithm as part of the credential proof validation process.
@rolandgroen
Clarify JWT sub and credentialSubject.id relationship
fd516c0 
Added a requirement specifying that for JWT-based credentials, the `sub` value(s) must match the `credentialSubject.id` field. This ensures consistency and validity during verification of such credentials.
@rolandgroen
Refactor and streamline rfc023-x509credential.md
ef1fb21 
Improved clarity by rephrasing and consolidating content without altering the intended meaning. Removed redundancies and adjusted formatting to align with standards. Refactored sections for better readability and smoother flow.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rolandgroen rolandgroen rolandgroen requested changes

@stevenvegt stevenvegt stevenvegt left review comments

@gerardsn gerardsn Awaiting requested review from gerardsn

@woutslakhorst woutslakhorst Awaiting requested review from woutslakhorst

Requested changes must be addressed to merge this pull request.

Assignees

@reinkrul reinkrul

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@reinkrul @rolandgroen @woutslakhorst @stevenvegt @gerardsn