DID / DPKI integration #105
Comments
One of the interesting things to keep in mind about Biscuits (and Macaroons, and SPKI/SDSI) is that they can lean on their built-in support for delegation to express various PKI patterns. Especially with support for third party blocks/caveats (#103) this can solve problems analogous to certificate authorities and certificate chains. (In fact it can go far beyond that... you can express SAML/OIDC-like relationships but maintaining cryptographic bindings across principals, which effectively eliminates audience confusion attacks via cryptography.) As such, Biscuits don't really gain much from integrations with other PKI systems, especially because the integration patterns are subtly different (more like OCap patterns).
DIDs and VCs are not in the roadmap right now, although we've been looking at them, and generally we're interested in how Biscuit can integrate with other systems. And as @tarcieri said, with the third party blocks feature coming up, there will be a lot of cool patterns to explore.
Thank you Tony and Geoffroy. I guess what we need is only the DID of the user (controller in DID world) and the DID of the Biscuit emitter, and of course appropriate signatures of both. For information I'm trying to evaluate the relevance of the integration of Biscuit in this context.
I'm also interested in DID usage in the form of a root signature key (of different cryptographic algorithms) for the Biscuit issuer, but as far as I know Biscuit doesn't allow any cryptographic algorithms other than Ed25519 for the root key.
Support for more algorithms is planned, and we have some tests in biscuit-auth/biscuit-rust#108.
Hello Biscuit team,
One of the first sentences of your documentation says:
This implies distributing public keys to all services that have to verify tokens, managing key renewal, revocation, ...
Is it in your plans to include DID-based signatures or encapsulate the biscuit in a verifiable token?
This could solve traditional PKI problems by using DPKI-based identity / signature management.