X.509 vs. SSI

August 23, 2021

X.509 is a format specification for public-key certificates. A public-key certificate binds a public key to other data. By far the most common use is TLS/SSL, which underpins trust in HTTPS, the Web's security standard. In TLS, the certificate binds a public key to a domain name (and perhaps other information).

For many people, the first hurdle is deciding whether X.509 certificates are more closely related to verifiable credentials or to DIDDocs. This makes sense, since X.509 combines the functionality of these two distinct SSI standards. Like DIDDocs, X.509 certificates tie data to a public key. However, X.509's hierarchical public key infrastructure (PKI) is intended to vouch for the validity of the X.509 certificate, and X.509 extensions allow additional information to be included. As a result, X.509 certificates also associate the public key (as an identifier) with real-world attributes. DIDDocs have no public key infrastructure (PKI); instead, SSI relies on verifiable credentials to make trustworthy assertions about a decentralized identity.

Another significant distinction between X.509 certificates and DIDDocs is that the DIDDoc's primary purpose is to associate the public key with a decentralized identifier, or DID, whereas X.509 certificates associate the public key with a subject name and other information, such as a domain name. Certificate extensions allow the certificate to link the public key to additional data. The critical difference is that the DID is required and serves as the unique identifier of the DIDDoc; furthermore, the DID must be resolvable to the DIDDoc. The DID adds a layer of indirection over the public key. As a result, the public key associated with a DID may be rotated without changing the DID, making the DID a permanent identifier. I won't go into depth about how this is accomplished safely, but you can read much more at The Architecture of Identity Systems if you're interested.

So why embark on a new endeavour? Several benefits of DIDs, DIDDocs and verifiable credentials over X.509 certificates include the following:

1. DIDs provide a higher level of security. DIDs enable public keys to be rotated securely. As a result, Alice may freely rotate the key underlying the DID without needing new credentials. The identifier exists for as long as Alice needs it. Alice will not be tempted to keep a possibly compromised key in order to avoid the inconvenience of replacing it.

2. SSI employs the appropriate tools for each step of the process. The SSI design clearly distinguishes between identifying Alice and proving anything about Alice. Without depending on a hierarchical chain of authority, the binding between the DID and its associated public key may be validated cryptographically. The credential exchange's integrity may be confirmed cryptographically using data from a public credential registry (often a ledger of some sort). This division enables techniques and tools to be tailored to the specific requirements of each kind of document.

3. Verifiable credentials help to keep information private. Sharing just what has been required safeguards Alice's privacy. Daniel Hardman's Webinar on ZKP-based Credentials is an excellent, accessible explanation of the many advantages of ZKPs for credential sharing.

4. The SSI data sharing user interface is more secure. ZKPs benefit Alice by saving her time and decreasing the likelihood of her oversharing due to human mistakes (i.e. they are safer from a privacy perspective).

5. SSI has a uniform user interface. SSI wallets and agents provide an excellent user experience in maintaining connections, saving credentials, and responding to proof requests. As far as I am aware, X.509 certificate wallets do not exist in their current form; thus, they would need to be created to offer a similar user experience.

6. Verifiable credentials facilitate interoperability. Alice can use credentials from many issuers and prove things to many verifiers thanks to standards not just for data formats but also for issuance and presentation protocols. I am not aware of any standards defining how X.509 credentials might be used to verify the kind of information in the mortgage example. X.509 certificates have been around for more than 40 years and are used almost exclusively for TLS.
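As an added illustration of the key-rotation point made above (this is constructed example code, not code from the original post or from any SSI project), the following Go sketch models a DID that resolves to a DIDDoc whose key can be replaced while the DID itself stays constant; the in-memory registry, the DID strings and the signed message are all placeholders.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// DIDDoc is a constructed, minimal stand-in for a DID document: the DID is the
// stable identifier, and the document carries the *current* verification key.
type DIDDoc struct {
	ID        string            // the DID, e.g. "did:example:alice" (constructed)
	Version   int               // bumped on every key rotation
	PublicKey ed25519.PublicKey // current key; replaced on rotation
}

// registry stands in for the verifiable data registry a DID resolves against.
var registry = map[string]*DIDDoc{}

// Register creates a fresh key pair, publishes the DIDDoc and returns the
// private key that stays in the holder's wallet.
func Register(did string) (ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	registry[did] = &DIDDoc{ID: did, Version: 1, PublicKey: pub}
	return priv, nil
}

// Resolve is the DID -> DIDDoc step a verifier performs.
func Resolve(did string) (*DIDDoc, error) {
	if doc, ok := registry[did]; ok {
		return doc, nil
	}
	return nil, errors.New("unresolvable DID: " + did)
}

// Rotate swaps in a new key pair without changing the DID. With X.509 the
// same step would require a new certificate, because the key is part of
// what the CA signed.
func Rotate(did string) (ed25519.PrivateKey, error) {
	doc, err := Resolve(did)
	if err != nil {
		return nil, err
	}
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	doc.Version++
	doc.PublicKey = pub // old signatures no longer verify; the DID is unchanged
	return priv, nil
}

// VerifyProof resolves the DID and checks sig over msg with the current key.
func VerifyProof(did string, msg, sig []byte) bool {
	doc, err := Resolve(did)
	if err != nil {
		return false
	}
	return ed25519.Verify(doc.PublicKey, msg, sig)
}

func main() {
	priv, _ := Register("did:example:alice")
	msg := []byte("presentation nonce 42") // constructed challenge
	sig := ed25519.Sign(priv, msg)
	fmt.Println("before rotation:", VerifyProof("did:example:alice", msg, sig))
	newPriv, _ := Rotate("did:example:alice")
	fmt.Println("old key after rotation:", VerifyProof("did:example:alice", msg, sig))
	fmt.Println("new key after rotation:", VerifyProof("did:example:alice", msg, ed25519.Sign(newPriv, msg)))
}
```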

X.509 certificates share comparable high-level objectives with DIDs and verifiable credentials. However, DIDs and verifiable credentials are an innovation that incorporates 40 years of experience and recent advances in cryptography to give a more robust, flexible answer to the problem of securely exchanging data. Using DIDs and verifiable credentials in SSI enables the creation of a worldwide, interoperable data exchange metasystem that is cryptographically sound and provides a great user experience.

You can read more at https://www.windley.com/archives/2021/05/comparing_x509_certificates_with_ssi.shtml

©2001-2021 Systems integration solutions