Decentralisation of X.509 with DIDs/VCs

Dear colleagues:

We were engaged in a discussion to replace X.509 certificates through a decentraslised tech stack using DIDs/VCs. This idea is something that came up early in the VC work years ago.

We are curious to learn if there are any best practices or reference implementations.

Thanks for any feedback,

Addendum – On DIDs and X.509 Certificates:

  • A public private key pair, a DID and their metadata can be used to generate a X.509 certificate.
  • X.509 certificates can then be used as verifiable claims with the DID model.
  • In this way, hierarchical/federated identity systems can be coupled with decentralized identity systems.

I vaguely recall there was some conversations about adapting X.509 to use DIDs or replacing X.509 with VCs for use in the TLS protocol. This work didn’t rise to a final paper at #RWOT Santa Barbara. You might want to investigate the repo in topics/ and drafts/

– Christopher Allen

We actually are doing a project in which proofs are digitized using VC’s and in which the DID of the issuer (like for instance a municipality) is referencing a X.509 certificate but the holder does not have to.

This is only a step to a future in which all data is managed by holders and newer SSI solutions get used as these digital proofs can not be used to identify holders (you might still need to prove the verifier you are the one referenced in the proof through a social security number being part of the data that’s being issued as a set) and besides that, the proofs are not valid in court unless bundled with the X509 certificate in a XaDES type of document (ETSI TS 103 171), yet it is perfectly possible to generate such a document when you trust the certificate authority and get it afterwards and the DID is anchored to the issuer X509 certificate (the DID just includes its fingerprint) which is fine for government as the issuer (when really using the same certificate for all) for now.

We intent to investigate integration of the solution of the Rabobank / Deloitte (follow up of soon as well as other SSI projects within dutch gov and while work in progress are currently going to a phase in which system integrators are going to deploy / beta test it at several municipalities.

Hi bkaptijn,

thank you for your feedback. Much appreciated. I like how you combine the X509 and DIDs.

I am very interested to continue a dialogue with you on this specific topic.

Pls ping me under:


I encourage you to submit your paper as an advance topic for #RWOT9 in

– Christopher Allen

Due to circumstances @bkaptijn will not be able to attend rwot Prague. I’m a colleague of Bas and I’ll join instead. We’re preparing the paper to be submitted.

1 Like

Can’t we have a separate call or a scheduled discussion on this where we can start some incubation development and do progress slowly

We are open to support as well. Bas and I discussed developing a X.509 DID method.

@bkaptijn already prepared an initial draft.

Your feedback to the draft will be also very much appreciated.

Let me review this doc .Please give me some time

Thanks alot for sharing

Sethi Shivam

Note that the document still is heavily edited this week.

Could you please merge our PR ?
I still need to order our ticket and I would love to use the promotional code for that.

Ordered the ticket today. That’s done :wink: Looking forward to see you in Prague