Identity Issuing Request

DiME, the open and trust-based data format building secure Application-based Public-Key Infrastructures (APKIs) in a breeze.

An Identity Issuing Request (IIR) item serves a similar purpose to a Certificate Signing Request (CSR) when using X.509 certificates. An entity that wants to register and acquire a DiME identity within a system or infrastructure starts by creating an IIR. The IIR is then sent to an issuing entity, which approves the request and issues a new DiME identity.

The following is an example of an IIR item:

Di:IIR.eyJjYXAiOlsiZ2VuZXJpYyJdLCJpYXQiOiIyMDIyLTEwLTIzVDEzOjMwOjAxLjM2ODI3N1oiLCJwdWIiOiJTVE4uTWY5MjVGblh3Nmp5RmZKSkFFWTZFM0drNUZ3S0Q3ZmtNSHJDc29xVHJjN2VleDU5VSIsInVpZCI6IjQ2MWJkOTk1LTBhOGUtNDI4NS1iNTMyLTVjODllZDFmYWM1NyJ9.YmQ2YmQ5N2I4NDIwMmNiYS5mNzQyNmFhZjJmOWYzOWU0NzBhMmFiY2MwNzkwODEzYjBiNTA5ZjljYzQzMmZiYTgwZWJjZDgwYzI5OGNiMWVmMDgwY2Y3MDUzMWUzOGJkMTJhMWI4ODZhMTYzZWI5YWVjMjk4YzczY2EzYmY2NjYwZDM2YjIxMjE4NjA3YzEwMA

The header of a DiME identity issuing request item is always 'IIR'. In the example above, it follows the colon (':') that comes after the envelope header ('Di').

Components

A DiME identity issuing request item consists of several components. Each component is separated by a dot (‘.’), which is referred to as a component separator.

The following components make up an identity issuing request item:

  • Header - always 'IIR'

  • Claims - required

  • Signature - required

Claims

Claims are information or data related to the entity and the identity issuing request. These could be unique identifiers, expiration dates, associated public keys, and principal information (additional information about a subject).

Any claims inside an identity item are protected from modification by an encapsulating signature. This signature is generated when the identity is issued, normally by using the private key of the issuing entity.

Claims used for identity issuing requests are the same as for Identity items, since an IIR is used to issue an identity. For additional information about claims used for an IIR, refer to Claims and the claims section under Identity.

Signature

The final component in an identity issuing request item is always the signature. Apart from protecting the integrity of the contained components, the signature also proves ownership and control of the private key used to generate it. This assumes careful generation, usage and storage of the private key by the requesting entity.

For additional details about the format of the signature, see Signature encoding.
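
The item layout described above (header, claims and signature, separated by dots), as an added example that is not part of the DiME project's own code: a strict Python parser run against the example IIR from this page. It assumes the claims component is unpadded Base64-encoded JSON, which is how the example decodes, and leaves the signature opaque because its encoding is documented separately; `parse_iir` and `_b64_json` are hypothetical names.

```python
import base64
import binascii
import json

# The example IIR item shown on this page, split only for line length.
EXAMPLE_IIR = (
    "Di:IIR."
    "eyJjYXAiOlsiZ2VuZXJpYyJdLCJpYXQiOiIyMDIyLTEw"
    "LTIzVDEzOjMwOjAxLjM2ODI3N1oiLCJwdWIiOiJTVE4u"
    "TWY5MjVGblh3Nmp5RmZKSkFFWTZFM0drNUZ3S0Q3ZmtN"
    "SHJDc29xVHJjN2VleDU5VSIsInVpZCI6IjQ2MWJkOTk1"
    "LTBhOGUtNDI4NS1iNTMyLTVjODllZDFmYWM1NyJ9"
    "."
    "YmQ2YmQ5N2I4NDIwMmNiYS5mNzQyNmFhZjJmOWYzOWU0NzBh"
    "MmFiY2MwNzkwODEzYjBiNTA5ZjljYzQzMmZiYTgwZWJjZDgw"
    "YzI5OGNiMWVmMDgwY2Y3MDUzMWUzOGJkMTJhMWI4ODZhMTYz"
    "ZWI5YWVjMjk4YzczY2EzYmY2NjYwZDM2YjIxMjE4NjA3YzEwMA"
)

def _b64_json(segment):
    """Decode a claims component. Assumption: unpadded Base64 holding a JSON
    object; either Base64 alphabet is accepted."""
    normalized = segment.translate(str.maketrans("-_", "+/"))
    padded = normalized + "=" * (-len(normalized) % 4)
    try:
        value = json.loads(base64.b64decode(padded, validate=True))
    except (binascii.Error, ValueError) as exc:
        raise ValueError("claims are not Base64-encoded JSON") from exc
    if not isinstance(value, dict):
        raise ValueError("claims must be a JSON object")
    return value

def parse_iir(envelope):
    """Split an envelope into header, claims and signature; reject anything else."""
    env_header, sep, item = envelope.strip().partition(":")
    if env_header != "Di" or not sep:
        raise ValueError("missing 'Di' envelope header")
    parts = item.split(".")  # '.' is the component separator
    if len(parts) != 3:
        raise ValueError("an IIR needs exactly header, claims and signature")
    header, claims_b64, signature = parts
    if header != "IIR":
        raise ValueError(f"unexpected item header {header!r}")
    if not claims_b64 or not signature:
        raise ValueError("claims and signature are both required")
    # The signature is returned undecoded and is NOT verified here.
    return {"header": header, "claims": _b64_json(claims_b64), "signature": signature}

if __name__ == "__main__":
    print(json.dumps(parse_iir(EXAMPLE_IIR)["claims"], indent=2))
```

Parsing only checks structure: until the signature has been verified, the decoded claims are untrusted input and should not drive an issuing decision.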
