
Azure AD Verifiable Credential

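Azure Key Vault is a cloud service that enables the secure storage and access of secrets and keys. Your Verifiable Credentials service stores public and private keys in Azure Key Vault. These keys are used to sign and verify credentials. https://docs.microsoft.com/en-us/azure/active-directory/verifiable-credentials/verifiable-credentials-configure-tenant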

How can we find the public and private keys of the verifiable credential? I can see the recovery, signing, and update keys in the Key Vault used for VC.

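Recovery, signing, and encryption are among the various key management and cryptographic operations that need to be selected when creating an access policy for the selected user, thus limiting the scope of operations that can be performed by the keys, secrets, and certificates issued by that user.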

Similarly, the private key and the public key of the verifiable credential cannot be accessed by the 'USER', as the user has delegated that authority to the application registered in Azure AD with the permission 'VerifiableCredential.Create.All', and this application registered in Azure AD has been granted API permission for the API Verifiable Credential Request Service. Thus, the private key is generated and is with the service principal of the Azure resource which issues a 'Verifiable credential' through the registered Azure AD application to create a key, secret, or a certificate in the Azure Key Vault.

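• While the public key is with the key, secret, or certificate generated in Azure Key Vault, the contact for secure communication is made through the hosted application concerned. Thus, in this way, based solely on RBAC (role-based access control) and the access policy operations subsequently created in the key vault, you can create secure communication through a web application without exposing the private and public keys.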

For more information, please refer to the documentation link below:

https://docs.microsoft.com/en-us/azure/active-directory/verifiable-credentials/verifiable-credentials-configure-issuer
