
Azure AD Verifiable Credential

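Azure Key Vault is a cloud service that enables the secure storage and access of secrets and keys. Your Verifiable Credentials service stores public and private keys in Azure Key Vault. These keys are used to sign and verify credentials. https://docs.microsoft.com/en-us/azure/active-directory/verifiable-credentials/verifiable-credentials-configure-tenant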

How can we find the public and private keys of the verifiable credential? I can see the recovery, signing, and update keys in the Key Vault used for VC.

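Recover, sign, and encrypt are the various key management and cryptographic operations that need to be selected when creating an access policy for the selected user, thus limiting the scope of operations that the keys, secrets, and certificates issued by that user can perform.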

Similarly, the private key and the public key of the verifiable credential cannot be accessed by the 'USER', as the user has delegated that authority to the application registered in Azure AD with the permission 'VerifiableCredential.Create.All', and this application registered in Azure AD has been granted API permission for the API Verifiable Credential Request Service. Thus, the private key is generated and is with the service principal of the Azure resource which issues a 'Verifiable credential' through the registered Azure AD application to create a key, secret, or a certificate in the Azure Key Vault.

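• When the public key is together with the key, secret, or certificate generated in Azure Key Vault, the secure communication link is established through the related hosted application. So, in this way, based only on RBAC (role-based access control) and the access policy operations subsequently created in the key vault, you can create secure communication through a web application without exposing the private and public keys.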

For more information, please refer to the following documentation link:

https://docs.microsoft.com/en-us/azure/active-directory/verifiable-credentials/verifiable-credentials-configure-issuer
