Azure AD可验证凭证

Question

Azure密钥库是一种云服务，可以安全地存储和访问机密和密钥。您的可验证凭据服务将公钥和私钥存储在Azure密钥库中。这些密钥用于签署和验证凭据。https://learn.microsoft.com/en-us/azure/active-directory/verifiable-credentials/verifiable-credentials-configure-tenant

我们如何找到可验证凭据的公钥和私钥？我可以在用于VC的密钥库中看到恢复、签名和更新密钥。

Answer 1

·恢复、签名和加密是在为所选用户创建访问策略时需要选择的各种密钥管理和加密操作，从而限制了该用户颁发的密钥、秘密和证书所能执行的操作范围。

类似地，the private key and the public key of the verifiable credential cannot be accessible by the ‘USER’ as the user has delegated that authority to the application registered in Azure AD with the permissions ‘VerifiableCredential.Create.All’ and this application registered in Azure AD has been granted API permission for the API Verifiable Credential Request Service. Thus, the private key is generated and is with the service principal of the Azure resource which issues a ‘Verifiable credential’ through the registered Azure AD application to create a key, secret, or a certificate in the Azure keyvault。

·虽然公钥具有在Azure密钥库中生成的密钥、秘密或证书，但通过托管的相关应用程序完成安全通信的连接。因此，通过这种方式，仅仅基于RBAC (基于角色的访问控制)和随后在密钥库中创建的访问策略操作，您就可以通过web应用程序创建安全的通信，而无需公开私钥和公钥。

欲了解更多信息，请参阅以下文档链接：-

https://learn.microsoft.com/en-us/azure/active-directory/verifiable-credentials/verifiable-credentials-configure-issuer