Digital certificates

US12537697B2 · US · B2

Patent metadata
Publication number: US-12537697-B2
Application number: US-202218579267-A
Country: US
Kind code: B2
Filing date: Jul 15, 2022
Priority date: Jul 16, 2021
Publication date: Jan 27, 2026
Grant date: Jan 27, 2026

Abstract

This disclosure relates to a certificate computer system. A rules store stores, for a template identifier, template identifiers of dependency certificates, attribute paths, and functions to compute output certificate attributes. A certificate metadata store stores, for a certificate identifier, a validity state, certificate identifiers of dependency certificates, and a hash value. A processor generates a certificate by receiving a request comprising a template identifier and dependency certificates. The processor queries a rules store to retrieve a template, and computes a value for the attributes by applying a function from the rules store on attribute values of the dependency certificates. The processor creates the output certificate including the computed value for the computed attributes. The processor may further verify an input certificate by comparing a hash value to the certificate metadata store and retrieving certificate identifiers of dependencies associated with the certificate identifier and checks if dependency certificates are valid.

First claim

The invention claimed is:

1. A method for issuing an output certificate, the method comprising: receiving a request for the output certificate, the request comprising a template identifier and data indicative of one or more dependency certificates, and the output certificate comprising a set of attributes, wherein each attribute has a name and a value; for each of the one or more dependency certificates, checking that the dependency certificate relates to a previously issued certificate; querying a rules store using the template identifier to retrieve a template, wherein the template specifies one or more first attribute paths to first attributes in the output certificate, the template specifies that values of the first attributes are to be computed based on attributes from the dependency certificates, and the template specifies a rule for computing an attribute value for each of the one or more first attribute paths; generating the output certificate based on the request and the template, by: computing an attribute value for each of the one or more first attribute paths specified in the template, by applying the rule associated with that first attribute path on attribute values in the one or more dependency certificates; including the computed attribute value for each of the one or more first attribute paths in the output certificate; and sending the output certificate in a response to the request.

2. The method of claim 1, wherein the template specifies one or more second attribute paths to second attributes in the output certificate, the template specifies that values of the second attributes are to be digitally signed by a trusted endorser and provided in the request, and the method comprises: receiving an endorsement in the request comprising attribute values of the one or more second attribute paths specified in the template, an endorser identifier, and a digital signature associated with the attribute values generated by the endorser using a private key; verifying the digital signature by querying a public key store with the endorser identifier to retrieve a public key associated with the private key, and verifying the digital signature based on the public key and the endorsement; and upon successfully verifying the signature, including the endorsed attributes into the output certificate, by: establishing a precedence order among first attributes and second attributes; and including an attribute value of an attribute path in the output certificate by, upon determining that the attribute path has an existing attribute value filled by a previous step, determining the attribute value to include based on the precedence order.

3. The method of claim 2, wherein issuing the output certificate comprises: querying a rules store on a Blockchain to retrieve the template; querying a public key store on the Blockchain to retrieve the public key; creating a metadata entry for the output certificate in a metadata store on the Blockchain, the metadata entry containing metadata of the output certificate; implementing and executing the method for issuing an output certificate as one or more smart contracts deployed on the Blockchain; and applying a deterministic function on the request to obtain a unique certificate identifier for the output certificate.

4. The method of claim 2, wherein the method comprises: specifying one or more metadata attributes to be included in the output certificate, the one or more metadata attributes being indicative of one or more of: certificate identifier of the output certificate, template identifier of the output certificate, endorser identifier of the output certificate, endorser signature of the output certificate, one or more certificate identifiers of dependency certificates associated with the output certificate, and hash value of the output certificate; obtaining the template identifier of the output certificate from the request; obtaining the certificate identifiers of dependency certificates by extracting certificate identifiers from the dependency certificates in the request; obtaining the endorser identifier and signature from the endorsement in the request; and including the obtained metadata attribute values in the output certificate by: establishing a precedence order among first attributes, second attributes and metadata attributes; and including an attribute value of an attribute path in the output certificate by, upon determining that the attribute path has an existing attribute value filled by a previous step, determining the attribute value to include based on the precedence order.

5. The method of claim 1, wherein the template specifies schema of the attributes in the output certificate, the schema specifying, for each attribute path in the output certificate, a value type and a value range of attribute value associated with the attribute path, and the method further comprises checking that the output certificate satisfies the schema specified in the template, by checking that each attribute value in the output certificate is of the correct type and within the correct range.

6. The method of claim 1, wherein certificate metadata attributes are stored on a metadata store and non-metadata attributes are not stored on the metadata store, and the issuance method comprises: creating a metadata entry in the metadata store, indexed by the certificate identifier of the output certificate; and saving the metadata attributes of the output certificate in the metadata entry.

7. The method of claim 1, wherein a computation rule of an attribute path specifies one or more template identifiers of dependency certificates associated with the attribute path, one or more dependency attribute paths for each of the one or more template identifiers of dependency certificates, and a function for computing an attribute value of the attribute path, where the function can be defined as a combination of arithmetic and logical functions on the attribute values of the one or more dependency attribute paths, and the issuance method comprises: computing an attribute value of an attribute path with an associated computation rule by: for each of the one or more template identifiers of dependency certificates specified in the computation rule, finding a dependency certificate with a matching template identifier from the one or more dependency certificates in the request, and extracting one or more attribute values from the dependency certificate using the one or more dependency attribute paths associated with the template identifier of dependency certificate; obtaining one or more inputs for the function, by gathering the one or more extracted attribute values for each of the one or more template identifiers of dependencies; and applying the function specified in the computation rule on the one or more inputs to obtain the attribute value of the attribute path.

8. The method of claim 1, wherein the method further comprises: checking that each of the one or more dependency certificates in the request relates to a previously issued certificate by: calculating a hash value for the dependency certificate; extracting a certificate identifier from the dependency certificate; querying the metadata store using the certificate identifier to retrieve a metadata entry; and comparing the calculated hash value against the hash value in the metadata entry retrieved from the metadata store; and calculating a hash value of the output certificate and including the hash value in the metadata attributes of the output certificate.

9. The method of claim 1, wherein the template specifies attribute paths of endorsed attributes implicitly.
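
A minimal sketch of the issuance flow in claims 1, 7 and 8, added here as an illustration; it is not code from the patent or its assignee. The "loan-eligibility" template, the attribute names, the in-memory stores, the SHA-256 over canonical JSON and the identifier derivation are all assumptions, and the hash is kept only in the metadata store rather than also inside the certificate.

```python
import hashlib, json

METADATA = {}  # metadata store: certificate id -> {"hash", "valid", "deps"}
RULES = {      # rules store: template id -> {output attribute path: computation rule}
    "loan-eligibility": {"credit.eligible": {   # hypothetical template
        "inputs": [("income-statement", "income.annual"), ("debt-statement", "debt.total")],
        "fn": lambda income, debt: debt <= 0.4 * income}},
}

def cert_hash(cert):
    # Assumption: SHA-256 over canonical JSON; the page names no algorithm.
    data = json.dumps(cert, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(data.encode()).hexdigest()

def get_path(cert, path):
    for key in path.split("."):
        cert = cert[key]
    return cert

def register(cert):
    meta = cert["meta"]
    METADATA[meta["id"]] = {"hash": cert_hash(cert), "valid": True, "deps": meta["deps"]}
    return cert

def check_dependency(dep):
    # Claim 8: recompute the hash and compare it with the stored metadata entry.
    entry = METADATA.get(dep["meta"]["id"])
    if entry is None or not entry["valid"] or entry["hash"] != cert_hash(dep):
        raise ValueError("dependency is not a valid, previously issued certificate")

def issue(template_id, deps):
    for dep in deps:
        check_dependency(dep)
    by_template = {d["meta"]["template"]: d for d in deps}
    dep_ids = sorted(d["meta"]["id"] for d in deps)
    # Deterministic identifier derived from the request (derivation is assumed).
    cert_id = hashlib.sha256(json.dumps([template_id, dep_ids]).encode()).hexdigest()[:16]
    cert = {"meta": {"id": cert_id, "template": template_id, "deps": dep_ids}}
    for path, rule in RULES[template_id].items():  # claim 7: apply each rule
        args = [get_path(by_template[t], p) for t, p in rule["inputs"]]
        *parents, leaf = path.split(".")
        node = cert
        for key in parents:
            node = node.setdefault(key, {})
        node[leaf] = rule["fn"](*args)
    return register(cert)

# Constructed sample dependency certificates, registered as previously issued.
INCOME = register({"meta": {"id": "inc-1", "template": "income-statement", "deps": []},
                   "income": {"annual": 100000}})
DEBT = register({"meta": {"id": "debt-1", "template": "debt-statement", "deps": []},
                 "debt": {"total": 30000}})
```

Calling issue("loan-eligibility", [INCOME, DEBT]) yields a certificate whose credit.eligible attribute is computed from the two dependencies; a dependency whose attributes were altered after issuance fails the hash comparison and is rejected.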

Assignees

Inventors

Classifications

  • H04L9/3263 (Primary): involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements (network architectures or network communication protocols for supporting authentication of entities using certificates in a packet data network H04L63/0823)

  • involving digital signatures

  • using hash chains, e.g. blockchains or hash trees

  • Protecting data integrity, e.g. using checksums, certificates or signatures

  • using cryptographic hash functions

Frequently asked questions

Answers are generated from the same data shown on this page.

Who is the assignee on this patent?
Commw Scient Ind Res Org
What technology area does this patent fall under?
Primary CPC classification H04L9/3263. Mapped technology areas include Electricity.
When was this patent published?
Publication date Jan 27, 2026 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 12 related publications on this page (citations in our corpus or others sharing the same primary CPC).