Re: Digital Signatures for Credentials from Victoriano Giralt on 2014-11-17 (public-credentials@w3.org from November 2014)

From: Victoriano Giralt <victoriano@uma.es>
Date: Mon, 17 Nov 2014 19:58:57 +0100
To: public-credentials@w3.org
Message-ID: <546A4571.5020707@uma.es>
Hi all, I'm a new comer in this space, but I've been suffering X.509
based signatures long enough to feel itch to enter the conversation :)

On 11/17/2014 03:32 AM, Manu Sporny wrote:
8<----- snip----8<

> In general, both technologies allow a developer to:
> * Digitally sign data
> * Verify digitally signed data
> * Express public/private keypairs
> * Encrypt and decrypt data in message envelopes
> 
> In this respect, neither technology is that different from what XML
> Digital Signatures enables one to do.

or PGP for that matter

> JSON-LD Secure Messaging Pros:
> * Clear-text signatures (easier to see/debug what's going on)
> * Works with any RDF syntax (N-Quads, TURTLE, etc.)
> * Ensures discoverability of public keys via the Web
> * Simpler interface for Web developers
> * Extensible message format due to JSON-LD
> * Designed to integrate cleanly with HTTP Signatures
> * Identified as a need for both the Social Web WG and
>   Web Annotations WG due to dependence on JSON-LD

That makes 7 Pros

> JSON-LD Secure Messaging Cons:
> * Not an official standard yet
> * Graph Normalization algorithm is hidden from developers, but
>   very complex

Two cons, but one of them looks scary

> JOSE Pros:
> * First mover advantage
> * Already an IETF standard with thorough security review
> * More software libraries exist for JOSE

Just three Pros

> JOSE Cons:
> * Signed data is an opaque blob, which is very difficult to try and
>   debug
> * Fairly difficult to use for Web developers due to exposing too much
>   complexity
> * Format is not extensible, requires coordination through IETF
> * No standardized public key discoverability mechanism

Four Cons, and to me, much nastier that the SM scary Con

> The biggest downside with the SM approach is that it's not a W3C
> standard yet and that will take some time (1-2 years). The technology is

Question: is it that 1-2 year "wait" a show stopper?

> done and there are multiple interoperable implementations out there, so

So ... it can be used now.

> So, with that introduction - are there any thoughts on SM vs. JOSE? Does
> anyone feel that strongly one way or the other? Any pros/cons that are
> not in the list above that should be?

For me, the four JOSE cons are heavier that the two SM cons. while each
of the seven SM pros, weigh more or less the same as each of the three
JOSE pros, well, the IETF security review is a bit heavier, I reckon,
but, then, the KISS/Ocam principle, should make a thorough security
review "easier" to accomplish. So, for me, 7-3 2-4 plus being simpler,
SM is a clear winner if/when security can be thoroughly reviewed.

-- 
Victoriano Giralt                             Central ICT Services
Systems Manager                               University of Malaga
+34952131415                                  SPAIN
==================================================================
Note: signature.asc is the electronic signature of present message
A: Yes.
> Q: Are you sure ?
>> A: Because it reverses the logical flow of conversation.
>>> Q: Why is top posting annoying in email ?
Received on Tuesday, 18 November 2014 16:32:29 UTC