W3C home > Mailing lists > Public > public-credentials@w3.org > May 2017

Re: Progress on Linked Data Signatures from IETF 98

From: Manu Sporny <msporny@digitalbazaar.com>
Date: Mon, 8 May 2017 09:47:15 -0400
To: Anders Rundgren <anders.rundgren.net@gmail.com>, Adrian Hope-Bailie <adrian@hopebailie.com>, "Stone, Matt" <matt.stone@pearson.com>
Cc: Credentials Community Group <public-credentials@w3.org>
Message-ID: <167d1528-10f2-2263-17a5-abd8f5cfa012@digitalbazaar.com>
On 05/08/2017 09:20 AM, Anders Rundgren wrote:
> I hope the VC WG in progress realizes that founding their work on 
> Linked Data Signatures would (as far as I can tell...) require 
> credentials to be specified in JSON-LD.

Not true. :)

Linked Data Signatures allows the specification of different
normalization algorithms.

We could easily swap out the RDF Dataset Canonicalization algorithm for
a pure JSON-based one. In fact, we have been kicking this idea around
for a few years, but have not specified it yet because it doesn't seem
to be a blocker for anyone. If it /did/ end up being a blocker, we'd
basically define a JSON canonicalization algorithm that recursively
sorts all keys in lexicographical order and then serializes using no
spaces/padding/etc.

So, Anders, the canonicalization algorithm would basically be what
you've been touting for a while now.

The downside for pure JSON-based canonicalization is what it has always
been: the signatures only work for JSON; they're not syntax agnostic.
All of our current signatures for Verifiable Claims ARE syntax agnostic,
which provides a certain level of future proofing when JSON goes out of
style. For example, I'm hearing that CBOR is the new hot thing and that
JSON's days are numbered. :)

> By rather using a signature scheme that only signs the actual "JSON 
> bytes", people would be able to mix JSON and JSON-LD as they want.

Yes, but with the downside listed above.

> However, based on an off-list conversation with a JSON-LD
> enthusiast, the fact that Linked Data Signatures effectively builds
> on RDF normalization/expansion, both sides can verify that they
> indeed do the same interpretation of that.

Yes. The argument against using RDF Dataset Normalization is that it's
overly complicated for some situations, which is a valid argument. It
does, however, have its advantages such as meeting a number of
requirements that we have for Verifiable Claims, such as the ability to
simply express a signed document in an HTML page available to a search
engine.

> Another way of achieving same function would be to create a specific 
> property holding a hash of the RDF normalization and embedding that 
> in the JSON document signed by a "regular" signature method.

Yep, this is effectively just another type of signature stored with the
data.

-- manu

-- 
Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny)
Founder/CEO - Digital Bazaar, Inc.
blog: Rebalancing How the Web is Built
http://manu.sporny.org/2016/rebalancing/
Received on Monday, 8 May 2017 13:47:44 UTC

This archive was generated by hypermail 2.3.1 : Wednesday, 11 July 2018 21:19:37 UTC