
Re: LD signature questions raised at the Rebooting Web of Trust

From: Manu Sporny <msporny@digitalbazaar.com>
Date: Fri, 19 May 2017 20:08:42 -0400
To: Anders Rundgren <anders.rundgren.net@gmail.com>, public-credentials@w3.org
Message-ID: <591F8909.3060903@digitalbazaar.com>

On 05/19/2017 02:59 PM, Anders Rundgren wrote:
>> Yes, by default they should... but we have not had the opportunity
>> to update all the libraries to work in this manner. We have a plan
>> of how to do it, though.
> 
> I don't understand what you are writing here but it might be due to my
> limited insight in RDF and such but it sounds pretty scary in my ears
> at least.

Well, it depends on what you think is happening. :)

At the moment, if you use something like the jsonld-signatures libraries
to sign something, it can "silently" drop values before it normalizes as
a part of the JSON-LD expansion process.

However, anyone doing a regular expansion would see these values dropped
and most of the systems we are aware of do expansion/compaction on a
regular basis such that developers will see these values drop in their
applications and will get exceptions.

This, however, is not always the case and we realize that some
developers may not know that this is going on. The danger is that they
verify the signature, which would check out, and then they use the data
that came in on the wire rather than compacting/expanding again (which
they should be doing, anyway).

While this is not necessarily a bug, it could cause developers that
don't know about the dangers of using pre-canonicalized data to create
systems that are susceptible to attack. So, we just need to change the
default behavior of the libraries. The specs may need to be updated to
follow suit (for example, throw an error if any data is dropped during
normalization).

> Q: How does this relate to applications that only want to use LDS
> for "plain JSON"?

It doesn't. The above is specifically related to the Universal RDF
Dataset Canonicalization Algorithm. The JSON-based canonicalization
algorithm wouldn't be susceptible to the same issue AFAICT.

-- manu

-- 
Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny)
Founder/CEO - Digital Bazaar, Inc.
blog: Rebalancing How the Web is Built
http://manu.sporny.org/2016/rebalancing/
Received on Saturday, 20 May 2017 00:09:12 UTC
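
The behaviour described in the message above, as an added example that is not part of the original email or of the jsonld-signatures library: a simplified model of the expansion rule that drops properties with no term definition, with a strict check that throws instead of dropping. It assumes inline object contexts only; `isMapped`, `findDropped`, `assertNothingDropped` and the sample document are constructed for illustration.

```javascript
// Simplified model of the unmapped-term rule in JSON-LD expansion; not jsonld.js.
// Assumption: @context is an inline object (no remote, array or scoped contexts).

// A key survives expansion if it is a keyword, looks like an IRI or compact IRI,
// has a non-null term definition in the active context, or @vocab is set.
function isMapped(key, ctx) {
  if (key.startsWith('@') || key.includes(':')) return true;
  if (Object.prototype.hasOwnProperty.call(ctx, key)) return ctx[key] !== null;
  return typeof ctx['@vocab'] === 'string';
}

// Paths of every property that expansion would silently drop, i.e. data that
// is present on the wire but not covered by the signature.
function findDropped(node, ctx = {}, path = '') {
  if (Array.isArray(node)) {
    return node.flatMap((v, i) => findDropped(v, ctx, `${path}/${i}`));
  }
  if (node === null || typeof node !== 'object') return [];
  const local = node['@context'];
  const inline = local && typeof local === 'object' && !Array.isArray(local);
  const active = inline ? { ...ctx, ...local } : ctx;
  const dropped = [];
  for (const [key, value] of Object.entries(node)) {
    if (key === '@context') continue;
    if (!isMapped(key, active)) dropped.push(`${path}/${key}`);
    else dropped.push(...findDropped(value, active, `${path}/${key}`));
  }
  return dropped;
}

// Strict mode: refuse to sign or verify when anything would be dropped.
function assertNothingDropped(doc) {
  const dropped = findDropped(doc);
  if (dropped.length > 0) {
    throw new Error(`properties not covered by signature: ${dropped.join(', ')}`);
  }
  return doc;
}

// Constructed sample: "role" and "subject.clearance" have no term definition.
const wireDoc = {
  '@context': { name: 'http://schema.org/name', subject: 'http://example.org/subject' },
  name: 'Alice',
  role: 'admin',
  subject: { name: 'Bob', clearance: 'high' },
};
console.log(findDropped(wireDoc));
```

An application that runs a check like this before trusting a verified document, or that only reads the re-expanded or re-compacted form, never consumes a value the signature did not cover.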
