- From: Peter Patel-Schneider <pfpschneider@gmail.com>
- Date: Fri, 21 May 2021 16:40:45 -0400
- To: Manu Sporny <msporny@digitalbazaar.com>, semantic-web@w3.org
I would be fine with any faculty member at a decent university whose speciality is cryptographic computer security saying that the algorithms in https://w3c-ccg.github.io/ld-proofs/#algorithms are secure assuming that the canonicalization algorithm works as stated. Even better would be that person also stating that the RDF dataset normalization algorithm doesn't introduce any problems when used as a canonicalization algorithm.

Linked Data Proofs 1.0 - https://w3c-ccg.github.io/ld-proofs/ - has several parts: canonicalization, signing, and embedding. It has no pointers to implementations of the entire method.

https://github.com/digitalbazaar/vc-js talks about verifiable credentials and verifiable presentations. It's unclear what the relationship between these and linked data proofs is. I'm looking for commands that have the same inputs and outputs as the algorithms in https://w3c-ccg.github.io/ld-proofs/#algorithms

https://github.com/spruceid/didkit has a set of commands, in https://github.com/spruceid/didkit/tree/main/cli It does reference Linked Data Proofs 1.0. Its didkit vc-issue-credential command looks close to what is required, but I don't see a complete correspondence.

https://github.com/danubetech/verifiable-credentials-java links to some examples that look close to what is required, but I don't see something that looks like Example 6 of Linked Data Proofs 1.0.

What I would like to see is some code and associated documentation that says something like:

    To sign a document that encodes an RDF dataset as in
    https://w3c-ccg.github.io/ld-proofs/#proof-algorithm run

        FOO document options key

    where document is the name of a file containing a document that
    encodes an RDF dataset, key is an X private key, and options
    contains a W key-pair identifier with key as private key and a
    current date in UTC.

    This will canonicalize the document using Y and sign the result
    using X with key in such a way that any document encoding an RDF
    dataset isomorphic to the one in the original document will have
    the same signature. A signed document will be output on standard
    output.

And similarly for the verification algorithm.

I didn't recognize this anywhere I looked.

peter

On Fri, 2021-05-21 at 10:23 -0400, Manu Sporny wrote:
> Peter Patel-Schneider wrote:
> > So I'm waiting for some security expert sign-off on the entirety of the
> > proof algorithms in Linked Data Proofs 1.0, and also for an open-source
> > reference implementation of the algorithms. I don't think that the WG
> > should start until both of these have been made available.
>
> Multiple open source reference implementations, a corresponding test suite,
> and higher-level Verifiable Credential libraries that used the RDF Dataset
> Canonicalization algorithms were provided to you here (over a week ago):
>
> https://lists.w3.org/Archives/Public/semantic-web/2021May/0126.html
>
> As for your request for "security expert sign-off" -- please mention who,
> specifically, that you would like to sign off on the implemented algorithms.
> Or at least, provide an extensive and complete list of qualifications you'd
> like to see for the "security expert". The people that have reviewed the work
> to date over the last 8+ years don't seem to be meeting your nebulous set of
> qualifications and I expect you will have to be far more precise regarding
> your "security expert" definition.
>
> This sort of "expert review" (which has been done to the degree that has
> already been documented) is also one of the reasons we convene W3C Working
> Groups... so demanding it all happen before a group is created tends to defeat
> one of the reasons for creating the group in the first place.
>
> -- manu

Received on Friday, 21 May 2021 20:42:01 UTC