W3C home > Mailing lists > Public > public-credentials@w3.org > July 2016

Re: Questions about Linked Data Signatures for Verifiable Claims

From: Manu Sporny <msporny@digitalbazaar.com>
Date: Tue, 26 Jul 2016 12:01:38 -0400
To: public-credentials@w3.org
Message-ID: <5b96a03a-2a67-22ce-88f4-92e3832b55a3@digitalbazaar.com>
On 07/26/2016 10:53 AM, Nate Otto wrote:
> I would like to make it so that claims (badges) may be issued that 
> are not "forward-shareable", meaning that only an authorized 
> inspectors are able to verify a verifiable claim and that recipients
>  and issuers work together to get verifiable claims to intended 
> inspectors.

We might need to be careful with this, as a few of the organizations
that we're talking with want to offload the inspection of verifiable
claims to other organizations. Doing so would require an additional
mechanism to state which "verifier keys" the inspector wants to tie the
credential to.

> This would have the cost of making verifiable claims using this 
> mechanism not fully portable (because the recipient could never give
>  them to an arbitrary inspector to verify without interaction with 
> the issuer to obtain a copy signed to that inspector), but in some 
> cases privacy trumps portability.

Right, so understanding the use cases for this feature are important.

> Of course, anyone who possesses information on the Internet may 
> technically share that information with others, but if we make it so 
> that the verifiable nature of a claim does not travel to all holders,
> we can make it possible that the ecosystem is truly user-centric.

Arguable, as self-sovereign/user-centric also has to do with ease of use
and privacy. This feature doesn't really protect one's privacy and we're
also making the system more complex with this feature. That said, let's
put that to the side for the moment and talk about the technical details.

>From a technical perspective, this is do-able, but doesn't really
address the "privacy" use case... some thoughts below.

> - Is it possible to leave the message content in plaintext but make 
> the signature verifiable only by the holder of a specific private 
> key? (This would facilitate multiple signatures to different 
> domainKeys on the same message -- otherwise it would be fine to 
> encrypt the message content as well)

Thinking about this a bit more from the last time we talked about it...
yes, we could extend the Linked Data Signatures spec to perform a
signature and then encrypt only the signature field to a specific target
key so that only the receiving entity can verify the information. For

  "@context": {...},
  "claim": {"id": "did:abc123", "isAwesome": true},
  "signature": {
    "type": "EncryptedSignature2016",
    "creator": "https://publickeys.net/issuer1key",
    "created": "2016-07-25T12:34:56Z",
    "domain": "https://publickeys.net/inspector2key",
    "signatureValue": "BASE64(ENCRYPT(SIGNATURE, inspector2key))"

So, verifying that signature would go through the following steps:

1. Decrypt the signatureValue using the inspector's private key.
2. Verify the resulting signature using the issuer's public key.

That said, I'm not sure this really protects one's privacy as the
information is in clear text and in 99.9% of the cases, that information
is going to be valid.

So, the question is - what's the actual attack? What are we trying to

If the answer is "make sure information is not shared", we may find
that's impossible to do given bad actors in the system (for example,
inspectors that forward information to other organizations via 3rd party
information sharing agreements).

We may find that the W3C Permissions and Obligations Expression language
to be more useful to us than making the crypto more complex:


... coupled with enough Common Law to give the restrictions some legal bite.

> - I'm interested in building an index of public keys that are trusted
> by users on a system and associating them with descriptive 
> information about the entities that hold them.

Both do-able, but need more information about the use case to see if
it's a problem we want to solve (via the standard).

> How should these keys be indexed/identified and related to the 
> entities that hold them?

I'd assume in the same way that the Linked Data Signature spec works
today. For example, if you dereference this (fake) key:


You should see something like this:

  "@context": "https://w3id.org/identity/v1",
  "id": "https://publickeys.net/issuer1key",
  "type": "CryptographicKey",
  "owner": "https://publickeys.net/issuer1",
  "label": "Issuer 1 signing key",
  "publicKeyPem": "-----BEGIN PUBLIC KEY-----\nMIIBI..."

and if you dereference the "owner" of that key, you should get:

   "@context" : "https://w3id.org/identity/v1",
   "id" : "https://publickeys.net/issuer1",
   "type" : "Identity",
   "label" : "Issuer 1"
   "description" : "A short human-readable description of issuer1",
   "publicKey" : {
      "id" : "https://publickeys.net/issuer1key",
      "type" : "CryptographicKey"
      "label" : "Issuer 1 signing key",
      "owner" : "https://publickeys.net/issuer1",

... plus any other information you deem appropriate.

> Is an HTTP(s) URL the best way to identify a key (and maybe obtain 
> descriptive public linked data about the entity it belongs to)?

It's the best way that we've found. Other options include:

1. public key fingerprints/hashes
2. pointers to public ledgers
3. OIDs

Keep in mind that every option other than an HTTP URL needs to have a
corresponding dereferencing mechanism that the client understands (that
is, how do you get at the data pointed to by the identifier?).

> - What does the document look like that is obtained by dereferencing
>  the key URLs that appear here?

Answered above... did any of that help, Nate?

-- manu

Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny)
Founder/CEO - Digital Bazaar, Inc.
blog: The Web Browser API Incubation Anti-Pattern
Received on Tuesday, 26 July 2016 16:02:02 UTC

This archive was generated by hypermail 2.3.1 : Wednesday, 11 July 2018 21:19:30 UTC