- From: Manu Sporny <msporny@digitalbazaar.com>
- Date: Fri, 19 May 2017 20:08:42 -0400
- To: Anders Rundgren <anders.rundgren.net@gmail.com>, public-credentials@w3.org
On 05/19/2017 02:59 PM, Anders Rundgren wrote:
>> Yes, by default they should... but we have not had the opportunity
>> to update all the libraries to work in this manner. We have a plan
>> of how to do it, though.
>
> I don't understand what you are writing here but it might be due to my
> limited insight in RDF and such but it sounds pretty scary in my ears
> at least.

Well, it depends on what you think is happening. :)

At the moment, if you use something like the jsonld-signatures libraries to sign something, it can "silently" drop values before it normalizes as a part of the JSON-LD expansion process. However, anyone doing a regular expansion would see these values dropped, and most of the systems we are aware of do expansion/compaction on a regular basis, such that developers will see these values drop in their applications and will get exceptions.

This, however, is not always the case, and we realize that some developers may not know that this is going on. The danger is that they verify the signature, which would check out, and then they use the data that came in on the wire rather than compacting/expanding again (which they should be doing, anyway).

While this is not necessarily a bug, it could cause developers who don't know about the dangers of using pre-canonicalized data to create systems that are susceptible to attack. So, we just need to change the default behavior of the libraries. The specs may need to be updated to follow suit (for example, throw an error if any data is dropped during normalization).

> Q: How does this relate to applications that only want to use LDS
> for "plain JSON"?

It doesn't. The above is specifically related to the Universal RDF Dataset Canonicalization Algorithm. The JSON-based canonicalization algorithm wouldn't be susceptible to the same issue AFAICT.

-- manu

-- 
Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny)
Founder/CEO - Digital Bazaar, Inc.
blog: Rebalancing How the Web is Built http://manu.sporny.org/2016/rebalancing/
Received on Saturday, 20 May 2017 00:09:12 UTC