W3C home > Mailing lists > Public > public-credentials@w3.org > September 2017

Re: Verifiable Claims expiration

From: Manu Sporny <msporny@digitalbazaar.com>
Date: Sun, 17 Sep 2017 09:33:41 -0400
To: public-credentials@w3.org
Message-ID: <d9a74504-3b1d-fc32-d22f-91851285db2e@digitalbazaar.com>
On 09/17/2017 02:55 AM, David Chadwick wrote:
> And from a security perspective this is flawed, since no
> cryptography will last for ever

Jumping to the conclusion that this is flawed is premature.

It all depends on how the verifier handles issuer key management.

Remember, part of the verification process is retrieving the public key
and checking for a revocation or expiration on the key. If the
credential was issued /after/ the key expired, it's clearly invalid. If
there is a known exploit for the sort of digital signature used, then
the verifier can flag the credential as untrustworthy.

There are many other things that go into whether or not to trust a
credential. The expiration time that an issuer places on a credential is
just ONE signal... and if they don't include that signal, we shouldn't
flag it as an error.

To put it another way, if we make "expiration" mandatory, it still won't
solve the problem of "broken crypto". What happens when a flaw is found
well before the expiration of the credential? It still puts us in the
same place we are right now of the verifier having to check other signals.

I suggest that we treat all of these fields as signals for the verifier,
not absolute truths.

-- manu

Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny)
Founder/CEO - Digital Bazaar, Inc.
blog: Rebalancing How the Web is Built
Received on Sunday, 17 September 2017 13:34:04 UTC

This archive was generated by hypermail 2.4.0 : Thursday, 24 March 2022 20:24:45 UTC