- From: Kim Hamilton Duffy <kim@learningmachine.com>
- Date: Tue, 30 Oct 2018 13:51:28 -0700
- To: Daniel Burnett <daniel.burnett@consensys.net>
- Cc: Oliver Terbu <oliver.terbu@consensys.net>, Pelle Braendgaard <pelle.braendgaard@consensys.net>, Anders Rundgren <anders.rundgren.net@gmail.com>, dean@authenticity.ac, public-credentials@w3.org
- Message-ID: <CAB=TY86GBhyutpzUK7y+oqv5z15GRO5K7tTF8Z+OM4g0hR=9EA@mail.gmail.com>
Thank you Dan and Oliver for doing this. I’m very encouraged by this iteration of JSON-LD/JWT email threads, and eagerly awaiting your results. I imagine the scope could be a bit beyond what you can take on for VCWG, so let us know if you’d like CCG airtime/involvement. We’ve already discussed taking on some tooling improvements (mentioned above), but that’s just part of the solution. On Tue, Oct 30, 2018 at 2:28 AM Daniel Burnett <daniel.burnett@consensys.net> wrote: > It turns out that Oliver and I are both in Prague this week, so we will > meet first in person to brainstorm practical options for how this work > might occur in relation to the VCWG's current specifications and timelines. > > -- dan > > On Tue, Oct 30, 2018 at 4:54 AM Oliver Terbu <oliver.terbu@consensys.net> > wrote: > >> Hi Dan, >> >> I have been following this thread for a while now. After last RWOT and >> especially after last IIW, I can clearly see that we should make progress >> in both directions: JWT and JSON-LD. As Pelle mentioned, it doesn’t make >> sense to refer to articles listing the pros and cons of one option over the >> other. We already are aware of those. It is time to make progress. >> >> @Dan: I am very interested and I am willing to contribute on a proposal >> for a JWT-based VC specification as suggested by Dan Burnett. Does it make >> sense to organise separate calls which are only JWT-specific until we have >> a first draft and then bring it to the W3C CC (VC) group? In this case, I >> am happy to arrange these calls for all people that are interested. >> >> If you believe separate calls do not make sense, please let me know what >> would be an appropriate approach. >> >> Thanks, >> Oliver >> >> On 29. Oct 2018, at 21:20, Daniel Burnett <daniel.burnett@consensys.net> >> wrote: >> >> >> >> On Sun, Oct 28, 2018 at 5:32 PM Pelle Braendgaard < >> pelle.braendgaard@consensys.net> wrote: >> >>> Just to clarify. I’m not a fan of canonicalization for the reasons >>> mentioned here, but it could work with proper tooling. >>> >>> My main problem is that it you have to be intimately knowledgeable of >>> how json-ld, canonicalization and even how did resolution works before you >>> can safely take a verifiable claim and verify it. >>> >>> It is even more complex due to the nested aspects of many parts of the >>> proposed VC standards. >>> >>> In many cases in its extreme flexibility it has the same very dangerous >>> aspects of xmlsig. >>> >>> For VC to actually be used it needs to have tooling that can safely be >>> used by regular bank or web devs to verify what is sent to them. >>> >>> Ideally it would be simple enough that we could get a plethora of >>> implementations as well, but it seems unlikely since it’s fans don’t seem >>> interested in fixing these aspects in the name of flexibility and >>> readability. >>> >>> This is why I propose a workable middleground. Those who believe >>> strongly in the power of JSONLD invest in useable tooling to make it >>> foolproof. >>> >>> At the same time those of us that are sceptical work to create better >>> proposals for VC based on JWT. >>> >> >> The Verifiable Claims Working Group, the standards-track group where this >> work is being finalized, takes this very seriously, having discussed this >> topic at every face-to-face meeting since inception and always reaching a >> conclusion of 'we would like more detailed proposals from those who prefer >> a JWT-based approach'. As a member of the VCWG yourself, you are no doubt >> aware that we have been seeking precisely such detailed proposals since the >> beginning of that group in March 2017. >> As a co-chair of the VCWG, I would like to ask you to expedite that >> work. Our group is chartered to complete in March of next year, with an >> expectation of feature / substantive content freeze on November 6th of this >> year (yes, in just a couple of weeks). If your detailed proposals come in >> after that time we may need to consider adding them in a version 2.0 >> when/if such additional work is chartered. We look forward to receiving >> your (and others') proposals. >> >> >>> Currently the state of libraries for json ld signature validation means >>> that most of us working on real production apps will not support it. >>> >>> The problem is not solved by a back and forth sending links on the pros >>> and cons. I think we’re all aware of them and are past that. >>> >>> Thanks. Hopefully we can make progress. >>> >>> Pelle >>> >>> On Sun, Oct 28, 2018 at 17:04 Anders Rundgren < >>> anders.rundgren.net@gmail.com> wrote: >>> >>>> On 2018-10-28 19:37, Dean Kevin Poulsen wrote: >>>> > Anders, >>>> > >>>> > Maybe canonicalization can be eliminated, because the need for >>>> canonicalization stems from the core issue, which is: >>>> > — The requirement that signed content be modified after being >>>> signed. >>>> >>>> Kevin, >>>> It is rather the wish using standard JSON tools which (typically) do >>>> not respect property order that calls for canonicalization. >>>> >>>> In the case of JSON-LD it is even worse since the requirement is to >>>> verify that both sides use the same graph expansion scheme. >>>> >>>> I started with building unique JSON tools which preserved property >>>> order and textual representation of elements. This worked flawlessly but I >>>> had to give it up anyway since nobody wanted to change their parser :-( The >>>> recent draft has a potentially very interesting quality: It can (with ease) >>>> be implemented as a option in a JSON serializer. Sorting is a one-liner >>>> and number serializing is well defined and open sourced. I use the >>>> canonicalization scheme for multiple purposes in my applications. Example: >>>> https://cyberphone.github.io/doc/saturn/bank2bank-payment.html#userauthz >>>> (requestHash). >>>> >>>> Enveloping and detached signature schemes do not require explicit >>>> modification of signed data but I stick to enveloped signatures because >>>> they preserve the structure of the data. >>>> >>>> Related discussion in the IETF: >>>> https://www.ietf.org/mail-archive/web/jose/current/msg05752.html >>>> >>>> Regards, >>>> Anders >>>> >>>> >>>> Then, the receiver is required to recreate the signed content through >>>> prescribed manipulations. >>>> > >>>> > “Seasoned XML developers recalling difficulties getting signatures to >>>> > validate (usually due to different interpretations of the quite >>>> > intricate XML canonicalization rules as well as of the equally >>>> > extensive Web Services security standards)…” >>>> > — From the introduction to: >>>> https://tools.ietf.org/html/draft-rundgren-json-canonicalization-scheme-01 >>>> > >>>> > >>>> > ------ >>>> > My opinion: SIGNED CONTENT SHOULD NOT BE MODIFIED AFTER IT IS SIGNED. >>>> > >>>> > To simplify the proposal, here's a signed JSON-LD in the existing >>>> standard and the same signed JSON-LD revised per my proposal: >>>> > >>>> > >>>> > My proposal does two things: >>>> > >>>> > 1. It splits the “proof” array into two arrays: “proofMetadata” and >>>> “proofValue”. >>>> > 2. It puts the signed content into a “signedContent” array. The >>>> “proofValue” immediately follows the “signedContent” >>>> > >>>> > This pulls the “proofValue” out of the signed content, eliminating >>>> the need to modify the signed content after it has been signed (except in >>>> the case of signature sets, where minimal modification is suggested for >>>> convenience). >>>> > >>>> > >>>> > — >>>> > You mentioned that one form of canonicalization doesn’t require the >>>> signature to be included. I can’t find that option in the links that you >>>> sent. Can you point me in the right direction? >>>> > >>>> > Thanks, >>>> > Kevin >>>> > [“Dean” is a title, not my name. :) ] >>>> > >>>> > >>>> > >>>> > >>>> >> On Oct 27, 2018, at 11:27 PM, Anders Rundgren < >>>> anders.rundgren.net@gmail.com <mailto:anders.rundgren.net@gmail.com>> >>>> wrote: >>>> >> >>>> >> Hi Dean, >>>> >> >>>> >> I don't completely follow your proposal. Does it actually remove >>>> the need for RDF/LD canonicalization? >>>> >> >>>> >> Anyway, there are subtle differences between formats and one is if >>>> the signature parameters should be included or not. Including them >>>> requires that the data is modified by the signature and verify process. >>>> >> >>>> >> FWIW, this is how my Java verifier code deals with this particular >>>> topic for JSON Clear text Signatures: >>>> >> >>>> >> // 1. Make a shallow copy of the signature object >>>> >> LinkedHashMap<String, JSONValue> savedProperties = >>>> >> new LinkedHashMap<String, >>>> JSONValue>(innerSignatureObject.root.properties); >>>> >> // 2. Hide the signature value property for the serializer... >>>> >> >>>> innerSignatureObject.root.properties.remove(JSONCryptoHelper.VALUE_JSON); >>>> >> // 3. Serialize ("JSON.stringify()") >>>> >> normalizedData = >>>> signedData.serializeToBytes(JSONOutputFormats.CANONICALIZED); >>>> >> // 4. Restore the signature object >>>> >> innerSignatureObject.root.properties = savedProperties; >>>> >> >>>> >> Regards, >>>> >> Anders >>>> > >>>> >>>> -- >>> *Pelle Brændgaard // uPort Engineering Lead* >>> pelle.braendgaard@consensys.net >>> 49 Bogart St, Suite 22, Brooklyn NY 11206 >>> <https://maps.google.com/?q=49+Bogart+St,+Suite+22,+Brooklyn+NY+11206&entry=gmail&source=g> >>> Web <https://consensys.net/> | Twitter <https://twitter.com/ConsenSys> >>> | Facebook <https://www.facebook.com/consensussystems> | Linkedin >>> <https://www.linkedin.com/company/consensus-systems-consensys-> | >>> Newsletter >>> <http://consensys.us11.list-manage.com/subscribe?u=947c9b18fc27e0b00fc2ad055&id=257df01285&utm_content=buffer1ce12&utm_medium=social&utm_source=facebook.com&utm_campaign=buffer> >>> >> >> -- Kim Hamilton Duffy CTO & Principal Architect Learning Machine Co-chair W3C Credentials Community Group kim@learningmachine.com
Received on Tuesday, 30 October 2018 20:52:05 UTC