- From: Gabe Cohen <gabe.cohen@workday.com>
- Date: Wed, 2 Dec 2020 19:27:03 +0000
- To: Manu Sporny <msporny@digitalbazaar.com>, "public-credentials@w3.org" <public-credentials@w3.org>
- Message-ID: <BYAPR06MB416733D8F8D5838CAF25D5B588F30@BYAPR06MB4167.namprd06.prod.outlook.com>
* you are absolutely not guaranteed to digitally sign the information in the message... just the bytes This is exactly why we created that signature suite. LD isn’t always wanted or necessary. Sometimes just signing the bytes is what you want and need. From: Manu Sporny <msporny@digitalbazaar.com> Date: Wednesday, December 2, 2020 at 9:11 AM To: public-credentials@w3.org <public-credentials@w3.org> Subject: Re: JWS Clear Text JSON Signature Option (JWS/CT) On 11/30/20 1:43 PM, Orie Steele wrote: > I think detached JWS and JCS can provide a much better experience in > certain scenarios when compared to vanilla JOSE. Yes, agreed, however, there is at least one massive gotcha with JWS+JCS (and JOSE in general) -- you are absolutely not guaranteed to digitally sign the information in the message... just the bytes, which means there are some really nasty attacks that can be achieved in open world ecosystems that choose to use JCS+JWS (such as DIDs and Verifiable Credentials). To put it simply, if someone digitally signs this message: { "source": "https://urldefense.proofpoint.com/v2/url?u=https-3A__me.example_me&d=DwICaQ&c=DS6PUFBBr_KiLo7Sjt3ljp5jaW5k2i9ijVXllEdOozc&r=8q0wrOfH-XtkquJe3zZvbZIZ4Fdjh_ScTjE6H3xw59k&m=u94LCmIRkLr7WXI0pIKm7NTSrh6FVbXP5geX3Y31BSQ&s=p0BlERCrdeoh5t_DXEPIiCIfykTNaEl3yOYDoa3owqg&e= ", "destination": "https://urldefense.proofpoint.com/v2/url?u=https-3A__you.example_you&d=DwICaQ&c=DS6PUFBBr_KiLo7Sjt3ljp5jaW5k2i9ijVXllEdOozc&r=8q0wrOfH-XtkquJe3zZvbZIZ4Fdjh_ScTjE6H3xw59k&m=u94LCmIRkLr7WXI0pIKm7NTSrh6FVbXP5geX3Y31BSQ&s=Lpjj0Tye0prI9OG-2uCW8lfexGLQQfbR5_mrsyCOjC0&e= ", "amount": "$14.00" } You have no idea if they mean "source", "destination", and "amount" in the same way that you do. There are a class of security attacks that take advantage of this fact and anyone using JWS+JCS needs to be intimately familiar with that attack surface. History has demonstrated that developers often don't understand those class of attacks, which is why Linked Data Proofs/Signatures were introduced -- to ensure that the developer didn't need to know about cryptography to be protected in all scenarios. While there is nothing inaccurate with what Orie said, folks shouldn't take those statements as "It's totally fine to use JCS over LDS in an open world data model."... because it isn't. :) -- manu -- Manu Sporny - https://urldefense.proofpoint.com/v2/url?u=https-3A__www.linkedin.com_in_manusporny_&d=DwICaQ&c=DS6PUFBBr_KiLo7Sjt3ljp5jaW5k2i9ijVXllEdOozc&r=8q0wrOfH-XtkquJe3zZvbZIZ4Fdjh_ScTjE6H3xw59k&m=u94LCmIRkLr7WXI0pIKm7NTSrh6FVbXP5geX3Y31BSQ&s=dG55oDhfjhuVtQOPu2mcpAWatmTTb4EDUqC3xQGmT9Y&e= Founder/CEO - Digital Bazaar, Inc. blog: Veres One Decentralized Identifier Blockchain Launches https://urldefense.proofpoint.com/v2/url?u=https-3A__tinyurl.com_veres-2Done-2Dlaunches&d=DwICaQ&c=DS6PUFBBr_KiLo7Sjt3ljp5jaW5k2i9ijVXllEdOozc&r=8q0wrOfH-XtkquJe3zZvbZIZ4Fdjh_ScTjE6H3xw59k&m=u94LCmIRkLr7WXI0pIKm7NTSrh6FVbXP5geX3Y31BSQ&s=3Fpj5LQXrJ_LkiJjen77K38QupBad5u-upmu-4NGNWE&e=
Received on Wednesday, 2 December 2020 19:27:48 UTC