Re: JWS Clear Text JSON Signature Option (JWS/CT) from Gabe Cohen on 2020-12-02 (public-credentials@w3.org from December 2020)

From: Gabe Cohen <gabe.cohen@workday.com>
Date: Wed, 2 Dec 2020 19:27:03 +0000
To: Manu Sporny <msporny@digitalbazaar.com>, "public-credentials@w3.org" <public-credentials@w3.org>
Message-ID: <BYAPR06MB416733D8F8D5838CAF25D5B588F30@BYAPR06MB4167.namprd06.prod.outlook.com>

  *   you are absolutely not guaranteed to digitally
sign the information in the message... just the bytes

This is exactly why we created that signature suite. LD isn’t always wanted or necessary. Sometimes just signing the bytes is what you want and need.

From: Manu Sporny <msporny@digitalbazaar.com>
Date: Wednesday, December 2, 2020 at 9:11 AM
To: public-credentials@w3.org <public-credentials@w3.org>
Subject: Re: JWS Clear Text JSON Signature Option (JWS/CT)
On 11/30/20 1:43 PM, Orie Steele wrote:
> I think detached JWS and JCS can provide a much better experience in
>  certain scenarios when compared to vanilla JOSE.

Yes, agreed, however, there is at least one massive gotcha with JWS+JCS
(and JOSE in general) -- you are absolutely not guaranteed to digitally
sign the information in the message... just the bytes, which means there
are some really nasty attacks that can be achieved in open world
ecosystems that choose to use JCS+JWS (such as DIDs and Verifiable
Credentials).

To put it simply, if someone digitally signs this message:

{
  "source": "https://urldefense.proofpoint.com/v2/url?u=https-3A__me.example_me&d=DwICaQ&c=DS6PUFBBr_KiLo7Sjt3ljp5jaW5k2i9ijVXllEdOozc&r=8q0wrOfH-XtkquJe3zZvbZIZ4Fdjh_ScTjE6H3xw59k&m=u94LCmIRkLr7WXI0pIKm7NTSrh6FVbXP5geX3Y31BSQ&s=p0BlERCrdeoh5t_DXEPIiCIfykTNaEl3yOYDoa3owqg&e= ",
  "destination": "https://urldefense.proofpoint.com/v2/url?u=https-3A__you.example_you&d=DwICaQ&c=DS6PUFBBr_KiLo7Sjt3ljp5jaW5k2i9ijVXllEdOozc&r=8q0wrOfH-XtkquJe3zZvbZIZ4Fdjh_ScTjE6H3xw59k&m=u94LCmIRkLr7WXI0pIKm7NTSrh6FVbXP5geX3Y31BSQ&s=Lpjj0Tye0prI9OG-2uCW8lfexGLQQfbR5_mrsyCOjC0&e= ",
  "amount": "$14.00"
}

You have no idea if they mean "source", "destination", and "amount" in
the same way that you do. There are a class of security attacks that
take advantage of this fact and anyone using JWS+JCS needs to be
intimately familiar with that attack surface.

History has demonstrated that developers often don't understand those
class of attacks, which is why Linked Data Proofs/Signatures were
introduced -- to ensure that the developer didn't need to know about
cryptography to be protected in all scenarios.

While there is nothing inaccurate with what Orie said, folks shouldn't
take those statements as "It's totally fine to use JCS over LDS in an
open world data model."... because it isn't. :)

-- manu

--
Manu Sporny - https://urldefense.proofpoint.com/v2/url?u=https-3A__www.linkedin.com_in_manusporny_&d=DwICaQ&c=DS6PUFBBr_KiLo7Sjt3ljp5jaW5k2i9ijVXllEdOozc&r=8q0wrOfH-XtkquJe3zZvbZIZ4Fdjh_ScTjE6H3xw59k&m=u94LCmIRkLr7WXI0pIKm7NTSrh6FVbXP5geX3Y31BSQ&s=dG55oDhfjhuVtQOPu2mcpAWatmTTb4EDUqC3xQGmT9Y&e=
Founder/CEO - Digital Bazaar, Inc.
blog: Veres One Decentralized Identifier Blockchain Launches
https://urldefense.proofpoint.com/v2/url?u=https-3A__tinyurl.com_veres-2Done-2Dlaunches&d=DwICaQ&c=DS6PUFBBr_KiLo7Sjt3ljp5jaW5k2i9ijVXllEdOozc&r=8q0wrOfH-XtkquJe3zZvbZIZ4Fdjh_ScTjE6H3xw59k&m=u94LCmIRkLr7WXI0pIKm7NTSrh6FVbXP5geX3Y31BSQ&s=3Fpj5LQXrJ_LkiJjen77K38QupBad5u-upmu-4NGNWE&e=

Received on Wednesday, 2 December 2020 19:27:48 UTC