W3C home > Mailing lists > Public > public-credentials@w3.org > November 2020

Re: proofs for fragments of JSON-LD documents

From: Manu Sporny <msporny@digitalbazaar.com>
Date: Sat, 7 Nov 2020 14:26:10 -0500
To: public-credentials@w3.org
Message-ID: <88326a27-43e9-4d23-e5a8-959f2285748e@digitalbazaar.com>
On 11/5/20 10:35 AM, Giuseppe Tropea wrote:
> In other words, would it be desirable to specify a way for the
> algorithms to natively operate on portions of JSON-LD documents vs.
> the whole?

No, absolutely not -- this is a really dangerous idea, please don't ever
do it. :)

If you can help it, you never want to digitally sign just a subset of
information. Linked Data Security was designed to avoid this mistake on
purpose.

The issue with signing subsets of information in an otherwise digitally
signed document is that a significant number of developers then go on to
assume that /everything/ is signed, when it is not.

Linked Data Security digitally signs everything, both the message and
*all* of the signing parameters. Don't want something signed? Tough, you
can't do it -- because it will lead to security vulnerabilities.

The correct approach is to verify signatures for all of the pieces of
information you have and then merge everything together (which is one of
the things that Linked Data is designed to do -- easy merging).

It is possible to create an encapsulating JSON-LD container that isn't
signed, but even then, important that you avoid that if you can.

Hope that helps. :)

-- manu

-- 
Manu Sporny - https://www.linkedin.com/in/manusporny/
Founder/CEO - Digital Bazaar, Inc.
blog: Veres One Decentralized Identifier Blockchain Launches
https://tinyurl.com/veres-one-launches
Received on Saturday, 7 November 2020 19:26:24 UTC

This archive was generated by hypermail 2.4.0 : Saturday, 7 November 2020 19:26:25 UTC