Re: Single Use Key Pairs: Disposable Private Keys? from Michael Herman (Trusted Digital Web) on 2021-12-13 (public-credentials@w3.org from December 2021)

From: Michael Herman (Trusted Digital Web) <mwherman@parallelspace.net>
Date: Mon, 13 Dec 2021 17:15:01 +0000
To: Mike Prorock <mprorock@mesur.io>, Bob Wyman <bob@wyman.us>
CC: "sam@prosapien.com" <sam@prosapien.com>, "public-credentials (public-credentials@w3.org)" <public-credentials@w3.org>
Message-ID: <MWHPR1301MB20949C43339064B317E5F528C3749@MWHPR1301MB2094.namprd13.prod.outlook.>

A checksum doesn't amount to a signature/proof.

With a checksum approach, anybody is free to change the VC's claims, metadata (aka packing list), and/or the inner/outer id's and simply recompute the checksum.

If you want to call what I'm proposing single-use key-pair based "checksums" that might be an interesting but confusing term.

What I'm proposing are not checksums in the classic sense. There is a stated assumption that the public key of the SUKP is stored on a VDR for verification purposes.

...are you assuming a classic checksum could be stored in the same way on a VDR?

Get Outlook for Android<https://aka.ms/AAb9ysg>
________________________________
From: Mike Prorock <mprorock@mesur.io>
Sent: Monday, December 13, 2021 10:03:05 AM
To: Bob Wyman <bob@wyman.us>
Cc: Michael Herman (Trusted Digital Web) <mwherman@parallelspace.net>; sam@prosapien.com <sam@prosapien.com>; public-credentials (public-credentials@w3.org) <public-credentials@w3.org>
Subject: Re: Single Use Key Pairs: Disposable Private Keys?

+1 Bob

Mike Prorock
mesur.io<http://mesur.io>

On Mon, Dec 13, 2021, 11:45 Bob Wyman <bob@wyman.us<mailto:bob@wyman.us>> wrote:
I think I'm missing something in the scenario you describe. If the private key has been discarded, how can a signature generated with that private key serve as anything more than a checksum? If a checksum is all you need, why not just provide a checksum? Why bother with the signature?

bob wyman


On Sat, Dec 11, 2021 at 11:50 PM Michael Herman (Trusted Digital Web) <mwherman@parallelspace.net<mailto:mwherman@parallelspace.net>> wrote:
If an NFT (for a photo, a calf, or a kiss, etc.) or a unique one-of-a-kind business document (a specific purchase order, invoice, waybill, delivery confirmation, etc.) is represented as a (signed) verifiable credential, once the proof is generated for the VC, is it necessary to persist the private key used to sign the VC?
...can't the private key be thrown away if it is no longer needed to sign anything further?
...that is, only the public key needs to be persisted and keyed to the VC's outer id and stored in the corresponding DID document?
... inspired by the early part of Sam's KERI ssimeetup talk.

Michael Herman
Founder
Trusted Digital Web
Get Outlook for Android<https://aka.ms/AAb9ysg>

Received on Monday, 13 December 2021 17:15:20 UTC