W3C home > Mailing lists > Public > public-credentials@w3.org > December 2021

Re: Single Use Key Pairs: Disposable Private Keys?

From: ProSapien Sam Smith <sam@prosapien.com>
Date: Mon, 13 Dec 2021 10:58:57 -0700
Cc: Leonard Rosenthol <lrosenth@adobe.com>, "public-credentials (public-credentials@w3.org)" <public-credentials@w3.org>
Message-Id: <7487B140-8F98-45EC-A193-0BB748645B2B@prosapien.com>
To: "Michael Herman (Trusted Digital Web)" <mwherman@parallelspace.net>
If the signature is used to authorize a change of ownership then the private key is no longer useful once the ownership has changed. 
But for many other use cases, merely signing something does not prevent replay attacks. It depends on what is being signed.
Is the signature on an authorization of some form, if so then authorizations are subject to replay attacks and require a presentation where the presentation is signed at the time of presentation
and may require signing a nonce.

If the signature is merely representing that . I (the signer) saw this data and attest that I saw it and makes no other representation. Then once its signed there may not be a need for the private key any more.

But in general the only time when its save to through away a private key is if you have a mechanism for rotating keys e.g. you formally revoke and replace the private key in a verifiable manner.


> On 13 Dec 2021, at 09:33 , Michael Herman (Trusted Digital Web) <mwherman@parallelspace.net> wrote:
> 
> To gently pick on your words a bit Leonard, there's *way too much focus* on Identity ...the infinitesimally smallest class of digitally identifiable objects on the planet. 
> 
> For any singleton VC (e.g. any NFT asset - photo, calf, kiss, purchase order, invoice, waybill, ...), they can be signed with a single-use key-pair and then the private key can be thrown away/discarded (i.e. not persisted). 
> 
> This is a tremendous security-driven improvement for the most numerous classes of VCs on the planet and elsewhere. 
> 
> Cheers, 
> Michael Herman 
> Founder 
> Trusted Digital Web 
> 
> ...inspired by Sam and KERI. 
> 
> Get Outlook for Android <https://aka.ms/AAb9ysg>
> From: Leonard Rosenthol <lrosenth@adobe.com>
> Sent: Monday, December 13, 2021 6:18:40 AM
> To: Michael Herman (Trusted Digital Web) <mwherman@parallelspace.net>; sam@prosapien.com <sam@prosapien.com>; public-credentials (public-credentials@w3.org) <public-credentials@w3.org>
> Subject: Re: Single Use Key Pairs: Disposable Private Keys?
>  
> Michael – interesting question.
>  
> The main reason for keeping the private key around would be if that key is associated with an identity that wishes to establish a history of “trust” by signing multiple objects/documents over time.  If, however, there are reasons why there is no need to do that or you are situation where it is not possible to keep it around (e.g., hardware/memory/storage), then it is fine to dispose of it.
>  
> Leonard
>  
> From: Michael Herman (Trusted Digital Web) <mwherman@parallelspace.net>
> Date: Saturday, December 11, 2021 at 11:50 PM
> To: sam@prosapien.com <sam@prosapien.com>, public-credentials (public-credentials@w3.org) <public-credentials@w3.org>
> Subject: Single Use Key Pairs: Disposable Private Keys?
> 
> If an NFT (for a photo, a calf, or a kiss, etc.) or a unique one-of-a-kind business document (a specific purchase order, invoice, waybill, delivery confirmation, etc.) is represented as a (signed) verifiable credential, once the proof is generated for the VC, is it necessary to persist the private key used to sign the VC? 
> ...can't the private key be thrown away if it is no longer needed to sign anything further? 
> ...that is, only the public key needs to be persisted and keyed to the VC's outer id and stored in the corresponding DID document?
> ... inspired by the early part of Sam's KERI ssimeetup talk.
>  
> Michael Herman
> Founder
> Trusted Digital Web
> Get Outlook for Android <https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Faka.ms%2FAAb9ysg&data=04%7C01%7Clrosenth%40adobe.com%7C012dd9618f544fd3254408d9bd2ad990%7Cfa7b1b5a7b34438794aed2c178decee1%7C0%7C0%7C637748814016005456%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=uE9UXaphFdjMYJFYMO%2Fkta%2BL7wYpIcTZTEEuBFVHcoo%3D&reserved=0>

Received on Monday, 13 December 2021 18:00:14 UTC

This archive was generated by hypermail 2.4.0 : Thursday, 24 March 2022 20:25:25 UTC