W3C home > Mailing lists > Public > public-credentials@w3.org > April 2022

Re: Use of cryptography with W3C VCs and DIDs released

From: Christopher Allen <ChristopherA@lifewithalacrity.com>
Date: Thu, 21 Apr 2022 15:27:25 -0700
Message-ID: <CACrqygDqbpFaZ0WCCarJ5vVXd8uL17-Ji=G5DMzgcBqkmOpBeQ@mail.gmail.com>
To: Manu Sporny <msporny@digitalbazaar.com>
Cc: W3C Credentials CG <public-credentials@w3.org>
On Thu, Apr 21, 2022 at 10:54 AM Manu Sporny <msporny@digitalbazaar.com>

> SRI International has publicly released their independent review on the
> use of
> cryptography in W3C VCs and DIDs and made some recommendations:
> Cryptography Review of W3C Verifiable Credentials Data Model (VCDM) and
> Decentralized Identifiers (DIDs) Standards and Cryptography Implementation
> Recommendations by David Balenson & Nick Genise
> http://www.csl.sri.com/papers/vcdm-did-crypto-recs/
> It's largely a view from the US NIST cybersecurity standards, which are
> used
> through most of the world, but not everywhere. In any case, it's a valuable
> perspective that I hope the VC2WG and DIDWG takes into the next stage of
> the work.

Though I appreciate the hard work that went into this document (including
some support from our community) I ended up having a strong visceral
reaction to it as I feel its recommendations are largely bad long-term
decisions. If you want to do business with the US Government and its allies
(aka LESS "Legally Enabled Self-Sovereign" Identity), you will have to use
them. However, about the only thing I agree with is that we should start to
transition away from SHA-256, initially maybe to SHAKE256 (though I have
other nuances not considered by this report given VRFs, Schnorr and
ZK-proofs opportunities).

I feel there is some urgency here because I have colleagues in both Ukraine
& Russia that are effectively out of business, and I fear for others in
Taiwan. I fear for progressive countries changing their rules, especially
given the re-election of Orban in Hungary, continued leadership
by Morawiecki in Poland & Bolsonaro in Brazil (among many others), possible
election of LePen in France or Trump (or a Trump ally) in the United
States. Many other authoritarian threats are rising around the world.

Recently even in more progressive countries there is evidence and movement
toward using digital technologies to control people that I feel risk human
rights or violate human dignity. Canada closed protestors bank accounts
(and thus their ability to make a living) without using court hearings,
state-controlled central-bank cryptocurrencies are being proposed around
the world with high coercion risks, and public acceptance of Covid inspired
initiatives for legitimate public-health purposes are inspiring similar
approaches for more questionable purposes.

This means that we must fight harder for more decentralized, more
correlation & coercion resistant digital identity technologies. I don't
believe we can do this with an incremental upgrade of our current digital
infrastructure — there are too many "invisible architectures" (see
http://www.astrodigital.org/space/stshorse.html for an example) from early
choices made during the 80s (X.509, expense computationally to make and
secure key on 1990s CPUs, etc.) that make the cryptographic choices today
in DID 1.0, VC 1.1, technologies like JOSE/JWT/JSON-LD, and systems like
OIDC problematic. I helped architect and have actively supported the basic
design concepts behind DIDs & VCs for the last 6 years, but I don't support
their current cryptographic implementation practices.

None of my diatribe here is to say that working toward government-focused
LESS Identity solutions are a waste of effort. They just are not sufficient
for the long-term — being pragmatic today is not good enough.

I personally am forking from DID 1.0, with a hope that maybe someday we can
merge these concepts back into DID 2.0 someday. Here are some of my early
ideal design thoughts & principles:

* Architect proactively for user independence (aka self-sovereign), privacy
focused on correlation-resistance & coercion resistance, use cases to
support human rights and dignity, AND support user resilience and
* Multikey first. This means Distributed Key Generation (DKG), aggregatable
threshold signing & proofs, collaborative identifier and key rotation, and
collaborative identity recovery (not just social network key recovery, but
also recovery facilitated by personal IoT devices, cloud services, and a
personal choice of other responsible entities) using technologies like VSS,
Music2, FROST, ZK-STARKS, etc.
* All identifiers must have rotable key material, and such key material
should be minimally used (say an KERI-style inception key that is
immediately used to rotate, or a blockchain UTXO that is immediately spent).
* Minimize key reuse, avoid using keys for multiple purposes, separate
derived keys from the sources, support punctuated perfect forward secrecy,
* ECDSA , AES and SHA-2 should largely be transitioned out and retired.
* By default all public keys should be considered to to represent multisig
collaborative controllers, whether that is a key created in a VSS or Musig2
or FROST collaborate ceremony between multiple devices held by a single
individual (say a mobile phone, smart ring or watch, and a cloud service),
or by a dyad for P2P (Adam and Bart have a single public key that can only
be used in signing when they cooperative), or triads and up (some form of
aggregatable threshold quorum, such as 2 of 3, 4 of 9, 50+1 of many,
supermajority, consensus but not unanimity, etc.)
* Signatures and proofs should largely use aggregatable multisign Schnorr,
which currently only can be done safely on secp256k1 or ristretto255 style
curves (not NIST r1 or 25519).
* Leverage the possibilities of Schnorr for atomic operations, adapter
signatures, blind signatures, scriptless scripts, smart signatures, etc. as
well as leverage the DKG & VSS pre-cursors to group Schnorr.
* Don't allow public keys, signatures, and other proofs to be correlatable
— leverage VRFs and related commitment schemes, or Schnorr adapter
signatures and scriptless scripts to make even the ability to verify a
signature require some process of consent.
* All key-value assertions signed by default are redactable by the
presenter, using a hash tree or certificate transparency-style VRF
hash-tree mechanism. Integrate the default redactable support with other
forms of selective disclosure (BBS+, etc.).
* All secrets should be multisig centric, with no Single Points of Failure
(SPOF), Single Points of Compromise (SPOC), or Single Points of Denial
(SPOD). This means we don't have to rely on a single chip (FIDO), personal
device (mobile phone), or service (personal cloud), or ecoystem (Apple,
Google), to be able to leverage our secrets, either as individuals or as
* No single source of authority or vendor lock-in — start with P2P
web-of-trust, but anything greater than that is explicitly user choice with
multiple options.
* Trust must be granular - not black or white.  Create Progressive Trust
architectures http://www.lifewithalacrity.com/2004/08/progressive_tru.html
that may require  require many steps and round-trips, and less risky early
trust testing before establishment of long-term trust.
* Personal choices of roots of trust must not be just acceptable, but
preferable. Design to avoid dark patterns of one-time or default trust
acceptance (design for modest and safe choices first, educate, request
confirmation over time, review periodically, etc.). Avoid risks of process
fatigue and desire convenience with cognitive design.
* Rethink architectures of dedicated cryptographic hardware. Work with
silicon vendors so that we don't have to solely rely on single-keys on
hardened chips, using legacy cryptography, and address the larger need to
avoid supply chain threats.
* All data is by default encrypted at rest, and encryption may be nested
with multiple "permits" to reliably support decryption under
different scenarios.
* Focus on personal trust (aka P2P) first, group aggregated trust (more
like key transparency) second, before leveraging blockchain tech.
Time-related proofs and commitments are more useful than immutability.
* Minimize biometrics to their sole use by devices under users control (for
instance iPhone-style biometrics).
* Where human secrets are required (aka "passwords") focus them solely as
one factor of many, and leverage more modern techniques OPAQUE rather than
the more long-term vulnerable approaches of bcrypt/scrypt-style PAKE. When
personal secret is required, leverage psychology of memory and spaced
repetition to support greater personal secret entropy.
* Largely leverage CBOR (but not COSE) for self-describing data, torgaps
transports (Tor or I2P - not https), and design for separation of keys and
trust services using airgapped and other segregated approaches.
* Support multiple testing of sources of truth. Ask 3 servers, not one.
Support reliability & resilience.
* Firmly separate authentication from authorization.
* Leverage cryptographic o-cap for delegatable and attenuable authorization.

All of my wish list is quite ambitious, but some of them are distinctly
possible to start developing now. Blockchain Commons already is beginning
to address some of them for use cases in the emerging Bitcoin multisig
community, and we now have support from patrons who can implement what we
need in silicon or dedicated hardware (such as secp256k1, ristretto255, and
Schnorr support in a secure enclave). We have begun to ship reviewed source
code (SSKR for social key recovery) for some of the above, have numerous
specs, code libraries and POC reference code available, and we have begun
creation of methodologies to evaluate the SPOCs and SPOFs for
multisig scenarios (see drafs at

Given the current rising community spread of Covid I unfortunately will not
be attending IIW next week, however, I am open to discussion with others
interested in supporting this more evolved (and radical) approach to
decentralized identity. So if you are in the area, I welcome invites to
lunch at some convenient outdoor location, and anytime via Zoom. I plan
that by September we can try to meet in person at the next Rebooting Web of
Trust in the Hague on September 26-30th

I welcome your participation in development of these technologies and
tools,  and of course your monthly financial patronage (even if a small $20
a month, your social proof of support is valuable!) at

Offered with hope & optimism that we can do this…

-- Christopher Allen
Received on Thursday, 21 April 2022 22:28:16 UTC

This archive was generated by hypermail 2.4.0 : Thursday, 21 April 2022 22:28:17 UTC