- From: Brent Shambaugh <brent.shambaugh@gmail.com>
- Date: Mon, 24 Jan 2022 08:39:04 -0600
- To: Manu Sporny <msporny@digitalbazaar.com>
- Cc: W3C Credentials CG <public-credentials@w3.org>
- Message-ID: <CACvcBVpRHg-t2HUy+tsZPw0JjxGH+abvra=+7Kq=Ji73JrSNcg@mail.gmail.com>
Interesting. I'm trying to refactor this repository to add secp256r1 support:
https://github.com/bshambaugh/did-jwt/blob/feat/secp256r1/src/SignerAlg/ES256SignerAlg.ts

-Brent Shambaugh

GitHub: https://github.com/bshambaugh
Website: http://bshambaugh.org/
LinkedIN: https://www.linkedin.com/in/brent-shambaugh-9b91259
Skype: brent.shambaugh
Twitter: https://twitter.com/Brent_Shambaugh
WebID: http://bshambaugh.org/foaf.rdf#me

On Sun, Jan 23, 2022 at 2:18 PM Manu Sporny <msporny@digitalbazaar.com> wrote:

> Hi all,
>
> Proposing a new work item so we can fold it into the new VCWG 2.0 work (to complete the proposals we have for Ed25519, secp256k1, and BBS+).
>
> https://digitalbazaar.github.io/di-ecdsa-secp384r1-2019/
>
> This specification describes the ECDSA Secp384r1 cryptosuite created in 2019 for the Data Integrity specification. Just like the existing CCS work items for the Ed25519 Cryptosuite, the Secp256k1 Cryptosuite, and the BBS+ Cryptosuite, this cryptosuite extends the Data Integrity specification to support cryptography supported by many large organizations throughout the world.
>
> > 1. Explain what you are trying to do using no jargon or acronyms.
>
> This specification adds support for a type of digital signature that is used heavily by large organizations throughout the world. It was our hope that we would not have to support this digital signature suite due to its controversial nature:
>
> https://crypto.stackexchange.com/questions/10263/should-we-trust-the-nist-recommended-ecc-parameters
>
> ... but given the slow pace of the hardware security module industry, along with the slow pace at which national institutes that standardize cryptography are moving, and given the hostility of a vocal minority of W3C Member companies towards the scope of the Verifiable Credentials work, publishing this work item and folding it into the VCWG 2.0 work protects that work from any W3C Member that might insist that work on this technology is out of scope (and thus hobbling the VCWG group's ability to be responsive to cryptographic needs in the industry).
>
> > 2. How is it done today, and what are the limits of the current practice?
>
> The current focus of Elliptic Curve digital signatures in the VC ecosystem seems to be around something called the "Twisted Edwards Curve", or Ed25519. That cryptography uses provably secure techniques. Unfortunately, that technology has just been approved by the National Institute of Standards in draft form and it might take years for it to be supported in the commercial hardware security modules that many governments and large organizations depend on. It was our hope that the industry was going to make more progress by this point, but it's not moving fast enough. We plan to standardize a few cryptosuites in the upcoming VCWG 2.0 work. In order to mitigate the risk that Ed25519 won't be available in commercial hardware security modules by the time that some vendors need to deploy into production settings with large organizations and governments, we are suggesting that ECDSA Secp384r1 should be an option for Issuers that desire its functionality.
>
> > 3. What is new in your approach and why do you think it will be
> > successful?
>
> There is nothing new in the approach, in fact, the cryptography used here is fairly old (almost 20+ years at this point). If it is successful, it will be because of the broad market adoption that the technology already has.
>
> > 4. How are you involving participants from multiple skill sets and global
> > locations in this work item? (Skill sets: technical, design, product,
> > marketing, anthropological, and UX. Global locations: the Americas, APAC,
> > Europe, Middle East.)
>
> Due to the nature of the work item (cryptographic security), it is difficult to include non-technical participants. We will be involving the CCG and VCWG, which do include non-technical participants throughout the world, but again, their ability to influence the technical direction will be quite limited.
>
> > 5. What actions are you taking to make this work item accessible to a
> > non-technical audience?
>
> Overall, none, as non-technical audiences need not be exposed to this level of detail.
>
> We will happily try and explain what we're doing on the CCG mailing list if non-technical members have questions about the technology.
>
> Chairs, I'd like a few minutes to propose this work item to the CCG and seek a co-editor for the specification.
>
> -- manu
>
> --
> Manu Sporny - https://www.linkedin.com/in/manusporny/
> Founder/CEO - Digital Bazaar, Inc.
> News: Digital Bazaar Announces New Case Studies (2021)
> https://www.digitalbazaar.com/

Received on Monday, 24 January 2022 14:39:29 UTC