Re: FYI: Cryptography Review and Recommendations for W3C VC and W3C DID Implementations by SRI International

Anil,
We would absolutely love a deep dive on this work from SRI to the
community.  Understanding of potential issues and pitfalls in this type of
work is paramount and we really appreciate the hard work and effort
undertaken for this type of analysis.

Let's get an off-list email going with Heather and myself and SRI to line
up a date to get a full breakdown of the analysis for the community.

Mike Prorock
CTO, Founder
https://mesur.io/



On Wed, Jan 26, 2022 at 2:38 PM John, Anil <anil.john@hq.dhs.gov> wrote:

> Hello DID/VC Community,
>
>
>
> As part of the in-depth technical due-diligence we are conducting in our
> multiple DHS/SVIP workstreams to enable operational capabilities for
> DHS/CBP, DHS/PRIV and DHS/USCIS using W3C Verifiable Credentials and W3C
> Decentralized Identifiers, DHS/SVIP sponsored the independent nonprofit
> research center SRI International ( https://www.sri.com/
> <https://urldefense.us/v3/__https:/www.sri.com/__;!!BClRuOV5cvtbuNI!QQnc651HVGJnMNYs-vSuaQ_LFlyrI91HPL5EhedGkojcjPJHCBFDlIMm6lAea-QRQTxJ$>
> ) to conduct a cryptographic review of the W3C Verifiable Credentials and
> W3C Decentralized Identifier standards.
>
>
>
> This type of independent review is critically important for U.S.
> Government entities who are deploying capabilities based on these standards
> to ensure that the technologies conform to relevant U.S. Federal government
> standards and requirements, including the Federal Information Security
> Management Act (FISMA) and National Institute of Technology (NIST)
> standards for use of cryptography.
>
>
>
> Please find attached (and online at the link below) the results of this
> independent review and the associated cryptography implementation
> recommendations.
>
>
>
>
> https://docs.google.com/document/d/1EdCBSACtlBv2DxNZM67qi9F15Iv5uWOW/edit?usp=sharing&ouid=116879129655891111263&rtpof=true&sd=true
> <https://urldefense.us/v3/__https:/docs.google.com/document/d/1EdCBSACtlBv2DxNZM67qi9F15Iv5uWOW/edit?usp=sharing&ouid=116879129655891111263&rtpof=true&sd=true__;!!BClRuOV5cvtbuNI!QQnc651HVGJnMNYs-vSuaQ_LFlyrI91HPL5EhedGkojcjPJHCBFDlIMm6lAea80RqYf0$>
>
>
>
>
>
> Heather and Mike,
>
>
>
> An ask on behalf of the SRI folks who conducted this work --- Do you think
> this work would be of interest to the broader community such that it would
> it be possible to get some dedicated time at the CCG (would appreciate a 45
> – 60 minute block) for them to walk thru the work and answer any questions
> the community may have?
>
>
>
> If you think that this is too government-centric and not relevant broadly,
> no worries … I’ll just point folks to the report.
>
>
>
> Kaliya, Kerri, Sharon, Drummond and Juan,
>
>
>
> It feels like this may be an area of common interest between CCG, DIF,
> ToIP and EDU, so wanted to make sure you were all aware of this work and if
> you all believe that it make sense to have some sort of a joint opportunity
> for this conversation to happen, I am happy to help on that.  Same note to
> you as well that if you consider this to be too government-centric, no
> worries – I can only lead horses to water, I cannot make them drink : -)
>
>
>
> Best Regards,
>
>
>
> Anil
>
>
>
> Anil John
>
> Technical Director, Silicon Valley Innovation Program
>
> Science and Technology Directorate
>
> US Department of Homeland Security
>
> Washington, DC, USA
>
>
>
> Email Response Time – 24 Hours
>
>
>
> [image: A picture containing graphical user interface Description
> automatically generated] <https://www.dhs.gov/science-and-technology>[image:
> /Users/holly.johnson/Library/Containers/com.microsoft.Outlook/Data/Library/Caches/Signatures/signature_1972159395]
>