Re: FYI: Cryptography Review and Recommendations for W3C VC and W3C DID Implementations by SRI International

CCG List & All,

This has been scheduled for our Feb 15 CCG call. A full agenda will be sent
about a week prior. The CCG is happy to host the broader discussion or hold
a subsequent CCG meeting for the discussion with broader parties.

Cheers,

-Heather



On Wed, Jan 26, 2022 at 11:41 AM Mike Prorock <mprorock@mesur.io> wrote:

> Anil,
> We would absolutely love a deep dive on this work from SRI to the
> community.  Understanding of potential issues and pitfalls in this type of
> work is paramount and we really appreciate the hard work and effort
> undertaken for this type of analysis.
>
> Let's get an off-list email going with Heather and myself and SRI to line
> up a date to get a full breakdown of the analysis for the community.
>
> Mike Prorock
> CTO, Founder
> https://mesur.io/
>
>
>
> On Wed, Jan 26, 2022 at 2:38 PM John, Anil <anil.john@hq.dhs.gov> wrote:
>
>> Hello DID/VC Community,
>>
>>
>>
>> As part of the in-depth technical due-diligence we are conducting in our
>> multiple DHS/SVIP workstreams to enable operational capabilities for
>> DHS/CBP, DHS/PRIV and DHS/USCIS using W3C Verifiable Credentials and W3C
>> Decentralized Identifiers, DHS/SVIP sponsored the independent nonprofit
>> research center SRI International ( https://www.sri.com/
>> ) to conduct a cryptographic review of the W3C Verifiable Credentials and
>> W3C Decentralized Identifier standards.
>>
>>
>>
>> This type of independent review is critically important for U.S.
>> Government entities who are deploying capabilities based on these standards
>> to ensure that the technologies conform to relevant U.S. Federal government
>> standards and requirements, including the Federal Information Security
>> Management Act (FISMA) and National Institute of Technology (NIST)
>> standards for use of cryptography.
>>
>>
>>
>> Please find attached (and online at the link below) the results of this
>> independent review and the associated cryptography implementation
>> recommendations.
>>
>>
>>
>>
>> https://docs.google.com/document/d/1EdCBSACtlBv2DxNZM67qi9F15Iv5uWOW/edit?usp=sharing&ouid=116879129655891111263&rtpof=true&sd=true
>>
>>
>>
>>
>>
>> Heather and Mike,
>>
>>
>>
>> An ask on behalf of the SRI folks who conducted this work --- Do you
>> think this work would be of interest to the broader community such that it
>> would be possible to get some dedicated time at the CCG (would
>> appreciate a 45 – 60 minute block) for them to walk thru the work and
>> answer any questions the community may have?
>>
>>
>>
>> If you think that this is too government-centric and not relevant
>> broadly, no worries … I’ll just point folks to the report.
>>
>>
>>
>> Kaliya, Kerri, Sharon, Drummond and Juan,
>>
>>
>>
>> It feels like this may be an area of common interest between CCG, DIF,
>> ToIP and EDU, so wanted to make sure you were all aware of this work and if
>> you all believe that it makes sense to have some sort of a joint opportunity
>> for this conversation to happen, I am happy to help on that.  Same note to
>> you as well that if you consider this to be too government-centric, no
>> worries – I can only lead horses to water, I cannot make them drink :-)
>>
>>
>>
>> Best Regards,
>>
>>
>>
>> Anil
>>
>>
>>
>> Anil John
>>
>> Technical Director, Silicon Valley Innovation Program
>>
>> Science and Technology Directorate
>>
>> US Department of Homeland Security
>>
>> Washington, DC, USA
>>
>>
>>
>> Email Response Time – 24 Hours
>>
>>
>>
>>
>

-- 
Heather Vescent <http://www.heathervescent.com/>
Co-Chair, Credentials Community Group @W3C
<https://www.w3.org/community/credentials/>
President, The Purple Tornado, Inc <https://thepurpletornado.com/>
Author, The Secret of Spies <https://amzn.to/2GfJpXH>
Author, The Cyber Attack Survival Manual
<https://www.amazon.com/Cyber-Attack-Survival-Manual-Apocalypse/dp/1681886545/>
Author, A Comprehensive Guide to Self Sovereign Identity
<https://ssiscoop.com/>

@heathervescent <https://twitter.com/heathervescent> | Film Futures
<https://vimeo.com/heathervescent> | Medium
<https://medium.com/@heathervescent/> | LinkedIn
<https://www.linkedin.com/in/heathervescent/> | Future of Security Updates
<https://app.convertkit.com/landing_pages/325779/>

Received on Thursday, 27 January 2022 21:59:04 UTC