Re: FYI: Cryptography Review and Recommendations for W3C VC and W3C DID Implementations by SRI International

Looking forward to this call. Thanks for scheduling.

I’ll forward Anil’s original email to the public-vc-edu@w3.org list. Thanks, Anil!

K.

--------
Kerri Lemoie, PhD
Director, Digital Credentials Research & Innovation
badgr.com <https://info.badgr.com/> | concentricsky.com <https://concentricsky.com/>
she/her/hers

> On Jan 27, 2022, at 4:58 PM, Heather Vescent <heathervescent@gmail.com> wrote:
> 
> CCG List & All,
> 
> This has been scheduled for our Feb 15 CCG call. A full agenda will be sent about a week prior. The CCG is happy to host the broader discussion or hold a subsequent CCG meeting for the discussion with broader parties. 
> 
> Cheers,
> 
> -Heather
> 
> 
> 
> On Wed, Jan 26, 2022 at 11:41 AM Mike Prorock <mprorock@mesur.io> wrote:
> Anil,
> We would absolutely love a deep dive on this work from SRI to the community.  Understanding of potential issues and pitfalls in this type of work is paramount and we really appreciate the hard work and effort undertaken for this type of analysis.  
> 
> Let's get an off-list email going with Heather and myself and SRI to line up a date to get a full breakdown of the analysis for the community.
> 
> Mike Prorock
> CTO, Founder
> https://mesur.io/
> 
> 
> 
> On Wed, Jan 26, 2022 at 2:38 PM John, Anil <anil.john@hq.dhs.gov> wrote:
> Hello DID/VC Community,
> 
>  
> 
> As part of the in-depth technical due-diligence we are conducting in our multiple DHS/SVIP workstreams to enable operational capabilities for DHS/CBP, DHS/PRIV and DHS/USCIS using W3C Verifiable Credentials and W3C Decentralized Identifiers, DHS/SVIP sponsored the independent nonprofit research center SRI International (https://www.sri.com/) to conduct a cryptographic review of the W3C Verifiable Credentials and W3C Decentralized Identifier standards.
> 
>  
> 
> This type of independent review is critically important for U.S. Government entities who are deploying capabilities based on these standards to ensure that the technologies conform to relevant U.S. Federal government standards and requirements, including the Federal Information Security Management Act (FISMA) and National Institute of Technology (NIST) standards for use of cryptography.
> 
>  
> 
> Please find attached (and online at the link below) the results of this independent review and the associated cryptography implementation recommendations.
> 
>  
> 
> https://docs.google.com/document/d/1EdCBSACtlBv2DxNZM67qi9F15Iv5uWOW/edit?usp=sharing&ouid=116879129655891111263&rtpof=true&sd=true
>  
> 
>  
> 
> Heather and Mike,
> 
>  
> 
> An ask on behalf of the SRI folks who conducted this work --- Do you think this work would be of interest to the broader community such that it would be possible to get some dedicated time at the CCG (would appreciate a 45 – 60 minute block) for them to walk thru the work and answer any questions the community may have?
> 
>  
> 
> If you think that this is too government-centric and not relevant broadly, no worries … I’ll just point folks to the report.
> 
>  
> 
> Kaliya, Kerri, Sharon, Drummond and Juan,
> 
>  
> 
> It feels like this may be an area of common interest between CCG, DIF, ToIP and EDU, so wanted to make sure you were all aware of this work and if you all believe that it makes sense to have some sort of a joint opportunity for this conversation to happen, I am happy to help on that.  Same note to you as well that if you consider this to be too government-centric, no worries – I can only lead horses to water, I cannot make them drink :-)
> 
>  
> 
> Best Regards,
> 
>  
> 
> Anil
> 
>  
> 
> Anil John
> 
> Technical Director, Silicon Valley Innovation Program
> 
> Science and Technology Directorate
> 
> US Department of Homeland Security
> 
> Washington, DC, USA
> 
>  
> 
> Email Response Time – 24 Hours
> 
>  
> 
> 
> 
> 
> -- 
> Heather Vescent <http://www.heathervescent.com/>
> Co-Chair, Credentials Community Group @W3C <https://www.w3.org/community/credentials/>
> President, The Purple Tornado, Inc <https://thepurpletornado.com/>
> Author, The Secret of Spies <https://amzn.to/2GfJpXH> 
> Author, The Cyber Attack Survival Manual <https://www.amazon.com/Cyber-Attack-Survival-Manual-Apocalypse/dp/1681886545/>
> Author, A Comprehensive Guide to Self Sovereign Identity <https://ssiscoop.com/>
> 
> @heathervescent <https://twitter.com/heathervescent> | Film Futures <https://vimeo.com/heathervescent> | Medium <https://medium.com/@heathervescent/> | LinkedIn <https://www.linkedin.com/in/heathervescent/> | Future of Security Updates <https://app.convertkit.com/landing_pages/325779/>

Received on Friday, 28 January 2022 19:35:09 UTC