- From: Daniel Hardman <daniel.hardman@gmail.com>
- Date: Wed, 26 Oct 2022 12:15:40 +0200
- To: Morgan Hedges <morgan.hedges@gosource.com.au>
- Cc: W3C Credentials CG <public-credentials@w3.org>
- Message-ID: <CACU_chmdGoQz8mu5comOHVcyXpXboqCV-p8KLSmp8=_DnTEk+Q@mail.gmail.com>
> > The especially naive bit- I think/presume it's not as easy as just using a > FIPS compliant signature algorithm on some kind of "hash of hashes" > (obvious example: a Merkle tree, something like MerkleDisclosureProof2021 > <https://w3c-ccg.github.io/Merkle-Disclosure-2021/>), but despite > spending some time with the FIPS-186-5 draft, I'm still not clear why this > should be ruled out. > This would have been my answer, so I will be curious to see what others have to say about it. FIPS publications offer several different scopes in which it is possible to comply. As I understand it, all of these possible scopes are focused on the soundness of cryptographic algorithms. They do cover appropriateness of algorithms to certain problems, but I don't think selective disclosure is one of those problems. But I could be wrong. One gotcha to be aware of is that the term "selective disclosure" is highly problematic when you're spanning the two audiences of SSI/CCG on one hand, and US government/NIST/FIPS on the other. This may explain why doing a web search on the topic isn't very helpful. The only official usage of that term in US government circles is associated with financial context (e.g., the SEC), and in that environment, "selective disclosure" is a dirty word. Essentially it is the practice of lying by omission when filing financial reports. Thus I think it is unlikely that you'll ever see that term in a FIPS publication as a desirable feature. So you'll have to search for it by other names. (I like the term "progressive disclosure", which comes out of usability theory and human factors/UX circles, but I doubt FIPS would use that, either.)
Received on Wednesday, 26 October 2022 10:16:05 UTC