[MINUTES] W3C CCG Credentials CG Call - 2023-05-23

Thanks to Our Robot Overlords for scribing this week!

The transcript for the call is now available here:


Full text of the discussion follows for W3C archival purposes.
Audio of the meeting is available at the following location:


W3C CCG Weekly Teleconference Transcript for 2023-05-23

  Mike Prorock, Kimberly Linson, Harrison Tang
  Our Robot Overlords
  Harrison Tang, Greg Bernstein, Mike Prorock, Jeff O - HumanOS, 
  Hiroyuki Sano, Japan, Stuart Freeman, BrentZ, Nis Jespersen , 
  Jennie Meier, Mike Xu, Will, Joe Andrieu, Andres Uribe, Dmitri 
  Zagidulin, Paul Dietrich GS1, Bob Wyman, Kaliya Young, Kimberly 
  Linson, PL/T3-ASU, Keith Kowal, Steve Magennis, Manu Sporny, 
  Kazue Sako, Brian, Kerri Lemoie, Erica Connell, Wendy Seltzer, 
  kazue, Marty Reed, Leo, Andrew Whitehead, Lucy Yang, Taylor 
  (LEF), Taylor (LEF ), John Kuo, James Chartrand, Mahesh Balan - 

Our Robot Overlords are scribing.
Harrison_Tang: Alright hello everyone welcome to this week's w3c 
  ccg meeting today we're very glad to have a Greg great burst name 
  to a present on PBS for VCS their proper credentials and json-ld 
  but before we get to the main agenda just want to do some quick 
  reminders on the code of ethics and professional conduct reminder 
  more or less just make sure that we know are remain respectful.
Harrison_Tang:  to each other we've been doing that for.
Harrison_Tang: As far as I can remember but just want to do a 
  quick reminder and cold not here all right next up we have the IP 
  note anyone can participate in these calls however all 
  substantive contributions to any CG work items must be members of 
  the ccg with full IP our agreements time I'll make sure you have 
  the w3c account and sign the w3c community contributor license 
  agreement if you have any.
Harrison_Tang:  questions or problems feel free to reach out to 
Harrison_Tang: We record these meetings and actually we have been 
  quite good at publishing these meeting minutes and I'll deal 
  recordings in the day or two but generally we said we'll publish 
  it by the end of this week.
Harrison_Tang: All right we used to teach each at to Q speaker so 
  you can type in q+ to cure yourself to add yourself to the cube 
  or q- to remove it and you can always do Q question mark to see 
  who's in the queue.
Harrison_Tang: Right that's do the introductions and 
  reintroduction so if you are new to the community or you haven't 
  been active and your rejoining the community please feel free to 
  unmute and introduce or reintroduce yourself.
Harrison_Tang: Don't be shy.
Harrison_Tang: All right so we do this every meeting so you know 
  maybe not you'll have to opportunity to do that next week if you 
  don't feel comfortable doing right now all right next we have 
  announcements and reminders any announcements and reminders.
Kaliya Young:  Hey so I guess it's two weeks we're convening the 
  digital identity unconference Europe in Zurich June 7 to 9 just 
  like we are for iaw were committed to making sure it's accessible 
  so I've really pushed them to make sure they keep the startup and 
  NGO tickets available.
Kaliya Young:  If you haven't signed up you want to come now is 
  the time to sign up and we are a really great list of those 
  topics I can see on the website if you're in Europe please join 
  us thank you.
Harrison_Tang: Thanks Korea any other announcement or reminders.
Kaliya Young: https://diceurope.org/
Harrison_Tang: All right any updates on the work Islands.
Kaliya Young: https://diceurope.org/prpoposed-topics
Harrison_Tang: And by the way I think in the email list earlier 
  there are some announcements regards to a verifiable credentials 
  rendering method so the we already we looked at for July 25th so 
  that we can have further discussions there as well.
Harrison_Tang:  alright money.
Manu Sporny:  Yeah just a question on that do we have to wait for 
  that meeting to pull it into the group it seemed to have a 
  support there were no objections we pull it into the ccg at this 
  point or should we wait two months.
Mike Prorock:  Harrison I've got no objections to pulling that in 
  now I think it makes sense there's broad support and no 
  objections to that I would say let's pull it in now and then get 
  a debrief on the updates in that July meeting if that is fine 
  with you.
Harrison_Tang: Yeah yeah of course yeah I think they were small 
  local supporters so let's do that.
Manu Sporny:  Great thank you.
Harrison_Tang: Thank you Mommy.
Harrison_Tang: Any other updates on the work items.
Harrison_Tang: All right so let's get to the main agenda so this 
  week again we are very very glad to invite a Greek to present on 
  the BBS for verifiable Potentials in json-ld giving us an 
  overview I think you mentioned that he would love to endless some 
  of the volunteers to actually helping on these efforts so great 
  the floor is yours.
Greg Bernstein:  All right let's get the screen sharing and going 
  you don't need to see me anymore but that's what I look like so 
  let's get the screen sharing select window or screen.
Greg Bernstein:  Wait before I do that.
Greg Bernstein: 
Greg Bernstein:  Off the video you don't need to see my face okay 
  the other thing to make it easier.
Harrison_Tang: And break sometimes we have technical difficulties 
  when we're doing both video and the SlideShare so thank.
Greg Bernstein:  There goes the slides the slides are all 
  available online I just put them in the chat and.
Greg Bernstein:  To get Hands-On we've got a demo.
Greg Bernstein: https://www.grotto-networking.com/BBSDemo/
Greg Bernstein:  Did I use that I'll be using but anybody can use 
  because it's built with BBs and it's just a web app a standalone 
  single page web app so now let's go back and do the screen share.
Greg Bernstein:  Select window or screen.
Greg Bernstein:  And let's go over to.
Greg Bernstein:  And I'm going to make this big so this is going 
  to be a little different than some of the things we've done this 
  is a tutorial this is at or about BBS and a reminder about 
  verifiable credentials and signatures because I've been working 
  on our crypto sweets not from the point of view of been writing 
  them I've been working and I've been out on test vectors which 
  are really important.
Greg Bernstein:   Aunt so we're going.
Greg Bernstein:  View of signatures we're going to review VC's in 
  signatures then we're going to talk about what we get from BBS 
  signatures selective disclosure and anemone and unlink ability 
Greg Bernstein:  Who am I okay let's see if we can move that 
  thing a long long time ago in a galaxy far away I got all those 
  degrees from Berkeley then part-time consultant teacher 
  implementer for a while I was formerly an R&D manager at big 
  telecoms and was in a start-up where we did got a cool optical 
  switching prod.
Greg Bernstein:  Deployed worldwide lots of network standards 
  work ietf oif itu-t this is the optical stuff spent the pandemic 
  teaching cyber security and web programming I've got the big 
  interest big Advocate on privacy and security okay so those are 
  kind of like my passions now so.
Greg Bernstein:  Me there's links to.
Greg Bernstein:  Anything else here my website Grotto networking 
  I've got all my course materials for my academic courses if 
  you're interested to see how I taught cybersecurity.
Mike Prorock: +1 Excellent text
Greg Bernstein:  Okay signatures and references once again sorry 
  for the academic Focus if you are really trying to get into 
  signatures and understand the modern approach to cryptography 
  probably can't recommend more the book by Dan Bonet and Victor 
  Shoop and it's available for free online and they just did an 
  update to it for their 0.6 version to see.
Greg Bernstein:   See some of these properties.
Greg Bernstein:  Truce in a readable fashion we came across this 
  paper taming the many EDSA s EDSA signatures and that explains 
  some of the improved properties that you get from signatures.
Greg Bernstein:  So what is the signature the formal definition 
  it's a triple it has t generation assigning algorithm and a 
  verification algorithm each of these things is pretty important I 
  tended to forget about the key generation but the thing is every 
  signature scheme.
Greg Bernstein:  Has its own set of keys and you got to be very 
  careful to use them correctly not reuse things so.
Greg Bernstein:  What is the signature we care about these four 
  verifiable credentials because they put the verifiable in the 
  verifiable credentials the idea is somebody that doesn't have the 
  secret key can't create a message with a signature.
Greg Bernstein:  That verifies against the public key okay this 
  is called existential forgery you can't create a new message with 
  a signature that verifies okay there's the signing algorithm the 
  verification it shouldn't be able to do that in addition.
Greg Bernstein:  To make it hard for the cryptographers to come 
  up with these schemes is we allow the adversaries.
Greg Bernstein:  See signatures on as many different types of 
  credentials as they like and we say you can see as many of those 
  but you still shouldn't be able to come up with a valid signature 
  unless you have the secret key this is called existential 
  unfortunate bility under a chosen message attack to be formal 
  okay you can get you can go further there's something called.
Greg Bernstein:   Ang unfortunate Billa.
Greg Bernstein:  Okay which means you can't find a new signature 
  on an old message without knowing the secret key okay so of are 
  two schemes of our to current schemes for verifiable credentials 
  EDSA can have the strong unforgeable Leti but EC D sa is not okay 
  for the details the BNS chapter 19 okay.
Greg Bernstein:   A signature is.
Greg Bernstein:  This is another nice property if it's impossible 
  for the signer to claim later that it signed a different message.
Greg Bernstein:  He's came out as desirable after the 
  cryptocurrencies in the block change things and people were 
  finding any way they could figure out how to cheat on the Block 
  chains and such like that and so people found these ways around 
  and Attack the Block change in the cryptocurrencies.
Greg Bernstein:  Further there's something called a strongly 
  binding signature okay where the signature is binding to the 
  public key so these are forms of what is recalled non-repudiation 
  okay so there's different levels of security properties the 
  second district should have but that existential unfortunate 
  bility is the basics.
Greg Bernstein:  Now I hope I'm not missing any questions because 
  I have my cell phone full screen for good right good okay and I'm 
  watching the time I'm doing a single monitor setup so unlike when 
  Haley teach you don't have a little time clock going okay.
Harrison_Tang: I'll monitor the I'll monitor the question Q so 
  don't worry about.
Greg Bernstein:  Okay currently for VCS we have three crypto 
  sweets I think if I got this right that are in working draft 
  status so we have EDSA just got a bunch of test vectors in V our 
  request was.
Greg Bernstein:  In white and for that we're I've got some that I 
  have not put in yet for Ed ecdsa what's the difference between 
  these ecdsa has been around longer their Hardware implementations 
  okay I know the new Phipps document that just came out also has 
  EDSA but ecdsa is very important to have around because there's a 
  lot of stuff already out there in the new kid on the Block BBs.
Greg Bernstein:  So down to the bits and bytes okay I told you 
  there's three pieces key generation and people particularly with 
  this post Quantum stuff coming up people care about how big are 
  the keys okay it's not just the signature size but it is the key 
  size so our example with e DD essay which is very efficient the 
  secret key.
Greg Bernstein:   She is 32.
Greg Bernstein:  In the public key which actually is something 
  called a group element in an elliptic curve blah blah blah okay 
  is actually quite small to 32 bytes if you look at post Quantum 
  cryptography you'll find that the key sizes can get quite large 
  okay now given a message M okay this is the down to the byte 
  level part of a signature we look at messages just a bunch of.
Greg Bernstein:   B we.
Greg Bernstein:  Who's to say.
Greg Bernstein:  Mature okay where it's got two pieces to it what 
  we care about is the total length of the signature is only 64 
  bytes you'll find with both ecdsa EDSA the chief the signatures 
  are quite small okay so these signature schemes that's why these 
  are the the most popular signature schemes down because the 
  signatures the keys that you have to keep around.
Greg Bernstein:   And and the.
Greg Bernstein:  Themselves are quite small okay so quite 
  efficient, okay.
Greg Bernstein:  And particularly EDSA is very fast very 
  efficient and some folks in one of the papers reference proved 
  that by doing a few extra checks we can get all those nice 
  security properties okay and so that will be going into the 
  security consideration sections of our crypto sweet that's a PR 
  to be ridden okay.
Greg Bernstein:   Security at these.
Greg Bernstein:  Work with B the keys are a bunch of bytes the 
  messages are a bunch of bytes the signatures are a bunch of 
  fights okay we've got to apply these to verifiable credentials 
  and we have to do it correctly okay because if we don't do it 
  correctly you leave holes for exploitation so what do we protect 
  the underside credential but also very important as we have to 
  protect the options related to cryptographic.
Greg Bernstein:   I am okay so somebody can't say hey.
Greg Bernstein:  Uses we don't use any cryptography no no we're 
  signing this we're going to protect that information to make sure 
  what additional tools do we generally need when we apply these 
  things to be seized we need some kind of if we're talking about 
  Json Json Kana canonicalization algorithm and we usually use 
  cryptographic hashes in some way or form sometimes those are 
  built in the signature schemes.
Greg Bernstein:   And sometimes we use them before we go into 
Greg Bernstein:  Scheme so let's take a look very big okay so 
  here's an example credential taken from our document okay it's we 
  want to sign this credential this is unsigned we want to protect 
  this we want to sign this thing we want to digital signature on 
  it in addition to signing that though.
Greg Bernstein:   We want.
Greg Bernstein:  Swipes the wrong way and it tried to go 
  someplace else okay in addition to protecting the credential we 
  want to protect and ensure that nobody can lie about what type of 
  data Integrity prove what crypto sweet are we using when this 
  thing was created verification method all these things are what 
  we call the proof options okay so we're going to protect these 
  things too.
Greg Bernstein:   What do I mean by that.
Greg Bernstein:  We're going to include this as stuff we sign so 
  how do our signature crypto sweets work at least for EDSA and 
  ecdsa well.
Greg Bernstein:  We run one of these canonicalization algorithms 
  either J CS or rdf on the unsigned VC we do that with the 
  configuration options we take these cryptographic hash things 
  which take a long message and give you a fixed-length output we 
  combine those things together and we actually sign the output of 
  that combined set of hashes.
Greg Bernstein:  Becomes our message so that means we have to 
  have a good signature algorithm we got to know how weird 
  canonicalizing things and we also have to make sure it's a good 
  hash Agra all those things we're going to make it very clear that 
  the cryptographer people's can read our document see examples 
  easily and say yeah you're doing that the right way okay and so 
Greg Bernstein:   Essentially very.
Greg Bernstein:  Actually what we do in our crypto sweet 
  documents to produce something that looks like this verifiable 
  credentials got all the credentials stuff ah we've got the proof 
  that includes all that proof.
Greg Bernstein:  Option stuff did Integrity proof group just read 
  information proof purpose right here at the end nicely encoded 
Greg Bernstein:  BTC blah blah blah encoding where we convert 
  from B to something that we can put into text is our signature so 
  that's an example of signing now what does BBS do for us okay 
  first of all BBS doesn't stand for brief beautiful signature.
Greg Bernstein:  Of the original academic work with the author's 
  Denver nay Xavier bullion and I don't want to put your sack 
  woman's name but I probably just did these guys first described 
  the ski okay references.
Greg Bernstein:  The draft okay which is a good place to go and I 
  do have to thank the silliest Gallows who.
Greg Bernstein:  And I was working through and coming up with my 
Greg Bernstein:  Part of what's really good about here is we have 
  good test vectors and we checked them and when somebody had 
  issues with trying to verify very helpful group over at dif ietf 
  that we're working on this it's like no no no we've got a mistake 
  here at this is where air is very helpful complete set of test 
  vectors great for people trying to okay and if we do.
Greg Bernstein:   A more advanced.
Greg Bernstein:  BS at a later time I'm sure we can try and get 
  the silliest and some of the other guys I know Brent's eundel is 
  was on this call use one of the early advocates for BBS and has a 
  nice blog post about it from way back okay.
Greg Bernstein:   So that's our.
<brentz> waves
<manu_sporny> ^ that guy :)
Greg Bernstein:  Injured however just like with EDSA as things 
  started approaching standardization some of the academic folks 
  took a second look and they've got better results optimizations 
  for us so we've been working with a group out of University of 
  Washington up in Washington state they've got some optimizations 
  and additional security proofs for us just like there's more 
Greg Bernstein:   Proofs of security for EDSA which.
<mprorock> well since that guy is a fan. . .
Greg Bernstein:  I get to our VC document okay the original 
  documents that we base the standard on is this paper from 2016 
  caution it's these are both hard reads.
Greg Bernstein:  Now we have a demo.
Greg Bernstein:  We're going to actually go through okay 
  signature creation Singler what's all the rest of us we're going 
  to see what the rest of that is about okay this closely mirrors 
  what we do with our test vectors okay so hence we're doing 
  something that we tell people never ever to do we've got private 
  keys out floating around in the open.
Greg Bernstein:   We do this when we.
Greg Bernstein:  Is specs and RVC specs in the ietf spec because 
  people need to test these things but the biggest thing about 
  these things Professor mode on is keeping these Keys secure so we 
  throw around random keys and our test vectors and such like that 
  note that in reality you never do this okay so just there for 
  just my caveat okay.
Greg Bernstein:  Is like we do in our test vectors in our various 
  aspects hex representation for all field except messages because 
  I wanted the messages readable which are UTF text okay I use Json 
  the hold the information at various stages just like we do with 
  our test vectors these are not VPS or VCS okay this is just for 
  demo purposes Json is just a happy way to get test vectors around 
Greg Bernstein:  Using a simple list of BBS messages there is 
  more work.
Greg Bernstein:  To get BBS applied to a verifiable credential 
  than what my demo shows My Demo is highlighting BBS not the 
  process that we have to take to go and apply BBS to a verifiable 
  credential okay so what are its fundamental properties it has 
  strong unfortunate bility okay so it's got those good properties 
  the security properties that we want to have a little bit 
  stronger than EC.
Greg Bernstein:  Scott selective disclosure.
Greg Bernstein:  The scheme allows the signer to sign multiple 
  messages and produce a single constant size output signature from 
  which a holder can select which of the quote messages to reveal 
  later it's got something called unlink able proofs and proof of 
  possession okay this is the formal language from the ietf draft.
Greg Bernstein:   First and it we're going to.
Greg Bernstein:  These things okay so I'm not going to read those 
  detail okay what is this look like from the bits and bytes point 
  of view.
Greg Bernstein:  It's a little bigger the random secret key is 32 
  bytes the public key is a lot bigger three times but still 
  remember a small jpg photo will be a couple hundred K bytes so 
  when we're talking about the signature sizes for elliptic curve 
  based things and this is elliptic curve base ecdsa.
Greg Bernstein:   I say eat.
Greg Bernstein:  The signature sizes and the keys sizes are small 
  okay so you can do a lot with these things okay and so worrying 
  about too much about B and B we want to do things optimally okay 
  the signature sighs okay.
Greg Bernstein:  B okay so that's bigger than the 64 bytes the 
  new optimization results gives us 80 bytes signatures are small 
  so this is why some of this stuff is also being looked at by a 
  coyote people because the signature that the iot even if it has a 
  bunch of different sensors and you want selective disclosure of 
  sensor reading the message going to send has to send is small 
Greg Bernstein:   So let's go over to.
Greg Bernstein:  So I've got a random key I've got a public key.
Greg Bernstein:  In a in a more advanced discussion will talk 
  about what we should use this feature of BBS called the header 
  okay but I have here a sequence of messages I was faking a 
  driver's license for a tree in Northern California okay so we 
  have a bunch of different properties first name last name address 
  date of birth height no eyes brown bark.
Greg Bernstein:   E needles Etc.
Greg Bernstein:  Can create a signature you can add as more 
  messages if you like here you can remove a message this is a okay 
  let's just show okay so we then we click create signature.
Greg Bernstein:  Oopsies let's reload.
Greg Bernstein:  Create a signature okay so what did we do we get 
  a signature what is it it's a bunch of bytes okay so we have a 
  platinum now somebody's going to use this for something like 
  verify it we need to public key we need the headers We need oh 
  all the separate messages and the signature.
Greg Bernstein:  If we want to verify the signature okay we bring 
  in we have to have the public key.
Greg Bernstein:  Of all her messages.
Greg Bernstein:  I can process that is Json we can click verify 
Greg Bernstein:  Let's say the tree has a issue on you wants to 
  pretend that he's taller than his brother and he's.
Greg Bernstein:  297 Feets not 296 feet that's what happens when 
  you hit the wrong button okay process the Json verify the 
  signature it doesn't verify right that's the kind of thing we 
  expect from signatures people mess with the information it 
  shouldn't verify its back to its original form okay.
Greg Bernstein:  Basic signatures okay.
Greg Bernstein:  So what okay well.
Greg Bernstein:  If we want to do is discuss selective disclosure 
  and we're doing a full VC model we have an issue or a holder and 
  verifier okay we have a three-step model selective disclosure 
  comes in that the holder doesn't want to reveal everything.
Greg Bernstein:  So the issuer signs of EC holder verifies the 
  sign VC then the holder selects which to disclose okay which 
  messages and BBs terminology so let's take a look.
Greg Bernstein:  Selective disclosure now let's go back for a 
  second do I have my caveat we doing TimeWise okay ish okay.
Greg Bernstein:  There's multiple different approaches to 
  selective disclosure okay probably the most straightforward 
Greg Bernstein:  Break up your VC into a bunch of different 
  messages okay sign each individual message.
Greg Bernstein:  Overall signature for the Kabam combination is 
  just the number of messages times the signature sighs that's not 
  what happens with BBs BBS gives us a fixed signature side no 
  matter how many messages.
Greg Bernstein:  Another approach which we have heard of I think 
  we've had a we had the presentation on gordian envelopes there 
  based on a Merkel hash tree you get a signature single signature 
  for the tree the presentation cost is general overhead plus a-hat 
  oops sorry this has basically a single circuit future for the 
  whole tree the costs in both the Merkel and the BBS come when you 
  do your selective disclosure.
Greg Bernstein:  Veal or give.
Greg Bernstein:  The verifier something for each undisclosed 
  message so you either pay up front when you individually sign 
Greg Bernstein:   I know.
Greg Bernstein:  Quick okay just giving just an overview but with 
  BBs just like with Merkel hash trees basically for each unknown 
  disclose message it's part of the signature you have a little 
  price to pay okay for hash trees it depends on the hash through 
  using the basically it's the number of undisclosed plus the hatch 
  size for BBS number of undisclosed times 32 bytes.
Greg Bernstein:   It's for our current implementation.
Greg Bernstein:  So we have a tree going into a bar and needs to 
  prove their ID Okay so.
Greg Bernstein:  Let's say they're gonna have in clothes their 
  picture and their date of birth okay so we're going to generate a 
Greg Bernstein:  Oh we got a proof it's got what does it have in 
  it down here.
Greg Bernstein:  Only two pieces of message now we come to the 
  proof verification Professor I mean Greg what's going on here.
Greg Bernstein:  Sorry we've got a terminology Collision.
Greg Bernstein:  Both PBS and verifiable credentials use the term 
  proof and signature but they use them in very different ways okay 
  so I'll use the term BBS signature and BBs proof BBS proof.
Greg Bernstein:  Is kind of like the secondary signature or the 
  disclosed signature okay.
Greg Bernstein:  So that's why I was like what's this terminology 
  oh BBs.
Greg Bernstein:  We select the messages we want to include then 
  we create a proof on it this isn't.
Greg Bernstein:  Isn't to be confused with a general VC proof it 
  would be included in the verifiable print presentation as part of 
  the proof okay but it is a derived thing it's derived from the 
  first signature now let's check that this thing can verify.
Greg Bernstein:  So what's in it oh I forgot we got these nice 
  things and make things bigger so what are we giving them well 
  we're telling them what things are being disclosed we have some 
  overhead okay given them the date of birth and the encoded photo 
Greg Bernstein:  If I was true what if they are lying about their 
  age maybe they want to not be as old as they say they are.
Greg Bernstein:  Okay if they change their age and then they try 
  and send that proof to somebody it won't verify this is as good 
  as a signature this is derived signature thingy that's not a 
  formal that's not formal terminology it's a derived signature 
  thing but that is our proof okay that's what Brooks like a 
Greg Bernstein:  And if verifies so we're able to select.
<mprorock> "derived signature thingy 2023" i am sure will now be 
Greg Bernstein:  Got selective disclosure pretty efficient with 
  their selective disclosure so far so good you can include how 
  many ever different things you like so now the tree can go to as 
  many bars as possible.
Greg Bernstein:  It didn't have to reveal its name its address or 
Greg Bernstein:  Okay and we see the kind of extra information 
  that we have to put into this disclosed in tracks we've got 
  another type of header called a presentation header when we get 
  to not this talk I talk about how you apply BBS verifiable 
  credentials will talk about how we're going to use the header for 
  and the presentation header for that's not this stock that may 
  not be this this for sensory.
Greg Bernstein:   Either okay so when you read these.
Greg Bernstein:  We have to remember there's this Collision in 
  terminology and we'll see that there's different core operations 
  okay so for verifiable credential the issuer issues the VC we use 
  a BBS signature okay during that process the holder creates a 
Greg Bernstein:   A presentation.
Greg Bernstein:  And it's going to use a BBS proof okay.
Greg Bernstein:  He uses proof Jen procedure okay.
Greg Bernstein:  Okay now when the holder creates the VP here's 
  where the magic comes in it doesn't have the the issuer's secret 
  key it's not even using its own secret cure anything all it has 
  to have is the original signature and the issuer's public key.
Greg Bernstein:  That is amazing that's amazing cryptography okay 
  the verifier can verify that the subset of information contained 
  in the verifiable presentation has not been modified by 
  validating the proof contained in the presentation against the 
  issuer's public key right that's what we want to know we want to 
  check it against the vishu no holder keys are involved not saying 
Greg Bernstein:  Okay that's something else that's one of these 
  Advanced topics there's something called BBS with bound 
  signatures as being kicked around okay but that's a different 
  thing no holder keys that is amazing okay and we saw it so and 
  you can go and do and mess with the demo right at each of the 
  different steps we saw that if you mess with the information 
  after signature creation it will not.
Greg Bernstein:   Not verify what.
Greg Bernstein:  Unfortunate bility yay okay so straight out of 
  the document we've got signed secret key public key messages blah 
  okay verify public key signature messages okay.
Greg Bernstein:  Proof or this derive signature thingy just the 
  public key the signature we received the messages and some 
  information about what we're disclosing or what we choose to 
  disclose okay and proof verify use by the verifier.
Greg Bernstein:  With the issuer's public key.
Greg Bernstein:  Now if that was it that would be amazing enough 
  but wait there's more we get something called anonymity and 
  unlink ability okay so the issuer signs of EC.
Greg Bernstein:  Back to the demo.
Greg Bernstein:  Create a signature click the button click the.
Greg Bernstein:  O signature doesn't change when I click the 
Greg Bernstein:  What does that mean 6 or science fair 
  cryptographic signature by their security properties these tend 
  to be unique yeah it's hard to come up with another signature on 
  the same messages hmm uniqueness is good uniqueness is bad in 
  some ways when a holder creates a VP that includes design BC the 
  cryptographic signature is included if the holder census the 
  multiple verifier.
Greg Bernstein:   Where's those signatures verified.
Greg Bernstein:  Khalood what's the picture.
Greg Bernstein:  So and you sure okay issues a signature to the 
  holder the holder sends the credential to various places but what 
  if the verifier share data amongst themselves they collude okay 
  verifier the verifier collusion that means the issuer can be 
  tracked but wait this is really happened it's not any real 
  information it's just the signature.
Greg Bernstein:   Yeah yeah.
Greg Bernstein:  The signature is really unique so even though 
  the tree went into a bar and it only disclosed its photo or an 
  age the signature can help identify that it went to different 
  multiple bars okay does this really happen yeah all the time okay 
  this is what people do to keep track you even though third-party 
  cookies are going out they fingerprint your.
Greg Bernstein:  Okay so go go look at e FF cover Your Tracks 
  like I said this is from teaching cybersecurity beginning course 
  make people go and see how unique their browser is a cover Your 
  Tracks Mozilla talks a little bit more about browser 
  fingerprinting and if you want to fingerprint people visiting 
  your site you can go to npm you can get a JavaScript library that 
  I'll help you do it and that gets three hundred thousand.
Greg Bernstein:   Downloads a week so it's.
Greg Bernstein:  That's okay so BBS and anonymity unlink couple 
  proofs the proofs generated by the scheme or known as for what's 
  the zero-knowledge this or that or the other thing lots of theory 
  lots of let's take a look.
Greg Bernstein:   So when.
Greg Bernstein:  To create my signature nothing happened when I 
  re clicked create signature let's go to proof generation.
Greg Bernstein:  This tree is going to go into multiple bars and 
  let's say.
Greg Bernstein:  They really don't care about their photo but 
  they want to know if they're from a local National local park 
  state or National Park to see if they can get a big drink of 
  water because we have Trout's now we're going to generator proof 
Greg Bernstein:   Well that makes sense.
Greg Bernstein:  So the proof should change right that makes 
  sense but let's say they go into another bar and they click 
  generate proof.
Greg Bernstein:  Oh the proofs generated by BBs.
Greg Bernstein:  Okay cryptographically in a cryptographic sense 
  okay these proofs when I create each one of them they're unlinked 
  able there's there's nothing about them that ties each to each 
  other part of the magic of Zur this hold zero knowledge proof 
  stuff okay you can see it here okay this is what takes some 
  effort that's what we mean by.
Greg Bernstein:  Harder area because this proof value nice 
  General random Mission numbered thing cryptographically proven on 
  linkable but don't forget we're revealing information up here 
  okay this is like detailed information about their date of birth 
  okay so when we talk start talking about on linkable proofs in 
  anything that.
Greg Bernstein:   It has this feature.
Greg Bernstein:  Yeah sure put it into the general context of.
Greg Bernstein:  How much of other information are you giving 
  away and how much are you leak potentially leaking okay how we 
  doing TimeWise about there.
Greg Bernstein:  So that's Unthinkable proofs what did Proof of 
  possession mean why did they say that well that's the thing we 
  just checked that.
Greg Bernstein:  Need to do this we did this that unlink able 
Greg Bernstein:  We understand what did the proof of possession 
  map the proof of possession thing that hard to understand 
  statement means that the signature sorry not the signature bundle 
  but the proof bundle given the thing we put in the verifone 
  viable presentation behaves like a signature okay theoretically 
  they say this is proof of possession that I have a signature that 
  was signed by blah.
Greg Bernstein:   Okay but from our point of view.
Greg Bernstein:  Apple presentations means.
Greg Bernstein:  Truth or it's just like a signature okay.
Greg Bernstein:  Somewhat in a nutshell here.
Greg Bernstein:  We've got Deion linkable proofs okay nice 
  feature okay they have peer essentially random okay but it 
  doesn't prevent correlation on disclose message so us the 
  verifiable credential verifiable presentation people when we go 
  and use BBS we're going to have to take care and also advise 
Greg Bernstein:   Using BBs.
Greg Bernstein:  They want these capabilities.
Greg Bernstein:  What information might we be leaking and the 
  fact that you're giving away information that can be used okay.
Greg Bernstein:  So later on if you'd like to try out these 
  things here's some steps try modifying the messages and things 
  like that and how does this all work okay this is proven 
  cryptographically people have used academic proofs and such like 
  that at its heart it's just some up it uses the hardness of 
  what's known as discrete log problem it uses things called 
  elliptic curves to keep all.
Greg Bernstein:   These values.
Greg Bernstein:  Double sizes and then it uses additional magic 
  of something called elliptic curve pairings or by linear maps to 
  get us this selective disclosure and on linkable properties I 
  know this was quick but hopefully this gives you this tutorial 
  level overview of what we get whoops okay.
Greg Bernstein:  Mbbs and why we want to use them for verifiable 
Greg Bernstein:  Future Advanced discussions look at the list and 
  we can also see what folks might want to hear about in the future 
Greg Bernstein:  Back to you guys I think we kept it close to our 
  time and let me stop screen sharing.
Harrison_Tang: Thank you Greg yeah this is an amazing 
  presentation learned a lot from here any questions.
Bob Wyman:  Yeah my apologies of this is really dumb but if the 
  proof bundle includes the public key why can't people just 
  doesn't the disclosure of the public key ruin the anonymity.
Greg Bernstein:  The public key is of the issuer.
Greg Bernstein:  State of California issues me a driver's license 
  I want to prove that I am of age to go get that drink at the bar 
  they're going to use the issuer's public key but not my public 
  this is not my did personal did that goes with my driver's 
  license this is.
Greg Bernstein:   From the state of California.
Greg Bernstein:  Yeah so there's that's why I was trying to 
  remind folks that the issuer has their secret and public key the 
  thing that you might be wondering it's like wait is somebody else 
  gets this signature couldn't they pretend to be me and Vera and 
  have their credential verified against the public key of the 
  original issue okay.
Greg Bernstein:   So but.
Greg Bernstein:  Every little bit like the public key would leak 
  information would like reveal that this is a driver's license 
  this is a state of California driver's license.
Greg Bernstein:  So think of the anonymity from the holders 
  perspective not the issuer's perspective.
Bob Wyman:  Right I got it okay I understand.
Harrison_Tang: Right next up he'll Keith me.
PL/T3-ASU: I think you mean me is that right here so yeah I think 
  one of the things that often is confused in this project and this 
  BBS selective disclosure is whether the properties that you do 
  not wish to disclose our encrypted but sent or alighted from the 
  credential that is actually presented to the endpoint.
PL/T3-ASU:  can you elaborate on that.
Greg Bernstein:  It is very similar to the alighted okay because 
  what you're it's very much like the gordian envelopes because 
  underneath how this kind of works is they are for each message 
  you're doing a hash there encoding that in these groups and such 
Greg Bernstein:   Like that.
Greg Bernstein:  You send the proof you're basically sending 
  somewhat like a hash value it's it's in it's in an imminent it's 
  randomized more than you would in like a gordian envelope type of 
  collision but it is really like removing it and substituting 
  something like a hash but it's more randomized because that's how 
  we get the unlink ability.
PL/T3-ASU: Right but just just wanted to clarify whether they 
  ended up with the whole credential and those pieces that you've 
  left or to be disposed visible and in to the receipt recipient 
  and the rest of it's still there but simply in an encrypted form 
  which potentially could be worked on.
Greg Bernstein:  Yeah no it's not even it's not even in an 
  encrypted format you could it's it's hashed in map to the curve 
  via group and randomized it's it's kind of there but it's not in 
  a way that we can see it.
PL/T3-ASU: Got it right right it still takes it still takes some 
  space but it's not the entire it's not what was in the original 
Greg Bernstein:  It doesn't it doesn't even take space it gets 
  mixed in so it's even harder to get it out.
Harrison_Tang: And you have to.
Harrison_Tang: Hi Greg sorry do you mind actually also clarify go 
  a little bit deeper into the trade-off of different selected 
  disclosure in mechanisms like PBS verses earlier you talked about 
  hash Bayside accordion envelope like what are the trade-offs.
Greg Bernstein:  Yeah this really needs more than one slide I'm 
  sorry about that and we may want to have a whole talk on it 
  that's it.
Harrison_Tang: Maybe I can schedule a follow-up conversation on 
  this topic of different options yeah.
<steve_magennis> is the bbs demo available somewhere to play 
Greg Bernstein:  Yeah cuz I look at it from a theoretical point 
  of view of like three main classes which okay if you sign 
  individual messages you have to have a signature for each message 
  so your overall signature size is M times the number of messages 
  times the size of the signature so for EDSA.
Greg Bernstein:   It'd be M times.
Greg Bernstein:  Okay however when you go to disclose.
Greg Bernstein:  You don't have any extra okay you just send with 
  what you disclosed with the signature that goes with it BBS in 
  the Merkel hash on the other hand they have one small fixed size 
  signature for arbitrary number of messages but you have to decide 
  when you do your proof derivation you have to say something about 
  the undisclosed messages you have to have some some kind of 
  filler that's the intuition.
Greg Bernstein:   A very different between the two but.
Greg Bernstein:  Thing is about the same okay undisclosed 
  messages so my proofs got bigger what would go for BBS versus if 
  I have lots of individually signed messages and I'm only 
  revealing two out of a hundred is only going to be like 102 times 
  64 bytes you know so it's important this is an important thing 
  because selective disclosure is important and we need to 
Greg Bernstein:   The trade-off.
Greg Bernstein:  These things because.
Greg Bernstein:  You can do some things that others can't at all 
  but then it's got its trade-offs because we saw about that unlink 
  able anonymity that may not be achievable based on what you're 
  revealing Okay so.
Greg Bernstein:   All these.
Greg Bernstein:  I say all these approaches are pretty good so if 
  we want to talk more and evaluate these things it's a good topic.
Harrison_Tang: Cool thank you no I will take you up on that I'll 
  I'll talk to you offline about scheduling a topic on this 
  presentation on this topic so thank you thank you and.
Greg Bernstein: https://www.grotto-networking.com/BBSDemo/
Greg Bernstein:  Okay and take and take a look if folks want to 
  take a look at the slides that say Advanced topics if that's 
  where we could try and pull in like the syllabus and some of 
  those Owen here's the link to the demo just in case all these 
Greg Bernstein:  You will be sent against by Harrison and case 
  you didn't get the links but they're all up on my website easy to 
  get to.
<kimberly_wilson_linson> Thank you!
Harrison_Tang: All right thank you Greg I learned a lot so this 
  is amazing presentation and thanks a lot and I think this 
  concludes today's a w3c shiji meeting I will send those notes 
  links and and also the links to the slides and the demo in a 
  follow-up email to the to the email agenda email that's sent out 
  earlier so thanks thanks a lot.

Received on Wednesday, 24 May 2023 17:46:24 UTC