- From: Manu Sporny <msporny@digitalbazaar.com>
- Date: Sun, 21 Jan 2024 16:02:15 -0500
- To: "W3C Credentials CG (Public List)" <public-credentials@w3.org>
- Cc: Julien Fraichot <julien.fraichot@hyland.com>
On Wed, Jan 17, 2024 at 8:51 AM Julien Fraichot <Julien.Fraichot@hyland.com> wrote: > As discussed privately with Manu I have a few questions about the ecdsa-sd-2023 crypto suite implementation and I thought having them on the public list could help others at least get those answered too, should they need it one day. Yes, great idea, Julien! Happy to try and answer what I can. Some other engineers from our organization might chime in on some details if I get something wrong, more below. > If the verifier asks for mandatory fields, it means that they should have quite a precise knowledge of the structure of the document, which might not always be the case, for instance in the case of a more universal verifier. Wouldn’t it make more sense to have the issuer specify what are those mandatory fields, through a property of the VC or its proof? When the base proof is created in ecdsa-sd, the issuer provides the list of mandatory disclosure fields to the Holder. The Holder knows if they don't always disclose these fields in the disclosure proof that the verifier will fail to verify the signature, specifically the signature over the mandatory fields. The Verifier doesn't have to know what they are or ask for them, if they are not provided by the Holder, the signature verification will fail. These "mandatory" fields aren't shared as paths in the document, but rather indexes for each canonicalized statement. Thanks to Greg Bernstein, there is a detailed example in the appendix that covers this topic. The mandatory fields are asserted here by the issuer: https://www.w3.org/TR/2023/CRD-vc-di-ecdsa-20231227/#example-mandatory-pointers and then they are encoded in the base signature here and given to the holder: https://www.w3.org/TR/2023/CRD-vc-di-ecdsa-20231227/#example-add-base-signing When the holder derives a proof, they tell the verifier which indexes (in the canonicalized document) are mandatory and which ones are selective disclosures: https://www.w3.org/TR/2023/CRD-vc-di-ecdsa-20231227/#example-derived-group-indexes What this does is allow the verifier to receive a VC that looks like any other VC, canonicalize it, and then determine which statements go into the "mandatory disclosure proof" and which statements have individual selective disclosure proofs on them. So, to answer your question, the verifier doesn't need to know what the mandatory fields are (they will get them and they can't verify the selectively disclosed VC without them). For the selectively disclosed fields, they just need to know what field they need (they don't need to know about any of the other selectively disclosable fields). > When selecting the fields to disclose, I understand this would be the responsibility of both the holder (from the user perspective) and the wallet (for the technical action of doing so). There is an example of what the verifier might ask to disclose to the holder, but contrary to the BBS+ suite where the reveal document serves of some kind of binding contract to the disclosed data, here it seems entirely up to the holder to choose which properties to disclose. So, at that point, how can we “automate” the verification, to make sure the actual requested data is disclosed without human intervention (which would imply reading a JSON file basically)? Hmm, when you say BBS+, are you referring to only the IETF work on the primitives, the old BBS cryptosuite, or the new one? :) The new one (bbs-2023) works like ecdsa-sd-2023, so you can reason about it in much the same way. > Why isn’t it possible to verify the initially signed full VC when signed with @digitalbazaar/ecdsa-sd-2023-cryptosuite? It's possible, but it's not necessary. Either the disclosure proof verifies or it doesn't. The only way you can create a disclosure proof is if you have a valid base proof. If you want to see if you have a valid base proof, one way to do it is to generate a selective disclosure proof for all the mandatory statements, and then one for each selective disclosure statement. Doing so is largely unnecessary unless you're debugging your implementation. One other concern that we had was that people would accidentally confuse base proof verification with disclosure proof verification. So, if we included an algorithm for base proof verification, someone might accidentally think that their implementation should be sending the base proof to the verifier (which it definitely shouldn't be doing). By NOT specifying that algorithm, any system that accidentally forwards a base proof is far more likely to result in a verification failure at the verifier (followed by a bug being reported and the implementer fixing their implementation). > Is support for predicates envisioned for this spec? Simple predicates can be done with static values. That is: "over age 15", "over age 18", "over age 21". Range predicates are not supported, such as "bank account balance greater than 10,000". We are unlikely to support range predicates in this version of the spec unless someone has a really good idea on how to accomplish it w/ ECDSA /and/ is willing to coordinate multiple implementations, add to the test suite, and convince the WG that it's worth going through another Candidate Recommendation phase to do so. :) -- it's possible, but unlikely at this point in time. > I didn’t quite understand the reasoning behind the blank node ids? Looking at this example https://w3c.github.io/vc-di-ecdsa/#example-canonical-hmac-document, is the goal just to obfuscate the _c14n indexes so one wouldn’t be able to guess the structure of the original document? Yes, exactly. Certain selective disclosure schemes, such as SD-JWT, leaks information based on the document structure (unless you proactively know to add decoys to the data). For example, if you have an array of "children", you don't want the size of the array or the array position to leak information. ecdsa-sd avoids this problem by obfuscating any blank node id so that you don't know how many members might be in any particular set. That's what the HMAC operation on the indexes does. It protects set information w/o having to have application-specific knowledge of the data structure being decoyed. > Otherwise thanks as always to the Digital Bazaar team for the spec and open sourcing of the solution. Thanks for looking over all of this, Julien. Let us know if we can help further! :) -- manu -- Manu Sporny - https://www.linkedin.com/in/manusporny/ Founder/CEO - Digital Bazaar, Inc. https://www.digitalbazaar.com/
Received on Sunday, 21 January 2024 21:02:58 UTC