- From: Manu Sporny <msporny@digitalbazaar.com>
- Date: Tue, 11 Mar 2025 19:31:06 -0400
- To: W3C Credentials CG <public-credentials@w3.org>
Credentials Community Group Transcript for 2025-03-07

Topics:
1. Introduction
2. BBS Alignment
3. Ligero + ECDSA

Organizer: Manu Sporny
Scribe: Our Robot Overlords
Present: Manu Sporny, Eddie Dennis, Sam Schlesinger, Greg Bernstein, Dave Longley, Hiroyuki Sano, Andrea Vesco, Will Abramson, Geun-Hyung Kim, Markus Sabadello
Audio: https://meet.w3c-ccg.org/archives/w3c-ccg-data-integrity-2025-03-07.ogg
Video: https://meet.w3c-ccg.org/archives/w3c-ccg-data-integrity-2025-03-07.mp4

Our Robot Overlords are scribing.

Manu Sporny: All right, welcome everyone to the Data Integrity call. This is Friday, March 7th, 2025. We are going to continue with our fairly loose agenda today; we're just covering the things that people want to cover from week to week. Specifically, today we have Sam joining us. I'm gonna let you do your own intro, but Sam's interest is in BBS and privacy-preserving crypto and that kind of stuff. So we're gonna do a round of introductions just to introduce ourselves to Sam, and then we will jump into what Sam's working on at Google and beyond. Then, if we can get to what we're working on and what the current BBS specs do, that might take 20 minutes to explain and go through. And then we can move on to other items. Greg, I think you had a number of things that you want to discuss about the Ligero ECDSA stuff as well, which I think Sam has an interest in too. I think that's it at a high level. Any other items that we want to add to the agenda, anything else we want to discuss today? Okay, if not, we'll go on. We do try to keep the meetings to 30 minutes, but today I don't think that's going to happen, so we'll probably eat up most of the hour. But that's okay, we're here to try and
Topic: Introduction

Manu Sporny: work going forward, and whatever we need to do to make that happen is what we'll do. All right, let's jump into introductions real quick. I'm going to ask you, Sam, to go first, and then we'll go around with other folks. So go ahead, Sam.

Sam Schlesinger: Awesome. Hi all, I'm Sam Schlesinger. I work at Google on Privacy Sandbox; specifically, I'm on the anti-fraud team. I work in between security people and privacy people, all very upset about anything that we do, saying that it's going to destroy the internet, and my job is to try to find solutions that I think are as private and as secure as possible. At the end of the day that brings me to anonymous credentials, because that's where we have the most efficient versions of those types of primitives that offer maximum privacy and security. In doing so, me and some cryptographers (I'm not a cryptographer by trade, but I've learned quite a lot about it since doing this), me and some much more proficient cryptographers, have developed some BBS-based anonymous credentials for the web. Some of those are private BBS, so those will be deployed in such a way that the issuer and the verifier will be the same entity, and then some of those are public BBS, which is what you guys are working on here and I think you're much more used to.

https://github.com/w3c-fedid/delegation/issues/3

Sam Schlesinger: So the place that we've publicly talked about deploying this technology is in federated identity, so I'll send that right now. That is using the same type of BBS, the publicly verifiable BBS. I shouldn't even call the other one BBS, but yeah, that's what it's called in the literature.
Sam Schlesinger: But the federated identity stuff is thinking of using BBS, and the hope is that we can make a world where federated identity, even in the broadest identity providers that we have, can be a lot more private. There's sort of a two-phase approach to that which we could talk about in the future. But it uses stuff that actually is very similar to what you guys are doing. In particular, it's BBS per verifier that I'm really going for. We do something slightly different, and we could talk about the technical differences, but that's the gist of what I can say publicly.

Manu Sporny: Awesome, welcome to the group, Sam. Wonderful to have you here. Let's go to Greg next, if you can go, please.

Greg Bernstein: Hi, Greg Bernstein. I'm working with both the DIF and the CFRG BBS stuff, and with the W3C cryptosuites; I'm an editor on a lot of the cryptosuites at the W3C and at the IETF, IRTF, CFRG, whatever you want to call it. I've been working on the blind signature and the pseudonym stuff, and most recently I've been working with some folks about standardizing sigma protocols for general use. This also got us in touch with the Apple folks on ARC, which is Anonymous Rate-Limited Credentials, for Privacy Pass. But they're dealing with a two-party model, hence you'll hear them talk about keyed verification type of stuff, a different kind of flavor of BBS that doesn't involve pairings. So we've been working with them; Michele Orrù has kind of been working between us, and we're going to be having a little discussion on some of those things, about where we can
Greg Bernstein: kind of synergize and such like that, because nobody needs to keep coming up with new sigma-protocol-based proofs if we have a general template and mechanism to do that. But we can talk more.

Manu Sporny: Awesome, thank you, Greg.

Sam Schlesinger: Yeah, I just want to briefly mention that we've been talking to, I think, the same folks, Chris and Kathy, and I believe that some folks from our side will be in those conversations as well.

Manu Sporny: We love to see people coming together to work on cool new crypto things. Andrea Vesco, why don't you go next, please. And you might be muted. Here we go. That's great to hear, Andrea. Sam, Andrea is working on a lot of post-quantum stuff, and that comes in when we get interested in some of the post-quantum unlinkable schemes; we're also working on post-quantum schemes here as well. Let's see, Will Abramson, you mind going next?

Will Abramson: So hi. I've been developing a cryptosuite using BIP 340 Schnorr signatures as part of a DID method I'm building. Excessive, you know. Oh, I'm also the chair of the DID Working Group and the co-chair of the CCG.

Manu Sporny: Thanks, Will. Eddie, go ahead.

Eddie Dennis: Yeah, Eddie Dennis. I've been at Digital Bazaar for about 6 months. I helped them work with operations for quite a few years in my previous role, and I'm helping them run operations now in my role now. So I'm glad to be here and see what's happening on this side of everything.

Manu Sporny: Awesome, welcome to the call, Eddie. Wonderful, thank you. Dave Longley.
Dave Longley: Hi everyone, I'm Dave. I'm with Digital Bazaar. I do standards work at W3C on things like Decentralized Identifiers, Verifiable Credentials and Data Integrity. I also work on implementations of the specs, for example the Data Integrity BBS cryptosuite.

Manu Sporny: Awesome, thanks, Dave. Please. And you might be muted again.

<geun-hyung kim> Yes
<geun-hyung kim> Sorry

Manu Sporny: We still can't hear you if you're talking. No, it's okay, we can come back to you once you get the ability to unmute or talk. Okay, that's it for the intro. So Sam, hopefully you've got a sense: we've got a very broad set of people here, but everyone that's here is involved at some level of the IETF specs or the W3C specs or the implementation. So we've got a full stack of people here that can get everything from nascent idea all the way to implemented, to spec, to global standard, and we're well versed in doing that. We've got a good work pipeline set up so that we can take new concepts to implementation to global standard pretty quickly, relatively speaking of course; these are global standards, so it's like, once a year is still okay.

Topic: BBS Alignment

Manu Sporny: Let's go back around and talk about BBS, BBS alignment I guess. So Sam, I know we threw a lot of specs at you, but I think we'd like to hear if you have seen differences in what's being done, if those differences are not important, meaning it doesn't matter how we do it as long as we have the same outcome, but also things that might be missing, like certain features. The rate limiting stuff is particularly interesting, the Ligero stuff is of interest, post-quantum unlinkability is of interest. So Sam, the floor is kind of yours.
Sam Schlesinger: Yeah, happy to chat about what I read and where I see the main differences. I want to rewind a sec and give a little bit more context around ARC and ARC's relation to the work that we're doing. ARC is Anonymous Rate-Limited Credentials. It's a potential standard by Apple; there are drafts out in the Privacy Pass working group. They have not been adopted; they're going to be discussed in Bangkok. We've met with Apple and we've chatted about it, and we have a draft. We don't actually have a standard draft, it's just a LaTeX document that we wrote up, but I will link it in the chat.

https://github.com/SamuelSchlesinger/authenticated-pseudonyms/blob/dev/design/Range.pdf

Sam Schlesinger: And this draft is very similar in a lot of ways to what Apple is doing. I'll put it in the chat here. The gist is that what Apple is doing is they're saying, here's a credential that you can authenticate with N times. What we're doing is something slightly different: we divide up time into epochs. Again, in this context we're using keyed verification, but all of the rate limiting techniques and ideas are completely transferable over to public verification. So what we do is we split time into epochs that are pre-agreed upon, such that at any given time you can just know the epoch ID of the current moment, and then we say that per epoch we want you to have a rate limit of, let's say, R. Then we do something actually very similar to per-verifier relatability, which is to say we produce these pseudonyms that we prove the validity of in a very similar way; however, we don't reveal one of the inputs to the pseudonym. In particular, we don't reveal the input i, which is a counter that ranges between zero and R minus 1.
Sam Schlesinger: So we prove that you've got one of your R valid pseudonyms for this epoch, but we don't tell you which one or anything like that. And so the idea is that if you wanted to provide somebody with a credential that shows some critical information about themselves, you want them to be able to authenticate with that many times; you want there to be some sort of cost to them giving that credential to somebody else, because it means that it's eating into their budget for that period of time. Whereas if it was totally free to present your credentials, then I'll just share my credential with a million bots and then the whole scheme is kind of useless; the value of the show is useless now. And we kind of like... oh yeah, yeah.

Manu Sporny: Yeah, I just wanted to ground what you're saying in multiple use cases that this group is interested in. So there's the age verification thing that a number of us are working on, TruAge, that would benefit from this type of approach. There are also potentially payments use cases that benefit from this approach, certainly rate limiting. There's also another one, Sam, that I forgot to mention when we talked last time, which was the proof of personhood work that we're working on. I mean, we wrote this paper with OpenAI and a number of researchers there: how do you tell whether or not an entity that's engaging with the website is a bot, an AI agent operating on behalf of someone, a proxy agent or whatever. This work that you're describing is also useful there. So I think it's something that we haven't discussed
Manu Sporny: in this group in particular, but I think it has great applicability. So I just wanted to ground that for everyone else in the group, to say this is really interesting stuff. Back over to you, Sam.

Sam Schlesinger: Yeah, and I want to emphasize that the draft that I just linked really is purpose-built to do the age verification problem. So if you take the draft and then you implement the publicly verifiable variant (there is such a thing in the draft), you basically just have a purpose-built solution already for publicly verifiable age checks, specifically with a range proof on the age. You can't reveal the age; you can modify it, but we don't see value in revealing the age. So one way, if you read our draft, and I think the way we're going to present it, probably two IETFs from now, but we can't promise this, this is my hope, is that we'll present it as a Privacy Pass primitive, which is essentially just what I suggested, with thinking about the age not as an age as you might think of it for age verification, but instead as an expiration date. Your Privacy Pass credential can expire, but until it expires you get to have R authentications per epoch. So yeah, I would love to hear feedback from the group broadly about the rate limiting idea. I'm sure people have thought about it before. I can get into some of the technical details if that's interesting to people. Yeah.

Manu Sporny: So the first question I have, Sam, is, I think we're largely
Manu Sporny: We tend to focus on three-party models, not two-party models. We're pretty strongly driven by the Decentralized Identifiers use cases, the Verifiable Credential ecosystem, and so these are kind of public verification systems. So a lot of what we do is driven by the utilization of BBS to do the types of proofs that you're talking about. But for the rate limiting and age verification stuff like that, I'm pretty sure you said there are public versions of it; we can use BBS for it.

Sam Schlesinger: Oh, I'm sorry, I should be clear that if you go to section 4.2 of the draft, it's explicit how to transform the scheme there into a publicly verifiable scheme. And in my implementation in Rust I have the publicly verifiable range proof scheme as well, the 1 sorties algorithm, and there are reasons why it's been a little annoying to make it constant time, but that's sort of the one caveat.

Manu Sporny: Okay, excellent. Greg, what are your thoughts? Has this come up with some of the BBS work before, or any questions on the rate limiting approach, or do we just need some more time to read up on it?

Greg Bernstein: One of the things that's come up is how to extend, in particular, so it seemed everybody's kind of getting towards the pseudonym thing, variations and extra stuff about it, and what we're trying to do is figure out how to offer the extensions. This is where we should, with Michele Orrù and his more generalization, I mean kind of standardization, of how you do these sigma protocols, because the folks with Apple had one approach, you've got range proofs thrown in there, theirs was something I guess simpler, but it wasn't clear in their paper, in their draft, what exactly they were doing.
Sam Schlesinger: Yeah, that draft is pretty hard to read.

Greg Bernstein: Yeah, I was trying to go backwards from the code to work out how they are doing this.

Sam Schlesinger: Yeah, I think they're just implementing the 2014 version of CMZ, so I think that reading one of those papers is actually a little bit easier than reading their draft.

Greg Bernstein: Yeah, so the work is trying to figure out how we can pull some of these things in without getting... you know, because there's these optional features that we added to the W3C spec because, as we discussed, and maybe Dave will have more to say about this, people are saying we need something like this, we really need something like the pseudonyms. Pseudonyms have been around a while, and it turns out this is a pseudonym bound to a credential. The keyed verification case, the two-party case, versus the three-party case is like, well, we're going to use pairings, but we're going to use a similar style of proof generally to include it. That's where we were saying, oh, there's some good overlap. Dave, you might have more to say on the requirements part and such.
Dave Longley: So I got on the queue to say, over the last few years, in trying to get privacy-preserving credentials into the ecosystem, we've bumped into two main problems. The first is just getting people to use unlinkable credentials and making it clear that they need to be unlinkable and so on. There have been a number of different efforts that get credentials into the ecosystem for personal use, but not in an unlinkable way. The other piece of that is making sure that unlinkable credentials can't just be used for what we've been calling first-party fraud, where the holder of the credential sets up some kind of scheme, or maybe uses a tool that someone else has written, to allow their credential to be unlinkably presented essentially an infinite number of times. So it's really vital that we have this pseudonym piece. I guess the other piece that I would mention is that some people have suggested solutions to this first-party fraud problem by suggesting that people should have their devices locked down, or restrict how they can use them, and more or less wield
Dave Longley: hardware security against the holder of the credential themselves on their own device. Not only do we think that's not a good idea from a liberty perspective, but it also isn't a very effective solution to the problem, because anyone who wants to attack that has direct access to the device, and there are a lot of papers written about thwarting those sorts of things, and it's like chasing a never-ending problem. So pseudonyms are a really good solution to that problem, and we want to make sure that that's built into all of the technologies and solutions we're looking for, as a basic part of any sort of API to use any unlinkable credential. At IETF and for BBS we have a pseudonym approach, and that's being included in all the specs up to the W3C level. Importantly, we're then also looking for some things to use on top of the features that are exposed there to make better use of those pseudonyms.

https://blog.identity.foundation/cryptographic-pseudonyms/

Dave Longley: Some of us in this group wrote a sort of public-facing paper about this sort of problem and about pseudonyms, and we do mention in there that one of the things you can do, when you're building a context around a particular pseudonym, is using a time-based value. So it's very good to hear about this work. We're very interested in coming up with a nice standard way to express that, so it could be used to present these credentials in a number of different places. We're excited to hear that, and we hope that we can layer all these things together and get the use out of them that we want.

Sam Schlesinger: Yeah, I think
Sam Schlesinger: there's definitely an implementation overlap in pseudonyms versus the rate limiting. I want to hesitate to say that they are the same. An example is, if I'm doing a time-based context, then I get to know who you're not, because I can see who else used the particular time and had a different pseudonym. This isn't exactly the same as re-identifiability, but it's a really important distinction from unlinkability, I think. While I definitely appreciate that they look very similar, they are slightly different. I do think that there's a world where you could specify them and they look the same, or you could imagine what Greg suggested, which is you could try to layer the rate limit proof as part of pseudonyms. Part of me feels that might be a mistake from a technical perspective, just because it might be very easy to get a little bit over-complicated in the spec by doing so. And my concern is not with specifying sigma protocols; I think everybody would like to have that. I've spoken at length with Michele; I've promised but haven't delivered on actually helping with the sigma protocols draft, I really should do that. But I don't necessarily think that there needs to be strong coupling between pseudonyms and rate limiting, especially because you could actually imagine really different implementations.

Manu Sporny: Yeah, so let's see, I'm gonna go
Manu Sporny: a little more high level. This is all great. I think, Sam, what you're hearing is that we definitely want to see this feature, and we just need to figure out how to get there. You're saying there's some challenges, and we want to make sure that we don't complicate things or technically bind things to one another that are going to limit...

Sam Schlesinger: Yeah, I just specifically want to avoid over-complicating the per-verifier spec. I think that spec is really clean how it is; making it much more complicated seems to be...

Manu Sporny: Yeah, exactly. So here's the thing, and forgive me, I don't know how much experience you have in the whole W3C standardization space, but the challenge that we're working with right now is largely not technical, it's process related. Whenever we have this cool new thing that we want to do, we've got to push it through simultaneously at IETF and W3C, which means that we need active working groups at both places, and we need proper cryptographic review at IETF, which unfortunately, as you probably know, takes forever. It's taking forever because the expertise isn't there; there's so few people that understand this stuff at depth that can do an actual good technical review that it takes a really long time at IETF. So where Greg's coming from is, if we can figure out a way, and we may not be able to do this, but if we can figure out a way to layer this, we get speed to market. But as you said, Sam, we may not want to do that because it's the wrong thing to do technically, and we definitely do not want to do the wrong technical thing, right?
Sam Schlesinger: Well, I don't want to have what I said misconstrued as it's the wrong thing technically. It actually might be the right thing technically, but for that exact reason that this stuff is very complicated. On the one hand we have getting it through the CFRG, but on the other hand you have adoption on the other side. I know we have implementers in here, and for you guys, you're so familiar with all this that this isn't going to stop you, but we presumably have a lot of potential implementers out there in the world who don't know anything about cryptography, and they expect these specs to come out and get implemented by enthusiastic library maintainers in all languages. I assume we don't have those people inside of this group, and those people need to come into existence, and they come into existence by reading those drafts and implementing. Oh wow, okay.

Manu Sporny: Yeah, we do. So just to be clear, we've got 25-plus different implementers. They're not all here, but we have the ability to reach out to them and say, hey, we've got something here, are you interested? Now the BBS stuff is a little less; I think we've got maybe 8 strong implementers there, but in different languages. So we do have the ability to push on them and move that ahead of the specs. The long pole in the tent, Sam, is almost always just the IETF process and the W3C process. We get this stuff implemented usually within 6 months, and then we have to wait 2 years for it to work through the IETF and W3C process, which is fast, comparatively, to some other things.

Sam Schlesinger: It gets implemented, but has it been adopted and liked by people broadly, I guess? Yeah, it helps, yeah.
Manu Sporny: No, not at this point. I mean, we're still fighting with the whole NIST battle, where NIST is unwilling to recognize it, as are most nation-state cryptography bodies. But at the same time, as you said, if we have a big implementer like Apple or Google pushing it out, that pushes them to take it more seriously, right? So anyway, all that to say, all of these things are possible, but some take more time than others. I think what we want to do in this group is just get the technical underpinnings right. We don't want hacks, because pushing a hack through the global standardization process takes as long as pushing the right thing through. So we want to do the right technical thing that gives us the most amount of flexibility, the right technical solution, and then everything else follows from there.

Sam Schlesinger: Yeah, well, in that case, I think, taking a very bird's-eye view, thinking about what Apple wants, what Google needs, what you guys are asking for, I feel like a draft that looks really good, and this is mostly talking to Greg here, is one where we do the pseudonym thing and then we prove something about the pseudonym context, so that you don't have to reveal the entire pseudonym context but instead you can just reveal some property of it. To do that, I think you're right, we do need Michele's or someone else's sigma protocol spec, but we could embed an arbitrary set of linear equations that relate the context to whatever other things are in the credential.

Greg Bernstein: Okay, so you get the... you're kind of like where we've gone with the pseudonym spec, okay.
Sam Schlesinger: So I can tell you the differences. The main difference is that you guys use hash-to-G1 of the context raised to the secret. We use G1, like the generator of G1, raised to the 1 over (secret plus hash-to-scalar of context). I could be totally wrong, but I don't actually think that there's a serious difference between those two approaches. We're using effectively a Dodis-Yampolskiy PRF; you're using essentially a Pedersen hash. I can't see a difference in terms of security. The one area where I see a difference is the BBS standard itself: you guys are using a deterministic variant, so you get computational hiding of the commitment for blind signatures, not statistical hiding. I don't love that; I like statistical hiding for the blind signatures. I don't necessarily think it's a deal-breaker on our end, but it's definitely something that we've not chosen to do, to use computational hiding when we could have statistical hiding. I think that the comment in the draft where you mention that we do that just in case somebody has a bad entropy source, to me it strikes me as a dangerous attitude to take, because all the things surrounding all these drafts do require a solid entropy source.

Greg Bernstein: Oh, that's a core draft issue, so... I wasn't involved with the core draft, except as somebody who helps review it and such like that, but that's an important thing to be brought up.

Sam Schlesinger: Oh yeah, yeah, and I'm not saying that I'm... yeah.

Greg Bernstein: Right now, as we were trying to address the... I mean, because at Bangkok there'll be a presentation that says, hey, the guys, Vasilis and the other author, these are how they address the cryptographers' comments. The blind now... so the core draft is pretty far along.
Greg Bernstein: Could we add in some extra randomization in the blind signature draft? And with that, there's different ways to do this, but that core kind of concern, raise it. There's another meeting we have, a Monday call with the DIF BBS folks, where we get together to talk about those things that should be discussed and handled with the cryptographers, right?

Sam Schlesinger: Agreed, agreed, and I'm not a cryptographer, so it shouldn't be me. That was more of a... I probably shouldn't have made it sound like such a strong opinion. This is just my first reading today; this is like the second thought I had, and yeah, I agree that we shouldn't take my concern right now and treat it like it's the right thing to resolve for the BBS draft. But that's my only other difference. So the main two differences are essentially the randomization and the... yeah, that's exactly right, yeah.

Greg Bernstein: Now what about the commitment computations and pseudonym? In blind BBS you're using something that's the Pedersen commitment.

Sam Schlesinger: Yeah, pretty similar stuff, so like sometimes...

Greg Bernstein: Okay, so it's the pseudonym computation that you're concerned with.
Sam Schlesinger: I'm not really concerned with it so like neither of these things are like deal breakers for us by any means um but they they are differences in in choices that we made I have to talk to the cryptographers on my end about the difference between using the Pedersen hash and the Dodis-Yampolskiy PRF I I actually don't know if they're if there are reasons why they chose not to do that I mean it seemed to be honest it seems like a natural choice to choose to do to do it that way oh no what am I saying no no no so okay going back to what we're what we were talking about as a standard for everybody um.
Sam Schlesinger: If you want to prove something about the context.
Sam Schlesinger: Then you want it to be in a scalar.
Sam Schlesinger: Does that make sense.
Greg Bernstein: Oh rather than an element.
Sam Schlesinger: Yeah that's right that's right.
Greg Bernstein: Oh that's a good point.
Sam Schlesinger: So I think that if we want to have this the the rate limiting then I think we we actually do need it to be in an in a scalar rather than in a group element it could be that you could like sort of spell it in a way where you you sort of do both somehow but um.
Sam Schlesinger: But I don't necessarily know if that's even secure um.
Sam Schlesinger: so I.
Sam Schlesinger: I think the Dodis-Yampolskiy PRF works a little better there it's not so different than what you're doing though like it doesn't really change very much at all.
Sam Schlesinger: Yeah I'm tempted to not yeah.
Manu Sporny: All right that's good I want to make sure that we are also able to get to to Greg's item today we've got about 15 minutes left but this has been a great discussion uh 1 thing that I'll raise Sam is you know the the core spec the BBS core spec is pretty much done at IETF and if we raise a serious issue with it at this point we're going to derail all of the work that is my greatest fear and and there's only so much yeah I know well so so what I'm saying is like what you what you're saying let's let's say you know it is a you know we do we do want to do it in a different way I think the place to hopefully put that is in these other specs that are a little behind the the core BBS spec there are definitely people that do not want to see this work happen and there is only so much time that the window's open for us to get specs.
Manu Sporny: IETF right I mean the US are are working from limited funding you know in when we run out of funding it doesn't matter where we are in the process the work just ends and the thing dies right so so so anyway I I know everyone's you know conscious of that I just wanted to say it out loud because um there is you know there are people that don't want to see BBS happen and you know dragging it out is 1 good way to ensure that that it fails um.
Sam Schlesinger: Yeah and I think on our end like we can just implement it using the the you know randomized values like nonces instead of the deterministic ones and like I don't think anything bad's going to happen if we have a divergence in that way and I you know it's not actually so bad to to use the deterministic version I I it's just a taste thing really.
Manu Sporny: Yep yep okay all right let's go ahead and rotate into the.
Manu Sporny: What do you want to call this part it's the we're going to talk about the ECDSA Ligero stuff and you've done an analysis that's different than the mdoc stuff.
Topic: Ligero + ECDSA
Greg Bernstein: Yeah I would still well I was making an observation because I was you know I've been trying to get up to speed on ZKPs and then I I saw.
Greg Bernstein: Do you know the uh.
Greg Bernstein: I know he's not the first author but I know Abhi name they brought in to the IETF.
Greg Bernstein: Draft about doing kind of a general.
Greg Bernstein: Specific type of ZKP but they didn't go as they didn't make it as specific to mdoc.
Greg Bernstein: And then.
Greg Bernstein: When I was reviewing their paper.
Greg Bernstein: You know you look at the different steps and such like that.
Greg Bernstein: And at the point where they really make the paper specific to mdoc they go here's where we're going to like build a parser in code mini parser for CBOR and I go.
Greg Bernstein: God that's ugly and I was thinking about the way we do.
Greg Bernstein: The way we do processing.
Greg Bernstein: And process our credentials and get them into a form.
Greg Bernstein: To pull into the cryptography right you know whether it was.
Greg Bernstein: ECDSA selective disclosure where we sign each of the statements how we turn things into a set of messages that goes into BBS and such like that I was going.
Greg Bernstein: We should be able to do something I mean because the whole point of that exercise is so you can use your hardware root of trust.
Greg Bernstein: That can produce ECDSA signatures and if you were gonna.
Greg Bernstein: Go ahead Sam.
Sam Schlesinger: Oh no I want to I want to hear your your thoughts finish sorry for interrupting.
Greg Bernstein: So I mean the purpose of the exercise is.
Greg Bernstein: We all have TPM secure elements in our phones on our computers and right now.
Greg Bernstein: Their their firmware.
Greg Bernstein: Does you know the certain elliptic curves right and that and they can do the certain signing ops.
Greg Bernstein: mdoc uses that particular thing and anything else but the we have with verifiable credentials especially the data integrity we can do.
Greg Bernstein: I don't like to call it multi-sig it's just we can add as many different proofs using different signing mechanisms to a credential as we like.
Greg Bernstein: And when we do that we process.
Greg Bernstein: The JSON-LD and which I'm not an expert on but I've watched this process enough from people that are experts to put it in a form we like that we then can cryptographically process in a way.
Greg Bernstein: That's more amenable to.
Greg Bernstein: Whether it be BBS right we were able to go from.
Greg Bernstein: A verifiable credential and JSON-LD to a set of BBS messages and make selective disclosure work nicely and such like that I was going.
Greg Bernstein: I mean even reading that the the paper with the mdoc I go it still seems kind of difficult how we're going to make selective disclosure work and this only applies to mdoc what if we want to.
Greg Bernstein: Secure some other credential and make it unlinkable with ECDSA.
Greg Bernstein: The general approach with the ZKP could work but.
Greg Bernstein: With verifiable credentials in the data integrity approach.
Greg Bernstein: We have a lot more flexibility to pre-process in a way that's nice to do the ZKP thing over ECDSA that's my observation Dave Manu may or may not agree I don't know but that's my impression.
Manu Sporny: Go ahead Sam.
Sam Schlesinger: Yeah I agree with pretty much everything that you said if I recall it all correctly but I so the way I see it is that.
Dave Longley: +1 The VC DI approach keeps the credential format stable and allows flexibility with all the crypto + multiple crypto methods at once.
Sam Schlesinger: There's a lot of people who won't use what we that what we're working on because it's not.
Sam Schlesinger: By you know the most sort of senior cryptography bodies as Manu has mentioned and so getting even to the point where people are using an equivalent solution to the types of stuff we're working on.
Sam Schlesinger: Very very beneficial for our for our work in my in my personal opinion because.
Sam Schlesinger: All commerce in general but you know internet commerce especially is very very sensitive to friction.
Sam Schlesinger: If there's a drop-in replacement for the work that they've done with mdoc that is a thousand times more efficient which you know is not exactly what we've got but we've got stuff that's like you know 50 times more efficient um and we haven't optimized at all um.
Sam Schlesinger: And we could potentially wind up in a world where just via competition this BBS based work.
Sam Schlesinger: Does very well and yeah so I think I feel not not very negatively about the work being done on on mDL I I definitely agree that like from a technical perspective it's not necessarily like very tasteful and I think that um.
Sam Schlesinger: As has been mentioned device binding is not a sufficient solution when it comes to making a resource scarce and in fact if you escape the device binding then you have the same problem that you had without anything and so I think that from a.
Sam Schlesinger: Our work on rate limiting will out compete it from a performance perspective I think the BBS work will out compete it.
Sam Schlesinger: and so.
Sam Schlesinger: I feel very positively overall about like the posture of this work versus that work though I think that work is really important in like getting broader adoption to a set of more conservative actors.
Manu Sporny: Yeah and and plus 1 to that Sam I think we're we're all pretty much in the same boat here you know I think the the the whole well so here's here's the thing we don't have to pick here we can do all of these things right uh meaning the the thing that Greg just outlined we can apply the Ligero stuff to ECDSA you know data integrity stuff but do it more generally so that it applies to any type of credential Sam what you might not know is like we don't just deal with driver's licenses we deal with all sorts of things you know age verification permanent resident card citizenship certificates education certificates birth certificates you know that's certificates marriage like all kinds of these things you know go into a verifiable credential and the solution we have is generalized it's not just for you know driver's licenses mdoc it's it's for you know a more broader set of of documents so that's the first thing the the second thing is you know a Frank.
Manu Sporny: The whole.
Manu Sporny: You have to do this through ECDSA because that's what's supported in hardware is total BS right because you know look at the way we manage our cloud infrastructure today these are SSH keys sitting on people's machines where you don't really know you know if they're doing proper like encryption on the key and they're not in you know by and large corporations are slightly different right but but even within corporations you don't really know if the that that you know ECDSA key is actually being properly protected uh that the you know the person managing the the the cloud infrastructure's managing and that is for the most critical stuff that that we run on on the web so you know the the whole like you have to use ECDSA is very much kind of a an argument that's used to bat aside the BBS and the more more advanced you know cryptography like it's a speed to market thing largely a lot of the vendors arguing for it or you know have some kind of HSM game that.
Manu Sporny: They're playing.
Manu Sporny: Game that they're playing or they're just they don't want to you know they don't want to get in the the big long discussion with the national standards bodies around the fact that they're not actually doing a good job you know moving you know advanced crypto forward so um.
Manu Sporny: Can do this in parallel.
Manu Sporny: Um meaning you know we can do the ECDSA Ligero you know whatever stuff in parallel so people making the argument that you have to use ECDSA that's fine we can meet meet that that bar and in parallel you know we can push the BBS stuff forward because it's pretty much kind of done in in in out there and it and there are organizations that will adopt you know the BBS stuff they don't care about national standard setting bodies they care about it being through IETF and W3C and if it's through that that's all they that's their bar right and the other thing that we haven't really talked about too much today we do also care about finding you know a post-quantum unlinkable scheme so all of these primitives that we're putting together and all the thinking that we're we're putting into kind of the elliptic curve and the pairing based you know curve stuff the hope is at some point you know we will you know spend quite a bit of time um with some post-quantum algorithms but using the same you know basic techniques to to.
Manu Sporny: Um to get to a post-quantum unlinkable scheme so all that to say that you know this is all good work Greg it's you know I I agree with you I I haven't been able to.
Manu Sporny: The paper nor do I think I'm going to have a useful opinion after after it but but we have talked with Venky and and Abhi and in in Abhi was fairly convinced that it should be you know more cleanly applicable to the verifiable credential uh stuff but of course you know that's not necessarily where um where the mDL people are putting putting their time right I mean they've got a format and it's fixed and they've got to get it working right so that's that's I think largely driving the the the current work um.
Manu Sporny: All right uh.
Manu Sporny: Let's let's talk about kind of next steps here Sam maybe you know maybe you need a couple of days to think about it on what would be the most useful thing for the work that you know you're doing and how we can try and you know converge and prioritize work here to to move some of this stuff forward it's all exciting stuff right but I think you know realistically there's too much there for us to we've got we've got to prioritize right so we need to we need to figure out you know priority order and I think Sam that might be up to you to talk to your team and figure out if there are some really bad gaps that need to be closed in the current set of specs that are in flight right so if we can make some changes that positively impact the work that you're doing and get them to IETF CFRG on an accelerated schedule.
Manu Sporny: That helps you it helps us you know it helps it helps the the community and then maybe you know we we also think about like the these are the things that we're not going to be able to get in the current iteration so let's plan on the what the next iteration has to has to include on it so maybe you know we spend next week.
Manu Sporny: About that a bit and then of course Greg if as things come up I what is is.
Manu Sporny: Is IETF next week or the week after.
Manu Sporny: Yeah yeah good good luck.
Greg Bernstein: No week after so I gotta put together the present where we got to work on the presentation we have 10 minutes plus 5 for questions to cover 3 drafts but at least we're after most of the KEMs hybrid KEM stuff where they're the list has been exploding so well we will not get pushed off we're at the beginning of the agenda.
Manu Sporny: Okay that's good okay good.
Greg Bernstein: And they group the 4 of us together the 3 of us together so us m m and the ARC draft were.
Sam Schlesinger: Yeah I mean I can definitely off the top of my head I think the most important area to make sure that we can actually do do what we're trying to do with rate limiting as like sort of an extension of the perverter re identification would be to have the context being a a scalar um.
Sam Schlesinger: and I think.
Sam Schlesinger: Greg understood what I was talking about when I was talking about that earlier and I think we could we could collaborate on seeing just how that would work I mean like the draft that I think we really ought to have.
Sam Schlesinger: A draft that supports.
Sam Schlesinger: Both public private.
Sam Schlesinger: Rate limiting solution and I think that that draft is like.
Sam Schlesinger: pretty much.
Sam Schlesinger: In that document that I sent but there's a lot of details that need to be specified further for engineering um that aren't there.
Greg Bernstein: The nice LaTeX document.
Sam Schlesinger: yeah it's just a PDF right now but yeah like.
Sam Schlesinger: Send a lot.
Greg Bernstein: Oh the PDF okay I don't need LaTeX there no no no I I I prefer PDF I don't need to go produce.
Sam Schlesinger: Put that in the chat I'll put that in the chat again because it gets run out by the by the bot um.
https://github.com/SamuelSchlesinger/authenticated-pseudonyms/blob/dev/design/Range.pdf
Sam Schlesinger: And and that repository has my implementation as well.
Sam Schlesinger: But yeah so like if if I was to say like what is the tiniest little change we could do that would potentially make our work more compatible down the line would be putting the pseudonym context in the identifiers or sorry in the exponent um and then if I were to say like what should we do as a collaboration between ARC us and like not us I mean ARC this group and Google would be would be to make a full draft that had the rate limiting solution that Jonathan Katz has devised and that is in that document and.
Sam Schlesinger: And that um.
Sam Schlesinger: You know sort of needs a lot of needs that a lot of people have so like in particular it feels like it could basically work.
Sam Schlesinger: More or less unaltered for for the age solution depending on what you want to do there it works for a web API that we're hopefully going to be shipping soon that you know is unannounced it works for Apple's stuff I think they're doing machine learning I really don't know what they're actually up to with ARC but yeah and so yeah if we could get that draft and and I think that that would probably go to Privacy Pass in particular because it sort of has this like web authentication flavor to it but it would be immediately applicable to verifiable credentials as far as I understand um.
Sam Schlesinger: But the the first step maybe just change the way that pseudonym generation is done to make it plausible to to prove something about the context.
Manu Sporny: Okay sounds good we we are at the we're we usually try to finish up 5 minutes before the hour to help people have a tiny break before their next call thank you very much for joining us Sam I hope you continue to join us as we go through each week we meet every Friday thanks everyone for the the wonderful discussion as always next week we'll kind of continue the discussion on collaboration and then Greg if you need anything last minute for IETF from us we'll we'll also touch on that and then of course if anybody else has any other items for the group we will discuss those items as well all right uh that's it for today have a wonderful weekend and we'll see you all next week.
Received on Tuesday, 11 March 2025 23:31:49 UTC