Re: Horizontal review progress

On Fri, Jan 20, 2023 at 11:57 AM Phil Archer <phil.archer@gs1.org> wrote:
> starting with those two sections in the doc that might, just might, say "this specification does not raise any security or privacy issues".

:) -- I'm not as confident we'll be able to get away with that.

From a security perspective, we need to note that while there exists a
mathematical proof of the algorithm, and that multiple implementations
have been performed, that any bugs in supporting libraries that do
critical functions, such as hashing, could result in security
vulnerabilities if the canonicalization algorithm is used in a digital
signature process. I know that's a bit "tin foil hat", but we should
try to find ways to talk about security considerations given that this
primitive is meant to be used in security systems.

Another item that's not so tin foil hat is that it is possible to feed
poisoned graphs to the algorithm such that if there isn't a "bail out
after X iterations" limit on an implementation, you could launch a
denial of service on a system by continuously feeding it poisoned
graphs. This one is a bit less "tin foil hat" and is among the first
sort of attack I'd try against a system I knew implemented URDNA2015.

From a privacy considerations angle, we do have one mechanism that we
have to make sure gets in the spec (if it isn't already) related to
the BBS signature scheme, and we should speak to why that feature
exists (to ensure selective disclosure doesn't disclose other
information via the graph shape).

So, I expect we'll have at least one entry in both the Security and
Privacy Considerations sections. :)

-- manu

-- 
Manu Sporny - https://www.linkedin.com/in/manusporny/
Founder/CEO - Digital Bazaar, Inc.
News: Digital Bazaar Announces New Case Studies (2021)
https://www.digitalbazaar.com/

Received on Friday, 20 January 2023 17:30:59 UTC