Re: Adding a JSON Web Key to a schema Person?

On 10/21/20 5:12 AM, Melvin Carvalho wrote:
> What would be useful would be to add a public key to the JSON for a schema Person

Please don't add it directly to a person... that's an anti-pattern that leads
to ambient authority security attacks.

Instead, add it as a relationship that the person has to the key, where the
person is identifying the key, via a verification relationship, effectively:

<_:person> <verificationRelationshipToKey> <publicKey> .

For example, if the person intends to use the key for authentication:

<_:person> <sec:authenticationMethod> <LdSecPublicKey> .

There already exists a vocabulary to do this:

https://w3id.org/security/

... and is what we're using in the DID WG:

https://w3c.github.io/did-core/#a-simple-example

There are JWK examples in the appendix:

https://w3c.github.io/did-core/#example-35-did-document-with-many-different-verification-methods

> I was wondering if there already exists a practical way to do this?

Yes, that is the primary goal of the DID WG, to create this mechanism. So, if
you do anything in schema.org, please align it with what the WG is doing.
Going another direction (like just listing a bunch of keys associated with a
person) will most likely lead to security vulnerabilities that we've long
known about.

There is a body of work (Linked Data Proofs/Signatures) that has been
exploring this space for 8+ years... at a minimum, please align the efforts
with those approaches. In the end, if you choose not to use DID Documents,
then the design pattern becomes this:

{
  "@context": [
    "https://schema.org",
    "https://w3id.org/security/v2"
  ],
  "id": "https://example.com/#me",
  "type": "Person",
  "authentication": {
    "id": "did:example:123#aOEkw",
    "type": "JsonWebKey2020",
    "controller": "https://example.com/#me",
    "publicKeyJwk": {
      "kty": "EC",
      "crv": "P-256",
      "x": "38M1FDts7Oea7urmseiugGW7tWc3mLpJh6rKe7xINZ8",
      "y": "nDQW6XZ7b_u2Sy9slofYLlG03sOEoug3I0aAPQ0exs4"
    }
  }
}

The example above is based on years of WG consensus, please don't deviate from
it... or at least, if you plan to, please let us know what you intend to do so
we can try to talk you out of some of the more dangerous pitfalls in this area. :)

-- manu

-- 
Manu Sporny - https://www.linkedin.com/in/manusporny/
Founder/CEO - Digital Bazaar, Inc.
blog: Veres One Decentralized Identifier Blockchain Launches
https://tinyurl.com/veres-one-launches
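As an added illustration of the point in the message above (not code from the message, the DID WG, or the security vocabulary), the Python below checks a Person document for the pattern Manu describes: every key must hang off a verification relationship whose controller is the Person, rather than sitting directly on the Person. The two sample documents are constructed from the JSON in the message (with its missing comma supplied); the checker is limited to JsonWebKey2020 methods with P-256 keys and performs structural checks only, not curve-point validation. The function names and the exact problem strings are this example's own.

```python
import base64

# Constructed sample: the Person document from the message, with the
# missing comma after "kty" supplied so that it parses.
PERSON_DOC = {
    "@context": ["https://schema.org", "https://w3id.org/security/v2"],
    "id": "https://example.com/#me",
    "type": "Person",
    "authentication": {
        "id": "did:example:123#aOEkw",
        "type": "JsonWebKey2020",
        "controller": "https://example.com/#me",
        "publicKeyJwk": {
            "kty": "EC",
            "crv": "P-256",
            "x": "38M1FDts7Oea7urmseiugGW7tWc3mLpJh6rKe7xINZ8",
            "y": "nDQW6XZ7b_u2Sy9slofYLlG03sOEoug3I0aAPQ0exs4",
        },
    },
}

# Constructed anti-pattern: the same key placed directly on the Person, so
# nothing states what the key may be used for or who controls it.
BARE_KEY_DOC = {
    "@context": ["https://schema.org", "https://w3id.org/security/v2"],
    "id": "https://example.com/#me",
    "type": "Person",
    "publicKeyJwk": PERSON_DOC["authentication"]["publicKeyJwk"],
}


def _b64url_decode(value: str) -> bytes:
    """Decode unpadded base64url as used for JWK coordinates."""
    return base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))


def check_jwk(jwk: dict) -> list:
    """Structural checks for a P-256 EC public JWK; returns a list of problems."""
    problems = []
    if jwk.get("kty") != "EC":
        problems.append("kty is not EC")
    if jwk.get("crv") != "P-256":
        problems.append("crv is not P-256")
    if "d" in jwk:
        problems.append("private parameter 'd' present in a public key")
    for coord in ("x", "y"):
        raw_value = jwk.get(coord)
        if not isinstance(raw_value, str):
            problems.append(f"{coord} missing or not a string")
            continue
        try:
            decoded = _b64url_decode(raw_value)
        except ValueError:  # binascii.Error is a ValueError subclass
            problems.append(f"{coord} is not valid base64url")
            continue
        if len(decoded) != 32:
            problems.append(f"{coord} decodes to {len(decoded)} bytes, expected 32")
    return problems


def check_person_document(doc: dict) -> list:
    """Require keys to be bound to the Person via a verification relationship."""
    problems = []
    subject = doc.get("id")
    if not subject:
        problems.append("document has no 'id' to act as controller")
    # The anti-pattern the message warns about: a key on the Person itself.
    if "publicKeyJwk" in doc:
        problems.append("bare publicKeyJwk on the Person; no verification relationship")
    methods = doc.get("authentication", [])
    if not isinstance(methods, list):
        methods = [methods]
    if not methods:
        problems.append("no authentication relationship declared")
    for method in methods:
        if isinstance(method, str):  # reference into a verificationMethod list
            match = [m for m in doc.get("verificationMethod", []) if m.get("id") == method]
            if not match:
                problems.append(f"{method}: referenced method not found")
                continue
            method = match[0]
        label = method.get("id", "<no id>")
        if method.get("controller") != subject:
            problems.append(f"{label}: controller {method.get('controller')!r} is not the subject {subject!r}")
        if method.get("type") != "JsonWebKey2020":
            problems.append(f"{label}: unsupported type {method.get('type')!r}")
            continue
        jwk = method.get("publicKeyJwk")
        if not isinstance(jwk, dict):
            problems.append(f"{label}: publicKeyJwk missing")
            continue
        problems.extend(f"{label}: {p}" for p in check_jwk(jwk))
    return problems
```

Calling `check_person_document(PERSON_DOC)` returns an empty list, while `check_person_document(BARE_KEY_DOC)` reports both the bare key and the absent authentication relationship; a method whose `controller` names anyone other than the document subject is flagged as well, which is the binding that prevents a key from carrying authority on its own.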

Received on Wednesday, 21 October 2020 13:57:05 UTC