Digital Signatures on the Social Web

Recently a thread from the Credentials Community Group found its way
over to this mailing list. I wanted to take a bit of time to provide
some background for that thread. Here's the TL;DR of this years-long thread:

RDF (and JSON-LD) currently don't have a standardized normalization
algorithm. Normalization is required for digitally signing JSON-LD data.
There is building support to put the RDF Graph Normalization spec[1] on
the REC track at W3C. There is also a Linked Data friendly digital
signature and Web PKI mechanism called Secure Messaging[2] that
integrates nicely into systems that use Linked Data (and JSON-LD). Both
technologies currently reside in Community Groups.

The Web Payments CG and Credentials CG have been developing this stack
of specifications because we found JOSE to be a bad fit for JSON-LD
digitally signed messages for a variety of reasons[3].

What the Social Web WG needs to know:

1. The RDF Graph Normalization stuff is most likely going to happen.
2. The Secure Messaging stuff will happen if there is enough support
   for a Linked Data friendly way of expressing digital signatures on
   the Web.
3. This stack was designed specifically for the sorts of systems that
   the Social Web WG is building.

At some point this group is going to have to enable cryptographically
verifiable messages where you can both identify the authenticity of the
sender and the authenticity of the message. These are the sorts of
requirements that the Credentials CG and the Web Payments CG have had
for years. The Social Web WG could re-use a great deal of the work we've
done, or at the very least, learn from the many frustrations we faced in
the beginning while working with OAuth 1/2, OpenID Connect, and JOSE.

I don't think addressing any of this is in your current charter, but
Harry's emails seemed to indicate that JOSE has already been preordained
as the "correct" solution and I wanted to make sure that this group knew
that there are other groups out there that strongly challenge the notion
that the use of JOSE is a safe bet for JSON-LD.

-- manu

[1] http://json-ld.org/spec/latest/rdf-graph-normalization/
[2] https://web-payments.org/specs/source/secure-messaging/
[3] http://manu.sporny.org/2013/sm-vs-jose/

-- 
Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny)
Founder/CEO - Digital Bazaar, Inc.
blog: The Marathonic Dawn of Web Payments
http://manu.sporny.org/2014/dawn-of-web-payments/

Received on Friday, 21 November 2014 02:50:46 UTC
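To make the first point of the TL;DR concrete (normalization is a precondition for signing JSON-LD), here is an added, stand-alone Python example. It is not code from the post above, from the RDF Graph Normalization spec, or from Secure Messaging; it implements a deliberately tiny JSON-LD subset (one flat node object, string literals, {"@id": ...} references, a @context that maps terms to full IRIs, and no blank nodes), so the canonical form reduces to sorted, deduplicated N-Triples lines. The sample documents are constructed, and an HMAC stands in for the asymmetric signature a real deployment would use. What it shows: two byte-different serializations of the same graph hash differently as raw JSON, hash identically after normalization, and a signature over the canonical form verifies on the re-serialized copy while still rejecting a tampered one.

```python
"""Why signing JSON-LD needs graph normalization (illustrative, stdlib only).

Assumptions (not from the post or the specs it cites): a tiny JSON-LD subset
with a single flat node object, string literals, {"@id": ...} references and
a @context that maps terms to full IRIs.  No blank nodes, so the canonical
serialization is just the code-point-sorted N-Triples lines.  Real RDF
normalization must additionally label blank nodes deterministically, which
is the hard part and is skipped here.
"""
import hashlib
import hmac
import json

KEYWORDS = {"@context", "@id"}


def expand_to_triples(doc):
    """Return the set of (subject, predicate, object) triples in a flat node
    object.  Objects are tagged tuples: ("iri", value) or ("lit", value)."""
    context = doc.get("@context", {})
    subject = doc["@id"]
    triples = set()
    for key, value in doc.items():
        if key in KEYWORDS:
            continue
        predicate = context.get(key, key)  # term -> IRI, or already a full IRI
        values = value if isinstance(value, list) else [value]
        for v in values:
            if isinstance(v, dict) and "@id" in v:
                triples.add((subject, predicate, ("iri", v["@id"])))
            else:
                triples.add((subject, predicate, ("lit", str(v))))
    return triples


def canonical_ntriples(doc):
    """Serialize every triple as an N-Triples line and sort the lines by code
    point; without blank nodes that is the canonical form of the graph."""
    lines = set()
    for s, p, (kind, o) in expand_to_triples(doc):
        obj = f"<{o}>" if kind == "iri" else json.dumps(o)  # json.dumps quotes/escapes the literal
        lines.add(f"<{s}> <{p}> {obj} .")
    return "\n".join(sorted(lines)) + "\n"


def naive_digest(doc):
    """Hash of the raw serialization, i.e. what you get by signing the JSON bytes."""
    return hashlib.sha256(json.dumps(doc).encode()).hexdigest()


def canonical_digest(doc):
    """Hash of the normalized graph, independent of key order or @context choice."""
    return hashlib.sha256(canonical_ntriples(doc).encode()).hexdigest()


def sign(doc, key):
    """HMAC over the canonical digest.  Stand-in for an asymmetric signature;
    the point being demonstrated is what gets signed, not the primitive."""
    return hmac.new(key, canonical_digest(doc).encode(), "sha256").hexdigest()


def verify(doc, key, signature):
    return hmac.compare_digest(sign(doc, key), signature)


# Constructed sample documents.  DOC_A and DOC_B express the same graph with
# different key order and a different @context; DOC_TAMPERED changes a value.
DOC_A = {
    "@context": {"name": "http://schema.org/name", "knows": "http://schema.org/knows"},
    "@id": "https://example.com/alice",
    "name": "Alice",
    "knows": {"@id": "https://example.com/bob"},
}
DOC_B = {
    "@id": "https://example.com/alice",
    "http://schema.org/knows": {"@id": "https://example.com/bob"},
    "http://schema.org/name": "Alice",
}
DOC_TAMPERED = dict(DOC_B, **{"http://schema.org/name": "Mallory"})
KEY = b"constructed-demo-key"  # stand-in for the signer's private key

if __name__ == "__main__":
    print("raw hashes equal:      ", naive_digest(DOC_A) == naive_digest(DOC_B))
    print("canonical hashes equal:", canonical_digest(DOC_A) == canonical_digest(DOC_B))
    sig = sign(DOC_A, KEY)
    print("signature on A verifies on B:       ", verify(DOC_B, KEY, sig))
    print("signature on A verifies on tampered:", verify(DOC_TAMPERED, KEY, sig))
    print(canonical_ntriples(DOC_A))
```

The interesting failure mode is the first line of output: a consumer that re-compacts or re-orders a JSON-LD document before forwarding it (which Linked Data tooling does routinely) breaks a signature over raw bytes even though the data is untouched, which is exactly why a normalization algorithm has to be standardized before signatures over the graph can be interoperable.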