Re: RSA/DSA Public Keys and Payments from Manu Sporny on 2013-03-22 (public-webpayments@w3.org from March 2013)

From: Manu Sporny <msporny@digitalbazaar.com>
Date: Fri, 22 Mar 2013 10:31:29 -0400
To: Web Payments <public-webpayments@w3.org>
Message-ID: <514C6B41.9060006@digitalbazaar.com>

On 03/22/2013 09:04 AM, Melvin Carvalho wrote:
> I've noticed that both payswarm and webid seem to be RSA public key 
> oriented.

PaySwarm is PKI oriented, not particularly tied to RSA. It is true that
the current implementation uses RSA w/ SHA256, but that can be swapped
out at any point (as long as both the sender and receiver can agree on a
different encryption mechanism). The spec is the document that states
which encryption/cipher schemes must be supported. At the moment it's
RSA-SHA256 and AES-128-CBC.

> I've put in a patch to the webid ontology so that we can model both 
> DSA and RSA keys

I've always thought that directly expressing the key parameters was a
weakness of WebID. We lobbied in the early days to just use PEM
notation. While the WebID/RSA model is more explicit, it makes
implementers have to do more work than is necessary. It also
unnecessarily ties WebID to a particular crypto implementation.

> Is this already built in to web keys via the PEM notation, or is it 
> something that might be added?

You're right. ECDSA can already be implemented in Web Keys because we
use PEM notation. PEM keys are also easier to copy/transport because
they're opaque blobs of information that can be copy/pasted. For
example, if I asked you to copy the key on this page to some other page:

https://dev.payswarm.com/i/manu/keys/4

... you don't need to know anything about cryptography to understand
where you should probably start copying, and where you should stop.
Couple that with just about every popular crypto library supporting
PEM/ASN.1 for key input/output and there is really no compelling reason
to encode the parameters at a finer granularity in a web page.

Short answer: Yes, PaySwarm and Web Keys can support ECDSA (and can
support any future PEM-based format without requiring a change to the
Web Keys or PaySwarm specs).

Note: There are a number of active patents around ECDSA, which is why we
steered clear of it.

-- manu

-- 
Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny)
President/CEO - Digital Bazaar, Inc.
blog: Aaron Swartz, PaySwarm, and Academic Journals
http://manu.sporny.org/2013/payswarm-journals/

Received on Friday, 22 March 2013 14:31:57 UTC