Re: RDF graph serialization as bytes: A solved problem? from David Booth on 2020-08-31 (semantic-web@w3.org from August 2020)

From: David Booth <david@dbooth.org>
Date: Mon, 31 Aug 2020 18:14:50 -0400
To: semantic-web@w3.org
Cc: Linking Open Data <public-lod@w3.org>
Message-ID: <53d0e9f4-d00c-7830-5f60-cb215535a07b@dbooth.org>

On 8/31/20 4:13 PM, Harry Halpin wrote:
> I am reading the W3C Verified Credentials Data Model, and I'm noticing 
> there's not a W3C Verified Credentials Syntax 
> (https://www.w3.org/TR/vc-data-model/#syntaxes). Instead, there is JSON 
> and JWT, JSON-LD, perhaps with LD Proofs. The obvious problem is that 
> you cannot specify a cryptographic signature scheme unless you have a 
> concrete bytestring you are signing (you usually have to hash the 
> message to sign). So, its quite unclear what it means to "sign" a graph 
> unless you have a single version of the graph as *bytes*.

The lack of a standard graph (or dataset) canonicalization for RDF is 
recorded as issue #26, and remains an unsolved problem:
https://github.com/w3c/EasierRDF/issues/26

> There's a Community Specification called "RDF Dataset Normalization":
> 
> http://json-ld.github.io/normalization/spec/

AFAIK that is the closest we have come toward reaching a standard for 
this, and I'm grateful that the JSON-LD group got as far as they did 
with it.  However, it does have one very significant gap that I believe 
is important to address: it is focused only on the digital signatures 
use case.  The algorithm needs improvement to better address the diff 
use case, in which small, localized graph changes should result in 
small, localized differences in the canonicalized graph.  Aidan Hogan 
has done a lot of work on blank nodes and canonicalization that could 
probably help.  Here is one of his papers:
http://aidanhogan.com/docs/rdf-canonicalisation.pdf

David Booth

> 
> However, it does not actually specify a syntax, just a graph 
> normalization algorithm (which is unclear if it actually works, usually 
> you need proofs for these sorts of things).
> 
> Second, there is Linked Data Proofs, which also does not actually seem 
> to feature a way to convert arbitrary linked data graphs to bytes and is 
> also not normative.
> 
> https://w3c-ccg.github.io/ld-proofs/
> 
> Perhaps this is just a solved problem, but given that the usage of 
> signatures in Verified Credentials requires getting this right (see the 
> various attacks on XML DSIG), I'd like to know if 1) there is a 
> normative normalization to bytes of RDF graphs and 2) If it has some 
> proofs or real interoperability, not just a JS library.
> 
>     thanks,
>         harry
> 
> 
> 
>

Received on Monday, 31 August 2020 22:24:24 UTC