W3C home > Mailing lists > Public > semantic-web@w3.org > June 2021

Re: Chartering work has started for a Linked Data Signature Working Group @W3C

From: Manu Sporny <msporny@digitalbazaar.com>
Date: Fri, 4 Jun 2021 16:05:37 -0400
To: semantic-web@w3.org
Message-ID: <8a867ec8-813d-69c6-a278-6239f95fa500@digitalbazaar.com>
On 6/4/21 12:44 PM, Dan Brickley wrote:
> If an attacker switched the context for just the right second or two

In a properly implemented system, there is no "if the attacker switch the
context for just the right second or two".

If this attack works on your system, you have an insecure system. Full stop.
This is a known attack vector and there are known attack mitigations against it.

To draw an analogy, this is like saying: "If you decide to not use a nonce in
your digital signature, an attack can perform a replay attack against you."

Well, yes... they can... and nonces prevent that, so... use nonces.

> there may be gullible workflows in which they could get nasty triples 
> parsed and signed, without other care being taken. It seems an avoidable 
> class of cornercases to have to work around.

These aren't corner cases... being gullible will almost guarantee attack
vectors. This is what the security considerations section is for, even if we
take JSON-LD out of the mix... what about if you're gullible and blindly
concatenate TURTLE documents together and someone resets @base? What if you
don't set the base URL?

These are security considerations and the group will have to entertain them in
*any* RDF serialization.

I appreciate that you're trying to reduce scope, but removing JSON-LD from the
list of serializations and expecting that it buys us a significant amount of
saved time feels misguided.

Unless I'm misunderstanding what you're suggesting.

You are suggesting that we take JSON-LD out of scope, right?

-- manu

-- 
Manu Sporny - https://www.linkedin.com/in/manusporny/
Founder/CEO - Digital Bazaar, Inc.
blog: Veres One Decentralized Identifier Blockchain Launches
https://tinyurl.com/veres-one-launches
Received on Friday, 4 June 2021 20:06:22 UTC

This archive was generated by hypermail 2.4.0 : Tuesday, 5 July 2022 08:46:08 UTC