Re: Chartering work has started for a Linked Data Signature Working Group @W3C

On Fri, 4 Jun 2021 at 21:08, Manu Sporny <msporny@digitalbazaar.com> wrote:

> On 6/4/21 12:44 PM, Dan Brickley wrote:
> > If an attacker switched the context for just the right second or two
>
> In a properly implemented system, there is no "if the attacker switches
> the context for just the right second or two".
>
> If this attack works on your system, you have an insecure system. Full stop.
> This is a known attack vector and there are known attack mitigations
> against it.
>
> To draw an analogy, this is like saying: "If you decide to not use a nonce
> in your digital signature, an attack can perform a replay attack against
> you."
>
> Well, yes... they can... and nonces prevent that, so... use nonces.
>
> > there may be gullible workflows in which they could get nasty triples
> > parsed and signed, without other care being taken. It seems an avoidable
> > class of cornercases to have to work around.
>
> These aren't corner cases... being gullible will almost guarantee attack
> vectors. This is what the security considerations section is for, even if
> we take JSON-LD out of the mix... what about if you're gullible and blindly
> concatenate TURTLE documents together and someone resets @base? What if you
> don't set the base URL?
>
> These are security considerations and the group will have to entertain
> them in *any* RDF serialization.
>
> I appreciate that you're trying to reduce scope, but removing JSON-LD from
> the list of serializations and expecting that it buys us a significant
> amount of saved time feels misguided.
>
> Unless I'm misunderstanding what you're suggesting.
>
> You are suggesting that we take JSON-LD out of scope, right?
>

I am suggesting that if you want to persuade w3c to charter the work you
want, either

1) make it a Verifiable Credentials with Signatures WG since the focus is
clearly VC oriented, driven, etc and continue with json-ld centre stage -

Or

2) if pursuing the idea that this is w3c’s approach to signing RDF in
general, stick a less complicated rdf syntax as the central focus.

The bnode labelling work items could be really handy in lots of rdf
situations - without even needing signatures.

Why not just call it a VC thing and be done? If it works for other use cases
too that’s awesome and a foundation to build on.




> -- manu
>
> --
> Manu Sporny - https://www.linkedin.com/in/manusporny/
> Founder/CEO - Digital Bazaar, Inc.
> blog: Veres One Decentralized Identifier Blockchain Launches
> https://tinyurl.com/veres-one-launches
>
>
>

Received on Friday, 4 June 2021 20:25:19 UTC