Re: Chartering work has started for a Linked Data Signature Working Group @W3C

> I'm just keeping one of the attacks here - the one I feel is most 
> important.

I presume you're dropping the others because it was shown why they are not
successful attacks.

>> Invalid. If the RDF Dataset is not what the producer signed, the 
>> signature fails verification.
>> 
> Not so.  The validation succeeds because it sees the RDF dataset the 
> producer signed.  The consumer sees a different dataset because the third 
> party changes the remote context between the time the verification is done 
> and the time that the consumer extracts the dataset from the document.

Invalid. There are two protections in place that prevent the above from happening:

1. Any "remote context" that could suffer such an attack
   must always be loaded from a vetted local storage
   location.

2. The RDF Dataset is only ever extracted from a verified
   result, which is static and cannot change.

> One reason I want an implementation of the algorithms as commands is to 
> show exactly how this attack works against the algorithms.

What you want is an implementation that has neither of the two protections
listed above. I don't think anyone wants to provide that implementation to you
because it would be knowingly implementing a piece of software with two
security flaws in it.

Writing cryptographic software with known flaws crosses certain ethical
boundaries that at least I am unwilling to cross.

Now, if you can find an attack that actually works against the existing
software I'm sure the implementers will fall over themselves to fix the flaw.
To date, no such flaw has been surfaced by you; but I urge you to keep trying.

-- manu

-- 
Manu Sporny - https://www.linkedin.com/in/manusporny/
Founder/CEO - Digital Bazaar, Inc.
blog: Veres One Decentralized Identifier Blockchain Launches
https://tinyurl.com/veres-one-launches

Received on Tuesday, 8 June 2021 18:17:30 UTC
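
The two protections listed in the message above, sketched as an added example that is not code from this thread or from any implementation it refers to. The context URL, the function names, and the toy `toStatements` stand-in for JSON-LD expansion and canonicalization are all hypothetical, and an HMAC stands in for the signature suite so the example runs offline.

```javascript
'use strict';
const crypto = require('crypto');

const has = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

// Protection 1: contexts come only from a vetted local store (constructed sample).
const VETTED_CONTEXTS = Object.freeze({
  'https://example.org/ctx/v1': '{"@context":{"name":"https://example.org/vocab#name"}}'
});

function loadContext(url) {
  if (!has(VETTED_CONTEXTS, url)) throw new Error(`context not vetted: ${url}`);
  return JSON.parse(VETTED_CONTEXTS[url])['@context']; // no network fetch
}

// Toy stand-in for JSON-LD expansion plus canonicalization: term -> IRI, sorted.
function toStatements(doc) {
  const ctx = loadContext(doc['@context']);
  const terms = Object.keys(doc).filter((k) => k !== '@context' && k !== 'proof');
  return terms.map((k) => {
    if (!has(ctx, k)) throw new Error(`term not defined by context: ${k}`);
    return `<${ctx[k]}> ${JSON.stringify(doc[k])}`;
  }).sort();
}

// HMAC stands in for the signature suite (assumption made for this example).
function mac(statements, key) {
  return crypto.createHmac('sha256', key).update(statements.join('\n')).digest();
}

function sign(doc, key) {
  return { ...doc, proof: mac(toStatements(doc), key).toString('hex') };
}

// Protection 2: return the exact statements that were checked, frozen, so the
// consumer reads them instead of re-processing the document later.
function verify(doc, key) {
  const statements = Object.freeze(toStatements(doc));
  const claimed = Buffer.from(String(doc.proof || ''), 'hex');
  const expected = mac(statements, key);
  const ok = claimed.length === expected.length &&
    crypto.timingSafeEqual(claimed, expected);
  return Object.freeze({ verified: ok, statements: ok ? statements : null });
}
```

A consumer takes its data from `verify(...).statements` and never re-derives it from the document after the check.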