- From: Peter F. Patel-Schneider <pfpschneider@gmail.com>
- Date: Thu, 13 May 2021 10:15:50 -0400
- To: Manu Sporny <msporny@digitalbazaar.com>, Ivan Herman <ivan@w3.org>
- Cc: semantic-web <semantic-web@w3.org>
On 5/13/21 9:31 AM, Manu Sporny wrote: > On 5/13/21 7:32 AM, Peter F. Patel-Schneider wrote: >> I strongly suggest that you get a computer security expert to look through >> the current version of the documents mentioned in the charter. At this >> point I think this review should be required even if the charter is revised >> to no longer point to these documents. > As an Editor of the proposed input documents, I'll be the first to admit that > they could be in much better shape. Yes, the documents are trailing the > implementations and need quite a bit of editorial clean up to be improved. > > That said, the most important aspects of these documents have undergone > multiple reviews over the past several years by trained mathematicians > analysing the formal proofs as well as security and cryptography engineers, as > stated in the explainer: > > https://w3c.github.io/lds-wg-charter/explainer.html#generalProblem > > These specifications have implementations (starting as of 8+ years ago) and > have been through multiple interoperability plugfests. > > Multiple vendors that have done implementations are also undergoing analysis > via SRI, NIST, DHS, and other US and European Federal Government agencies (so > far, so good). > > To be clear, we're not done and the more eyes the better. However, none of us > should be under the impression that these technologies haven't had some level > of security expert review. > > There is no expectation that input documents are frozen in time and can't be > improved once the WG is under way... > > -- manu > My understanding is that each and every aspect of a proposal involving security is important, down to the smallest details. So it isn't just that parts of the methods described in https://w3c-ccg.github.io/ld-proofs/ are considered to be secure, each and every part of the methods have to have been shown to be secure. It is the case that the entirely of the methods in https://w3c-ccg.github.io/ld-proofs/ have been shown to be secure? Where are the implementations of the methods in https://w3c-ccg.github.io/ld-proofs/? I'm willing to test them out. In particular I'm looking for implementations that take a document encoding an RDF dataset and produce a document signing the dataset and implementations that take a document encoding a signed RDF dataset and verify the signing. I'll also need implementations that can encode RDF datasets into documents that are accepted by the signing implementations and implementations that can decode documents into RDF datasets. peter
Received on Thursday, 13 May 2021 14:17:05 UTC