W3C home > Mailing lists > Public > semantic-web@w3.org > May 2021

Re: Chartering work has started for a Linked Data Signature Working Group @W3C

From: Peter F. Patel-Schneider <pfpschneider@gmail.com>
Date: Thu, 13 May 2021 10:15:50 -0400
To: Manu Sporny <msporny@digitalbazaar.com>, Ivan Herman <ivan@w3.org>
Cc: semantic-web <semantic-web@w3.org>
Message-ID: <d7368606-9c6b-ebe8-8cba-2f5d66fc07e6@gmail.com>
On 5/13/21 9:31 AM, Manu Sporny wrote:

> On 5/13/21 7:32 AM, Peter F. Patel-Schneider wrote:
>> I strongly suggest that you get a computer security expert to look through
>> the current version of the documents mentioned in the charter.  At this
>> point I think this review should be required even if the charter is revised
>> to no longer point to these documents.
> As an Editor of the proposed input documents, I'll be the first to admit that
> they could be in much better shape. Yes, the documents are trailing the
> implementations and need quite a bit of editorial clean up to be improved.
>
> That said, the most important aspects of these documents have undergone
> multiple reviews over the past several years by trained mathematicians
> analysing the formal proofs as well as security and cryptography engineers, as
> stated in the explainer:
>
> https://w3c.github.io/lds-wg-charter/explainer.html#generalProblem
>
> These specifications have implementations (starting as of 8+ years ago) and
> have been through multiple interoperability plugfests.
>
> Multiple vendors that have done implementations are also undergoing analysis
> via SRI, NIST, DHS, and other US and European Federal Government agencies (so
> far, so good).
>
> To be clear, we're not done and the more eyes the better. However, none of us
> should be under the impression that these technologies haven't had some level
> of security expert review.
>
> There is no expectation that input documents are frozen in time and can't be
> improved once the WG is under way...
>
> -- manu
>

My understanding is that each and every aspect of a proposal involving 
security is important, down to the smallest details.  So it isn't just that 
parts of the methods described in https://w3c-ccg.github.io/ld-proofs/ are 
considered to be secure, each and every part of the methods have to have been 
shown to be secure.   It is the case that the entirely of the methods in 
https://w3c-ccg.github.io/ld-proofs/ have been shown to be secure?


Where are the implementations of the methods in 
https://w3c-ccg.github.io/ld-proofs/? I'm willing to test them out.  In 
particular I'm looking for implementations that take a document encoding an 
RDF dataset and produce a document signing the dataset and implementations 
that take a document encoding a signed RDF dataset and verify the signing.  
I'll also need implementations that can encode RDF datasets into documents 
that are accepted by the signing implementations and implementations that can 
decode documents into RDF datasets.


peter
Received on Thursday, 13 May 2021 14:17:05 UTC

This archive was generated by hypermail 2.4.0 : Thursday, 13 May 2021 14:17:07 UTC