Re: Chartering work has started for a Linked Data Signature Working Group @W3C from Peter Patel-Schneider on 2021-05-21 (semantic-web@w3.org from May 2021)

From: Peter Patel-Schneider <pfpschneider@gmail.com>
Date: Fri, 21 May 2021 07:01:02 -0400
To: Dan Brickley <danbri@danbri.org>
Cc: Aidan Hogan <aidhog@gmail.com>, semantic-web@w3.org
Message-ID: <e0242e581b442e0b1790a40efbae6120ae509d42.camel@gmail.com>

On Fri, 2021-05-21 at 09:20 +0100, Dan Brickley wrote:
> 
> 
> On Fri, 21 May 2021 at 00:34, Peter Patel-Schneider <
> pfpschneider@gmail.com> wrote:
> > On Thu, 2021-05-20 at 18:58 -0400, Aidan Hogan wrote:
> > > [...]
> > > 
> > > RDF Dataset canonicalisation has indeed undergone review by trained
> > > mathematicians as mentioned before, but to the best of my
> > knowledge,
> > > the 
> > > people involved (those findable from the explainer) are not
> > security
> > > or 
> > > cryptography experts. Which security and cryptography engineers
> > have 
> > > reviewed which parts? It would be good to see input from such
> > experts
> > > regarding (2) and particularly (3).
> > > 
> > 
> > Indeed.  As far as I know [3], i.e., the idea of augmenting graphs
> > while signing and removing the augmentations while verifying isn't a
> > standard part of security and cryptography.   Which experts have
> > signed
> > off on this?
> > 
> 
> 
> On this detail, does it recurse reliably? 
> 
> If Ale writes some RDF, Brin signs it to assure basic integrity of the
> communication, publishes the result, and then a couple days later Cary
> signs it to indicate institutional endorsement of the original claims,
> etc. Are there any cases where manipulating an additional signing could
> mess with embedded earlier signings, to malicious ends?
> 
> Dan

Indeed, my reading of https://w3c-ccg.github.io/ld-proofs/#algorithms
leads me to believe that recursively signed graphs cannot be verified.
I think the intent of recursive signing is slightly different than your
gloss - the second signer is not signing the original graph but is
signing the signed graph, perhaps to lend their approval of the first
signing.

Ale writes G.
Brin signs G and adds its own proof triples, resulting in G'.
Cary takes G', removes the proof triples in it to get G, and uses
Brin's proof triples to verify that Brin signed G.
Cary takes G' and adds its own proof triples, resulting in G''.
Dave takes G'', removes the proof triples in G'' to get G, and tries to
use Cary's proof triples to verify that Cary signed G.  
But Cary did not sign G so the verification fails!

I believe that the described process for manipulation of the graph
permits an opponent to inject unsigned content into signed graphs and
still have the verification succeed.

peter

Received on Friday, 21 May 2021 11:01:17 UTC