- From: Henry Story <henry.story@gmail.com>
- Date: Fri, 21 May 2021 15:13:31 +0200
- To: Peter F Patel-Schneider <pfpschneider@gmail.com>
- Cc: Eric Prud'hommeaux <eric@w3.org>, Dan Brickley <danbri@danbri.org>, Aidan Hogan <aidhog@gmail.com>, semantic-web <semantic-web@w3.org>, Antoine Zimmermann <antoine.zimmermann@emse.fr>
- Message-Id: <F63A5AC4-4039-4799-BACC-E3E9714DC77A@gmail.com>
> On 21. May 2021, at 14:21, Peter Patel-Schneider <pfpschneider@gmail.com> wrote:
>
> On Fri, 2021-05-21 at 13:48 +0200, Eric Prud'hommeaux wrote:
>> On Fri, May 21, 2021 at 07:01:02AM -0400, Peter Patel-Schneider wrote:
>>> On Fri, 2021-05-21 at 09:20 +0100, Dan Brickley wrote:
>>>>
>>>> On Fri, 21 May 2021 at 00:34, Peter Patel-Schneider <pfpschneider@gmail.com> wrote:
>>>>> On Thu, 2021-05-20 at 18:58 -0400, Aidan Hogan wrote:
>>>>>> [...]
>>>>>>
>>>>>> RDF Dataset canonicalisation has indeed undergone review by trained
>>>>>> mathematicians as mentioned before, but to the best of my knowledge, the
>>>>>> people involved (those findable from the explainer) are not security or
>>>>>> cryptography experts. Which security and cryptography engineers have
>>>>>> reviewed which parts? It would be good to see input from such experts
>>>>>> regarding (2) and particularly (3).
>>>>>>
>>>>>
>>>>> Indeed. As far as I know [3], i.e., the idea of augmenting graphs
>>>>> while signing and removing the augmentations while verifying isn't a
>>>>> standard part of security and cryptography. Which experts have signed
>>>>> off on this?
>>>>>
>>>>
>>>> On this detail, does it recurse reliably?
>>>>
>>>> If Ale writes some RDF, Brin signs it to assure basic integrity of the
>>>> communication, publishes the result, and then a couple days later Cary
>>>> signs it to indicate institutional endorsement of the original claims,
>>>> etc. Are there any cases where manipulating an additional signing could
>>>> mess with embedded earlier signings, to malicious ends?
>>>>
>>>> Dan
>>>
>>> Indeed, my reading of
>>> https://w3c-ccg.github.io/ld-proofs/#algorithms
>>> leads me to believe that recursively signed graphs cannot be verified.
>>>
>>> I think the intent of recursive signing is slightly different than your
>>> gloss - the second signer is not signing the original graph but is
>>> signing the signed graph, perhaps to lend their approval of the first
>>> signing.
>>>
>>> Ale writes G.
>>> Brin signs G and adds its own proof triples, resulting in G'.
>>> Cary takes G', removes the proof triples in it to get G, and uses
>>> Brin's proof triples to verify that Brin signed G.
>>> Cary takes G' and adds its own proof triples, resulting in G''.
>>> Dave takes G'', removes the proof triples in G'' to get G, and tries to
>>> use Cary's proof triples to verify that Cary signed G.
>>> But Cary did not sign G so the verification fails!
>>>
>>> I believe that the described process for manipulation of the graph
>>> permits an opponent to inject unsigned content into signed graphs and
>>> still have the verification succeed.
>>
>> Of course, this is just a limitation of how you can sign graph.
>> Nothing prevents you from creating a second graph which references
>> the first, and signing that second graph, etc. I can sign your
>> signature; I just can't sign it in the same document as your
>> signature.
>
> Signing remote objects has its own problems, as far as I can tell.
> What happens if the remote object is modified? What happens if the
> remote object is reverted to an earlier version? You might be able to
> include a signing of the remote object, but that's not part of the
> current algorithms as far as I can tell.
>
> You could sign named graphs in the same dataset, of course, and I think
> that that would work reasonably well (as it is quite similar to signing
> parts of an email message), except that I think you again run into
> problems when you want to do recursive signing because RDF datasets
> don't have named datasets. But, again, this isn't part of the
> algorithm in Linked Data Proofs 1.0.

Actually this is a really interesting point, I have been wondering about for some time.
Do RDF DataSets not allow DataSets to contain DataSets? That would seem like a pretty useful thing to allow. It seems to me that N3 allows that, and does not SPARQL too? That would be quite unsatisfactory especially as nothing stops one creating a datatype for RDF Graphs as argued by Antoine Zimmermann recently
https://lists.w3.org/Archives/Public/semantic-web/2021May/0052.html
which would allow one to have graphs within graphs.

> So I'm waiting for some security expert sign-off on the entirety of the
> proof algorithms in Linked Data Proofs 1.0, and also for an open-source
> reference implementation of the algorithms. I don't think that the WG
> should start until both of these have been made available.
>
> peter
Received on Friday, 21 May 2021 13:14:47 UTC
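
The Ale/Brin/Cary/Dave sequence from the quoted message, as a small added model (not part of the original thread and not the Linked Data Proofs algorithm itself). It follows the reading given there: a signer signs the graph as received, and a verifier strips every proof triple before checking. HMAC with constructed keys stands in for a real digital signature, and the `ex:` names are constructed.

```python
import hashlib
import hmac

PROOF = "ex:proof"  # constructed predicate marking a proof triple

# Constructed per-signer keys; HMAC stands in for a real digital signature.
KEYS = {"Brin": b"brin-demo-key", "Cary": b"cary-demo-key"}


def strip_proofs(graph):
    """Remove every proof triple, as the verifier in the quoted reading does."""
    return frozenset(t for t in graph if t[1] != PROOF)


def digest(graph):
    """Hash a blank-node-free graph; sorting the triples is canonical enough here."""
    data = "\n".join(" ".join(t) for t in sorted(graph)).encode()
    return hashlib.sha256(data).digest()


def tag(signer, graph):
    """Signature stand-in: keyed MAC over the graph digest."""
    return hmac.new(KEYS[signer], digest(graph), hashlib.sha256).hexdigest()


def sign(graph, signer):
    """Sign the graph as received and add the signer's proof triple to it."""
    return frozenset(graph | {(signer, PROOF, tag(signer, graph))})


def verify(graph, signer):
    """Strip all proof triples, then check the signer's proof against the rest."""
    base = strip_proofs(graph)
    proofs = [o for s, p, o in graph if s == signer and p == PROOF]
    return any(hmac.compare_digest(o, tag(signer, base)) for o in proofs)


def scenario():
    g = frozenset({("ex:ale", "ex:claims", "ex:statement1")})  # Ale writes G
    g1 = sign(g, "Brin")   # G'  = G  + Brin's proof
    g2 = sign(g1, "Cary")  # G'' = G' + Cary's proof
    return {
        "cary_checks_brin_on_G1": verify(g1, "Brin"),
        "dave_checks_brin_on_G2": verify(g2, "Brin"),
        "dave_checks_cary_on_G2": verify(g2, "Cary"),
        # Cary's tag is valid only over G', which the stripping step never rebuilds.
        "cary_tag_matches_G1": any(
            o == tag("Cary", g1) for s, p, o in g2 if s == "Cary" and p == PROOF),
    }
```

In this model Brin's proof verifies on both G' and G'', while Cary's proof fails on G'' even though it is a valid tag over G': the verifier reconstructs G, not the graph Cary signed.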