Re: Chartering work has started for a Linked Data Signature Working Group @W3C

I would be fine with any faculty member at a decent university whose
speciality is crypographic computer security saying that the algorithms
in https://w3c-ccg.github.io/ld-proofs/#algorithms are secure assuming
that the canonicalization algorithm works as stated.  Even better would
be that person also stating that the RDF dataset normalization
algorithm doesn't introduce any problems when used as a
canonicalization algorithm.



Linked Data Proofs 1.0 - https://w3c-ccg.github.io/ld-proofs/ - has
several parts: canonicalization, signing, and embedding.  It has no
pointers to implementations of the entire method.

https://github.com/digitalbazaar/vc-js talks about verifiable
credentials and verifiable presentations.  It's unclear what the
relationship between these and linked data proofs is.  I'm looking for
commands that have the same inputs and outputs as the algorithms in
https://w3c-ccg.github.io/ld-proofs/#algorithms

https://github.com/spruceid/didkit has a set of commands, in
https://github.com/spruceid/didkit/tree/main/cli
It does reference Linked Data Proofs 1.0.
Its didkit vc-issue-credential command looks close to what is required,
but I don't see a complete correspondence.

https://github.com/danubetech/verifiable-credentials-java links to some
examples that look close to what is required, but I don't see something
that looks like Example 6 of Linked Data Proofs 1.0.


What I would like to see is some code and associated documentation that
says something like:

To sign a document that encodes an RDF dataset as in
https://w3c-ccg.github.io/ld-proofs/#proof-algorithm run
FOO document options key
where document is the name of a file containing a document that encodes
an RDF dataset, key is an X private key, and options contains a W key-
pair identifier with key as private key and a current date in UTC.
This will canonicalize the document using Y and sign the result using X
with key in such a way that any document encoding an RDF dataset
isomorphic to the one in the original document will have the same
signature.
A signed document will be output on standard output.  

And similarly for the verification algorithm.

I didn't recognize this anywhere I looked.


peter



On Fri, 2021-05-21 at 10:23 -0400, Manu Sporny wrote:
> Peter Patel-Schneider wrote:
> > So I'm waiting for some security expert sign-off on the entirety of
> > the 
> > proof algorithms in Linked Data Proofs 1.0, and also for an open-
> > source 
> > reference implementation of the algorithms.   I don't think that the
> > WG 
> > should start until both of these have been made available.
> 
> Multiple open source reference implementations, a corresponding test
> suite,
> and higher-level Verifiable Credential libraries that used the RDF
> Dataset
> Canonicalization algorithms were provided to you here (over a week
> ago):
> 
> https://lists.w3.org/Archives/Public/semantic-web/2021May/0126.html
> 
> As for your request for "security expert sign-off" -- please mention
> who,
> specifically, that you would like to sign off on the implemented
> algorithms.
> Or at least, provide an extensive and complete list of qualifications
> you'd
> like to see for the "security expert". The people that have reviewed
> the work
> to date over the last 8+ years don't seem to be meeting your nebulous
> set of
> qualifications and I expect you will have to be far more precise
> regarding
> your "security expert" definition.
> 
> This sort of "expert review" (which has been done to the degree that
> has
> already been documented) is also one of the reasons we convene W3C
> Working
> Groups... so demanding it all happen before a group is created tends to
> defeat
> one of the reasons for creating the group in the first place.
> 
> -- manu
> 

Received on Friday, 21 May 2021 20:42:01 UTC