Re: Chartering work has started for a Linked Data Signature Working Group @W3C from Ivan Herman on 2021-05-22 (semantic-web@w3.org from May 2021)

From: Ivan Herman <ivan@w3.org>
Date: Sat, 22 May 2021 12:43:35 +0200
To: "Peter F. Patel-Schneider" <pfpschneider@gmail.com>
Cc: Manu Sporny <msporny@digitalbazaar.com>, semantic-web@w3.org
Message-Id: <2744D796-B6FE-49E2-9541-2A10FB45EA45@w3.org>
Peter,

I agree that these are issues to handle/settle in a final specification. And I let Manu reply to the specifics.

However, I would regard these to be done during the life time of the Working Group, if it gets approved; after all, making sure of these required quality checks are one of the strong points of the W3C Process. The Linked Data Proof draft specification is not even the FPWD of the WG's deliverables, it is just a referenced document.

Thanks

Ivan

> On 21 May 2021, at 22:40, Peter Patel-Schneider <pfpschneider@gmail.com> wrote:
> 
> I would be fine with any faculty member at a decent university whose
> speciality is crypographic computer security saying that the algorithms
> in https://w3c-ccg.github.io/ld-proofs/#algorithms are secure assuming
> that the canonicalization algorithm works as stated.  Even better would
> be that person also stating that the RDF dataset normalization
> algorithm doesn't introduce any problems when used as a
> canonicalization algorithm.
> 
> 
> 
> Linked Data Proofs 1.0 - https://w3c-ccg.github.io/ld-proofs/ - has
> several parts: canonicalization, signing, and embedding.  It has no
> pointers to implementations of the entire method.
> 
> https://github.com/digitalbazaar/vc-js talks about verifiable
> credentials and verifiable presentations.  It's unclear what the
> relationship between these and linked data proofs is.  I'm looking for
> commands that have the same inputs and outputs as the algorithms in
> https://w3c-ccg.github.io/ld-proofs/#algorithms
> 
> https://github.com/spruceid/didkit has a set of commands, in
> https://github.com/spruceid/didkit/tree/main/cli
> It does reference Linked Data Proofs 1.0.
> Its didkit vc-issue-credential command looks close to what is required,
> but I don't see a complete correspondence.
> 
> https://github.com/danubetech/verifiable-credentials-java links to some
> examples that look close to what is required, but I don't see something
> that looks like Example 6 of Linked Data Proofs 1.0.
> 
> 
> What I would like to see is some code and associated documentation that
> says something like:
> 
> To sign a document that encodes an RDF dataset as in
> https://w3c-ccg.github.io/ld-proofs/#proof-algorithm run
> FOO document options key
> where document is the name of a file containing a document that encodes
> an RDF dataset, key is an X private key, and options contains a W key-
> pair identifier with key as private key and a current date in UTC.
> This will canonicalize the document using Y and sign the result using X
> with key in such a way that any document encoding an RDF dataset
> isomorphic to the one in the original document will have the same
> signature.
> A signed document will be output on standard output.  
> 
> And similarly for the verification algorithm.
> 
> I didn't recognize this anywhere I looked.
> 
> 
> peter
> 
> 
> 
> On Fri, 2021-05-21 at 10:23 -0400, Manu Sporny wrote:
>> Peter Patel-Schneider wrote:
>>> So I'm waiting for some security expert sign-off on the entirety of
>>> the 
>>> proof algorithms in Linked Data Proofs 1.0, and also for an open-
>>> source 
>>> reference implementation of the algorithms.   I don't think that the
>>> WG 
>>> should start until both of these have been made available.
>> 
>> Multiple open source reference implementations, a corresponding test
>> suite,
>> and higher-level Verifiable Credential libraries that used the RDF
>> Dataset
>> Canonicalization algorithms were provided to you here (over a week
>> ago):
>> 
>> https://lists.w3.org/Archives/Public/semantic-web/2021May/0126.html
>> 
>> As for your request for "security expert sign-off" -- please mention
>> who,
>> specifically, that you would like to sign off on the implemented
>> algorithms.
>> Or at least, provide an extensive and complete list of qualifications
>> you'd
>> like to see for the "security expert". The people that have reviewed
>> the work
>> to date over the last 8+ years don't seem to be meeting your nebulous
>> set of
>> qualifications and I expect you will have to be far more precise
>> regarding
>> your "security expert" definition.
>> 
>> This sort of "expert review" (which has been done to the degree that
>> has
>> already been documented) is also one of the reasons we convene W3C
>> Working
>> Groups... so demanding it all happen before a group is created tends to
>> defeat
>> one of the reasons for creating the group in the first place.
>> 
>> -- manu
>> 
> 
> 
> 


----
Ivan Herman, W3C 
Home: http://www.w3.org/People/Ivan/
mobile: +33 6 52 46 00 43
ORCID ID: https://orcid.org/0000-0003-0782-2704
Received on Saturday, 22 May 2021 10:43:42 UTC