Re: Chartering work has started for a Linked Data Signature Working Group @W3C from Markus Sabadello on 2021-05-24 (semantic-web@w3.org from May 2021)

From: Markus Sabadello <markus@danubetech.com>
Date: Mon, 24 May 2021 18:44:04 +0200
To: semantic-web@w3.org
Message-ID: <c0086f58-c422-db55-212c-06d929d4ec55@danubetech.com>
Hello Peter,

You mentioned you were looking for code, and you listed the
verifiable-credentials-java library as one example.

You may also want to look at this one:
https://github.com/weboftrustinfo/ld-signatures-java

This I think is quite close to the Example 6 you referred to.

It uses the following Java implementation of RDF dataset normalization:
https://github.com/setl/rdf-urdna/

Markus

On 21.05.21 22:40, Peter Patel-Schneider wrote:
> I would be fine with any faculty member at a decent university whose
> speciality is crypographic computer security saying that the algorithms
> in https://w3c-ccg.github.io/ld-proofs/#algorithms are secure assuming
> that the canonicalization algorithm works as stated.  Even better would
> be that person also stating that the RDF dataset normalization
> algorithm doesn't introduce any problems when used as a
> canonicalization algorithm.
>
>
>
> Linked Data Proofs 1.0 - https://w3c-ccg.github.io/ld-proofs/ - has
> several parts: canonicalization, signing, and embedding.  It has no
> pointers to implementations of the entire method.
>
> https://github.com/digitalbazaar/vc-js talks about verifiable
> credentials and verifiable presentations.  It's unclear what the
> relationship between these and linked data proofs is.  I'm looking for
> commands that have the same inputs and outputs as the algorithms in
> https://w3c-ccg.github.io/ld-proofs/#algorithms
>
> https://github.com/spruceid/didkit has a set of commands, in
> https://github.com/spruceid/didkit/tree/main/cli
> It does reference Linked Data Proofs 1.0.
> Its didkit vc-issue-credential command looks close to what is required,
> but I don't see a complete correspondence.
>
> https://github.com/danubetech/verifiable-credentials-java links to some
> examples that look close to what is required, but I don't see something
> that looks like Example 6 of Linked Data Proofs 1.0.
>
>
> What I would like to see is some code and associated documentation that
> says something like:
>
> To sign a document that encodes an RDF dataset as in
> https://w3c-ccg.github.io/ld-proofs/#proof-algorithm run
> FOO document options key
> where document is the name of a file containing a document that encodes
> an RDF dataset, key is an X private key, and options contains a W key-
> pair identifier with key as private key and a current date in UTC.
> This will canonicalize the document using Y and sign the result using X
> with key in such a way that any document encoding an RDF dataset
> isomorphic to the one in the original document will have the same
> signature.
> A signed document will be output on standard output.  
>
> And similarly for the verification algorithm.
>
> I didn't recognize this anywhere I looked.
>
>
> peter
>
>
>
> On Fri, 2021-05-21 at 10:23 -0400, Manu Sporny wrote:
>> Peter Patel-Schneider wrote:
>>> So I'm waiting for some security expert sign-off on the entirety of
>>> the 
>>> proof algorithms in Linked Data Proofs 1.0, and also for an open-
>>> source 
>>> reference implementation of the algorithms.   I don't think that the
>>> WG 
>>> should start until both of these have been made available.
>> Multiple open source reference implementations, a corresponding test
>> suite,
>> and higher-level Verifiable Credential libraries that used the RDF
>> Dataset
>> Canonicalization algorithms were provided to you here (over a week
>> ago):
>>
>> https://lists.w3.org/Archives/Public/semantic-web/2021May/0126.html
>>
>> As for your request for "security expert sign-off" -- please mention
>> who,
>> specifically, that you would like to sign off on the implemented
>> algorithms.
>> Or at least, provide an extensive and complete list of qualifications
>> you'd
>> like to see for the "security expert". The people that have reviewed
>> the work
>> to date over the last 8+ years don't seem to be meeting your nebulous
>> set of
>> qualifications and I expect you will have to be far more precise
>> regarding
>> your "security expert" definition.
>>
>> This sort of "expert review" (which has been done to the degree that
>> has
>> already been documented) is also one of the reasons we convene W3C
>> Working
>> Groups... so demanding it all happen before a group is created tends to
>> defeat
>> one of the reasons for creating the group in the first place.
>>
>> -- manu
>>
>
>
Received on Monday, 24 May 2021 16:44:20 UTC