Re: Chartering work has started for a Linked Data Signature Working Group @W3C

On Tue, 2021-05-25 at 18:42 -0400, Aidan Hogan wrote:
> [...]

>  The issues being discussed here relate more to the definitions of
> RDF 
> datasets -- how they are serialised or deserialised, how signature 
> metadata can be embedded and extracted, etc. -- than cryptography.
> 
> - We are not inventing new cryptography. Rather we are black-boxing 
> cryptography. The complicated stuff in terms of how the cryptography
> is 
> implemented and what guarantees this provides is done for us. The
> issue 
> then is to take those guarantees and reduce the current RDFy 
> specifications to them. For example, the cryptography black box 
> presumably will provide guarantees with respect to the difficulty of
> a 
> pre-image attack. Assuming this guarantee (without necessarily 
> understanding how it is implemented), one can then formalise
> guarantees 
> regarding the difficulty of attacks on an RDF level that equate to a 
> pre-image attack (e.g., using proof by contradiction, showing that
> the 
> RDF-level attack would constitute a pre-image attack). I think that
> this 
> sort of task requires a more detailed understanding of RDF than of 
> cryptography.
> 

Attacks on computer security come in different flavours.   There are
attacks on the fundamental crypographic primitives.  There are attacks
on how these primitive are used.  There are probablhy other kinds of
attacks, for example attacks that depend on the resources needed to do
RDF dataset canonicalization.

Developing good cryptographic primitives is difficult and often
requires inspiration.  Developing good usage may be even more difficult
and generally requires a lot of persperation - to enumerate all the
different ways that an opponent can take advantage of each and every
aspect of the signing/proof process.

> (Ceci n'est pas un audit de sécurité.)
> 
> Best,
> Aidan

peter

Received on Tuesday, 25 May 2021 23:49:42 UTC