From: Markus Sabadello <markus@danubetech.com>

Date: Mon, 24 May 2021 18:44:04 +0200

To: semantic-web@w3.org

Message-ID: <c0086f58-c422-db55-212c-06d929d4ec55@danubetech.com>

Date: Mon, 24 May 2021 18:44:04 +0200

To: semantic-web@w3.org

Message-ID: <c0086f58-c422-db55-212c-06d929d4ec55@danubetech.com>

Hello Peter, You mentioned you were looking for code, and you listed the verifiable-credentials-java library as one example. You may also want to look at this one: https://github.com/weboftrustinfo/ld-signatures-java This I think is quite close to the Example 6 you referred to. It uses the following Java implementation of RDF dataset normalization: https://github.com/setl/rdf-urdna/ Markus On 21.05.21 22:40, Peter Patel-Schneider wrote: > I would be fine with any faculty member at a decent university whose > speciality is crypographic computer security saying that the algorithms > in https://w3c-ccg.github.io/ld-proofs/#algorithms are secure assuming > that the canonicalization algorithm works as stated. Even better would > be that person also stating that the RDF dataset normalization > algorithm doesn't introduce any problems when used as a > canonicalization algorithm. > > > > Linked Data Proofs 1.0 - https://w3c-ccg.github.io/ld-proofs/ - has > several parts: canonicalization, signing, and embedding. It has no > pointers to implementations of the entire method. > > https://github.com/digitalbazaar/vc-js talks about verifiable > credentials and verifiable presentations. It's unclear what the > relationship between these and linked data proofs is. I'm looking for > commands that have the same inputs and outputs as the algorithms in > https://w3c-ccg.github.io/ld-proofs/#algorithms > > https://github.com/spruceid/didkit has a set of commands, in > https://github.com/spruceid/didkit/tree/main/cli > It does reference Linked Data Proofs 1.0. > Its didkit vc-issue-credential command looks close to what is required, > but I don't see a complete correspondence. > > https://github.com/danubetech/verifiable-credentials-java links to some > examples that look close to what is required, but I don't see something > that looks like Example 6 of Linked Data Proofs 1.0. > > > What I would like to see is some code and associated documentation that > says something like: > > To sign a document that encodes an RDF dataset as in > https://w3c-ccg.github.io/ld-proofs/#proof-algorithm run > FOO document options key > where document is the name of a file containing a document that encodes > an RDF dataset, key is an X private key, and options contains a W key- > pair identifier with key as private key and a current date in UTC. > This will canonicalize the document using Y and sign the result using X > with key in such a way that any document encoding an RDF dataset > isomorphic to the one in the original document will have the same > signature. > A signed document will be output on standard output. > > And similarly for the verification algorithm. > > I didn't recognize this anywhere I looked. > > > peter > > > > On Fri, 2021-05-21 at 10:23 -0400, Manu Sporny wrote: >> Peter Patel-Schneider wrote: >>> So I'm waiting for some security expert sign-off on the entirety of >>> the >>> proof algorithms in Linked Data Proofs 1.0, and also for an open- >>> source >>> reference implementation of the algorithms. I don't think that the >>> WG >>> should start until both of these have been made available. >> Multiple open source reference implementations, a corresponding test >> suite, >> and higher-level Verifiable Credential libraries that used the RDF >> Dataset >> Canonicalization algorithms were provided to you here (over a week >> ago): >> >> https://lists.w3.org/Archives/Public/semantic-web/2021May/0126.html >> >> As for your request for "security expert sign-off" -- please mention >> who, >> specifically, that you would like to sign off on the implemented >> algorithms. >> Or at least, provide an extensive and complete list of qualifications >> you'd >> like to see for the "security expert". The people that have reviewed >> the work >> to date over the last 8+ years don't seem to be meeting your nebulous >> set of >> qualifications and I expect you will have to be far more precise >> regarding >> your "security expert" definition. >> >> This sort of "expert review" (which has been done to the degree that >> has >> already been documented) is also one of the reasons we convene W3C >> Working >> Groups... so demanding it all happen before a group is created tends to >> defeat >> one of the reasons for creating the group in the first place. >> >> -- manu >> > >Received on Monday, 24 May 2021 16:44:20 UTC

*
This archive was generated by hypermail 2.4.0
: Monday, 24 May 2021 16:44:22 UTC
*