From c0721fe6c91a6f21cadd3377ee9145df46b9d1fe Mon Sep 17 00:00:00 2001
From: Dave Longley <dlongley@digitalbazaar.com>
Date: Wed, 24 May 2023 11:28:03 -0400
Subject: [PATCH 1/5] Add security considerations text.

- Addresses #70.
---
 spec/index.html | 46 ++++++++++++++++++++++------------------------
 1 file changed, 22 insertions(+), 24 deletions(-)

diff --git a/spec/index.html b/spec/index.html
index 4eb6cc1..346f915 100644
--- a/spec/index.html
+++ b/spec/index.html
@@ -2787,31 +2787,29 @@ <h2>Security Considerations</h2>
   <section>
     <h3>Dataset Poisoning</h3>
 
-    <p class="issue" data-number="70" title="Attackers can construct poison datasets">
-Add text that warns that attackers can construct datasets which are known to
-take large amounts of compute time to canonize. The algorithm has a mechanism to detect
-and prevent this sort of abuse, but implementers need to ensure that they
-think holistically about their system such as what happens if they don't have
-rate limiting on a service exposed to the Internet and they are the subject of
-a DDoS. Default mechanisms that prevent excessive use of compute when an
-attacker sends a poisoned dataset might be different from system to system.
+    <p>The canonicalization algorithm examines every difference in the
+      information connected to blank nodes in order to ensure that each will
+      properly receive its own canonical identifier. This process can be
+      exploited by attackers to construct datasets which are known to take
+      large amounts of compute time to canonize, but that do not express
+      useful information or express it using unnecessary complexity.
+      Implementers of the algorithm are expected to add mitigations that will,
+      by default, abort canonizing problematic inputs.
     </p>
-  </section>
-
-  <section>
-    <h3>Formal Verification Incomplete</h3>
-
-    <p class="issue" data-number="70" title="Formal verification of algorithm is incomplete">
-Add text that warns implementers that, while the algorithm has a mathematical
-proof associated with it that has had peer review, and while a W3C WG
-has reviewed the algorithms and that there are multiple interoperable
-implementations, that a formal proof using a system such as Coq isn't available
-at this time. We are highly confident of the correctness of the algorithm,
-but we will not be able to say with 100% certainty that it is correct until
-we have a formal, machine-based verification of the proof. Any system that
-utilizes this canonicalization mechanism should have a backup canonicalization
-mechanism, such as JCS, or other mitigations, such as schema-based
-validation, ready in the event that an unrecoverable flaw is found in this algorithm.
+    <p>Suggested mitigations include, but are not limited to:
+      <ul>
+        <li>providing a configurable timeout with a default value applicable to
+          an implementation's common use, and / or
+        <li>providing a configurable limit on the number of iterations of steps
+          performed in the algorithm, particularly recursive steps.
+      <ul>
+    </p>
+    <p>Additionally, software that uses implementations of the algorithm can
+      employ best-practice schema validation to reject data that does not meet
+      application requirements, thereby preventing useless poison datasets from
+      being processed. However, such mitigations are application specific and
+      not directly applicable to implementers of the canonicalization algorithm
+      itself.
     </p>
   </section>
 

From 802b17695178f472191ba0f80b2a02b12871719b Mon Sep 17 00:00:00 2001
From: Dave Longley <dlongley@digitalbazaar.com>
Date: Wed, 24 May 2023 11:32:04 -0400
Subject: [PATCH 2/5] Fix closing tags in Security Considerations section.

---
 spec/index.html | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/spec/index.html b/spec/index.html
index 346f915..f3338f2 100644
--- a/spec/index.html
+++ b/spec/index.html
@@ -2799,10 +2799,10 @@ <h3>Dataset Poisoning</h3>
     <p>Suggested mitigations include, but are not limited to:
       <ul>
         <li>providing a configurable timeout with a default value applicable to
-          an implementation's common use, and / or
+          an implementation's common use, and / or</li>
         <li>providing a configurable limit on the number of iterations of steps
-          performed in the algorithm, particularly recursive steps.
-      <ul>
+          performed in the algorithm, particularly recursive steps.</li>
+      </ul>
     </p>
     <p>Additionally, software that uses implementations of the algorithm can
       employ best-practice schema validation to reject data that does not meet

From fb5f0add57fdc3ac6712278897c6422f8ccf527c Mon Sep 17 00:00:00 2001
From: Dave Longley <dlongley@digitalbazaar.com>
Date: Thu, 25 May 2023 10:22:00 -0400
Subject: [PATCH 3/5] Fix typo in Security Considerations section.

Co-authored-by: Dan Yamamoto <dan@iij.ad.jp>
---
 spec/index.html | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/spec/index.html b/spec/index.html
index f3338f2..d19b658 100644
--- a/spec/index.html
+++ b/spec/index.html
@@ -2791,7 +2791,7 @@ <h3>Dataset Poisoning</h3>
       information connected to blank nodes in order to ensure that each will
       properly receive its own canonical identifier. This process can be
       exploited by attackers to construct datasets which are known to take
-      large amounts of compute time to canonize, but that do not express
+      large amounts of computing time to canonize, but that do not express
       useful information or express it using unnecessary complexity.
       Implementers of the algorithm are expected to add mitigations that will,
       by default, abort canonizing problematic inputs.

From 0eeada66505da5a1d654e552542dafb217860768 Mon Sep 17 00:00:00 2001
From: Dave Longley <dlongley@digitalbazaar.com>
Date: Thu, 1 Jun 2023 13:08:34 -0400
Subject: [PATCH 4/5] Simplify suggested mitigation language.

Co-authored-by: Ted Thibodeau Jr <tthibodeau@openlinksw.com>
---
 spec/index.html | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/spec/index.html b/spec/index.html
index d19b658..442a181 100644
--- a/spec/index.html
+++ b/spec/index.html
@@ -2799,9 +2799,9 @@ <h3>Dataset Poisoning</h3>
     <p>Suggested mitigations include, but are not limited to:
       <ul>
         <li>providing a configurable timeout with a default value applicable to
-          an implementation's common use, and / or</li>
+          an implementation's common use</li>
         <li>providing a configurable limit on the number of iterations of steps
-          performed in the algorithm, particularly recursive steps.</li>
+          performed in the algorithm, particularly recursive steps</li>
       </ul>
     </p>
     <p>Additionally, software that uses implementations of the algorithm can

From 55c2aa48306812e4b204a6e766242d64d0394aed Mon Sep 17 00:00:00 2001
From: Dave Longley <dlongley@digitalbazaar.com>
Date: Wed, 7 Jun 2023 10:28:28 -0400
Subject: [PATCH 5/5] Use "canonicalize" language over "canonize".

---
 spec/index.html | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/spec/index.html b/spec/index.html
index 442a181..af13bd6 100644
--- a/spec/index.html
+++ b/spec/index.html
@@ -2791,10 +2791,10 @@ <h3>Dataset Poisoning</h3>
       information connected to blank nodes in order to ensure that each will
       properly receive its own canonical identifier. This process can be
       exploited by attackers to construct datasets which are known to take
-      large amounts of computing time to canonize, but that do not express
+      large amounts of computing time to canonicalize, but that do not express
       useful information or express it using unnecessary complexity.
       Implementers of the algorithm are expected to add mitigations that will,
-      by default, abort canonizing problematic inputs.
+      by default, abort canonicalizing problematic inputs.
     </p>
     <p>Suggested mitigations include, but are not limited to:
       <ul>