-
Notifications
You must be signed in to change notification settings - Fork 1
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Rename "VerificationKey" to "JsonWebKey2020" #19
Comments
Related: w3c/did-core#185 (comment) |
Thanks for filing this issue. Yes, I'd like to see us rename this key suite so that we can use JWKs and other representations (which may be out of scope for this repo) for multiple cryptographic algorithm suites. After thinking about this further, ideally, I'd like to see key representation separated from the algorithms, and then referenced by cryptographic algorithms later. The purpose of the key represenation suites would be for highlighting how a key can be represented in different forms in JSON-LD. E.g. a KeySuite2020 spec would define support for: {
"id": "did:example:123#_Qq0UL2Fq651Q0Fjd6TvnYE-faHiOpRlPVQcY_-tA4A",
"type": "JsonWebKey2020",
"controller": "did:example:123",
"publicKeyJwk": {
"crv": "Ed25519",
"x": "VCpo2LMLhn6iWku8MKvSLg2ZAoC-nlOyPVQaO3FxVeQ",
"kty": "OKP",
"kid": "_Qq0UL2Fq651Q0Fjd6TvnYE-faHiOpRlPVQcY_-tA4A"
}
} and additionally {
"id": "did:example:123456789abcdefghi#keys-2",
"type": "Ed25519VerificationKey2018",
"controller": "did:example:pqrstuvwxyz0987654321",
"publicKeyBase58": "H3C2AVvLMv6gmMNam3uVAjZpfkcJCwDwnZn6z3wXmqPV"
} I could see the spec additionally define support for how these keys are converted between each other. |
Big -1. Making it easy to publish a publicKey with a 'd' field in it is the type of foot gun that we've successfully avoided for years in the Linked Data Security specs. Allowing it is an anti-pattern that should be avoided at all costs, there is just no good reason to do it. |
@msporny if you are using JWK and you don't know what I feel that it's condescending to assume an absence of competence, especially w.r.t. established cryptography such as JOSE. Maybe its because I had to go to school for this, and got told over and over again, don't roll your own crypto, don't use unpopular libraries, javascript is fundamentally unsafe, don't try and hack on crypto you are not familiar with outside of a research setting, etc... JOSE uses the concept of "key" differently than what you believe is best... they define private key property name in a formal way: https://tools.ietf.org/html/rfc7518#section-6.2.2.1 in contrast, crypto-ld, and JSON-LD generally, don't even provide vocabulary definitions for but Nothing stops a developer from doing this:
I think at the heart of this issue, is that JSON-LD security community has no common way of describing what a private key is, especially across representations... thats something which I am working on... but which is not the same as the question "How does JSON-LD security community represent JWKs"... |
... and yet there aren't board certifications to use cryptography. It's illegal to pretend to be a doctor. It's not illegal to be a developer that accidentally misuses cryptography because they don't know any better. This is the crux of the disagreement. There are many, many more developers that don't know what We should protect developers from this sort of stuff in the same way that we protect people in cars by giving them seat belts and airbags. I'm saying, hey, you guys are building a car without seat belts and airbags, and I think that's a bad idea. So bad, that I'm trying to engage you on the topic and attempt to change your mind by drawing attention to what I believe to be a large blind spot in your thinking.
I make no value judgement on developers that don't know this stuff. In fact, quite the opposite, I empathize with them. As a developer, I don't want another developer to hand me a software library that is going to result in harm to me or my customers. I don't have the spare time to learn everything about everything. At some point, I have to trust that the people that build the standards and tools that I'm using help me get the job done, quickly and safely. In short: Don't give me a foot gun. Examples of cryptographic foot guns:
So, out of empathy for developers that don't have time to learn about this stuff (they have other more important things to do), we should be incredibly purposeful in how we design how these things are exposed and used. /cc @kdenhartog @tplooker @dlongley @dmitrizagidulin @rhiaro |
Perhaps we can fix this issue by providing the following structure (with the appropriately crafted context behind it):
now replace https://w3c-ccg.github.io/lds-ed25519-2018/#the-ed25519-key-format Which is more of a footgun? A home rolled crypto suite spec in the W3C CCG or a home rolled crypto suite spec in the W3C CCG that relies on a IANA for pretty much everything important? For example, w3c-ccg/lds-ed25519-2018#1 I can see the argument that even building on JOSE is less secure than starting in a formally verifiable system like Coq or Agda and proving your way through OpenSSL... but thats also not a realistic solution for people who are trying to integrate with stuff that runs in the browser today: https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/generateKey Which Ed25519 does not.... in fact the only browser capable crypto suite that is defined was recently marked as deprecated due to being wildly out of date: https://github.com/w3c-ccg/lds-rsa2018 If this is mostly a documentation issue, I'm confident that the more documentation reuse we get (by supporting responsible algorithmic agility as JOSE does) the more contributors will show up to fix documentation.... If its a semantics issue, lets be more specific, lets define |
My take on this is less so about privateKeys and more so about the ability to reuse public key representations throughout multiple ld crypto suites. I'd even consider explicitly disallowing privateKeys to be included in However, I think my reason behind suggesting this change may have be misunderstood. Specifically, what I'm looking to do is elevate the purpose of a key to it's own layer within the ld-proof stack and allow representations (aka In past threads I've made mention of the ability to transform keys such as Ed25519 to X25519, or reusing P-256 for ECDSA and ECDH. However, nothing stops me from already doing that today and this change wouldn't prevent me from doing it tomorrow. By representing the same publicKey with a different type, an implementer can re-represent the same cryptographic material in a way that may be dangerous as it stands today. In other words, an implementer already has possession of the foot gun and they don't even know it. That's more the concern of cryptographers who conduct research on the algorithms and are developing the algorithms in my opinion and it's our jobs to relaying these concerns during the defining of the representations, so it's not misunderstood along the way. That's not what we're doing here though. We're defining a representation, which in some cases can have overlaps with the concerns of cryptographers, and rather than defining that implementers shouldn't be doing this we're stating nothing about it. In those cases, I'd rather list these explicitly as security considerations in crypto suite specifications or publickey suite specification. An example of a statement we might put in either Ed25519Signature2020 or Ed25519PublicKey2020 would be "Transformation of Ed25519 public keys into X25519 public keys has not been vetted as a secure reuse of cryptographic material. With this in mind, implementers SHOULD NOT reuse cryptographic material in Ed25519 public keys for the purposes of deriving an X25519 public key from the same cryptographic material." At least then we're being more clear about what an implementer should and should not do. |
JWK by default allows for custom properties... and its JSON-LD so, I'm not sure that banning for example: a key under Settings that discussion aside... a major motivation for this crypto suite was to support JOSE, because its very popular, has lots of tooling in many different languages, and due to this, could be an easier path to adoption for LD crypto, since implementers need only tackle RDF Canonization / Linked Data concerns, not everything at once in a novel implementation in a new language. JOSE defines key use here: https://www.iana.org/assignments/jose/jose.xhtml#web-key-use so a JWK can be used for Here is an example for P-384 https://en.wikipedia.org/wiki/P-384 A NIST Curve which might be required for certain work with governments... it says that it supports both The proper way to represent this in a DID Document is as a JsonWebKey2020 If we want it to function like a its one thing to ask them not to port over and that they are not allowed to use any of the other key types not registered under https://w3c.github.io/did-core/#dfn-publickey Which is what we are implicitly doing by requiring this burdensome W3C registration process for each and every key type and purpose in the IANA registry: https://www.iana.org/assignments/jose/jose.xhtml#web-key-elliptic-curve Do we want json-ld to work with legacy systems and gain valuable contributors or do we want to piss them all off by saying its an open world, but making the registration process impossible for things that they are required to use when working with governments or legacy systems? The sooner JSON-LD works with JOSE, the sooner we can stop trying to get it to work and start working on base58 / multicodec / multibase stuff... because we know we will have things that cover our use cases, and we will have time to work on future facing crypto... This debate is blocking DIDComm and SDS, but I agree that we need to discuss it on a working group call and come to some kind of agreement regarding support for government requirements and legacy (but very popular) crypto systems. |
@OR13 when/will the LD crypto suite registry be updated to reflect this change? |
https://w3id.org/security/suites/jws-2020/v1 was created a weekend ago, the entire ld registry and did spec registries are currently still in the format they were when verification methods where in the did core context, and they both need to be updated. |
This issue is stale, closing |
@kdenhartog
We discussed maybe being able to use a key for both verification, and key agreement... and maybe with future suites as well...
Choosing something like
JsonWebKey2020
, might be more future facing... we could specify thatJsonWebSignature2021
also supportsJsonWebKey2020
keys... in the suite.The text was updated successfully, but these errors were encountered: