Verifiable Credential Data Integrity (and vc-di-eddsa and vc-di-ecdsa) 2023-06-15 -> 2023-07-31 #120
VC Data Integrity specs
Notes for PING Reviewers
Noting that the terms This spec is one of two classes of proof suites (the other is VC-JWT - no PING horizontal review request yet) that is used to produce a signature of the claims. The proofs can be used either to prove the assertions came from the issuer, or to assert the presentation by a holder to the verifier. Specifically with Data Integrity, this spec is standardizing the method of JSON-LD signatures which relies upon
Summary of review
ECDSA-2019 spec
EdDSA v2022
@kdenhartog and PING, thank you for your thoughtful review of the W3C Data Integrity and cryptosuite specifications. I see no reason why we cannot address each of the items you raise above in the specification text using the suggestions that you provide above. The next step is to create an issue per item that you raise above in the W3C Data Integrity and cryptosuite repositories and process each one separately as a PR. We will cc you, @kdenhartog, on each issue and PR to ensure that you are given a chance to review and provide feedback on the text that ends up going in the final specification.
We reviewed these points today during the PING call and there appeared to be consensus agreement to address these points with the exception that the non-deterministic signatures can be left as SHOULD. To do this the WG should add these points as privacy considerations sections to the specification and that would be the only aspects necessary to address this review. Once you get those issues tag me in them and I'll work with the WG to discuss and review the text to get them added.
@kdenhartog Issues have been raised for each of the items mentioned in the PING review and discussed during the PING call yesterday (see above). You have been tagged in each issue and will see progress as we make progress. A fair number of the issues have been tagged as "during CR" (which means that we will add the guidance to the Security and Privacy Considerations sections after we enter the Candidate Recommendation phase, which is expected to happen in a few weeks). Issues that might require normative guidance (or for us to check to make sure there is normative guidance) have been tagged as "before CR" and we will raise PRs as soon as possible to address those issues before we go into CR. Thank you again for the thorough review and the extra time given on the PING call yesterday to review the concerns and proposed path forward. We really appreciate it! :)
Name of specs to be reviewed:
URL of specs:
What and when is your next expected transition?
What has changed since any previous review?
Please point to the results of your own self-review (see https://w3c.github.io/apa/fast/checklist.html)
Where and how to file issues arising?
Pointer to any explainer for the spec?
Other comments:
The three specifications listed above are cryptographic message securing mechanisms and are intended to be reviewed together. The first specification, Verifiable Credential Data Integrity, is the base specification that defines the base concepts and algorithms. The "EdDSA Cryptosuite" and "ECDSA Cryptosuite" specifications are concrete implementations of the base specification and each define specific cryptographic algorithms and processes to be used when providing data integrity protection for Verifiable Credentials.
When reviewing the Security and Privacy considerations, it is important to first be aware of the Security and Privacy Considerations for Verifiable Credentials:
and then consider the Security and Privacy considerations provided in the Verifiable Credential Data Integrity specification:
and then finally consider the Security and Privacy considerations for each cryptography suite.