-
Notifications
You must be signed in to change notification settings - Fork 26
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Public key signature constraint #35
Comments
thinking a bit more about it now, it might be smarter to let the verifier's side handle that, ie patterns like this:
|
Currently the algorithms I'd like support for are:
It would also be neat to support U2F/WebAuthN assertions (a P-256 ECDSA signature over a specific data structure). |
with #40 there will be a way to represent keys, so now we can think more about how to represent it. Facts needed for the query:
Queries from the verifier:
Caveats in the token:
The verifier will then check the caveats and the token will succeed if the required signatures are here. @titanous what do you think? |
This all makes a lot of sense! The main thing I'm thinking about is how the data to be signed will be formatted. I'm going to drop some notes below.
|
@daeMOn63 has implemented an experimental proof of possession scheme here: https://github.com/flynn/biscuit-go/blob/master/experiments/pop_test.go |
Are these use-cases covered by the third-party blocks? They allow to handle signatures / verifications outside of datalog, avoiding a lot of issues related to exposing crypto primitives from within datalog. |
To implement use cases such as third party caveats, or using a biscuit token as attestation accumulating acknowledgement from multiple parties, caveats should be able to verify a public key signature.
A few questions here:
Signature verification would work well as a constraint affecting 3 elements (message, key, signature) that could be filled in various ways:
verify(message, key, sig?)
: a signature from a specific key must be providedverify(message, key?, sig?)
: a signature must be provided, from any key, but we could have other constraints on that key here (like the key must be in a certain set)verify(message?, key, sig?)
: specify we must have a valid signature from a key, with other constraints on the messageThe text was updated successfully, but these errors were encountered: