DRAFT: digital signatures decorator and message family #79
Conversation
Signed-off-by: Kyle Den Hartog <kdenhar@gmail.com>
text/digital-signatures/README.md
Outdated
| The `@sig` feild decorator may be used with any field of data. Its value should match the json object format of the Signature Message Family outlined below. | ||
|
|
||
| ```JSON | ||
| "example_feild.@sig": { |
There was a problem hiding this comment.
thanks, I'll get this changed on my next update.
|
This is like the "attachments" HIPE in that it makes sense, but it would be great to have some use cases as to where this would be used. I'm also intrigued as to using this with anoncrypt vs. using authcrypt. Could I get the same impact (same business function) of authcrypt by using anoncrypt and adding the signature decorator on the ciphertext field? I'm guessing not... :-) |
|
Great HIPE, once this has matured further I might modify #75 to use this functionality to provide proof of ownership of a routing identifier. |
text/digital-signatures/README.md
Outdated
|
|
||
| ```JSON | ||
| { | ||
| @type: signature/1.0/ecdsa |
There was a problem hiding this comment.
Is there some sort of standardized signature qualification we could use here?
There was a problem hiding this comment.
yeah, I believe the DID spec specifies them. This will need to be added before the propose phase.
I agree, I think a perfect first use case is with @tplooker PR #75 and we'll eventually need it for credentials as well. With regards to the anoncrypt w/ signature decorator there is a slight difference. The difference being that with Authcrypt, repudiable authentication is used, where as with the suggestion you included it's non-repudiable authentication. These properties have subtle difference that will affect privacy which is why we've defaulted to using authcrypt with the option of adding non-repudiable signatures for authentication. |
Connection protocol (and later maintenance) needs this. |
|
As I see it, these signatures can be processed by a receiving agent prior to presenting the data to a message handler. Then the handler can access the verified signature metadata and the signed data easily. as an alternative, convenience functions can be used to access signed data inside the handler, to simplify the processing of these signatures. Some quick text describing that intent could be helpful in the HIPE to help explain how the complexity of using these signatures can be mitigated. |
There was a problem hiding this comment.
I don't know where you might build a list of acceptable signatures but we need to do it. At Real World Crypto 2019 Nadia Heninger presented a paper that uses lattice crypto to reverse engineer signatures to derive the private keys based on poorly generated nonces.
kdenhartog
changed the title
Signed-off-by: Sam Curren <telegramsam@gmail.com>
Updated handling, field renaming
Signed-off-by: Kyle Den Hartog <kdenhar@gmail.com>
Signed-off-by: Kyle Den Hartog <kdenhar@gmail.com>
| How should multiple signatures be represented? | ||
| - One solution is to do [<digital_sig1>, <digital_sig2>] for `signature` and do [<verkey1>, <verkey2>] for `signers` |
There was a problem hiding this comment.
Cool idea but should be a separate HIPE.
Signed-off-by: Kyle Den Hartog <kdenhar@gmail.com>
| @type: "did:sov:BzCbsNYhMrjHiqZDTUASHg;spec/signature/1.0/ed25519Sha512_single" | ||
| "signature": <digital signature function output> | ||
| "sig_data": <base64URL(64bit_integer_from_unix_epoch||message_data)> | ||
| "signers": <signing_verkey> |
There was a problem hiding this comment.
should this be signer insted of signers given that there will only be one for this signature type?
There was a problem hiding this comment.
signers makes sense so its future proof. I vote for signers.
There was a problem hiding this comment.
Are you seeing multi-sig format and single signer formats being the same @mikelodder7? That's what I was intending as well in which signers would make sense to use for this.
|
I could use some detail on the timestamp representation, "append timestamp as 8 bytes to the front of the message data". Is that a big-endian unsigned (long) int? |
| ## Rationale and alternatives | ||
| [alternatives]: #alternatives | ||
|
|
||
| JSON Web Signatures is an alternative to this specification. The reason we've chosen to diverge from this specification is do to the inability to support our need for message decorators. Additional concerns around non-support for BLS signatures and other multi-signature schemes caused us to want to diverge. |
There was a problem hiding this comment.
Could you explain why JWS precludes message decorators? I don't get that from skimming the JWS spec.
The "non-support for BLS signatures" is a crypto thing beyond me, but it seems to me that the reasons need to be good for not to go with an existing spec.
There was a problem hiding this comment.
I believe JWS formats won't work with CL Signature schemes, so if we intend to use this decorator with credentials, it wouldn't make sense to use it. However if we're looking to do just basic ed25519 signatures JWS would likely be the best format.
There was a problem hiding this comment.
We could support BLS signatures for both threshold and multisigs, or even a single signer because those signatures are 1/2 the size of ECC sigs. CL sigs wouldn't work for JWS.
There was a problem hiding this comment.
In the case of CL signatures and other considered Credential signatures would it make sense to use this format anyways? If it doesn't I see value in moving this format to align with the JWS work to allow for us to integrate with other identity systems more easily. (E.g. OAuth and openID connect servers)
That's what I thought it was. I agree it should be clarified to state "This timestamp field is a 64-bit unsigned big-endian integer. It records the number of seconds elapsed between January 1, 1970 UTC and the time the token was created." |
Thank you for clarifying. I hadn't gotten around to looking up what was being used in the standard. I'll add this detail to the HIPE. |
Signed-off-by: Kyle Den Hartog <kdenhar@gmail.com>
|
What's our consensus on moving this towards JWS? I'm in favor at this point. |
|
@kdenhartog Would you agree that this should now be moved over to aries-rfcs? |
|
I'd actually like to deprecate and close it (supersede in favor of 0066 is fine as well). This moves in a different direction than 0066 does, and I'm not wanting to separate out the decorator portion from the cryptographic envelope portion. This is superseded by Aries RFC #66 |
Signed-off-by: Kyle Den Hartog kdenhar@gmail.com
rendered text