decentralized-id.github.io/_posts/identosphere-dump/open-standards/crypto.md
2022-12-04 02:46:02 -05:00

9.2 KiB
Raw Blame History

published
false

Crypto

This type of independent review is critically important for U.S. Government entities who are deploying capabilities based on these standards to ensure that the technologies conform to relevant U.S. Federal government standards and requirements, including the Federal Information Security Management Act (FISMA) and National Institute of Technology (NIST) standards for use of cryptography.

Please find attached (and online at the link below) the results of this independent review and the associated cryptography implementation recommendations.

I've posted a new SSI blog entitled: "Protecting Sensitive Parts of Credentials with Cryptographically Enforceable Policies".

It has a proposal that enables credential issuers to encrypt sensitive parts of credentials in such a way that can only be decrypted by parties tha satisfy the issuer's policy (that was used to encrypt these parts). The blog motivates the need, introduces a high-level architecture, explains how it would work, and discusses some issues that need to be looked into.

Cryptography Review of W3C Verifiable Credentials Data Model (VCDM) and Decentralized Identifiers (DIDs) Standards and Cryptography Implementation Recommendations by David Balenson & Nick Genise

It's largely a view from the US NIST cybersecurity standards, which are used through most of the world, but not everywhere. In any case, it's a valuable perspective that I hope the VC2WG and DIDWG takes into the next stage of the work.

We (Danube Tech) have a "Universal Verifier" here: https://univerifier.io/

But I don't claim that it actually supports all the credential formats  and signature suites in existence...

Especially considering that at the last Internet Identity Workshop a lot of different formats were identified:

It suggests updates to the SafeCurves website

We are happy to announce today that we have our first demonstration of cross-vendor interoperability between Danube Tech and Digital Bazaar for verification regarding the Data Integrity and Ed25519Signature2020 work items:

https://www.notion.soimages/image5.png

This is a publication request for four Data Integrity Community Group

Final Reports. Namely:

Jose-Cose

We've been working on generating test vectors for: https://datatracker.ietf.org/doc/html/rfc8391 $1$2

That we could use to register the kty and alg for XMSS such that it could be used by JOSE and COSE.

Quantum

What this means is that it is now possible to not have to depend on one signature format, and instead use multiple to meet different needs. The VC above supports NIST-approved cryptography today, while enabling the advanced use of BBS+ (if an organization would like to use it /before/ it is standardized at IETF), and also enabling protection if a quantum computer were to break both Ed25519 and BBS+... all on the same VC in a fairly compact format.

I look forward to continuing to work on JSON encoding for post quantum signature schemes.

In particular, support for JWS and JWK as building blocks for higher order cryptographic systems, such as DIDs and VCs.

If you are interested in contributing, please feel free to open issues here: https://github.com/mesur-io/post-quantum-signatures

The TLDR is to assume that we need hard answers as a community, and at the standards level, on crypto agility by 2024, as well as support for the key algorithms as listed above.

my colleague Sterre and I drafted a paper that we provisionally called Cryptographically Enforceable Issuer Policies, which describes our current thinking on this topic.

The paper isnt finished. We need more text in the discussions section, and hope that by making the draft available well get the discussions that we (or you?) can describe in there. Also, we might have missed stuff that you as a reader need for a proper understanding of what this is all about, and to start pondering for what (other) purposes all this might be used. Or why this proposal is a very bad idea that we should not spend any more time on.