Add ECDSA secpr1 cryptosuite to VCWG input documents. #63
Conversation
msporny
requested review from
iherman,
brentzundel,
peacekeeper,
Sakurann,
tplooker and
OR13
| @@ -219,8 +219,10 @@ <h3> | |||
| signatures or proofs of existence, for bounded documents, such as verifiable | |||
| credentials. Concrete serializations will be provided based on <a | |||
| href="https://w3c.github.io/vc-data-model/#json-web-token">VC-JWT</a>, the <a | |||
| href="https://w3c-ccg.github.io/lds-ed25519-2020/">Ed25519 Cryptosuite</a>, and | |||
| the <a href="https://w3c-ccg.github.io/lds-ecdsa-secp256k1-2019/">Secp256k1 | |||
| href="https://w3c-ccg.github.io/lds-ed25519-2020/">Ed25519 Cryptosuite</a>, | |||
There was a problem hiding this comment.
AFAIK the charter can in fact refer to work items anywhere on the internet... not just in the W3C CCG.
There was a problem hiding this comment.
I expect W3C AC Members to raise IPR concerns if they see that a draft is being pulled in (for a normative work item) from a location that they are not familiar with. Specifically, if the IPR for any work item isn't clear (using language that has been agreed to by W3C Members), there is a strong chance that one or more AC Representatives will take issue with it (e.g., as a stall tactic), even to the point of raising a formal objection. In the very best case, they're going to ask the document author to track down everyone that contributed to that document and sign an IPR release for the draft before it can be pulled into the WG. This IPR uncertainty when W3C AC Members review our charter is all stuff that we should avoid as much as possible... it'll unnecessarily slow the work down.
W3C AC Reps understand W3C Community Group specification -> W3C Working Group specification. They raise their eyebrows at most anything else. We should avoid giving them targets to shoot at.
There was a problem hiding this comment.
Being allowed to do something, and having it be a good idea are not the same thing.
I don't think the W3C CCG is somehow "better" than other places when it comes to links related to "Verifiable Credentials"... and I am not sure the AC Members would agree with your assertions, but your clarity does help.
|
I suggest we try our best to merge all these link PRs so the section can be reorganized... I am happy to do a PR to clean them up, but not with so many open PRs trying to add links. |
|
@msporny Is this still a WIP? It has sufficient approvals that I would like to merge it. |
We are still waiting on a co-sponsor in CCG for the work item. If the Chairs are ok with listing a work item that has not yet been accepted as a CCG work item (and under the W3C CCG IPR policy), then please merge away. I expect this item to be either 1) accepted by the CCG, or 2) removed from the VCWG charter. |
|
IMO, we should be accepting #51 and not this PR. |
That is why Data Integrity now covers doing exactly that for key formats (if the WG decides that they want to head in that direction): https://w3c-ccg.github.io/data-integrity-spec/#multikey
If the WG wants to define a cryptosuite for NIST curve families, it can do that. Again, blocking an input document that would go into that conversation is probably not a way to ensure that all options are on the table. |
|
@msporny seems like this PR title has been overtaken by events, are we already linking to https://w3c-ccg.github.io/data-integrity-spec/#multikey ? Why do we need this PR if we can just link directly to that section? |
Because there is no focused cryptosuite defined for ECDSA using secpr1. Yes, JsonWebSignature2020 exists, but it pulls in many other cryptosuites that could be viewed as not relevant to systems that only want to support ECDSA using secpr1. The ECDSA secpr1 cryptosuite might support publicKeyJwk, publicKeyMultibase, AND publicKeyPem... or only publicKeyMultibase... or something else -- that's up to the WG to decide (if we decide to separate key formats from cryptosuites -- which would be a good thing, imho). At the same time, if we separate key formats from cryptosuites, where will publicKeyPgp live? Where do we define it? In any case, this PR continues to exist for the reasons stated in the first paragraph above. |
|
It feels like we are trying to do 2 things under this charter item:
I support both of these things. If the best we can do is point to a few different specs to speak to the desire to do multikey, that is the best we can do I suppose. It feels like something like MultiCodecSignature2020 that supported Ed25519 and secp384r1 and others would be better than listing them one at a time. |
|
I don't see the relevance of a key format to the signature format. The VCWG should only be concerned with the way that the data model is used to attach a signature to the credential. It's up to the DID Core or other relevant key representation specs to define the key formats. It's easy enough to convert a public key and associated metadata without needing to couple it to the signature format. This coupling brings in unnecessary couplings in my opinion. |
Co-authored-by: Orie Steele <[email protected]>
msporny
changed the title
Done. |
|
I replied to a similar comment here: #51 (comment) |
|
@kdenhartog wrote:
@OR13 wrote:
I'm starting to feel like a broken record at this point, but just repeat myself again: This is already contemplated in the Data Integrity spec: https://w3c-ccg.github.io/data-integrity-spec/#multikey ... and in the spec pointed to by this PR: The text clearly still needs work, but there is an expectation written in these input documents that we do plan to separate key format from cryptosuite in the general case, but still provide the option to specify key format in cryptosuites to support things like EthereumEip712Signature2020 (which doesn't have a JWK/JWS mapping, nor a Multikey mapping, and probably won't because it's more proof than signature). PGP falls into the same category of not having mappings in either JWK/JWS or Multikey. PEM, while having a JWK mapping (kinda sorta, but not really because many implementations do totally different things there) also falls into this category. |
|
PR #77 has been merged, which includes this change, closing. |
This PR adds the ECDSA secpr1 cryptosuite to the set of VCWG input documents. The work item is currently being processed for adoption by the CCG:
w3c-ccg/community#228
The PR is meant to be a placeholder until its adoption in CCG (and then the URLs to the spec will be updated).
Preview | Diff