V2: Verification and Signature

[kimdhamilton]

Updated per RWoT 2017 conference, where it was decided to create a MerkleProof2017 signature suite. That spec is still in draft, but this new proposal will fit the proposed structure.

See comment on 4/24.

Goals

• Verification and signature should be explicit and allowed to vary, to support (at least) differing choices of:
  • proof types, e.g. Proof of Publication, Chainpoint
  • crypto key types
  • blockchain
  • domain-specific concerns
• Update standard to ensure at issuing, view, and verifying time, all properties have been mapped at property in the JSON-LD context. Verification should warn (at least) or fail if there are additional properties. This is because of dropping of unmapped properties during JSON-LD canonicalization. See RDF Dataset Normalization

Non-goals

• These changes will not add reference implementations for any of the variations described above. The goal is to help make the blockcerts standard more portable across domains, blockchains, etc, in response to community requests
• The ideal solution is to use IPFS/IPNS for storage of certain certificate elements, but that's premature for this phase of the standard. Instead, future-proof to allow such extensions.
• TBD: signature chains

Verification

Blockcerts verification types will be added as OBI extensions

"verification": {
    "type": "MerkleProofVerification2017",
    "creator": "https://example.org/issuer/keys/1.9.1.1"
  }

Signature

This is out of date. See updated version of signature, comment on 4/24/2017

About signature type

Signature will use the blockcerts type LinkedDataEcdsaKoblitzSignature. This is an extension to EcdsaKoblitzSignature2016 type, but adapted for OBI extension.

This type is also heavily borrowed from Proof of Publication; however, the latter is still in draft and Blockcerts requires slight variations including the ability to continue using chainpoint for the Merkle proof. Therefore, this currently (re)defines elements in the blockcerts context.

  "signature": {
    "type": ["EcdsaKoblitzSignature2016", "Extension", "LinkedDataEcdsaKoblitzSignature"],
    "created" = "2017-03-24T21:48:24Z",
    "creator" = "ecdsa-koblitz-pubkey:1LGpGhGK8whX23ZNdxrgtjKrek9rP4xWER",
    "merkleProof": {  
      // currently supported type is chainpoint, but will include others like PoP (https://web-payments.org/specs/source/pop2016/)
      ...
    },
    "signatureValue": "OGQzNGVkMzVm4NTIyZTkZDY...NmExMgoYzI43Q3ODIyOWM32NjI="
  }

Example Signatures

Signature with chainpoint

  "signature": {
    "type": ["EcdsaKoblitzSignature2016", "Extension", "LinkedDataEcdsaKoblitzSignature"],
    "created" = "2017-03-24T21:48:24Z",
    "creator" = "ecdsa-koblitz-pubkey:1LGpGhGK8whX23ZNdxrgtjKrek9rP4xWER",
    ....
    "merkleProof": {
      "type": "ChainpointSHA256v2",
      "merkleRoot": "68f3ede17fdb67ffd4a5164b5687a71f9fbb68da803b803935720f2aa38f7728",
      "targetHash": "c9ead76a54426b4ce4899bb921e48f5b55ea7592e5cee4460c86ebf4698ac3a6",
      "proof": [{
        "right": "7fef060cb17614fdfddd8c558e102fbb96433f5281e96c80f805459773e51163"
      }],
      "anchors": [{
        "sourceId": "8623beadbc7877a9e20fb7f83eda6c1a1fc350171f0714ff6c6c4054018eb54d",
        "type": "BTCOpReturn"
      }],
    }
   ...
  }

Example Signature with PoP

"signature": {  
    "type": ["EcdsaKoblitzSignature2016", "Extension", "LinkedDataEcdsaKoblitzSignature"],
    "created" = "2017-03-24T21:48:24Z",
    "creator" = "ecdsa-koblitz-pubkey:1LGpGhGK8whX23ZNdxrgtjKrek9rP4xWER",
    "merkleProof": {  
      "type": "PoP2016",
      "ledger": "bitcoin",
      "transactionId": "7ea0cef6a31c65590d6c1d61abbfa02d3006da6509a018cdbc709d0a781a7c28",
      "merkleRoot": "80ab866e989432e023b51e866545c141e00d456e59fa1e253fac3a561e1a6c14",
      "proof": [{
        "merkleParent": "f51cd07057a813f92a33a05ed58a0f26600d2205f9c590f3461f94bd8451b567",
        "merkleLeftSibling": "247911c653b43a2d13010538c7eae52e500a556448f17384d636857b2b63ae45",
        "merkleRightSibling": "93ca67aea78e996fb9e10368243110c6f037143dbeec726de0b9172766427399"
      }, {
        "merkleParent": "e6a881dd07c479eaf2afdd26ae34b441af2fede85c90b5281346846a5dc81bca",
        "merkleLeftSibling": "44c66b49e4024bf1ba370c38a3655f2094cd110caf91636f749d9e0385fb9272",
        "merkleRightSibling": "93ca67aea78e996fb9e10368243110c6f037143dbeec726de0b9172766427399"
      }]
    },
    // subsequent fields from https://web-payments.org/vocabs/security#signature
    "signatureValue": "OGQzNGVkMzVm4NTIyZTkZDY...NmExMgoYzI43Q3ODIyOWM32NjI="
  }

Clarifications and TBD

• Should the part of the certificate that's hashed and put on the blockchain announce which signature scheme will be used in the issuer verification node? This would prevent fraud in the cause of an attacker creating a fake "signature suite" that allows the signature to validate.
• The verification process could also enforce that the signature suite is one of the expected types, which would allow us to drop this.

[westurner]

• ld-signatures

  • Spec: https://w3c-dvcg.github.io/ld-signatures/
  • https://w3c-dvcg.github.io/ld-signatures/#terminology
  • signature suite
    • https://w3c-dvcg.github.io/ld-signatures/#dfn-signature-suite

    • A specified set of cryptographic primitives typically consisting of a canonicalization algorithm, a message digest algorithm, and a signature algorithm that are bundled together by cryptographers for developers for the purposes of safety and convenience.

    • https://w3c-dvcg.github.io/ld-signatures/#signature-suites

      • At a minimum, a signature suite must have the following attributes:

        • @id
          • https://w3id.org/security#LinkedDataSignature2015
        • @type: SignatureSuite
        • canonicalizationAlgorithm
          • https://w3id.org/security#URDNA2015.
        • digestAlgorithm
          • http://example.com/digests#sha512
        • signatureAlgorithm
          • http://www.w3.org/2000/09/xmldsig#rsa-sha256
  • signature set
    • https://w3c-dvcg.github.io/ld-signatures/#signature-sets

    • A signature set is useful when the same data needs to be signed by multiple entities, but where the order of signatures does not matter, such as in the case of a set of signatures on a contract. A signature set, which has no order, is represented by associating a set of signatures with the signature key in a document.

  • signature chain
    • https://w3c-dvcg.github.io/ld-signatures/#signature-chains

    • A signature chain is useful when the same data needs to be signed by multiple entities and the order of when the signatures occurred matters, such as in the case of a notary counter-signing a signature that had been created on a document. A signature chain, where order must be preserved, is represented by associating an ordered list of signatures with the signatureChain key in a document.

# EXAMPLE 4: A signature chain in a Linked Data document
{
  "@context": "https://w3id.org/identity/v1",
  "title": "Hello World!",
  "signatureChain": [{
    "type": "RsaSignature2015",
    "creator": "http://example.com/i/pat/keys/5",
    "created": "2011-09-23T20:21:34Z",
    "domain": "example.org",
    "nonce": "2bbgh3dgjg2302d-d2b3gi423d42",
    "signatureValue": "OGQzNGVkMzVm4NTIyZTkZDY...NmExMgoYzI43Q3ODIyOWM32NjI="
  }, {
    "type": "RsaSignature2015",
    "creator": "http://bank.example.com/notary/keys/7f3j",
    "created": "2011-09-23T20:24:12Z",
    "domain": "example.org",
    "nonce": "83jj4hd62j49gk38",
    "signatureValue": "yZTkZDYOGzNGVkMVm4NTIQz...M32NjINmExMDIyOWgoYzI43Q3O="
  }]
}

[edit]

# EXAMPLE 5: A complete example of a signature suite

{
  "id": "https://w3id.org/security#LinkedDataSignature2015",
  "type": "SignatureSuite",
  "canonicalizationAlgorithm": "https://w3id.org/security#URDNA2015",
  "digestAlgorithm": "http://example.com/digests#sha512",
  "signatureAlgorithm": "http://www.w3.org/2000/09/xmldsig#rsa-sha256"
}

[kimdhamilton]

updated to clarify use of EcdsaKoblitzSignature2016

[kimdhamilton]

per this pyld issue, we can use vocab to create a fallback context to flag unmapped properties

fallback_ctx = {"@vocab": "http://fallback.org/"}

[westurner]

• "RDFa Core Initial Context"
  • https://www.w3.org/2011/rdfa-context/rdfa-1.1
  • https://www.w3.org/2013/json-ld-context/rdfa11

[westurner]

• "RDF integration: schema.org/Certification and schema.org/BadgeCriteria"
  RDF integration: schema.org/Certification and schema.org/BadgeCriteria openbadges-specification#9 (comment)

.

• "schema.org/Course -> schema.org/Credential"
  • https://schema.org/Course: Course, CourseInstance, EducationEvent [Schema.org Course Extension] schemaorg/schemaorg#195
  • ctrl-f "CTI "
    • @CTITechPlanning
  • ctrl-f "Credential"
    • Course, CourseInstance, EducationEvent [Schema.org Course Extension] schemaorg/schemaorg#195 (comment)
    • Course, CourseInstance, EducationEvent [Schema.org Course Extension] schemaorg/schemaorg#195 (comment)
  • https://schema.org/Credential (uri= http://schema.org/Credential)
    • westurner/schemaorg@1f268fc

[kimdhamilton]

Thanks @westurner! I'm catching up on the references you included. I wanted to confirm one takeaway I had, which is that our terminology is sometimes lax. For example, above I use "certificate" in the informal sense instead of the more precise "Credential". I agree that I should update that, but I also wanted to see if there are other nuances I missed.

[westurner]

"Credential" as the super type:

• CTI: https://github.com/CredentialTransparencyInitiative/vocabularies/blob/master/credentialType.ttl
• Course, CourseInstance, EducationEvent [Schema.org Course Extension] schemaorg/schemaorg#195 (comment)
  • westurner/schemaorg@1f268fc
    • Credential (that could be earned)
    • CredentialInstance (issuer={Person/Organization}, issuee={P/O}, validFrom, validUntil, ...)
    • e.g. Credential > Certificate > Diploma
      e.g. Credential > AcademicDegree > BachelorDegree
      e.g. Credential > Certification
      • note that https://schema.org/Course was released today (without grantsCredential or Credential yet)
        • https://schema.org/docs/releases.html#v3.2
          • http://blog.schema.org/2017/03/schemaorg-32-release-courses-fact.html

WebID

• | Wikipedia: https://en.wikipedia.org/wiki/WebID
• | Spec: https://www.w3.org/2005/Incubator/webid/spec/
• | Spec: https://www.w3.org/2005/Incubator/webid/spec/identity/
  • https://www.w3.org/2005/Incubator/webid/spec/identity/#publishing-a-webid-profile-using-the-rdfa-html-notation
• The Cert Ontology 1.0

The Cert Ontology 1.0 :

• https://www.w3.org/ns/auth/cert#
  • https://www.w3.org/ns/auth/cert#Certificate
    • foaf:Document > cert:Certificate > {cert:X509Certificate, cert:PGPCertificate}
    • "A certificate is a Document that is signed"
  • http://lov.okfn.org/dataset/lov/vocabs/cert

[kimdhamilton]

Per decision at RWoT 2017, there will be a separate signature suite for Merkle Proofs, using the Chainpoint v2.0 proof format. Details coming soon. In blockcerts it will look like this:

"signature": {
    "type": ["MerkleProof2017", "Extension"],
    "merkleRoot": "68f3ede17fdb67ffd4a5164b5687a71f9fbb68da803b803935720f2aa38f7728",
    "targetHash": "c9ead76a54426b4ce4899bb921e48f5b55ea7592e5cee4460c86ebf4698ac3a6",
    "proof": [{
        "right": "7fef060cb17614fdfddd8c558e102fbb96433f5281e96c80f805459773e51163"
    }],
    "anchors": [{
      "sourceId": "8623beadbc7877a9e20fb7f83eda6c1a1fc350171f0714ff6c6c4054018eb54d",
      "type": "BTCOpReturn"
    }]
  }

[kimdhamilton]

v2 updates are in all branches