Comments (2)
Wind4Greg
commented on July 30, 2024
1
Update:
I was able to get a hold of one of the papers authors via a GitHub issue: MystenLabs/ed25519-unsafe-libs#22. They are fine with us quoting definitions and test vectors. They have also written some work on dangers of some Ed25519 APIs which might also be good to mention in the security considerations section.
Proposal for security considerations section:
- Explain EdDSA Ed25519 provable security properties.
- Explain additional validation tests to ensure highest security
- Possibly add Ed25519 API cautions
- Add an appendix with test vectors for EdDSA Ed25519 signatures from https://github.com/novifinancial/ed25519-speccheck to allow developers to quickly assess a Ed25519 library. Note: that this is a single JSON file that is relatively small (just 12 test vectors).
Comments?
from vc-di-eddsa.
msporny
commented on July 30, 2024
Might we want to capture those in this specification as an appendix?
Yes, we want to capture the concepts in the security considerations section.
Additionally, we will want to add these to the test suite that's in process for vc-di-eddsa.
Opinions on how much guidance we should supply on this issue?
We should speak to each of the items you outline above in the security considerations section IF RFC8032 doesn't already cover them.
Explain EdDSA Ed25519 provable security properties.
Yes, just a paragraph would do with pointers to the papers or RFCs that further elaborate.
Explain additional validation tests to ensure highest security
Yes, high-level overview with references to the papers that discuss them in more depth.
Possibly add Ed25519 API cautions
+1, but not sure which "cautions" you're suggesting. Feel free to go forward with a PR and we can further refine there. Ideally, don't put more than 2-3 paragraphs per PR (as doing more than that can cause the PR to get logjammed).
Add an appendix with test vectors for EdDSA Ed25519 signatures from https://github.com/novifinancial/ed25519-speccheck to allow developers to quickly assess a Ed25519 library. Note: that this is a single JSON file that is relatively small (just 12 test vectors).
I'm a bit on the fence about this one. I think we should definitely put these tests in the test suite and make it mandatory that you pass all of these tests. Whether or not we also put that in the spec is a bit up in the air. I expect that we could safely also put it in the specification. What we might also want to do, which is where the controversy might come in, is add the tests as normative requirements for verification in the specification to ensure that people are aligned with all of the above.
Let's jut get the guidance in the specification in a non-normative capacity for now and then ratchet the requirements up to normative requirements in a separate PR.
from vc-di-eddsa.
Related Issues (20)
- Context (JSON-LD) for Examples and Test Vectors
- Algorithm diff's vs. full listings HOT 7
- Add definition for secretKeyMultibase serialization HOT 1
- Point Privacy and Security Considerations section back to Data Integrity HOT 2
- Remove references to MULTIBASE and MULTICODEC HOT 2
- Test vector issue in B.1 Representation: eddsa-rdfc-2022 HOT 1
- Fix byte length of `publickKeyMultibase` to 34 HOT 1
- Proof serialization signature doesn't match what vc-data-integrity expects HOT 1
- Add language clarifying that context injection must happen before canonicalisation HOT 1
- Ensure `created` proof option is optional HOT 3
- Ensure additional custom proof options provided via `proof` are included in the proof configuration HOT 2
- Some examples have the wrong / old context version HOT 2
- Wrong naming for the RDF Canonicalization spec? HOT 1
- eddsa-jcs-2022 and nested documents HOT 2
- Unify Error Handling HOT 7
- eddsa-rdfc-2022 Transformation passes wrong type to "Deserialize JSON-LD"
- Typo in appendix A: `eddsa-rdfc-2022` is wrongly named `edssa-2022` HOT 2
- Is the hashing formulation inconsistent? HOT 3
- Proof configuration and previousProof (maybe editorial) HOT 4
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from vc-di-eddsa.