Comments (6)
Note that if we make a change on this, similar changes ought to be done in the DI spec.
Yep, just found the issue on a version of openssl that modern Macs ship... turns out that a number of openssl options aren't universally supported for anything other than sha2-256.
Agree that anything more than sha2-256 is unnecessary. No other production system at the moment, including ones approved for high security governmental use, requires more than sha2-256.
Let's just remove the sha3 hashes. The file is version controlled, is date-stamped, will be static at W3C, and it will have a sha2-256 hash. That is more than enough security around the vocabulary and context files.
The issue was discussed in a meeting on 2024-03-13
- no resolutions were taken
4.6. Do we need sha3-512 in the vocabulary tables? (issue vc-data-model#1455)
See github issue vc-data-model#1455.
Manu Sporny: add crypto hashes to files referred to. Disagreement on whether SHA-256 is enough, then folks wanted SHA-384 then why not 512.
… then why not a CLI that everyone has, then OpenSSL, but different on different platforms.
… NIST guidelines, PQ in year 2035, SHA-256 good until 2035.
Steve McCown: FYI, Apple is launching PQ for iMessages in the near term: https://security.apple.com/blog/imessage-pq3/.
Manu Sporny: so we have confirmation from NIST, so we should back off multiple hashes.
… should change all hashes across the board for SHA2-256.
Ivan Herman: OpenSSL on Mac doesn't have SHA-3. It is possible to install an alternative that has sha3, but a bit tricky... Not everyone will do that...
Dave Longley: i.e., no wide, default support for sha3.
Ivan Herman: happy to write a PR if group agrees. Only when PR 1454 is merged. Don't want merge conflicts.
… will write PR for DI spec to have everything aligned.
Joe Andrieu: disagree, we shouldn't get rid of extensibility.
Manu Sporny: to be clear a maintenance group can publish at any time. If SHA-256 is broken, many things would need to be rev'd.
… many things more important than hashes of vocabulary files. This is different from the cryptography used in ECDSA, EDDSA, etc...
… This is for vocabulary files.
Michael Jones: If SHA-256 is broken, then every piece of software that uses crypto will be broken.
Manu Sporny: Completely agree with Mike Jones... "It'll be a frikkin' big deal" <-- YES! :).
Dave Longley: +1 to Mike.
Brent Zundel: closing meeting for today, not meeting next week. Thanks.
PR #1459 has been raised. If that is accepted and merged, this issue can be closed.
Dotting an I, PR #1459 has been merged, closing this.
The issue was discussed in a meeting on 2024-03-27
- no resolutions were taken
3.3. Do we need sha3-512 in the vocabulary tables? (issue vc-data-model#1455)
See github issue vc-data-model#1455.
Brent Zundel: this issue can be closed.