Comments (9)
I'll dig into this @dlongley and come up with a PR. I'll also check on the test vector generation @filip26 to conform to the PR.
Cheers Greg
from vc-di-ecdsa.
Hi all (@filip26 and @dlongley), had a conversation with the author of the most popular JavaScript CBOR library, cbor. He has a new library, cbor2, which doesn't tag Uint8Arrays by default. Our discussion can be found here: node-cbor issue 191.
He thought it would be reasonable to turn off tagging as part of our specification; he also had some other items he might recommend, but they don't seem to apply to our use case (we're either byte strings or arrays of text).
So do we want a MUST turn off tagging, or a SHOULD turn off tagging? Or something less rigid? Let me know what folks think and I can come up with some text and regenerate the test vectors in the same PR.
from vc-di-ecdsa.
In the Example 60 - Signed Base Document, `Tag(64)` is added to byte arrays.
from vc-di-ecdsa.
Hi folks, had to dig into CBOR a bit to start to sort this out. First, in CBOR, types are different from tags. See CBOR Major Types; for our byte arrays for signatures, keys, etc., major type 2 encoding is being used in all cases, including the current test vectors.
Where we are seeing a difference between CBOR libraries is in the Tagging of items. "In CBOR, a data item can be enclosed by a tag to give it some additional semantics, as uniquely identified by a tag number."
Decoders do not need to understand tags of every tag number, and tags may be of little value in applications where the implementation creating a particular CBOR data item and the implementation decoding that stream know the semantic meaning of each item in the data flow. The primary purpose of tags in this specification is to define common data types such as dates. A secondary purpose is to provide conversion hints when it is foreseen that the CBOR data item needs to be translated into a different format, requiring hints about the content of items. Understanding the semantics of tags is optional for a decoder; it can simply present both the tag number and the tag content to the application, without interpreting the additional semantics of the tag.
I did a quick survey of the most popular JavaScript CBOR libraries (ordered from most popular):
- cbor -- this library automatically tags Uint8Arrays, raised an issue and working with the authors to see about making this optional;
- cborg -- this library doesn't seem to tag Uint8Arrays by default;
- cbor-x -- this library has an option (though a bit tricky to figure out how to use it) to turn off tagging of Uint8Arrays (it is on by default).
Controlling tagging requires more work by the implementer and may not be supported by all libraries in all languages. Are we trying for a deterministic encoding as discussed in RFC8949: Deterministically Encoded CBOR or do we just want to advise them that alternative valid encodings can be produced?
from vc-di-ecdsa.
I can confirm tags are not an issue to verify a signature. I've found that the example uses `tag(64)` when I was implementing it in Java, and was curious why my signature does not match the example with the same input vectors.
FYI: it's not hard to add a tag in Java, but I would rather recommend not using tags at all.
SDProofValue.java - tags added only to verify the implementation generates the same result as in the example.
from vc-di-ecdsa.
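The difference discussed in the two comments above (major type 2 byte strings versus byte strings wrapped in tag 64, and output that does not match the test vector byte for byte) can be reproduced with a minimal encoder. This is an added example, not code from the thread or from any of the libraries named; the function names, the `tagUint8Arrays` option and the sample data are assumptions made for illustration.

```javascript
// Added example: minimal CBOR for byte strings, text strings and arrays only.
const TAG_UINT8_ARRAY = 64; // tag number registered for uint8 typed arrays (RFC 8746)

// CBOR head: 3-bit major type plus an unsigned argument (length or tag number).
function head(major, n) {
  const m = major << 5;
  if (n < 24) return [m | n];
  if (n < 0x100) return [m | 24, n];
  if (n < 0x10000) return [m | 25, n >> 8, n & 0xff];
  throw new RangeError('argument too large for this sketch');
}

function encode(value, opts = {}) {
  if (value instanceof Uint8Array) {
    const body = [...head(2, value.length), ...value]; // major type 2: byte string
    // Tagging wraps the same byte string in major type 6; it does not replace it.
    return opts.tagUint8Arrays ? [...head(6, TAG_UINT8_ARRAY), ...body] : body;
  }
  if (typeof value === 'string') {
    const utf8 = new TextEncoder().encode(value);
    return [...head(3, utf8.length), ...utf8]; // major type 3: text string
  }
  if (Array.isArray(value)) // major type 4: array
    return [...head(4, value.length), ...value.flatMap(v => encode(v, opts))];
  throw new TypeError('unsupported type');
}

// Decoder that discards tag numbers and returns only the tag content.
function decode(bytes, pos = 0) {
  const major = bytes[pos] >> 5, info = bytes[pos] & 0x1f;
  let n = info, p = pos + 1;
  if (info === 24) { n = bytes[p]; p += 1; }
  else if (info === 25) { n = (bytes[p] << 8) | bytes[p + 1]; p += 2; }
  else if (info > 25) throw new RangeError('unsupported argument size');
  if (major === 6) return decode(bytes, p); // skip the tag, decode what it encloses
  if (major === 2) return { value: bytes.slice(p, p + n), end: p + n };
  if (major === 3)
    return { value: new TextDecoder().decode(Uint8Array.from(bytes.slice(p, p + n))), end: p + n };
  if (major !== 4) throw new TypeError('unsupported major type');
  const items = [];
  for (let i = 0; i < n; i++) { const r = decode(bytes, p); items.push(r.value); p = r.end; }
  return { value: items, end: p };
}

const toHex = a => a.map(b => b.toString(16).padStart(2, '0')).join('');
// Constructed sample: one byte string plus an array of text, not a real proof value.
const sample = [new Uint8Array([0xde, 0xad, 0xbe, 0xef]), ['/issuer', '/validFrom']];
console.log(toHex(encode(sample)));                           // 82 44 deadbeef ...
console.log(toHex(encode(sample, { tagUint8Arrays: true }))); // 82 d840 44 deadbeef ...
```

The two encodings differ only by the `d8 40` tag head in front of the byte string, which is enough to break a byte-for-byte comparison against a test vector even though a tag-ignoring decoder yields the same content from both.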
+1 to not using tags at all, it's extra complexity we don't need. It's probably just JavaScript implementations that have some issue with this. Every other language is likely not to bump into this at all and using tags will probably create an interop problem for all of them (a larger set). The JS implementations (1-2 libs?) that have trouble should be fixed (or not used in implementations, e.g., just use cborg, which does not have the problem).
from vc-di-ecdsa.
Hmm, @filip26 I didn't see your name come up when adding reviewers to the above PR. Can you take a look? Cheers Greg
from vc-di-ecdsa.
@Wind4Greg thank you, but I'm not a member of the group, my review is not "substantive" ;)
from vc-di-ecdsa.
PR #59 has been merged to address this issue; closing.
from vc-di-ecdsa.
Related Issues (20)
- Was this really created in 2019? HOT 2
- Remove `proofValue` MUST be a detached ECDSA normative statement HOT 6
- Confirming `EcdsaSecp256r1VerificationKey2019` -> `Multikey` transition HOT 13
- Clarifying `publicKeyMultibase` encoding: `did:key` style with multicodec code, or not? HOT 3
- Add normative guidance that Deterministic signatures SHOULD be used HOT 2
- Point Privacy and Security Considerations section back to Data Integrity HOT 2
- Excelsior Pass divergence HOT 3
- Ensure to pass SHA-384 param and fetch verification method early to get key size HOT 2
- Add definition for secretKeyMultibase serialization HOT 1
- Remove references to MULTIBASE and MULTICODEC HOT 3
- Initial Review, Suggestions, Test Vectors... HOT 2
- Ensure `created` proof option is optional HOT 5
- Ensure additional custom proof options provided via `proof` are included in the proof configuration HOT 3
- "Section 4: Retrieving Cryptographic Material" => "Section 4: Retrieve Verification Method" HOT 1
- Update contexts in examples HOT 3
- Update DataIntegrityProof proofValue admissible encodings HOT 1
- Recommended HMAC key length for ecdsa-sd-2023? HOT 4
- Unify Error Handling Language HOT 2
- ECDSA Signature and Curve Definition/Terminology HOT 1