Protecting integrity of @context
#956
Comments
It's debatable if it does or not. :) Ideally, yes, everything would be content protected all the way down to the human readable text... but we're just not there yet (from an infrastructure standpoint). The security vocabulary has been brought under the purview of the VCWG: https://github.com/w3c/vc-data-integrity/tree/main/vocab/security So, the sorts of attacks we're talking about are attacks against humans or semantic reasoners. At present, no one is using semantic inference on these documents, and if they do, I'd expect them to keep a static copy of all machine-readable vocabulary documents. That leaves the attack on the human-readable text, in this case, it's probably unlikely that someone could trick a human into mis-implementing something based on what we've written in the vocabulary (because there are test suites that text for implementation correctness/conformance). The important thing is that everyone is using the same URLs for the terms, and in order to ensure that, all we need to do is embed the context in the spec and provide a SHA-256 digest for it. Does that help? |
No, I don't think so. But if you think so, you should draw out a concrete scenario where it's a significant issue so that it could be discussed and mitigations could be considered if it seems worthwhile to do so. There's only so much that cryptographic primitives can provide; a false sense of security might be thinking that you are totally safe if the natural language content behind a link was protected. That content can still be misinterpreted. It's an unavoidable problem. So, there's a spectrum of protection here. Additional protections usually come at some cost and comparisons between an infeasible, perfect system and a feasible, imperfect system need to be understood as such. |
Fair enough, but I think it would be preferable to defend against "creating a false sense of security" by addressing this point explicitly in Section B.1. As it stands, the section provides no hint that it doesn't fully address the issue, or what would be required in future to do so.
They'd still need to be confident that they have the correct static copy, just as for the Base context, right? Section B1 explicitly addresses this for the Base context, but is silent on the remaining documents.
I don't follow why ensuring everyone has the same URLs is "the important thing", without any guarantee that everyone will have the same content from those URLs. I do see references to hash links in the Implementation Guide, so can see that you've thought about how this issue could be addressed, but this is not used in the URLs included in the Base context.
Yes, somewhat, thanks. For context, I have been observing the various arguments: from @SmithSamuelM (e.g., here) that it's critical to ensure the integrity of content is protected (with which I agree) and that therefore JSON-LD is a non-starter (I don't yet agree); and from you (@msporny) that it's fine, people who don't want the extensibility of JSON-LD and don't want to do (formal) JSON-LD processing can be satisfied by only including the required base context, and this does not require (formal) JSON-LD processing. In trying to form an opinion about these seemingly competing positions, I made the observation that caused me to create this issue. |
@dlongley I agree regarding spectrum and especially "need to be understood as such". My "false sense of security" question asks whether the current spec is clear enough in this regard. See above response to @msporny, in which I say I think not yet. Thanks. |
brentzundel
added
discuss
ready for PR
|
Hey @mark-moir could you please provide some text that we could put in the specification that would address your concern? Having concrete text at this point would be helpful. |
|
Hi @msporny. The following would address my immediate "false sense of security" concern:
What do you think? |
@mark-moir thank you, that's an excellent start that we can word smith into something that will find its way into the spec. Do you want to raise the PR, or do you want me to raise it (with a few edits here and there)? I'll note that Oracle is not a member of the WG, so you might need to get your W3C AC Rep to add you before you submit the PR (to make the IPR release). If not, I've got a decent idea of what you're looking for now and can take a shot at some text, though I'd rather just start w/ yours as long as we have an appropriate IPR release in place. Oracle is a W3C member, so it shouldn't be difficult for you to join the group. Let me know how you'd like to proceed. |
|
Thanks @msporny. As you note, there would be some administrative overhead required for me to do a PR, and even then, according to my understanding, I would need to add an Oracle copyright notice, which I can't imagine is desirable for this small change. I'm happy for you to start with my input, edit as you see fit (or not), and include it in a PR. |
This wouldn't be needed, it (more or less) happens automatically when you join the group representing Oracle. That said, I hear you, I'll assign it to myself and do my best to represent your suggestion above. |
|
The issue was discussed in a meeting on 2022-09-15
View the transcript5.2. Protecting integrity of
|
|
@mark-moir, PR #1051 has been raised to address your concern. I had to modify your text to try to align it with the rest of the spec. Please let me know if this text works for you. |
msporny
added
pr exists
and removed
ready for PR
|
Hi @msporny, thanks! Here are some comments on #1051. Regarding:
Regarding:
|
|
Great, thanks for the feedback @mark-moir! In the future, please leave the feedback in the PR (ideally as change suggestions), as trying to coordinate all of the input into the section from various issues, the PR, and email (yes, someone emailed me directly about this PR) delays the time it takes to process the PR. In any case, grateful to you that you took a look.
Fixed in 4659e91.
Searched for a word that would be better, but failed to come up with one. I don't think "knowing" is misleading, in any case, it is "knowledge that is known." :)
Fixed in 4659e91 (by removing "locally cached" and focusing solely on the cryptographic hash).
Fixed in 4659e91 (by removing "verify" and just clearly stating that readers should go and look at that section for more information).
Fixed in aa4d74c |
|
PR #1051 has been merged, closing. |
Section 8.2 (Content Integrity Protection) highlights the dangers of depending on remote content that is not content-integrity protected, and suggests that developers use schemes such as Cryptographic Hyperlinks or IPFS to protect them.
Section B1 (Base Context) includes the content of (required) https://www.w3.org/2018/credentials/v1 and provides its SHA-256 digest. However, this content itself includes links that are not content-integrity protected (e.g., https://w3id.org/security#).
Doesn't Section B1 therefore create a false sense of security?
The text was updated successfully, but these errors were encountered: