Should did-core restrict the use of JWK? #240
Comments
|
Noting that existing verification methods, are currently not defined in did core, at all.... w3c/did-extensions#21 So this will indeed be difficult to do :) [Edit: this is not longer the case !] |
|
I'd argue this ticket is not possible to address, and is outside of the scope of this WG... DID Method Implementers may choose to use Because how a DID Method treats publicKeyJwk is defined in the DID Method software, we cannot mandate that the software ignore / or enforce properties defined in the DID Core data model... There is no way to reflect the RFC compliant data model for a JWK in JSON-LD other than using From the charter: https://www.w3.org/2019/09/did-wg-charter.html
I consider altering the expected behavior of JWKs to be defining a specific cryptographic mechanism for expressing keys, and their relationship to signing / encryption (limiting JWK functionality defines through exclusion a novel cryptographic representation). From the in scope section:
extending JWK to work with DIDs seems fine to me (by adding them to a did document).... disabling expected functionality defined by IETF for JWKs, is not an extension, it is a restriction, one which alters what can be expressed as a JWK... this means we would be defining a new cryptographic standard for "DID Document JWKs", which are like "JWKs" but limited by the DID Core working group. Further, we had multiple calls where we agreed that JWK was a valid representation for all possible key types in the did document... Are we asserting now that we did not understand the defintion of a JWK on those calls? when we say JWK, are we sure we are talking about the RFC? or were some people imagining that JWK mean't "JWK but with some restrictions I have not yet shared with the group"... On those key representation calls, and in general... when I hear "JWK" I think we are talking about: https://tools.ietf.org/html/rfc7517 When I hear "verificationMethod" I think of this language from the did core spec:
I am unable to find definitions for:
All of the current verificationMethods rely on: For their vocabulary definitions in JSON-LD, (and since these are not defined anywhere else in did core, this is the only place i could look for definitions). https://w3id.org/security#assertionMethod ^ none of these definitions exist. How can we as a working group understand the relationship between something that is defined in an IETF RFC, and things which have 1 or 2 references in did core, and 0 definitions in a web page that was last updated in 2016. If the main objection to defining properties further, is that we cannot continue to define properties until https://w3id.org/security is updated... I completely agree, and have stated so on the did core registries. Since this working group cannot update w3id.org, we have a blocking external dependency, that no one in this WG can fix... On the last did core registries call, people objected to even discussing w3id.org and JSON-LD fixes on the call... So I'm worried we won't be able to make any progress on this issue at all. I propose the following solutions to this problem:
|
|
@msporny I suggest we add the label "security" / "critical-blocker" to this, and @burnburn @brentzundel we probably need some time on a call to discuss this issue. |
|
I agree that resolving this should be a priority and warrants a special call. |
|
@kdenhartog @msporny requested we discuss the implications of supporting the full JWK RFC: https://tools.ietf.org/html/rfc7517 Based on the comments in the PR, it seems that there are 2 positions which need to be debated:
I will update the title of the ticket for clarity. |
OR13
changed the title
kdenhartog
added
discuss
|
These are things that we should consider restricting in JWK in order to narrow the security attack surface for DID Methods that chose to use JWK. I expect that a number of these suggestions will be controversial (and thus, not all of them will stick):
That's just off of the top of my head, there may be others, but not limiting JWK at all will result in a much larger security attack surface and thus a far weaker DID Core specification. |
|
Rather than trying to rule out uses of specific algorithms and features, it would probably be more productive to define which specific algorithms are RECOMMENDED and REQUIRED. The nature of active registries is that things will be added over time. If you're saying "don't do X, Y, and Z" and then "P, D, and Q" get added, the presumption will be that use of anything added is fair game. |
I almost completely agree with you that it would be a better approach. I'll note that RSA is still Recommended/Recommended+ -- and this community might not be aligned with that viewpoint. I don't know of any DID Method that uses RSA... that said, given verification methods, it's going to be difficult to eliminate RSA due to deployed infrastructure. |
|
We need to have a special topic call on this to discuss JsonWebKey2020 and whether or not we should restrict JWKs expressed in DID Documents. |
msporny
added
needs special call
|
We can discuss this on the same special topic call as #170. |
|
Is this topic still alive? I'm currently hitting a wall where we need to use ECDH-ES / ECDH-1PU kw with JWE(encryption side using any EC key) while maintaining the normal verification methods using say There is no way in the spec that shows this verification vs encryption keys separation. I noticed KeyAgreement is being used for a similar purpose, but it only specifies I would love to see other types of key agreements where peers can use different keys for verification and encryption (other than the correlated Ed25519 to X25519 key conversion). For instance a peer may use a key of type There's currently no way to implement a new key agreement type unless I invent a new one on my own which breaks interoperability. Currently I need the following types: where ECDH-1PU is defined here and the KW process comes from NIST.800-56A (Section 5.8.2.1) Eventually, I'm looking to add the following ones once the above are integrated in our framework: I strongly believe in key separation of purpose (or aimed use), e.g: there should be no correlation/conversion between them like the case of My apologies for interjecting into this issue, but I thought since the discussion here was about JWKs, this comment seems somewhat related. I can create a new issue if it makes sense. |
|
This is the exact problem I was trying to resolve by creating JsonWebKey2020. See this comment for reference: https://github.com/w3c-ccg/lds-jws2020/issues/11#issuecomment-642308779 In sum total, I don't think the restriction around KeyAgreement or VerificationKey suites get us what we want and by deciding to use JsonWebKey2020 and setting good recommendations (e.g. MUST NOT use prohibited algs in the JOSE registries) around how JWKs should be used, we'll be setting ourselves up for a good balance between allowing things that people need for the variety of restrictions encountered while also managing to get a high degree of interoperability. |
The thread you linked is closely related to my comment @kdenhartog. I do agree with the last paragraph of your referenced comment, we're saying the same thing: to not share/correlate signing and encryption keys. I'm open to using JsonWebKey2020 for the ECDH key wrapping algorithms. The reason why I find |
|
@kdenhartog to emphasize my point about key formats for these new keys. I too want these new key agreement types to be JSON marshalled JWKs are standard, we can probably base64URL encode the marshalled value. |
|
@Baha-sk FYI, Trying to understand your last comment.... are you saying you think that a Thats not the case today @kdenhartog and I are proposing that the same be possible with Speaking for my self / my company.... I am really opposed to JSON-LD naming conventions degrading the usability of JOSE... thats why we created that suite in the first place.... to make JOSE work with DIDs... and JOSE keys are called JSON Web Keys.... not verification and key agreement keys.... we already encode purpose in the relationship, we don't need to repeat it in the key name... and if you want to... go ahead and create a new ld crypto suite.... its up the the suite author to name the verificationMethod type and proof type... I created that suite, and chose https://github.com/w3c-ccg/lds-jws2020#supported-jose-algorithms BTW... the same issue also exists for GPG suites... https://github.com/transmute-industries/lds-gpg2020 Because both GPG and JOSE have their own concept of 1 key representations for multiple key types... and its insanity to expect people familiar with these technologies to create a new ld suite for each key type.... just to give an idea of what that would look like:
... now repeat for Or....
I'd say |
I think this is the last point of contention. We went to great lengths with Linked Data Security to be very clear about what a key should be used for. While many developers that work with crypto on a regular basis don't really think about how weird the term "public key" and "private key" is... it's really weird... and really terrible. Both words are terrible because they don't map to what their real world equivalents do (the analogy breaks down in horrible ways). The PKI industry's first major sin was using the wrong analogy... digital signatures don't work like physical keys. They work more like royal seals and decoder rings. I have had multiple conversations with developers that thought that a "private key" is something you keep on your Apple Keychain, but it's totally fine to publish it to the Internet, because "I can take my private physical keys out of my pocket and jingle them at someone and that's totally fine... they can't get into my house until I give them my keys." Apple keeps my Keychain keys safe, so I can take anything from that chain and publish it and I'll still be safe (except, you won't be). There is also a misguided notion that a "public key" is used to do signatures, when it's really meant to mainly do verification of a digital signature. So, we have tried very hard to type keys that are used publicly with something that people with no knowledge of crypto can understand... like "VerificationKey"... but even that is bad, because it has nothing to do with how you use a physical key. Cryptographers have traditionally been really terrible at picking good names... d, x, dp, dq, ed25519... what is wrong with our industry!? These violate even the "name your variables with useful names" tenet that most of us follow in our code. So, this goes back to the problem with "But, I want to be able to express private keys!?" I hear some poor developer lament. The answer to that is "Great, figure out how to do that in your application"... because the second we give some misguided soul the ability to do that using a standard term, that someone will shove it into In a more ideal world, we would be using something like So, all that to say, can we please at least name |
That's not what I meant @OR13 . It is ok to have multiple relationships for keys in a DID doc, I'm saying we need to separate the encryption key from being 'converted' from the verification key as is the case today (Ed25519 -> X25519). The closest I can think of adding this separation is to have a 1:1 link between verification key and an KeyAgreement entry (representing an encryption key that's unrelated to the verification key) to state that this DID doc can be verified for verKey A and can be packed (encrypted) by keyAgreement B. Keys A and B can be totally different, say A can be Ed25519 key and B can be P-384 EC key.
I like this table, it's definitely useful. Although as we try to introduce Anoncrypt vs Authcrypt packing of messages, there was a need to enhance the key wrapping algorithms by using a sender authentication mechanism like the Unified Process Model described by NIST. This means the introduction of new algorithms defined as "ECDH-1PU+A256KW" as shown in the table of this ietf draft: https://tools.ietf.org/html/draft-madden-jose-ecdh-1pu-03#section-2 I do agree with you though, using the key type and curve name can deduct the key wrapping algorithm, but now we need to differentiate between ECDH-ES (anoncrypt) vs ECDH-1PU (authcrypt) mode.
the only available key agreement value right now is: |
To me, Verification means signature verification, this implies the key is used solely for signing/verification. |
You are thinking too narrowly about just this use case. Note that LD Security keys can be expressed /anywhere/ (note: not the same thing as /used to verify a signature/) and some of those places (like a big bucket of cryptographic keys) don't give you that contextual information. Even if that contextual information exists, it's not the case that you always have access to that information, even if a system is operating on the same graph. For example, if you only send the graph for the key into a function, you lose context, so having the type information is useful in those use cases. You can't assume that you'll always have the relationship to the key. |
As a point of clarification: you're not doing LD sec right if, when you go to verify a proof, you don't check to make sure that the controller of the key authorized it for the appropriate purpose. That aside, I think we do harm to conflate "proof purposes" with "key usage". A proof purpose (and its helper twin "verification relationship") is about encoding your intent into a proof such that a verifier can ensure the proof isn't accepted for an inappropriate purpose. This is not the same thing as expressing the type of cryptographic operation or protocol that a key should be used for -- which is what "key usage" is about. This "key usage" information is what is encoded in the key type with LD keys. |
|
I think we have agreement that the LD Cryptosuite will do the restriction, not the DID Core spec.... does anyone object to that? |
|
on the special topic call, we agree to add language regarding not putting private key stuff in a did document, but we have also agreed that the type of |
|
leave this open until language is added. |
msporny
removed
the
needs special call
|
So I think this still needs to be discussed on a special topic call. I'm still very much confused regarding the overlap of LD signature WG and our WG and who is on point to do what. We have painted ourselves into a corner with the necessity to support JWS and yet their is conflicting solutions on how to represent this in other formats such as CBOR/COSE. as @OR13 pointed out above we agreed that the type of |
Wouldn't a |
|
I suppose we need to create an INFRA structure that can be used to support the concept of JWK in order to close this issue. |
This would also make the DID Core vocabulary specification more complete. At this point, that part is really missing. |
No, we do not need to do this. The data model already supports anything you would want to express in JSON (modulo numbers, which we now have a resolution to fix). Just because we can lots new datatypes doesn't mean we should -- that's the path to madness. -1 to a JWK data type in the abstract data model; it's unnnecessary... the JWK structure can be expressed via an INFRA map and basic strings. We already support this in the spec today. Anyone arguing for a new datatype needs to put forward a concrete use case that they want to accomplish that is impossible to accomplish given what we have today. |
|
I don't understand. @jricher @talltree @peacekeeper If we don't provide an example of every did core property in the abstract data model, how will people convert? If we don't need a JWK data type in the ADM.... why do we need any other data types (aside from number). Do we need a data type for "cryptographic key" that can be converted to |
|
I did not read the comment of @OR13 as a new data type. At least in my interpretation what is missing is a clear map with the JWK terms that we allow for the purpose of DID Documents. That seems to be missing right now. |
|
We seem to have consensus to do the following:
We need PRs for both items above. |
|
editors to define |
|
Still waiting on #240 (comment) Proposed text: |
OR13
added
pr exists
|
PR #490 addresses this and has been merged. Closing. |
There was some debate on the did core registries about whether JWK is safe to allow in did documents, without this spec making some restrictions:
This thread has some similar arguments:
https://github.com/transmute-industries/lds-jws2020/issues/4
Probably a special call is needed to address this....
The text was updated successfully, but these errors were encountered: