[GNAP] FW: [secdir] W3C VC/DID WG Security Review Coordination Request

Yaron Sheffer <yaronf.ietf@gmail.com> Sun, 18 July 2021 12:24 UTC

Date: Sun, 18 Jul 2021 15:24:21 +0300
From: Yaron Sheffer <yaronf.ietf@gmail.com>
To: GNAP Mailing List <txauth@ietf.org>
Message-ID: <6E114EAE-0441-4CA0-9F3C-9B689A4A13E7@gmail.com>
Thread-Topic: [secdir] W3C VC/DID WG Security Review Coordination Request
References: <f8ce3e90-221d-6ce1-dd1d-3848e646419e@digitalbazaar.com>
In-Reply-To: <f8ce3e90-221d-6ce1-dd1d-3848e646419e@digitalbazaar.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/AhCmNKQfvFZDcSjaInD266e4Fno>

This may be of interest to people on this list.

On 7/18/21, 00:09, "secdir on behalf of Manu Sporny" <secdir-bounces@ietf.org on behalf of msporny@digitalbazaar.com> wrote:

    Benjamin, Roman, and the IETF Security Area Directorate,

    I am writing on behalf of the Chairs, Staff, and Members of multiple current
    chartered W3C Working Groups related to Verifiable Credentials[1] (VCs) and
    Decentralized Identifiers[2] (DIDs). The outcome of this message also could
    affect future W3C Working Groups currently in the pre-chartering process
    related to RDF Dataset Canonicalization and Hashing, and Linked Data Integrity[3].

    TL;DR: There are two requests in this message. The first is from the DID WG,
    for a best-effort security review of the Decentralized Identifier Core
    specification[4] by an appropriate IETF group. The second is from the current
    VC and DID WGs, on behalf of themselves and the above-mentioned pre-charter
    WGs, to set up regular and recurring security reviews of specific W3C
    specifications that will be developed over the next several years, in a
    capacity that is more coupled than a traditional W3C-IETF liaison relationship.

    Both requests are further detailed in the rest of this message.

    Review of DID Core Specification

    Mark Nottingham, Co-Chair of the HTTP WG, recently inquired about the security
    and privacy reviews that were performed on DID Core. The W3C DID WG has
    performed multiple security and privacy reviews on the specification[6], per
    the W3C process. In addition to those reviews, we are hoping that the IETF
    secdir or CFRG will guide us toward receiving additional security reviews on
    the specification. What would be the best path to getting an initial
    best-effort security review of the DID Core specification, and subsequent
    security reviews every six months or so on iterations of that specification?

    I will note two important considerations. The first is that the initial DID WG
    charter expires in September 2021, the specification comes out of the 2nd W3C
    Candidate Recommendation phase in mid-July 2021, and according to W3C Process,
    the DID WG has enough implementation experience (32 implementations for many
    features) to move on to the W3C Proposed Recommendation phase. The second
    consideration is that the DID WG has only defined a data model and has not
    defined any cryptographic algorithms or protocols in this iteration of the
    specification. That said, the specification is expected to be used with
    cryptographic systems, and furthermore, protocol work might be included in the
    work of a re-chartered (future) group. Thus, we desire more eyes on the
    specification, especially from IETF Security Area Directorate and IRTF CFRG.

    Benjamin and Roman, what mechanism would be most effective for achieving a
    timely, best-effort review of the W3C Decentralized Identifiers specification?

    Targeted Engagement with Future DID and VC-related work at W3C

    Since the Recommendation of the W3C Verifiable Credentials specification[7],
    and the expected Recommendation of the W3C Decentralized Identifiers
    specification[4], there has been increased movement in government and the
    private sector towards issuing credentials for a variety of use cases in a
    production capacity. As a result, it is highly likely that both the W3C
    Verifiable Credentials WG and the W3C Decentralized Identifiers WG will be
    re-chartered to maintain and/or advance the work.

    In addition, new cryptographic packaging formats and protocols[3][8] based on
    active IETF work[9][10] and/or RFCs are expected to be advanced in parallel.
    The chartered W3C Working Groups are requesting a more direct liaison
    relationship that goes beyond periodic reviews of the specifications under
    development by these groups. Ideally, participants in the IETF Security Area
    would be active members of these W3C Working Groups with an additional liaison
    relationship to groups like the IRTF CFRG. There is a strong expectation that
    newly chartered groups that are related to the technologies mentioned
    throughout this email will request the same type of relationship.

    Benjamin and Roman, what mechanism would be most effective for setting up this
    more formal and active relationship between the IETF Security Area and the W3C
    Working Groups mentioned above?


    Thank you for your time in considering the questions that we have put forward
    in this message. We know that this is only the beginning of the discussion, so
    don't expect definitive answers in initial responses, but hope for some
    concrete guidance on next steps.

    On behalf of the Editors, Chairs, and Staff contacts for W3C Verifiable
    Credentials WG and the W3C Decentralized Identifiers WG,

    -- manu


    Manu Sporny - https://www.linkedin.com/in/manusporny/
    Founder/CEO - Digital Bazaar, Inc.
    News: Digital Bazaar Announces New Case Studies (2021)
