w3c-ccg/security-vocab

Security vocab for Sr25519 which is used in Polkadot and substrate

lovesh opened this issue · 3 comments

We want to propose supporting Sr25519 in the security context, i.e. https://w3id.org/security/v2.
We propose adding Sr25519Signature2020 and Sr25519VerificationKey2020 in the @context.

Would this be a new version like security/v3, or can the existing v2 be updated by updating @version? We would like to understand the process of getting this approved: is updating (or creating a new) context and updating the index.html sufficient?

Sr25519 is a Schnorr signature using the Ristretto compression of curve25519. It has a Rust implementation called Schnorrkel that compiles to WASM and is thus usable in JS applications (from polkadot-js). Relevant links:

  1. What is sr25519 and where did it come from?
  2. Details on Schnorrkel

OR13 commented

I suggest we create security-v3-unstable, note that it's unstable, and add this, and a lot of other stuff there. @msporny @dlongley thoughts?

Wanted to check if this is under consideration to get added?

The W3C VC2WG is getting ready to spin up soon to tackle these sorts of questions. The short answer is that, yes, we can support Sr25519 signatures in the new work... there is a big design refactor (that's backwards compatible) that's going to be performed, so your keys and signatures might end up looking like this:

```json
{
  "@context": ["https://w3id.org/security/multikey/v1"],
  "id": "did:example:123456789abcdefghi#keys-1",
  "type": "MulticodecVerificationKey",
  "controller": "did:example:123456789abcdefghi",
  "publicKeyMultibase": "zsJV1eTDACogBS8FMj5vXSa51g1...m1kweTABZZNRSc"
}
```

and your signatures might end up looking like this:

```json
{
  "@context": ["https://w3id.org/security/data-integrity/v1"],
  "type": "DataIntegritySignature",
  "cryptosuite": "eddsa-sr-2022",
  "created": "2021-11-29T20:35:38Z",
  "verificationMethod": "did:example:123456789abcdefghi#keys-1",
  "proofPurpose": "assertionMethod",
  "proofValue": "z2rb7doJxczUFBTdV5F5pehtbUXPDUgKVugZZ99jniVXCUpojJ9PqLYVevMeB1gCyJ4HqpnTyQwaoRPWaD3afEZboXCBTdV5F5pehtbUXPDUgKVugUpoj"
}
```

You can read more about the cryptosuites under consideration for the VC2WG work here:

https://w3c.github.io/vc-wg-charter/#deliverables

All that to say, you won't need to request that any new vocabulary terms are added to the security vocabulary. There will be ONE cryptosuite you'll have to register (something to the effect of eddsa-sr-2022) with the cryptosuite registry... but that's it. Hope that helps.
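
The following is an added example, not part of the thread and not W3C or VC2WG code: the structural checks a verifier can run on a proof shaped like the one above before doing any signature math. The allowlist `SUITES`, the helper names, and the 64-zero-byte `proofValue` are assumptions made for illustration; the `type` and `cryptosuite` strings are the tentative ones from the comment above.

```javascript
// Added illustration, not code from the thread: structural checks a verifier
// can run before any Sr25519 signature math. No signature is verified here.
const B58 = '123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz';

// Decode a multibase string; only the 'z' (base58btc) prefix is accepted.
function decodeMultibase(s) {
  if (typeof s !== 'string' || s[0] !== 'z') {
    throw new Error('proofValue is not base58btc multibase');
  }
  let n = 0n;
  for (const ch of s.slice(1)) {
    const d = B58.indexOf(ch);
    if (d < 0) throw new Error('proofValue has a non-base58 character');
    n = n * 58n + BigInt(d);
  }
  const bytes = [];
  for (; n > 0n; n >>= 8n) bytes.unshift(Number(n & 0xffn));
  // Each leading '1' encodes one leading zero byte.
  for (const ch of s.slice(1)) { if (ch !== '1') break; bytes.unshift(0); }
  return Uint8Array.from(bytes);
}

// Assumed allowlist: suite name -> signature length in bytes. The name is the
// tentative one from the thread; 64 bytes is the Sr25519 signature size.
const SUITES = new Map([['eddsa-sr-2022', 64]]);

function precheckProof(proof, key) {
  const errors = [];
  if (proof.type !== 'DataIntegritySignature') errors.push('unexpected proof type');
  if (!SUITES.has(proof.cryptosuite)) errors.push('cryptosuite not in allowlist');
  if (proof.verificationMethod !== key.id) errors.push('verificationMethod is not this key');
  if (!String(key.id).startsWith(key.controller + '#')) errors.push('key id not under controller');
  if (Number.isNaN(Date.parse(proof.created))) errors.push('created is not a timestamp');
  let signature = null;
  try { signature = decodeMultibase(proof.proofValue); } catch (e) { errors.push(e.message); }
  const want = SUITES.get(proof.cryptosuite);
  if (signature && want !== undefined && signature.length !== want) {
    errors.push(`signature is ${signature.length} bytes, expected ${want}`);
  }
  return { ok: errors.length === 0, errors, signature };
}

// Constructed sample: identifiers from the thread, proofValue is 64 zero bytes.
const key = { id: 'did:example:123456789abcdefghi#keys-1', controller: 'did:example:123456789abcdefghi' };
const proof = { type: 'DataIntegritySignature', cryptosuite: 'eddsa-sr-2022',
  created: '2021-11-29T20:35:38Z', verificationMethod: key.id,
  proofPurpose: 'assertionMethod', proofValue: 'z' + '1'.repeat(64) };
console.log(precheckProof(proof, key));
```

Because the generic proof `type` no longer names the algorithm, the `cryptosuite` string is what selects the verification routine, so it is matched against a fixed allowlist rather than trusted as given.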