Invalid RDF in CMTR

Question

Invalid RDF in CMTR

Closed this issue 4 years ago · 7 comments

see transmute-industries/vc.transmute.world#16

Answer 1 · 2020-05-01T18:01:22.000Z

@dlongley I would love a review of this from you if you have time.

My guess is that my JSON-LD fu is not good enough here, and I need to update my context to make the type valid RDF... its also odd that Go vs JS would handle this differently... I would hope both would fail when invalid RDF was generated...

Answer 2 · 2020-05-01T18:50:05.000Z

@OR13 there's still an open issue to add a feature to jsonld.js to throw errors when quads get dropped so that jsonld-signatures can use it:

digitalbazaar/jsonld.js#199 (comment)

For now, the only remedy is to make sure your context is proper so there is no invalid RDF. We should look into expediting the feature to catch this stuff in the near term.

Answer 3 · 2020-05-05T23:31:55.000Z

Due to this RDF (see JSON LD Playground):

    "@type": [
      "https://www.w3.org/2018/credentials#VerifiableCredential",
      "https://json-ld.org/playground/CertifiedMillTestReport"
    ]

we are unable to verify this VC in the TrustBloc verifier:
https://github.com/w3c-ccg/vc-examples/blob/master/plugfest-2020/vendors/transmute/verifiable_credentials/CertifiedMillTestReport.json

Answer 4 · 2020-05-06T13:35:37.000Z

@troyronda thanks, I will try and use your http verifier to tweak the credential format until it passes, when I can.... that credential does verify with vc-js... so we should also ideally make that library fail as well.

Answer 5 · 2020-05-06T15:49:17.000Z

@troyronda I have created this repo to debug this issue: https://github.com/transmute-industries/ngrok-vc-http-api-toolkit

I am not able to verify secure key issued credentials using the secure key current http apis...

"proof validation error : decode new credential: check embedded proof: check linked data proof: ed25519: invalid signature

You may find this useful for testing other issues, as it allows you to host and mutate the context and credential payload locally.

Answer 6 · 2020-05-11T19:10:22.000Z

@OR13 we are dropping relative (aka invalid) RDF when we issue credentials. See here for the background: hyperledger-archives/aries-framework-go#1592 (comment) (@dlongley)

When we verify the credential proof, we are not dropping these relative RDFs. This behavior causes the discrepancy: we drop the invalid RDF during issuance and issuance succeeds. During verification, we don't drop the invalid RDF and the verification fails. Otherwise, during verification, it is not obvious that some elements of the payload have not been signed.

In any case, a separate test for denying any payload elements outside of the JSON-LD context would also fail verification.

Answer 7 · 2020-10-29T19:05:44.000Z

Please move any further discussion here if needed https://github.com/w3c-ccg/vc-http-api