1EdTech / cert-schema

The schema for Blockcerts
MIT License

Improve OBI signing step #9

Closed kimdhamilton closed 7 years ago

kimdhamilton commented 8 years ago

Improvements to the OBI signing step

Following are some improvements we should make to the OBI signing step, which currently is not actually OBI compliant.

Sign the entire assertion section

For OBI compliance we should sign the entire assertion. Currently we sign only the UID field. I believe the original rationale was the inability to rely on order in JSON.

The common technique for handling this is sorting the keys in the JSON object. However, to ensure consistency of results across platforms/libraries, we should specify the collation method.

For our purposes, a natural sort should suffice -- this is also the default behavior we get from the Python library json.dumps(sort_keys=True). Note that natural sort is commonly available across platforms/libraries. (However, we should call this out in the docs since the above python library call glosses over it).

Further, we should perform and provide guidance around stripping whitespace, normalizing or removing new-lines to avoid any platform-specific differences.

Use JWS (JOSE) header

Currently after signing the UID field, we add the result in the certificate field 'signature'. Instead, we should add this as a header, per JWS and OBI standards.

This library shows a JWS header with secp256k1 signing. I think we can modify our format to something like this and it will work nicely with the OBI standard:

https://github.com/GitGuild/bitjws/blob/bcf943e0c60985da11fb7895a416525e63728c35/README.md

Use the OBI verify type of 'signed' instead of our custom 'secp256k(1)'

Because the signing algorithm is specified in the JWS header, I believe this change plus the previous 2 changes would make our certificate signature consistent with OBI standards.

Remove 'signer' URL field from schema

This information is a subset of what's available in the Issuer Identity endpoint. It's not part of OBI, and we should remove this when reworking OBI signing.
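The canonicalization the post proposes (sorted keys, whitespace stripped, newlines normalized, then the whole assertion signed rather than only the UID), as an added example that is not cert-schema's own code. It uses HMAC-SHA256 as a stand-in for the secp256k1 signature so it runs without an ECDSA library, and the assertion values and key are constructed for the demo.

```python
import hashlib
import hmac
import json
from typing import Any


def normalize_strings(value: Any) -> Any:
    """Recursively normalize string values: CRLF/CR -> LF, strip surrounding whitespace."""
    if isinstance(value, str):
        return value.replace("\r\n", "\n").replace("\r", "\n").strip()
    if isinstance(value, dict):
        return {k: normalize_strings(v) for k, v in value.items()}
    if isinstance(value, list):
        return [normalize_strings(v) for v in value]
    return value


def canonical_bytes(assertion: dict) -> bytes:
    """Deterministic serialization: natural key sort (nested too), no insignificant
    whitespace, ASCII-escaped output, UTF-8 encoding. This is the byte string that
    gets signed, so every verifier must produce exactly the same bytes."""
    return json.dumps(normalize_strings(assertion), sort_keys=True,
                      separators=(",", ":"), ensure_ascii=True).encode("utf-8")


def assertion_digest(assertion: dict) -> str:
    return hashlib.sha256(canonical_bytes(assertion)).hexdigest()


def sign_assertion(assertion: dict, key: bytes) -> str:
    # Assumption: HMAC stands in for the secp256k1 signature over the canonical bytes.
    return hmac.new(key, canonical_bytes(assertion), hashlib.sha256).hexdigest()


def verify_assertion(assertion: dict, key: bytes, signature: str) -> bool:
    return hmac.compare_digest(sign_assertion(assertion, key), signature)


def sign_uid_only(assertion: dict, key: bytes) -> str:
    # The current (pre-fix) approach: only the UID is covered by the signature.
    return hmac.new(key, assertion["uid"].encode("utf-8"), hashlib.sha256).hexdigest()


# Constructed sample: the same assertion with different key order and line endings.
ASSERTION_A = {"uid": "abc-123", "recipient": {"identity": "alice@example.org"},
               "evidence": "Completed course\r\n"}
ASSERTION_B = {"evidence": "Completed course\n",
               "recipient": {"identity": "alice@example.org"}, "uid": "abc-123"}
```

With only the UID signed, changing the recipient leaves the signature valid; over the canonical bytes the change is detected.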

1l2p commented 8 years ago

Yes! You're right - we only signed part of the assertion, because of sorting concerns. Your proposal sounds like a great solution and improvement.

kimdhamilton commented 7 years ago

This is being replaced by #25.