w3c / vc-di-ecdsa

Data Integrity specification for ECDSA using NIST-compliant curves
https://w3c.github.io/vc-di-ecdsa/

Add normative guidance that Deterministic signatures SHOULD be used #28

Closed msporny closed 10 months ago

msporny commented 10 months ago

From the PING's review (https://github.com/w3cping/privacy-request/issues/120):

Is there value in allowing non-deterministic signatures or should this spec just require the usage of RFC6979 as noted in section 4.2 of the security considerations section, but this seems like an opportunity for the spec to eliminate behavior that has been implemented incorrectly quite a few times and led to private key reveal issues.

... and follow up from PING:

We reviewed these points today during the PING call and there appeared to be consensus agreement to address these points with the exception that the non-deterministic signatures can be left as SHOULD.

/cc @kdenhartog

msporny commented 10 months ago

PR #34 has been raised to address this issue. This issue will be closed once PR #34 is merged.

msporny commented 10 months ago

PR #34 has been merged, closing.