Review on 2023-01-26 by Greg Bernstein, Test Vector Suggestions

[Wind4Greg]

Review

• Reference to Multiformats is out of date. New reference: https://datatracker.ietf.org/doc/html/draft-multiformats-multibase-06
• On example 1 "An Ed25519 public key encoded as a Multikey", Should this example use the context field as shown in section 2.3.1.2 of Data Integrity specification? i.e., add @context": ["https://w3id.org/security/multikey/v1"],?
• In example 2 "An Ed25519 public key encoded as a Multikey in a controller document" do we also need to add the additional item "https://w3id.org/security/multikey/v1" to the @context array?
• Section 2.2.1 DataIntegrityProof. It says: "The proofValue property of the proof MUST be a detached EdDSA produced according to [RFC8032], encoded according to [MULTIBASE] using the base58-btc base encoding." Doesn't this need to be produced according to the "Algorithms" section (which includes RFC8032 as part of the procedure.) editorial would revise to: The proofValue property of the proof MUST be a detached EdDSA produced according to section 3 Algorithms"
• Question for clarification. Are DataIntegrityProof and Ed25519Signature2020 two containers for the same information the former being more general? Is one to be preferred? Should something be said about this in the text?
• Section 3.2 Hashing. Step 3 "Let hashData be the result of concatenating transformedDocumentHash and proofConfigHash." Using VC generated by the CHAPI Playground or Verifiable Credentials JS Library I verified sample credentials Example: Verifying Verifiable Credentials with the order of these to hashes reverse, i.e., in Python test_combined_hash = proof_hash + doc_hash. Am I misinterpreting the text or is this an error.
• The current test vectors don't seem to verify and could use more elaboration. It would be nice to illustrate all the steps: private and public keys, raw document, options, canonized versions of both, hashes of both, raw signature, encoded signature.
• I've furnished an example set of test vectors below in with proof type "Ed25519Signature2020".
• Test vectors: do we want two different example chains? One corresponding to DataIntegrityProof and one to Ed25519Signature2020, i.e., to produce something like examples 5 and 6 as output.

Test Vector Suggestion

Key Information

Console logged the keypair info from the VC ReSpec plugin...

{
    publicKeyMultibase: "z6MkrJVnaZkeFzdQyMZu1cgjg7k1pZZ6pvBQ7XJPt4swbTQ2", 
    privateKeyMultibase: "zrv4fUrY27wFmySt7kSQ1yUqsobTkN8uPvAH1WB4sCJ4d7Q4yDpJNN3AVxQZybuM2txbXbWYCRDKZxenLmGz32Tp5bt" 
}

Notes: The private key above is actually two keys. We only want the first 32 bytes. Can show these in Multibase or hex format.

Credential with Proof

{
  "@context": [
    "https://www.w3.org/2018/credentials/v1",
    "https://www.w3.org/2018/credentials/examples/v1",
    "https://w3id.org/security/suites/ed25519-2020/v1"
  ],
  "id": "http://example.edu/credentials/3732",
  "type": [
    "VerifiableCredential",
    "UniversityDegreeCredential"
  ],
  "issuer": "https://example.edu/issuers/565049",
  "issuanceDate": "2010-01-01T00:00:00Z",
  "credentialSubject": {
    "id": "did:example:ebfeb1f712ebc6f1c276e12ec21",
    "degree": {
      "type": "BachelorDegree",
      "name": "Bachelor of Science and Arts"
    }
  },
  "proof": {
    "type": "Ed25519Signature2020",
    "created": "2022-12-07T21:31:08Z",
    "verificationMethod": "https://example.edu/issuers/565049#key-1",
    "proofPurpose": "assertionMethod",
    "proofValue": "z2RczMj342tVhAjgjEPV4TeHbi2ggnTRKTc5BFQCgaWJ3nhcg5HgCeC2eV4Lc1fYdhfoLyPjxoq4BtqrsyNvxZ8nE"
  }
}

Credential with Proof Removed

{
  "@context": [
    "https://www.w3.org/2018/credentials/v1",
    "https://www.w3.org/2018/credentials/examples/v1",
    "https://w3id.org/security/suites/ed25519-2020/v1"
  ],
  "id": "http://example.edu/credentials/3732",
  "type": [
    "VerifiableCredential",
    "UniversityDegreeCredential"
  ],
  "issuer": "https://example.edu/issuers/565049",
  "issuanceDate": "2010-01-01T00:00:00Z",
  "credentialSubject": {
    "id": "did:example:ebfeb1f712ebc6f1c276e12ec21",
    "degree": {
      "type": "BachelorDegree",
      "name": "Bachelor of Science and Arts"
    }
  }
}

Canonized Document without Proof

<did:example:ebfeb1f712ebc6f1c276e12ec21> <https://example.org/examples#degree> _:c14n0 .
<http://example.edu/credentials/3732> <http://www.w3.org/1999/02/22-rdf-syntax-ns#type> <https://example.org/examples#UniversityDegreeCredential> .
<http://example.edu/credentials/3732> <http://www.w3.org/1999/02/22-rdf-syntax-ns#type> <https://www.w3.org/2018/credentials#VerifiableCredential> .
<http://example.edu/credentials/3732> <https://www.w3.org/2018/credentials#credentialSubject> <did:example:ebfeb1f712ebc6f1c276e12ec21> .
<http://example.edu/credentials/3732> <https://www.w3.org/2018/credentials#issuanceDate> "2010-01-01T00:00:00Z"^^<http://www.w3.org/2001/XMLSchema#dateTime> .
<http://example.edu/credentials/3732> <https://www.w3.org/2018/credentials#issuer> <https://example.edu/issuers/565049> .
_:c14n0 <http://schema.org/name> "Bachelor of Science and Arts"^^<http://www.w3.org/1999/02/22-rdf-syntax-ns#HTML> .
_:c14n0 <http://www.w3.org/1999/02/22-rdf-syntax-ns#type> <https://example.org/examples#BachelorDegree> .

Hash of Canonized VC w/o Proof

As a hexadecimal string:

6c6b2795e7fa33a9fb28062527142b3c6edf7ba239942439b6f0bb0851b3cce3

Proof Options Document

{
  "type": "Ed25519Signature2020",
  "created": "2022-12-07T21:31:08Z",
  "verificationMethod": "https://example.edu/issuers/565049#key-1",
  "proofPurpose": "assertionMethod",
  "@context": [
    "https://www.w3.org/2018/credentials/v1",
    "https://www.w3.org/2018/credentials/examples/v1",
    "https://w3id.org/security/suites/ed25519-2020/v1"
  ]
}

Canonized Proof Options

_:c14n0 <http://purl.org/dc/terms/created> "2022-12-07T21:31:08Z"^^<http://www.w3.org/2001/XMLSchema#dateTime> .
_:c14n0 <http://www.w3.org/1999/02/22-rdf-syntax-ns#type> <https://w3id.org/security#Ed25519Signature2020> .
_:c14n0 <https://w3id.org/security#proofPurpose> <https://w3id.org/security#assertionMethod> .
_:c14n0 <https://w3id.org/security#verificationMethod> <https://example.edu/issuers/565049#key-1> .

Hash of Canonized Proof Options

As a hexadecimal string:

565a2884ebb2d38aa34871108074ab51631ec812d33eb2473178bce19937ad09

Concatenate and Sign with Private Key.

Concatenation of proof_hash then raw doc_hash (in this order):

565a2884ebb2d38aa34871108074ab51631ec812d33eb2473178bce19937ad096c6b2795e7fa33a9fb28062527142b3c6edf7ba239942439b6f0bb0851b3cce3

Signature in hexadecimal:

'473fb02a4aaf5863a2ef33f104bd55617e40907bc311e29e87278d15d7596f201639f41ec0e00db11159e9139f673d9257558e1f0134e1f67ac73f91ed89670b'

Signature Base58btc encoded:

'z2RczMj342tVhAjgjEPV4TeHbi2ggnTRKTc5BFQCgaWJ3nhcg5HgCeC2eV4Lc1fYdhfoLyPjxoq4BtqrsyNvxZ8nE'

[msporny]

Review

Thanks for the thorough review, @Wind4Greg! Commentary below:

• Reference to Multiformats is out of date. New reference: https://datatracker.ietf.org/doc/html/draft-multiformats-multibase-06

Yes, agreed that this needs to be updated.

• On example 1 "An Ed25519 public key encoded as a Multikey", Should this example use the context field as shown in section 2.3.1.2 of Data Integrity specification? i.e., add @context": ["https://w3id.org/security/multikey/v1"],?

We should probably use https://w3id.org/security/data-integrity/v1 instead. https://w3id.org/security/multikey/v1 is meant to be used when the only thing you need to do is define a multikey in a document. The example you are referring to is a controller document, so we probably want the examples to use the broader https://w3id.org/security/data-integrity/v1 value (after we define Multikey in that file), IIRC.

@dlongley thoughts?

• In example 2 "An Ed25519 public key encoded as a Multikey in a controller document" do we also need to add the additional item "https://w3id.org/security/multikey/v1" to the @context array?

No, if we do the thing referenced in the previous question, I think all we have to use is https://w3id.org/security/data-integrity/v1.

• Section 2.2.1 DataIntegrityProof. It says: "The proofValue property of the proof MUST be a detached EdDSA produced according to [RFC8032], encoded according to [MULTIBASE] using the base58-btc base encoding." Doesn't this need to be produced according to the "Algorithms" section (which includes RFC8032 as part of the procedure.) editorial would revise to: The proofValue property of the proof MUST be a detached EdDSA produced according to section 3 Algorithms"

Yes, good catch, correct.

• Question for clarification. Are DataIntegrityProof and Ed25519Signature2020 two containers for the same information the former being more general? Is one to be preferred? Should something be said about this in the text?

Yes, they are two containers for the same information. DataIntegrityProof is preferred. Yes, we should say something about this. Ed25519Signature2020 escaped into production deployments and so we're defining it here just to make sure people can interop on it... but we should probably immediately deprecate it and strongly urge people to switch to the more generalized DataIntegrityProof format.

• Section 3.2 Hashing. Step 3 "Let hashData be the result of concatenating transformedDocumentHash and proofConfigHash." Using VC generated by the CHAPI Playground or Verifiable Credentials JS Library I verified sample credentials Example: Verifying Verifiable Credentials with the order of these to hashes reverse, i.e., in Python test_combined_hash = proof_hash + doc_hash. Am I misinterpreting the text or is this an error.

I would expect there to be an error in the specification text. The implementations are the real source of truth, especially https://www.npmjs.com/package/@digitalbazaar/vc. Ping'ing @dlongley to confirm.

• The current test vectors don't seem to verify and could use more elaboration. It would be nice to illustrate all the steps: private and public keys, raw document, options, canonized versions of both, hashes of both, raw signature, encoded signature.

Yes, agreed, and saw that you did this in your review -- THANK YOU! We should replace all the test vectors with your ones.

• I've furnished an example set of test vectors below in with proof type "Ed25519Signature2020".

Great, thank you!

• Test vectors: do we want two different example chains? One corresponding to DataIntegrityProof and one to Ed25519Signature2020, i.e., to produce something like examples 5 and 6 as output.

Yes, that would be helpful.

Test Vector Suggestion

The updated test vectors look great, thank you! Please raise a PR to replace the current test vectors w/ the new ones you generated. I'll have some minor suggestions in the PR, but overall, huge improvement.