Design Review #922

#922: BBS Cryptosuite v2023 Securing Verifiable Credentials with Selective Disclosure using BBS Signatures

Opened Dec 15, 2023

こんにちは TAG-さん!

I'm requesting a TAG review of BBS Cryptosuite v2023 Securing Verifiable Credentials with Selective Disclosure using BBS Signatures.

The BBS Cryptosuite v2023 specification describes a mechanism for ensuring the authenticity and integrity of Verifiable Credentials and similar types of constrained digital documents using cryptography, especially through the use of digital signatures and related mathematical proofs. It is one of several cryptosuites within the VC Data Integrity framework. This specification offers constant size signatures over multiple messages, selective disclosure and unlinkable proofs.

Explainer¹ (minimally containing user needs and example code): https://github.com/w3c/vc-di-bbs/blob/main/EXPLAINER.md
Specification URL: https://www.w3.org/TR/vc-di-bbs/
Tests: https://github.com/w3c/vc-di-bbs/tree/main/TestVectors
User research: responding to user desired for data minimization via selective disclosure and unlinkability.
Security and Privacy self-review²: https://github.com/w3c/vc-di-bbs/issues/106
GitHub repo (if you prefer feedback filed there): https://github.com/w3c/vc-di-bbs/issues
Primary contacts (and their relationship to the specification):
- Greg Bernstein (@Wind4Greg), Independent consultant, Invited Expert, Editor, BBS implementer
- Manu Sporny (@msporny), Digital Bazaar, Editor
Organization(s)/project(s) driving the specification: Verifiable Credentials
Key pieces of existing multi-stakeholder review or discussion of this specification: This is a new cryptosuite for the VC Data Integrity framework which provides for the additional privacy features of selective disclosure and unlinkable proofs. It is based on the soon to be standardized BBS signature scheme at the IETF.
External status/issue trackers for this specification (publicly visible, e.g. Chrome Status): None.

Further details:

I have reviewed the TAG's Web Platform Design Principles
Relevant time constraints or deadlines: Transition to Candidate Recommendation in January 2024
The group where the work on this specification is currently being done: Verifiable Credentials
The group where standardization of this work is intended to be done (if current group is a community group or other incubation venue): Verifiable Credentials.
Major unresolved issues with or opposition to this specification: None.
This work is being funded by:

You should also know that...

This is a new cryptosuite for the VC Data Integrity framework which provides for the additional privacy features of selective disclosure and unlinkable proofs. It is based on the soon to be standardized BBS signature scheme at the IETF.

We'd prefer the TAG provide feedback as (please delete all but the desired option):

🐛 open issues in our GitHub repo for each point of feedback

Discussions

2024-01-15

Minutes

Hadley: assuming the algo is sensible - it's a way of signing and verifying signatures of whoever issued a verifiable credentials.. They've been algo-agnostic...

Amy: is it's because they're doing cryptosuites for several different algos? E.g. Jose & Cose?

Hadley: data integrity spec does contain BBS, elliptic curve, edwards.. So yes. That being the case - miltiple crypto-suites as options for same use case - that seems good...

Amy: they've indicated "17 implementers" demonstrating interop...

Matthew: we had a look at this in APA... One of our members spotted something interesting. We did an a11y self-review... date formats... they allowed people to specify dates in different formats - we asked about it - they have replied...

Hadley: all VC?

Matthew: specific to BBS cryptosuite...

Yves: many protocols are using plain text dates... more readable... Lots of libraries process those strings...

Matthew: it seems weird... it seeems like there has been a mistake ...

Dan: seems like this is in hand

Matthew: yes doesn't seem architectural in nature... part of horizontal review.

Yves: the discussion before is about interop and what would be mandated...

Hadley: i don't see any reason to hold it up

Amy: it's following the pattern they're using for other cryptosuites - i don't have any concerns.

Hi all, Thanks for sending this our way. We are explicitly not reviewing the BBS Digital Signature Algorithm itself (for avoidance of doubt), but your cryptosuite using it seems fine to us.

We note that verifiable credentials signed with BBS aren't likely to be interoperable with those signed with other algorithms. (We recognise this is probably unavoidable, given the architecture you're using.)

Let us know if you have any specific questions or issues for us. Otherwise, we are happy to close it.

</blockquote>

2024-02-05

Minutes

need amy or hadley

2024-02-12

Minutes

We review comments including Manu's call for the TAG to get involved and weigh in on the topic of unlinkable digital signatures.

Dan: Could we delegate this to PING?

Yves: It could be if it's part of wide review.

Hadley: I second that.

Yves: also PING should have credibility here...

Dan to contact Jeffrey and float this possibility

we need to work on a response here.... we know that PING is working on this here https://github.com/w3cping/credential-considerations .. should we just review their outputs? unknown at this point

2024-02-26

Minutes

Amy: we offered to close it... we got more comments I don't have a strong opinion because I don't have the right expertise. Everyone seems to be agreeing in the thread. I'm not sure what we can add.

<blockquote> The TAG has discussed and we don't have anything further to add at this time regarding the issue raised by Manu. We agree that it would be useful to have unlinkable credentials. We don't have an opinion about whetether this should be a requirement, but it shouldn't be excluded as a possibility. We think this issue should be discussed further in PING and we look forward to reviewing the outcome of their discussion. </blockquote>

Agree to post this and close with resolution SATISFIED