https://github.com/or13/decanonicalization
- Host: GitHub
- URL: https://github.com/or13/decanonicalization
- Owner: OR13
- License: mit
- Created: 2023-01-31T18:00:23.000Z (over 3 years ago)
- Default Branch: main
- Last Pushed: 2023-02-07T17:37:32.000Z (over 3 years ago)
- Last Synced: 2025-04-02T23:41:32.361Z (about 1 year ago)
- Language: JavaScript
- Homepage: https://or13.github.io/decanonicalization
- Size: 33.2 KB
- Stars: 6
- Watchers: 2
- Forks: 2
- Open Issues: 3
Metadata Files:
- Readme: README.md
- License: LICENSE
README
#### 🔏 JSON Web Signatures are better at protecting content type `application/credentials+ld+json`.
[CI status](https://github.com/OR13/decanonicalization/actions/workflows/ci.yml)
This repository demonstrates that [data integrity proof](https://www.w3.org/TR/vc-data-integrity/) `sign` and `verify` operation times are bound to the size of the input data interpreted as RDF.
This is because data integrity proofs require some form of canonicalization, most commonly [URDNA2015](https://www.w3.org/TR/rdf-canon/).
A clever attacker can ask a verifier expensive questions.
The verifier is forced to canonicalize before it can check the signature.
This can cost the verifier a lot of compute time for a proof that might not even verify.
See this twitter thread: [just... sign... the... bytes...](https://twitter.com/OR13b/status/1618415157235052545)
## Updates
The methodology used here has been challenged, see:
- https://github.com/w3c/vc-jwt/pull/44#issuecomment-1420981871
- https://lists.w3.org/Archives/Public/public-vc-wg/2023Jan/0036.html
- https://github.com/dlongley/decanonicalization/commit/4e3266620cf38e4c794b128f5fe204336430f606#r99192077