TODO Working Group S. Smith Internet-Draft ProSapien LLC Intended status: Informational 31 May 2022 Expires: 2 December 2022 Self-Addressing IDentifier (SAID) draft-ssmith-said-02 Abstract A SAID (Self-Addressing IDentifier) is a special type of content- addressable identifier based on encoded cryptographic digest that is self-referential. The SAID derivation protocol defined herein enables verification that a given SAID is uniquely cryptographically bound to a serialization that includes the SAID as a field in that serialization. Embedding a SAID as a field in the associated serialization indicates a preferred content-addressable identifier for that serialization that facilitates greater interoperability, reduced ambiguity, and enhanced security when reasoning about the serialization. Moreover, given sufficient cryptographic strength, a cryptographic commitment such as a signature, digest, or another SAID, to a given SAID is essentially equivalent to a commitment to its associated serialization. Any change to the serialization invalidates its SAID thereby ensuring secure immutability evident reasoning with SAIDs about serializations or equivalently their SAIDs. Thus SAIDs better facilitate immutably referenced data serializations for applications such as Verifiable Credentials or Ricardian Contracts. SAIDs are encoded with CESR (Composable Event Streaming Representation) [CESR] which includes a pre-pended derivation code that encodes the cryptographic suite or algorithm used to generate the digest. A CESR primitive's primary expression (alone or in combination ) is textual using Base64 URL-safe characters. CESR primitives may be round-tripped (alone or in combination) to a compact binary representation without loss. The CESR derivation code enables cryptographic digest algorithm agility in systems that use SAIDs as content addresses. Each serialization may use a different cryptographic digest algorithm as indicated by its derivation code. This provides interoperable future proofing. CESR was developed for the [KERI] protocol. Discussion Venues This note is to be removed before publishing as an RFC. Smith Expires 2 December 2022 [Page 1] Internet-Draft SAID May 2022 Source for this draft and an issue tracker can be found at https://github.com/WebOfTrust/ietf-said. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on 2 December 2022. Copyright Notice Copyright (c) 2022 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/ license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Generation and Verification Protocols . . . . . . . . . . . . 4 2.1. Example Computation . . . . . . . . . . . . . . . . . . . 5 2.2. Serialization Generation . . . . . . . . . . . . . . . . 5 2.2.1. Order-Preserving Data Structures . . . . . . . . . . 6 2.3. Example Python dict to JSON Serialization with SAID . . . 7 2.4. Example Schema Immutability using JSON Schema with SAIDs . . . . . . . . . . . . . . . . . . . . . . . . . . 8 2.5. Discussion . . . . . . . . . . . . . . . . . . . . . . . 9 3. Appendix: Embedding SAIDs in URLs . . . . . . . . . . . . . . 10 4. Appendix: JSON Schema with SAIDs . . . . . . . . . . . . . . 10 5. Conventions and Definitions . . . . . . . . . . . . . . . . . 10 Smith Expires 2 December 2022 [Page 2] Internet-Draft SAID May 2022 6. Security Considerations . . . . . . . . . . . . . . . . . . . 10 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 10 8.1. Normative References . . . . . . . . . . . . . . . . . . 10 8.2. Informative References . . . . . . . . . . . . . . . . . 11 Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 11 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 11 1. Introduction The primary advantage of a content-addressable identifier is that it is cryptographically bound to the content (expressed as a serialization), thus providing a secure root-of-trust for reasoning about that content. Any sufficiently strong cryptographic commitment to a content-addressable identifier is functionally equivalent to a cryptographic commitment to the content itself. A self-addressing identifier (SAID) is a special class of content- addressable identifier that is also self-referential. This requires a special derivation protocol that generates the SAID and embeds it in the serialized content. The reason for a special derivation protocol is that a naive cryptographic content-addressable identifier must not be self-referential, i.e. the identifier must not appear within the content that it is identifying. This is because the naive cryptographic derivation process of a content-addressable identifier is a cryptographic digest of the serialized content. Changing one bit of the serialization content will result in a different digest. Therefore, self-referential content-addressable identifiers require a special derivation protocol. To elaborate, this approach of deriving self-referential identifiers from the contents they identify, is called self-addressing. It allows any validator to verify or re-derive the self-referential, self-addressing identifier given the contents it identifies. To clarify, a SAID is different from a standard content address or content-addressable identifier in that a standard content-addressable identifier may not be included inside the contents it addresses. Moreover, a standard content-addressable identifier is computed on the finished immutable contents, and therefore is not self- referential. In addition, a self-addressing identifier (SAID) includes a pre-pended derivation code that specifies the cryptographic algorithm used to generate the digest. An authenticatable data serialization is defined to be a serialization that is digitally signed with a non-repudiable asymmetric key-pair based signing scheme. A verifier, given the public key, may verify the signature on the serialization and thereby securely attribute the serialization to the signer. Many use cases Smith Expires 2 December 2022 [Page 3] Internet-Draft SAID May 2022 of authenticatable data serializations or statements include a self- referential identifier embedded in the authenticatable serialization. These serializations may also embed references to other self- referential identifiers to other serializations. The purpose of a self-referential identifier is to enable reasoning in software or otherwise about that serialization. Typically, these self- referential identifiers are not cryptographically bound to their encompassing serializations such as would be the case for a content- addressable identifier of that serialization. This poses a security problem because there now may be more than one identifier for the same content. The first is self-referential, included in the serialization, but not cryptographically bound to its encompassing serialization and the second is cryptographically bound but not self- referential, not included in the serialization. When reasoning about a given content serialization, the existence of a non-cryptographically bound but self-referential identifier is a security vulnerability. Certainly, this identifier cannot be used by itself to securely reason about the content because it is not bound to the content. Anyone can place such an identifier inside some other serialization and claim that the other serialization is the correct serialization for that self-referential identifier. Unfortunately, a standard content-addressable identifier for a serialization which is bound to the serialization can not be included in the serialization itself, i.e. can be neither self-referential nor self-contained; it must be tracked independently. In contrast, a self-addressing identifier is included in the serialization to which it is cryptographically bound making it self-referential and self- contained. Reasoning about self-addressing identifiers (SAIDs) is secure because a SAID will verify if and only if its encompassing serialization has not been mutated, which makes the content immutable. SAIDs used as references to serializations in other serializations enable tamper-evident reasoning about the referenced serializations. This enables a more compact representation of an authenticatable data serialization that includes other serializations by reference to their SAIDs instead of by embedded containment. 2. Generation and Verification Protocols The _self-addressing identifier_ (SAID) verification protocol is as follows: * Make a copy of the embedded CESR [CESR] encoded SAID string included in the serialization. * replace the SAID field value in the serialization with a dummy string of the same length. The dummy character is #, that is, ASCII 35 decimal (23 hex). Smith Expires 2 December 2022 [Page 4] Internet-Draft SAID May 2022 * Compute the digest of the serialization that includes the dummy value for the SAID field. Use the digest algorithm specified by the CESR [CESR] derivation code of the copied SAID. * Encode the computed digest with CESR [CESR] to create the final derived and encoded SAID of the same total length as the dummy string and the copied embedded SAID. * Compare the copied SAID with the recomputed SAID. If they are identical then the verification is successful; otherwise unsuccessful. 2.1. Example Computation The CESR [CESR] encoding of a Blake3-256 (32 byte) binary digest has 44 Base-64 URL-safe characters. The first character is E which represents Blake3-256. Therefore, a serialization of a fixed field data structure with a SAID generated by a Blake3-256 digest must reserve a field of length 44 characters. Suppose the initial value of the fixed field serialization is the following string: field0______field1______________________________________field2______ In the string, field1 is of length 44 characters. The first step to generating the SAID for this serialization is to replace the contents of field1 with a dummy string of # characters of length 44 as follows: field0______############################################field2______ The Blake3-256 digest is then computed on the above string and encoded in CESR format. This gives the following SAID: E8wYuBjhslETYaLZcxMkWrhVbMcA8RS1pKYl7nJ77ntA The dummy string is then replaced with the SAID above to produce the final serialization with embedded SAID as follows: field0______E8wYuBjhslETYaLZcxMkWrhVbMcA8RS1pKYl7nJ77ntA______ To verify the embedded SAID with respect to its encompassing serialization above, just reverse the generation steps. 2.2. Serialization Generation Smith Expires 2 December 2022 [Page 5] Internet-Draft SAID May 2022 2.2.1. Order-Preserving Data Structures The crucial consideration in SAID generation is reproducibility. This requires the ordering and sizing of fields in the serialization to be fixed. Data structures in most computer languages have fixed fields. The example above is such an example. A very useful type of serialization especially in some languages like Python or JavaScript is of self-describing data structures that are mappings of (key, value) or (label, value) pairs. These are often also called dictionaries or hash tables. The essential feature needed for reproducible serialization of such mappings is that mapping preserve the ordering of its fields on any round trip to/from a serialization. In other words the mapping is ordered with respect to serialization. Another way to describe a predefined order preserving serialization is canonicalization or canonical ordering. This is often referred to as the mapping canonicalization problem. The _natural_ canonical ordering for such mappings is _insertion order_ or sometimes called _field creation order_. Natural order allows the fields to appear in a preset order independent of the lexicographic ordering of the labels. This enables functional or logical ordering of the fields. Logical ordering also allows the absence or presence of a field to have meaning. Fields may have a priority given by their relative order of appearance. Fields may be grouped in logical sequence for better usability and labels may use words that best reflect their function independent of their relative lexicographic ordering. The most popular serialization format for mappings is _JSON_. Other popular serializations for mappings are CBOR and MsgPack. In contrast, from a functional perspective, lexicographic ordering appears un-natural. In lexicographic ordering the fields are sorted by label prior to serialization. The problem with lexicographic ordering is that the relative order of appearance of the fields is determined by the labels themselves not some logical or functional purpose of the fields themselves. This often results in oddly- labeled fields that are so named merely to ensure that the lexicographic ordering matches a given logical ordering. Smith Expires 2 December 2022 [Page 6] Internet-Draft SAID May 2022 Originally mappings in most if not all computer languages were not insertion order preserving. The reason is that most mappings used hash tables under the hood. Early hash tables were highly efficient but by nature did not include any mechanism for preserving field creation or field insertion order for serialization. Fortunately, this is no longer true in general. Most if not all computer languages that support dictionaries or mappings as first-class data structures now support variations that are insertion order preserving. For example, since version 3.6 the default dict object in Python is insertion order preserving. Before that, Python 3.1 introduced the OrderedDict class which is insertion order preserving, and before that, custom classes existed in the wild for order preserving variants of a Python dict. Since version 1.9 the Ruby version of a dict, the Hash class, is insertion order preserving. Javascript is a relative latecomer but since ECMAScript ES6 the insertion ordering of JavaScript objects was preserved in Reflect.ownPropertyKeys(). Using custom replacer and reviver functions in .stringify and .parse allows one to serialize and de-serialize JavaScript objects in insertion order. Moreover, since ES11 the native .stringify uses insertion order all text string labeled fields in Javascript objects. It is an uncommon use case to have non-text string labels in a mapping serialization. A list is usually a better structure in those cases. Nonetheless, since ES6 the new Javascript Map object preserves insertion order for all fields for all label types. Custom replacer and reviver functions for .stringify and .parse allows one to serialize and de-serialize Map objects to/from JSON in natural order preserving fashion. Consequently, there is no need for any canonical serialization but natural insertion order preserving because one can always use lexicographic ordering to create the insertion order. 2.3. Example Python dict to JSON Serialization with SAID Suppose the initial value of a Python dict is as follows: { "said": "", "first": "Sue", "last": "Smith", "role": "Founder" } As before the SAID will be a 44 character CESR encoded Blake3-256 digest. The serialization will be _JSON_. The said field value in the dict is to be populated with the resulting SAID. First the value of the said field is replaced with a 44 character dummy string as follows: Smith Expires 2 December 2022 [Page 7] Internet-Draft SAID May 2022 { "said": "############################################", "first": "Sue", "last": "Smith", "role": "Founder" } The dict is then serialized into JSON with no extra whitespace. The serialization is the following string: {"said":"############################################","first":"Sue","last":"Smith","role":"Founder"} The Blake3-256 digest is then computed on that serialization above and encoded in CESR to provide the SAID as follows: EnKa0ALimLL8eQdZGzglJG_SxvncxkmvwFDhIyLFchUk The value of the said field is now replaced with the computed and encoded SAID to produce the final serialization with embedded SAID as follows: {"said":"EnKa0ALimLL8eQdZGzglJG_SxvncxkmvwFDhIyLFchUk","first":"Sue","last":"Smith","role":"Founder"} The final serialization may be converted to a python dict by deserializing the JSON to produce: { "said": "EnKa0ALimLL8eQdZGzglJG_SxvncxkmvwFDhIyLFchUk", "first": "Sue", "last": "Smith", "role": "Founder" } The generation steps may be reversed to verify the embedded SAID. The SAID generation and verification protocol for mappings assumes that the fields in a mapping serialization such as JSON are ordered in stable, round-trippable, reproducible order, i.e., canonical. The natural canonical ordering is called field insertion order. 2.4. Example Schema Immutability using JSON Schema with SAIDs SAIDs make JSON Schema (https://json-schema.org/draft/2020-12/json- schema-core.html) fully self-contained with self-referential, unambiguously cryptographically bound, and verifiable content- addressable identifiers. We apply the SAID derivation protocol defined above to generate the $id field. Smith Expires 2 December 2022 [Page 8] Internet-Draft SAID May 2022 First, replace the value of the $id field with a string filled with dummy characters of the same length as the eventual derived value for $id. { "$id": "############################################", "$schema": "http://json-schema.org/draft-07/schema#", "type": "object", "properties": { "full_name": { "type": "string" } } Second, make a digest of the serialized schema contents that include the dummy value for the $id. EZT9Idj7zLA0Ek6o8oevixdX20607CljNg4zrf_NQINY Third, replace the dummy identifier value with the derived identifier value in the schema contents. { "$id": "EZT9Idj7zLA0Ek6o8oevixdX20607CljNg4zrf_NQINY", "$schema": "http://json-schema.org/draft-07/schema#", "type": "object", "properties": { "full_name": { "type": "string" } } Usages of SAIDs within authentic data containers as demonstrated here are referred to as self-addressing data (SAD). 2.5. Discussion As long as any verifier recognizes the derivation code of a SAID, the SAID is a cryptographically secure commitment to the contents in which it is embedded; it is a cryptographically verifiable, self- referential, content-addressable identifier. Because a SAID is both self-referential and cryptographically bound to the contents it identifies, anyone can validate this binding if they follow the _derivation protocol_ outlined above. To elaborate, this approach of deriving self-referential identifiers from the contents they identify, is called self-addressing. It allows any validator to verify or re-derive the self-referential, Smith Expires 2 December 2022 [Page 9] Internet-Draft SAID May 2022 self-addressing identifier given the contents it identifies. To clarify, a SAID is different from a standard content address or content-addressable identifier in that a standard content-addressable identifier may not be included inside the contents it addresses. Moreover, a standard content-addressable identifier is computed on the finished immutable contents, and therefore is not self- referential. 3. Appendix: Embedding SAIDs in URLs ToDo. Provide normative protocol for embedding a SAID in a URL to replace a bare SAID in a data structure (field map). The purpose is to ease the transition from web 2.0 URL centric infrastructure to zero-trust infrastructure. This is a caveated adoption vector because it mixes discovery (URL) with integrity (SAID) layers. The OOBI protocol is an example of using embedded SAIDs inside URLs merely for verifiable discovery while using the bare SAID in the discovered data item. 4. Appendix: JSON Schema with SAIDs ToDo. Provide normative rules for using SAIDs to lock-down JSON Schema (immutable) to prevent schema malleability attacks. 5. Conventions and Definitions The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here. 6. Security Considerations TODO Security 7. IANA Considerations This document has no IANA actions. 8. References 8.1. Normative References [CESR] Smith, S., "Composable Event Streaming Representation (CESR)", 2021, . Smith Expires 2 December 2022 [Page 10] Internet-Draft SAID May 2022 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, . [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017, . 8.2. Informative References [KERI] Smith, S., "Key Event Receipt Infrastructure (KERI)", 2021, . Acknowledgments Members of the keripy development team and the ToIP ACDC WG. Author's Address S. Smith ProSapien LLC Email: sam@prosapien.com Smith Expires 2 December 2022 [Page 11]