-
Notifications
You must be signed in to change notification settings - Fork 134
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
New CAIP - Web of Trust Primitives (Split of former: Community-powered trust assessment in software components) #261
base: main
Are you sure you want to change the base?
Conversation
Update Specification, Add Test Cases, Security Considerations and Privacy Considerations
…ite-to-generalize Chain agnostic editorial/pr 261 rewrite to generalize
CAIPs/caip-261.md
Outdated
"proof": {} | ||
``` | ||
|
||
- The `securityStatus` is the final result of the security assessment, that can be either `Secured` or `Unsecured`. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should this be optional? Because I'm wondering if it isn't too reductive. With most software applications we use we accept to take on some level of risk, but it's not black or white.
The smart contract audits that I've seen have findings with different levels of criticality, but I guess auditors don't want to be forced to draw the line somewhere to declare that a piece of software is Secured
or Unsecured
when the reality is more nuanced than that.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
maybe auditors would be more comfortable with a boolean like audited
, and even then they'd probably want it applied only to a specific binary and/or commit-height in a git history😅
CAIPs/caip-261.md
Outdated
- **Trust List:** This allows individuals to define their trusted peers, shaping their trust graph; | ||
- **Expert Report:** This enables experts to publish insights and conclusions about a given resource (e.g. an audit in the case of software components); | ||
- **Peer Review:** This allows individuals to endorse or dispute claims made about resources by peers; | ||
- **Trust Score:** This enables any trust computer to publish computed trust scores about resources and/or about the actors behind the other 3 primitives. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Might be useful to define "trust computer"?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
YES PLEASE (basically the only change needed before I can approve and merge this)
CAIPs/caip-261.md
Outdated
{ | ||
"id": "snap://CLwZocaUEbDErtQAsybaudZDJq65a8AwlEFgkGUpmAQ=", | ||
"currentStatus": "Disputed", | ||
"reason": ["Scam", "Phishing"] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What if someone wants to provide a longer explanation for the reason? To hack my way around that personally I would post the explanation on hackmd for example and put the link as one of the items in this array 😄
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The primary purpose of this credential is to facilitate quick reactions to another assertion or any discrete resource, akin to the thumb up/thumb down, upvote/downvote, or emojis used in social networks. Given this context, perhaps renaming the credential to "ReactionCredential" would more accurately reflect its intended use, as opposed to "ReviewCredential".
For more detailed analyses, we would utilize the "Expert Report" credential. This format is designed to comprehensively address issues, including descriptions and references to external resources. Considering your feedback, it might be appropriate to consider names like "ReportCredential" or retain "ReviewCredential" for this purpose.
Please note, this data element has been removed from CAIP-261 and will be included in the forthcoming CAIP-x.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Here is what this modeling would look like.
Report Assertion
A report presents a detailed presentation of factual information and objective analysis.
"type": ["VerifiableCredential", "ReportCredential"],
"issuanceDate": "2024-02-15T07:05:56.273Z",
"issuer": "did:pkh:eth:0x44dc4E3309B80eF7aBf41C7D0a68F0337a88F044",
"credentialSubject":
{
"id": "ipfs://QmPTqvH3vm6qcZSGqAUsq78MQa9Ctb56afRZg1WJ5sKLiu",
"type": "Security",
"result": -1,
"issues": [
{
"criticality": 1,
"type": "Key leak",
"description": "`snap_getBip44Entropy` makes the parent key accessible",
"uri": "https://hackmd.io/@ra-phael/DummySnap5KeyLeak"
},
{
"criticality": 0.5,
"type": "Buffer Overflow"
"uri": "https://hackmd.io/@ra-phael/DummySnap5BufferOverflow"
},
{
"criticality": 0.25,
"type": "Phishing"
"uri": "ipfs://QmElreH3vm6qcASGqAUsq78MQa9Ctb56afRZg1WJ5sKLpl"
},
{
"criticality": 0,
"type": "Data leak",
"description": "API can communicate data to a centralized server"
},
]
},
"proof": {}
Note that the Report Assertion could pertain to matters beyond 'Security,' including 'User Experience,' 'Compliance,' and 'Performance' reports, among others.
Reaction Assertion
A reaction represents a quantifiable expression of agreement or disagreement with the report's content, typically reflecting the collective sentiment of the community.
"type": ["VerifiableCredential", "ReactionCredential"],
"issuanceDate": "2024-02-15T07:05:56.273Z",
"issuer": "did:pkh:eth:0x44dc4E3309B80eF7aBf41C7D0a68F0337a88F044",
"credentialSubject":
{
"id": "ipfs://QmPTqvH3vm6qcZSGqAUsq78MQa9Ctb56afRZg1WJ5sKLiu",
"reaction": "Endorsed",
"reason": ["Provide important context", "Vulnerabilities clearly defined"],
},
"proof": {}
The example above illustrates a reaction to a Report, but it can also apply to a reaction towards a discrete resource, such as a software component.
@ra-phael @bumblefudge @Vid201 @mirceanis @dbcfd Wdyt about this representation?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
i like these representations! my only bikeshedding would be to suggest new property names:
type
is too easy to confuse with VC, filesystem, programming language, and other uses of the term; i'd use something that makes more explicit that it's an issue type, likeissueType
,issueClass
,tag
,category
, etc.uri
is a type (or a "domain" in some old-school contexts), i.e. a constraint on the structure of the string that the value of that property can be-- since the function of this particular URI is to anchor semantics or disambiguate/explain/enrich theissueType
preceding it, maybe a more explicit name would betypeDefinition
orclassDefinition
etc, ortagContext
ordefinition
, etc?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
^ Not blocking changes to merge but highly recommended before this goes FINAL :D
Yes it makes sense, so it would be a resource pointed in the "context" field in the context of VC? |
Caips split part-1 Web of Trust Primitives
As mentioned in some comments, we have decided to ultimately split this CAIP into three parts, each addressing the following aspects:
All above comments should have been addressed in this new CAIP-261 version.
|
Yes, both context and credentialSchema. So both context files and credential schemas goes into some registry. |
Note that both |
EIP-712 should be considered a complementary cryptographic proof method alongside others like ECDSA, EdDSA, Schnorr, and RSA for on-chain verifiable credentials. | ||
Its inclusion emphasizes the importance of user-friendly, secure, and efficient interactions with blockchain-based identity and credential systems. | ||
It is noteworthy that EIP-712 mandates the presence of all fields, even if some are left empty in order to enable their verification. | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This example proof object looks a little iffy? https://w3c-ccg.github.io/ethereum-eip712-signature-2021-spec/ makes it sound like there are some mandatory fields missing here?
The verification process is crucial to ensure the use of valid and up-to-date assertions, thus maintaining the trust system's reliability and accuracy. | ||
This step ensures the integrity and reliability of the assertions, which is essential for supporting trust and interoperability within the ecosystem. | ||
|
||
## Test Cases |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Mmm, these aren't test cases so much as possible use-cases. It might be good to mark this section as non-normative explicitly, or leave it out of the CAIP itself and just add these in, say, the eth-magicians thread promoting the CAIP?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
we use "test cases" more in the sense of "test vectors" -- I don't think you really need this section anyways since the examples provided throughout are pretty illustrative and seem (unless mircea and raphael missed any syntax nits) to be valid both as VCs and as examples of your data model?
CAIPs/caip-261.md
Outdated
- Sustainability. | ||
|
||
#### Trust Update | ||
When an issuer needs to update a trust assertion, they simply generate a new assertion containing the revised information. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
is there any tombstoning system for assertions that have been superceded? could/should there be, at least optionally? people unfamiliar with IPFS may not realize they have manage their own garbage collection in a system where superceding/updating records are submitted often...
I added a big commit which you might want to review in case I changed anything you disagree with; almost ready to merge except for adding "trust computer" definition to terminology list and maybe another 1 or 2 minor things int he above conversation? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
All good for me.
Initial proposal for a standardized data framework designed to facilitate community-powered trust evaluation in software components.