This specification describes the Redaction Signature Suite created in 2016 for the Linked Data Signatures specification. It enables a sender to redact information in a message without invalidating the digital signature.

This is an experimental specification and is undergoing regular revisions. It is not fit for production deployment.

Introduction

This specification describes the Redaction Signature Suite created in 2016 for the Linked Data Signatures [[LD-SIGNATURES]] specification. It uses the Merkleized form of the RDF Dataset Normalization Algorithm [[RDF-DATASET-NORMALIZATION]] to transform the input document into its canonical form. It uses SHA-256 [[RFC6234]] as the message digest algorithm and RSASSA-PKCS1-v1_5 [[RFC3447]] as the signature algorithm.

Terminology

The following terms are used to describe concepts involved in the generation and verification of the Linked Data Signature 2016 signature suite.

signature suite
A specified set of cryptographic primitives typically consisting of a canonicalization algorithm, a message digest algorithm, and a signature algorithm that are bundled together by cryptographers for developers for the purposes of safety and convenience.
canonicalization algorithm
An algorithm that takes an input document that has more than one possible representation and always transforms it into a canonical form. This process is sometimes also called normalization.
message digest algorithm
An algorithm that takes an input message and produces a cryptographic output message that is often many orders of magnitude smaller than the input message. These algorithms are often very fast and non-reversible, cause the output to change significantly when even one bit of the input message changes, and make it infeasible to find two different inputs for the same output.
signature algorithm
An algorithm that takes an input message and produces an output value where the receiver of the message can mathematically verify that the message has not been modified in transit and came from someone possessing a particular secret.

The 2016 Redaction Signature Suite

The 2016 Redaction signature suite MUST be used in conjunction with the signing and verification algorithms in the Linked Data Signatures [[LD-SIGNATURES]] specification. The suite consists of the following algorithms:

| Parameter | Value | Specification |
|---|---|---|
| canonicalizationAlgorithm | https://w3id.org/security#MURDNA2015 | [[RDF-DATASET-NORMALIZATION]] |
| digestAlgorithm | http://example.com/digests#sha256 | [[RFC6234]] |
| signatureAlgorithm | http://www.w3.org/2000/09/xmldsig#rsa-sha1 | [[RFC3447]] |

Modification to Algorithms

No modifications to the Linked Data Signature algorithms are provided other than the algorithms specified in the previous signature suite section.

Security Considerations

The following section describes security considerations that developers implementing this specification should be aware of in order to create secure software.

TODO: We need to add a complete list of security considerations.

Examples

A simple example of a Redaction 2016 signature:

{
  "@context": ["http://schema.org/", "https://w3id.org/security/v1"],
  "description": "Hello world!",
  "socialSecurityNumber": "ni://redaction-sha256;813f2d3396f038c3226fb70327efacd068284c93a857453fc52441c90b0b797d",
  "signature": {
    "type": "RedactionSignature2016",
    "created": "2016-11-07T05:33:31Z",
    "creator": "https://example.com/jdoe/keys/1",
    "domain": "example.com",
    "signatureValue": "OQeEhRZYzHUm6B7eImIsIRmtEMzULkk1J2efEYT+qzk9v58E3C5iA8eCeQc/7+qRj2TfqXN29DtEGOGaKHMcp4d90AiJvVvMb+8z9PwvWNCDAZKQ9pZp23MtHqV7kym7s6KIaYWO8gMNpnEwSoaNIF61JQkuoEDrnNECHRRsAOY="
  }
}

To verify the signature above, a verifier would first use the RDF Dataset normalization algorithm to normalize the content above.

_:c14n0  "Hello world!" .
_:c14n0  "ni://redaction-sha256;813f2d3396f038c3226fb70327efacd068284c93a857453fc52441c90b0b797d" .

Every statement whose value is a redaction-sha256 URI would then be replaced with the hash value that the URI carries:

_:c14n0  "Hello world!" .
813f2d3396f038c3226fb70327efacd068284c93a857453fc52441c90b0b797d

All remaining lines would be hashed:

d5abfa3bb592cfdc09d130daa9de861768e129647de86cf239dcc1b1b4085597
813f2d3396f038c3226fb70327efacd068284c93a857453fc52441c90b0b797d

All hashes would then be sorted:

813f2d3396f038c3226fb70327efacd068284c93a857453fc52441c90b0b797d
d5abfa3bb592cfdc09d130daa9de861768e129647de86cf239dcc1b1b4085597

The data above would then be hashed again and then a standard signature verification algorithm, such as RSA, would be employed to verify that the signature is valid.
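
The digest steps above, written out as an added example (not code from this specification or its authors), show why a redacted document and the full document yield the same value to sign or verify. The sample statements are constructed, and two details the text leaves open are assumptions here: each line is hashed as UTF-8 without a trailing newline, and the sorted hashes are joined with newlines before the final hash.

```python
import hashlib
import re

# A redacted statement: the object is exactly the marker format shown on this page.
REDACTED_RE = re.compile(r'\S+ \S+ "ni://redaction-sha256;([0-9a-f]{64})" \.')


def sha256_hex(text: str) -> str:
    # Assumption: values are hashed as UTF-8 bytes with no trailing newline.
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def redact(statement: str) -> str:
    """Replace a statement's object with a marker carrying the statement's hash."""
    subject, predicate, _ = statement.split(" ", 2)
    return f'{subject} {predicate} "ni://redaction-sha256;{sha256_hex(statement)}" .'


def leaf_hash(statement: str) -> str:
    """A redacted statement contributes its embedded hash; any other is hashed."""
    match = REDACTED_RE.fullmatch(statement)
    return match.group(1) if match else sha256_hex(statement)


def redaction_digest(statements: list[str]) -> str:
    """Hash every line, sort the hashes, then hash the sorted list."""
    hashes = sorted(leaf_hash(s) for s in statements)
    # Assumption: sorted hashes are joined with newlines before the final hash.
    return sha256_hex("\n".join(hashes))


# Constructed sample statements (hypothetical values, not the page's data).
FULL = [
    '_:c14n0 <http://schema.org/description> "Hello world!" .',
    '_:c14n0 <http://schema.org/socialSecurityNumber> "000-00-0000" .',
]
REDACTED = [FULL[0], redact(FULL[1])]  # what a sender would forward
TAMPERED = [FULL[0].replace("Hello", "Jello"), REDACTED[1]]

if __name__ == "__main__":
    print("full     ", redaction_digest(FULL))
    print("redacted ", redaction_digest(REDACTED))  # same as full
    print("tampered ", redaction_digest(TAMPERED))  # differs
```

The resulting digest is what the signature algorithm would sign or verify; the signature step itself is not shown.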