This specification describes the OpenPGP Signature Suite created in 2019 for the Linked Data Signatures specification.
This is an experimental specification and is undergoing regular revisions. It is not fit for production deployment.
This specification describes the OpenPGP Signature Suite created in 2019 for the Linked Data Signatures [[LD-SIGNATURES]] specification. It uses the RDF Dataset Canonicalization Algorithm [[RDF-DATASET-CANONICALIZATION]] to transform the input document into its canonical form. It uses SHA-256 [[RFC6234]] as the message digest algorithm and the OpenPGP detached signature algorithm defined in [[RFC4880]] as the signature algorithm.
The following terms are used to describe concepts involved in the generation and verification of the Linked Data Signature 2019 signature suite.
The 2019 OpenPGP signature suite MUST be used in conjunction with the signing and verification algorithms in the Linked Data Signatures [[LD-SIGNATURES]] specification. The suite consists of the following algorithms:
Parameter | Value | Specification |
---|---|---|
canonicalizationAlgorithm | https://w3id.org/security#GCA2015 | [[RDF-DATASET-CANONICALIZATION]] |
digestAlgorithm | https://www.ietf.org/assignments/jwa-parameters#SHA256 | [[RFC6234]] |
signatureAlgorithm | OpenPGP Detached Signatures | [[RFC4880]] |
This signature suite uses detached OpenPGP signatures as described in [[RFC4880]]. The public-key algorithm used inside the OpenPGP signature is determined by the type of the key provided; an armored OpenPGP key carries the information needed to identify the specific method. This flexibility supports integration with existing software systems that use OpenPGP, GPG or PGP. The steps to construct and verify the digital signature are defined below.
The digital signature algorithm defined in Section 11.4: Signature Algorithm takes tbs, a privateKey, and options as inputs and produces a signatureValue as output. The signatureValue is the detached OpenPGP signature over tbs. By default it is returned in ASCII-armored form, e.g. `-----BEGIN PGP SIGNATURE-----\r\nVersion: OpenPGP.js...`, or, when passed with the compact option, as only the base64 body of the armor with the armor header and tail lines and the Version: header removed, e.g. `wl4EARMIAAYFAlw6KOAACgkQSnoBzSruDWC...`.
The digital signature verification algorithm defined in Section 11.4: Signature Verification Algorithm takes the value to be verified, tbv, the signatureValue and the public key as inputs and returns a boolean value: if the detached OpenPGP signature in signatureValue verifies over tbv under the public key, return `true`, otherwise return `false`.
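The two forms of signatureValue above, and the verification step, are easier to reason about with the bytes in hand. The following is an added example, not code from this specification or from any OpenPGP.js or Linked Data Signatures implementation: it converts between the armored and compact forms of a detached signature, and parses the leading fields of the OpenPGP signature packet (packet tag, version, signature type, public-key and hash algorithm, hashed and unhashed subpackets) so that a verifier can confirm the signature was made with the hash algorithm this suite fixes (SHA-256) before spending any cryptographic work on it. The sample input `PAGE_PREFIX` is the truncated compact value shown on this page, so only its packet header and subpackets are present; the function names are this example's own. Cryptographic verification of the signature itself needs the signer's key and an OpenPGP library and is deliberately not performed here.

```python
"""Added example (not part of the OpenPgpSignature2019 spec or any project's
code): inter-convert armored and compact detached OpenPGP signatures and
inspect the leading fields of the signature packet (RFC 4880 section 5.2.3).
"""
import base64
from datetime import datetime, timezone

BEGIN_LINE = "-----BEGIN PGP SIGNATURE-----"
END_LINE = "-----END PGP SIGNATURE-----"

# OpenPGP algorithm identifiers (RFC 4880 section 9; ECDSA from RFC 6637).
PUBKEY_ALGS = {1: "RSA", 17: "DSA", 19: "ECDSA", 22: "EdDSA"}
HASH_ALGS = {2: "SHA1", 8: "SHA256", 9: "SHA384", 10: "SHA512"}
SUITE_HASH_ALG = 8  # SHA-256, the digestAlgorithm this suite requires

# Constructed sample: the visible, truncated prefix of the compact signatureValue
# on this page ("wl4EARMIAAYFAlw6KOAACgkQSnoBzSruDWC..."). Only the packet header
# and the subpacket areas are present; the hash prefix and MPIs are cut off.
PAGE_PREFIX = "wl4EARMIAAYFAlw6KOAACgkQSnoBzSruDWC"


def _b64decode_unpadded(text: str) -> bytes:
    """Decode base64 whose '=' padding may have been dropped (compact form)."""
    return base64.b64decode(text + "=" * (-len(text) % 4))


def crc24(data: bytes) -> int:
    """Armor checksum from RFC 4880 section 6.1."""
    crc = 0xB704CE
    for octet in data:
        crc ^= octet << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def armored_to_compact(armored: str) -> str:
    """Keep only the base64 body: drop the BEGIN/END lines, the armor headers
    (e.g. 'Version: OpenPGP.js') up to the mandatory blank line, and the '=' CRC line."""
    body, in_block, in_headers = [], False, False
    for raw in armored.replace("\r\n", "\n").split("\n"):
        line = raw.strip()
        if line == BEGIN_LINE:
            in_block, in_headers = True, True
            continue
        if line == END_LINE:
            break
        if not in_block:
            continue
        if in_headers:
            if line == "":            # blank line terminates the armor headers
                in_headers = False
            continue
        if line.startswith("="):      # 24-bit CRC line
            continue
        body.append(line)
    if not in_block:
        raise ValueError("no PGP SIGNATURE armor block found")
    return "".join(body)


def compact_to_armored(compact: str) -> str:
    """Re-armor a compact signatureValue (no Version: header is emitted)."""
    raw = _b64decode_unpadded(compact)
    body = base64.b64encode(raw).decode("ascii")
    crc = base64.b64encode(crc24(raw).to_bytes(3, "big")).decode("ascii")
    lines = [BEGIN_LINE, ""] + [body[i:i + 64] for i in range(0, len(body), 64)]
    lines += ["=" + crc, END_LINE]
    return "\n".join(lines) + "\n"


def armor_roundtrip(compact: str) -> bool:
    """compact -> armored -> compact reproduces the (re-padded) base64 body."""
    canonical = base64.b64encode(_b64decode_unpadded(compact)).decode("ascii")
    return armored_to_compact(compact_to_armored(canonical)) == canonical


def _read_length(data: bytes, pos: int):
    """Subpacket length encoding (RFC 4880 section 5.2.3.1)."""
    first = data[pos]
    if first < 192:
        return first, pos + 1
    if first < 255:
        return ((first - 192) << 8) + data[pos + 1] + 192, pos + 2
    return int.from_bytes(data[pos + 1:pos + 5], "big"), pos + 5


def _parse_subpackets(area: bytes) -> dict:
    """Map subpacket type -> body; the length octets cover the type octet too."""
    out, pos = {}, 0
    while pos < len(area):
        length, pos = _read_length(area, pos)
        if length == 0 or pos + length > len(area):
            raise ValueError("truncated or malformed subpacket area")
        sub_type = area[pos] & 0x7F        # high bit is the 'critical' flag
        out[sub_type] = area[pos + 1:pos + length]
        pos += length
    return out


def inspect_signature(compact: str) -> dict:
    """Parse the packet header, algorithm octets and subpacket areas of a
    version 4 signature packet; tolerates input truncated after the subpackets."""
    data = _b64decode_unpadded(compact)
    ctb = data[0]
    if not ctb & 0x80:
        raise ValueError("not an OpenPGP packet")
    if ctb & 0x40:                         # new-format header (section 4.2.2)
        tag, first = ctb & 0x3F, data[1]
        if first < 192:
            pos = 2
        elif first < 224:
            pos = 3
        elif first == 255:
            pos = 6
        else:
            raise ValueError("partial body lengths are not valid for signatures")
    else:                                  # old-format header (section 4.2.1)
        tag, length_type = (ctb >> 2) & 0x0F, ctb & 0x03
        if length_type == 3:
            raise ValueError("indeterminate length is not valid for signatures")
        pos = 1 + (1 << length_type)
    if tag != 2:
        raise ValueError(f"packet tag {tag} is not a signature packet")
    version, sig_type, pk_alg, hash_alg = data[pos:pos + 4]
    if version != 4:
        raise ValueError(f"unsupported signature version {version}")
    pos += 4
    hashed_len = int.from_bytes(data[pos:pos + 2], "big")
    hashed = _parse_subpackets(data[pos + 2:pos + 2 + hashed_len])  # signed data
    pos += 2 + hashed_len
    unhashed_len = int.from_bytes(data[pos:pos + 2], "big")
    unhashed = _parse_subpackets(data[pos + 2:pos + 2 + unhashed_len])  # NOT signed
    pos += 2 + unhashed_len
    created = hashed.get(2)                # creation time: trust only the hashed copy
    issuer = unhashed.get(16) or hashed.get(16)  # key ID: a lookup hint, not authenticated
    return {
        "version": version,
        "sig_type": sig_type,              # 0x00 binary document, 0x01 canonical text
        "pubkey_alg": PUBKEY_ALGS.get(pk_alg, pk_alg),
        "hash_alg": HASH_ALGS.get(hash_alg, hash_alg),
        "hash_alg_matches_suite": hash_alg == SUITE_HASH_ALG,
        "created": int.from_bytes(created, "big") if created else None,
        "created_iso": datetime.fromtimestamp(int.from_bytes(created, "big"),
                                              timezone.utc).isoformat() if created else None,
        "issuer_key_id": issuer.hex().upper() if issuer else None,
        "trailing_bytes": len(data) - pos,  # hash prefix + MPIs in a complete signature
    }


if __name__ == "__main__":
    for key, value in inspect_signature(PAGE_PREFIX).items():
        print(f"{key}: {value}")
```

Run as-is it decodes the page's own prefix and shows it to be a new-format signature packet, version 4, made over a canonical text document with an ECDSA key and SHA-256, i.e. consistent with the suite's digestAlgorithm. The hash-algorithm check belongs in a verifier before the OpenPGP library is called: the key decides the algorithms, so a verifier that accepts whatever key it is handed also accepts whatever hash that key's signer chose. Note that the issuer key ID lives in the unhashed area and is not covered by the signature; use it only to select a candidate key, never as evidence of who signed.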
The following section describes security considerations that developers implementing this specification should be aware of in order to create secure software.
A simple example of an OpenPGP 2019 signature:
```json
{
  "@context": [
    "http://schema.org/",
    "https://w3id.org/security/v1"
  ],
  "description": "Hello world!",
  "proof": {
    "type": "OpenPgpSignature2019",
    "created": "2017-10-24T05:33:31Z",
    "creator": "https://example.com/jdoe/keys/1",
    "domain": "example.com",
    "signatureValue": "wl4EARMIAAYFAlw6...KOAACgkQSnoBzSruDWC"
  }
}
```