Internet DRAFT - draft-pfeairheller-cesr-proof

draft-pfeairheller-cesr-proof







TODO Working Group                                        P. Feairheller
Internet-Draft                                                     GLEIF
Intended status: Informational                              31 July 2023
Expires: 1 February 2024


                         CESR Proof Signatures
                    draft-pfeairheller-cesr-proof-01

Abstract

   CESR Proof Signatures are an extension to the Composable Event
   Streaming Representation [CESR] that provide transposable
   cryptographic signature attachments on self-addressing data (SAD)
   [SAID].  Any SAD, such as an Authentic Chained Data Container (ACDC)
   Verifiable Credential [ACDC] for example, may be signed with a CESR
   Proof Signature and streamed along with any other CESR content.  In
   addition, a signed SAD can be embedded inside another SAD and the
   CESR proof signature attachment can be transposed across envelope
   boundaries and streamed without losing any cryptographic integrity.

Discussion Venues

   This note is to be removed before publishing as an RFC.

   Source for this draft and an issue tracker can be found at
   https://github.com/trustoverip/tswg-cesr-proof-specification.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 1 February 2024.







Feairheller              Expires 1 February 2024                [Page 1]

Internet-Draft                 CESR-PROOF                      July 2023


Copyright Notice

   Copyright (c) 2023 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.  Code Components
   extracted from this document must include Revised BSD License text as
   described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Revised BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   3
     1.1.  Streamable SADs . . . . . . . . . . . . . . . . . . . . .   3
     1.2.  Nested Partial Signatures . . . . . . . . . . . . . . . .   3
     1.3.  Transposable Signature Attachments  . . . . . . . . . . .   4
   2.  CESR SAD Path Language  . . . . . . . . . . . . . . . . . . .   4
     2.1.  Description and Usage . . . . . . . . . . . . . . . . . .   4
     2.2.  CESR Encoding for SAD Path Language . . . . . . . . . . .   6
     2.3.  SAD Path Examples . . . . . . . . . . . . . . . . . . . .   6
     2.4.  Alternative Pathing / Query Languages . . . . . . . . . .   8
   3.  CESR Attachments  . . . . . . . . . . . . . . . . . . . . . .   9
     3.1.  Counter Four Character Codes  . . . . . . . . . . . . . .   9
     3.2.  Variable Size Codes . . . . . . . . . . . . . . . . . . .   9
     3.3.  CESR Signature Attachments  . . . . . . . . . . . . . . .  11
       3.3.1.  Signing SAD Content . . . . . . . . . . . . . . . . .  11
       3.3.2.  Signatures with Non-Transferable Identifiers  . . . .  12
       3.3.3.  Signatures with Transferable Identifiers  . . . . . .  12
     3.4.  Additional Count Codes  . . . . . . . . . . . . . . . . .  13
       3.4.1.  SAD Path Signature Group  . . . . . . . . . . . . . .  13
       3.4.2.  SAD Path Groups . . . . . . . . . . . . . . . . . . .  16
     3.5.  Small Variable Raw Size SAD Path Code . . . . . . . . . .  18
   4.  Nested Partial Signatures . . . . . . . . . . . . . . . . . .  18
     4.1.  Signing Nested SADs . . . . . . . . . . . . . . . . . . .  19
     4.2.  Signing SAIDs . . . . . . . . . . . . . . . . . . . . . .  20
   5.  Conventions and Definitions . . . . . . . . . . . . . . . . .  22
   6.  Security Considerations . . . . . . . . . . . . . . . . . . .  23
   7.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .  23
   8.  References  . . . . . . . . . . . . . . . . . . . . . . . . .  23
     8.1.  Normative References  . . . . . . . . . . . . . . . . . .  23
     8.2.  Informative References  . . . . . . . . . . . . . . . . .  23
   Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . .  24
   Author's Address  . . . . . . . . . . . . . . . . . . . . . . . .  24




Feairheller              Expires 1 February 2024                [Page 2]

Internet-Draft                 CESR-PROOF                      July 2023


1.  Introduction

   Composable Event Streaming Representation (CESR) is a dual text-
   binary encoding format that has the unique property of text-binary
   concatenation composability.  The CESR specification not only
   provides the definition of the streaming format but also the
   attachment codes needed for differentiating the types of
   cryptographic material (such as signatures) used as attachments on
   all event types for the Key Event Receipt Infrastructure (KERI)
   [KERI].  While all KERI event messages are self-addressing data
   (SAD), there is a broad class of SADs that are not KERI events but
   that require signature attachments.  ACDC Verifiable credentials fit
   into this class of SADs.  With more complex data structures
   represented as SADs, such as verifiable credentials, there is a need
   to provide signature attachments on nested subsets of SADs.  Similar
   to indices in indexed controller signatures in KERI that specify the
   location of the public key they represent, nested SAD signatures need
   a path mechanism to specify the exact location of the nested content
   that they are signing.  CESR Proof Signatures provide this mechanism
   with the CESR SAD Path Language and new CESR attachment codes,
   detailed in this specification.

1.1.  Streamable SADs

   A primary goal of CESR Proof Signatures is to allow any signed self-
   addressing data (SAD) to be streamed inline with any other CESR
   content.  In support of that goal, CESR Proof Signatures leverage
   CESR attachments to define a signature scheme that can be attached to
   any SAD content serialized as JSON [JSON], MessagePack [MGPK] or CBOR
   [CBOR].  Using this capability, SADs signed with CESR Proof
   Signatures can be streamed inline in either the text (T) or binary
   (B) domain alongside any other KERI event message over, for example
   TCP or UDP.  In addition, signed SADs can be transported via HTTP as
   a CESR HTTP Request (todo: reference needed).

1.2.  Nested Partial Signatures

   CESR Proof Signatures can be used to sign as many portions of a SAD
   as needed, including the entire SAD.  The signed subsets are either
   SADs themselves or the self-addressing identifer (SAID) of a SAD that
   will be provided out of band.  A new CESR count code is included with
   this specification to allow for multiple signatures on nested
   portions of a SAD to be grouped together under one attachment.  By
   including a SAD Path in the new CESR attachment for grouping
   signatures, the entire group of signatures can be transposed across
   envelope boundaries by changing only the root path of the group
   attachment code.




Feairheller              Expires 1 February 2024                [Page 3]

Internet-Draft                 CESR-PROOF                      July 2023


1.3.  Transposable Signature Attachments

   There are several events in KERI that can contain context specific
   embedded self-addressing data (SADs).  Exchange events (exn) for
   peer-to-peer communication and Replay events (rpy) for responding to
   data requests as well as Expose events (exp) for providing anchored
   data are all examples of KERI events that contain embedded SADs as
   part of their payload.  If the SAD payload for one of these event
   types is signed with a CESR attachment, the resulting structure is
   not embeddable in one of the serializations of map or dictionary like
   data models.  (JSON, CBOR, MessagePack) supported by CESR.  To solve
   this problem, CESR Proof Signatures are transposable across envelope
   boundaries in that a single SAD signature or an entire signature
   group on any given SAD can be transposed to attach to the end of an
   enveloping SAD without losing its meaning.  This unique feature is
   provided by the SAD Path language used in either a SAD signature or
   the root path designation in the outermost attachment code of any SAD
   signature group.  These paths can be updated to point to the embedded
   location of the signed SAD inside the envelope.  Protocols for
   verifiable credential issuance and proof presentation can be defined
   using this capability to embed the same verifiable credential SAD at
   and location in an enveloping exn message as appropriate for the
   protocol without having to define a unique signature scheme for each
   protocol.

2.  CESR SAD Path Language

   CESR Proof Signatures defines a SAD Path Language to be used in
   signature attachments for specifying the location of the SAD content
   within the signed SAD that a signature attachment is verifying.  This
   path language has a more limited scope than alternatives like JSONPtr
   [RFC6901] or JSONPath [JSONPath] and is therefore simpler and more
   compact when encoding in CESR signature attachments.  SADs in CESR
   and therefore CESR Proof Signatures require static field ordering of
   all maps.  The SAD path language takes advantage of this feature to
   allow for a Base64 compatible syntax into SADs even when a SAD uses
   non-Base64 compatible characters for field labels.

2.1.  Description and Usage

   The SAD path language contains a single reserved character, the -
   (dash) character.  Similar to the / (forward slack) character in
   URLs, the - in the SAD Path Language is the path separator between
   components of the path.  The - was selected because it is a one of
   the valid Base64 characters.






Feairheller              Expires 1 February 2024                [Page 4]

Internet-Draft                 CESR-PROOF                      July 2023


   The simplest path in the SAD Path Language is a single - character
   representing the root path which specifies the top level of the SAD
   content.

   Root Path

    -

   After the root path, path components follow, delimited by the -
   character.  Path components may be integer indices into field labels
   or arrays or may be full field labels.  No wildcards are supported by
   the SAD Path Language.

   An example SAD Path using only labels that resolve to map contexts
   follows:

   -a-personal

   In addition, integers can be specified and their meaning is dependent
   on the context of the SAD.

   -1-12-personal-0

   The rules for a SAD Path Language processor are simple.  If a path
   consists of only a single -, it represents the root of the SAD and
   therefore the entire SAD content.  Following any - character is a
   path component that points to a field if the current context is a map
   in the SAD or is an index of an element if the current context is an
   array.  It is an error for any sub-path to resolve to a value this is
   not a map or an array.  Any trailing - character in a SAD Path can be
   ignored.

   The root context (after the initial -) is always a map.  Therefore,
   the first path component represents a field of that map.  The SAD is
   traversed following the path components as field labels or indexes in
   arrays until the end of the path is reached.  The value at the end of
   the path is then returned as the resolution of the SAD Path.  If the
   current context is a map and the path component is an integer, the
   path component represents an index into fields of the map.  This
   feature takes advantage of the static field ordering of SADs and is
   used against any SAD that contains field labels that use non-Base64
   compatible characters or the - character.  Any combination of integer
   and field label path components can be used when the current context
   is a map.  All path components MUST be an integer when the current
   context is an array.






Feairheller              Expires 1 February 2024                [Page 5]

Internet-Draft                 CESR-PROOF                      July 2023


2.2.  CESR Encoding for SAD Path Language

   SAD Paths are variable raw size primitives that require CESR variable
   size codes.  We will use the A small variable size code for SAD Paths
   which has 3 code entries being added to the Master Code Table, 4A##,
   5A## and 6A## for SAD Paths with 0 lead bytes, 1 lead byte and 2 lead
   bytes respecively.  This small variable size code is reserved for
   text values that only contain valid Base64 characters.  These codes
   are detailed in Table 2 below.  The selector not only encodes the
   table but also implicitly encodes the number of lead bytes.  The
   variable size is measured in quadlets of 4 characters each in the T
   domain and equivalently in triplets of 3 bytes each in the B domain.
   Thus computing the number of characters when parsing or off-loading
   in the T domain means multiplying the variable size by 4.  Computing
   the number of bytes when parsing or off-loading in the B domain means
   multiplying the variable size by 3.  The two Base64 size characters
   provide value lengths in quadlets/triplets from 0 to 4095 (64**2 -1).
   This corresponds to path lengths of up to 16,380 characters (4095 *
   4) or 12,285 bytes (4095 * 3).

2.3.  SAD Path Examples

   This section provides some more examples for SAD Path expressions.
   The examples are based on Authentic Chained Data Containers (ACDCs)
   representing verifiable credentials.


























Feairheller              Expires 1 February 2024                [Page 6]

Internet-Draft                 CESR-PROOF                      July 2023


   {
     "v": "ACDC10JSON00011c_",
     "d": "EBdXt3gIXOf2BBWNHdSXCJnFJL5OuQPyM5K0neuniccM",
     "i": "EmkPreYpZfFk66jpf3uFv7vklXKhzBrAqjsKAn2EDIPM",
     "s": "E46jrVPTzlSkUPqGGeIZ8a8FWS7a6s4reAXRZOkogZ2A",
     "a": {
       "d": "EgveY4-9XgOcLxUderzwLIr9Bf7V_NHwY1lkFrn9y2PY",
       "i": "EQzFVaMasUf4cZZBKA0pUbRc9T8yUXRFLyM1JDASYqAA",
       "dt": "2021-06-09T17:35:54.169967+00:00",
       "ri": "EymRy7xMwsxUelUauaXtMxTfPAMPAI6FkekwlOjkggt",
       "LEI": "254900OPPU84GM83MG36",
       "personal": {
         "legalName": "John Doe",
         "home-city": "Durham"
       }
     },
     "p": [
       {
         "qualifiedIssuerCredential": {
           "d": "EIl3MORH3dCdoFOLe71iheqcywJcnjtJtQIYPvAu6DZA",
           "i": "Et2DOOu4ivLsjpv89vgv6auPntSLx4CvOhGUxMhxPS24"
         }
       },
       {
         "certifiedLender": {
           "d": "EglG9JLG6UhkLrrv012NPuLEc1F3ne5vPH_sHGP_QPN0",
           "i": "E8YrUcVIqrMtDJHMHDde7LHsrBOpvN38PLKe_JCDzVrA"
         }
       }
     ]
   }

   Figure 1.  Example ACDC Credential SAD

   The examples in Table 1 represent all the features of the SAD Path
   language when referring to the SAD in Figure 1. along with the CESR
   text encoding.














Feairheller              Expires 1 February 2024                [Page 7]

Internet-Draft                 CESR-PROOF                      July 2023


     +==================+========================+==================+
     | SAD Path         | Result                 | CESR T Domain    |
     |                  |                        | Encoding         |
     +==================+========================+==================+
     | -                | The root of the SAD    | 6AABAAA-         |
     +------------------+------------------------+------------------+
     | -a-personal      | The personal map of    | 4AADA-a-personal |
     |                  | the a field            |                  |
     +------------------+------------------------+------------------+
     | -4-5             | The personal map of    | 4AAB-4-5         |
     |                  | the a field            |                  |
     +------------------+------------------------+------------------+
     | -4-5-legalName   | "John Doe"             | 5AAEAA-          |
     |                  |                        | 4-5-legalName    |
     +------------------+------------------------+------------------+
     | -a-personal-1    | "Durham"               | 6AAEAAA-         |
     |                  |                        | a-personal-1     |
     +------------------+------------------------+------------------+
     | -p-1             | The second element in  | 4AAB-p-1         |
     |                  | the p array            |                  |
     +------------------+------------------------+------------------+
     | -a-LEI           | "254900OPPU84GM83MG36" | 5AACAA-a-LEI     |
     +------------------+------------------------+------------------+
     | -p-0-0-d         | "EIl3MORH...6DZA"      | 4AAC-p-0-0-d     |
     +------------------+------------------------+------------------+
     | -p-0-certifiedLe | "E8YrUcVI...zVrA"      | 5AAGAA-p-0-certi |
     | nder-i           |                        | fiedLender-i     |
     +------------------+------------------------+------------------+

                                 Table 1

2.4.  Alternative Pathing / Query Languages

   The SAD Path language was chosen over alternatives such as JSONPtr
   and JSONPath in order to create a more compact representation of a
   pathing language in the text domain.  Many of the features of the
   alternatives are not needed for CESR Proof Signatures.  The only
   token in the language (-) is Base64 compatible.  The use of field
   indices in SADs (which require staticly ordered fields) allows for
   Base64 compatible pathing even when the field labels of the target
   SAD are not Base64 compatible.  The language accomplishes the goal of
   uniquely locating any path in a SAD using minimally sufficient means
   in a manner that allows it to be embedded in a CESR attachment as
   Base64.  Alternative syntaxes would need to be Base64 encoded to be
   used in a CESR attachment in the text domain thus incurring the
   additional bandwidth cost of such an encoding.





Feairheller              Expires 1 February 2024                [Page 8]

Internet-Draft                 CESR-PROOF                      July 2023


3.  CESR Attachments

   This specification adds 2 _Counter Four Character Codes_ to the
   Master Code Table and uses 1 _Small Variable Raw Size Code Type_ and
   1 _Large Variable Raw Size Code Type_ from the Master Code
   Table (each of which have 3 code entries).

3.1.  Counter Four Character Codes

   The SAD Path Signature counter code is represented by the four
   character code -J##.  The first two characters reserve this code for
   attaching the couplet (SAD Path, Signature Group).  The second two
   characters represent the count in hexidecimal of SAD path signatures
   are in this attachment.  The path is attached in the T domain using
   the codes described in the next section.  The signature group is from
   either a transferable identifier or a non-transferable identifier and
   therefore attached using the CESR codes -F## or -C## respectively as
   described in the CESR Specification [CESR].

3.2.  Variable Size Codes

   The code A is reserved as a Small Variable Raw Size Code and AAA as a
   Large Variable Raw Size Code for Base64 URL safe strings.  SAD Paths
   are Base64 URL safe strings and so leverage these codes when encoded
   in the CESR T domain.  To account for the variable nature of path
   strings, the variable size types reserve 3 codes each with prefix
   indicators of lead byte size used for adjusting the T domain encoding
   to multiples of 4 characters and the B domain to multiples of 3
   bytes.  For the _Small_ codes the prefix indicators are 4, 5 and 6
   representing 0, 1 and 2 lead bytes respectively and for _Large_ codes
   the prefix indicators are 7, 8, and 9 representing 0, 1 and 2 lead
   bytes respectively.  The resulting 6 code entries are displayed in
   the table that follows.

   The additions to the Master Code Table of CESR is shown below:
















Feairheller              Expires 1 February 2024                [Page 9]

Internet-Draft                 CESR-PROOF                      July 2023


   +==========+===========================+========+==========+========+
   |   Code   | Description               |  Code  |  Count   | Total  |
   |          |                           | Length |    or    | Length |
   |          |                           |        |  Index   |        |
   |          |                           |        |  Length  |        |
   +==========+===========================+========+==========+========+
   |          | *Counter Four Character   |        |          |        |
   |          | Codes*                    |        |          |        |
   +----------+---------------------------+--------+----------+--------+
   |   -J##   | Count of attached         |   2    |    2     |   4    |
   |          | qualified Base64 SAD path |        |          |        |
   |          | sig groups path+sig group |        |          |        |
   |          | (trans or non-trans)      |        |          |        |
   +----------+---------------------------+--------+----------+--------+
   |   -K##   | Count of attached         |   2    |    2     |   4    |
   |          | qualified Base64 SAD Path |        |          |        |
   |          | groups                    |        |          |        |
   +----------+---------------------------+--------+----------+--------+
   |          | *Small Variable Raw Size  |        |          |        |
   |          | Code*                     |        |          |        |
   +----------+---------------------------+--------+----------+--------+
   |   4A##   | String Base64 Only with 0 |   2    |    2     |   4    |
   |          | Lead Bytes                |        |          |        |
   +----------+---------------------------+--------+----------+--------+
   |   5A##   | String Base64 Only with 1 |   2    |    2     |   4    |
   |          | Lead Byte                 |        |          |        |
   +----------+---------------------------+--------+----------+--------+
   |   6A##   | String Base64 Only with 2 |   2    |    2     |   4    |
   |          | Lead Bytes                |        |          |        |
   +----------+---------------------------+--------+----------+--------+
   |          | *Large Variable Raw Size  |        |          |        |
   |          | Code*                     |        |          |        |
   +----------+---------------------------+--------+----------+--------+
   | 7AAA#### | String Base64 Only with 0 |   4    |    4     |   8    |
   |          | Lead Bytes                |        |          |        |
   +----------+---------------------------+--------+----------+--------+
   | 8AAA#### | String Base64 Only with 1 |   4    |    4     |   8    |
   |          | Lead Byte                 |        |          |        |
   +----------+---------------------------+--------+----------+--------+
   | 9AAA#### | String Base64 Only with 2 |   4    |    4     |   8    |
   |          | Lead Bytes                |        |          |        |
   +----------+---------------------------+--------+----------+--------+

                                  Table 2







Feairheller              Expires 1 February 2024               [Page 10]

Internet-Draft                 CESR-PROOF                      July 2023


3.3.  CESR Signature Attachments

   CESR defines several counter codes for attaching signatures to
   serialized CESR event messages.  For KERI event messages, the
   signatures in the attachments apply to the entire serialized content
   of the KERI event message.  As all KERI event messages are SADs, the
   same rules for signing a KERI event message applies to signing SADs
   for CESR Proof Signatures.  A brief review of CESR signatures for
   transferable and non-transferable identifiers follows.  In addition,
   signatures on nested content must be specified.

3.3.1.  Signing SAD Content

   Signatures on SAD content require signing the serialized encoding
   format of the data ensuring that the signature applies to the data
   over the wire.  The serialization for any SAD is identified in the
   version string which can be found in the v field of any KERI event
   message or ACDC credential.  An example version string follows:

    {
        "v": "KERI10JSON00011c_"
    }

   where KERI is the identifier of KERI events followed by the
   hexidecimal major and minor version code and then the serialized
   encoding format of the event, JSON in this case.  KERI and ACDC
   support JSON, MessagePack and CBOR currently.  Field ordering is
   important when apply cryptographic signatures and all serialized
   encoding formats must support static field ordering.  Serializing a
   SAD starts with reading the version string from the SAD field (v for
   KERI and ACDC events message) to determine the serialized encoding
   format of the message.  The serialized encoding format is used to
   generate the SAID at creation and can not be changed.  The event map
   is serialized using a library that ensures the static field order
   perserved across serialization and deserialization and the private
   keys are used to generate the qualified cryptographic material that
   represents the signatures over the SAD content.

   The same serialized encoding format must be used when nesting a SAD
   in another SAD.  For example, an ACDC credential that was issued
   using JSON can only be embedded and presented in a KERI exn
   presentation event message that uses JSON as its serialized encoding
   format.  That same credential can not be transmitted using CBOR or
   MessagePack.  Controllers can rely on this restriction when verifying
   signatures of embedded SADs.  When processing the signature
   attachments and resolving the data at a given SAD path, the
   serialization of the outter most SAD can be used at any depth of the
   traversal.  New verison string processing does not need to occur at



Feairheller              Expires 1 February 2024               [Page 11]

Internet-Draft                 CESR-PROOF                      July 2023


   nested paths.  However, if credential signature verification is
   pipelined and processed in parallel to the event message such that
   the event message is not avaiable, the version string of the nested
   SAD will still be valid and can be used if needed.

   Each attached signature is accompanied by a SAD Path that indicates
   the content that is signed.  The path must resolve within the
   enveloping SAD to either a nested SAD (map) or a SAID (string) of an
   externally provided SAD.  This of course, includes a root path that
   resolves to the enveloping SAD itself.

3.3.2.  Signatures with Non-Transferable Identifiers

   Non-transferable identifiers only ever have one public key.  In
   addition, the identifier prefix is identical to the qualified
   cryptographic material of the public key and therefore no KEL is
   required to validate the signature of a non-transferable identifier
   [KERI].  The attachment code for witness receipt couplets, used for
   CESR Proof Signatures, takes this into account.  The four character
   couner code -C## is used for non-transferable identifiers and
   contains the signing identfier prefix and the signature [CESR].
   Since the verification key can be extracted from the identifier
   prefix and the identifier can not be rotated, all that is required to
   validate the signature is the identifier prefix, the data signed and
   the signature.

3.3.3.  Signatures with Transferable Identifiers

   Transferable identifiers require full KEL resolution and verfication
   to determine the correct public key used to sign some content [KERI].
   In addition, the attachment code used for transferable identifiers,
   -F## must specify the location in the KEL at which point the
   signature was generated [CESR].  To accomplish this, this counter
   code includes the identifier prefix, the sequence number of the event
   in the KEL, the digest of the event in the KEL and the indexed
   signatures (transferable identifiers support multiple public/private
   keys and require index signatures).  Using all the values, one can
   verify the signature(s) by retrieving the KEL of the identifier
   prefix and determine the key state at the sequence number along with
   validating the digest of the event against the actual event.  Then
   using the key(s) at the determined key state, validate the
   signature(s).









Feairheller              Expires 1 February 2024               [Page 12]

Internet-Draft                 CESR-PROOF                      July 2023


3.4.  Additional Count Codes

   This specification adds two Counter Four Character Codes to the CESR
   Master Code Table for attaching and grouping transposable signatures
   on SAD and nested SAD content.  The first code (-J##) is reserved for
   attaching a SAD path and the associated signatures on the content at
   the resolution of the SAD Path (either a SAD or its associated SAID).
   The second reserved code (-K##) is for grouping all SAD Path
   signature groups under a root path for a given SAD.  The root path in
   the second grouping code provides signature attachment
   transposability for embedding SAD content in other messages.

3.4.1.  SAD Path Signature Group

   The SAD Path Signature Group provides a four character counter code,
   -J##, for attaching an encoded variable length SAD Path along with
   either a transferable index signature group or non-transferable
   identifer receipt couplets.  The SAD Path identifies the content that
   this attachment is signing.  The path must resolve to either a nested
   SAD (map) or a SAID (string) of an externally provided SAD within the
   context of the SAD and root path against which this attachment is
   applied.  Using the following ACDC SAD embedded in a KERI exn
   message:




























Feairheller              Expires 1 February 2024               [Page 13]

Internet-Draft                 CESR-PROOF                      July 2023


   {
     "v": "KERI10JSON00011c_",
     "t": "exn",
     "dt": "2020-08-22T17:50:12.988921+00:00",
     "r": "/credential/offer",
     "a": {
       "credential": { // SIGNATURE TARGET OF TRANSPOSED SAD PATH GROUP
         "v": "ACDC10JSON00011c_",
         "d": "EBdXt3gIXOf2BBWNHdSXCJnFJL5OuQPyM5K0neuniccM",
         "i": "EmkPreYpZfFk66jpf3uFv7vklXKhzBrAqjsKAn2EDIPM",
         "s": "E46jrVPTzlSkUPqGGeIZ8a8FWS7a6s4reAXRZOkogZ2A",
         "a": {
           "d": "EgveY4-9XgOcLxUderzwLIr9Bf7V_NHwY1lkFrn9y2PY",
           "i": "EQzFVaMasUf4cZZBKA0pUbRc9T8yUXRFLyM1JDASYqAA",
           "dt": "2021-06-09T17:35:54.169967+00:00",
           "ri": "EymRy7xMwsxUelUauaXtMxTfPAMPAI6FkekwlOjkggt",
           "LEI": "254900OPPU84GM83MG36",
           "personal": {
             "legalName": "John Doe",
             "home": "Durham"
           }
         }
       }
     }
   }

   the following signature applies to the nested credential SAD signed
   by a transferable identifier using the transferable index signature
   group.  The example is annotated with spaces and line feeds for
   clarity and an accompanied table is provided with comments.

-JAB
6AAEAAA-a-credential
-FAB
E_T2_p83_gRSuAYvGhqV3S0JzYEF2dIa-OCPLbIhBO7Y
-EAB0AAAAAAAAAAAAAAAAAAAAAAB
EwmQtlcszNoEIDfqD-Zih3N6o5B3humRKvBBln2juTEM
-AAD
AA5267UlFg1jHee4Dauht77SzGl8WUC_0oimYG5If3SdIOSzWM8Qs9SFajAilQcozXJVnbkY5stG_K4NbKdNB4AQ
ABBgeqntZW3Gu4HL0h3odYz6LaZ_SMfmITL-Btoq_7OZFe3L16jmOe49Ur108wH7mnBaq2E_0U0N0c5vgrJtDpAQ
ACTD7NDX93ZGTkZBBuSeSGsAQ7u0hngpNTZTK_Um7rUZGnLRNJvo5oOnnC1J2iBQHuxoq8PyjdT3BHS2LiPrs2Cg










Feairheller              Expires 1 February 2024               [Page 14]

Internet-Draft                 CESR-PROOF                      July 2023


   +==============================================+====================+
   | code                                         | description        |
   +==============================================+====================+
   | -JAB                                         | SAD path           |
   |                                              | signature group    |
   |                                              | counter code 1     |
   |                                              | following the      |
   |                                              | group              |
   +----------------------------------------------+--------------------+
   | 6AAEAAA-a-credential                         | encoded SAD        |
   |                                              | path               |
   |                                              | designation        |
   +----------------------------------------------+--------------------+
   | -FAB                                         | Trans Indexed      |
   |                                              | Sig Groups         |
   |                                              | counter code 1     |
   |                                              | following group    |
   +----------------------------------------------+--------------------+
   | E_T2_p83_gRSuAYvGhqV3S0JzYEF2dIa-OCPLbIhBO7Y | trans prefix of    |
   |                                              | signer for sigs    |
   +----------------------------------------------+--------------------+
   | -EAB0AAAAAAAAAAAAAAAAAAAAAAB                 | sequence number    |
   |                                              | of est event of    |
   |                                              | signer's public    |
   |                                              | keys for sigs      |
   +----------------------------------------------+--------------------+
   | EwmQtlcszNoEIDfqD-Zih3N6o5B3humRKvBBln2juTEM | digest of est      |
   |                                              | event of           |
   |                                              | signer's public    |
   |                                              | keys for sigs      |
   +----------------------------------------------+--------------------+
   | -AAD                                         | Controller         |
   |                                              | Indexed Sigs       |
   |                                              | counter code 3     |
   |                                              | following sigs     |
   +----------------------------------------------+--------------------+
   | AA5267...4AQ                                 | sig 0              |
   +----------------------------------------------+--------------------+
   | ABBgeq...pAQ                                 | sig 1              |
   +----------------------------------------------+--------------------+
   | ACTD7N...2Cg                                 | sig 2              |
   +----------------------------------------------+--------------------+

                                  Table 3

   The next example demostrates the use of a non-transferable identifier
   to sign SAD content.  In this example, the entire nested SAD located
   at the a field is signed by the non-transferable identfier:



Feairheller              Expires 1 February 2024               [Page 15]

Internet-Draft                 CESR-PROOF                      July 2023


-JAB
5AABAA-a
-CAB
BmMfUwIOywRkyc5GyQXfgDA4UOAMvjvnXcaK9G939ArM
0BT7b5PzUBmts-lblgOBzdThIQjKCbq8gMinhymgr4_dD0JyfN6CjZhsOqqUYFmRhABQ-vPywggLATxBDnqQ3aBg

   +==============================================+====================+
   | code                                         | description        |
   +==============================================+====================+
   | -JAB                                         | SAD path           |
   |                                              | signature group    |
   |                                              | counter code 1     |
   |                                              | following the      |
   |                                              | group              |
   +----------------------------------------------+--------------------+
   | 5AABAA-a                                     | encoded SAD        |
   |                                              | path               |
   |                                              | designation        |
   +----------------------------------------------+--------------------+
   | -CAB                                         | NonTrans           |
   |                                              | witness receipt    |
   |                                              | couplet            |
   +----------------------------------------------+--------------------+
   | BmMfUwIOywRkyc5GyQXfgDA4UOAMvjvnXcaK9G939ArM | non-trans          |
   |                                              | prefix of          |
   |                                              | signer of sig      |
   +----------------------------------------------+--------------------+
   | 0BT7b5... aBg                                | sig                |
   +----------------------------------------------+--------------------+

                                  Table 4

3.4.2.  SAD Path Groups

   The SAD Path Group provides a four character counter code, -K##, for
   attaching encoded variable length *root* SAD Path along with 1 or
   more SAD Path Signature Groups.  The root SAD Path identifies the
   root context against which the paths in all included SAD Path
   Signature Groups are resolved.  When parsing a SAD Path Group, if the
   root path is the single - character, all SAD paths are treated as
   absolute paths.  Otherwise, the root path is prepended to the SAD
   paths in each of the SAD Path Signature Groups.  Given the following
   snippet of a SAD Path Group:

   -KAB6AABAAA--JAB5AABAA-a...






Feairheller              Expires 1 February 2024               [Page 16]

Internet-Draft                 CESR-PROOF                      July 2023


   The root path is the single - character meaning that all subsequent
   SAD Paths are absolute and therefore the first path is resolved as
   the a field of the root map of the SAD as seen in the following
   example:

   {
     "v": "ACDC10JSON00011c_",
     "d": "EBdXt3gIXOf2BBWNHdSXCJnFJL5OuQPyM5K0neuniccM",
     "i": "EmkPreYpZfFk66jpf3uFv7vklXKhzBrAqjsKAn2EDIPM",
     "s": "E46jrVPTzlSkUPqGGeIZ8a8FWS7a6s4reAXRZOkogZ2A",
     "a": {  // SIGNATURE TARGET OF SAD PATH GROUP
       "d": "EgveY4-9XgOcLxUderzwLIr9Bf7V_NHwY1lkFrn9y2PY",
       "i": "EQzFVaMasUf4cZZBKA0pUbRc9T8yUXRFLyM1JDASYqAA",
       "dt": "2021-06-09T17:35:54.169967+00:00",
       "ri": "EymRy7xMwsxUelUauaXtMxTfPAMPAI6FkekwlOjkggt",
       "LEI": "254900OPPU84GM83MG36",
       "personal": {
         "legalName": "John Doe",
         "city": "Durham"
       }
     }
   }

3.4.2.1.  Transposable Signature Attachments

   To support nesting of signed SAD content in other SAD content the
   root path of SAD Path Groups or the path of a SAD Path Signature
   Group provides transposability of CESR SAD signatures such that a
   single SAD Path Signature Group or an entire SAD Path Group
   attachment can be transposed across envelope boundaries by updating
   the single path or root path to indicate the new location.  Extending
   the example above, the SAD content is now embedded in a KERI exn
   event message as follows:


















Feairheller              Expires 1 February 2024               [Page 17]

Internet-Draft                 CESR-PROOF                      July 2023


   {
     "v": "KERI10JSON00011c_",
     "t": "exn",
     "dt": "2020-08-22T17:50:12.988921+00:00"
     "r": "/credential/offer"
     "a": {
       "v": "ACDC10JSON00011c_",
       "d": "EBdXt3gIXOf2BBWNHdSXCJnFJL5OuQPyM5K0neuniccM",
       "i": "EmkPreYpZfFk66jpf3uFv7vklXKhzBrAqjsKAn2EDIPM",
       "s": "E46jrVPTzlSkUPqGGeIZ8a8FWS7a6s4reAXRZOkogZ2A",
       "a": { // SIGNATURE TARGET OF TRANSPOSED SAD PATH GROUP
         "d": "EgveY4-9XgOcLxUderzwLIr9Bf7V_NHwY1lkFrn9y2PY",
         "i": "EQzFVaMasUf4cZZBKA0pUbRc9T8yUXRFLyM1JDASYqAA",
         "dt": "2021-06-09T17:35:54.169967+00:00",
         "ri": "EymRy7xMwsxUelUauaXtMxTfPAMPAI6FkekwlOjkggt",
         "LEI": "254900OPPU84GM83MG36",
         "personal": {
           "legalName": "John Doe",
           "city": "Durham"
         }
       }
     }
   }

   The same signature gets transposed to the outer exn SAD by updating
   the root path of the -K## attachment:

   -KAB5AABAA-a-JAB5AABAA-a...

   Now the SAD Path of the first signed SAD content resolves to the a
   field of the a field of the streamed exn message

3.5.  Small Variable Raw Size SAD Path Code

   The small variable raw side code reserved for SAD Path encoding is A
   which results in the addition of 3 entries (4A##, 5A## and 6A##) in
   the Master Code Table for each lead byte configuration.  These codes
   and their use are discussed in detail in CESR Encoding for SAD Path
   Language.

4.  Nested Partial Signatures

   Additional signatures on nested content can be included in a SAD Path
   Group and are applied to the serialized data at the resolution of a
   SAD path in a SAD.  Signatures can be applied to the SAID or an
   entire nested SAD.  When verifying a CESR Proof Signature, the
   content at the resolution of the SAD path is the data that was
   signed.  The choice to sign a SAID or the full SAD effects how the



Feairheller              Expires 1 February 2024               [Page 18]

Internet-Draft                 CESR-PROOF                      July 2023


   data may be used in presentations and the rules for verifying the
   signature.

4.1.  Signing Nested SADs

   When signing nested SAD content, the serialization used at the time
   of signing is the only serialization that can be used when presenting
   the signed data.  When transposing the signatures and nesting the
   signed data, the enveloping SAD must use the same serialization that
   was used to create the signatures.  This is to ensure that all
   signatures apply to the data over the wire and not a transformation
   of that data.  The serialization can be determined from the version
   field (v) of the nested SAD or any parent of the nested SAD as they
   are guaranteed to be identical.  Consider the following ACDC
   Credential SAD:

   {
     "v": "ACDC10JSON00011c_",
     "d": "EBdXt3gIXOf2BBWNHdSXCJnFJL5OuQPyM5K0neuniccM",
     "i": "EmkPreYpZfFk66jpf3uFv7vklXKhzBrAqjsKAn2EDIPM",
     "s": "E46jrVPTzlSkUPqGGeIZ8a8FWS7a6s4reAXRZOkogZ2A",
     "a": {   // SIGNATURE TARGET OF SAD PATH GROUP
       "d": "EgveY4-9XgOcLxUderzwLIr9Bf7V_NHwY1lkFrn9y2PY",
       "i": "EQzFVaMasUf4cZZBKA0pUbRc9T8yUXRFLyM1JDASYqAA",
       "dt": "2021-06-09T17:35:54.169967+00:00",
       "ri": "EymRy7xMwsxUelUauaXtMxTfPAMPAI6FkekwlOjkggt",
       "LEI": "254900OPPU84GM83MG36",
       "personal": {
         "d": "E2X8OLaLnM0XRQEYgM5UV3bZmWg3UUn7CP4SoKkvsl-s",
           "first": "John",
           "last": "Doe"
       }
     }
   }

   To sign the SAD located at the path -a, JSON serialization would be
   used because the SAD at that path does not have a version field so
   the version field of its parent is used.  The serialization rules
   (spacing, field ordering, etc) for a SAD would be used for the SAD
   and the serialization encoding format and the signature would be
   applied to the bytes of the JSON for that map.  Any presentation of
   the signed data must always include the fully nested SAD.  The only
   valid nesting of this credential would be as follows:








Feairheller              Expires 1 February 2024               [Page 19]

Internet-Draft                 CESR-PROOF                      July 2023


   {
     "v": "KERI10JSON00011c_",
     "t": "exn",
     "dt": "2020-08-22T17:50:12.988921+00:00"
     "r": "/credential/apply"
     "a": {
       "v": "ACDC10JSON00011c_",
       "d": "EBdXt3gIXOf2BBWNHdSXCJnFJL5OuQPyM5K0neuniccM",
       "i": "EmkPreYpZfFk66jpf3uFv7vklXKhzBrAqjsKAn2EDIPM",
       "s": "E46jrVPTzlSkUPqGGeIZ8a8FWS7a6s4reAXRZOkogZ2A",
       "a": {   // FULL SAD MUST BE PRESENT
         "d": "EgveY4-9XgOcLxUderzwLIr9Bf7V_NHwY1lkFrn9y2PY",
         "i": "EQzFVaMasUf4cZZBKA0pUbRc9T8yUXRFLyM1JDASYqAA",
         "dt": "2021-06-09T17:35:54.169967+00:00",
         "ri": "EymRy7xMwsxUelUauaXtMxTfPAMPAI6FkekwlOjkggt",
         "LEI": "254900OPPU84GM83MG36",
         "legalName": {
           "d": "E2X8OLaLnM0XRQEYgM5UV3bZmWg3UUn7CP4SoKkvsl-s",
           "first": "John",
           "last": "Doe"
         }
       }
     }
   }

4.2.  Signing SAIDs

   Applying signatures to a SAD with SAIDs in place of fully expanded
   nested SAD content enables compact credentials for domains with
   bandwidth restrictions such as IoT.  Consider the following fully
   expanded credential:




















Feairheller              Expires 1 February 2024               [Page 20]

Internet-Draft                 CESR-PROOF                      July 2023


   {
       "v": "ACDC10JSON00011c_",
       "d": "EBdXt3gIXOf2BBWNHdSXCJnFJL5OuQPyM5K0neuniccM",
       "i": "EmkPreYpZfFk66jpf3uFv7vklXKhzBrAqjsKAn2EDIPM",
       "s": "E46jrVPTzlSkUPqGGeIZ8a8FWS7a6s4reAXRZOkogZ2A",
       "a": {
         "d": "EgveY4-9XgOcLxUderzwLIr9Bf7V_NHwY1lkFrn9y2PY",
         "i": "EQzFVaMasUf4cZZBKA0pUbRc9T8yUXRFLyM1JDASYqAA",
         "dt": "2021-06-09T17:35:54.169967+00:00",
         "ri": "EymRy7xMwsxUelUauaXtMxTfPAMPAI6FkekwlOjkggt",
         "LEI": "254900OPPU84GM83MG36",
         "legalName": {
           "d": "E2X8OLaLnM0XRQEYgM5UV3bZmWg3UUn7CP4SoKkvsl-s",
           "n": "sKHtYSiCdlibuLDS2PTJg1AZXtPhaySZ9O3DoKrRXWY",
           "first": "John
           "middle": "William"
           "last": "Doe"
         },
         "address": {
           "d": "E-0luqYSg6cPcMFmhiAz8VBQObZLmTQPrgsr7Z1j6CA4",
           "n": "XiSoVDNvqV8ldofPyTVqQ-EtVPlkIIQTln9Ai0yI05M",
           "street": "123 Main St",
           "city": "Salt Lake City",
           "state": "Utah",
           "zipcode": "84157"
         },
         "phone": {
           "d": "E6lty8H2sA_1acq8zg89_kqF194DbF1cDpwA7UPtwjPQ",
           "n": "_XKNVntbcIjp12DmsAGhv-R7JRwuzjD6KCHC7Fw3zvU"
           "mobile": "555-121-3434",
           "home": "555-121-3435",
           "work": "555-121-3436",
           "fax": "555-121-3437"
         }
       }
     }
   }

   The three nested blocks of the a block legalName, address and phone
   are SADs with a SAID in the d field and are candidates for SAID
   replacement in an issued credential.  A compact credential can be
   created and signed by replacing those three nested blocks with the
   SAID of each nested SAD.  The schema for this verifiable credential
   would need to specify conditional subschema for the field labels at
   each nesting location that requires the full schema of the nested SAD
   or a string for the SAID.  The commitment to a SAID in place of a SAD
   contains nearly the same cryptographic integrity as a commitment to
   the SAD itself since the SAID is the qualified cryptographic material



Feairheller              Expires 1 February 2024               [Page 21]

Internet-Draft                 CESR-PROOF                      July 2023


   of a digest of the SAD.  The same credential could be converted to a
   compact credential containing the SAIDs of each nested block and
   signed as follows:

   {
      "v": "ACDC10JSON00011c_",
      "d": "EBdXt3gIXOf2BBWNHdSXCJnFJL5OuQPyM5K0neuniccM",
      "i": "EmkPreYpZfFk66jpf3uFv7vklXKhzBrAqjsKAn2EDIPM",
      "s": "E46jrVPTzlSkUPqGGeIZ8a8FWS7a6s4reAXRZOkogZ2A",
      "a": {
        "d": "EgveY4-9XgOcLxUderzwLIr9Bf7V_NHwY1lkFrn9y2PY",
        "i": "EQzFVaMasUf4cZZBKA0pUbRc9T8yUXRFLyM1JDASYqAA",
        "dt": "2021-06-09T17:35:54.169967+00:00",
        "ri": "EymRy7xMwsxUelUauaXtMxTfPAMPAI6FkekwlOjkggt",
        "LEI": "254900OPPU84GM83MG36",
        "legalName": "E2X8OLaLnM0XRQEYgM5UV3bZmWg3UUn7CP4SoKkvsl-s",
        "address": "E-0luqYSg6cPcMFmhiAz8VBQObZLmTQPrgsr7Z1j6CA4",
        "phone": "E6lty8H2sA_1acq8zg89_kqF194DbF1cDpwA7UPtwjPQ"
      }
   }

   It is important to note that if this version of the credential is the
   one issued to the holder and the signature over the entire credential
   is on the serialized data of this version of the credential it is the
   only version that can be presented.  The full SAD data of the three
   nested blocks would be delivered out of band from the signed
   credential.  The top level schema would describe the blocks with
   conditional subschema for each section.  The credential signature
   becomes a cryptographic commitment to the contents of the overall
   credential as well as the content of each of the blocks and will
   still validate the presented credential with significantly less
   bandwidth.

   With this approach, credential presentation request and exchange
   protocols can be created that modify the schema with the conditional
   subschema, removing the conditions that allow for SAIDs in place of
   the required (or presented) nested blocks.  The modified schema can
   be used in such a protocol to indicate the required sections to be
   delivered out of bounds or as a commitment to provide the nested
   blocks after the crendential presentation has occurred.

5.  Conventions and Definitions

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in
   BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.



Feairheller              Expires 1 February 2024               [Page 22]

Internet-Draft                 CESR-PROOF                      July 2023


6.  Security Considerations

   TODO Security

7.  IANA Considerations

   The Internet Assigned Numbers Authority (IANA) is a standards
   organization that oversees global IP address allocation, autonomous
   system number allocation, root zone management in the Domain Name
   System (DNS), media types, and other Internet Protocol-related
   symbols and Internet numbers.

   This document has no IANA actions.

8.  References

8.1.  Normative References

   [ACDC]     Smith, S., "Authentic Data Chained Containers", 2021,
              <https://datatracker.ietf.org/doc/draft-ssmith-acdc/>.

   [CESR]     Smith, S., "Composable Event Streaming Representation
              (CESR)", 2021,
              <https://datatracker.ietf.org/doc/draft-ssmith-cesr/>.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/rfc/rfc2119>.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017, <https://www.rfc-editor.org/rfc/rfc8174>.

   [SAID]     Smith, S., "Self-Addressing IDentifier (SAID)", 2021,
              <https://datatracker.ietf.org/doc/draft-ssmith-said/>.

8.2.  Informative References

   [CBOR]     "CBOR Mapping Object Codes", n.d.,
              <https://en.wikipedia.org/wiki/CBOR>.

   [JSON]     "JavaScript Object Notation Delimeters", n.d.,
              <https://www.json.org/json-en.html>.







Feairheller              Expires 1 February 2024               [Page 23]

Internet-Draft                 CESR-PROOF                      July 2023


   [JSONPath] Gössner, S., Normington, G., and C. Bormann, "JSONPath -
              Query expressions for JSON", 25 October 2021,
              <https://datatracker.ietf.org/doc/draft-ietf-jsonpath-
              base/>.

   [KERI]     Smith, S., "Key Event Receipt Infrastructure (KERI)",
              2021, <https://arxiv.org/abs/1907.02143>.

   [MGPK]     "Msgpack Mapping Object Codes", n.d.,
              <https://github.com/msgpack/msgpack/blob/master/spec.md>.

   [RFC6901]  Bryan, P. C., Zyp, K., and M. Nottingham, "JavaScript
              Object Notation (JSON) Pointer", 2003,
              <https://datatracker.ietf.org/doc/html/rfc6901>.

   [RFC8949]  Bormann, C. and P. Hoffman, "Concise Binary Object
              Representation (CBOR)", 4 December 2020,
              <https://datatracker.ietf.org/doc/rfc8949/>.

Acknowledgments

   Dr Sam Smith, Kevin Griffin and the Global Legal Entity Identifier
   Foundation (GLEIF)

Author's Address

   Phil Feairheller
   GLEIF
   Email: Philip.Feairheller@gleif.org






















Feairheller              Expires 1 February 2024               [Page 24]