Okay, we're live. Very good. Thank you, David. Thank you to the Hyperledger community for giving us the opportunity today to present the findings of our independent security code review of the Ursa library. My name is Pierre Roberge; I'm the general manager of the Digital Identity Lab. I'm happy to share that today's presentation will also be available in French later in June, scheduled for June 23. I can see some of my French colleagues on the Zoom, so there will be another presentation on June 23 in French. I was told that we're welcoming over 140 people across the globe today, so I'm very happy to have you, and be aware that this event is being recorded. I will ask that you post your questions in the chat; we will answer those questions at the end, and I will be assisted in doing that. Very good. So, today's agenda: a brief introduction about the ID Lab. We need to do a bit of level setting about Hyperledger and Ursa. The bulk of the presentation today will be the genesis, the scope, and the engagement process, describing the engagement process, the findings, and the summary. Today's meeting is really tailored for the Hyperledger enthusiast, the decentralized identity practitioner, and other digital ID program and project managers. If you're particularly looking for the crypto or the security details of the review, I invite you to look at the full report that has been published. It's on the Hyperledger research website. I've encoded the URL here for your convenience, and this is where you'll find all of the details for what will be presented today. So if you want to learn about the journey we went through, if you want to learn about the scope and the conclusions, please stay with us. A small clarification: I am not a cryptographer. And while I'm happy to present here today, I just want to make that clear. So, again, a bit of level setting. Very briefly about the Digital Identity Lab.
The Digital Identity Lab is a not-for-profit organization whose mission is to accelerate the conformity and the interoperability of digital identity. Ultimately, we're an arm's-length, independent organization that exists to promote the adoption of digital identity. We're technology agnostic, we are not an incubator, and we do not develop or sell digital ID technology. So, about Hyperledger and Ursa. Some necessary context setting here to start, for everybody's benefit. Hyperledger is a multi-project open source community. It's a technology stack, primarily looking at blockchain technology and related tools. And there are many uses and adoptions of Hyperledger technology in digital identity rollouts. Ursa specifically is the shared cryptographic library that is being used. It's in a single repository for the various Hyperledger projects. It's being used today by Indy, by Aries, by Fabric, and by others. There are many benefits to having this modular shared library. One is to avoid duplication: crypto implementations are notoriously hard to implement. So having a single library makes it easier for the implementation, avoiding unnecessary duplication of extra work, and makes it easier to apply security reviews and exercises and activities like we've done with this report. The shared library is also the place where there's a team of security experts that can review the implementation. So it's a single location, which substantially simplifies the review, the security analysis, and maintaining the code. Ultimately, the library also provides for cross-platform interoperability. So when two projects use the same library, the same crypto, it's a lot easier for verification because they use the same protocol on both sides. So ultimately it makes it easier for existing projects and for new projects to start from the ground up. I'm sorry, what happened? I'm good.
Okay, so digital identity is being adopted globally, around the world. There are a number of different projects. Canada is home to a number of those projects, led both by public and private sector organizations. Hyperledger technology is being considered in a large number of these projects. So the report finds its genesis, in part, in the due diligence process required for the possible use of Hyperledger technology in production. Already, best practices are in place within Ursa to ensure quality engineering and proper security, but there was no public, arm's-length, independent review that we could find. So some public and private sector organizations retained the services of the ID Lab to perform the security review. A quick parenthesis: Canada is the birthplace of Privacy by Design, from Dr. Ann Cavoukian. And Privacy by Design is reflected in so many ways in how we've deployed digital ID in Canada. So I thought it was appropriate to talk about trust but verify. The work we've done was really in that spirit: trust but verify. We were not expecting a nightmare. We didn't expect a back door. We expected good cyber hygiene, but it's in that trust-but-verify exercise that the work was done, supporting that due diligence process. I mentioned that many organizations require this before they can go live to production. I want to point out that there is perceived value in open source projects: working in the open and working with other like-minded communities of practice is a value. And that was really the spirit under which, right from the beginning, the project sponsors wanted to make this report public, see this report as a public good, and wanted it to benefit the community. So we're quite happy to share those findings with you today.
So, the Ursa library review. The code was examined from a number of different angles: entry points, coding standards, data storage and transfer, and others; you have the bullets there. But briefly, the entry points. This is a library, after all, so there's a large number of functions that have public scope. Bindings are also present, which constitute further means to call the library from client code. This is about 138 entry points just on C linkage, and over Rust it's over 2,700, 2,732 entry points that were analyzed and reviewed. We've done a coding standard review to validate and assess the coding standards utilized in the implementation of the code. We looked at the cryptography and the key management, including but not limited to the random number generator, the key generation, the signing and the verification, and identifying possible backdoors. Data storage and transfer is always part of a security review. We looked at caching, we looked at temporary file creation; that said, for this library we really think about data storage as the responsibility of the client code that is using the library. API security was also looked at. Because it's a library and because it's open source, basically the entire source code has been reviewed to ensure that the entry points were valid and there were no issues that could be linked to or identified there. We looked at some language issues, including memory issues, race conditions, and uncaught exceptions. We looked for possible logical flaws in the implementation. And we also looked at the use of third-party libraries, particularly to assess the sustainability of the Ursa library. On the cryptographic side, we focused on ensuring that the use of cryptography within the library is secure, and we looked at the entropy.
Looking at the method by which the random number generation was done and whether it was deemed appropriate, and we looked at general best practices, so we examined the key lengths and the use of different curves, following best practices in the industry. So, the engagement process. This was about a four-month project from inception to today. We started with a scope and definition, and I've shared those; that was the previous slide. Then we identified which version of the code we wanted to use, so we used the branch for version 0.3.7. Then there was an examination that was done by a group of experts. Following the examination in February, there was validation, and the validation and the remediation were done together, in partnership straight from the beginning with the community. So we had David with us, who was part of this effort, and we also worked with the Ursa representatives, so I would like to name them; they've been key contributors to the work: Hart Montgomery, Mike Lodder, Cam Parra, and Nathan George. These were the Ursa representatives that collaborated with us during the validation and the remediation planning that was put in place. Remediation itself will be done by the Ursa community, but there are action items and plans that were put in place, and today we are reporting and communicating with you on this. So, I've also included in the presentation the link to the report; the URL I encoded earlier is the URL of the report. And the work again was done by a group of people, so we have the Identity Lab, we have the Hyperledger Foundation Ursa group, and consult I period. We're doing well with time. So, the findings summary. Bottom line: it was a very successful review. I think we didn't expect to find any major issue, and we did not find any major issue.
It's always good to have an extra pair of fresh eyes looking at the code, and I think there were some issues, low-severity issues, that were identified and documented. There were some issues around the build process. So we need to be careful with this. There was also a minor issue with possible vulnerabilities in OpenSSL, so I think it's important to use the latest version of OpenSSL and keep track of the vulnerabilities that exist in that project, because if you link the project you inherit those. So it's important; we've identified this for the community to keep an eye on, and that's primarily a build issue. There have been some minor issues related to lack of support for message authentication. Two issues come to mind: one was around the implementation. It does not check that the signature is an element of a prime-order subgroup, and it's always good practice to verify your signature. And there was also something around the public key check in the libursa BLS module. These issues were identified; one was identified as low severity, one was identified as medium severity. The setting of the severity was done with the Ursa team; I think it was accepted as such, and it's being taken care of right now inside the community. There were some minor issues related to subgroup validation. I will not go into the details here. And there was one issue around breaking the unlinkability of the identity mixer using malicious keys. This is probably the biggest surprise in the review. So basically, it was identified that if you have a malicious issuer in an ecosystem, there would be a way for issuers that wanted to collude in the marketplace to do so, and that could be possible.
So further research is being done on this to create a more efficient way to do the proof generation, and the community is looking at addressing this through the general process. I'm going faster than I was planning. All in all, the review concluded that the Hyperledger Ursa project was well maintained, with good engineering and good practices in place. Basically, a clean bill of health could be described as the outcome of the review. I want to thank them for their work: Neil Kettles, Matthew Barker, Justin Gauge, Liz Roy, Francis, Bruce Deli. Thank you very much for your contribution to the report. If there are any specific questions about the Ursa library itself, I invite people to connect to the Discord server of Ursa. I put the encoded URL, the barcode for the URL, there. My name is Pierre Roberge, and I'm happy to have shared these results with you today. Thank you for taking the time to participate today. Thank you for watching. And now we'll take some Q&A.

If there are questions, there are a few different ways you can ask: the Zoom chat is a good option, you can use the raise-hand feature, or you can just come off mute. David, do you want to talk a bit about the exercise, or your learning out of the process? Putting you on the spot.

Um, sure. Let me think. Say more about what you'd like me to cover, just about the community side of things?

Yeah. So basically, I think this project was really done from a community perspective. We have a community of developers that are putting sweat and time into the library; we have a community of users that are looking to adopt.
And I think this was really fostered by the idea that we want to get ready to use Hyperledger technology in production, doing that necessary trust-but-verify exercise. This is really how our sponsors came at it. This is how the Lab came at it. But from a Hyperledger standpoint, how did it go?

Well, sure. In the same way that you're doing a review of the code, I think if somebody's considering adopting an open source project, they may also want to similarly do a review of the community, for example, because no open source project is just a set of code, some code somewhere in some repository; it's the people, the infrastructure, the ecosystem around that code. So, just like we're doing right now: if you're interested in Ursa and you have a question and want to use it, where do you go? Having a healthy community, getting involved in the community, letting people know about what's happening in the community is kind of my angle on things. I'm not super technical myself; I don't really have an opinion on the Ursa code side of things, but in terms of whether the community is a place where somebody who wants to adopt Ursa can go and interact and engage, that is really my angle. So it's great to see us talking about this; it's great to see people join and be interested in the discussion. So I would encourage people to ask questions if they have some, and I see that Tim just posted something in Zoom.

Tim, I see a question here, so I'll read the question: were there any unexpected insights, for example, better ways of architecting, better composability of solutions, etc.?
So, unexpected... I'm not sure; unexpected means different things to different people, but there's a high level of care that needs to be put into the build process. And we could argue whether the build process is part of the library itself or not. But as organizations are looking to adopt the library, I think it's important. And because it's open source, I think you need to put as much care into how your build environment is set up as into the library itself, because we can have a clean library and the build process would still allow for injecting potential risk into it. And so, while there were some issues that were identified as implementation cautions, they are part of the overall equation of end-to-end security, so I invite people to not overlook that or have this in their blind spot. I hope that answers your question, Tim.

Yeah, it's good. Thanks.

Any other questions? When you think you have 30 minutes of material and you realize you have 20. Good. So, while people may be writing their questions, I want to go back. For today's presentation there will be a blog post that will be posted soon. Think about it as something people can share within their project team or within their organization to talk about the review, the findings, and the process. The actual report itself, a 28-page report I believe, is publicly accessible, and you can find it under the Research menu, under Learning. Any other questions? Not yet. Another thing, Tim, maybe I'll go back to your question. There is a balance. There is an issue that was identified around verifying signatures when you're using the library, and I think there's a performance trade-off: do you want to explicitly verify every single signature as you go, or not, for performance reasons?
There was one issue, give me one second here, there was one issue that was identified along those lines. So the libursa BLS module does not check the public key consistently. And this has been considered in the past by the Ursa community; they're aware of this. For performance reasons it was not addressed or changed. The report resulted in an agreement to raise this issue again for further consideration by the Ursa community. So there's a balance of performance and security in production.

So in Canada, there are a number of organizations that are looking at using Hyperledger technology in their rollouts. My understanding, I know that Hyperledger technology broadly is used in the province of Alberta. I'm not sure exactly if they're using Indy. Maybe there's somebody else that can let us know; there are a few Canadians on the call today. But yes, we are aware of a number of deployments in Canada and outside of Canada where Aries and other parts of the Hyperledger technology stack are being used.

Here we are. I'm adding a link to our case studies page on the website; there are some examples of Indy being used there specifically. Here, I'll drop a link specifically: Kiva, for example, is using Indy in Africa for a digital ID system there, and there are some examples. Here, I'll drop another one. This one is a case study about the CU Ledger credit unions. Right. And then you referenced the BC Gov link; I'll drop the BC Gov case studies link right there as well.

So one of Tim's questions is about a broader certification scheme or approach. I think there is a need for a broader certification scheme, and so on. The exercise here was to review the particular implementation. I think that one of the advantages of a shared library is that interoperability that's created by sharing the same library. Where did I add that?
So that is one way to do that, but as the marketplace opens up, as there are more ecosystems or more networks that are using BBS+ signatures and some of the other cryptographic functions that are increasingly common in digital identity, I think there will be a need for it. It would promote adoption if we were able to test those and ensure interoperability between different implementations, but this is over and above the particular work that was done in this report. Well. One last round of questions. I have a lot of people online, so there are a lot of names here. Tim, is your microphone on?

Yeah, sure, I can ask a question, probably in a broader context. For me this is an especially valuable exercise in due diligence, especially, again, where I came from, the public sector. I have to make strategic bets or strategic investments that are very difficult to roll back, and if there's something like a deficiency or an error and it impacts a public sector service, it's really hard to roll back and regain trust. So I just see this as a super valuable exercise, not only for government but for any sector, for that matter, that uses this as a fundamental building block for their solution. So I just want to, first of all, applaud the work; I was really excited to see this report. And it is a missing piece that's necessary in terms of due diligence that goes beyond a single vendor claim or even the claim of the contributors to the project. And this is just an opportunity to see the evolution of these types of efforts into what we're seeing in some more formal standards-based and certification schemes, and I just want to point this out: this is excellent work, but there still is a need. If I was a public sector decision maker, this would give me some comfort; it would enable me to advocate for a solution with eyes wide open on what the risk might be, and it's just another great piece to the corpus, if you will.
Totally agree, and I'll echo what you're saying. I think it's part of that maturity level. I think the Ursa team has done fantastic work in putting together the library, recognizing the need for a common library. The quality of the engineering, the implementation, and the documentation was visible across the code. But this third-party, arm's-length, neutral validation, I think, is another milestone for broader adoption in the marketplace. And so the stage is set, I think, for a number of upcoming product rollouts or service rollouts. The other thing I'll point out is that it's also important for organizations that don't use Hyperledger today. I think that, broadly, if we look at the digital identity industry, there are a number of organizations that are involved; there are many ways of implementing self-sovereign identity or their flavor of digital identity. But we are all in it together, because if one ecosystem fails miserably, it has a ripple effect on the others; there's kind of a brand risk, or a risk to the state of the art. And so even if you are not using Hyperledger today in your organization, maybe you should. But I think you should take comfort in the report showing that the technology stack of Hyperledger has been done properly, and so you can move your attention to something else; it's one less point on your radar. Very good. David, do we want to conclude?

If there aren't any other questions, we certainly can. Thank you, everybody. If you do have other questions while we're here, certainly feel free to ask. And we will also be sharing these... sorry, go ahead.

I'm sharing that the conversation can continue on the Discord server for Ursa as well.
Yeah, that's great, thank you for that. I was going to say I was going to share some of these links with everybody who signed up on the Meetup pages, and I'll add the Discord link as well. I'll put the report and this recording and the Discord link, so everybody can join us there for further discussion.

Actually, did you put the report? Okay, I could put the report; I'm doing two things at the same time. I'll put the link to the report.

Yeah, thanks for adding; I had put a link to the research page but didn't directly drop the report link, but yeah, thanks for adding that.

It's when you want to find it that it doesn't happen. Looks like it just got added. Okay. Oh, thank you, Regis. Excellent. Well, thank you everyone, you have 25 minutes back in your day. And if you were again looking for some of the crunchy technical details or cryptographic details, please enjoy the report; it's available right now. Thank you. Have a great day.

Thanks, everyone. Bye bye. Thanks a lot.