w3c · msporny · Sep 2, 2023 · Aug 21, 2023 · Aug 21, 2023 · Aug 22, 2023
@@ -408,11 +408,12 @@ <h4>DataIntegrityProof</h4>
 `controller`.
           </p>
           <p>
-The `proofValue` property of the proof MUST be an ECDSA or deterministic ECDSA
-signature produced according to [[FIPS-186-5]] using the curves and hashes as
-specified in section <a href="#algorithms"></a>, encoded according to section 7
-of [[RFC4754]] (sometimes referred to as the IEEE P1363 format), and serialized
-according to [[MULTIBASE]] using the base58-btc base encoding.
+The value of the `proofValue` property of the proof MUST be an ECDSA signature produced
+according to [[FIPS-186-5]] and SHOULD use the <em>deterministic</em> ECDSA
+signature variant, produced according to [[FIPS-186-5]] using the curves and
+hashes as specified in section <a href="#algorithms"></a>, encoded according to
+section 7 of [[RFC4754]] (sometimes referred to as the IEEE P1363 format), and
+serialized according to [[MULTIBASE]] using the base58-btc base encoding.
           </p>
 
           <pre class="example nohighlight"
@@ -446,6 +447,8 @@ <h2>Algorithms</h2>
       <p>
 The following section describes multiple Data Integrity cryptographic suites
 that utilize the Elliptic Curve Digital Signature Algorithm (ECDSA) [[FIPS-186-5]].
+When generating ECDSA signatures, the <em>deterministic</em> ECDSA algorithm
+variant SHOULD be used.
       </p>
 
       <section>
@@ -2591,10 +2594,14 @@ <h3>Implementation Considerations for ECDSA Algorithms</h3>
 The failure to properly generate this <em>k</em> value has lead to some highly
 publicized integrity breaches in widely deployed systems. To counter this problem,
 a hash-based method of determining the secret number <em>k</em>, called
-<em>Deterministic ECDSA</em>, is given in [[FIPS-186-5]] and [[RFC6979]].
+<em>deterministic ECDSA</em>, is given in [[FIPS-186-5]] and [[RFC6979]].
+        </p>
+        <p>
 Verification of a ECDSA signature is independent of the method of generating
-<em>k</em>. Hence it is generally recommended to use <em>Deterministic
-ECDSA</em> unless other requirements dictate otherwise.
+<em>k</em>. Hence it is generally recommended to use <em>deterministic
+ECDSA</em> unless other requirements dictate otherwise. For example, using
+different <em>k</em> values results in different signature values for the same
+document which might be a desirable property in some privacy enhancing situations.
         </p>
       </section>
       <section class="informative">
@@ -2663,7 +2670,7 @@ <h2>Privacy Considerations</h2>
     <section class="appendix informative">
       <h2>Test Vectors</h2>
       <p class="note">
-All test vectors are produced using <em>Deterministic ECDSA</em>. The
+All test vectors are produced using <em>deterministic ECDSA</em>. The
 implementation was validated against the test vectors in [[RFC6979]].
       </p>
       <section>