Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Relation between the did id and the issuerId in the anoncreds resources? #2

Open
TimoGlastra opened this issue Apr 30, 2024 · 5 comments
Open

Relation between the did id and the issuerId in the anoncreds resources? #2

TimoGlastra opened this issue Apr 30, 2024 · 5 comments

Comments

@TimoGlastra
Copy link

The anoncreds resources in the example contain an issuerId. Should there be some verification between the did:web and the value of issuerId?

Or should maybe the issuerId be omitted from the hosted resource, and inject by the resolver? So there's no way to spoof the issuerId of a resource?
This was referenced Apr 30, 2024
Open
Merged
@genaris
Copy link
Contributor

genaris commented May 2, 2024

I think it would be simpler to keep original object structure (including their issuerId) in the hosted resource. But I agree with you that it will be good for resolvers to do the matching between the DID resolved and the issuerId of the objects.

@PatStLouis do you remember any reason why we left this particular point open other than simplicity? BTW @TimoGlastra opened some good points for discussion here, it would be nice if you can review them!

@PatStLouis
Copy link
Collaborator

My PoC implementation was directly derived from the spec. issuerId is part of the schema JSON structure to be published. This was also before the recent CWU from BCGov and based on experimental anoncreds in w3c work from the time.

@TimoGlastra the schema issuer may be different than the cred def issuer. Multiple issuers could publish a cred def from a common schema published by an author as is the case with indy-based anoncreds issuance. So the relationship from the VC issuer's did and the schema author's did may or may not exist. The issuerId from the cred_def resource and the schema resource might not be the same. The VC issuer must match the cred_def issuer, the same way a VC issuer would need to match the did in control of the verification method of other cryptographic suites.

I think the verification between the did:web and the issuerId value of the schema would fall into the controllers business rules but since there's no cryptographic elements at play I wouldn't see a security issue here, maybe I'm wrong? What current verification happens on into around the did that published the schema of a credential?

{
  "issuer":"did:web:my.did.web",
  "credentialSchema": {
    "type":"AnonCredsDefinition",
    "id":"did:web:my.did.web#123,
    "schema":"did:web:some.other.did.web#123
  },
  "proof": {
    "type": "DataIntegrity",
    "cryptosuite": "anoncreds-2024",
    "verificationMethod":  "did:web:my.did.web#123"
  }
}

I'm against resolvers injecting data as this can create interop issues. This is a problem with did:indy resolvers and did:key resolvers.

If it was up to me I would get rid of the schema resource entirely and just include this information in the cred_def 🤷

@TimoGlastra
Copy link
Author

Thanks for the input @PatStLouis.

I agree that the cred def issuer and schema issuer don't have to be the same.

The thing I'm concerned about is e.g a schema with the following content:

{
  "issuerId": "did:web:usa.gov",
  "name": "Example schema",
  "version": "0.0.1",
  "attrNames": ["name", "age", "vmax"]
}

while the schema id is: did:web:maliciousActor.com?service=anoncreds&relativeRef=/123.

There should be a relation between the schema/cred-def and the did it is linked to. With did:cheqd and did:indy this is handled by the blockchain (cheqd with did-linked resources, while for indy anoncreds support is baked into the blockchain)

I'm against resolvers injecting data as this can create interop issues. This is a problem with did:indy resolvers and did:key resolvers.

I see this more as a specification issue in that case. For did:cheqd we on purpose don't store the issuerId in the resource and inject it in the client, as the data inside a resource is not validated while we have verified the resource is linked to a did (which we know in the client) . This makes it less prone to security issues as there's only one place where you can find the value. If we were to add the issuerId to the resource, an implementation needs to check it against the did of the resource to be sure the issuerId is valid, which adds one more security check that a client needs to implement.

In the Credo implementation I now made a PR to always ensure the issuerId and the did that links to it are the same, to prevent spoofing of the issuerId value in a published schema/cred-def/rev-reg

@TimoGlastra
Copy link
Author

Maybe it would also be interesting to look at signing of the anoncreds objects with your did:web? That way the anoncreds object is undeniably linked and published by a did?

@PatStLouis
Copy link
Collaborator

I see what you mean, in this case yes there should be a check for this, the issuerId value must match the did included in the resource id. I'm un-opinionated in if this should be in the resource object or not, it feels like having it present is an additional security measure that proves this schema was intended to be referenced by this ID and provides information as to where it comes from.

Signing these resources is also interesting.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@genaris @TimoGlastra @PatStLouis