-
Notifications
You must be signed in to change notification settings - Fork 3
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
This issue documents security fixes to the identity map #95
Comments
Just adding the hash of the claim signer may not sufficient. If the claim signer is a large company with thousands of users, then all I need to do is get an account with the same large claim signer as the victim in order to pass the hash check. Ensuring that the timestamps are within a window of each other probably isn't sufficient because replay attacks could be within a short interval. |
re @puhley
I'm mostly concerned about Claim Signature stripping/replacement attacks, which are likely to happen long after the initial Claim Signature was generated. So, I do think that timestamps are a useful mitigation. The reason I say this is that I hope/expect that users will pick Claim Signers that they trust for the initial signature. |
The claim signer isn't the only one who could conduct the attack. The claim signer could just be a tool used by the attacker for the attack. That is why I said that the "trusted" claim signers would be the ideal target because they would have thousands of users. If the claim signer isn't cross-referencing the identity signature provided with a known identity in their system, then an attacker could send any existing identity signature to the claim signer. There would be claim signers who won't be able to verify that the signed identity assertions that they were provided matches the human behind the account. |
This issue documents the work in signer-payload-fixes and supersedes #67
Fixes in this branch:
The "security goal" encoded in this change/issue is motivated by scenarios where the "butt on the line" is the entity creating the ID assertion. The changes ensure that no substantive changes to the Claim can be made subsequent to the ID assertion being signed.
A PR will be linked soon.
The text was updated successfully, but these errors were encountered: