Security considerations on integrity of Type Metadata #221
Comments
|
I was wondering about this part as well when reading the PR. My gut feeling would be that It might make sense to provide some mechanism with signed metadata as an option (for the cases where cannot make meaningful assumptions about the transport/provider of the metadata). |
awoie
added
NEEDS PR
awoie
changed the title
|
The (largely unwritten?) threat model behind all this credential and token stuff assumes trust in the issuer. I recognize this is potentially perceived different because the provider of type metadata is likely/sometimes not the same entity as the issuer. But the issuer still needs to be trusted and if not, aren't there bigger concerns than the integrity of Type Metadata? |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Here are considerations we could put into the security considerations section - or think about a mechanism solving the problem:
Authenticity of Provided Type Metadata
If the Type Metadata is retrieved from an HTTPS URL, it can be assumed that the retrieved information is authentic from the party in control of the URL. However, if the Type Metadata is provided via glue documents by the issuer, no such guarantees are provided and the issuer may accidentally or deliberately deliver outdated/wrong/manipulated Type Metadata. Note that
vct#integrityclaim protects the integrity of the type information, but does not guarantee that the information is authentic. The Issuer may deliver avct#integrityclaim that matches the metadata in the glue documents.The text was updated successfully, but these errors were encountered: