Add "Relay Attacks" to security considerations #1041
Comments
|
Related thread from RATs WG at IETF: |
|
IMO, we cannot say when relay is legitimate. We can only point out under which circumstances relay can happen and what verifiers can do to mitigate that risk. I suggest, after we merge PR #1054, we extend the security considerations section to add some language around relay. |
|
This issue is blocked by the holder binding discussion. It really depends on whether such a feature is available. It makes a difference for the security consideration section whether a VC has some protection against impersonation or not. |
|
Closing this issue, I think it is not addressable in the core data model, it applies to securing formats. |
You opened this as a Security Consideration, which it remains, and which does not require addressing in the core data model — Security Considerations are about awareness and consideration regarding whatever deployment... So I don't understand its closure, as opposed to adding a few sentences to the Security Considerations section. |
|
@TallTed you are welcome to raise a new issue or file a PR that implements changes you want to see. |
covering cases where challenges are forwarded / related to holder binding / VPs, etc...
We should describe when relay is legitimate, and where it might cause problems.
relevant attacks on in person presentation, or man in the middle... etc.
The text was updated successfully, but these errors were encountered: