-
Notifications
You must be signed in to change notification settings - Fork 97
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Specify guarantees that all securing mechanisms must provide. #1374
Comments
@awoie, would making these normative requirements on securing mechanism specifications work for you? For example:
|
I am concerned about the "verifiable presentation" side of this. In relation to securing protocols that use "audience / domain", "nonce / challenge". If these protocol parameters are not secured, or checked during presentation verification, there can be serious security issues impacting authentication. |
@OR13 wrote:
Yes, and the language that has been proposed covers those cases. What concrete text are you looking to have added to the specification to cover your concern? |
I'd also miss something like the following:
Are we intentionally allowing strange securing mechanisms? These are extreme examples but the current definition would allow securing mechanisms such as phoning home to the issuer; having to call some random number on the phone etc. |
From a verifier perspective especially now that we have the verification algorithm in the VCDM, I want to know what I get when I execute the security mechanism verification algorithm successfully. |
If we cannot make such general statements about securing mechanism verification algorithms, then we should add to the specification that the verifier MUST understand how the securing mechanism secures the verifiable credential and verifiers SHOULD not treat all securing mechanisms as equal. |
I made some suggestions in the PR |
The issue was discussed in a meeting on 2023-12-13
View the transcript2.13. Specify guarantees that all securing mechanisms must provide. (issue vc-data-model#1374)See github issue vc-data-model#1374. Brent Zundel: specify requirements for securing mechanisms. See github pull request vc-data-model#1380. Brent Zundel: there is a request for changes from oliver. Manu Sporny: seems we are on a good trajectory, one thing that is concerning, he is saying verifier needs to know who the issuer of a VC is. |
In PR #1338, @awoie noted:
This PR is to track that concern and possibly add guarantees that all securing mechanisms must provide in order to be "conforming securing mechanisms".
The text was updated successfully, but these errors were encountered: