-
Notifications
You must be signed in to change notification settings - Fork 69
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Reworded security section about NDEF signature #518
Conversation
index.html
Outdated
these, the NFC Forum introduced [[NDEF-SIGNATURE]]. | ||
In order to protect the integrity and authenticity of NDEF messages, the NFC | ||
Forum introduced [[NDEF-SIGNATURE]]. Signing NDEF records prevents malicious | ||
use of NFC tags. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
but it is also the other way around.
This sounds like you harden the tag instead, but it also allows the reader to only accept such hardened tags and thus hardens the reader as well
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That's not how I intended to be understood ;)
How would you rephrase it?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would remove "Signing NDEF records prevents malicious use of NFC tags."
That is inaccurate.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I've removed it.
@@ -4080,11 +4080,9 @@ <h3>Parsing content</h3> | |||
<!-- - - - - - - - - - - - - Security and Privacy - - - - - - - - - - - - - --> | |||
<section> <h2 id="security">Security and Privacy</h2> | |||
<p> | |||
NFC technology involves multiple levels of security. Payments done with NFC | |||
are considered to be secure at hardware level, but the whole software stack | |||
needs to be security hardened. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would add a separate sentence, like
"As general security measure, the whole software stack needs to be security hardened".
And place where you think it adds most clarity/value.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This seems obvious to me and not specific to Web NFC, don't you think?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
IIRC security reviewers insisted on stating the obvious :), but it's the editors' call, indeed.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
WDYT of ae9e547
We already take that data as untrusted. |
I'll let you update the explainer and I'll remove it. |
Preview | Diff