Comments (10)
I am concerned about the "verifiable presentation" side of this.
In relation to securing protocols that use "audience / domain", "nonce / challenge".
If these protocol parameters are not secured, or checked during presentation verification, there can be serious security issues impacting authentication.
from vc-data-model.
@awoie, would making these normative requirements on securing mechanism specifications work for you? For example:
- Securing mechanism specifications MUST have protected all the data in the conforming document returned by the securing mechanism verification algorithm. ALTERNATIVE: Non-protected data MUST NOT be returned in the conforming document returned by the securing mechanism verification algorithm.
- Securing mechanism specifications SHOULD protect information referenced by a URL that is critical to validation. Mechanisms that can achieve this protection include:
relatedResource
,digestSRI
,digestMultibase
, well-known permanently cached URLs (such as JSON-LD Context URLs), and RDF Canonicalization (for JSON-LD Context URLs).
from vc-data-model.
@OR13 wrote:
If these protocol parameters are not secured, or checked during presentation verification, there can be serious security issues impacting authentication.
Yes, and the language that has been proposed covers those cases. What concrete text are you looking to have added to the specification to cover your concern?
from vc-data-model.
PR #1380 has been raised to address this issue. This issue will be closed once PR #1380 has been merged.
from vc-data-model.
I'd also miss something like the following:
- A securing mechanism MUST protect the integrity of the verifiable credential
- A securing mechanism MUST verify the authorship of the verifiable credential (although this could be a requirement for the algorithm but in the VCDM)
Are we intentionally allowing strange securing mechanisms? These are extreme examples but the current definition would allow securing mechanisms such as phoning home to the issuer; having to call some random number on the phone etc.
from vc-data-model.
From a verifier perspective especially now that we have the verification algorithm in the VCDM, I want to know what I get when I execute the security mechanism verification algorithm successfully.
from vc-data-model.
If we cannot make such general statements about securing mechanism verification algorithms, then we should add to the specification that the verifier MUST understand how the securing mechanism secures the verifiable credential and verifiers SHOULD not treat all securing mechanisms as equal.
from vc-data-model.
I made some suggestions in the PR
from vc-data-model.
The issue was discussed in a meeting on 2023-12-13
- no resolutions were taken
View the transcript
2.13. Specify guarantees that all securing mechanisms must provide. (issue vc-data-model#1374)
See github issue vc-data-model#1374.
Brent Zundel: specify requirements for securing mechanisms.
… a PR exists.
See github pull request vc-data-model#1380.
Brent Zundel: there is a request for changes from oliver.
Manu Sporny: seems we are on a good trajectory, one thing that is concerning, he is saying verifier needs to know who the issuer of a VC is.
… that sounds like validation.
… I will try to make that a part of it, but I don't want to cover trust frameworks, or trust lists.
… the current text can be made clearer... the securing mechanism should not need to understand our data model.
… I will try to address oliver's suggestions.
from vc-data-model.
PR #1380 has been merged, remaining concerns tracked in issue #1386, closing.
from vc-data-model.
Related Issues (20)
- Consider explicitly allowing/recommending language maps for use in internationalisation. HOT 9
- Example of Use of renderMethod HOT 3
- Suggest to make explicit reference to the JADES standard HOT 8
- EnvelopedVerifiablePresentation missing in https://www.w3.org/ns/credentials/v2 HOT 3
- VC-JWT examples are out-of-date HOT 6
- Inconsistency between spec and schema HOT 2
- Unify cryptographic hash expression formats HOT 4
- Could not define "name" and "description" as attributes of my type HOT 13
- Comments/Suggestions on Privacy Considerations HOT 7
- SD-JWT fields in the v2 context should use `"@type": "@json"` HOT 4
- Ensure reserved terms are in v2 context HOT 2
- Add Security Considerations related to advances in Artificial Intelligence HOT 3
- consider registering `application/vc-ld` and `application/vp-ld` HOT 19
- Imprecise definition of what should be secured in a VP HOT 4
- Re-evaluate support for `@vocab` in base VCDM v2 context HOT 9
- Pin down the input type of verification algorithms HOT 5
- Verification algorithm drops an input map on the floor HOT 4
- Do VCs support transferrability? HOT 1
- Enable GitHub Discussions HOT 5
- Enhance Context Validation HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from vc-data-model.