Coder Social home page Coder Social logo

Comments (10)

OR13 avatar OR13 commented on July 19, 2024 2

I am concerned about the "verifiable presentation" side of this.

In relation to securing protocols that use "audience / domain", "nonce / challenge".

If these protocol parameters are not secured, or checked during presentation verification, there can be serious security issues impacting authentication.

from vc-data-model.

msporny avatar msporny commented on July 19, 2024 1

@awoie, would making these normative requirements on securing mechanism specifications work for you? For example:

  • Securing mechanism specifications MUST have protected all the data in the conforming document returned by the securing mechanism verification algorithm. ALTERNATIVE: Non-protected data MUST NOT be returned in the conforming document returned by the securing mechanism verification algorithm.
  • Securing mechanism specifications SHOULD protect information referenced by a URL that is critical to validation. Mechanisms that can achieve this protection include: relatedResource, digestSRI, digestMultibase, well-known permanently cached URLs (such as JSON-LD Context URLs), and RDF Canonicalization (for JSON-LD Context URLs).

from vc-data-model.

msporny avatar msporny commented on July 19, 2024

@OR13 wrote:

If these protocol parameters are not secured, or checked during presentation verification, there can be serious security issues impacting authentication.

Yes, and the language that has been proposed covers those cases. What concrete text are you looking to have added to the specification to cover your concern?

from vc-data-model.

msporny avatar msporny commented on July 19, 2024

PR #1380 has been raised to address this issue. This issue will be closed once PR #1380 has been merged.

from vc-data-model.

awoie avatar awoie commented on July 19, 2024

I'd also miss something like the following:

  • A securing mechanism MUST protect the integrity of the verifiable credential
  • A securing mechanism MUST verify the authorship of the verifiable credential (although this could be a requirement for the algorithm but in the VCDM)

Are we intentionally allowing strange securing mechanisms? These are extreme examples but the current definition would allow securing mechanisms such as phoning home to the issuer; having to call some random number on the phone etc.

from vc-data-model.

awoie avatar awoie commented on July 19, 2024

From a verifier perspective especially now that we have the verification algorithm in the VCDM, I want to know what I get when I execute the security mechanism verification algorithm successfully.

from vc-data-model.

awoie avatar awoie commented on July 19, 2024

If we cannot make such general statements about securing mechanism verification algorithms, then we should add to the specification that the verifier MUST understand how the securing mechanism secures the verifiable credential and verifiers SHOULD not treat all securing mechanisms as equal.

from vc-data-model.

awoie avatar awoie commented on July 19, 2024

I made some suggestions in the PR

from vc-data-model.

iherman avatar iherman commented on July 19, 2024

The issue was discussed in a meeting on 2023-12-13

  • no resolutions were taken
View the transcript

2.13. Specify guarantees that all securing mechanisms must provide. (issue vc-data-model#1374)

See github issue vc-data-model#1374.

Brent Zundel: specify requirements for securing mechanisms.
… a PR exists.

See github pull request vc-data-model#1380.

Brent Zundel: there is a request for changes from oliver.

Manu Sporny: seems we are on a good trajectory, one thing that is concerning, he is saying verifier needs to know who the issuer of a VC is.
… that sounds like validation.
… I will try to make that a part of it, but I don't want to cover trust frameworks, or trust lists.
… the current text can be made clearer... the securing mechanism should not need to understand our data model.
… I will try to address oliver's suggestions.

from vc-data-model.

msporny avatar msporny commented on July 19, 2024

PR #1380 has been merged, remaining concerns tracked in issue #1386, closing.

from vc-data-model.

Related Issues (20)

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.