shc-covid19-decoder

Read public key location from iss in QR code - Fixes CA SHC

Open thardie opened this issue 3 years ago • 2 comments

  • Read public key location from iss in QR code - Should allow it to work with any SHC. Fixes CA SHC (Fixes #4)
  • Also updated library version

thardie, Jun 20 '21 17:06

@thardie I would suggest a couple of changes to the approach to avoid someone repeating the Quebec security incident (should they take this code base as a start to a verifier):

  • Have some type of authoritativeIssuerURI (or provided pub key) variable defaulted to null
  • If that variable is configured at start then only download pub keys from that issuer (or use the provided pub key) to validate documents
  • If there is no authoritativeIssuer or provided pub key, then put a warning that the app is running in "debug validation mode (all pub keys accepted)" or something like that and download whatever pub key is at the document issuer (as your patch does now).

@superay123 not sure of the exact reason Quebec doesn't publish their public key, maybe because they don't need it until they rotate to a new pub key (their app is targeting provincial use only initially).

deftdawg, Sep 06 '21 14:09
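One way to implement the key-source policy suggested in the comment above, as an added example that is not part of the thread or the project's code. The function names, config shape and sample URLs are assumptions; `/.well-known/jwks.json` is the key location the SMART Health Cards specification defines relative to `iss`.

```javascript
// Added example: issuer pinning for an SHC verifier. All names are hypothetical.
const JWKS_PATH = '/.well-known/jwks.json'; // key location relative to `iss` (SHC spec)

// Constructed sample of an already-decoded SHC payload (only `iss` matters here).
const SAMPLE_PAYLOAD = { iss: 'https://issuer.example/shc', nbf: 1624200000, vc: {} };

// Normalise an issuer URL for comparison; accept only a bare https URL.
function canonicalIssuer(iss) {
  const u = new URL(iss); // throws on malformed input
  if (u.protocol !== 'https:' || u.username || u.password || u.search || u.hash) {
    throw new Error(`issuer must be a bare https URL: ${iss}`);
  }
  // URL lowercases the host and drops the default port; strip trailing slashes.
  return u.origin + u.pathname.replace(/\/+$/, '');
}

// Decide which key may validate a card whose payload names `iss`.
// authoritativeIssuerURI and providedPublicKey both default to null.
function selectKeySource(iss, config = {}) {
  const { authoritativeIssuerURI = null, providedPublicKey = null,
          warn = console.warn } = config;
  const docIssuer = canonicalIssuer(iss);

  if (providedPublicKey) {
    // A key supplied at start-up is the trust anchor; nothing is downloaded.
    return { mode: 'pinned-key', key: providedPublicKey, jwksUrl: null };
  }
  if (authoritativeIssuerURI) {
    const trusted = canonicalIssuer(authoritativeIssuerURI);
    // Whole-value comparison: a prefix test would accept
    // https://issuer.example.evil.test for https://issuer.example.
    if (docIssuer !== trusted) {
      throw new Error(`untrusted issuer ${docIssuer}; expected ${trusted}`);
    }
    return { mode: 'pinned-issuer', key: null, jwksUrl: trusted + JWKS_PATH };
  }
  // Nothing configured: the document chooses its own key, so the result
  // says nothing about who issued the card.
  warn('debug validation mode (all pub keys accepted)');
  return { mode: 'debug', key: null, jwksUrl: docIssuer + JWKS_PATH };
}
```

The caller fetches `jwksUrl` (or uses `key`) and only then verifies the JWS signature; a result in `debug` mode should never be shown as a valid card.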

All the suggestions sound great. I'll try and find some time to implement that, so don't merge until I update this PR with those suggestions.

thardie, Sep 06 '21 20:09