Joseph Heenan

Results 520 comments of Joseph Heenan

To expand on my previous comment, I believe when using wallet attestations for client authentication the attack will fail at step 1 - Aud in the client authentication will be...

Discussed on today's WG call: seemed to be a consensus that wallet attestations do prevent the attack, but use of `iss` may still be a mitigation that could be used...

Further discussion about what we do with IAR in 1.0: It's feeling a bit too rushed and not feeling good enough to ship yet, could be a footgun. Many people...

> When the verifier returns a response (accepting or declining the authorization response) to any one of the requests, an attacker in control of the network can redirect it to...

An attacker with that level of control of the network could always cause a state mismatch though?

> creating a mismatch between the wallet’s state and the verifier’s actual decision....

> the verifier notifies the wallet of the correct processing of the credentials.

(your statement) I didn't go that far - the 200 response from the verifier to the wallet...

Discussed on yesterday's WG call. We think it would be good to include something about verifiers being careful to form json correctly (particularly in the case where they are, e.g.,...

> Thank you @jogu! Do you want me to work on the PR text?

@simoneonofri sure, if you have some ideas on how to address the feedback please feel free...

Marked as 1.1 as I really don't think we should expand the scope of 1.0, but also this is likely a requirement if we want to avoid 23220-3 Annex C...

As per agreement on today's WG call - we don't have the implementation experience to define this before 1.0 goes for wglc / public review. It can be defined as...