PROPOSAL: verifiers MUST cryptographically sign their challenges

Open OR13 opened this issue 3 years ago • 3 comments

Can we remove the optionality from the "challenge" / "domain" part of requesting a presentation... and make it a requirement?

I suggest we do whatever https://github.com/decentralized-identity/waci-presentation-exchange/ does, and use a JWT.

OR13 avatar May 20 '21 19:05 OR13

Options should actually be optional, or defined as a required parameter of a call if required.

mprorock avatar May 20 '21 19:05 mprorock

I like this - the issue of trusting the verifier has come up in several conversations.

Best regards,

Jim

Jim St.Clair

Chief Trust Officer

From: Orie Steele
Sent: Thursday, May 20, 2021 2:44:48 PM
To: w3c-ccg/vc-http-api
Subject: [w3c-ccg/vc-http-api] PROPOSAL: should verifiers cryptographically sign their challenges? (#188)

jstclair2019 avatar May 20 '21 22:05 jstclair2019

We discussed this on the 2022-04-12 telecon. The group discussed how presentations might not always need to be signed. We also discussed how a Verifier App might decide to call credentials/verify or presentations/verify depending on whether a challenge exists for the particular exchange. The challenge might be a question of validation or verification. Signature checks shouldn't be done if the challenge doesn't exist on Verifier systems. @dlongley might not support the notion of making the challenge a JWT; it doesn't seem like a JWT would reduce replay attacks (if that was supposed to solve a replay attack problem).

We need more information from @OR13 to proceed on this item. We do not have enough information to write a PR at this point in time.

msporny avatar Apr 12 '22 20:04 msporny

We discussed this on the 2022-11-08 telecon. The group discussed this issue again and was not sure what the issue is requesting be done to the specification. @dlongley noted that you can implement challenges in an authentic way without using cryptography: generate a challenge and store it; when the signed presentation comes back, you can see if the challenge is in your storage or not. @mavarley noted that transport layer security might already exist on the request, so we might not be able to mandate this for all presentation requests.

The group suggested that we close the issue in 7 days if we do not get more clarity on what this issue is attempting to address. /cc @OR13 @mprorock @mkhraisha

msporny avatar Nov 08 '22 20:11 msporny

I'm ok leaving the recommendation to make the API stateless to profiles; I recommend closing this issue.

OR13 avatar Nov 08 '22 23:11 OR13
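
Added example, not part of the thread and not vc-api project code: a Python comparison of the stored-challenge approach described in the 2022-11-08 comment with a stateless signed challenge, showing the replay point raised in the 2022-04-12 comment. The class names are hypothetical, and an HMAC tag stands in for the JWT signature the issue proposes.

```python
import hashlib
import hmac
import secrets
import time


class StoredChallenges:
    """Stateful verifier: random challenge kept server-side, valid once."""

    def __init__(self, ttl=300):
        self.ttl = ttl
        self._pending = {}  # challenge -> expiry timestamp

    def issue(self, now=None):
        now = time.time() if now is None else now
        challenge = secrets.token_urlsafe(32)
        self._pending[challenge] = now + self.ttl
        return challenge

    def accept(self, challenge, now=None):
        # Called with the challenge taken from a presentation whose proof
        # has already verified. pop() makes every challenge single use.
        now = time.time() if now is None else now
        expiry = self._pending.pop(challenge, None)
        return expiry is not None and now <= expiry


class SignedChallenges:
    """Stateless verifier: the challenge carries its expiry and a MAC tag."""

    def __init__(self, key, ttl=300):
        self.key, self.ttl = key, ttl

    def _tag(self, body):
        return hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()

    def issue(self, now=None):
        now = time.time() if now is None else now
        body = f"{secrets.token_urlsafe(16)}.{int(now + self.ttl)}"
        return f"{body}.{self._tag(body)}"

    def accept(self, challenge, now=None):
        now = time.time() if now is None else now
        body, _, tag = challenge.rpartition(".")
        if not hmac.compare_digest(tag.encode(), self._tag(body).encode()):
            return False  # not issued by this verifier, or tampered with
        try:
            expiry = int(body.rpartition(".")[2])
        except ValueError:
            return False
        return now <= expiry  # authentic, yet replayable until it expires
```

The signed variant proves the challenge came from this verifier without any storage, but the same value is accepted repeatedly inside its lifetime; rejecting replays still needs either a short expiry or a record of used challenges.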