vc-imp-guide
Be suspicious of QR Code flows that don't also check digital signatures at some point
From this article:
https://arstechnica.com/information-technology/2022/05/digital-drivers-license-used-by-4m-australians-is-a-snap-to-forge/
One of the security compromises had to do with the QR Code being trusted in some way without a digital signature being used. It's unclear what, if any, protection mechanism was in place for the QR Code, but what is clear was that it was not a digital signature that was being verified. Or if it was, the signature was created client-side and was not being checked for validity or revocation by the verifier.
Implementers should strive for digitally signed QR Codes. For example, every QR Code in the TruAge age verification program is a unique, digitally signed VC encoded as CBOR-LD and displayed as a QR Code. The verifier must check that the issuer is valid and the signature is valid before processing the data. QR Codes that don't result in a digital signature check happening at some point in the process are asking for trouble. We should provide some guidance to implementers that notes that the use of QR Codes w/o some sort of digital signature validation at some point in the process is dangerous.
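An added example, not part of the original issue and not TruAge code: the order of verifier-side checks for a signed QR payload, in Node.js. The wire format (base64url JSON plus an Ed25519 signature, standing in for CBOR-LD), the `did:example` and `urn:example` identifiers, and all function names are assumptions made for illustration.

```javascript
const crypto = require('crypto');

// Assumed wire format: base64url(JSON credential) + "." + base64url(Ed25519 signature)
function encodeQr(credential, privateKey) {
  const body = Buffer.from(JSON.stringify(credential));
  const sig = crypto.sign(null, body, privateKey);
  return body.toString('base64url') + '.' + sig.toString('base64url');
}

// trustedIssuers: Map(issuer id -> public KeyObject), provisioned out of band.
// revoked: Set of credential ids the issuer has revoked.
function verifyQr(qrText, trustedIssuers, revoked) {
  const parts = qrText.split('.');
  if (parts.length !== 2) return { ok: false, reason: 'malformed' };
  const body = Buffer.from(parts[0], 'base64url');
  const sig = Buffer.from(parts[1], 'base64url');
  let credential;
  try { credential = JSON.parse(body.toString('utf8')); }
  catch { return { ok: false, reason: 'malformed' }; }
  if (!credential || typeof credential !== 'object') return { ok: false, reason: 'malformed' };
  // Nothing in `credential` is trusted yet; the issuer field only selects a registry key.
  const key = trustedIssuers.get(credential.issuer);
  if (!key) return { ok: false, reason: 'untrusted-issuer' };
  // Verify the exact received bytes with the registry's key, never a key carried in the QR.
  if (!crypto.verify(null, body, key, sig)) return { ok: false, reason: 'bad-signature' };
  if (revoked.has(credential.id)) return { ok: false, reason: 'revoked' };
  return { ok: true, claims: credential.claims };
}

// Constructed demo data: one trusted issuer, one key generated on the holder's device.
function demo() {
  const issuer = crypto.generateKeyPairSync('ed25519');
  const holder = crypto.generateKeyPairSync('ed25519');
  const trusted = new Map([['did:example:issuer', issuer.publicKey]]);
  const revoked = new Set(['urn:example:cred:2']);
  const cred = (id, over21) => ({ id, issuer: 'did:example:issuer', claims: { over21 } });
  const check = (qr) => verifyQr(qr, trusted, revoked);
  const good = encodeQr(cred('urn:example:cred:1', false), issuer.privateKey);
  // Body edited after issuance, original signature kept.
  const editedBody = Buffer.from(JSON.stringify(cred('urn:example:cred:1', true)));
  const other = { ...cred('urn:example:cred:3', true), issuer: 'did:example:other' };
  return {
    good: check(good),
    edited: check(editedBody.toString('base64url') + '.' + good.split('.')[1]),
    selfSigned: check(encodeQr(cred('urn:example:cred:1', true), holder.privateKey)),
    unknownIssuer: check(encodeQr(other, holder.privateKey)),
    revoked: check(encodeQr(cred('urn:example:cred:2', true), issuer.privateKey)),
  };
}
console.log(demo());
```

Only the first payload is accepted; the client-signed one fails because the verifying key comes from the trust registry rather than from the QR Code.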
Can we add a Security Considerations section in the vc-imp-guide?
The issue was discussed in a meeting on 2023-02-07
- no resolutions were taken
View the transcript
2.1. Be suspicious of QR Code flows that don't also check digital signatures at some point (issue vc-imp-guide#67)
See github issue vc-imp-guide#67.
Manu Sporny: this issue has to do with a compromise with Australia's digital drivers license. The app wasn't even checking the digital signature.
… the app was showing a QR code that wasn't signed. This was to add language to say make sure you've actually checked a digital signature.
… next steps here is pretty straightforward - add guidance to actually check digital signatures.
Kristina Yasuda: that Australia implementation made some waves, it would be good to add this.
Phillip Long: Isn't best practice the QR code should have a signature?
Manu Sporny: Yes, but it's more difficult to do than it sounds :)