DenisPitcher / verify.gov.bm

A simple verifier app for Bermuda's paper verifiable credentials
MIT License

Weak chain of trust for key lookup (lack of DNSSEC) #2

Closed raggi closed 3 years ago

raggi commented 3 years ago

The public key is fetched dynamically using dns.google and then parsing the result. As there is no DNSSEC configured for gov.bm or keys.gov.bm, this process has few guard rails.

Recommendation: add the public key as a constant in the source. The key cannot be rotated or revoked anyway (a weakness of the papercred design), so in any such event it is likely you would need to embed and date-pin the key anyway.

DenisPitcher commented 3 years ago

I agree. The key was included in keys.gov.bm to support other apps according to the MIT spec. I'll be moving the key to be included in the source for this app in an upcoming update, as there's no need to pull it from anywhere.
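
The recommendation in this issue, sketched as an added example (not code from this repository): the verifier always uses a key embedded in source, and a dns.google-style JSON answer is only classified, never trusted for verification. The key value, pin date, sample response and all function names are constructed placeholders; the `Status`, `AD` and `Answer` fields follow Google's DNS-over-HTTPS JSON format.

```javascript
// Constructed placeholder values, not the real gov.bm key or a real date.
const PINNED = {
  name: "keys.gov.bm",
  publicKey: "PLACEHOLDER_PUBLIC_KEY_BASE64",
  pinnedOn: "2021-01-01",
};

// TXT record type number in the DNS-over-HTTPS JSON answer.
const TYPE_TXT = 16;

// Extract TXT strings from a dns.google-style JSON response.
function txtRecords(resp) {
  if (!resp || resp.Status !== 0 || !Array.isArray(resp.Answer)) return [];
  return resp.Answer
    .filter((a) => a.type === TYPE_TXT)
    .map((a) => String(a.data).replace(/^"|"$/g, "")); // strip optional quotes
}

// Classify what DNS says without ever trusting it for verification.
function classifyDns(resp, pinned) {
  // AD is the resolver's "DNSSEC validated" flag; unsigned zones never set it.
  if (!resp || resp.AD !== true) return "unauthenticated";
  return txtRecords(resp).includes(pinned.publicKey) ? "match" : "mismatch";
}

// The key used for signature checks is always the embedded constant.
function keyForVerification(resp, pinned = PINNED) {
  return {
    publicKey: pinned.publicKey,
    source: "pinned " + pinned.pinnedOn,
    dnsStatus: classifyDns(resp, pinned),
  };
}

// Constructed sample: answer for an unsigned zone carrying a different key.
const SPOOFED = {
  Status: 0, AD: false,
  Answer: [{ name: "keys.gov.bm.", type: TYPE_TXT, data: '"UNEXPECTED_KEY"' }],
};

console.log(keyForVerification(SPOOFED));
```

A `dnsStatus` of `mismatch` on a validated answer is a signal to review the pin, not a reason to switch keys automatically.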