bumblefudge
commented
1 year ago Discussed on today's meeting:
-
JSONPath uses "function extensions" (incl regex), which account for most of the security surface
- remove "func ext" in the future and move all variability and expressivity to the JSON Schema filtering (via logical operators)? that might be a major-version/breaking change tho
- "match" in JSON Schema might also be too insecure for some people... more likely to impact current implementations to remove it, tho
- PSubm objects maybe don't need filtering in the meantime, because wallet/agent can express everything as an absolute path
- implementation guide could warn people NOT to use them (can't ban them until next major version)
-
JSONPointer would work for PS but not PD (need to know paths in advance)
-
Niels will elaborate a bit here and then test-balloon these proposals with OIDC4VP implementers
kimdhamilton
Discussed in today's meeting: if there is significant implementer interest in using JSONPointer instead of JSONPath and making the latter an optional feature, interop would require all JSONPath implementations treating JSONPointer inputs the same way (i.e. having a deterministic translation, which might require slightly constrained usage to avoid ambiguities like this one or this one.