search

italia / eudi-wallet-it-docs

Italian EUDI Wallet Technical Specifications
Creative Commons Zero v1.0 Universal
56 stars 20 forks source link

QR-Code Security Enforcements #504

Open peppelinux opened 7 hours ago

peppelinux commented 7 hours ago

https://github.com/openid/OpenID4VP/issues/329#issuecomment-2493079022

It would be beneficial to include the following in the QR code:

A nonce
An expiration time (exp)

The Relying Party (RP) should bind the user-agent with the issued QR code in such a way that a scam attack would not succeed unless the adversary knows and configures their user-agent with the same data as the victim's user-agent.

fmarino-ipzs commented 3 hours ago

@peppelinux @grausof this is something that we should handle in milestone 0.9. WDYT?