nuts-foundation / nuts-node

The reference implementation of the Nuts specification. A decentralized identity network based on the w3c ssi concepts with practical functionality for the healthcare domain.
https://nuts-foundation.gitbook.io
GNU General Public License v3.0

VCR: LDProof expiry field is not according to JSON-LD context (potential vulnerability) #857

Closed reinkrul closed 2 years ago

reinkrul commented 2 years ago

Our JSON-LD Proof type specifies expirationDate, but the field does not exist in the JSON-LD context we specify (https://w3c-ccg.github.io/lds-jws2020/contexts/lds-jws2020-v1.json): it is named expires there.

The consequence is that (according to @stevenvegt) the field isn't part of the actual signature. This could mean an attacker can alter the expiry date, making VCs/VPs that have expired valid again by adjusting the date, while the signature stays correct.

woutslakhorst commented 2 years ago

true, expirationDate is a VC field.
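To make the mechanism behind this report concrete, here is an added example (not nuts-node code) that imitates what a JSON-LD processor does before signing: terms that are undefined in the context are dropped during expansion, so they never reach the signing input. The context, the IRIs and the helper names (`ProofContext`, `SigningInput`, `UnsignedFields`) are constructed for illustration; the check reports which proof fields a signature would not protect, which is the kind of pre-signing assertion that would have caught the `expirationDate` vs. `expires` mismatch.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Constructed stand-in for the lds-jws2020 context in the issue: it defines
// "expires" but not "expirationDate" (IRIs illustrative, not authoritative).
var ProofContext = map[string]string{
	"created": "http://purl.org/dc/terms/created",
	"expires": "https://w3id.org/security#expiration",
}

// SigningInput mimics JSON-LD expansion plus canonicalization of a flat proof:
// terms undefined in the context are dropped, the rest become sorted
// "iri value" lines. Only this text is covered by the signature.
func SigningInput(ctx, proof map[string]string) string {
	var lines []string
	for term, value := range proof {
		if iri, ok := ctx[term]; ok {
			lines = append(lines, iri+" "+value)
		}
	}
	sort.Strings(lines)
	return strings.Join(lines, "\n")
}

// UnsignedFields lists proof fields whose value can change without changing
// the signing input, i.e. fields the signature does not protect.
func UnsignedFields(ctx, proof map[string]string) []string {
	base := SigningInput(ctx, proof)
	var unsigned []string
	for term, value := range proof {
		proof[term] = value + "-tampered" // mutate in place, then restore
		covered := SigningInput(ctx, proof) != base
		proof[term] = value
		if !covered {
			unsigned = append(unsigned, term)
		}
	}
	sort.Strings(unsigned)
	return unsigned
}

func main() {
	proof := map[string]string{"created": "2022-01-01T00:00:00Z", "expirationDate": "2022-02-01T00:00:00Z"}
	fmt.Println("fields not protected by the signature:", UnsignedFields(ProofContext, proof))
}
```

A real implementation should run the JSON-LD processor in a mode that rejects undefined terms instead of silently dropping them, and refuse to sign when that check fails.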