Open awoie opened 2 weeks ago
To mitigate attacks described in the X.509 IETF RFC here, we should add something like the following language:
If x5c is the in unprotected header or was received out-of-band, the verifier MUST check the x5t protected header.
x5c
x5t
Note that COSE has this language built in, but JOSE leaves that open.
Noting that the current text requires using x5c and says nothing about protected vs. unprotected
https://www.ietf.org/archive/id/draft-ietf-oauth-sd-jwt-vc-04.html#name-issuer-signed-jwt-verificat
To mitigate attacks described in the X.509 IETF RFC here, we should add something like the following language:
If
x5c
is the in unprotected header or was received out-of-band, the verifier MUST check thex5t
protected header.Note that COSE has this language built in, but JOSE leaves that open.