openid / OpenID4VP


OpenID4VCs: Security & Trust Model Document #8

Closed OIDF-automation closed 9 months ago

OIDF-automation commented 2 years ago

Imported from AB/Connect bitbucket: https://bitbucket.org/openid/connect/issues/1562

Original Reporter: tlodderstedt

We need a comprehensive analysis and description of the security of the OpenID4VCs protocol family, which also includes the underlying trust model. It is important to conduct the analysis end 2 end for the whole family since there are interdependencies.

Here are just some initial thoughts:

OIDF-automation commented 2 years ago

Imported from AB/Connect bitbucket - Original Commenter: dwc8

Specify conceptual models first.

Re: design philosophy. Keep it simple, pin down options to a minimum for viable open interworking.

OIDF-automation commented 2 years ago

Imported from AB/Connect bitbucket - Original Commenter: KristinaYasuda

There is also Issue #1556

for VP spec:

OIDF-automation commented 2 years ago

Imported from AB/Connect bitbucket - Original Commenter: KristinaYasuda

also #1516

OIDF-automation commented 2 years ago

Imported from AB/Connect bitbucket - Original Commenter: KristinaYasuda

also #1425

OIDF-automation commented 2 years ago

Imported from AB/Connect bitbucket - Original Commenter: josephheenan

As discussed on today’s call, response_mode=post probably opens up some reflection/open proxy style attacks, and Brian commented that the cross-device flow in general likely has more.

Sakurann commented 9 months ago

This document has been adopted here: https://github.com/openid/OpenID4VC_SecTrust