Open tlodderstedt opened 2 months ago
Above noted, thanks. Likely this will need to go into a 2nd version of the paper as it could be quite comprehensive if, for example, a dedicated section is created for MITM attacks. Also noting that this is designed to be a high level paper that is digestible by non-experts, therefore we don't want to go too deep.
The SIG call attendees note that MITM attacks won't just be at the protocol level.
I'm not sure what the security objective of this section is. I guess it is about the authenticity and trustworthiness of the wallet?
If so, I would suggest spelling that out and also describing how the measures described contribute to that objective, as well as which party in an ecosystem should apply those measures.
In general, this section would benefit from a more comprehensive description. For example, I'm not sure what is meant by "Secure connections and end-point management".
I'm also not sure what role brute force attacks play in the context of this security objective. I guess this is more related to an adversary trying to break the user authentication of a wallet in order to steal data and/or impersonate the holder (?).
I would also argue "Man-in-the-Middle Attacks" deserve a dedicated section. I would assume those kinds of attacks will be handled on the protocol level.