solid / security-considerations

https://solid.github.io/security-considerations/

Document attacks possible when WebID Document is hosted in a Solid Storage #3

Open elf-pavlik opened 2 months ago

elf-pavlik commented 2 months ago

Solid-OIDC relies on solid:oidcIssuer delegation in WebID Document; SAI, similarly, relies on interop:hasAuthorizationAgent. Compromising any of them can lead to gaining owner-level access to all storage owned by the agent WebID denotes.

Prior discussion

csarven commented 2 months ago

There is also https://github.com/solid/solid-spec/issues/106


After re-reading what you wrote above, are we saying the same thing: https://github.com/solid/solid-oidc/issues/219#issuecomment-2123508677 ? I mean the issuer origin. It is separate from the oidcIssuer value changing.

elf-pavlik commented 2 months ago

Let's separate those two cases. Here, I only focus on situations where the WebID Document is compromised and the triple with solid:oidcIssuer gets changed.
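The case raised in this thread, a WebID Document whose solid:oidcIssuer or interop:hasAuthorizationAgent triple gets changed, can be detected by comparing the delegation triples against a pinned baseline. The sketch below is an added example, not part of the thread or of any Solid specification; it assumes the WebID Document has already been serialized as N-Triples, and the WebID, issuer and agent URLs are constructed sample values.

```python
import re

# Prefix expansions for the two delegation predicates named in the issue.
SOLID = "http://www.w3.org/ns/solid/terms#"
INTEROP = "http://www.w3.org/ns/solid/interop#"
WATCHED = {SOLID + "oidcIssuer", INTEROP + "hasAuthorizationAgent"}

# Matches only N-Triples lines whose subject, predicate and object are all IRIs.
TRIPLE = re.compile(r"^\s*<([^>]*)>\s+<([^>]*)>\s+<([^>]*)>\s*\.\s*$")

def delegations(ntriples, webid):
    """Return {predicate: set(objects)} for watched predicates about webid."""
    found = {p: set() for p in WATCHED}
    for line in ntriples.splitlines():
        m = TRIPLE.match(line)
        # Triples about other subjects in the same document are ignored.
        if m and m.group(1) == webid and m.group(2) in WATCHED:
            found[m.group(2)].add(m.group(3))
    return found

def diff_delegations(baseline, current):
    """List (change, predicate, value) for each added or removed delegation."""
    changes = []
    for pred in sorted(WATCHED):
        for value in sorted(current[pred] - baseline[pred]):
            changes.append(("added", pred, value))
        for value in sorted(baseline[pred] - current[pred]):
            changes.append(("removed", pred, value))
    return changes

# Constructed sample data: a pinned baseline and a later fetch of the document.
WEBID = "https://alice.example/profile/card#me"
BASELINE = f"""
<{WEBID}> <{SOLID}oidcIssuer> <https://idp.example/> .
<{WEBID}> <{INTEROP}hasAuthorizationAgent> <https://auth.example/alice> .
"""
CURRENT = f"""
<{WEBID}> <http://xmlns.com/foaf/0.1/name> "Alice" .
<{WEBID}> <{SOLID}oidcIssuer> <https://login.other.example/> .
<{WEBID}> <{INTEROP}hasAuthorizationAgent> <https://auth.example/alice> .
<https://alice.example/profile/card#other> <{SOLID}oidcIssuer> <https://x.example/> .
"""

if __name__ == "__main__":
    before, after = delegations(BASELINE, WEBID), delegations(CURRENT, WEBID)
    for change, pred, value in diff_delegations(before, after):
        print(f"ALERT {change}: {pred} -> {value}")
```

Any non-empty diff means the document now delegates authentication or authorization to a party that was not in the pinned baseline, and should be reviewed before the new value is trusted.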

elf-pavlik commented 2 months ago

We plan to discuss it next week on Tuesday https://www.w3.org/events/meetings/b277ff65-0aad-425e-bd1d-64758cd4547a/20240604T140000/