search

web-payments / web-payments.org

Web Payments website and core specifications
https://web-payments.org/
29 stars 13 forks source link

JSON-LD Context security considerations #21

Open msporny opened 10 years ago

msporny commented 10 years ago

We should elaborate on the requirement for payment processors to cache the JSON-LD contexts used for performing financial transfer (or any sort of operation that has legal ramifications or could be used for theft if corrupted).

Manu Sporny wrote:

Talking specifically about the PaySwarm JSON-LD context, it will always be built into the software due to attack vectors through the JSON-LD context if the w3id.org website or the web-payments.org website were to ever be compromised. It's possible to reverse transactions by switching the meaning of "source" and "destination" in a PaySwarm transaction. To protect against that attack, PaySwarm payment processor software always uses local, verified, up-to-date copies of all JSON-LD contexts used for financial transaction purposes. Elf Pavlik wrote: Very interesting! Does it stand somewhere in 'Security Considerations' of one of Web Payments specs? Might make sense to put it somewhere around: https://web-payments.org/specs/source/web-payments/#the-transaction-algorithm

The discussion started here: http://lists.w3.org/Archives/Public/public-webpayments/2013Dec/0098.html

elf-pavlik commented 10 years ago

maybe adding in JSON-LD something like contextHash would also help later on with contexts for web-identity etc. ?

msporny commented 10 years ago

Well, the problem w/ contextHash (we've considered doing something like it before), is that you can layer other JSON-LD contexts on top of base contexts. So, someone could have a context line that looks something like this:

'@context': ['https://w3id.org/payswarm/v1', 'https://mycontext.org/foo/v1']

What would the context hash for that be? If the context hashes don't match, should the entire operation fail? What if the term was not used in the message?

We answered those questions like so: there shouldn't be context hashes because they're brittle. The operation should succeed as long as the data that both sides are expressing is the same (and you can verify that it is the same by running the JSON-LD expand operation). If the term isn't used in the message, and the data that both sides are communicating matches, then the operation should succeed.