allow for empty VPs to be build when no credentials are requested #2840
Conversation
There was a problem hiding this comment.
This can now issue VPs that contain no credentials, audience, or challenge. The only restriction is expiration time, which can be set to 1000 year during development and then forgot about. This could result in a golden replayable VP, should this be allowed? Possible a security consideration worth tracking in an issue for now.
VP proofs can contain a domain and/or challenge (JSON-LD), or audience and/or nonce (JWT). So that can still be used? I don't think we need to limit the expiration time (not up to us to decide on that i.m.o.). |
* master: (40 commits) Bump github.com/go-jose/go-jose/v3 from 3.0.1 to 3.0.3 (#2889) StatusList2021: add e2e test (#2881) remove default storage backend (#2885) Bump github.com/lestrrat-go/jwx/v2 from 2.0.20 to 2.0.21 (#2887) SQL: Rename table vdr_didweb to did (#2882) VDR: Replace v2 API panics with errors (#2872) Network: don't enable TLS when not configured (#2877) Statuslist: Merge issuer and verifier (#2851) revert go-version to stable (#2879) set column length for did and id (#2878) Bump golang from 1.22.0-alpine to 1.22.1-alpine (#2876) Bump google.golang.org/protobuf from 1.32.0 to 1.33.0 (#2875) Docker: drop 'v' prefix from versions (#2855) Upgrade to go 1.22 (#2862) Bump google.golang.org/grpc from 1.62.0 to 1.62.1 (#2874) Bump golang.org/x/crypto from 0.20.0 to 0.21.0 (#2859) HTTP: correct status code logging for errors (#2848) IAM: Handle ErrNotFound for unknown tokens when introspecting (#2847) Bump github.com/stretchr/testify from 1.8.4 to 1.9.0 (#2849) allow for empty VPs (#2840) ...
closes #2800
needed changes to allow for empty VPs to be built when requested so by an empty presentation definition.
This makes testing without any credentials easier when still conforming to specs.