Missing security considerations on MITM, cloning etc. #1138

Closed
awoie opened this issue May 24, 2023 · 3 comments · Fixed by #1238

@awoie
Contributor

awoie commented May 24, 2023

We should add to the security considerations section that the VCDM does not prevent MITM, replay and cloning attacks. This applies to online and offline use cases. The VCDM does not have any mechanisms to allow a verifier to understand whether the presented VC belongs to the holder.

@awoie
Contributor Author

awoie commented May 24, 2023

We should probably point out that this is typically handled by securing mechanisms or contextual claims matching, e.g., picture matching, identifier matching etc. Contextual claims matching requires additional vocabs that are out of scope of the core data model.

@decentralgabe
Contributor

+1 to pointing to this being handled by securing mechanisms. As part of this it may be worth opening issues on existing securing mechanisms to make sure this is covered.

@iherman
Member

iherman commented Jul 12, 2023

The issue was discussed in a meeting on 2023-07-12

  • no resolutions were taken

5.2. Missing security considerations on MITM, cloning etc. (issue vc-data-model#1138)

See github issue vc-data-model#1138.

Brent Zundel: missing security considerations... seems post CR.

Manu Sporny: +1 to after CR.

Brent Zundel: who will be assigned?

Gabe Cohen: I can take it.
