[Openid-specs-ab] Issue #1218: Verifiable Presentations do not work outside of their own protocol. (openid/connect)

tomcjones issues-reply at bitbucket.org
Wed Apr 14 22:06:34 UTC 2021

New issue 1218: Verifiable Presentations do not work outside of their own protocol.

Tom Jones:

This is sort-of a follow up to Tony’s concerns.

It may be that a work-around exists, but if so that needs to be explicitly documented. The following is a question I had on Slack with Orie and Tobias. It seems that VPs, on their own, do not prevent replay. They depend on the outer protocol. I hope that someone can create documentation on their use in SIOP that proves me (and Tony) wrong, but I haven't been convinced. It seems to be an inherent defect in the VP data format. They are only valid within the protocol and not on their own.

**Tobias posted a VP exchange & I responded to that.**  
**Tom Jones**  [1 hour ago](https://difdn.slack.com/archives/C4X50SNUX/p1618434656211300?thread_ts=1618430393.211100&cid=C4X50SNUX)  
I am not intimately familiar with the format, but since I don't see an aud or nonce, I don't understand how you propose to prevent replays.

**Orie Steele (Transmute)**  [9 minutes ago](https://difdn.slack.com/archives/C4X50SNUX/p1618436891211900?thread_ts=1618430393.211100&cid=C4X50SNUX)  
domain and challenge in the W3C VC Data Model address this exact concern

**Orie Steele (Transmute)**  [8 minutes ago](https://difdn.slack.com/archives/C4X50SNUX/p1618436912212100?thread_ts=1618430393.211100&cid=C4X50SNUX)  
[Verifiable Credentials Data Model 1.0](https://www.w3.org/TR/vc-data-model/#example-2-a-simple-example-of-a-verifiable-presentation) (w3.org)  
Credentials are a part of our daily lives; driver's licenses are used to assert that we are capable of operating a motor vehicle, university degrees can be used to assert our level of education, and government-issued passports enable us to travel between countries. This specification provides a mechanism to express these sorts of credentials on the Web in a way that is cryptographically secure, privacy respecting, and machine-verifiable.

**Tom Jones**  [< 1 minute ago](https://difdn.slack.com/archives/C4X50SNUX/p1618437374212500?thread_ts=1618430393.211100&cid=C4X50SNUX)  
[@Orie Steele (Transmute)](https://difdn.slack.com/team/UFF643U5A) [@Kristina (MSFT/MyData/OIDF)](https://difdn.slack.com/team/UKVJ1BBTR) That might be a problem with SIOP. I think we need to get together on this.
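The disagreement above turns on whether the verifier can reject a VP that is not bound to its own identifier and a one-time challenge, which is what the W3C VC Data Model `domain` and `challenge` proof properties are for. The following is an added illustration, not code from the issue, the spec or any project named in the thread: it applies that check to constructed sample presentations. The domain, the challenge values, the state handling and the placeholder proof value are all assumptions; signature verification is assumed to happen elsewhere.

```python
from dataclasses import dataclass, field

@dataclass
class VerifierState:
    """Assumed verifier state: the identifier a VP must be bound to, challenges issued
    to the holder but not yet seen, and challenges already consumed."""
    expected_domain: str
    issued: set = field(default_factory=set)
    consumed: set = field(default_factory=set)

def check_presentation_binding(vp: dict, state: VerifierState) -> str:
    """Return 'accepted' or a 'rejected: ...' reason. Assumes vp['proof'] is one proof
    object whose signature has already been verified; only the binding is examined."""
    proof = vp.get("proof")
    if not isinstance(proof, dict):
        return "rejected: missing proof"
    domain, challenge = proof.get("domain"), proof.get("challenge")
    if domain is None or challenge is None:
        # The case raised in the thread: nothing ties this VP to a verifier or a session.
        return "rejected: proof has no domain/challenge binding"
    if domain != state.expected_domain:
        return "rejected: domain mismatch"
    if challenge in state.consumed:
        return "rejected: challenge already used (replay)"
    if challenge not in state.issued:
        return "rejected: unknown challenge"
    state.issued.discard(challenge)   # one-time use: consume the challenge
    state.consumed.add(challenge)
    return "accepted"

def make_vp(proof_extra: dict) -> dict:
    """Constructed sample VP; the proof value is a placeholder, not a real signature."""
    proof = {"type": "Ed25519Signature2018",
             "proofValue": "PLACEHOLDER-not-a-real-signature"}
    proof.update(proof_extra)
    return {"@context": ["https://www.w3.org/2018/credentials/v1"],
            "type": ["VerifiablePresentation"], "verifiableCredential": [], "proof": proof}

def demo() -> list:
    state = VerifierState(expected_domain="https://verifier.example")
    state.issued.update({"chal-1", "chal-2"})   # assumed challenges handed to the holder
    unbound = make_vp({})
    bound = make_vp({"domain": "https://verifier.example", "challenge": "chal-1"})
    other = make_vp({"domain": "https://other.example", "challenge": "chal-2"})
    return [check_presentation_binding(unbound, state),
            check_presentation_binding(bound, state),
            check_presentation_binding(bound, state),    # same VP presented a second time
            check_presentation_binding(other, state)]
```

Calling `demo()` returns the four outcomes in order: unbound rejected, first bound presentation accepted, its replay rejected, and a VP bound to another verifier's domain rejected.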