[Openid-specs-ab] Issue #1232: What is the scope of a signature? (openid/connect)
tomcjones
issues-reply at bitbucket.org
Wed May 12 16:47:33 UTC 2021
New issue 1232: What is the scope of a signature?
https://bitbucket.org/openid/connect/issues/1232/what-is-the-scope-of-a-signature
Tom Jones:
In the past a singer \(issuer, OP\) was attesting to all of the elements in the document signed. \(subject to the terms of course\). If signed “blobs” are included in a signed document, I propose that the the signer is taking responsibility for all of the attributes in the document **that are not signed by others**.
This issue came up wrt the mDL which is likely to be initiated by a MVD but include covid credentials from an IIS or even a private lab. I don’t believe the MVD is making any statement about the covid creds.
Note also that the expiry date becomes less absolute. As in the case of a passport, it has some extended validity for a year after expiry. Also a mDL my no longer work to authorize driving a car, but still allow you to buy alcohol. Composite docs will have expiry of different attributes at different times.
More information about the Openid-specs-ab
mailing list