[Openid-specs-ab] Issue #1218: Verifiable Presentations do not work outside of their own protocol. (openid/connect)
tomcjones
issues-reply at bitbucket.org
Wed Apr 14 22:06:34 UTC 2021
New issue 1218: Verifiable Presentations do not work outside of their own protocol.
https://bitbucket.org/openid/connect/issues/1218/verifiable-presentations-do-not-work
Tom Jones:
This is sort of a follow-up to Tony’s concerns.
It may be that a work-around exists, but if so that needs to be explicitly documented. The following is a question I had on Slack with Orie and Tobias. It seems that VPs, on their own, do not prevent replay. They depend on the outer protocol. I hope that someone can create documentation on their use in SIOP that proves me (and Tony) wrong, but I haven’t been convinced. It seems to be an inherent defect in the VP data format. They are only valid within the protocol and not on their own.
**Tobias posted a VP exchange & I responded to that.**
**Tom Jones** [1 hour ago](https://difdn.slack.com/archives/C4X50SNUX/p1618434656211300?thread_ts=1618430393.211100&cid=C4X50SNUX)
I am not intimately familiar with the format, but since I don't see an aud or nonce, I don't understand how you propose to prevent replays.
**Orie Steele (Transmute)** [9 minutes ago](https://difdn.slack.com/archives/C4X50SNUX/p1618436891211900?thread_ts=1618430393.211100&cid=C4X50SNUX)
domain and challenge in the W3C VC Data Model address this exact concern
**Orie Steele (Transmute)** [8 minutes ago](https://difdn.slack.com/archives/C4X50SNUX/p1618436912212100?thread_ts=1618430393.211100&cid=C4X50SNUX)
[https://www.w3.org/TR/vc-data-model/#example-2-a-simple-example-of-a-verifiable-presentation](https://www.w3.org/TR/vc-data-model/#example-2-a-simple-example-of-a-verifiable-presentation)
**Tom Jones** [< 1 minute ago](https://difdn.slack.com/archives/C4X50SNUX/p1618437374212500?thread_ts=1618430393.211100&cid=C4X50SNUX)
[@Orie Steele (Transmute)](https://difdn.slack.com/team/UFF643U5A) [@Kristina (MSFT/MyData/OIDF)](https://difdn.slack.com/team/UKVJ1BBTR) That might be a problem with SIOP. I think we need to get together on this.
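The thread turns on whether a VP carries anything equivalent to `aud` and `nonce`. In the W3C VC Data Model the presentation's `proof` can carry `domain` and `challenge`, but those fields only prevent replay if the verifier actually issued the challenge, bound it to its own domain, and refuses to accept it twice. The following is an added example (not part of the issue, the Slack thread, or any project's code) of that verifier-side bookkeeping. Names such as `ChallengeStore`, `make_presentation` and the `https://verifier.example` domain are assumptions for illustration; the presentation is a constructed sample shaped like the spec's VP example. Only the replay-binding fields are checked here; verifying the proof signature is a separate step that this code does not perform.

```python
"""Verifier-side replay binding for a W3C Verifiable Presentation.

Added example, not from the issue thread or any project. A verifier hands
out a fresh, single-use ``challenge`` together with its own ``domain``;
a presentation is accepted only if proof.domain and proof.challenge match
an outstanding, unexpired challenge, which is then consumed. Signature
verification of the proof is assumed to happen elsewhere (not shown).
"""
import json
import secrets
import time


class ChallengeStore:
    """Tracks challenges this verifier has issued but not yet seen used."""

    def __init__(self, domain, ttl_seconds=300, now=time.time):
        self.domain = domain          # the value the holder must put in proof.domain
        self.ttl = ttl_seconds        # how long an issued challenge stays valid
        self.now = now                # injectable clock, for testing expiry
        self._pending = {}            # challenge -> expiry timestamp

    def issue(self):
        """Create a new random challenge bound to this verifier's domain."""
        challenge = secrets.token_urlsafe(32)
        self._pending[challenge] = self.now() + self.ttl
        return {"domain": self.domain, "challenge": challenge}

    def verify(self, vp):
        """Return (accepted, reason) for the replay-binding fields of a VP."""
        proof = vp.get("proof") or {}
        if isinstance(proof, list):   # the data model allows a list of proofs
            proof = proof[0] if proof else {}
        if proof.get("domain") != self.domain:
            return False, "domain mismatch"
        challenge = proof.get("challenge")
        if not challenge:
            return False, "missing challenge"
        # pop() makes the challenge single-use: a second presentation with the
        # same challenge is rejected even if everything else is unchanged.
        expiry = self._pending.pop(challenge, None)
        if expiry is None:
            return False, "unknown or already used challenge"
        if self.now() > expiry:
            return False, "challenge expired"
        return True, "ok"


def make_presentation(domain, challenge):
    """Constructed sample VP, shaped like the VC Data Model's VP example.

    The proofValue is a placeholder; a real holder would sign the presentation.
    The JSON round-trip mimics receiving the VP over the wire.
    """
    vp = {
        "@context": ["https://www.w3.org/2018/credentials/v1"],
        "type": ["VerifiablePresentation"],
        "verifiableCredential": [],          # credentials omitted in this sample
        "proof": {
            "type": "Ed25519Signature2018",
            "created": "2021-04-14T22:00:00Z",
            "proofPurpose": "authentication",
            "challenge": challenge,
            "domain": domain,
            "proofValue": "PLACEHOLDER_SIGNATURE",
        },
    }
    return json.loads(json.dumps(vp))


def demo():
    """Walk through accept, replay, wrong domain and expiry; return the verdicts."""
    clock = [1000.0]
    store = ChallengeStore("https://verifier.example", ttl_seconds=60,
                           now=lambda: clock[0])
    results = []

    req = store.issue()
    vp = make_presentation(req["domain"], req["challenge"])
    results.append(store.verify(vp))          # fresh: accepted
    results.append(store.verify(vp))          # same VP again: replay rejected

    req2 = store.issue()
    wrong = make_presentation("https://other.example", req2["challenge"])
    results.append(store.verify(wrong))       # challenge meant for another verifier

    req3 = store.issue()
    clock[0] += 120                           # past the 60 s TTL
    late = make_presentation(req3["domain"], req3["challenge"])
    results.append(store.verify(late))        # expired
    return results


if __name__ == "__main__":
    for accepted, reason in demo():
        print(accepted, reason)
```

The design point is that the VP format supplies only the slots; the binding that makes them an `aud`/`nonce` equivalent lives in the verifier's issue-then-consume logic, which is why the check belongs in whatever outer protocol (SIOP or otherwise) carries the presentation.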