[Openid-specs-ab] Issue #1562: OpenID4VCs: Security & Trust Model Document (openid/connect)
tlodderstedt
issues-reply at bitbucket.org
Sat Jul 16 10:26:02 UTC 2022
New issue 1562: OpenID4VCs: Security & Trust Model Document
https://bitbucket.org/openid/connect/issues/1562/openid4vcs-security-trust-model-document
Torsten Lodderstedt:
We need a comprehensive analysis and description of the security of the OpenID4VCs protocol family, which also includes the underlying trust model. It is important to conduct the analysis end-to-end for the whole family since there are interdependencies.
Here are just some initial thoughts:
* Authentic claims - signed data by a trusted issuer
* trusted issuer - signed data / identification of issuer / management of trusted issuers
* Prevention of copying/replay of credentials / impersonation - holder binding (cryptographic, biometric, claims-based)
* Security of cryptographic holder binding - attestation of different kinds
* Trustworthiness of processing by wallet - 3rd party verification / confirmation
* Design philosophy: issuer does the heavy lift, verifier can be sure all pre-requisites are fulfilled by wallet if there exists a credential issued by a trusted issuer (since it conforms to its policy)
* Confidentiality of user claims - protected cloud systems / encryption at rest, encrypted transmission
* Issuance - Do we need nonce and audience in issuance?
* Impersonation by attacker - authentication to wallet