[Openid-specs-ab] OpenID for Verifiable Presentations over BLE - draft 00 ready for review
Tom Jones
thomasclinganjones at gmail.com
Sat Aug 19 14:49:20 UTC 2023
Scanning an unknown QR code is no different from clicking on an unknown
URL. DON'T DO IT! Basic app data can be used for tracking.
This is a privacy nightmare!
https://www.scmagazine.com/news/novel-phishing-qr-codes-bing-url-microsoft-security
thx ..Tom (mobile)
On Sun, Jul 30, 2023, 2:22 AM <sasi at duck.com> wrote:
> The way the protocol is defined, the user has to take action (in BLE you
> are near to each other physically and you do know to whom you are
> connecting) in order to connect. So in its core the user is aware and is
> the initiator of the connection. So once the user is aware of this the
> wallet identifies itself to the verifier.
>
> Now if anyone creates the QR and sticks it on a wall of a stadium
> entrance and waits for his bait then all he could get is the basic wallet
> information, remaining trust is based on the wallet knowing the relying
> party, which would not be possible for the verifier to prove (section 7.2).
>
> Will you consider the basic information about the wallet as PII?
>
> Thanks
> Sasikumar Ganesan
> https://github.com/gsasikumar/
> https://www.linkedin.com/in/sasikumarganesan/
> https://twitter.com/g_sasi_kumar
>
>
> On Sat, Jul 29, 2023 at 12:22 AM Tom Jones via Openid-specs-ab <
> openid-specs-ab_at_lists.openid.net_sasi at duck.com> wrote:
>
>> I have a fundamental problem with OpenID for Verifiable Presentations
>> over BLE flow diagrams.
>> It seems that the user wallet identifies itself to the verifier before
>> the user knows the identifier of the verifier.
>> There is a statement about the advertisement "5.2 The QR Code contains
>> the name and the ephemeral public key of the Verifier."
>> Is the presumption that the physical context of the QR code is
>> sufficient?
>> It seems that anyone could go about pasting QR codes in any place that
>> lead to attack sites.
>>
>> I am creating some BLE code to see if section 5.1 is any better. It is
>> not clear from the docs that I have what information is in the ad.
>> ..tomj
>>
>>
>> On Tue, Apr 25, 2023 at 4:37 AM Torsten Lodderstedt via Openid-specs-ab <
>> openid-specs-ab at lists.openid.net> wrote:
>>
>>> Hi all,
>>>
>>> the initial revision of the OpenID for Verifiable Presentations over BLE
>>> draft is now available
>>> https://openid.bitbucket.io/connect/openid-4-verifiable-presentations-over-ble-1_0.html
>>> .
>>>
>>> Please review the specification and give feedback either here on the
>>> list or through issues at
>>> https://bitbucket.org/openid/connect/issues?status=new&status=open&status=submitted&is_spam=!spam
>>> .
>>>
>>> Thanks in advance,
>>> Torsten.
>>> _______________________________________________
>>> Openid-specs-ab mailing list
>>> Openid-specs-ab at lists.openid.net
>>> https://lists.openid.net/mailman/listinfo/openid-specs-ab
>>>
>>
>