[Openid-specs-ab] OpenID for Verifiable Presentations over BLE - draft 00 ready for review

sasi at duck.com sasi at duck.com
Wed Aug 23 08:23:39 UTC 2023


I am 100% with you on this. Random QR code scanning is equivalent to
clicking a URL from an unknown sender. Of course the risk remains the same
for untrusted NFC terminals.

https://www.techtarget.com/whatis/feature/6-potential-enterprise-security-risks-with-NFC-technology

The phishing risk remains the same irrespective of the technology.  If you
have some interesting ways to prevent this from happening we would love to
hear from you.

FYI: This spec should have an enhancement soon to support NFC tap as well.


Thanks
Sasikumar Ganesan
https://github.com/gsasikumar/
https://www.linkedin.com/in/sasikumarganesan/
https://twitter.com/g_sasi_kumar


On Sat, Aug 19, 2023 at 8:19 PM Tom Jones <
thomasclinganjones_at_gmail.com_sasi at duck.com> wrote:

> Scanning an unknown QR code is no different from clicking on an unknown
> URL. DON'T DO IT!  Basic app data can be used for tracking.
>
> This is a privacy nightmare!
>
>
> https://www.scmagazine.com/news/novel-phishing-qr-codes-bing-url-microsoft-security
>
> thx ..Tom (mobile)
>
> On Sun, Jul 30, 2023, 2:22 AM <sasi at duck.com> wrote:
>
>> The way the protocol is defined the user has to take action (In ble you
>> are near to each other physically and you do know to whom you are
>> connecting) in order to connect. So in its core the user is aware and is
>> the initiator of the connection. So once the user is aware of this the
>> wallet identifies itself to the verifier.
>>
>> Now if any one creates the QR and sticks it on a wall of a stadium
>> entrance and waits for his bait then all he could get is the basic wallet
>> information, remaining trust is based on the wallet knowing the relying
>> party, which would not be possible for the verifier to prove (section 7.2).
>>
>> Will you consider the basic information about the wallet as a PII?
>>
>> Thanks
>> Sasikumar Ganesan
>> https://github.com/gsasikumar/
>> https://www.linkedin.com/in/sasikumarganesan/
>> https://twitter.com/g_sasi_kumar
>>
>>
>> On Sat, Jul 29, 2023 at 12:22 AM Tom Jones via Openid-specs-ab <
>> openid-specs-ab_at_lists.openid.net_sasi at duck.com> wrote:
>>
>>> I have a fundamental problem with OpenID for Verifiable Presentations
>>> over BLE flow diagrams.
>>> It seems that the user wallet identifies itself to the verifier before
>>> the user knows the identifier of the verifier.
>>> There is a statement about the advertisement "5.2 The QR Code contains
>>> the name and the ephemeral public key of the Verifier."
>>> Is the presumption that the physical context of the QR code is
>>> sufficient?
>>> It seems that anyone could go about pasting QR codes in any place that
>>> lead to attack sites.
>>>
>>> I am creating some BLE code to see if section 5.1 is any better. It is
>>> not clear from the docs that I have what information is in the ad.
>>> ..tomj
>>>
>>>
>>> On Tue, Apr 25, 2023 at 4:37 AM Torsten Lodderstedt via Openid-specs-ab <
>>> openid-specs-ab at lists.openid.net> wrote:
>>>
>>>> Hi all,
>>>>
>>>> the initial revision of the OpenID for Verifiable Presentations over
>>>> BLE draft is now available
>>>> https://openid.bitbucket.io/connect/openid-4-verifiable-presentations-over-ble-1_0.html
>>>> .
>>>>
>>>> Please review the specification and give feedback either here on the
>>>> list or through issues at
>>>> https://bitbucket.org/openid/connect/issues?status=new&status=open&status=submitted&is_spam=!spam
>>>> .
>>>>
>>>> Thanks in advance,
>>>> Torsten.
>>>> _______________________________________________
>>>> Openid-specs-ab mailing list
>>>> Openid-specs-ab at lists.openid.net
>>>> https://lists.openid.net/mailman/listinfo/openid-specs-ab
>>>>
>>>
>>

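The gate the thread is arguing about, as an added example in Python. This is not code from the OpenID4VP-over-BLE draft or from anyone in this thread. It models the flow described above (QR carries the verifier's name and an ephemeral public key; the wallet must decide before it discloses anything) and adds the one thing the thread says the draft cannot give the wallet (section 7.2): a way to prove the ephemeral key belongs to a relying party the wallet already knows. The JSON payload layout, the pinned-key registry, and the use of an HMAC as a stand-in for a signature by the verifier's long-term key are all assumptions of this demo, not the draft's encoding.

```python
import hashlib
import hmac
import json
import secrets

# Constructed trust registry (assumption, not from the draft): the wallet has
# pinned, out of band, one long-term key per relying party it is willing to
# talk to. A random demo key stands in for a real verifier key.
TRUSTED_VERIFIERS = {
    "Stadium Entrance Gate 4": secrets.token_bytes(32),
}


def attest(long_term_key: bytes, name: str, ephemeral_pk: bytes) -> bytes:
    """Binds (name, ephemeral key) to the long-term key. An HMAC stands in
    for the signature a real verifier would produce with an asymmetric
    long-term key (assumption for this demo)."""
    return hmac.new(long_term_key, name.encode() + ephemeral_pk, hashlib.sha256).digest()


def verifier_make_qr(name: str, long_term_key: bytes) -> str:
    """Verifier side: fresh per-session ephemeral key plus its attestation,
    serialized as the assumed QR payload."""
    ephemeral_pk = secrets.token_bytes(32)
    return json.dumps({
        "name": name,
        "ephemeral_pk": ephemeral_pk.hex(),
        "attestation": attest(long_term_key, name, ephemeral_pk).hex(),
    })


def attacker_make_qr(claimed_name: str) -> str:
    """A QR pasted on the stadium wall: a trusted name, the attacker's own
    ephemeral key, and an attestation the attacker cannot compute because
    the pinned long-term key is not theirs."""
    return json.dumps({
        "name": claimed_name,
        "ephemeral_pk": secrets.token_hex(32),
        "attestation": secrets.token_hex(32),
    })


def wallet_gate(qr_text: str, registry: dict) -> tuple:
    """Wallet side, run before any BLE connection is opened. Returns
    ("connect", ephemeral_pk) only when the verifier is pinned and its
    ephemeral key is attested by the pinned key; otherwise ("abort", reason).
    On the abort path nothing about the wallet leaves the device."""
    try:
        payload = json.loads(qr_text)
        name = payload["name"]
        ephemeral_pk = bytes.fromhex(payload["ephemeral_pk"])
        tag = bytes.fromhex(payload["attestation"])
    except (ValueError, KeyError, TypeError):
        return ("abort", "malformed QR payload")
    if not isinstance(name, str):
        return ("abort", "malformed QR payload")
    long_term_key = registry.get(name)
    if long_term_key is None:
        # Unknown relying party: the physical context of the QR proves nothing.
        return ("abort", f"unknown verifier {name!r}")
    if len(ephemeral_pk) != 32:
        return ("abort", "bad ephemeral key length")
    expected = attest(long_term_key, name, ephemeral_pk)
    if not hmac.compare_digest(expected, tag):
        # Trusted name, but the ephemeral key is not bound to the pinned key.
        return ("abort", "ephemeral key not attested by pinned key")
    return ("connect", ephemeral_pk)


if __name__ == "__main__":
    gate = "Stadium Entrance Gate 4"
    key = TRUSTED_VERIFIERS[gate]
    print(wallet_gate(verifier_make_qr(gate, key), TRUSTED_VERIFIERS)[0])
    print(wallet_gate(attacker_make_qr(gate), TRUSTED_VERIFIERS))
    print(wallet_gate(verifier_make_qr("Unknown Kiosk", key), TRUSTED_VERIFIERS))
```

The point of the split is ordering: the wallet evaluates the QR entirely locally and only the "connect" branch ever opens the BLE link and sends wallet information, so a pasted QR with a familiar name yields no data to its author. Copying a legitimate verifier's QR does not help the attacker either, since the wallet would then be connecting to the legitimate ephemeral key, not the attacker's.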