[Openid-specs-ab] OpenID for Verifiable Presentations over BLE - draft 00 ready for review
Tom Jones
thomasclinganjones at gmail.com
Wed Aug 23 14:30:37 UTC 2023
The key words there are untrusted terminals. Any user app MUST assume all
attempts to connect are untrusted and avoid sharing any data until trust is
established.
thx ..Tom (mobile)
On Wed, Aug 23, 2023, 1:18 AM <sasi at duck.com> wrote:
> I am 100% with you on this. Random QR code scanning is equivalent to
> clicking a URL from an unknown sender. Of course the risk remains the same
> for untrusted NFC terminals.
>
>
> https://www.techtarget.com/whatis/feature/6-potential-enterprise-security-risks-with-NFC-technology
>
> The phishing risk remains the same irrespective of the technology. If you
> have some interesting ways to prevent this from happening we would love to
> hear from you.
>
> FYI: This spec should have an enhancement soon to support NFC tap as well.
>
>
> Thanks
> Sasikumar Ganesan
> https://github.com/gsasikumar/
> https://www.linkedin.com/in/sasikumarganesan/
> https://twitter.com/g_sasi_kumar
>
>
> On Sat, Aug 19, 2023 at 8:19 PM Tom Jones <
> thomasclinganjones_at_gmail.com_sasi at duck.com> wrote:
>
>> Scanning an unknown QR code is no different from clicking on an unknown
>> URL. DON'T DO IT! Basic app data can be used for tracking.
>>
>> This is a privacy nightmare!
>>
>>
>> https://www.scmagazine.com/news/novel-phishing-qr-codes-bing-url-microsoft-security
>>
>> thx ..Tom (mobile)
>>
>> On Sun, Jul 30, 2023, 2:22 AM <sasi at duck.com> wrote:
>>
>>> The way the protocol is defined the user has to take action (In BLE you
>>> are near to each other physically and you do know to whom you are
>>> connecting) in order to connect. So in its core the user is aware and is
>>> the initiator of the connection. So once the user is aware of this the
>>> wallet identifies itself to the verifier.
>>>
>>> Now if anyone creates the QR and sticks it on a wall of a stadium
>>> entrance and waits for his bait then all he could get is the basic wallet
>>> information, remaining trust is based on the wallet knowing the relying
>>> party, which would not be possible for the verifier to prove (section 7.2).
>>>
>>> Will you consider the basic information about the wallet as PII?
>>>
>>> Thanks
>>> Sasikumar Ganesan
>>> https://github.com/gsasikumar/
>>> https://www.linkedin.com/in/sasikumarganesan/
>>> https://twitter.com/g_sasi_kumar
>>>
>>>
>>> On Sat, Jul 29, 2023 at 12:22 AM Tom Jones via Openid-specs-ab <
>>> openid-specs-ab_at_lists.openid.net_sasi at duck.com> wrote:
>>>
>>>> I have a fundamental problem with OpenID for Verifiable Presentations
>>>> over BLE flow diagrams.
>>>> It seems that the user wallet identifies itself to the verifier before
>>>> the user knows the identifier of the verifier.
>>>> There is a statement about the advertisement "5.2 The QR Code contains
>>>> the name and the ephemeral public key of the Verifier."
>>>> Is the presumption that the physical context of the QR code is
>>>> sufficient?
>>>> It seems that anyone could go about pasting QR codes in any place that
>>>> lead to attack sites.
>>>>
>>>> I am creating some BLE code to see if section 5.1 is any better. It is
>>>> not clear from the docs that I have what information is in the ad.
>>>> ..tomj
>>>>
>>>>
>>>> On Tue, Apr 25, 2023 at 4:37 AM Torsten Lodderstedt via Openid-specs-ab
>>>> <openid-specs-ab at lists.openid.net> wrote:
>>>>
>>>>> Hi all,
>>>>>
>>>>> the initial revision of the OpenID for Verifiable Presentations over
>>>>> BLE draft is now available
>>>>> https://openid.bitbucket.io/connect/openid-4-verifiable-presentations-over-ble-1_0.html
>>>>> .
>>>>>
>>>>> Please review the specification and give feedback either here on the
>>>>> list or through issues at
>>>>> https://bitbucket.org/openid/connect/issues?status=new&status=open&status=submitted&is_spam=!spam
>>>>> .
>>>>>
>>>>> Thanks in advance,
>>>>> Torsten.
>>>>> _______________________________________________
>>>>> Openid-specs-ab mailing list
>>>>> Openid-specs-ab at lists.openid.net
>>>>> https://lists.openid.net/mailman/listinfo/openid-specs-ab
>>>>>
>>>