[Openid-specs-risc] openid/sharedsignals: New Issue opened
github at oidf.org
github at oidf.org
Tue Sep 24 13:43:35 UTC 2024
openid/sharedsignals event
Issue opened
Issue Title: Receivers should validate aud value in StreamConfiguration response
https://github.com/openid/sharedsignals/issues/207
The first recommendation from the final security audit: While Receivers are mandated to validate the audience value in SETs (due to [RFC7519, Section 4.1.3]), they are currently not required to validate the audience value in stream configurations returned by a Transmitter, e.g., in a stream creation response. Our Receiver model respects this and hence mostly ignores streams’ audience values. For SET validation, our Receiver model instead compares the SET’s audience value against an expected value based on the access token used by the Receiver when requesting creation of the stream (since this is where the Transmitter is required to derive an audience value from the Receiver’s authorization, see [15, Section 7]). However, it is likely that implementers use the stream’s audience value to validate SETs against, hence, we recommend to mandate Receivers-side validation of stream audience values.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-risc/attachments/20240924/09e826ce/attachment.html>
More information about the Openid-specs-risc
mailing list