add verifier public key to the session transcript #470
c2bo
left a comment
Type should either be bstr if we use the hash directly, or we need to clarify that the hash is base64url encoded
changed to |
paulbastian
left a comment
I think this is a substantial, important change that needs further elaboration on the motivation:
- add a note under this section that this is a security measurement for unsigned requests
- please add security consideration that the RP should check that jwk_thumbprint matches its key and what to do when it does not match
I can add a note regarding the purpose of the same section since it only applies to mdocs.
The RP does not have to check that the |
@paulbastian please review again. I added the purpose of this to the respective section.
7153d73 to 4ca6448
I believe a dedicated section in the security considerations to give guidance for Verifier in these cases would be appropriate, but that shouldn't block this from being merged.
I agree.. we should be more diligent in adding security considerations when we do PRs that apply cc @danielfett
We have already a note on that in the PR as @paulbastian requested. IMO, a security considerations section would only make sense if it applies to all credential formats but we decided to do this for mdocs only to begin with. If @paulbastian could unblock since we added a note?
Depends on #448 (on the removal of client_id from SessionTranscript).
This PR includes the thumbprint of the public verification key of the verifier in the SessionTranscript.
Fixes #400
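
An added example, not code from this PR or from the specification: a JWK thumbprint of a verifier public key computed per RFC 7638, shown in the two encodings the first review comment distinguishes (raw hash as a CBOR bstr versus base64url text as a tstr). The SHA-256 choice, the constructed sample key and all helper names are assumptions; the PR's actual SessionTranscript layout is not reproduced.

```python
import base64
import hashlib
import json

# Members that enter the hash, per key type (RFC 7638 section 3.2; OKP per RFC 8037).
REQUIRED = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n"), "OKP": ("crv", "kty", "x")}

def jwk_thumbprint(jwk: dict) -> bytes:
    """Raw SHA-256 JWK thumbprint (32 bytes) of a public key."""
    members = REQUIRED.get(jwk.get("kty"))
    if members is None:
        raise ValueError("unsupported kty")
    missing = [m for m in members if m not in jwk]
    if missing:
        raise ValueError(f"missing required members: {missing}")
    # Only the required members, sorted by name, no whitespace: optional
    # members such as kid or use must not change the result.
    canonical = json.dumps({m: jwk[m] for m in members}, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).digest()

def b64url(data: bytes) -> str:
    """base64url without padding, as used for JWK values."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def cbor_item(major: int, payload: bytes) -> bytes:
    """Minimal CBOR encoding of a byte string (major 2) or text string (major 3), up to 255 bytes."""
    n = len(payload)
    if n > 255:
        raise ValueError("payload too long for this minimal encoder")
    head = bytes([major << 5 | n]) if n < 24 else bytes([major << 5 | 24, n])
    return head + payload

# Constructed sample key: the coordinates are placeholders, not a real curve point.
VERIFIER_JWK = {
    "kty": "EC", "crv": "P-256",
    "x": "constructed-x-coordinate-not-a-real-point",
    "y": "constructed-y-coordinate-not-a-real-point",
    "kid": "verifier-key-1",
}
RAW = jwk_thumbprint(VERIFIER_JWK)
AS_BSTR = cbor_item(2, RAW)                          # 0x58 0x20 + 32 hash bytes
AS_TSTR = cbor_item(3, b64url(RAW).encode("ascii"))  # 0x78 0x2b + 43 characters

if __name__ == "__main__":
    print("bstr:", AS_BSTR.hex())
    print("tstr:", AS_TSTR.hex())
```

The two encodings are different bytes on the wire, so both parties have to build the transcript with the same one.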