Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

feature/SDK-59 #299

Open
wants to merge 3 commits into
base: develop
Choose a base branch
from
Open

feature/SDK-59 #299

wants to merge 3 commits into from

Conversation

sanderPostma
Copy link
Contributor

No description provided.

ronal2do
ronal2do reviewed Jan 10, 2025
View reviewed changes
packages/vc-handler-ld-local/src/ld-credential-module.ts
@@ -115,7 +115,7 @@ export class LdCredentialModule {
verificationMethodId: string,
challenge: string | undefined,
domain: string | undefined,
purpose: typeof ProofPurpose = !challenge && !domain
purpose: typeof ProofPurpose = !challenge // domain is not a mandatory var for AuthenticationProofPurpose per se, but challenge is.
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I only miss to have unit tests for this module, to verify regressions

Copy link
Contributor

@nklomp nklomp Jan 10, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Has this change been verified to be correct to begin with in the specs @sanderPostma? The fact the underlying Veramo functions allow for it doesn't mean this change is correct. I cannot remember a need ever to not have both.

Actually I do not even want this change, as it would promote not binding a domain to a proof

@ronal2do ronal2do self-requested a review January 10, 2025 08:52
nklomp
nklomp requested changes Jan 10, 2025
View reviewed changes
Copy link
Contributor

@nklomp nklomp left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Needs to be checked against spec, but this change is dangerous in itself as it would start promoting not using domain bindings for proofs

@sanderPostma
Copy link
Contributor Author

sanderPostma commented Jan 10, 2025
edited
Loading

!challenge && !domain

@nklomp
what would be the alternative?
!challenge || !domain instead of !challenge && !domain
?
Or throw an error when we have a challenge but not a domain?

Because with did:web we have a domain but not a challenge.
We could add a challenge, but it's not mandatory by spec, so we need to be able to deal with it

The domain property within a proof is optional. It specifies the operational sphere or context in which the proof is intended to be valid, often used to prevent replay attacks by restricting the proof's validity to a particular domain.
Omitting the domain property can have implications:
Increased Risk of Replay Attacks: Without a specified domain, the proof might be accepted in unintended contexts, potentially allowing malicious actors to reuse the proof elsewhere.
Broader Validity Scope: The proof may be considered valid across multiple domains, which might not align with the issuer's intent.

@nklomp
Copy link
Contributor

nklomp commented Jan 10, 2025

We should make sure that our RP asks for a challenge to begin with. See the warning. That is the reason why I am hesitant to even allow it. Since it is in the spec I guess we should, but IMO I rather have an option to allow for the omission of a challenge, that defaults to false. I rather run into issues with certain RPs that do not require it, as they really should use it. So first and foremost we should fix it in our RP.

# for free to join this conversation on GitHub. Already have an account? # to comment
Reviewers

@nklomp nklomp nklomp requested changes

@ronal2do ronal2do ronal2do approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@sanderPostma @nklomp @ronal2do