Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore: c_nonce is recommended and AS takes care #323

Closed
wants to merge 8 commits into from
Closed

chore: c_nonce is recommended and AS takes care #323

wants to merge 8 commits into from

Conversation

peppelinux
Copy link
Member

This PR aims to resolve the issue #313 where @andprian expressed her sensibility about some details that amtters about the security and the behaviour that an implementer may expect from the AS.

This PR does not address the revocation of a credential when a request for the same credential type occurs. As noted in the related issue, this behavior may be influenced by various factors outside the scope of this specification, including legal requirements already mentioned.

bc-pi
bc-pi requested changes May 20, 2024
View reviewed changes
Copy link
Member

@bc-pi bc-pi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

IMHO c_nonce from the AS's token endpoint shouldn't even be an option and, while there wasn't enough consensus to remove it*, I'm absolutely not okay recommending it.

@andprian
Copy link

How about adding this recommendation for the c_nonce in section 7.3 for the Credential Response? This would prevent replay attacks for all subsequent requests.

@andprian andprian mentioned this pull request May 21, 2024
Open
@Sakurann
Copy link
Collaborator

Sakurann commented May 27, 2024
edited
Loading

if the point of this PR is to recommend the usage of c_nonce in general (regardless of how the issuer provides c_nocne), the specification right now actually intends to mandate c_nonce (either from the token endpoint or credential endpoint)....

i am inclined to close this issue until there is more clarity on the issues including #331

@Sakurann
Copy link
Collaborator

with the discussion in #331, the direction is to remove an option to return c_nonce from the token endpoint

@Sakurann Sakurann closed this Jun 12, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@pmhsfelix pmhsfelix pmhsfelix left review comments

@paulbastian paulbastian paulbastian requested changes

@bc-pi bc-pi bc-pi requested changes

@tlodderstedt tlodderstedt Awaiting requested review from tlodderstedt

@Sakurann Sakurann Awaiting requested review from Sakurann

@jogu jogu Awaiting requested review from jogu

@c2bo c2bo Awaiting requested review from c2bo

@awoie awoie Awaiting requested review from awoie

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@peppelinux @andprian @Sakurann @pmhsfelix @paulbastian @bc-pi