Clarify verifiable claims TLS requirement. #16
Conversation
| @@ -455,6 +455,8 @@ specification. | |||
|
|
|||
| All tokens, Client, and User credentials MUST only be transmitted over TLS. | |||
|
|
|||
| All resources required to verify claims: Issuer, WebID and Client WebID; MUST only be transmitted over TLS. | |||
There was a problem hiding this comment.
I think the intention here is good, but I'm concerned that this might be over-specifying things.
First, an RS may cache JWKS resources in a local keystore (hence, transfer is between local keystore and application, which may not be TLS)
Second, there may be other secure transfer mechanisms (mTLS) that are possible
Third, WebID documents (according to the WebID spec) may use either the http or https scheme
Fourth, if a WebID is a DID, the resolver may have its own mechanism to securely transfer resources
There was a problem hiding this comment.
Part of my concern is specifically about WebIDs being transferred over an insecure connection.
I imagine it is not an obvious security concern since the trusted issuer check is "always?" going to be a backchannel operation.
But I'm not a security expert and it would be good to have a serious opinion on that and understand the implications.
No matter what, I would tend to think (even though it's beyond my capacity to exploit it) that having an insecure connection involved in authentication is a serious attack vector.
There was a problem hiding this comment.
If this is principally about WebID documents using http vs https schemes, then the text in this PR should focus on how this specification constrains how the WebID specification should be followed.
|
We should handle this one together with #76 |
No description provided.