Security considerations #444
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
fmarino-ipzs
requested review from
grausof,
peppelinux,
fmarino-ipzs and
m-basili
m-basili
approved these changes
Oct 14, 2024
fmarino-ipzs
approved these changes
Oct 15, 2024
peppelinux
requested changes
Oct 16, 2024
|
|
||
| .. note:: | ||
|
|
||
| The focus of the analysis is the compliance of the design choices in the IT Wallet specification w.r.t the OpenID4VC protocols. |
There was a problem hiding this comment.
please don't use acronyms like w.r.t., explode it for better readability
Comment on lines
441
to
442
| In the IT Wallet specification, the **redirect_uri** is registered and validated beforehand during the Verifier onboarding using OpenID Federation. During the presentation | ||
| phase, the Wallet is able to validate this value by verifying the OpenID Federation Trust Chain related to the Verifier. |
There was a problem hiding this comment.
We need ref to the section describing how openid federation is used, therefore using the refs to the section about the trust infrastructure and removing all these explicit mentions to openid federation.
in the trust infrastructure section we use openid federation and we'll introduce all the required harmonization with x.509 during the milestone 0.9.0
for clarity, we can use example "such as using openid federation ... as defined ..."
This was referenced Oct 16, 2024
Co-authored-by: Giuseppe De Marco <[email protected]>
grausof
requested changes
Oct 18, 2024
m-basili
reviewed
Oct 21, 2024
grausof
approved these changes
Oct 24, 2024
peppelinux
reviewed
Oct 25, 2024
peppelinux
reviewed
Oct 25, 2024
peppelinux
reviewed
Oct 25, 2024
peppelinux
reviewed
Oct 25, 2024
peppelinux
reviewed
Oct 25, 2024
peppelinux
reviewed
Oct 25, 2024
peppelinux
reviewed
Oct 25, 2024
peppelinux
reviewed
Oct 25, 2024
peppelinux
reviewed
Oct 25, 2024
peppelinux
reviewed
Oct 25, 2024
peppelinux
reviewed
Oct 25, 2024
peppelinux
reviewed
Oct 25, 2024
peppelinux
reviewed
Oct 25, 2024
peppelinux
reviewed
Oct 25, 2024
peppelinux
reviewed
Oct 25, 2024
peppelinux
reviewed
Oct 25, 2024
peppelinux
reviewed
Oct 25, 2024
peppelinux
reviewed
Oct 25, 2024
peppelinux
reviewed
Oct 25, 2024
peppelinux
requested changes
Oct 25, 2024
Co-authored-by: Giuseppe De Marco <[email protected]>
giadas
commented
Oct 25, 2024
m-basili
reviewed
Oct 25, 2024
giadas
commented
Oct 25, 2024
giadas
commented
Oct 25, 2024
giadas
commented
Oct 25, 2024
m-basili
reviewed
Oct 25, 2024
giadas
commented
Oct 25, 2024
giadas
commented
Oct 25, 2024
Co-authored-by: Giuseppe De Marco <[email protected]> Co-authored-by: m-basili <[email protected]>
peppelinux
approved these changes
Oct 25, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR closes #125
It consists of a new section "Security and Privacy Considerations" that provides an informal security analysis of the IT Wallet specification by analyzing the compliance with the security and privacy requirements identified in "Security and Trust in OpenID for Verifiable Credentials Ecosystems" specification.
For each requirement, we report its description and specifies whether the IT Wallet specification satisfies the requirement
(fully satisfied, partially satisfied, and not satisfied) and how/why. In case of partially or not satisfied, we provide also some tips on how to be compliant.
Editorial Note: Currently, we provide each requirement as a subsection in order to better navigate the analysis. However, this causes a long index. We should evaluate this aspect together.