Security considerations: Clarify audience values treatment in DC API #541

jogu opened this issue Apr 12, 2025 · 0 comments
jogu commented Apr 12, 2025

From draft Stuttgart security analysis:

Section 14.1.2 and DC API: [OID4VP draft 24, Section 14.1] should be updated to incorporate OID4VP over the DC API. Paragraph 3, for example, says that the audience value must be the client ID but in this case the audience value is always the origin asserted by the DC API.

(I think there was some discussion already about splitting out security considerations for DC API & non-DC API cases... if anyone has the issue handy please add it!)
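The distinction the issue raises is a verifier-side check: for redirect or direct_post flows the presentation's audience must equal the verifier's client ID, while for a request delivered over the DC API it must equal the origin the user agent asserted. The following is an added example, not code from the OID4VP specification or any wallet or verifier implementation; the transport labels (`"dc_api"`, `"redirect"`), the helper names, the use of the raw origin string as the DC API audience value, and the sample tokens are all assumptions or constructed input for illustration.

```python
"""Verifier-side audience validation for OID4VP presentations.

Added illustrative example. Assumptions: the presentation carries its
audience in a JWT `aud` claim, the DC API audience is the browser-asserted
origin used verbatim, and signature verification of the token has already
been performed by the caller.
"""
import base64
import json
from dataclasses import dataclass
from typing import Optional, Union


@dataclass(frozen=True)
class RequestContext:
    """What the verifier knows about how its request reached the wallet.

    transport: "dc_api" or "redirect" (hypothetical labels for this example).
    client_id: the verifier's client identifier as used in the request.
    dc_api_origin: the origin the user agent asserted via the DC API; only
        meaningful when transport == "dc_api".
    """
    transport: str
    client_id: str
    dc_api_origin: Optional[str] = None


def expected_audience(ctx: RequestContext) -> str:
    """Return the value the presentation's audience must be bound to.

    Over the DC API the audience is the browser-asserted origin, not the
    client_id; in the other flows it is the client_id.
    """
    if ctx.transport == "dc_api":
        if not ctx.dc_api_origin:
            raise ValueError("DC API request without a user-agent-asserted origin")
        return ctx.dc_api_origin
    return ctx.client_id


def audience_matches(aud: Union[str, list, None], expected: str) -> bool:
    """Exact-match comparison; RFC 7519 allows `aud` to be a string or an array."""
    if isinstance(aud, str):
        return aud == expected
    if isinstance(aud, list):
        return any(isinstance(a, str) and a == expected for a in aud)
    return False  # a missing or malformed aud never passes


def _b64url_decode(segment: str) -> bytes:
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def jwt_payload(token: str) -> dict:
    """Decode the payload segment of a compact JWT.

    Signature verification is deliberately not done here; it is assumed to
    have succeeded before this function is called.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def check_presentation_audience(token: str, ctx: RequestContext) -> bool:
    """True only if the token's aud equals the audience implied by the transport."""
    payload = jwt_payload(token)
    return audience_matches(payload.get("aud"), expected_audience(ctx))


def make_sample_token(payload: dict) -> str:
    """Constructed sample input: a compact token with a dummy signature segment,
    present only so the parser above has something realistic to read."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'ES256'})}.{enc(payload)}.dummy-signature"


if __name__ == "__main__":
    token = make_sample_token({"aud": "https://verifier.example", "nonce": "n-1"})
    via_dc_api = RequestContext("dc_api", "verifier.example", "https://verifier.example")
    via_redirect = RequestContext("redirect", "verifier.example")
    print("DC API, origin-bound aud:", check_presentation_audience(token, via_dc_api))
    print("redirect, same aud vs client_id:", check_presentation_audience(token, via_redirect))
```

The same token is accepted in the DC API case and rejected in the redirect case, which is exactly the gap the issue points at: a verifier that applies the Section 14.1 wording (audience equals client ID) unchanged to DC API responses will either reject every valid response or, if it relaxes the check, lose the origin binding the DC API provides.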

3 participants