In case the credential includes a link to the hosted metadata, the relying party will fetch it like:
GET /.well-known/jwt-vc-issuer HTTP/1.1
Host: example.com
A malicious issuer could add unique subdomains to add a tracker, e.g. the jti value or another internal identifier: <jti>.example.com/.well-known/jwt-vc-issuer. This cannot be detected by the relying party since the URL of the jwks_uri must not match the same host as the vct value (or the issuer uses an x509 that must also not be bound to a domain, or maybe it's a wildcard one).
Suggestion:
Add a privacy consideration note that this can be used for presentation tracking. An alternative suggestion would be to allow the Wallet to include the vct issuer metadata into e.g. the presentation response when using OID4VP. In this case the issuer may only know that the wallet is presenting a credential when the VCT was not cached before (in case an integrity value was provided, the wallet can be sure it never has an outdated version of the vct values).
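A wallet-side check for the tracking vector described in this issue, written as an added example (not code from the issue author or from the SD-JWT VC project): it builds the jwt-vc-issuer URL a relying party would fetch and flags host labels that embed the credential's jti or sub, or that look like random per-credential tokens. The entropy threshold, the minimum label length and the rule of skipping the last two host labels are assumptions.

```python
"""Wallet-side heuristic: does the issuer/vct host carry a per-credential tracker?

Added example; assumes the wallet already holds the verified JWT payload as a dict.
"""
import math
from collections import Counter
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/jwt-vc-issuer"


def issuer_metadata_url(iss: str) -> str:
    """URL a relying party fetches for this iss value: the well-known path is
    inserted between the host and the issuer's own path component."""
    parts = urlsplit(iss)
    path = parts.path.rstrip("/")
    return f"{parts.scheme}://{parts.netloc}{WELL_KNOWN}{path}"


def _entropy_bits(label: str) -> float:
    """Shannon entropy per character; random tokens score high, words score low."""
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def tracking_labels(url: str, payload: dict,
                    min_len: int = 16, threshold_bits: float = 3.0) -> list[str]:
    """Host labels of `url` (iss or vct) that look like per-credential trackers.

    A label is flagged when it contains an identifier from the credential
    (jti or sub, at least 4 chars) or when it is long and high-entropy like a
    random token. An empty list means nothing suspicious was found.
    The min_len / threshold_bits values are assumed tuning parameters.
    """
    host = urlsplit(url).hostname or ""
    ids = {str(payload[k]).lower() for k in ("jti", "sub") if k in payload}
    ids = {i for i in ids if len(i) >= 4}
    flagged = []
    # Skip the registrable domain and TLD (rough: last two labels only).
    for label in host.split(".")[:-2]:
        low = label.lower()
        if any(i in low for i in ids):
            flagged.append(label)
        elif len(label) >= min_len and _entropy_bits(low) >= threshold_bits:
            flagged.append(label)
    return flagged
```

A wallet would run tracking_labels over both iss and vct at issuance time, before the credential is ever presented, since the relying party cannot tell a tracker label from a legitimate tenant subdomain.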