I've been using verifyResource(). I have an origin and I want to find + verify any linked DIDs. I can't see anywhere that verifyResource() will verify that the origin in the domain linkage credentials matches the origin I expect. So I need to do that myself, is that correct? It seems dangerous to not do this check, because an adversary could simply copy a legitimate DID configuration onto their own domain. Please correct me if I'm wrong.

For example I would expect:

- When I provide an origin as an argument, verifyResource() would verify that the origin matches what's found in the fetched DID configuration.
- I should be able to provide both an origin and a DID configuration resource (currently not allowed), and have verifyResource() verify that the linkages match.

I see that this is a little tricky at the moment because most of the VC handling is delegated to the verifySignatureCallback, and it would be nice to avoid parsing (i.e. decoding in the case of a JWT) VCs twice. Perhaps:

1. The expected origin could be passed into the verifySignatureCallback as an arg, and the callback could do the origin verification itself.
2. The verifySignatureCallback could return the origin (and ideally the DID), and verifyResource could take care of verifying the match.
3. Similar to 2, but return the parsed/decoded form of the VCs. Then verifyResource() can verify that the structure is as expected and do the extracting.

Similarly I would find it useful for verifyResource() to return the DID and origins that are extracted, in the credentials field available in the verification result. Otherwise I have to parse/decode (in the case of a JWT) domainLinkageCredentials myself after doing the verification to get the DID, which means there are two parses happening. Let me know your thoughts.

Thanks again :)
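The origin-binding check the post asks for, as an added stand-alone example (not the library's code, which the post does not show). It assumes the DIF Well Known DID Configuration layout (a `linked_dids` array holding JWT or JSON-LD `DomainLinkageCredential`s); the function names, the `SAMPLE_CONFIG` resource and the unsigned sample JWT are constructed for illustration, and signature verification is assumed to have already happened in the caller's signature callback.

```javascript
const DLC_TYPE = 'DomainLinkageCredential';
// Decode a JWT payload without checking the signature. The signature check is assumed
// to be done elsewhere (the post's verifySignatureCallback); this only extracts claims.
function decodeJwtPayload(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('malformed JWT');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}
// Normalise a linked_dids entry (JWT string or JSON-LD object) into the identifiers
// that must all name the same DID, the bound origin, and the credential types.
function extractLinkage(entry) {
  if (typeof entry === 'string') {
    const p = decodeJwtPayload(entry);
    const cs = (p.vc && p.vc.credentialSubject) || {};
    return { ids: [p.iss, p.sub, cs.id], origin: cs.origin, type: p.vc && p.vc.type };
  }
  const cs = entry.credentialSubject || {};
  const issuer = typeof entry.issuer === 'string' ? entry.issuer : (entry.issuer || {}).id;
  return { ids: [issuer, cs.id], origin: cs.origin, type: entry.type };
}
// Accept a credential only if it is a DomainLinkageCredential, self-issued by the DID
// it names, and bound to exactly the origin the resource was fetched from. A configuration
// copied to another domain fails the origin comparison even though its signatures are valid.
function checkDomainLinkage(configuration, expectedOrigin) {
  const dids = [];
  const errors = [];
  (configuration.linked_dids || []).forEach((entry, i) => {
    let l;
    try { l = extractLinkage(entry); } catch (e) { errors.push(`#${i}: ${e.message}`); return; }
    if (!Array.isArray(l.type) || !l.type.includes(DLC_TYPE)) { errors.push(`#${i}: not a ${DLC_TYPE}`); return; }
    if (!l.ids[0] || !l.ids.every((id) => id === l.ids[0])) { errors.push(`#${i}: issuer/subject mismatch`); return; }
    if (l.origin !== expectedOrigin) { errors.push(`#${i}: origin ${l.origin} is not ${expectedOrigin}`); return; }
    dids.push(l.ids[0]);
  });
  return { dids, errors };
}
// Constructed sample resource (not real data): one JSON-LD credential for the expected
// origin and one JWT credential that is only valid on a different origin.
const b64u = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
const fakeJwt = (payload) => `${b64u({ alg: 'EdDSA' })}.${b64u(payload)}.c2ln`; // dummy signature
const SAMPLE_CONFIG = {
  '@context': 'https://identity.foundation/.well-known/did-configuration/v1',
  linked_dids: [
    { type: ['VerifiableCredential', DLC_TYPE], issuer: 'did:example:alice',
      credentialSubject: { id: 'did:example:alice', origin: 'https://alice.example' } },
    fakeJwt({ iss: 'did:example:bob', sub: 'did:example:bob', vc: { type: ['VerifiableCredential', DLC_TYPE],
      credentialSubject: { id: 'did:example:bob', origin: 'https://bob.example' } } }),
  ],
};
```

Calling `checkDomainLinkage(SAMPLE_CONFIG, 'https://alice.example')` returns only `did:example:alice` and reports the Bob credential as an origin mismatch, which is the case the post is worried about.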