Presentation request format validation #152
Comments
|
I think we need to work with the protocols to ensure there is clarity about which validation rules are enforced where in the stack. We've heard from EUDI designers that the browser/OS precisely validating the request is inconsistent with the requirements for EUDI. We captured this in the explainer with this text:
While some validation may be OK, I don't think we can have the DC API just blindly say the user agent validates all properties of the request. Perhaps protocol specifications should be clear about which bits are OK to validate in the browser vs. which bits are expected to be validated by the wallet? In particular, where the points for future extensibility are? |
|
I see the benefit of early syntax checks, I also see the challenges associated with it. Just checking whether a JSON request object is correct JSON is one thing, going deeper into the structure might result in additional obstacles for the deployment of any change. I think the decision that needs to be made is, whether the introduction/modification of presentation protocols defined on top of DC API requires modifications to the browsers/platforms. I'm very hesitant about this as I don't see how this would work in a predictable/deterministic fashion. |
|
Just to cross-post, I expanded a bit some concerns I have in the PR itself: #156 (comment) |
note that’s not what we are proposing. We’re saying that the protocol spec is in charge of dictating how the members are validated, and which are be validated by the browser. At the same time, even if the browser blindly passed all the data to a wallet, a wallet still needs to do all the validation: there’s no escaping having to do the validation somewhere. This is supposed to serve as a forcing function to assure a high degree of privacy and security, as we would expect from any W3C standard that interacts with the browser, OS, or native applications. Take again the example of expected_origins in openid4vp. As it currently stands, that member is underspecified and not implementable because it lacks any validation rules. See openid/OpenID4VP#224 for details. That’s not to pick on openid4vp. I’m just highlighting the challenges that we face as either browser implementers or wallet implementers. The browser is in a uniquely powerful position to report and fix developer errors, normalize data, and secure things. The net effect being maximized interoperability through well defined validation and data normalization behavior. more concretely, imagine if every wallet treats |
|
Fixed the above to reference “expected_origins”, but my point stands with any URL that could be passed along to a wallet. Those needs to be checked as URLs are a source of security bugs when blindly dereferenced by the receiving application (be it the OS, or wallet). Just as a counter example, let’s say the wallet tried to attack the RP through the response: browsers have ton of security infrastructure the prevents, for example, dereferencing things like file://, fetching from local network addresses, etc. it’s not realistic to expect native apps serving as wallets to have the same level of security (or operate under a “same origin” model), because they are operating under different assumptions and platform. |
|
@tlodderstedt wrote:
See how we will handle it in WebKit: it should be pretty straightforward. We did a lot of the same things in the Payment Request API and I think Web Auth does similar things. |
When ingesting any presentation format, presumably there will be a set of requirements/constraint that need to be satisfied. For example, expected_origins in OpenID4VP:
Parsing those URLs may result in parsing error, which should reported a
TypeError.I think generally any validation error in the request format will result in a
TypeError.The text was updated successfully, but these errors were encountered: