Be suspicious of QR Code flows that don't also check digital signatures at some point #67
Comments
|
Can we add Security Considerations section in the vc-imp-guide? |
|
The issue was discussed in a meeting on 2023-02-07
View the transcript2.1. Be suspicious of QR Code flows that don't also check digital signatures at some point (issue vc-imp-guide#67)See github issue vc-imp-guide#67. Manu Sporny: this issue has to do with a compromise with Australia's digital drivers license. The app wasn't even checking the digital signature. Kristina Yasuda: that Australia implementation made some waves, it would be good to add this..
|
From this article:
https://arstechnica.com/information-technology/2022/05/digital-drivers-license-used-by-4m-australians-is-a-snap-to-forge/
One of the security compromises had to do with the QR Code being trusted in some way without a digital signature being used. It's unclear what, if any, protection mechanism was in place for the QR Code, but what is clear was that it was not a digital signature that was being verified. Or if it was, the signature was created client-side and was not being checked for validity or revocation by the verifier.
Implementers should strive for digitally signed QR Codes. For example, every QRCode in the TruAge age verification program is a unique, digitally signed VC encoded as CBOR-LD and displayed as a QR Code. The verifier must check that the issuer is valid and the signature is valid before processing the data. QR Codes that don't result in a digital signature check happening at some point in the process are asking for trouble. We should provide some guidance to implementers that note that the use of QR Codes w/o some sort of digital signature validation at some point in the process is dangerous.
The text was updated successfully, but these errors were encountered: