Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

PoP attestation binding #47

Open
peppelinux opened this issue Sep 25, 2023 · 5 comments
Open

PoP attestation binding #47

peppelinux opened this issue Sep 25, 2023 · 5 comments

Comments

@peppelinux
Copy link

peppelinux commented Sep 25, 2023
edited
Loading

Even if remote, there is the possibility that an implementation re-uses the same cryptographic keys for different scopes.

the PoP JWT could be used with the same cryptograhic key attested in more than a single attestation and therefore be replicated for different endpoints/audience

What do you think about getting the ath claim inside the DPoP token as requested?

In this way, a DPoP token cannot be replicated when the key that proves possession is the same within different attestations.

Even if DPoP specs defines ath in relation to an access token, may we consider that any kind of JWT could represent an access token, in relation of its scope, the flow where it is used and its usage in general?

Then, could we provide a binding of the PoP to a specific attestation where the possession aims to be proved?
@peppelinux
Copy link
Author

For better clarity

an aud is not enough where a pop is used on a different attestation that has in common the same key used for the signature of another attestation

it's an implementation risk where an implementer would use the same key for different attestations

once you have one, you can replay the same PoP for another/different attestation that has in common the same key
hash of the attestation is then required, WDYT?

@asharif1990
Copy link

Even if remote, there is the possibility that an implementation re-uses the same cryptographic keys for different scopes.

the PoP JWT could be used with the same cryptograhic key attested in more than a single attestation and therefore be replicated for different endpoints/audience

What do you think about getting the ath claim inside the DPoP token as requested?

In this way, a DPoP token cannot be replicated when the key that proves possession is the same within different attestations.

Even if DPoP specs defines ath in relation to an access token, may we consider that any kind of JWT could represent an access token, in relation of its scope, the flow where it is used and its usage in general?

Then, could we provide a binding of the PoP to a specific attestation where the possession aims to be proved?

I can see the benefits of binding the wallet instance attestations to the specific proof to avoid the possibility that it could be swapped in the case that the same cryptography keys are used by the implementers. I agree that the usage of a similar countermeasure like ath that is defined in the DPoP specification can work here as a mitigation. However, it would be better to introduce a new claim for this to be included in PoP as ath meant for the Access Token, and here as we deal with Wallet Instance Attestation maybe we can use the following claim wiah?

@paulbastian
Copy link
Collaborator

Do you propose a new claim in the Client Attestation PoP JWT thats value is the hash of the corresponding Client Attestation JWT?

@asharif1990
Copy link

Do you propose a new claim in the Client Attestation PoP JWT thats value is the hash of the corresponding Client Attestation JWT?

Yes Paul. That is the idea.

@paulbastian
Copy link
Collaborator

We will explore this, but initially it does not seem like a bad idea

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@peppelinux @paulbastian @asharif1990