- From: Manu Sporny <msporny@digitalbazaar.com>
- Date: Sat, 11 Jan 2020 15:27:26 -0500
- To: public-credentials@w3.org
On 1/10/20 7:58 AM, Oliver Terbu wrote:
> If DID Doc consumers have "remote context retrieval" enabled for
> arbitrary URIs

Don't do this in production... ever. :)

The attack you are concerned about is completely mitigated by not allowing software to arbitrarily download and execute code from the Internet. This is a general security practice in any software system. If you are writing production-grade software and security is a concern, don't let your software retrieve random documents from the Internet.

With respect to the attack you outlined, there is zero difference between *properly implemented* JSON processors vs. JSON-LD processors.

> Please note, that this is not an exhaustive list of attacks. It
> would take quite an effort to identify all vulnerabilities that are
> potentially(!) enabled by just using JSON-LD.

You have, to date, identified zero successful attacks for properly implemented systems using JSON-LD.

> Additionally, I want to explicitly note, that I'm not saying that
> there are no attacks possible on JSON-only DID Docs. But it will have
> a different risk profile.

You have yet to produce a single attack model that differentiates a proper JSON implementation from a proper JSON-LD implementation.

... but this is fun, keep going. :) We should be critical of these systems and try different attack models to see if there are vulnerabilities.

-- manu

--
Manu Sporny (skype: msporny, twitter: manusporny)
Founder/CEO - Digital Bazaar, Inc.
blog: Veres One Decentralized Identifier Blockchain Launches
https://tinyurl.com/veres-one-launches
Received on Saturday, 11 January 2020 20:27:30 UTC
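The mitigation the message insists on, a JSON-LD processor that never performs remote context retrieval, is easy to state and easy to get wrong in practice (a pinned context can itself import an unpinned one). The following is an added example, not code from the thread, from Digital Bazaar or from any JSON-LD library: a document loader that serves only contexts embedded at build time, refuses every other URL, and walks the `@context` chain recursively so nothing unpinned can be pulled in transitively. The loader's call signature merely mirrors the shape common JSON-LD libraries accept for a custom document loader (an assumption), the context bodies are constructed placeholders rather than the real W3C documents, and `https://example.org/ctx/app/v1` is a hypothetical application context.

```python
"""Static JSON-LD context loader: no network, pinned contexts only."""
import hashlib
import json


class ContextLoadError(Exception):
    """Raised when a document references a context we did not ship with."""


def _digest(doc):
    # Canonical serialisation so the pin does not depend on key order.
    return hashlib.sha256(
        json.dumps(doc, sort_keys=True, separators=(",", ":")).encode()
    ).hexdigest()


class StaticDocumentLoader:
    """Serves only contexts registered at build time; refuses all fetches."""

    def __init__(self):
        self._pinned = {}   # url -> (sha256 hex, context document)
        self.refused = []   # audit trail of blocked retrieval attempts

    def pin(self, url, document):
        """Register a context body that ships with the application."""
        self._pinned[url] = (_digest(document), document)

    def __call__(self, url, options=None):
        # Shape assumed to match typical documentLoader callables.
        if url not in self._pinned:
            self.refused.append(url)
            raise ContextLoadError(f"remote context retrieval refused: {url}")
        expected, document = self._pinned[url]
        if _digest(document) != expected:   # guard against in-process tampering
            raise ContextLoadError(f"pinned context corrupted: {url}")
        return {"contextUrl": None, "documentUrl": url, "document": document}


def context_urls(document):
    """Extract the context URLs a JSON-LD document asks to have loaded."""
    ctx = document.get("@context", [])
    if not isinstance(ctx, list):
        ctx = [ctx]
    urls = []
    for entry in ctx:
        if isinstance(entry, str):
            urls.append(entry)
        elif isinstance(entry, dict):
            pass  # inline context: nothing to fetch
        else:
            raise ContextLoadError(f"malformed @context entry: {entry!r}")
    return urls


def check_contexts(document, loader, _seen=None):
    """Return the context URLs that cannot be served from the pinned set.

    Pinned contexts may declare their own @context URLs; those are checked
    recursively so a pinned file cannot quietly import an unpinned one.
    """
    seen = _seen if _seen is not None else set()
    problems = []
    for url in context_urls(document):
        if url in seen:
            continue
        seen.add(url)
        try:
            loaded = loader(url)
        except ContextLoadError:
            problems.append(url)
            continue
        problems.extend(check_contexts(loaded["document"], loader, seen))
    return problems


def build_loader():
    """Trust store for this example; bodies are constructed placeholders."""
    loader = StaticDocumentLoader()
    loader.pin("https://www.w3.org/ns/did/v1",
               {"@context": {"@version": 1.1, "id": "@id", "type": "@type"}})
    # Hypothetical application context that imports the DID context.
    loader.pin("https://example.org/ctx/app/v1",
               {"@context": ["https://www.w3.org/ns/did/v1",
                             {"name": "https://schema.org/name"}]})
    return loader


if __name__ == "__main__":
    loader = build_loader()
    good = {"@context": ["https://example.org/ctx/app/v1"], "id": "did:example:123"}
    bad = {"@context": ["https://www.w3.org/ns/did/v1", "https://unknown.example/ctx"],
           "id": "did:example:456"}
    print(check_contexts(good, loader))   # []
    print(check_contexts(bad, loader))    # ['https://unknown.example/ctx']
    print(loader.refused)                 # ['https://unknown.example/ctx']
```

Run the check before handing a DID Document to the JSON-LD processor and reject the document outright when the returned list is non-empty; the `refused` audit trail is worth surfacing in logs, since a consumer that keeps asking for unpinned contexts is exactly the signal the message says to watch for.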