- From: BigBlueHat via GitHub <noreply@w3.org>
- Date: Mon, 25 Aug 2025 20:06:13 +0000
- To: public-security@w3.org
@simoneonofri does the "three-party model" presented in this [figure in the Verifiable Credentials Data Model specification](https://www.w3.org/TR/vc-data-model-2.0/#roles) mitigate (or perhaps just avoid) this scenario? If the ecosystem of Wallets/Holders is detached from the Issuers and the Verifiers, then the "understanding of [the] victims' operational environment" becomes harder to achieve, perhaps.

Additionally, the greater the choice of Wallets in the marketplace, the harder a complete spoof would be to create, as you'd have to present me not only with a single screen with a Wallet I use but potentially also present me with the list of other Wallets I could pick from for that identity credential. Knowing that full list (which might also change over time) would be far harder than knowing that x% of enterprises use a specific IdP provider.

It might be worth engaging with the VC WG around this particular risk, as it feels at least lessened by the three-party model.

Cheers! 🎩

--
GitHub Notification of comment by BigBlueHat
Please view or discuss this issue at https://github.com/w3c/securityig/issues/24#issuecomment-3221581180 using your GitHub account

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Monday, 25 August 2025 20:06:14 UTC