OID4VCI: distinguish two types of pre-auth code abuse. #23

Open
OIDF-automation opened this issue Feb 28, 2023 · 0 comments · May be fixed by #464

OIDF-automation commented Feb 28, 2023

Imported from AB/Connect bitbucket: https://bitbucket.org/openid/connect/issues/1838

Original Reporter: KristinaYasuda

TODO The spec does not distinguish between replay (attacker forwards code to other wallet/end-user) and stealing the code (attacker scans code intended for other user). This needs to be fixed.

From the security analysis: openid / connect / Pull Request #468: First draft of OpenID 4 VC Security Analysis — Bitbucket cc @danielfett

@Sakurann Sakurann added security and removed bug labels Sep 30, 2023
@Sakurann Sakurann added this to the Final 1.0 milestone Dec 18, 2024
surfnet-niels pushed a commit to surfnet-niels/OpenID4VCI that referenced this issue Feb 25, 2025