Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Should the revocation list credential issuer match the verifiable credential issuer? #18

Open
kdenhartog opened this issue Jul 21, 2020 · 0 comments
Open

Should the revocation list credential issuer match the verifiable credential issuer? #18

kdenhartog opened this issue Jul 21, 2020 · 0 comments
Labels
question Further information is requested

Comments

@kdenhartog
Copy link
Contributor

Our team was looking into the code and noticed that there's no check to make sure the revocationListCredential issuer matches the verifiable credential issuer. This creates the potential for the revocation list to be issued by a separate party which in the case where the server hosting the revocation list is compromised, it would allow for the adversary to create their own DID and to change the status of the credential to revoked or un-revoke it as well.

Should this check be added or was it intentionally left out?
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
question Further information is requested
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@mattcollier @kdenhartog