Extended status assertion errors table added #53


SaraConsoliACN
Contributor

This commit aims to resolve issue #46.

@peppelinux peppelinux requested review from OR13 and marinaado May 22, 2024 10:15
SaraConsoliACN and others added 2 commits May 22, 2024 12:28
Co-authored-by: Giuseppe De Marco <giuseppe.demarco@teamdigitale.governo.it>
Co-authored-by: Giuseppe De Marco <giuseppe.demarco@teamdigitale.governo.it>
"credential_hash": $CREDENTIAL-HASH,
"credential_hash_alg": "sha-256",
"error": "credential_revoked",
"error_description": "Credential is revoked."
Collaborator

In this case, the holder can never prove the credential is revoked; they can only prove if it's not.

I wonder if treating revocation as an error is a good idea. I can see pros and cons.

An alternative would be to issue an assertion that the credential was revoked, and return a different structure for errors with the request or on the server (4xx, 5xx).

Owner

Please do a proposal, I would like to have draft 03 before the next interim meeting.

I used status code set to 200 for two reasons:

  1. the result is an array with multiple embedded responses, be these assertions or errors
  2. adversaries won't take any behavioral information from the endpoint without inspecting the JWT/CWT contained in the response array

I want to know from you if you want a different approach or if you only want to remove this error type about the already revoked credential.
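
An added example (not code from this pull request or from the draft) of how a client could consume the response discussed in the two comments above: the HTTP status is handled separately from the per-credential entries, and each entry is tied to a held credential by recomputing `credential_hash`. It assumes entries are already-decoded payloads whose signatures were checked upstream, that the digest is hex-encoded, and that an entry without an `error` member is an assertion; the function names and outcome labels are hypothetical.

```python
import hashlib

# Assumption: the client only accepts digests it can recompute itself.
SUPPORTED_ALGS = {"sha-256": hashlib.sha256}

def credential_hash(credential: bytes, alg: str) -> str:
    """Recompute the digest an entry should carry (hex encoding is an assumption)."""
    if alg not in SUPPORTED_ALGS:
        raise ValueError(f"unsupported credential_hash_alg: {alg!r}")
    return SUPPORTED_ALGS[alg](credential).hexdigest()

def classify(http_status: int, entries: list, held: dict) -> dict:
    """Map each held credential to 'asserted', 'revoked', 'error:<code>' or 'missing'.

    entries: decoded payloads whose signatures were verified upstream (assumption).
    held:    hypothetical {name: raw credential bytes} the client asked about.
    """
    # A request or server failure is not a statement about any credential.
    if http_status != 200:
        raise RuntimeError(f"status endpoint failed with HTTP {http_status}")
    outcome = {name: "missing" for name in held}
    for entry in entries:
        alg = entry.get("credential_hash_alg")
        if alg not in SUPPORTED_ALGS:
            continue  # cannot be correlated to a credential, so it proves nothing
        for name, raw in held.items():
            if credential_hash(raw, alg) != entry.get("credential_hash"):
                continue
            if "error" not in entry:
                # Fail closed: an assertion never overrides an earlier error.
                if outcome[name] == "missing":
                    outcome[name] = "asserted"
            elif entry["error"] == "credential_revoked":
                outcome[name] = "revoked"
            else:
                outcome[name] = "error:" + str(entry["error"])
    return outcome

# Constructed sample data, not taken from the pull request.
HELD = {"id-card": b"constructed-credential-1",
        "licence": b"constructed-credential-2",
        "badge": b"constructed-credential-3"}
ENTRIES = [
    {"credential_hash": credential_hash(HELD["id-card"], "sha-256"),
     "credential_hash_alg": "sha-256"},
    {"credential_hash": credential_hash(HELD["licence"], "sha-256"),
     "credential_hash_alg": "sha-256",
     "error": "credential_revoked", "error_description": "Credential is revoked."},
]
```

A credential that ends up `missing` received no usable entry, which the caller should treat as unknown status rather than as valid.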

Co-authored-by: fmarino-ipzs <77629526+fmarino-ipzs@users.noreply.github.com>
@OR13 OR13 mentioned this pull request May 25, 2024
@peppelinux
Owner

I have improved the alg parameter description and also proposed a section explaining the rationale behind the unsigned status assertion errors, specifying that it's an implementation choice and the requirement to validate the signature when it is present.

@OR13 @fmarino-ipzs ^

@peppelinux peppelinux requested review from OR13 and fmarino-ipzs May 25, 2024 13:51
@peppelinux peppelinux merged commit b4cabe4 into peppelinux:main May 25, 2024
1 check passed