It would be beneficial to include the following in the QR code:
A nonce
An expiration time (exp)
The Relying Party (RP) should bind the user-agent with the issued QR code in such a way that a scam attack would not succeed unless the adversary knows and configures their user-agent with the same data as the victim's user-agent.
No, it is only an open discussion with several concerns and weaknesses. I only tried to explain some further key elements, but it is still not clear how they would appear as useful or necessary for the improvement of the security of the QR code.
No action for now, also because nonce and exp are something that can be explicitly handled by the RP in its backend, using bindings and expiration times after the issuance.
openid/OpenID4VP#329 (comment)
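One way an RP backend could handle the nonce, expiration time and user-agent binding discussed in this thread, as an added example that is not code from the specification or its authors. The cookie-based binding, the function names, the `rp.example` URL, the in-memory store and the 120-second lifetime are all assumptions made for illustration.

```python
import hashlib, hmac, secrets, time

QR_TTL_SECONDS = 120   # assumed QR lifetime
_pending = {}          # request_id -> record; stand-in for the RP's session store

def _h(value):
    return hashlib.sha256(value.encode()).hexdigest()

def issue_qr_request(now=None):
    """Create a request for one user-agent; return (qr_payload, binding_cookie)."""
    now = time.time() if now is None else now
    request_id = secrets.token_urlsafe(16)
    binding_cookie = secrets.token_urlsafe(32)  # sent as HttpOnly/Secure cookie
    _pending[request_id] = {
        "nonce": secrets.token_urlsafe(16),
        "exp": now + QR_TTL_SECONDS,
        "binding_hash": _h(binding_cookie),     # store only a hash of the cookie
        "used": False,
    }
    # Only an opaque identifier is encoded in the QR; nonce and exp stay server-side.
    return f"https://rp.example/request/{request_id}", binding_cookie

def request_object(request_id):
    """What the wallet receives when it dereferences the QR code."""
    rec = _pending[request_id]
    return {"nonce": rec["nonce"], "exp": rec["exp"]}

def redeem(request_id, presented_cookie, presented_nonce, now=None):
    """Release the result only to the user-agent the QR code was issued to."""
    now = time.time() if now is None else now
    rec = _pending.get(request_id)
    if rec is None:
        return "unknown_request"
    if now > rec["exp"]:
        _pending.pop(request_id, None)          # expired requests are discarded
        return "expired"
    if rec["used"]:
        return "replayed"
    cookie_hash = _h(presented_cookie or "")
    if not hmac.compare_digest(rec["binding_hash"], cookie_hash):
        return "wrong_user_agent"               # QR was relayed to another browser
    nonce = (presented_nonce or "").encode()
    if not hmac.compare_digest(rec["nonce"].encode(), nonce):
        return "nonce_mismatch"
    rec["used"] = True                          # single use
    return "ok"
```
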