Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add security section on dynamic information. #89

Merged
merged 1 commit into from
Nov 3, 2017
Merged

Add security section on dynamic information. #89

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
13 changes: 11 additions & 2 deletions index.html
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2065,9 +2065,18 @@ <h3>Bundling Dependent Claims</h3>
<section>
<h3>Highly Dynamic Information</h3>

<p class="issue">
Time periods should be shorter for highly dynamic information.
<p>
When verifiable <a>credentials</a> are issued for highly dynamic information,
implementers should ensure that the expiration times for the credential are
set appropriately. Expiration periods that are longer than the timeframe
where the credential is valid may create exploitable security vulnerabilities.
Expiration periods that are shorter than the timeframe where the information
expressed by the credential is valid create a burden on <a>holders</a> and
<a>verifiers</a>. It is therefore important to set validity periods for
credentials that are appropriate to the use case and the expected lifetime
for the information contained in the credential.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Isn't this in direct contradiction to the recommendation to use short-lived credentials?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, perhaps we need more specific recommendations or a sliding scale -- or just a note that "if credentials are too short-lived the drawbacks are X and if they are too long-lived the drawbacks are Y." Followed by: "Use technology T or policy P for use cases where you can't compromise on either."

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we raise a new issue for this? I agree with both of you, but I feel like we need to refactor/merge multiple sections (that don't exist in the spec if we don't pull in this PR) based on this discussion.

</p>

</section>
</section>

Expand Down