29 lines
1.7 KiB
Markdown
29 lines
1.7 KiB
Markdown
# Security Review
|
|
|
|
## Findings
|
|
|
|
### High: assertion authenticity is assumed but not tied to required receiver behavior
|
|
|
|
The draft correctly says portable trust assertions need authenticated origin and integrity protection, but it does not make rejection behavior explicit. A receiver should not be allowed to consume an unauthenticated portable assertion and still claim conformance.
|
|
|
|
### High: replay handling depends on freshness, but the minimum stale-data rule is too soft
|
|
|
|
Freshness is mandatory, which is good, but receivers only SHOULD reject or downgrade stale assertions. For clearly expired assertions, that is too weak. A stronger interoperability floor is warranted.
|
|
|
|
### Medium: negative trust sharing creates reputational poisoning risk without minimum evidence discipline
|
|
|
|
The document warns about poisoning and privacy, yet evidence references remain entirely optional. That is reasonable for all assertions, but negative portable assertions may need a stronger requirement for explanation or evidence linkage.
|
|
|
|
### Medium: collusion risk is identified but not operationalized
|
|
|
|
The draft notes that multiple issuers may not be independent, but it gives no guidance on how a relying party should avoid double-counting related issuers. Even a brief cautionary requirement or implementation note would help.
|
|
|
|
## Open questions
|
|
|
|
- Should unauthenticated portable trust assertions be explicitly non-conformant?
|
|
- Should negative assertions require either evidence reference or explanation code?
|
|
|
|
## Residual risk
|
|
|
|
Even with improvements, dynamic trust will remain vulnerable to social and operational abuse that pure wire semantics cannot prevent. The draft should state those limits plainly.
|