OpenID4VCI PAR descriptions use ill-defined term authenticity
The recommendation to use PAR in https://openid.bitbucket.io/connect/openid-4-verifiable-credential-issuance-1_0.html#section-3.4 says:
With grant type authorization_code, it is RECOMMENDED to use PKCE as defined in [RFC7636] to prevent authorization code interception attacks and Pushed Authorization Requests [RFC9126] to ensure integrity and authenticity of the authorization request.
Likewise, the description of PAR at https://openid.bitbucket.io/connect/openid-4-verifiable-credential-issuance-1_0.html#section-5.1.4 says:
Use of Pushed Authorization Requests is RECOMMENDED to ensure confidentiality, integrity, and authenticity of the request data and to avoid issues due to large request sizes.
The term “authenticity” doesn’t have a clear meaning as used above. It would be better to replace “authenticity” with something like “the ability to cryptographically identify the party making the request”.
Note that issue #1972 describes occurrences of other usages of the term “authenticity” that also need attention.
Comments (4)

RFC4949 defines as following:
I think it fits the definition. Will a reference to RFC4949 help?

reporter: The problem is that we're currently not saying what's authentic about the request. What we mean is that the issuer is cryptographically verifiable, but we're currently not saying that, and we shouldn't leave that ambiguity in our definitions.

reporter changed status to open
Will be fixed by https://bitbucket.org/openid/connect/pull-requests/562

changed status to resolved
PR merged.