[OpenID4VP over BLE] How to establish authentication in practice

Issue #1998 new
Felix Linker created an issue

#1997 made me wonder how the standard is supposed to establish authentication in practice. What I mean by that is: I presume the protocol is meant to be run interactively between two humans (e.g., one person asking for a ticket and another person presenting it). In such cases, the verifier has no means to establish that the person in front of them is indeed the one who presented the ticket. Outside of adversarial contexts, there could be race conditions in BLE connection setups at large events when QR codes for connection establishment are not used.

It might be desirable to extend the protocol such that the wallet can present something (e.g., a QR code) that assures the verifier which device presented them the VC. This is not a feature proposal just now; I’m more wondering about the scope of the specification and would like to start this discussion.

Comments (3)

  1. SasiKumar Ganesan

    Felix, good thinking, but is that something we need in the protocol? Can it not be solved just by simple UX that lets the user connect but send it only when he is sure? Also a simple confirmation message on the screen after the transfer report (successful)?
