Handles issue of acceptance of self-signed ticket
Closed this issue · 3 comments
Currently attestation.jar will use the optional public key included in a ticket to validate it (this is not the case in the smart contract or authenticator, though).
While it was originally a feature which allowed easy proof-of-concept validation along with public key validation, it is currently not used like that and hence is a security issue.
To the best of our knowledge no tickets have been issued with a public key so far.
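The problem described in the issue above, shown as an added example that is not code from attestation.jar or from this project: a verifier that prefers the key embedded in a ticket, next to one that relies only on the externally configured issuer key. The `Ticket` record, its fields, the method names and the payload strings are hypothetical and constructed for illustration; records need Java 16 or later.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Optional;

public class TicketKeyDemo {
    // Hypothetical stand-in for a ticket: signed payload, signature, optional embedded key.
    record Ticket(byte[] payload, byte[] signature, Optional<PublicKey> embeddedKey) {}

    static boolean check(PublicKey key, Ticket t) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withECDSA");
        s.initVerify(key);
        s.update(t.payload());
        return s.verify(t.signature());
    }

    // Behaviour the issue describes: the key shipped inside the ticket is used when present,
    // so the ticket vouches for itself.
    static boolean verifyTrustingEmbeddedKey(Ticket t, PublicKey issuerKey) throws GeneralSecurityException {
        return check(t.embeddedKey().orElse(issuerKey), t);
    }

    // Hardened: only the externally configured issuer key is a trust anchor.
    // An embedded key that differs from it causes rejection.
    static boolean verifyWithIssuerKeyOnly(Ticket t, PublicKey issuerKey) throws GeneralSecurityException {
        if (t.embeddedKey().isPresent() && !t.embeddedKey().get().equals(issuerKey)) return false;
        return check(issuerKey, t);
    }

    static Ticket sign(String payload, KeyPair signer, boolean embedKey) throws GeneralSecurityException {
        byte[] data = payload.getBytes(StandardCharsets.UTF_8);
        Signature s = Signature.getInstance("SHA256withECDSA");
        s.initSign(signer.getPrivate());
        s.update(data);
        return new Ticket(data, s.sign(), embedKey ? Optional.of(signer.getPublic()) : Optional.empty());
    }

    public static void main(String[] args) throws GeneralSecurityException {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("EC");
        gen.initialize(256);
        KeyPair issuer = gen.generateKeyPair();
        KeyPair other = gen.generateKeyPair(); // any key that is not the issuer's
        Ticket genuine = sign("ticketId=1", issuer, false);   // constructed sample
        Ticket selfSigned = sign("ticketId=2", other, true);  // constructed sample
        PublicKey trusted = issuer.getPublic();
        System.out.println("embedded-key verifier, genuine:     " + verifyTrustingEmbeddedKey(genuine, trusted));
        System.out.println("embedded-key verifier, self-signed: " + verifyTrustingEmbeddedKey(selfSigned, trusted));
        System.out.println("issuer-key verifier, genuine:       " + verifyWithIssuerKeyOnly(genuine, trusted));
        System.out.println("issuer-key verifier, self-signed:   " + verifyWithIssuerKeyOnly(selfSigned, trusted));
    }
}
```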
Same question for the publicKey included in the attestation. We use only the external publicKey to validate the signature, not the embedded one, but the smart contract uses gas to read the attestationPublicKey length and jump through this value.
Maybe it's according to some standard; I am not sure about it and I don't know if we have to follow this standard.
The public key included in the attestation is the one for the subject, not the signer of the attestation, but the owner of the attestation. It is used in VerifyTicket.sol to recover the address of the user who holds the ticket.
An alternative would be to require this to be encoded in the subject common name instead. Which is definitely doable, but would also mean we move further away from the x509 format which we have tried hard to keep.
In any case, as it is now, the public key is actually not redundant and is strictly needed in the smart contract.