Email not validated in DevCon flow

Question

Email not validated in DevCon flow

jot2re opened this issue 2 years ago · 8 comments

The user's email is not validated by attestation.id when issuing attestations based on a magic link. I.e. the ticket issuer is trusted to implicitly do the validation through the secret in the magic link.

See section 2.2.5 in the Token-negotiator report.
See (Jira issue 291)[https://smarttokenlabs.atlassian.net/browse/PR-291].

Answer 1 · 2022-06-17T12:09:25.000Z

@weiwu-zhang as far as I have understood from you, this issues goes against both the scope of what we want of attestation.id, but it also goes against the threat model.
However, this greatly increases usability and I think it might be "won't fix" issue. Can you confirm if this is the case or not?

Answer 2 · 2022-06-20T02:28:29.000Z

@jot2re , we dont use attestation by magic link nomore, because it generate valid emailAttestation and user can use this emailAttestation for other projects and it means that one-time magicLink lead leads to forever emailAttestation compromise.

in case if we need emailAttestation based on magicLink then we need to limit emailAttestation per token and this need to share tokens schema/keys with attestation.id, but attestation.id should stay separate independent project.

@weiwu-zhang , am I right?

Answer 3 · 2022-06-20T03:12:43.000Z

Won't fix until DevCon is over.

Answer 4 · 2022-06-20T03:14:12.000Z

@weiwu-zhang as far as I have understood from you, this issues goes against both the scope of what we want of attestation.id, but it also goes against the threat model. However, this greatly increases usability and I think it might be "won't fix" issue. Can you confirm if this is the case or not?

Wont' fix till DevCon is over.

Answer 5 · 2022-06-20T07:37:11.000Z

@weiwu-zhang , devcon confirmet to use OTP email confrmation, so we dont use magicLink attestation in our projects at the moment. Is it OK?
cc @AW-STJ

Answer 6 · 2022-06-20T08:20:19.000Z

@jot2re , we dont use attestation by magic link nomore, because it generate valid emailAttestation and user can use this emailAttestation for other projects and it means that one-time magicLink lead leads to forever emailAttestation compromise.

@oleggrib my understanding was that the attestation validity was still time restricted to 1 hour or 1 day (at least it was the case the last time I went through the attestation.id flows). Is that not the case anymore? Or do you simply mean that because the user has access to the magic link, they can always construct a new email attestation?

Answer 7 · 2022-06-20T09:43:25.000Z

@oleggrib my understanding was that the attestation validity was still time restricted to 1 hour or 1 day (at least it was the case the last time I went through the attestation.id flows). Is that not the case anymore?

current emailAttestations with Auth0 flow has TTL 1 month,

Or do you simply mean that because the user has access to the magic link, they can always construct a new email attestation?

yes, exactly, this is why we dont use it. @jot2re

Answer 8 · 2022-07-05T12:10:27.000Z

No longer relevant; has been fixed. Closing the issue.