From 4c8dd0b08dce75510b5aa0ba80b5525fc43ebeb4 Mon Sep 17 00:00:00 2001 From: Simone Onofri Date: Mon, 26 Aug 2024 14:04:19 +0200 Subject: [PATCH] Update decentralized-identities.md As suggested here https://github.com/w3c/identity-web-impact/issues/29#issuecomment-2309436586 --- models/decentralized-identities.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/models/decentralized-identities.md b/models/decentralized-identities.md index eb05721..30aa3f5 100644 --- a/models/decentralized-identities.md +++ b/models/decentralized-identities.md @@ -369,7 +369,7 @@ One effective though inefficient approach to threat modeling is to cycle the var - *Mitigations*: - Implement Digital Signatures - During the presentation, Indicate proper messages for identifying the _Verifier_ to limit Phishing Attacks. - - During issuing, use proper LOAs depending on the issued credentials. + - During issuing, use proper LOAs depending on the issued credentials. - **Tampering** (Threats to Integrity): - *Description*: Modifying something on disk, network, memory, or elsewhere. @@ -477,6 +477,10 @@ Considering the specific case of government credentials issued to people, it is Another scenario is the use of a credential for authentication: - In contrast to what can happen with credentials in other identity models, where credentials are used primarily for authentication, it can be risky to use a credential issued by an issuer to authenticate to a service that is not under the control of the issuer, as a malicious issuer could generate a parallel ad-hoc credential to authenticate. For example, it may not be a good idea to log into your personal e-mail with a government-issued credential such as a passport. +Other threats that [must be considered](https://github.com/w3c/identity-web-impact/issues/29#issuecomment-2309436586): + - Identity leakage + - Identity impersonation + ## What are we going to do about it? Countermeasures/Features:
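Review bot: In the first hunk (@@ -369,7 +369,7 @@), the removed and added "During issuing, use proper LOAs depending on the issued credentials." lines read identically as shown, so this appears to be a whitespace-only edit unrelated to the threats being added. Either drop it from this patch or mention the whitespace cleanup in the commit message, so the one deletion in the diffstat is not mistaken for a content change to the mitigations list.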
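Review bot: In the second hunk (@@ -477,6 +477,10 @@), the added bullets "Identity leakage" and "Identity impersonation" are bare labels, while the threat entries visible in the first hunk each carry a *Description* and *Mitigations*. A reader has to follow the link to the issue comment to learn what each threat means in this model. Suggest adding a one-sentence description per bullet and, for impersonation, pointing to the existing mitigations list that already covers digital signatures and identifying the _Verifier_ against phishing, so the new items do not sit apart from the countermeasures section that follows.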