Currently all certificates need to be present in the chain. However, according to e.g. COSE x509 and the mDL spec, the root cert should not be in the chain.
So we need to be smarter about this and not directly check if the cert is included.
I see the auth0 mdl lib used PKI.js before, which is from PeculiarVentures (same as our x509 libraries). It might make sense to use their x509 CertificateChainValidationEngine (https://github.com/PeculiarVentures/PKI.js).
Currently we're not able to verify mDLs signed with a chain if it does not include the root IACA certificate (which is explicitly disallowed by the mDL spec).
Example usage in cose-kit: https://github.com/jfromaniello/cose-kit/blob/d06430ec482321a8fd500008b393ef4de4e0ab40/src/cose/SignatureBase.ts#L89
It seems the x5c parameter in JWS is less clear about whether the whole chain needs to be present (https://www.rfc-editor.org/rfc/rfc7515.html#section-4.1.6), and points to RFC 5280 (https://www.rfc-editor.org/rfc/rfc5280). So we need to determine whether we can reuse the same logic for both COSE and JOSE, or whether there's a difference.