My application has a need to verify a specific user attribute before authorizing access to a resource…but that user attribute must be issued by a specific application to have the integrity necessary to use that attribute.
I apologize if this is stupid (I am new to building on Solid), but I can’t seem to determine how I can build an ACP that binds a user attribute to a specific attribute issuer. Any help would be greatly appreciated!
The attribute issuer would sign the attribute (or hash of it) with its private key, see e.g. HMAC.
The attribute issuer saves the attribute and signature in the pod.
Your application reads the attribute and signature from the pod and the public key from the attribute issuer.
Your application verifies the signature with the public key.
Note that the private key should stay private. So either it always stays in the backend of the application, or, if it is used in the frontend, the person using the application should be trusted (as they could copy the private key).
I think verifiable credentials go in the same direction, though I haven’t looked into this.
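
The four steps in the answer above, as an added example that is not part of the original posts: an issuer signs an attribute with an Ed25519 private key from Node's built-in crypto module, and the relying application verifies the stored record against a public key it has pinned for that issuer. The WebIDs, the attribute name and the JSON record layout are constructed for illustration, and reading and writing the pod is left out (the record is a plain object).

```javascript
const nodeCrypto = require("node:crypto");

// Serialize the fields in a fixed order so issuer and verifier process identical bytes.
function canonicalBytes({ issuer, subject, name, value }) {
  return Buffer.from(JSON.stringify([issuer, subject, name, value]), "utf8");
}

// Issuer backend: sign the attribute. The private key never leaves this side.
function issueAttribute(privateKey, claim) {
  const signature = nodeCrypto.sign(null, canonicalBytes(claim), privateKey);
  return { ...claim, signature: signature.toString("base64") };
}

// Relying application: accept the record only if it names the expected issuer and
// subject, and the signature verifies under the public key pinned for that issuer.
function verifyAttribute(record, trusted, expectedSubject) {
  if (!record || typeof record.signature !== "string") return false;
  if (record.issuer !== trusted.issuer || record.subject !== expectedSubject) return false;
  const sig = Buffer.from(record.signature, "base64");
  try {
    return nodeCrypto.verify(null, canonicalBytes(record), trusted.publicKey, sig);
  } catch {
    return false; // malformed signature or key is treated as a failed check
  }
}

// Constructed sample data (hypothetical issuer and user identifiers).
const issuerKeys = nodeCrypto.generateKeyPairSync("ed25519");
const otherKeys = nodeCrypto.generateKeyPairSync("ed25519");
const ISSUER = "https://issuer.example/profile#app";
const ALICE = "https://alice.example/profile/card#me";
const BOB = "https://bob.example/profile/card#me";
const trustedIssuer = { issuer: ISSUER, publicKey: issuerKeys.publicKey };

const claim = { issuer: ISSUER, subject: ALICE, name: "ageOver18", value: true };
const stored = issueAttribute(issuerKeys.privateKey, claim); // what is saved in the pod
const tampered = { ...stored, value: false };                // edited after signing
const forged = issueAttribute(otherKeys.privateKey, claim);  // signed by someone else

console.log("genuine record:", verifyAttribute(stored, trustedIssuer, ALICE));
console.log("tampered value:", verifyAttribute(tampered, trustedIssuer, ALICE));
console.log("wrong signer:  ", verifyAttribute(forged, trustedIssuer, ALICE));
console.log("copied to Bob: ", verifyAttribute(stored, trustedIssuer, BOB));
```

Including the subject in the signed bytes is what stops a valid record from being copied into another user's pod and accepted there.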