-
Notifications
You must be signed in to change notification settings - Fork 3
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
DAP spec open to impersonation via use of UTF-8 #42
Comments
punycode is one (partial) solution to these types of issues for domain-name spoofing. Consider this DAP Can the DAP spec be limited to ASCII, and apps use punycode to convert customer-entered DAPs to punycode? This still relies on the converted punycode to be displayed to the customer (this is done in the address bar for domain-names). I'm not sure there is an equivalent for DAPs. |
For reference, see ENSIP-15: ENS Name Normalization Standard for how Ethereum Name Service attempts to combat this. Note that ENS uses namehash to convert the name to a hash, and the hash would be different given an attempt to impersonate a known name. See #43 where I suggest using a visual representation of a hash of the DAP (or the resolved DID), which might function similarly. Perhaps we need to consider both these issues together. |
I just noticed the DAP spec does mentioned control characters being disallowed https://github.com/TBD54566975/dap#local-handles
I'm not sure if that mitigates the risk fully. |
Some other considerations for impersonation
|
I think there is a high risk for impersonation of DAPs if the
handle
anddomain
can use arbitrary UTF-8.Restricting the
handle
to ASCII would preclude the use of "real names" for a very large percentage of the world's population.Similarly, the
domain
part of a DAP should support practical domains, which already support IDNsHow can the DAP spec be changed to help mitigate these risks?
The text was updated successfully, but these errors were encountered: