From be56990f3b7f38cbe671382d8b690524240bacb7 Mon Sep 17 00:00:00 2001 From: Christian Bormann Date: Mon, 22 Jun 2026 09:46:19 +0200 Subject: [PATCH 1/4] add security considerations on untrusted inputs --- 1.1/openid-4-verifiable-presentations-1_1.md | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/1.1/openid-4-verifiable-presentations-1_1.md b/1.1/openid-4-verifiable-presentations-1_1.md index 198af1b2..4be77552 100644 --- a/1.1/openid-4-verifiable-presentations-1_1.md +++ b/1.1/openid-4-verifiable-presentations-1_1.md @@ -1832,7 +1832,7 @@ While breaking changes to the specifications referenced in this specification ar The security properties of the OpenID for Verifiable Credentials family of specifications have been formally analyzed, see [@secanalysis.openid4vc]. -## Preventing Replay of Verifiable Presentations {#preventing-replay} +## Preventing Replay of Verifiable Presentations {#preventing-replay} An attacker could try to inject Presentations obtained from (for example) a previous Authorization Response into another Authorization Response, thus impersonating the End-User that originally presented the respective Verifiable Presentation. Holder Binding aims to prevent such attacks. 
@@ -1983,6 +1983,16 @@ these constraints. The Wallet is not controlled by the Verifier and the Verifier MUST perform its own security checks on the returned Credentials and Presentations. +## Parsing of untrusted inputs + +Wallets MUST treat all incoming requests as untrusted input. To mitigate injection and resource exhaustion attacks, Wallets MUST implement input validation on the Authorization Request and its enclosed DCQL query. + +Wallets SHOULD run the following checks: + +* Enforce Schema Validation: Verify that the DCQL query conforms to the expected JSON schema and contains no unknown or malformed properties. + +* Apply Resource Limits: Enforce maximum length restrictions on strings, maximum depths for nested objects, and maximum item counts for arrays within the query. + # Privacy Considerations {#privacy-considerations} Many privacy considerations are specific to the Credential format and associated proof type used in a particular Presentation. From be6548fd5ee479dbc326bcf864910afb6485677b Mon Sep 17 00:00:00 2001 From: Christian Bormann Date: Mon, 22 Jun 2026 09:47:33 +0200 Subject: [PATCH 2/4] add document history entry --- 1.1/openid-4-verifiable-presentations-1_1.md | 1 + 1 file changed, 1 insertion(+) diff --git a/1.1/openid-4-verifiable-presentations-1_1.md b/1.1/openid-4-verifiable-presentations-1_1.md index 4be77552..6d17c8a0 100644 --- a/1.1/openid-4-verifiable-presentations-1_1.md +++ b/1.1/openid-4-verifiable-presentations-1_1.md @@ -3675,3 +3675,4 @@ The technology described in this specification was made available from contribut * Clarified that Multi-RP-sig section means Verifier Info instead of attestations * Updated origin examples to remove trailing slash * Clarified that request_uri_method is a case-sensitive string + * add seecurity considerations on untrusted input From 59f456aac692d10c0592bde5f776be169179e9a9 Mon Sep 17 00:00:00 2001 
From: Christian Bormann Date: Mon, 22 Jun 2026 09:50:16 +0200 Subject: [PATCH 3/4] improve language --- 1.1/openid-4-verifiable-presentations-1_1.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/1.1/openid-4-verifiable-presentations-1_1.md b/1.1/openid-4-verifiable-presentations-1_1.md index 6d17c8a0..29ab2f7f 100644 --- a/1.1/openid-4-verifiable-presentations-1_1.md +++ b/1.1/openid-4-verifiable-presentations-1_1.md @@ -1987,7 +1987,7 @@ Presentations. Wallets MUST treat all incoming requests as untrusted input. To mitigate injection and resource exhaustion attacks, Wallets MUST implement input validation on the Authorization Request and its enclosed DCQL query. -Wallets SHOULD run the following checks: +Wallets SHOULD implement the following steps: * Enforce Schema Validation: Verify that the DCQL query conforms to the expected JSON schema and contains no unknown or malformed properties. From 6d8665546f79f8e2746926484e12ea31a219f43d Mon Sep 17 00:00:00 2001 From: Christian Bormann Date: Wed, 24 Jun 2026 00:18:37 +0200 Subject: [PATCH 4/4] Apply suggestion from @c2bo --- 1.1/openid-4-verifiable-presentations-1_1.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/1.1/openid-4-verifiable-presentations-1_1.md b/1.1/openid-4-verifiable-presentations-1_1.md index 29ab2f7f..d89d1861 100644 --- a/1.1/openid-4-verifiable-presentations-1_1.md +++ b/1.1/openid-4-verifiable-presentations-1_1.md 
@@ -1989,7 +1989,7 @@ Wallets MUST treat all incoming requests as untrusted input. To mitigate injecti Wallets SHOULD implement the following steps: -* Enforce Schema Validation: Verify that the DCQL query conforms to the expected JSON schema and contains no unknown or malformed properties. +* Enforce Schema Validation: Verify that the Authorization Request and DCQL query contain no malformed properties. Unknown parameters MUST be ignored. * Apply Resource Limits: Enforce maximum length restrictions on strings, maximum depths for nested objects, and maximum item counts for arrays within the query.
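Review bot: The first hunk of PATCH 1/4 (@@ -1832) changes only whitespace on the `## Preventing Replay of Verifiable Presentations {#preventing-replay}` heading, which is unrelated to the stated subject "add security considerations on untrusted inputs"; either drop it from this series or mention the trailing-whitespace cleanup in the commit message so reviewers do not mistake it for an anchor rename.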
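Review bot: The new `## Parsing of untrusted inputs` heading in the second hunk of PATCH 1/4 (@@ -1983) has no explicit anchor, unlike the neighbouring `{#preventing-replay}` and `{#privacy-considerations}` headings; add one (for example `{#parsing-untrusted-inputs}`) so the section can be cross-referenced. The "Enforce Schema Validation" bullet also requires that the DCQL query "contains no unknown or malformed properties", which would make Wallets reject legitimately extended queries; limit the check to malformed values and state that unknown members are ignored (as PATCH 4/4 later does). The "Apply Resource Limits" bullet gives no guidance on where the limits apply; saying that string-length, nesting-depth and array-size limits are enforced on the whole Authorization Request before full parsing, not only "within the query", would make the resource-exhaustion mitigation actionable.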
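Review bot: The document-history entry added in PATCH 2/4 (@@ -3675) has a typo, "seecurity" should be "security", and its lower-case "add" breaks the capitalized past-tense style of the surrounding entries ("Clarified ...", "Updated ..."); suggest `* Added security considerations on untrusted input`.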
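Review bot: In PATCH 3/4 (@@ -1987) "the following steps" suggests an ordered sequence, but the two bullets are independent checks, so the original "checks" (or "measures") reads more accurately. More importantly, the lead sentence says Wallets "MUST implement input validation" while the only concrete checks are introduced with SHOULD, which leaves the MUST with no testable content; either raise the two bullets to MUST or state in the lead sentence what the mandatory minimum validation is.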
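Review bot: In PATCH 4/4 (@@ -1989) the reworded bullet is still titled "Enforce Schema Validation" although its text no longer mentions a schema, and it nests "Unknown parameters MUST be ignored" inside a list introduced by SHOULD, which muddles the normative level. Suggest moving the MUST-level rule on ignoring unknown parameters into the lead paragraph as its own sentence and renaming the bullet, e.g. `* Validate Structure: Verify that the Authorization Request and DCQL query contain no malformed properties.`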