On 2025-04-28, at 09:03, Anders Rundgren <[email protected]> wrote: > >> (How do you know the extent of the data being covered by the signature?) > > Good question! In the current solution, this is defined by validation > policies set at the API level.
You need a *mechanism* for checking the signature; it is dangerous to leave that to *policy* as it is too easy for an attacker to find cracks in these policies. (Yes, “checking” the signature goes beyond mechanism where you check whether the signature *authorizes* a specific action; but I’m still talking about the *authentication* of the signature here.) Grüße, Carsten _______________________________________________ COSE mailing list -- [email protected] To unsubscribe send an email to [email protected]
