Skip to content
This repository has been archived by the owner on Mar 8, 2024. It is now read-only.

Verifiable PayID structure inconsistency #704

Open
molowny opened this issue Nov 3, 2020 · 0 comments
Open

Verifiable PayID structure inconsistency #704

molowny opened this issue Nov 3, 2020 · 0 comments

Comments

@molowny
Copy link

molowny commented Nov 3, 2020

The structure of the Verifiable PayID seems to be wrong according to the current interface description at https://docs.payid.org/payid-interfaces

This is Verifiable PayID from docs (https://docs.payid.org/verifiable-payid-tutorial):

{
  "payId": "verifiabledemo$127.0.0.1",
  "addresses": [],
  "verifiedAddresses": [
    {
      "payload": "{\"payId\":\"test$example.com\",\"payIdAddress\":{\"paymentNetwork\":\"XRPL\",\"environment\":\"TESTNET\",\"addressDetailsType\":\"CryptoAddressDetails\",\"addressDetails\":{\"address\":\"rDk7FQvkQxQQNGTtfM2Fr66s7Nm3k87vdS\"}}}",
      "signatures": [
        {
          "protected": "eyJuYW1lIjoiaWRlbnRpdHlLZXkiLCJhbGciOiJFUzI1NksiLCJ0eXAiOiJKT1NFK0pTT04iLCJiNjQiOmZhbHNlLCJjcml0IjpbImI2NCIsIm5hbWUiXSwiandrIjp7ImNydiI6InNlY3AyNTZrMSIsIngiOiI2S0dtcEF6WUhWUm9qVmU5UEpfWTVyZHltQ21kTy1xaVRHem1Edl9waUlvIiwieSI6ImhxS3Vnc1g3Vjk3eFRNLThCMTBONUQxcW44MUZWMjItM1p0TURXaXZfSnciLCJrdHkiOiJFQyIsImtpZCI6Im4zNlhTc0M1TjRnNUtCVzRBWXJ5d1ZtRE1kUWNEV1BJX0RfNUR1UlNhNDAifX0",
          "signature": "rsoKeVLzwg2PpGRK0S10fpmh5WNtttF9dyJgSv3USEr4aN3bUBzp5ImRQo8wlh3E00GtZ2cse-lhoQ4zJKj0Jw"
        }
      ]
    }
  ]
}

so the payload of the verified address contains:

{
  "payId": "test$example.com",
  "payIdAddress": {
    "paymentNetwork": "XRPL",
    "environment": "TESTNET",
    "addressDetailsType": "CryptoAddressDetails",
    "addressDetails": {
        "address": "rDk7FQvkQxQQNGTtfM2Fr66s7Nm3k87vdS"
    }
  }
}

This structure doesn't exist in the specification, furthermore, it seems to be incorrect because if we POST this data to admin API and then try to GET it from public API, the test$example.com is omitted (this information isn't written to the database) and replaced with the top-level pay id verifiabledemo$127.0.0.1. And as long as, the JWS verification requires the original payload, it will be failed.

It leads to the conclusion that verifiedAddresses should be created from Address interface and signed without additional wrapping into an unknown structure.

please correct me if I'm wrong
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@molowny