Can BPN validation be bypassed?

[SebastianOpriel]

Describe the bug

I would like to know if BPN validation can be bypassed if Catena-X portal does not check Connector URLs of onboarded connectors (need to admit, not being too deep into BPN details yet). Thus, how this risk is mitigated currently?

Potential vector

1. You will need a BPN of a connector, which you want to mimic referred to "BPN_OF_INTEREST".
2. Create a connector for URL https://{{BPN_OF_INTEREST}}.yourdomain.com/[...]/OWN_BPN
3. Register connector in CX portal
4. Try to negotiate a contract with a data offering which has BPN validation active

Expected behavior

Not being able to negotiate a contract

Possible Implementation to mitigate risk

use endswith instead of contains

[paullatzelsperger]

FYI I converted this to a discussion. Also, the BPN validation received a significant overhaul with the introduction of SSI and VerifiableCredentials in version 0.5.x.

[jimmarino]

In the old release, someone would have to circumvent portal security and register a false connector.

With release 0.5.x, this is not possible unless someone obtains the connector`s summary credential.

[stephanbcbauer]

@SebastianOpriel did the answers help? Were you already able to test it again?