
Comment by fer

10 days ago

> You can just query a wallet for that attribute, store it and replay it to some other website.

Uh, replay attacks are a solved problem in pretty much any industry standard challenge-response authentication, including OpenID. Am I missing something?

Doesn't this system have more privacy constraints? E.g. the website you're visiting shouldn't be able to learn anything about your identity beyond the attribute (above 18), and the identity provider shouldn't know anything about which website you're visiting.

It does seem like people tried very hard to make it privacy preserving.

You're missing the part where I describe the mechanism used to prevent replays; I'm just describing why it is necessary.
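As an added illustration that is not part of this thread, here is a minimal challenge-response check of the kind fer refers to, written for this page rather than taken from any real wallet or OpenID implementation. Each website issues a fresh single-use nonce, the wallet answers with a presentation that carries only the requested attribute bound to that site's origin and nonce, and the site rejects anything replayed elsewhere, replayed twice, expired, or altered. The site names, the HMAC key and the `over_18` attribute are constructed; the shared HMAC tag is a stand-in for a real credential signature so the example runs on the standard library alone. It shows the "website learns only the attribute" side of the privacy constraint, but does not model how the identity provider is kept from learning which site is being visited.

```python
from __future__ import annotations

import hashlib
import hmac
import json
import secrets
import time

# Constructed toy key: one HMAC key shared by the wallet and every relying site
# stands in for a real credential signature so the example needs no extra
# libraries. This is an assumption for illustration, not a real design.
TOY_CREDENTIAL_KEY = b"constructed-toy-key-do-not-use"

NONCE_TTL_SECONDS = 60


def _sign(payload: dict) -> str:
    # Canonical JSON so the same payload always produces the same tag.
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(TOY_CREDENTIAL_KEY, body, hashlib.sha256).hexdigest()


def wallet_present(challenge: dict, attribute: dict) -> dict:
    """Wallet side: answer a site's challenge with a presentation that carries
    only the requested attribute, bound to that site's origin and fresh nonce."""
    payload = {
        "attr": attribute,            # e.g. {"over_18": True}; no name, no identifier
        "aud": challenge["aud"],      # which site this answer is for
        "nonce": challenge["nonce"],  # which challenge it answers
    }
    return {"payload": payload, "tag": _sign(payload)}


class RelyingSite:
    """Verifier side for one website: issues single-use nonces and checks answers."""

    def __init__(self, origin: str):
        self.origin = origin
        self._pending: dict[str, float] = {}  # nonce -> expiry time

    def challenge(self, now: float | None = None) -> dict:
        if now is None:
            now = time.time()
        nonce = secrets.token_hex(16)
        self._pending[nonce] = now + NONCE_TTL_SECONDS
        return {"aud": self.origin, "nonce": nonce}

    def verify(self, presentation: dict, now: float | None = None) -> tuple[bool, str]:
        if now is None:
            now = time.time()
        payload = presentation.get("payload", {})
        # 1. Integrity: the attribute and its bindings were not altered in transit.
        if not hmac.compare_digest(_sign(payload), presentation.get("tag", "")):
            return False, "bad tag"
        # 2. Audience: an answer made for another site is rejected here.
        if payload.get("aud") != self.origin:
            return False, "audience mismatch"
        # 3. Freshness: the nonce must be one we issued, unexpired and never used.
        expiry = self._pending.pop(payload.get("nonce"), None)
        if expiry is None:
            return False, "unknown or already used nonce"
        if now > expiry:
            return False, "nonce expired"
        return True, "ok"


def demo() -> dict[str, tuple[bool, str]]:
    """Run the honest flow plus the replay, expiry and tampering cases."""
    site_a = RelyingSite("https://a.example")   # constructed origin
    site_b = RelyingSite("https://b.example")   # constructed origin
    adult = {"over_18": True}

    pres = wallet_present(site_a.challenge(now=1000.0), adult)
    results = {
        "first use at a": site_a.verify(pres, now=1001.0),
        "replay to b": site_b.verify(pres, now=1002.0),   # captured and sent elsewhere
        "replay to a": site_a.verify(pres, now=1003.0),   # sent to the same site again
    }

    stale = wallet_present(site_b.challenge(now=1000.0), adult)
    results["stale at b"] = site_b.verify(stale, now=1000.0 + NONCE_TTL_SECONDS + 1)

    minor = wallet_present(site_a.challenge(now=2000.0), {"over_18": False})
    minor["payload"]["attr"]["over_18"] = True   # attribute flipped after signing
    results["tampered"] = site_a.verify(minor, now=2001.0)
    return results


if __name__ == "__main__":
    for case, (ok, reason) in demo().items():
        print(f"{case:16} -> {'accepted' if ok else 'rejected'} ({reason})")
```

The nonce is consumed on first verification regardless of outcome, so a presentation can never be accepted twice, and the audience check is what stops the "store it and replay it to some other website" case from the quoted comment even if the second site were to skip nonce tracking.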