Description
When a responder receives a RecipientRequest with non-nil RecipientData, implement strict ownership verification by checking not just that the identity exists in the wallet, but that the wallet possesses the private key material by attempting to retrieve the signer. Never return the requester-supplied RecipientData object directly. Instead, fetch authentic audit info and metadata from the wallet's identity provider and reconstruct a fresh RecipientData object with verified fields. Validate that the TMSID matches expected configuration and reject requests for unauthorized TMS instances. If supplied fields don't match locally stored values or ownership cannot be proven, reject the request immediately. This prevents attackers from forcing responders to claim ownership of identities they don't control.
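The responder-side check described above, as an added Go example that is not the token SDK's own code: the `TMSID`, `RecipientData`, `RecipientRequest` and `Wallet` types, the `VerifyRecipient` function and the constructed wallet contents are assumptions made for illustration, with "has a signer" modelled as a lookup in `Wallet.Signers`.

```go
package main

import (
	"bytes"
	"errors"
)

// Hypothetical stand-ins for the token SDK's types; field names are assumptions.
type (
	TMSID            struct{ Network, Channel, Namespace string }
	RecipientData    struct{ Identity, AuditInfo []byte; Metadata map[string][]byte }
	RecipientRequest struct{ TMSID TMSID; RecipientData *RecipientData }
	// Wallet: constructed stand-in for the responder's wallet. Keys of AuditInfo
	// are the known identities; Signers marks those with private key material.
	Wallet struct {
		Signers   map[string]bool
		AuditInfo map[string][]byte
		Metadata  map[string]map[string][]byte
	}
)

var ErrRejected = errors.New("recipient request rejected")

// VerifyRecipient applies the checks above: TMSID pinned to local config, ownership
// proven by a signer lookup (not mere presence), result rebuilt from wallet values.
func VerifyRecipient(w *Wallet, expected TMSID, req *RecipientRequest) (*RecipientData, error) {
	if req == nil || req.RecipientData == nil || req.TMSID != expected {
		return nil, ErrRejected
	}
	rd, id := req.RecipientData, string(req.RecipientData.Identity)
	audit, known := w.AuditInfo[id]
	if !known || !w.Signers[id] { // present but unsignable is still a rejection
		return nil, ErrRejected
	}
	if len(rd.AuditInfo) > 0 && !bytes.Equal(rd.AuditInfo, audit) {
		return nil, ErrRejected
	}
	for k, v := range rd.Metadata { // every supplied field must match ours
		if local, ok := w.Metadata[id][k]; !ok || !bytes.Equal(local, v) {
			return nil, ErrRejected
		}
	}
	fresh := &RecipientData{Identity: []byte(id), AuditInfo: append([]byte(nil), audit...), Metadata: map[string][]byte{}}
	for k, v := range w.Metadata[id] {
		fresh.Metadata[k] = append([]byte(nil), v...)
	}
	return fresh, nil
}
```

The returned object is always a new allocation filled from the wallet, so a caller can never end up forwarding the requester's own `RecipientData`.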