<867da5ry6m.fsf@posteo.net>
Hello ERIS,

The ERIS specification has recently gone through a quick security evaluation by Radically Open Security (ROS) [1]. The report is available in the spec Git repository:

https://codeberg.org/eris/spec/raw/branch/main/ros/report_ngid-openengiadina.pdf

This was a very helpful exercise and even uncovered a quite serious security issue (as already announced by Emery [2]). On top of that we had quite a bit of fun discussing the issues with Christian from ROS.

We will be incorporating the feedback from this review into the specification in the coming weeks.

Please note that this review may NOT be considered a full audit of ERIS and neither does this review guarantee any security properties of ERIS.

The review was made possible by NLnet as a service offered to NGI0 Discovery projects (ERIS grew out of the openEngiadina [3] project, which is an NGI0 project).

Thanks to Radically Open Security for their great work and thanks to NLnet for supporting this review!

-pukkamustard

[1] https://www.radicallyopensecurity.com/
[2] https://lists.sr.ht/~pukkamustard/eris/%3C20220125202715.82bd135fc8bdbec4b2703a39%40posteo.net%3E
[3] https://openengiadina.net/