Comments (6)
Given the growing range of use cases for EAT, the alternative to manufacturer-provisioned keys may not just be ephemeral keys, but could be keys obtained via an enrollment operation into some service and securely stored, e.g. for anonymization reasons or to reflect a set of claims relevant to some service interaction. Agree that the simplest solution here may be to just drop this sentence, but consider also whether the rest of the paragraph, starting "In all operating models, the manufacturer provisions some secret attestation key material...", needs revising. I like the idea of a separate security section which could discuss the trust alternatives for the signing key.
from eat.
A stronger definition of what is meant by 'ephemeral' may be required. This relates to Issue 24.
Pretty sure the resolution here is to remove most of the operational and architectural model text so EAT is just claims definitions like CWT and JWT.
Discussion of key material can go in other documents or profiles.
That would be an ideal resolution.
This can be closed because this will go into the architecture document and profiles.
Fixed in #129