Comments (7)
Verifier policies ultimately determine which claims matter and how to respond appropriately. Saying "all claims are optional" is different from saying "all claims not understood by implementations MUST be ignored". The latter potentially contradicts verifier policy that may NOT wish to process unknown claims, as these may have obligatory requirements to protect confidentiality or integrity.
Definition of Verifier policies may be out of scope for RATS, though it should be anticipated that Verifiers have them.
The intent of proposing the use of a referenced profile in draft-tschofenig-rats-psa-token is that it would be a description of the rules applied by the attesting implementation to the production of the EAT. A verifier would use this document to understand how to implement sufficient verification. The document would normally be human readable rather than machine readable, though the latter case is not eliminated.
The profile will contain a full description of the standard claims and custom claims included, their usage (incl. optionality), expected token signing, and any verification specifics, e.g. token structure such as submod usage.
CWT text seems pretty good:
    Specific applications of CWTs will require implementations to understand and process some claims in particular ways. However, in the absence of such requirements, all claims that are not understood by implementations MUST be ignored.
I agree that the CWT text makes sense.
In trying to answer your queries posed in the initial Issue it seems to raise the question of whether there should be a mechanism for an implementation to declare the exact nature of its operation. What I probably should have added to my comment above is the suggestion that EAT should include a standard claim for 'profile' which would support such a mechanism. Previously that seemed supplementary to this specific issue but I'm not sure by what other form of submission you would like that proposal?
We can close this because there is consensus that the CWT and JWT text for optionality is fine and because there is a separate issue for profiles, #32
#121 is needed to address this. The CWT wording is short but critically addresses Ned's point above.
Fixed by #121
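A worked illustration of the two positions in this thread: the CWT default ("process the claims you know, ignore the rest") beside a Verifier policy, selected by a profile claim, that does not tolerate unknown claims. This is an added example, not code from the EAT draft or this repository. It assumes the token's signature has already been verified and the CBOR payload decoded into a Python dict keyed by integer claim keys; the claim keys used for nonce and profile, the profile identifier string, and the profile registry are assumptions made for the example, not registered values.

```python
"""Claim-handling policy for a decoded CWT/EAT claims set (added example).

Assumes the token was already signature-checked and CBOR-decoded into a dict
of integer claim key -> value. The NONCE and PROFILE keys, the profile
identifier and the PROFILES registry are hypothetical.
"""
from dataclasses import dataclass, field
from typing import Optional

# Registered CWT claim keys from RFC 8392.
ISS, SUB, AUD, EXP, NBF, IAT, CTI = 1, 2, 3, 4, 5, 6, 7

# Hypothetical private-use keys for an EAT nonce and a 'profile' claim.
NONCE = -75000
PROFILE = -75001


@dataclass
class Policy:
    """What the Verifier requires of a token, beyond the CWT default."""
    required: set = field(default_factory=set)   # claim keys that must be present
    known: set = field(default_factory=set)      # claim keys the Verifier can process
    reject_unknown: bool = False                 # True: any other claim is an error


# Default CWT behaviour (RFC 8392, section 3): nothing is required,
# claims the Verifier does not understand are ignored.
CWT_DEFAULT = Policy(
    required=set(),
    known={ISS, SUB, AUD, EXP, NBF, IAT, CTI},
    reject_unknown=False,
)

# Hypothetical profile registry: the policy a Verifier applies to tokens
# that declare a given profile. This profile forbids unknown claims, which
# is the case the thread says the bare CWT text cannot express.
PROFILES = {
    "urn:example:strict-attestation-1": Policy(
        required={ISS, IAT, NONCE, PROFILE},
        known={ISS, SUB, AUD, EXP, NBF, IAT, CTI, NONCE, PROFILE},
        reject_unknown=True,
    ),
}


def select_policy(claims: dict) -> Policy:
    """Use the token's profile policy if the Verifier knows it, else the CWT default."""
    return PROFILES.get(claims.get(PROFILE), CWT_DEFAULT)


def evaluate(claims: dict, policy: Optional[Policy] = None,
             now: Optional[int] = None) -> tuple:
    """Return (accepted, reasons). Only claims in policy.known are processed."""
    policy = policy or select_policy(claims)
    reasons = []

    missing = policy.required - set(claims)
    if missing:
        reasons.append(f"missing required claims: {sorted(missing)}")

    unknown = set(claims) - policy.known
    if unknown and policy.reject_unknown:
        reasons.append(f"unknown claims present and profile forbids them: {sorted(unknown)}")
    # Under a permissive policy, unknown claims are silently ignored (RFC 8392).

    # Processing of known time claims, only when the caller supplies a clock.
    if now is not None:
        if EXP in claims and EXP in policy.known and now >= claims[EXP]:
            reasons.append("token expired")
        if NBF in claims and NBF in policy.known and now < claims[NBF]:
            reasons.append("token not yet valid")

    return (not reasons, reasons)


# Constructed sample claims sets (not real tokens). Key 999 is an
# unregistered claim this Verifier does not understand.
TOKEN_PLAIN = {ISS: "attester-01", IAT: 1700000000, EXP: 1700003600, 999: b"\x01\x02"}
TOKEN_PROFILED = {
    ISS: "attester-01",
    IAT: 1700000000,
    NONCE: bytes(range(8)),
    PROFILE: "urn:example:strict-attestation-1",
    999: b"\x01\x02",
}

if __name__ == "__main__":
    print("plain, CWT default:", evaluate(TOKEN_PLAIN, now=1700000100))
    print("profiled, strict profile:", evaluate(TOKEN_PROFILED))
```

The same unknown claim (key 999) is harmless under the CWT default and a rejection reason under the strict profile; the profile claim is what lets the Verifier know which rule the Attester expected it to apply.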