Comments (4)
In Section 4.2, the discussion of token says:
The TAM MUST expire the token value after receiving the first response from the device and ignore any subsequent messages that have the same token value.
Should this say the first response that has a valid signature? Otherwise, we are creating an opportunity for an attacker to quickly respond with a matching token but otherwise garbage. Then a legitimate responder will be ignored.
Section 6.1 second paragraph says to drop the message if it is not valid according to the rules in 4.1.2. Section 4.1.2 explains that the TEEP message fields are only looked at in step 6, so by the time you get to the text in section 4.2 you've already passed steps 1-5, so you get the meaning you stated.
from teep-protocol.
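The race the comment above describes, as an added example that is not code from the teep-protocol draft or its repository. It models a TAM's pending-token table two ways: one that expires the token on the first response received, and one that expires it only on the first response whose signature verifies. The COSE signature the draft uses is replaced here by an HMAC tag over the token and message body, and the key, token length and message bodies are constructed for the example (all assumptions, not values from the draft).

```python
"""
Added example, not code from the teep-protocol draft or repository.

Compares two TAM-side token policies under the race described in the
comment: an on-path attacker replies first with the correct token but a
garbage signature, then the legitimate agent's signed response arrives.
Signature verification is modelled with an HMAC tag (assumption: a
stand-in for the COSE signature check the draft actually performs).
"""
import hashlib
import hmac
import secrets

# Constructed test key; stands in for the agent's signing key.
AGENT_KEY = b"constructed-agent-key"


def sign(key: bytes, token: bytes, body: bytes) -> bytes:
    """Stand-in for the agent's signature over a response."""
    return hmac.new(key, token + body, hashlib.sha256).digest()


class NaiveTAM:
    """Expires the token on the first response received, valid or not."""

    def __init__(self, key: bytes):
        self.key = key
        self.pending: set[bytes] = set()

    def send_query(self) -> bytes:
        """Issue a fresh token for a QueryRequest and remember it."""
        token = secrets.token_bytes(8)  # token size is an assumption
        self.pending.add(token)
        return token

    def receive(self, token: bytes, body: bytes, sig: bytes) -> str:
        if token not in self.pending:
            return "ignored: unknown or expired token"
        # Token is consumed by whatever arrives first, even garbage.
        self.pending.discard(token)
        if not hmac.compare_digest(sig, sign(self.key, token, body)):
            return "dropped: bad signature"
        return "accepted"


class CheckedTAM(NaiveTAM):
    """Expires the token only on the first response whose signature verifies."""

    def receive(self, token: bytes, body: bytes, sig: bytes) -> str:
        if token not in self.pending:
            return "ignored: unknown or expired token"
        if not hmac.compare_digest(sig, sign(self.key, token, body)):
            # Token stays pending: a forged response cannot burn it.
            return "dropped: bad signature"
        self.pending.discard(token)
        return "accepted"


def run_race(tam_cls) -> tuple[str, str, str]:
    """Attacker first, legitimate agent second, replay third."""
    tam = tam_cls(AGENT_KEY)
    token = tam.send_query()
    # 1. Attacker races in with the matching token and a garbage signature.
    r1 = tam.receive(token, b"garbage", b"\x00" * 32)
    # 2. Legitimate agent's properly signed QueryResponse (constructed body).
    body = b"QueryResponse"
    r2 = tam.receive(token, body, sign(AGENT_KEY, token, body))
    # 3. Replay of the legitimate response must be ignored under both policies.
    r3 = tam.receive(token, body, sign(AGENT_KEY, token, body))
    return r1, r2, r3


if __name__ == "__main__":
    print("naive:  ", run_race(NaiveTAM))
    print("checked:", run_race(CheckedTAM))
```

Under the naive policy the legitimate response is ignored because the attacker's garbage already consumed the token; under the checked policy the garbage is dropped, the real response is accepted, and the replay is still rejected, which is the reading of Section 4.2 the reply above arrives at via the validation steps in Section 4.1.2.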
Russ Housley wrote:
In Section 7, I think that future ciphersuites should allow MAC algorithms other than HMAC, such as GMAC.
Do you believe any text change is needed?
sure, just change "HMAC" to "MAC"
The last comment remaining is:
In Section 9, please say whether future registrations will allow integrity-without-confidentiality ciphersuites. Let's settle this now instead of dumping on the IANA Expert.
This was discussed at IETF 110 where the minutes conclude:
Dave T: if thereʼs a use case that doesnʼt require confidentiality, we could allow IANA expert the latitude to decide.
Nancy: Intent of the UCCS draft was to address EAT tokens/claims that do not require confidentiality
Brendan: If integrity-only is to be allowed, it probably needs an entry in the security considerations detailing how much it exposes personal information.
Dave T: propose to update draft to allow for ability to not have confidentiality, but include in the security considerations the use cases where it is appropriate or perhaps state examples where this should not be allowed
Fixed in draft-06