[Rats] Re: [EXTERNAL] Re: Re: Freshness with Nonces

Mike Ounsworth <Mike.Ounsworth@entrust.com> Wed, 19 June 2024 14:09 UTC

Return-Path: <Mike.Ounsworth@entrust.com>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C9AEFC14F696; Wed, 19 Jun 2024 07:09:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.504
X-Spam-Level:
X-Spam-Status: No, score=-1.504 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001, URI_NOVOWEL=0.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=entrust.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rKjPJIG_9h-a; Wed, 19 Jun 2024 07:09:55 -0700 (PDT)
Received: from mx08-0015a003.pphosted.com (mx08-0015a003.pphosted.com [185.183.30.227]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 23314C14F60D; Wed, 19 Jun 2024 07:09:54 -0700 (PDT)
Received: from pps.filterd (m0242863.ppops.net [127.0.0.1]) by mx08-0015a003.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id 45JAdxQI022138; Wed, 19 Jun 2024 09:09:53 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=entrust.com; h= cc:content-type:date:from:in-reply-to:message-id:mime-version :references:subject:to; s=mail1; bh=CCn1PU9kGHPlX2QSFfdzoIsN3mX/ WORJScU7HRn2250=; b=Q7wIUQ1FUXiTGkHbzcxQBy/Oy5pSWPwBJQhU7T2gxtpN WnKTDGn6ZNxqILWCjhpdxrOZpXlWzyCR02M/TO7mneFBvVjTs3yCazb7MD5hJiwO QdKbho5ilFp45ie1VgZpHQb2ZtLsWMa5vB74O3QUTFZei7BcOl1YCfoNr3tWYrer FiacCOHAWB3hw1paWPDoCweZAWFrM7uAQ16O+/reAGaz9QpsOP/HsCYJ7IAu8S3v 7vg6Iyiy4AdYm6rSeqbKZo3YjBJJCrocIexBY7pTJbGfQmbRCaNhsp4RVYXUa5+H ApvpQc61yEvRFMyz/+QdsCQ++Y2ecW6B4QRsSEuiog==
Received: from nam12-bn8-obe.outbound.protection.outlook.com (mail-bn8nam12lp2171.outbound.protection.outlook.com [104.47.55.171]) by mx08-0015a003.pphosted.com (PPS) with ESMTPS id 3yuja1cega-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 19 Jun 2024 09:09:52 -0500 (CDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=MjOAXId9P+O+tb0IPfuR8eQNjlqeONW07kxgH+7Qij6CXyngUULy4w64e9lPtKUcwqO0139mCwnl96pyKU+WzU5hWsEfrWNpNKjOD5R08kVHkjRVR7jat+/qwVFYZQsAbzrvd1pf2R07gVoGF1NAn9eCWf3fDXHkU/nTebe37tY1Kt75O90Agc6qAwC9luGLphkL6szAYD4z85jvNBJ6aBpRSb0cLyYOQHX4aodVYS06j3UqdPkPxUCsBTWcAgT6RYPISxBAgjQy9eOJnTArQvKz/WFA3TmKcIQU++N6CD8D4paRzLRsUg8INQQt+icSY0lAo154aBGc3vAyKVvQ4w==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=XgIhV5Z6TR/hcgEWEOASmwdCO7bKQ03zDAQBnZ6eW4Q=; b=XpZl53x3SXLf+Iy/oH8CuznpJW6K3txk7a0lPG4rWmNiPufpR8qNHvjpAjxBkJMCflvFV9hpVUIrcpGPlD5GpmODZ5GPfRAOf+i4CKt0etwcjduRXUatiQP88vvQMZUPQJ1LAuOsgAsN7mc0J9/RAQ5DD+QZ+2wqqlSWbrSSMeB4xEkXSpRcesRka8OecB1DF1vby4yJxi/lccvHUzS/QLFw8izwzksaqV6708KqxH8Hx7v6uCMNytzZZJzBXzpgn8PjyfDPmZdvXGWHRl/dv76tbRcD02hC378s0NU7zCsjfCcKVFwKX6/N2zYhPzKYxQUQLoThjrMEwxF16ogNmg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=entrust.com; dmarc=pass action=none header.from=entrust.com; dkim=pass header.d=entrust.com; arc=none
Received: from CH0PR11MB5739.namprd11.prod.outlook.com (2603:10b6:610:100::20) by CO1PR11MB5185.namprd11.prod.outlook.com (2603:10b6:303:6e::11) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7698.19; Wed, 19 Jun 2024 14:09:48 +0000
Received: from CH0PR11MB5739.namprd11.prod.outlook.com ([fe80::b93d:b2d:3ad8:9702]) by CH0PR11MB5739.namprd11.prod.outlook.com ([fe80::b93d:b2d:3ad8:9702%4]) with mapi id 15.20.7698.017; Wed, 19 Jun 2024 14:09:48 +0000
From: Mike Ounsworth <Mike.Ounsworth@entrust.com>
To: Orie Steele <orie@transmute.industries>
Thread-Topic: [Rats] Re: [EXTERNAL] Re: Re: Freshness with Nonces
Thread-Index: AQHawlHXYB7HhsbXRUGqaVVXQv8GUbHPH02w
Date: Wed, 19 Jun 2024 14:09:48 +0000
Message-ID: <CH0PR11MB573961958439997EE9D0A22A9FCF2@CH0PR11MB5739.namprd11.prod.outlook.com>
References: <AS8PR10MB74275704257FDAB125BE4B31EECD2@AS8PR10MB7427.EURPRD10.PROD.OUTLOOK.COM> <CH0PR11MB573974D46A64B7892E555BA49FCE2@CH0PR11MB5739.namprd11.prod.outlook.com> <c99aee9e-8932-44a1-9b21-a76b8b75f271@tu-dresden.de> <CH0PR11MB573973434D170D888A513BB99FCF2@CH0PR11MB5739.namprd11.prod.outlook.com> <CAN8C-_LyWxr9JEowYGj2i17Qi=jazZ1hRzfbyaijFc90xmhn8A@mail.gmail.com>
In-Reply-To: <CAN8C-_LyWxr9JEowYGj2i17Qi=jazZ1hRzfbyaijFc90xmhn8A@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: CH0PR11MB5739:EE_|CO1PR11MB5185:EE_
x-ms-office365-filtering-correlation-id: 1efe2815-5ed0-498c-9698-08dc90697a9c
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;ARA:13230037|4022899006|1800799021|366013|376011|38070700015;
x-microsoft-antispam-message-info: fGzXBlpBC94gDrkDvIR2h2+LfsBbAlgsVBe0K2XCf0PcAPkuwS5y1I/e/N7fQ1iRNbYCnb5rGgNhSCfqHaMPB4o8ohY4fPeX0/RyrQ3Wzqn0YwLtbhfAHwP3FCAD7WDjqvMPgj+c6RG6sRYFlBswYUTcmOA8IZ1O0FSIgF3YwMj0pP0czwZHotmiNTvllwRQcS68pl8kY4Bf5tzSh9ZRomVTV4dXeO9+Zpv3WwN3wUy0abBeVLxQq5p/k2Nih8XDHkT5+BambwhntvbwFYPkaztNdPMFX9Ne+GiOHEb+FvL37kPzxVcDNwo/pZPCMiwwK8woWNTbPjXTR6BSsbf70Z/Y7rwzYxKua1rQHQdBLuZttjHHN0auJA9lsD/D9sGLz5AdI2w0AQ2vIdVWCx+bNNxtfw+bYthNav0o3acQNV9FCxWJ3BuGz0goEW0PYLtgBrUkzHMckrKsoVCACctM6//F9p4cChm9oFwdN1JB/sv3PTN+KYR0I7pzL9Wma/h62+g6MIJtK9a/LMBqDn0i/TXEpCQ9pwaNYPUVeqZfti1bXQt+DiBuMmg5Ul+tabqRIkBdca6ilJ/1CNiOzcLU5vxNgobEZSGLUOYYBJaCqNrmHqdk3+jzI1EVctA3ahr40LFynahSiE6AB6QUez3lKPaNkxuKgP+DPygIeu4RcTgF670/1QsZARZgZRf1Z3g8L+CeS951gg6DVLtD4dbp2uh7pi+g0sesSrZ3jcfUAzO+IWBHD2HsyYfMRBV0h/0xs7V7IcrRw6u6uuyYO7mbyLyhqgYNMs0Nve5MT52byxXIknLWkLidqzWOu3/DwHktK67Fb9CoIRVy7t0HbSmkJSjrk5K73qJ7ToWh4nEuGpYQw3MiBVRzljXRfoqGeK3T+Mh1qSefylpNatK7CipDxaoiuGXmslFnEmpxF83rQy+jBD4elr04Tg+K/5rgLUy7gpYHk5X5mAOruSGLmEiaZvx0/FEDryVtn0SFANaA91f3tCuoifINwunLARmVG7mT5YS6/9PCgpYNzZXAfxD5h29+XrTXG3CrVSG+PJqy2g/OUb/wOzJMTzxSFJKtHF7y+TfNnWYVGA9HpKhKVH8aS60vlvfUKq6lv8qX+YlC2xNpoOwReepsZXI9RM+YLi5rI34F+hxEuVc8iPzKsHV8Dv7+06v+Imj2ZQceXwMji5ynh6Nvo3RDAr1jODgL+3TDXkd5J+XNTYgg0IN/FsEi9hB0kUPzd//uT9HF1XZzYM/9eg+/z3dbFvwkljDgKnNj7JDLR3PUOsG/m8xtB9zHsX8QBzfgZakUWLDVWvnvQWR3PLjg//RtedSFPfBgDraI
x-forefront-antispam-report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:CH0PR11MB5739.namprd11.prod.outlook.com;PTR:;CAT:NONE;SFS:(13230037)(4022899006)(1800799021)(366013)(376011)(38070700015);DIR:OUT;SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: hFp3j33xN5dH1LcgngaYiJ7Gt4FcyS6OCQRmOgiBta/MBsL8hxOClrnok4RtHYsc0nW7zlIUQtvw667/TfcxKVOpdedR5JiYBfM0tyH5F0xxZCE26AaLvTmSzjKmCIbR4WiMLEWNny4yLNOuht+TGFpbh97Gk9iCOpAXOuNvv+4NHA06onrUcI0Oq2sliGqs4OuTiofFrkTwtOoLKcvA0IrU061JhUhBLGtVf2qtLt5yYO60qXvnDlR3hNnWGTAzGfsVd8VPvVOlv8EzQ+XrdoDFwyHkQ0nYLBJ9Souriwcs0xG0995YItbcmgJjfLiRh9M5zJCdRpk8F7m2r8jJ43uF+RsgPrY5tPdjTglsQWysr6wWDf4KzlHyRnXh873V/NDl33dXCEecfR92XlvV1kLR5TMttnvTLhCieIgZFgCjeV0GoZUOnGSv+mOFf3GIHCJP8kLJxKT5jfG01dxM1mKU7adRqAWj6GoQHzrV4VyDSIA6ZKD0hB6G+3jnEi0hEfsaKiE+MqRr96dXH2be5Gs7j9mHi8MQTPjjnHgYTuyxOWG+tSPCIPCIs7MNpKjOgFK4podvBUM20dfUUqqglwZBqtaDPDm+O3IlsETFhOk7w9WKjzvP7zd2zzlb2WCu6alVvr4Y92OPepGJojGSHRDdMWjVV6fPUmvk8QEY6IvKm18kuMEhn1Z2BBzarz6jSO1hEU53jWSDmLO6z4fLrpmj8tOfdc6gphT80nsP0e6SCA1+ByIcewvDgUVzyfxaGbSuvxD7yFp8IxbmrBWhPyS5oy9M9iaNnWCP3TGHYUr1iOWXZxkl2kGIBMUikmwAOqS5QdFNMCobAzW4ChYjt62lpOw2BUkkjEJ/6pt4URIizNUQfSFPaR534eM1FLjk1HVrxcFqU2PGxg5jiaUKGJUCr2ZGoxT5EyiWBjfLXEcQgJhYazvySHdC3MJvL/0CQ1AJIbtbBji7JlRHrQeRPSzld6k30Z+QmD8zkuPTPJODCgcmRTZq9D6WLw7+Lp6GbnymrX09h7qrABeal6DOS+kcbabt38QX3sMcU1uxo0kluUZeJZjCGoc58XLEKrpk0talzF6jWxD0KT9PWMlpK+FEjyjmLH+xFbY4iak4JDdQJ+0vMeb5VADoMTThuwppAxfaZS76sARx0GJOGBSvCAewaXEiAW/3b7rtJvz+ROBgzAAOvZSp/QrpLEBsGfdOXOHQpAoJJ07Ogv3PA0NpFIhzG+2aakPuBVDU41PHA9Sg5+2nVbOSTUAhuLkeDLOfNTMiFB6HJ2ngK6cTnLSba7IbJO1O2Qw1y8cDkhLIL2N9TvUkNVoYAdQ8D6Z1pAY7PR3i7O9v593zCDlQK+ikmLOQcASe2IILXZVSvjfU6vgRJwsOh32czROEq1L9S8aWbq7JBEI65MLmjFvZ07lvgw8gewCQOzomJgTdYSIp89AR9eX3Q3u1bcbPdX5S21t0o8WsiENaRgSlUqpg4dOGZW8MbByjxwhZcW34NsHGrLO1ZqMtZQA5Thj2BK0zcZhg7fPtDCvoCzGGSFwjydji+v6wdXTjiiIMUcQptosRqmrlL02u/qhE7Ou/EcxwbulQ
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="2.16.840.1.101.3.4.2.1"; boundary="----=_NextPart_000_00AD_01DAC228.6E8066C0"
MIME-Version: 1.0
X-OriginatorOrg: entrust.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: CH0PR11MB5739.namprd11.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 1efe2815-5ed0-498c-9698-08dc90697a9c
X-MS-Exchange-CrossTenant-originalarrivaltime: 19 Jun 2024 14:09:48.2477 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: f46cf439-27ef-4acf-a800-15072bb7ddc1
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: 5KECJodP5Z8PFXdBBekV74zzc5FVusA54q2tJHqroXPmDAFcWuI5Sbn6NJL6NMYwjR7DO0zgDiEYJqzCLwFav62BP0QmSl4g239lVPavEcE=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CO1PR11MB5185
X-Proofpoint-ORIG-GUID: Ww8oJo9koFzZ2_q_-pHb35JgFbgDf01A
X-Proofpoint-GUID: Ww8oJo9koFzZ2_q_-pHb35JgFbgDf01A
X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1039,Hydra:6.0.680,FMLib:17.12.28.16 definitions=2024-06-19_02,2024-06-19_01,2024-05-17_01
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 bulkscore=0 mlxlogscore=999 priorityscore=1501 suspectscore=0 malwarescore=0 impostorscore=0 mlxscore=0 phishscore=0 clxscore=1015 adultscore=0 spamscore=0 lowpriorityscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.21.0-2405170001 definitions=main-2406190106
Message-ID-Hash: QUQNARFAQ4P4L4PXX66GY7NTSD5RDS2W
X-Message-ID-Hash: QUQNARFAQ4P4L4PXX66GY7NTSD5RDS2W
X-MailFrom: Mike.Ounsworth@entrust.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-rats.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: "Tschofenig, Hannes" <hannes.tschofenig@siemens.com>, "spasm@ietf.org" <spasm@ietf.org>, rats <rats@ietf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [Rats] Re: [EXTERNAL] Re: Re: Freshness with Nonces
List-Id: Remote ATtestation procedureS <rats.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/CosrjVD97zHJ9R6HqmIKsb9H3x0>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Owner: <mailto:rats-owner@ietf.org>
List-Post: <mailto:rats@ietf.org>
List-Subscribe: <mailto:rats-join@ietf.org>
List-Unsubscribe: <mailto:rats-leave@ietf.org>

Right. So OAUTH SD might be an example where the verifier does all the work, and the RP wants to be oblivious.

 

When we embed attestations within PKI, the nonce needs to be carried by the PKI protocol (ACME, CMP, whatever), and that’s clearly the domain of the RP (which is the PKI component), and not the Verifier (which is the Attestation component).

 

/shrug?

Maybe splitting hairs over “Verifier” vs “RP” in the abstract is not actually a helpful debate?

 

---

Mike Ounsworth

 

From: Orie Steele <orie@transmute.industries> 
Sent: Wednesday, June 19, 2024 9:06 AM
To: Mike Ounsworth <Mike.Ounsworth@entrust.com>
Cc: Muhammad Usama Sardar <muhammad_usama.sardar@tu-dresden.de>; Tschofenig, Hannes <hannes.tschofenig@siemens.com>; spasm@ietf.org; rats <rats@ietf.org>
Subject: Re: [Rats] Re: [EXTERNAL] Re: Re: Freshness with Nonces

 

I'm a tourist here. See this section of OAuth SD-JWT which comments on the responsibility of the "OAuth SD-JWT Verifier" when processing a "key binding token" which is associated with a "confirmation claim" 



I'm a tourist here.

See this section of OAuth SD-JWT which comments on the responsibility of the "OAuth SD-JWT Verifier" when processing a "key binding token" which is associated with a "confirmation claim" in a JWT (COSE equivalents exist, and are modeled the same way).

https://datatracker.ietf.org/doc/html/draft-ietf-oauth-selective-disclosure-jwt-09#section-8.3 <https://urldefense.com/v3/__https:/datatracker.ietf.org/doc/html/draft-ietf-oauth-selective-disclosure-jwt-09*section-8.3__;Iw!!FJ-Y8qCqXTj2!aJtwyJzZqcWKkZ8igTJnRGTUzJBAL7-qlURY-fEnQenveC_1KY2lMHqhqlmdc0NFJbmHhGLRRTWv8-PJjW3J45tyIXo$> 

In my mental model, the RP is usually not aware of such details, but is aware of media types that require special processing by a verifier, and forwards them to verifiers trusted to evaluate such media types.

Hopefully this comment is helpful.

Regards,

OS



 

On Wed, Jun 19, 2024 at 8:57 AM Mike Ounsworth <Mike.Ounsworth=40entrust.com@dmarc.ietf.org <mailto:40entrust.com@dmarc.ietf.org> > wrote:

Hi Usama,

 

I agree that when a nonce is involved, “something” needs to be stateful. My question is whether it’s the RP that’s stateful, or the Verifier. In my mind, the RP is the big application with smarts that’s actually communicating with the attesting device, and the Verifier is some library or utility that knows how to read attestations, that’s how we laid out the abstract architecture diagram in CSR Attest (figure 1) [1] which is based on a very similar figure in RATS Architecture Background Check Model section (figure 6) [2].

 

However, on the other hand, the overall RATS Architecture (figure 1) [3] shows the Verifier being the front-end thing that communicates with the attester, and therefore the Verifier would be the thing that tracks nonce state.

 

So maybe the answer to my question is that the division of exact labour between “verifier” and “relying party” is fairly arbitrary and depends on the implementation?

 

[1]: https://datatracker.ietf.org/doc/html/draft-ietf-lamps-csr-attestation-09#name-architecture <https://urldefense.com/v3/__https:/datatracker.ietf.org/doc/html/draft-ietf-lamps-csr-attestation-09*name-architecture__;Iw!!FJ-Y8qCqXTj2!aJtwyJzZqcWKkZ8igTJnRGTUzJBAL7-qlURY-fEnQenveC_1KY2lMHqhqlmdc0NFJbmHhGLRRTWv8-PJjW3JIunxo8c$> 

[2]: https://datatracker.ietf.org/doc/html/rfc9334#name-background-check-model <https://urldefense.com/v3/__https:/datatracker.ietf.org/doc/html/rfc9334*name-background-check-model__;Iw!!FJ-Y8qCqXTj2!aJtwyJzZqcWKkZ8igTJnRGTUzJBAL7-qlURY-fEnQenveC_1KY2lMHqhqlmdc0NFJbmHhGLRRTWv8-PJjW3JgnCXkNc$> 

[3]: https://datatracker.ietf.org/doc/html/rfc9334#name-architectural-overview <https://urldefense.com/v3/__https:/datatracker.ietf.org/doc/html/rfc9334*name-architectural-overview__;Iw!!FJ-Y8qCqXTj2!aJtwyJzZqcWKkZ8igTJnRGTUzJBAL7-qlURY-fEnQenveC_1KY2lMHqhqlmdc0NFJbmHhGLRRTWv8-PJjW3JoKd8Sn4$> 

 

---

Mike Ounsworth

 

From: Muhammad Usama Sardar <muhammad_usama.sardar@tu-dresden.de <mailto:muhammad_usama.sardar@tu-dresden.de> > 
Sent: Tuesday, June 18, 2024 10:18 PM
To: Mike Ounsworth <Mike.Ounsworth@entrust.com <mailto:Mike.Ounsworth@entrust.com> >
Cc: Tschofenig, Hannes <hannes.tschofenig@siemens.com <mailto:hannes.tschofenig@siemens.com> >; spasm@ietf.org <mailto:spasm@ietf.org> ; rats <rats@ietf.org <mailto:rats@ietf.org> >
Subject: [EXTERNAL] Re: [Rats] Re: Freshness with Nonces

 

On 18. 06. 24 22: 13, Mike Ounsworth wrote: Are common verifier implementations stateful like that? Your description below sounds like the Verifier creates the nonce, and then needs to remember it to correlate against the Evidence that it will 

On 18.06.24 22:13, Mike Ounsworth wrote:

Are common verifier implementations stateful like that? Your description below sounds like the Verifier creates the nonce, and then needs to remember it to correlate against the Evidence that it will receive eventually. 

If simply storing the nonce makes a protocol "stateful" then almost all protocols would be stateful. In my understanding, a protocol is "stateful" only when a participant needs to store some information across multiple sessions. In the case under discussion, Verifier is randomly generating a nonce for each session, and does not need to store it across multiple sessions. Hence, I think it is not stateful. Please correct me if I am wrong. 

I would expect that the RP chooses the nonce and then hands it in to the Verifier; but I have limited hands-on experience here.

RP should generate a nonce for freshness of Attestation Results (not the Evidence).

Usama

_______________________________________________
RATS mailing list -- rats@ietf.org <mailto:rats@ietf.org> 
To unsubscribe send an email to rats-leave@ietf.org <mailto:rats-leave@ietf.org> 




 

-- 

 

ORIE STEELE
Chief Technology Officer
www.transmute.industries <https://urldefense.com/v3/__http:/www.transmute.industries__;!!FJ-Y8qCqXTj2!aJtwyJzZqcWKkZ8igTJnRGTUzJBAL7-qlURY-fEnQenveC_1KY2lMHqhqlmdc0NFJbmHhGLRRTWv8-PJjW3J4zcbtDk$> 

 <https://urldefense.com/v3/__https:/transmute.industries__;!!FJ-Y8qCqXTj2!aJtwyJzZqcWKkZ8igTJnRGTUzJBAL7-qlURY-fEnQenveC_1KY2lMHqhqlmdc0NFJbmHhGLRRTWv8-PJjW3Jsrz1KcM$>