Re: [Rats] Removal of the "replay protection and privacy" section in the EAT draft
"Smith, Ned" <ned.smith@intel.com> Thu, 29 September 2022 17:41 UTC
Return-Path: <ned.smith@intel.com>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 113B2C14CE26 for <rats@ietfa.amsl.com>; Thu, 29 Sep 2022 10:41:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.675
X-Spam-Level:
X-Spam-Status: No, score=-7.675 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.571, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=intel.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DSduMHSCQ6-N for <rats@ietfa.amsl.com>; Thu, 29 Sep 2022 10:41:23 -0700 (PDT)
Received: from mga18.intel.com (mga18.intel.com [134.134.136.126]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B431DC14CF04 for <rats@ietf.org>; Thu, 29 Sep 2022 10:41:23 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1664473283; x=1696009283; h=from:to:subject:date:message-id:content-id: content-transfer-encoding:mime-version; bh=tYKdPXrlN/rTjYdjxUPiLQDVJsNQ3UhTdrVfsnYCKp8=; b=LFMJkuedkh7+UJcAH3zxrAmj8+jKA4By06H2quzv9HSYKwDQFI8/AlNn HlYJeApRHI7cs53D1VQlp6lwzIVmLAddt6c3ndhK5OnWTRg026L1UM12/ rfVU2miOmJgCVj53NrPHmufNw/aYE6oNTedqIJkMJe/qp4l4BSvblLwU/ XFWH087R0qhzrnmQCDY6DVboUHJk2ypidozL95zchTMnnRJveGXRWilAc E9j44R9P9cYUWeK+2OnE9vVwsgoBYFkvE4gcRpx7cuNv9/GNixGLti/lo wWqEo2MM4SbUX1d63CKp6PhVfOpqlmALR2RlyNnhrpzsGrFcMfvGBqcfV Q==;
X-IronPort-AV: E=McAfee;i="6500,9779,10485"; a="285114916"
X-IronPort-AV: E=Sophos;i="5.93,355,1654585200"; d="scan'208";a="285114916"
Received: from fmsmga004.fm.intel.com ([10.253.24.48]) by orsmga106.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 29 Sep 2022 10:41:23 -0700
X-ExtLoop1: 1
X-IronPort-AV: E=McAfee;i="6500,9779,10485"; a="690923293"
X-IronPort-AV: E=Sophos;i="5.93,355,1654585200"; d="scan'208";a="690923293"
Received: from orsmsx603.amr.corp.intel.com ([10.22.229.16]) by fmsmga004.fm.intel.com with ESMTP; 29 Sep 2022 10:41:22 -0700
Received: from orsmsx609.amr.corp.intel.com (10.22.229.22) by ORSMSX603.amr.corp.intel.com (10.22.229.16) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2375.31; Thu, 29 Sep 2022 10:41:22 -0700
Received: from orsmsx603.amr.corp.intel.com (10.22.229.16) by ORSMSX609.amr.corp.intel.com (10.22.229.22) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2375.31; Thu, 29 Sep 2022 10:41:21 -0700
Received: from orsedg603.ED.cps.intel.com (10.7.248.4) by orsmsx603.amr.corp.intel.com (10.22.229.16) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2375.31 via Frontend Transport; Thu, 29 Sep 2022 10:41:21 -0700
Received: from NAM10-BN7-obe.outbound.protection.outlook.com (104.47.70.104) by edgegateway.intel.com (134.134.137.100) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.2375.31; Thu, 29 Sep 2022 10:41:21 -0700
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=VTjsCoUZdwLwVQRJkQ9xtvz3RlOcAroM95eoVvzLqEbATDlEhhzBy0j43SepsZ+BlTr7E2iAS7GiB7FGEYhg4kbfEKNKNRGFQX5OIY/SUSYE5IQcYEuVAvqDAWnWaWMw5zXEZ7ERfFMdkBLlNdANsBYqycFXbltyYbU/ZaKP6z1AOXdf2Nj2liAv+vfUPuQJAlc92/VrZeNrPBVBVqeyK+YnerAvWK0/tOVqH/DD9VKpICd2D9a4lOUBv+fXnfkqP2NkozW3ftm9jfyReaNPNqTS94wNWXyw5QfQA3WXw38LukEARwCKmcGN84Oy/jzkM9RuIYiJzVmQT7xDEyt2EQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=tYKdPXrlN/rTjYdjxUPiLQDVJsNQ3UhTdrVfsnYCKp8=; b=fO2yq9ZYOPWW4m/QkntUNIS9Vt3qgZsLIeDxQMGtRCSIDNpIHPHHATR45PPsSCW541YTSqkdMmxR4r23ikLhHvBAajXDEQSnrN9Vc2PJB1qaLsvdIm8EXRspz04nJ3IWoI0ZWtzQ0roOs5FbIc3vXMgMFkUNr2IZ/Rvc7Us79rTYQbi2+NkJSKrKEUMBm+yDIwU1edrib6f4HgrWL7l3y3g98JrF8WgCKfsSwCt2ptUsbpbN3uvpJ0zmfERCPOPW83R+SBoOkaE+GxHsccCSVGVbb59ZibwMXp8hoxVI3vNw5UCF/8AY04Rynk1Zogf5VRQlVtR3TNbFFLvInbuy6g==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=intel.com; dmarc=pass action=none header.from=intel.com; dkim=pass header.d=intel.com; arc=none
Received: from CO1PR11MB5169.namprd11.prod.outlook.com (2603:10b6:303:95::19) by SJ0PR11MB6718.namprd11.prod.outlook.com (2603:10b6:a03:477::16) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5676.17; Thu, 29 Sep 2022 17:41:14 +0000
Received: from CO1PR11MB5169.namprd11.prod.outlook.com ([fe80::33fe:67c:11b8:bc4f]) by CO1PR11MB5169.namprd11.prod.outlook.com ([fe80::33fe:67c:11b8:bc4f%5]) with mapi id 15.20.5676.020; Thu, 29 Sep 2022 17:41:13 +0000
From: "Smith, Ned" <ned.smith@intel.com>
To: Giridhar Mandyam <mandyam@qti.qualcomm.com>, Hannes Tschofenig <Hannes.Tschofenig@arm.com>, "rats@ietf.org" <rats@ietf.org>
Thread-Topic: [Rats] Removal of the "replay protection and privacy" section in the EAT draft
Thread-Index: AQHY1CqrdF6y1V1zwEqD44wqHWlkEw==
Date: Thu, 29 Sep 2022 17:41:13 +0000
Message-ID: <01E280C1-9622-40C5-8279-B1261702FDEB@intel.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/16.65.22091101
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=intel.com;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: CO1PR11MB5169:EE_|SJ0PR11MB6718:EE_
x-ms-office365-filtering-correlation-id: fe4757ee-81b0-40f9-b5a2-08daa241ce05
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: BBT+SMTL9n9egXsX4gySauaXsw0sG9bjCHchzyV6ROinus9puwJnkxYXpi3zWUsRoyYatOsMaWNvRuT0o+0x+FIcPs6agz8I94Yd7xBGp4GfQPAeWvDxFQWSgj95Gs/BiLr+Ebb12dTAqQ8KcWFFKGlPmOaj4dpxJoggMwpYSF3i8qTd2uv9neQCCANJP2JgHCWB68dL2Tnzub8LGNBSI72+pNPwykV21Vt/SnnbUvxpAooNypEZUmBxfbvSsX/FzpdOyJ4QYfo7fMwa248HxaAzHwOYWg3O4SsOcla5Vhsf8teO07d5hIupkGIdmtID4KMyFOyGr7rE95hQDtmXndhp6QrTg7i+snbhQLuS9XHbekjsKSmTj8vCDrpD8YiF/7SnsnfWEZHJltoVGiWlB8YcXxuVy8udsQBRel9LDlXwR/4mdTfH37U00CIgTiMB73miA9KBdM5jcDxhGFvFjhmABdN9dpNQWJQqoWTxtpJEQwRg1NGH++D5IVFysO5efOkYUDYxPTeKfkxDpVs47IhCqCUH11VPqJVEW6CgqFFSXh5OtOgQLZaeNEhw9zOymOp3GteByfCphdNZwvV+XcqAb3AUfbIlemQPCg85AOnIIJ22uYdX0XSDm82ZTcyoJt62xkrt2H/jcNCqYXHl2H9Wl0UPkhlk62TgToc/u3NwWa9B63hJpkJXAI/eNq/wO6rnjruEo9BX8mPDfveV4LlQnC7hGGs4ZyPfYP4oTCIJvSKOp+MUwkabC8eASjZfmqRRrQkp9rYy881aQOmDlcwEO2wC1GbqNVqBsZVt/naY90436pB7PjwwvDSJnkHCB4NDwWa1f8Umj5AkusFseVSa9Ykfdp38tDSwQDTcLoxWsUddeAWqZ5eW7qIGrfFl
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:CO1PR11MB5169.namprd11.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230022)(366004)(376002)(346002)(396003)(39860400002)(136003)(451199015)(38100700002)(66556008)(36756003)(26005)(6512007)(33656002)(83380400001)(38070700005)(110136005)(122000001)(316002)(91956017)(2906002)(2616005)(5660300002)(30864003)(64756008)(82960400001)(66446008)(186003)(66476007)(8676002)(41300700001)(76116006)(86362001)(66946007)(71200400001)(966005)(478600001)(6486002)(66899015)(6506007)(8936002)(53546011)(12393003)(45980500001); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: kKLC2589mDah0rSinH+H3RbzcEKFM/L4bACIofyeoliA0gpJyc8KdAYs6NxXrv8hXnhd7R5Gssp4X76cSaT8+bpkbuFka0tMTzVk1hGrbwm2ClrZgvyaBAnPv3We3o+5CwlWME7wSRJD54xjUbcSEyOWWuhympN0oXBGv++HzRR16+auDGZfTOZ3aIsVTSSXIjAl4Jhhx0FhiGfU/aTDIMu0S74Lf4B2Uy8AzZbBn6kc9jWrbLjE+Ekg5gfwp/y62dkwdNL/QoxoAFTHbNKWhvFqGhJpOCL1nUNNEY1BHwSTIIpeFheV9BLaQJcCsg9SbYlpjglszdOrFXH9oW1608ZXphx4R9lAY3ddWM48b64Ch26taB3AsN01FwHQxnZttHCZZD3CIEChvvoNKeL9I0aYzIwds0t83JUzyQntRULpPDNQIbjoRspkZeDRTruzMKDq9wvyerGXGZZHj2hTZrkCShp4xMGVir9xx76F4cdeQl6EE/l15LEdg1VhM4xUkJq812kK3wtwRXpG5hmFt1HJa35j64JCrqcf5TRVLeLDJCgcdKl7ZWPrQqKV2C37eQIO6kbEVRythBql/Htw9mcFeDumfScWpcFXQ6EzKsM+nMwrjaa6LAo6RQWNZi/sfxDmTkD76JcGJdBMnZdawOTrhtbSof+RoLl7aVP3L8XyepQDquDIi3+k1d+0NwGQaIST3C/oNNUIBHLU6v1y+lWnl63zUu6JYd2jO6xPzQAy+U5Snt49GuCUByo/0RVB6cZgbZsuu1T+yOY6zjomV7+954OD9rtnxR90KoRORLJ/hfZxPV13oanRD8787YljVwAGYcpy8EELYm2qpSQlgGyeL5pHXanj9sVU+UBio719HUQVc8UwrC073hNrTyLZZNNqG2n2o3yrITt1MTYn+mlx8hLeTSJZ/TNJzWyK7xVGD0078PBeJLoRmmaR5I9EDQTlFp6bpAHY9Of/Z0zHFockSPVZLTQIUcf9bDAFxYW1ODu38xAmQlT7RTceaM6g9DqMpl4g3W3/zgPryequSY5GkKHc2oAX5Z3xEfgBKOnC2vpxF07QoHGVsx2X1y7HBPhs0bdjkqWD2mlxJaDhvoQbRcNjGBGd9RFWUTmU2zka+9g8iTya+Bwrw87pux9/etefdErWS6/sAGlXVt+14JA+pP9yxSzqWor2e7CiachgE+4UCQveMjc0q5LtxeYi07ABxvLxHqDyYb82aebE++Fe1SUh9BObFjPgZemdZlvgB1kksTIKGJDgv2B1tVuJ8zKcGlPPCqUwljgt7gV6ymVMxItOhmilUMzeW/xddEMbxx9I9l8I2PO7RrL8agAkmLle/GnwQSWKXF29DOkLa+q7hCJuFCgzqoF/iBqE5JdxuSeRTtMC5bFe46b6n6tnxSLG5VsFwvlo5MYUPoZ1lI/Le/4LkC8jlQuVtDmoqx4mXhgzyNWpSVbhJh+a6zaObaEqGSuIStQgCkvZCO0j8QIqX82bd0jjHngyW1+SUaAj6BVf97pkC0cVKjOGY7JnGy3JnQvzTKmTLzuTDn+/nBF6B+mPNXyCe9dj5T8Ehs4EuwKXUwafnMquPJyLFBk/Bb+rW6Zj/rtD7ln1Meht3A==
Content-Type: text/plain; charset="utf-8"
Content-ID: <962DB0A45270404F8D90851BD3818C7D@namprd11.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: CO1PR11MB5169.namprd11.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: fe4757ee-81b0-40f9-b5a2-08daa241ce05
X-MS-Exchange-CrossTenant-originalarrivaltime: 29 Sep 2022 17:41:13.8776 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 46c98d88-e344-4ed4-8496-4ed7712e255d
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: O8eaqkToN+APwQZ130dM7u2y0GRxI0cZmOeXfH54ZkylYc8KxMjY/MmnZqVBm6pfOBgo93NI+lQFY4/OANFKZw==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SJ0PR11MB6718
X-OriginatorOrg: intel.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/InaR6-OHVa3dGBJ6F6Cohs6Lvc4>
Subject: Re: [Rats] Removal of the "replay protection and privacy" section in the EAT draft
X-BeenThere: rats@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Remote ATtestation procedureS <rats.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rats>, <mailto:rats-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>
List-Post: <mailto:rats@ietf.org>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rats>, <mailto:rats-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 29 Sep 2022 17:41:28 -0000
The privacy considerations section should clearly describe that nonce reuse could result in privacy compromise. -Ned On 9/29/22, 8:16 AM, "RATS on behalf of Giridhar Mandyam" <rats-bounces@ietf.org on behalf of mandyam@qti.qualcomm.com> wrote: > Why would anyone use a nonce to convey a username in it? Has anyone done this already? I hope not. But nonce is a new CWT claim and we don't know how it is being used. Use of username/password alone was meant to be an extreme example of how not to generate a nonce, but even a random value that is generated exactly one-time and is forever tied to the user account (i.e. continually re-used) could also impact privacy. In this case, the nonce can serve as an identifier of the user account and therefore the user. The nonce privacy section in EAT was partly inspired by comparable considerations on challenge data (https://www.w3.org/TR/webauthn-2/#dom-collectedclientdata-challenge) from FIDO/Webauthn: https://www.w3.org/TR/webauthn-2/#sctn-cryptographic-challenges. As you can see from the above, the normative description of challenge does not make any restrictions on use of solely deterministic data in determining the challenge. The security considerations section however makes it clear that the server-provided challenge must be generated from a reliable source of randomness. The above cited text further goes on to say " This SHOULD be done in a fashion that does not rely upon a client's behavior", which means that a nonce should not be generated one time only and used for subsequent operations for the given user (and the ensuing example implies as much when it says "the Relying Party SHOULD store the challenge temporarily until the operation is complete"). FIDO's mandate of nonce randomness on a per-operation level is treated solely as a security consideration. In my opinion there is a privacy aspect as well, and FIDO might have been better served to expand upon the "does not rely upon a client's behavior" requirement as part of their privacy considerations. -Giri -----Original Message----- From: RATS <rats-bounces@ietf.org> On Behalf Of Hannes Tschofenig Sent: Thursday, September 29, 2022 7:52 AM To: Giridhar Mandyam <mandyam@qti.qualcomm.com>; rats@ietf.org Subject: Re: [Rats] Removal of the "replay protection and privacy" section in the EAT draft WARNING: This email originated from outside of Qualcomm. Please be wary of any links or attachments, and do not enable macros. Hi Giri, Good to hear that the text about the cti/jti was removed. If I just look at the remaining text from the replay protection section (see below) then the content has obviously changed: instead of claiming that the cti contains an equivalent of a username or account login, it now says that the nonce may contain that information. Why would anyone use a nonce to convey a username in it? Has anyone done this already? Ciao Hannes ------ Replay Protection and Privacy EAT defines the nonce claim for token replay protection (also sometimes known as token "freshness"). The nonce claim is based on a value that is usually derived remotely (outside of the entity). This claim can be used to extract and convey personally-identifying information either inadvertently or by intention. For instance, an implementor may choose a nonce that is equivalent to a username associated with the device (e.g., account login). If the token is inspected by a 3rd-party then this information could be used to identify the source of the token or an account associated with the token. In order to avoid the conveyance of privacy-related information in the nonce claim, it should be derived using a salt that originates from a true and reliable random number generator or any other source of randomness that would still meet the target system requirements for replay protection. -----Original Message----- From: Giridhar Mandyam <mandyam@qti.qualcomm.com> Sent: Thursday, September 29, 2022 4:07 PM To: Hannes Tschofenig <Hannes.Tschofenig@arm.com>; rats@ietf.org Subject: RE: Removal of the "replay protection and privacy" section in the EAT draft > The text above talks about two mechanisms, namely >- nonces, and >- the cti/jti. > In the EAT draft version -14 the cti/jti claims are mentioned in two sections, namely in Section 8.4 (see above) and also in Section 4.3.1. The cti claim contains a unique identifier for the JWT. Actually all mention of cti/jti has been removed in this section and the rest of the document as of recent PR merge. See https://github.com/ietf-rats-wg/eat/pull/308. EAT spec is now silent on the use of cti/jti. I do think there is room for cti as the sole replay protection in an EAT token when a nonce is not possible (i.e. one-way transport such as IP Multicast/BLE-AD), but it appears that group consensus is to not discuss it as a replay mechanism in the document itself. EAT does not prevent an implementor from using an existing CWT/JWT claim so cti could appear in an EAT token. > The privacy implications of the nonce are not described nor are other privacy implications of the iat (issued at) claim defined, which would correspond to the timestamp replay protection mechanism defined in the RATS architecture. That is not my interpretation of the current text. The text only discusses the privacy implications of the nonce. Moreover, iat is a claim whose value is set by the token issuer. Nonce presumably is not. For claims set by the token issuer, the attester could (depending on the implementation) take user privacy preferences into account when determining which claims to include. As a crude example, if an entity's permissions settings indicate that location should not be exposed by the device to any 3rd-parties then the location claim could be excluded by the attester. Therefore the privacy considerations for the 2 claims are different. There could be a privacy considerations sub-section for token-issuer controlled claims, but I think such considerations would not be particularly meaningful without assuming certain implementations (e.g. Android/Windows permissions framework and how it affects claims included in the token). This might have been the reason why RFC 8392 avoided such a discussion altogether (https://datatracker.ietf.org/doc/rfc8392/). -Giri -----Original Message----- From: RATS <rats-bounces@ietf.org> On Behalf Of Hannes Tschofenig Sent: Thursday, September 29, 2022 4:37 AM To: rats@ietf.org Subject: [Rats] Removal of the "replay protection and privacy" section in the EAT draft WARNING: This email originated from outside of Qualcomm. Please be wary of any links or attachments, and do not enable macros. Hi all, In PR https://github.com/ietf-rats-wg/eat/pull/299 I proposed a re-write of the privacy consideration section. As part of my re-write I removed text that was, according to Giri, "reviewed and agreed upon by the Architecture team and EATS editors in https://github.com/ietf-rats-wg/eat/pull/164". Now, I would like to bring it to the group. Here is the relevant text: 8.4. Replay Protection and Privacy EAT offers 2 primary mechanisms for token replay protection (also sometimes known as token "freshness"): the cti/jti claim and the nonce claim. The cti/jti claim in a CWT/JWT is a field that may be optionally included in the EAT and is in general derived on the same device in which the entity is instantiated. The nonce claim is based on a value that is usually derived remotely (outside of the entity). These claims can be used to extract and convey personally-identifying information either inadvertently or by intention. For instance, an implementor may choose a cti that is equivalent to a username associated with the device (e.g., account login). If the token is inspected by a 3rd-party then this information could be used to identify the source of the token or an account associated with the token (e.g., if the account name is used to derive the nonce). In order to avoid the conveyance of privacy-related information in either the cti/jti or nonce claims, these fields should be derived using a salt that originates from a true and reliable random number generator or any other source of randomness that would still meet the target system requirements for replay protection. The RATS architecture talks about three approaches for providing freshness, namely - timestamps, - nonces, and - epoch IDs. The text above talks about two mechanisms, namely - nonces, and - the cti/jti. (As you will see later, the cti/jti does not correspond to one of the freshness mechanisms from the RATS architecture.) In the EAT draft version -14 the cti/jti claims are mentioned in two sections, namely in Section 8.4 (see above) and also in Section 4.3.1. The cti claim contains a unique identifier for the JWT. Assuming that an implementer uses the cti to convey a username / account login is unjustified given what Section 4.1.7 of RFC 7519 defines it to be, see https://www.rfc-editor.org/rfc/rfc7519#section-4.1.7. So, there is only a privacy problem with the cti/jti if you use it in a way that has not been envisioned and even suggested by the RFC that defined it. The privacy implications of the nonce are not described nor are other privacy implications of the iat (issued at) claim defined, which would correspond to the timestamp replay protection mechanism defined in the RATS architecture. For this reason I suggested to remove this text from the privacy consideration section. Ciao Hannes IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you. _______________________________________________ RATS mailing list RATS@ietf.org https://www.ietf.org/mailman/listinfo/rats IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you. _______________________________________________ RATS mailing list RATS@ietf.org https://www.ietf.org/mailman/listinfo/rats _______________________________________________ RATS mailing list RATS@ietf.org https://www.ietf.org/mailman/listinfo/rats
- [Rats] Removal of the "replay protection and priv… Hannes Tschofenig
- Re: [Rats] Removal of the "replay protection and … Giridhar Mandyam
- Re: [Rats] Removal of the "replay protection and … Hannes Tschofenig
- Re: [Rats] Removal of the "replay protection and … Giridhar Mandyam
- Re: [Rats] Removal of the "replay protection and … Smith, Ned