Re: [Rats] Interoperability ... RE: EAT Profiles

Hannes Tschofenig <Hannes.Tschofenig@arm.com> Mon, 26 September 2022 09:36 UTC

From: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
To: Thomas Fossati <tho.ietf@gmail.com>, "Smith, Ned" <ned.smith@intel.com>
CC: Laurence Lundblade <lgl@island-resort.com>, Henk Birkholz <henk.birkholz@sit.fraunhofer.de>, Michael Richardson <mcr+ietf@sandelman.ca>, "rats@ietf.org" <rats@ietf.org>
Date: Mon, 26 Sep 2022 09:35:51 +0000
Message-ID: <DBBPR08MB5915547A166C910F051E4FD8FA529@DBBPR08MB5915.eurprd08.prod.outlook.com>
References: <AS8PR08MB5911E476356C4005F68D6D4CFA4D9@AS8PR08MB5911.eurprd08.prod.outlook.com> <6F9F204B-E01C-4C56-9FA3-0E5F88F8C225@island-resort.com> <EF696290-B899-482F-B41E-BA358D57C123@intel.com> <CAObGJnNZ7=-v=ue94C+1CyfmXX7eYMTDKvdLYaBQ8K2cje42DA@mail.gmail.com> <4554C994-57E6-4873-9B41-66352CEA2920@intel.com> <CAObGJnNp7DrCn4MfAzBTBog1niOY0u5auETJU-iR7kk-CivJSw@mail.gmail.com> <A20E8654-BD16-48DE-B0A3-71EC45E16FE9@intel.com> <CAObGJnPPLcKpqnHYRnDbOJo-Um2WuQbq4tHOF7CLP8auh=i6=w@mail.gmail.com>
In-Reply-To: <CAObGJnPPLcKpqnHYRnDbOJo-Um2WuQbq4tHOF7CLP8auh=i6=w@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/X-OlyImsMkt221kRYTBgBtu94JY>

Hi Ned,

I would like to respond to your statement about the AISS token being an extension to the CWT/JWT rather than the EAT token.

EAT intentionally builds on CWT/JWT. This is a good design approach.

The AISS token re-uses claims in EAT and therefore extends EAT and indirectly the CWT/JWT.

Should the draft provide more information regarding the recommendations in Section 6 of draft-ietf-rats-eat? Yes. Definitely.

In a nutshell, I don't see a problem. FWIW I have implemented a prototype of the AISS token using the EAT library Laurence released.

Ciao
Hannes

-----Original Message-----
From: Thomas Fossati <tho.ietf@gmail.com>
Sent: Thursday, September 22, 2022 3:04 PM
To: Smith, Ned <ned.smith@intel.com>
Cc: Laurence Lundblade <lgl@island-resort.com>; Hannes Tschofenig <Hannes.Tschofenig@arm.com>; Henk Birkholz <henk.birkholz@sit.fraunhofer.de>; Michael Richardson <mcr+ietf@sandelman.ca>; rats@ietf.org
Subject: Re: [Rats] Interoperability ... RE: EAT Profiles

hi Ned,

On Wed, Sep 21, 2022 at 5:51 PM Smith, Ned <ned.smith@intel.com> wrote:
> On 9/21/22, 1:55 AM, "RATS on behalf of Thomas Fossati" <rats-bounces@ietf.org on behalf of tho.ietf@gmail.com> wrote:
> > On Tue, Sep 20, 2022 at 8:55 PM Smith, Ned <ned.smith@intel.com> wrote:
> > > Profiles should extend standardized statements at a defined
> > > extension point; but existing ones seem to go beyond this in several
> > > ways.
> >
> > Can you point me to where that is happening?  Speaking for PSA, we
> > do not extend any standardised EAT statement.
>
> [nms]    aiss-token = {
>        aiss-nonce,
>        aiss-instance-id,
>        aiss-profile,
>        aiss-implementation-id,
>        aiss-lifecycle,
>        aiss-boot-odometer,
>        aiss-watermark,
>    }
>
> Aiss-token seems to be an extension of a CWT/JWT token (rather than an
> EAT token). However, this token does integrate with some claims found
> in the EAT draft such as nonce, profile, UEID, and hash-type. Hence,
> it is both a subset of EAT claims as well as a superset of an EAT
> token.

I am not sure I see a problem here.  An EAT can (and typically will) be a CWT/JWT, so anything claiming to be an EAT "profile" can a) inherit the CWT/JWT wrapping, b) extend the claims set using newly registered CWT/JWT claims if the available EAT claims are not sufficient.

> Philosophically, EAT claims could be incorporated into other container
> structures besides CWT/JWT tokens.

True, but.
In order to extend the top-level type one needs a "IETF standards track document." (see §3), so it's not going to be cheap to do that.

> For example, an X.509 certificate
> could define an extension that contains UCCS expression of EAT claims

This X.509 extension would be wrapped in a UCCS which is a top-level EAT (when it gets its RFC number), so this is not the right example of "new bounding container", I think.

> or a protocol frame could do something similar.

If by "similar" you mean UCCS wrapping the EAT/CWT claims then there's no need to define anything for the profile.  Just reference [UCCS].

> It seems reasonable that a profile could specify the bounding
> container for EAT defined claims.

yes, but in order to be called an EAT it needs to be defined in a STD track document.

cheers,
--
Thomas
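The structural point the thread turns on, that a profile token inherits the CWT/JWT claims-map shape, reuses EAT claims such as nonce, ueid and profile, adds its own claims, and that a verifier must look at the profile claim before it can interpret the rest, in working code. This is an added example, not code from this thread, from draft-ietf-rats-eat or from Laurence's EAT library. It embeds a minimal CBOR encoder/decoder so it runs offline. The numeric claim keys used for nonce (10), ueid (256) and eat_profile (265), the private-use keys below -65536 chosen for the lifecycle, boot-odometer and watermark claims, and the profile URI are all assumptions for illustration; check the IANA CWT Claims registry and the profile document before relying on any of them.

```python
"""Profile-aware check of an EAT-style claims set (unsigned, CBOR-encoded).

Added example. The same claims map is what goes into a CWT's COSE_Sign1
payload or a UCCS; signature verification is out of scope here and must
happen before the claims are trusted.
"""
from typing import Any

# Assumed EAT claim keys (verify against the IANA CWT Claims registry).
EAT_NONCE = 10
UEID = 256
EAT_PROFILE = 265

# Hypothetical profile-specific claims placed in the CWT private-use range
# (integer keys below -65536). A real profile would register its keys.
LIFECYCLE = -70001
BOOT_ODOMETER = -70002
WATERMARK = -70003

PROFILE_URI = "https://example.com/profiles/aiss-demo"  # constructed value

# What the hypothetical profile permits, with the CBOR type each claim must have.
PROFILE_CLAIMS = {
    EAT_NONCE: bytes, UEID: bytes, EAT_PROFILE: str,
    LIFECYCLE: int, BOOT_ODOMETER: int, WATERMARK: bytes,
}
REQUIRED = {EAT_NONCE, UEID, EAT_PROFILE, LIFECYCLE}


def _head(major: int, n: int) -> bytes:
    """CBOR initial byte plus shortest argument encoding (RFC 8949 preferred form)."""
    if n < 24:
        return bytes([(major << 5) | n])
    for ai, size in ((24, 1), (25, 2), (26, 4), (27, 8)):
        if n < 1 << (8 * size):
            return bytes([(major << 5) | ai]) + n.to_bytes(size, "big")
    raise ValueError("integer too large for CBOR")


def cbor_encode(v: Any) -> bytes:
    """Encode ints, byte/text strings, lists and maps; enough for a claims set."""
    if isinstance(v, int):
        return _head(0, v) if v >= 0 else _head(1, -1 - v)
    if isinstance(v, bytes):
        return _head(2, len(v)) + v
    if isinstance(v, str):
        enc = v.encode("utf-8")
        return _head(3, len(enc)) + enc
    if isinstance(v, list):
        return _head(4, len(v)) + b"".join(cbor_encode(x) for x in v)
    if isinstance(v, dict):
        return _head(5, len(v)) + b"".join(cbor_encode(k) + cbor_encode(x) for k, x in v.items())
    raise TypeError(f"unsupported type {type(v).__name__}")


def _decode(d: bytes, off: int):
    if off >= len(d):
        raise ValueError("truncated item")
    major, ai = d[off] >> 5, d[off] & 0x1F
    off += 1
    if ai < 24:
        n = ai
    elif ai <= 27:
        size = 1 << (ai - 24)
        if off + size > len(d):
            raise ValueError("truncated argument")
        n, off = int.from_bytes(d[off:off + size], "big"), off + size
    else:
        raise ValueError("indefinite-length and reserved forms not supported")
    if major == 0:
        return n, off
    if major == 1:
        return -1 - n, off
    if major in (2, 3):
        if off + n > len(d):
            raise ValueError("truncated string")
        chunk = d[off:off + n]
        return (bytes(chunk) if major == 2 else chunk.decode("utf-8")), off + n
    if major == 4:
        items = []
        for _ in range(n):
            item, off = _decode(d, off)
            items.append(item)
        return items, off
    if major == 5:
        m: dict = {}
        for _ in range(n):
            k, off = _decode(d, off)
            val, off = _decode(d, off)
            if k in m:
                raise ValueError("duplicate map key")  # reject, do not silently overwrite
            m[k] = val
        return m, off
    raise ValueError(f"major type {major} not handled by this minimal decoder")


def cbor_decode(data: bytes) -> Any:
    v, off = _decode(data, 0)
    if off != len(data):
        raise ValueError("trailing bytes after CBOR item")
    return v


def build_token(nonce: bytes, ueid: bytes, lifecycle: int, odometer: int, watermark: bytes) -> bytes:
    """Attester side: EAT claims plus the profile's own claims in one CWT-shaped map."""
    return cbor_encode({EAT_NONCE: nonce, UEID: ueid, EAT_PROFILE: PROFILE_URI,
                        LIFECYCLE: lifecycle, BOOT_ODOMETER: odometer, WATERMARK: watermark})


def check_claims(token: bytes, expected_nonce: bytes) -> dict:
    """Verifier side: the profile claim decides which claims are meaningful."""
    claims = cbor_decode(token)
    if not isinstance(claims, dict):
        raise ValueError("claims set must be a CBOR map")
    if claims.get(EAT_PROFILE) != PROFILE_URI:
        raise ValueError("missing or unknown eat_profile: cannot interpret the other claims")
    missing = REQUIRED - claims.keys()
    if missing:
        raise ValueError(f"missing required claims {sorted(missing)}")
    for k, v in claims.items():
        if k not in PROFILE_CLAIMS:
            raise ValueError(f"claim {k} is not permitted by the profile")
        if not isinstance(v, PROFILE_CLAIMS[k]):
            raise ValueError(f"claim {k} has the wrong type")
    if claims[EAT_NONCE] != expected_nonce:
        raise ValueError("nonce mismatch (stale or replayed token)")
    return claims
```

The verifier refuses a token whose profile it does not know rather than guessing at the private-use claims, which is the interoperability property the profile claim exists to provide; swapping the map into a signed CWT changes nothing about this check, only where it runs in the pipeline.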