IETF Logo Mail Archive

Re: [Rats] Vetting claim definitions

"Eric Voit (evoit)" <evoit@cisco.com> Mon, 10 June 2019 21:24 UTC

Return-Path: <evoit@cisco.com>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 26C0812011D for <rats@ietfa.amsl.com>; Mon, 10 Jun 2019 14:24:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.5
X-Spam-Level:
X-Spam-Status: No, score=-14.5 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com header.b=in+NZkR2; dkim=pass (1024-bit key) header.d=cisco.onmicrosoft.com header.b=s/+skSWg
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jxFuYvb0gAHl for <rats@ietfa.amsl.com>; Mon, 10 Jun 2019 14:23:59 -0700 (PDT)
Received: from alln-iport-1.cisco.com (alln-iport-1.cisco.com [173.37.142.88]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A7F031201CB for <rats@ietf.org>; Mon, 10 Jun 2019 14:23:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=66228; q=dns/txt; s=iport; t=1560201838; x=1561411438; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=K0t87aKiQhxPz8yE70h6kNNFELtisUFwqHM7dNYsDCU=; b=in+NZkR2MYIX03pnJk3x/MK3dQCzk9qpQYmPv287pyOMCFuLm5ZJwE6k zFy0G926JBgHEWEFm5yg4V43LQV5Uk+tijX66dsqTG6IUs4K50xwjgDQg yNNGp8wI7UZLuwhlwUMI2WtipeoI7a6FWlQYmJg6bixesf0l5S+vVRc14 Y=;
IronPort-PHdr: 9a23:OsByoRa9cxHb24GxaxzsaET/LSx94ef9IxIV55w7irlHbqWk+dH4MVfC4el20Q+bRp3VvvRDjeee87vtX2AN+96giDgDa9QNMn1NksAKh0olCc+BB1f8KavncSs7AOxJVURu+DewNk0GUMs=
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0AdAADdyP5c/4gNJK1mGQEBAQEBAQEBAQEBAQcBAQEBAQGBVAEBAQEBAQsBgQ4vJAUnA2pVIAQLKAqEC4NHA45fgleXMoFCgRADUAQJAQEBDAEBGAEKCgIBAYRAAheCXSM3Bg4BAwEBBAEBAgEEbRwMhUoBAQEBAwEBEAgJChMBASkDAgIHAQ8CAQgOAwQBASEBBgMCAgIlCxQJCAIEDgUIFwODAYEdTQMdAQIMnW4CgTiITxBxgTGCeQEBBYUFGIIPAwaBNAGKPoEeF4FAPyZrRoJMPoJhAQECAYErAQsBBgEhDB8JAoJSMoImi0IjKAOCGIRsIpULagkCgg+GRIhFhFSCJS+GTYQEiXaUJo8nAgQCBAUCDgEBBYFlImdxcBU7gmyCDwsBF4ECAQKCSIUUhT9yAYEojDgBAQ0XB4EEAYEgAQE
X-IronPort-AV: E=Sophos;i="5.63,576,1557187200"; d="scan'208,217";a="282899624"
Received: from alln-core-3.cisco.com ([173.36.13.136]) by alln-iport-1.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 10 Jun 2019 21:23:57 +0000
Received: from XCH-RCD-015.cisco.com (xch-rcd-015.cisco.com [173.37.102.25]) by alln-core-3.cisco.com (8.15.2/8.15.2) with ESMTPS id x5ALNvYa014703 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Mon, 10 Jun 2019 21:23:57 GMT
Received: from xhs-rtp-002.cisco.com (64.101.210.229) by XCH-RCD-015.cisco.com (173.37.102.25) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Mon, 10 Jun 2019 16:23:56 -0500
Received: from xhs-aln-001.cisco.com (173.37.135.118) by xhs-rtp-002.cisco.com (64.101.210.229) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Mon, 10 Jun 2019 17:23:55 -0400
Received: from NAM05-DM3-obe.outbound.protection.outlook.com (173.37.151.57) by xhs-aln-001.cisco.com (173.37.135.118) with Microsoft SMTP Server (TLS) id 15.0.1473.3 via Frontend Transport; Mon, 10 Jun 2019 16:23:55 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.onmicrosoft.com; s=selector2-cisco-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=K0t87aKiQhxPz8yE70h6kNNFELtisUFwqHM7dNYsDCU=; b=s/+skSWg64Pad8DV21ZXG/OHb2/lEBKkE/qonVw/HRCNHohwNkk62DNN+v9J97drUczFbXNvMFxZZSE6fN1BEiW467mcJsb2xkNLTnUk6ZAfuguKw1mRO5btt0u1EUqzYG/rZNxQOx2ri7+pae/0R4IiXkq73QZQNvFNQiPMIzo=
Received: from DM6PR11MB4089.namprd11.prod.outlook.com (20.176.126.30) by DM6PR11MB3785.namprd11.prod.outlook.com (20.179.16.160) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1965.12; Mon, 10 Jun 2019 21:23:54 +0000
Received: from DM6PR11MB4089.namprd11.prod.outlook.com ([fe80::d014:d7a3:270:e5a9]) by DM6PR11MB4089.namprd11.prod.outlook.com ([fe80::d014:d7a3:270:e5a9%3]) with mapi id 15.20.1965.017; Mon, 10 Jun 2019 21:23:54 +0000
From: "Eric Voit (evoit)" <evoit@cisco.com>
To: Laurence Lundblade <lgl@island-resort.com>
CC: Michael Richardson <mcr+ietf@sandelman.ca>, Hannes Tschofenig <Hannes.Tschofenig@arm.com>, Henk Birkholz <henk.birkholz@sit.fraunhofer.de>, Mike Jones <Michael.Jones=40microsoft.com@dmarc.ietf.org>, "rats@ietf.org" <rats@ietf.org>
Thread-Topic: [Rats] Vetting claim definitions
Thread-Index: AQHVHSQrNP3gSrcbuEuedIL4RWxi86aQLzAwgABa8ACAABflIIAEoFOAgAAVAQA=
Date: Mon, 10 Jun 2019 21:23:53 +0000
Message-ID: <DM6PR11MB4089D8274D816949BAC5215DA1130@DM6PR11MB4089.namprd11.prod.outlook.com>
References: <BC6D5D3A-BD2F-496E-AA68-D2A758A33843@island-resort.com> <12913.1559739926@localhost> <30754CD8-98AB-4080-952E-880BC630EC69@island-resort.com> <BL0PR00MB029274A33B44A0B8CE310C0BF5160@BL0PR00MB0292.namprd00.prod.outlook.com> <VI1PR08MB536061869B7BE623F861B821FA100@VI1PR08MB5360.eurprd08.prod.outlook.com> <DM6PR11MB408908B0F071051FEC0B090BA1100@DM6PR11MB4089.namprd11.prod.outlook.com> <902E75D8-D8AC-403B-A295-0EC3034E44B2@island-resort.com> <DM6PR11MB4089C31F977DD496B5CC49D7A1100@DM6PR11MB4089.namprd11.prod.outlook.com> <D990AE6C-3722-40EA-9B11-9B7EDEF9AFE5@island-resort.com>
In-Reply-To: <D990AE6C-3722-40EA-9B11-9B7EDEF9AFE5@island-resort.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=evoit@cisco.com;
x-originating-ip: [173.38.117.84]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: a28011b2-3b92-401e-f982-08d6ede9f0c2
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600148)(711020)(4605104)(1401327)(2017052603328)(7193020); SRVR:DM6PR11MB3785;
x-ms-traffictypediagnostic: DM6PR11MB3785:
x-ms-exchange-purlcount: 5
x-microsoft-antispam-prvs: <DM6PR11MB3785C717C67DB7E3A864FAC1A1130@DM6PR11MB3785.namprd11.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:6790;
x-forefront-prvs: 0064B3273C
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(346002)(136003)(39860400002)(376002)(396003)(366004)(189003)(40434004)(199004)(124014002)(66446008)(66946007)(8936002)(66476007)(66556008)(68736007)(26005)(25786009)(476003)(5660300002)(66574012)(71200400001)(66066001)(9326002)(186003)(76116006)(64756008)(256004)(14444005)(6916009)(76176011)(102836004)(73956011)(7696005)(6116002)(5024004)(3846002)(11346002)(446003)(6506007)(53546011)(790700001)(4326008)(53936002)(478600001)(74316002)(45080400002)(966005)(52536014)(316002)(99286004)(606006)(14454004)(33656002)(6246003)(54906003)(55016002)(236005)(53946003)(86362001)(6306002)(6436002)(81156014)(8676002)(71190400001)(81166006)(9686003)(486006)(229853002)(2906002)(54896002)(30864003)(7736002); DIR:OUT; SFP:1101; SCL:1; SRVR:DM6PR11MB3785; H:DM6PR11MB4089.namprd11.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: cisco.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: 2W4kAAXuUMitdWJgvO0bHdncYBmE2zPnEU+QnwNyuctkX4XAPBcjpoCoV3G5qZObVT9+7K1qha+pVqtOEAOwt91zqbonlGck2raUSnPOpvJiann+nwXl4Xtp6z/bfhODQSlz8r2e98ApIqWq4V4Sl9jnj7++KHMgNwItGw3ksK8ubN+33U5VHqt7QhAMTzY804EsODmOvsSkWeSqb+6yIuADEYoXJuHJ4i0fR0UTbfFotX0hCCclpOCz99leFBxjHKgukrufVVsrbA7iMgTkuS+U8Izkk0HSZUiYDwWdb2pZxRGcl3qdKX3MxlI1F/oaFa+x4h/p+VzO0h2UahM3OCPK22iHh9YPLh3Ks4+hQnLYrXM6c9XgU3Q4Hfn9zM6oo7+hzE8TkryVlZUZJh1VFZR2YkUp43hp66aT8DJCMg8=
Content-Type: multipart/alternative; boundary="_000_DM6PR11MB4089D8274D816949BAC5215DA1130DM6PR11MB4089namp_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: a28011b2-3b92-401e-f982-08d6ede9f0c2
X-MS-Exchange-CrossTenant-originalarrivaltime: 10 Jun 2019 21:23:54.0287 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: evoit@cisco.com
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM6PR11MB3785
X-OriginatorOrg: cisco.com
X-Outbound-SMTP-Client: 173.37.102.25, xch-rcd-015.cisco.com
X-Outbound-Node: alln-core-3.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/oRUviOXXpGiw0my25WRIk7X8czQ>
Subject: Re: [Rats] Vetting claim definitions
X-BeenThere: rats@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Remote Attestation Procedures <rats.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rats>, <mailto:rats-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>
List-Post: <mailto:rats@ietf.org>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rats>, <mailto:rats-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 10 Jun 2019 21:24:09 -0000

Hi Laurence,

It is true that the YANG of draft-birkholz-rats-basic-yang-module is currently TPM2 specific.  But over the past month we have been having discussions on how to augment into this model case statements and a tree structure which allows exposure of information from alternative hardware types such as the TPM1.2.

Per your note below, I am guessing that draft-birkholz-rats-basic-yang-module could provide a query/response interface to access EAT information.  The Network Element's YANG model theoretically could allow access based on whatever choice of protocols the Network Element supports (e.g., NETCONF/XML. RESTCONF/JSON, CoMI/CBOR).  But the choice and protocols of used to access EAT objects over a YANG interface is something each platform would need to define.   The baseline choice for Interoperability here is tbd.

Whether it is even meaningful/relevant to support such YANG-EAT interoperability is something I don't know yet.  For me to consider EAT for implementation would mean EAT has been adopted within routers/switches.   As this is possible, I feel there is little for the WG to lose if we try to select/define some common objects which span our different domains.

Please understand that in no way do I claim that YANG is perfect.  And YANG models can take years to complete.   But on the plus side for YANG, I am sure it is possible to construct YANG models so that new hardware types can be inserted.  If you want a preview of the types of structure which might be used for this type of extensibility, check out at how draft-ietf-netconf-yang-push augments new case types into a the YANG model described within draft-ietf-netconf-subscribed-notifications.

Eric

From: Laurence Lundblade, June 10, 2019 2:57 PM

Hi Eric,

So I think we have some agreement on general principles for how to structure the documents this work group produces so we can have both flexibility in the definition of new claims and well-defined concise sets claims for particular use cases.

In particular I appreciate the confirmation of this from Mike Jones. Hopefully lack of objection implies a lot of agreement.


Eric, I think you are now digging into the next level of detail on how to deal with TPM-based implementations and claims specified in YANG and how that will interoperate with CWT/COSE and JWT/JOSE based tokens.

I don’t really understand YANG and how to fully read draft-birkholz-rats-basic-yang-module yet. Working on it (but I should be working on the new EAT draft…)

draft-birkholz-rats-basic-yang-module REQUIRES a TPM to implement it. That implies to me that neither CWT/COSE and JWT/JOSE signed container formats can be used because I don’t think TPM’s can produce either format. Pretty sure we agree that EAT will always be CWT/COSE or JWT/JOSE.

(It is also odd to me that an IETF standard would require particular HW. It should just be about bits on the wire. EAT will have some means to indicate the security of the HW and SW that produced a given token, but will not require any particular security from the HW or SW)

But let’s assume that a relying party (I think you call this the Network Element) can unpack and verify signature that in the format of CWT and JWT and the TPM-style sig that I think is implied by draft-birkholz-rats-basic-yang-module. The result will be a set of claims in some syntax. It will be CBOR or JSON in the case of CWT or JWT.

What will it be for draft-birkholz-rats-basic-yang-module??? YANG-described stuff an be lots of different syntaxes by my understanding. How many of them will a relying party be expected to support so there is interop?

I’m going to stop here for the answer to that question.

LL







On Jun 7, 2019, at 1:31 PM, Eric Voit (evoit) <evoit@cisco.com<mailto:evoit@cisco.com>> wrote:

Hi Laurence,

Effectively this “Router Attestation Profile” draft you are proposing would consist of well-defined claims which are also YANG objects.  And these YANG objects would augment the model definition within draft-birkholz-rats-basic-yang-module.

If you agree, this is exactly what I was hoping to hear.  Good things which can come from this approach:

  *   Network Elements would be capable of reading some subset of what is coming off of EAT capable hardware chips.
  *   Where brand new claims are being explored, a search of existing YANG objects could be done.  Adoption on YANG definitions where possible would minimize downstream mapping.

Eric

From: Laurence Lundblade, June 7, 2019 2:53 PM
Hi Eric,

Feels like there’s opposing views:

1) Carsten, Kathleen, myself and maybe Henk and others want an EAT to be a CWT/JWT.This really does make the claim set open-ended. CWT is a bit more carefully managed than JWT, but we’ll still end up with a lot of claims registered.

2) You want a very well-defined concise claim set, a controlled policy for allowing new claims and maximal interoperability.

I think both objectives are good and desirable.

I think the way to have both is to leave the CWT/JWT registration open as they are AND ALSO define a profile / subset in an IETF standard for your use case. This profile / subset can:

- Make clear normative references to extant claims that are considered well-enough formed and interoperable
- Define some new claims where none are extant
- Define a policy for adding new claims
- Labelling to distinguish the profile from a general open-ended CWT/JWT

So one way forward is for this WG to adopt another document. Maybe call it “Router Attestation Profile”.  This would be in addition to EAT. It makes normative references to the EAT claims it likes.

Another way forward is for the EAT draft to change direction some and become the more tight and limited attestation definition. It would probably address more than just the router use case, but it would retain the main characteristics you want. If we do this, then we can expect other attestation use cases to write documents and maybe run them through this WG or maybe not.

LL



On Jun 7, 2019, at 10:14 AM, Eric Voit (evoit) <evoit@cisco.com<mailto:evoit@cisco.com>> wrote:

Hi Hannes,

If we were sure we could limit EAT claims to just a few things which come out of hardware, this wouldn't concern me as much as it does.  However the domain of attestable objects was left fairly open within the EAT draft.   And we need to determine what level of interoperability are we trying to shepherd via RATS.

In the end, RATS (and EAT) need to determine the level of interoperability desired for specific claims.   I don't claim deep familiarity with JWT.  But looking at RFC-7519, Section 4.1, I see that I would have questions as an implementer.  For example, the claims "iss", "sub", and "aud" look to have population/processing which is application specific.  Therefore with these claims, it is up to applications on either side of the JWT must come to an agreement on what the populated instances mean.  (I.e., not the WG.)

Common of object definitions/claims from internal hardware are important if the Network Element needs to act on specific values.  And as a vendor, I know that I do want to act on information coming out of hardware even if the information is being pushed to a remote validator (e.g., immediately push an EAT token downstream if a specific hash value changes).  As a result I want more explicit and stable claim definitions.

More highly specified claims of course exposes possible claim redundancy, foreign key relationships, and cross-mapping with downstream information models. I assert this is a good thing because we expose (and hopefully minimize) costs which are borne by downstream developers.

Eric

Hannes Tschofenig, June 7, 2019 7:29 AM
FWIW: While the JWT registry looks more mixed in terms of claim types. This is, however, only a result of the widespread adoption.
There are no problems, as far as I know, with the diversity of the claims and that they are not all useful in every context. Different deployments use the claims they find useful.

I am wondering whether we are trying to fix a problem with the registry of claims that doesn’t occur in practice.

Ciao
Hannes

From: RATS <rats-bounces@ietf.org<mailto:rats-bounces@ietf.org>> On Behalf Of Mike Jones
Sent: Mittwoch, 5. Juni 2019 19:31
To: Laurence Lundblade <lgl@island-resort.com<mailto:lgl@island-resort.com>>; Michael Richardson <mcr+ietf@sandelman.ca<mailto:mcr+ietf@sandelman.ca>>
Cc: rats@ietf.org<mailto:rats@ietf.org>
Subject: Re: [Rats] Vetting claim definitions

Actually, normal (non-collision-resistant) JWT claims *are* allocated on a specification required basis with expert review.  See this text at https://tools.ietf.org/html/rfc7519#section-10.1:

   Values are registered on a Specification Required [RFC5226<https://tools.ietf.org/html/rfc5226>] basis
   after a three-week review period on the jwt-reg-review@ietf.org<mailto:jwt-reg-review@ietf.org>
   mailing list, on the advice of one or more Designated Experts.
   However, to allow for the allocation of values prior to publication,
   the Designated Experts may approve registration once they are
   satisfied that such a specification will be published.

So a specification can easily register both JWT and CWT claims.

                                                       -- Mike

From: Laurence Lundblade <lgl@island-resort.com<mailto:lgl@island-resort.com>>
Sent: Wednesday, June 5, 2019 8:46 AM
To: Michael Richardson <mcr+ietf@sandelman.ca<mailto:mcr+ietf@sandelman.ca>>
Cc: rats@ietf.org<mailto:rats@ietf.org>; Mike Jones <Michael.Jones@microsoft.com<mailto:Michael.Jones@microsoft.com>>
Subject: Re: [Rats] Vetting claim definitions

Below…
+ Mike Jones, co-author of CWT

On Jun 5, 2019, at 6:05 AM, Michael Richardson <mcr+ietf@sandelman.ca<mailto:mcr+ietf@sandelman.ca>> wrote:


Laurence Lundblade <lgl@island-resort.com<mailto:lgl@island-resort.com>> wrote:
— Today CWT allocates millions of slots for expert review. No
specification is required, but some information should be provided.

JWT doesn’t seem to have this, which is maybe why it is messier. It
kind of seems bad and wrong that it doesn’t to me.

JWT doesn't have this because the claims are "unlimited" length strings, so
one can always make up a unique string in lieu of registration.
 org.island-resort.lgl.whateverstringyouwant

is probably completely yours :-)
Of course, if you want to interoperate you need to agree about how, so there
are some advantages of a forcing function that demands you write things down
first :-)

Unlimited length string claim names are fully part of CWT. Also, COSE allows them for headers, algorithm names and such too. So from a syntax view CWT and COSE are the same as JWT in allowing long string names.

However, COSE and CWT are different in the management of the string name space:

Strings of length 1            Standards Action
Strings of length 2            Specification Required
Strings of length greater than 2    Expert Review

These, along with the integer names space rules, then imply:

Integer values less than -65536 are the only ones free for use with no review or processing by IANA and experts.

JWT also has this notion of Collision-Resistant Name based on OIDs or UUIDs, which is essentially some rules to make up names that don’t go into an IANA registry and are still unique and won’t collide.

JWT could have done what CWT does. Seems to me that CWT has taken a radically more managed approach to the super-open JWT approach. Maybe the CWT folks realized the JWT design was poor.


At any rate, there seems to be some consensus here that the CWT approach is what we want for attestation. It is also the more recent and thus maybe more advanced thinking.

I’m hoping we can find our way to just accept the CWT claim naming management scheme as is for attestation. If other CWT-based efforts did the same (draft-birkholz-core-coid) did the same then the world would be much simpler.

However that still leaves open some issue with JWT namespace management. (We do want JSON based attestation to be JWT’s, right? Just the same as CBOR-based attestation are CWT’s).

LL

IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.

_______________________________________________
RATS mailing list
RATS@ietf.org<mailto:RATS@ietf.org>
https://www.ietf.org/mailman/listinfo/rats

v2.23.0 | Report a Bug | By Email