Hi,
The document, in section 1.2 “EAT as a Framework”, states “As with CWT and JWT, no claims are mandatory and claims not recognized should be ignored.”. The selection and prioritization
of claims is done in profiles (see section 6). As an example, Arm's Platform Security Architecture (PSA) Attestation Token (https://datatracker.ietf.org/doc/draft-tschofenig-rats-psa-token/)
is an EAT profile designed to support resource-constrained devices. It uses 4 claims from the EAT specification (of which only 3 are mandatory) and adds other profile-specific claims. The profile also contains a “Security and Privacy Considerations” section
that builds on the generic “Privacy Considerations” and “Security Considerations” sections of the EAT document.
Sincerely,
-- Mathias Brossard
On 6/10/24, 3:18 PM, "Linda Dunbar via Datatracker" <noreply@xxxxxxxx> wrote:
Reviewer: Linda Dunbar
Review result: Has Issues
I have reviewed this document as part of the Ops area directorate's ongoing
effort to review all IETF documents being processed by the IESG. These
comments were written primarily for the benefit of the Ops area directors.
Document editors and WG chairs should treat these comments just like any other
last-call comments.
The document includes a comprehensive list of claims (e.g., hardware model,
version, software name/version, location, uptime, boot count, etc.). This
extensive scope could lead to implementation challenges, especially for
constrained devices with limited resources. Defining and managing such a wide
range of claims across various device types and manufacturers may be overly
complex.
Is it possible to prioritize and reduce the number of mandatory claims to those
most critical for attestation? Optional claims can be defined for more specific
use cases to reduce the burden on constrained devices.
It would be useful if the document provides detailed guidelines and best
practices for implementing privacy protections, including minimizing the
exposure of sensitive claims and ensuring that privacy considerations are
integrated into the design from the outset.
Best regards, Linda Dunbar
_______________________________________________
RATS mailing list -- rats@xxxxxxxx
To unsubscribe send an email to rats-leave@xxxxxxxx
IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose,
or store or copy the information in any medium. Thank you.
|
--
last-call mailing list -- last-call@xxxxxxxx
To unsubscribe send an email to last-call-leave@xxxxxxxx
