Greetings!

I was reviewing:

OAuth 2.0 Attestation-Based Client Authentication
draft-ietf-oauth-attestation-based-client-auth-04

and think there's an opportunity to increase clarity. I assume by
mentioning attestations, the draft means that a key created off of the root
of trust (like the AIK/AK key in a TPM) will be used to sign evidence so
that you are authenticating the client is the one for whom the root of
trust (EK) resides. However, this is never stated, so it's not clear. With
attestation, it is still best to spell out exactly what is meant as many
are coming up to speed familiarizing themselves with it.


How authentication is actually provided in this method should be explicitly
stated.

Section 8.2 could make it more clear as well as earlier in the draft.

This draft references section 2.2 of RFC7523 and you'll see that it has a
clear explanation of the credentials that assist in authentication. For
attestation, the evidence is verified along with the digital signature on
that evidence.

I hope this is helpful!
-- 

Best regards,
Kathleen
_______________________________________________
OAuth mailing list -- [email protected]
To unsubscribe send an email to [email protected]
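As an added illustration of the model the mail describes, not the draft's own mechanism or code: a Go verifier that checks, separately, that the signing key chains to the trust root and that the evidence itself is fresh and satisfies policy. The Evidence fields, the ed25519 keys and the endorsed-AK set are constructed assumptions standing in for a TPM AK/EK chain.

```go
package main

import (
	"crypto/ed25519"
	"encoding/hex"
	"encoding/json"
	"errors"
)

// Evidence is a constructed, simplified stand-in for attestation evidence: the attester's claims, bound to a verifier nonce.
type Evidence struct {
	ClientID    string `json:"client_id"`
	Nonce       string `json:"nonce"`
	Measurement string `json:"measurement"` // e.g. a hash of the client's code or config
}

// TrustRoot is what the verifier trusts a priori: AKs accepted as chaining to a root of trust
// (in a TPM, endorsed via the EK) and the measurement policy that evidence must satisfy.
type TrustRoot struct {
	EndorsedAKs         map[string]bool // hex(AK public key) -> endorsed
	ExpectedMeasurement string
}

// SignEvidence serialises the evidence and signs it with the attestation key (assumed ed25519).
func SignEvidence(ak ed25519.PrivateKey, ev Evidence) (payload, sig []byte, err error) {
	if payload, err = json.Marshal(ev); err != nil {
		return nil, nil, err
	}
	return payload, ed25519.Sign(ak, payload), nil
}

// VerifyEvidence makes the two checks the mail distinguishes: the signature by a key that chains
// to the root of trust, then the evidence itself. Returns the authenticated client id on success.
func VerifyEvidence(root TrustRoot, nonce string, ak ed25519.PublicKey, payload, sig []byte) (string, error) {
	if !root.EndorsedAKs[hex.EncodeToString(ak)] {
		return "", errors.New("attestation key does not chain to a trusted root")
	}
	if !ed25519.Verify(ak, payload, sig) {
		return "", errors.New("bad signature over evidence")
	}
	var ev Evidence
	if err := json.Unmarshal(payload, &ev); err != nil {
		return "", err
	}
	// Freshness (the nonce answers this challenge, not a replayed one) and policy.
	if ev.Nonce != nonce || ev.Measurement != root.ExpectedMeasurement {
		return "", errors.New("evidence is stale or does not satisfy policy")
	}
	return ev.ClientID, nil
}
```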