ietf-rats-wg / draft-ietf-rats-daa Goto Github PK
View Code? Open in Web Editor NEWLicense: Other
License: Other
How is freshness achieved in DAA without compromising the main security goal (i.e., anonymity)? I think the document should explain that clearly.
Current text:
"The Join Protocol is essentially an enrollment protocol that consumes
Evidence from the Attester (therefore the mapping to the Verifier
role). Corresponding Appraisal Policies for Evidence specific to the
Join Protocol are used to produce Attestation Results to decide
whether to issue a DAA credential to an Attester or not (therefore
the mapping to the Relying Party role)."
and
"The DAA Issuer acts as the Endorser for the Group Public Key that is
used by the Verifier for the appraisal of evidence of anonymized
Attesters that use the DAA credentials and associated key material to
produce Evidence."
This seems to suggest that Endorser, Verifier, and RP entities all have to be the same entity for join and sign protocols to work. However, this seems unnecessarily complex and may not align well with actual supply chain entities.
Consider the case where a supplier manufactures 1M instances of device X and provisions a group signing key K to all the device instances. If Evidence is signed using key K, then verifiers seeking to prove integrity of evidence signed by K(private) uses K(public) contained in a certificate issued by the supplier's chosen CA.
The verifier doesn't know which of the 1M devices signed evidence with K(private). Therefore, the verifier can't collude to reveal with Attester has which Evidence. If Evidence also contains only class identifiers, then all 1M devices will produce the same evidence.
The signatures will be different, but there is no way for the verifier to distinguish which signature belongs to which attester (within the group).
This approach means the DAA Issuer need only be implemented by the Endorser role. The join protocol is implemented only by the 1M Attesters. There's no reason for verifier / RP to participate in the join protocol.
A declarative, efficient, and flexible JavaScript library for building user interfaces.
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. ๐๐๐
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google โค๏ธ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.