From 70019b9d438ff62e7ab911b446742733c767ebef Mon Sep 17 00:00:00 2001 From: Emil Lundberg Date: Thu, 2 May 2024 16:45:17 +0200 Subject: [PATCH 1/2] Note that for online scenarios, ARKG gives assurance of same-hardware binding --- draft-bradleylundberg-cfrg-arkg.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/draft-bradleylundberg-cfrg-arkg.md b/draft-bradleylundberg-cfrg-arkg.md index fd93619..0dcb01b 100644 --- a/draft-bradleylundberg-cfrg-arkg.md +++ b/draft-bradleylundberg-cfrg-arkg.md @@ -145,8 +145,11 @@ Some motivating use cases of ARKG include: which is set to use single-use asymmetric keys to prevent colluding verifiers from using public keys as correlation handles. Each digital identity credential would thus be issued with a single-use proof-of-possession key, used only once to present the credential to a verifier. - ARKG enables offline usage scenarios by allowing pre-generation of public keys for single-use credentials + ARKG empowers both online and offline usage scenarios: + for offline scenarios, ARKG enables pre-generation of public keys for single-use credentials without needing to access the hardware security device that holds the private keys. + For online scenarios, ARKG gives the credential issuer assurance + that all derived private keys are bound to the same secure hardware element. - __Enhanced forward secrecy__: The use of ARKG can facilitate forward secrecy in certain contexts. From 50d9bebc902bda8e1989f7dfdee521338198f54b Mon Sep 17 00:00:00 2001 From: Emil Lundberg Date: Thu, 2 May 2024 16:52:15 +0200 Subject: [PATCH 2/2] Also note that public keys can be generated in userspace instead of secure enclave --- draft-bradleylundberg-cfrg-arkg.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/draft-bradleylundberg-cfrg-arkg.md b/draft-bradleylundberg-cfrg-arkg.md index 0dcb01b..9101c9c 100644 --- a/draft-bradleylundberg-cfrg-arkg.md +++ b/draft-bradleylundberg-cfrg-arkg.md @@ -150,6 +150,8 @@ Some motivating use cases of ARKG include: without needing to access the hardware security device that holds the private keys. For online scenarios, ARKG gives the credential issuer assurance that all derived private keys are bound to the same secure hardware element. + In both cases, application performance may be improved + since public keys can be generated in a general-purpose execution environment instead of a secure enclave. - __Enhanced forward secrecy__: The use of ARKG can facilitate forward secrecy in certain contexts.