Freshness of Workload Proof Tokens #43

Open
PieterKas opened this issue Jul 4, 2024 · 2 comments
@PieterKas

Commenting as an identity enthusiast as opposed to WIMSE co-chair.

DPoP includes a mechanism that allows verifiers to specify a nonce that should be used in the next proof. It achieves this by returning a nonce as part of the response to a request (either as an error or as part of the HTTP 200 response). It adds an extra call, but is efficient after that, with a fresh nonce provided in each response. Although including these nonces may preclude pre-computation and re-use of proofs, it may be required for high-assurance applications and may be made optional, similar to how this mechanism was made optional for DPoP.
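Added example (not code from this thread or from the WIMSE project): the nonce round trip described above, written in Go with the standard library only. The first request carries no nonce and is refused with `use_dpop_nonce` plus a nonce for the retry; every response, error or not, carries the next nonce, as in RFC 9449 section 8. It also covers the edge the comment hints at: a server nonce stays valid for its whole lifetime, so a proof can still be replayed within that window unless the verifier also tracks `jti`. Assumptions made for brevity: EdDSA instead of the ES256 commonly used with DPoP, the workload key is pre-registered with the verifier rather than carried in a `jwk` header, a fixed JOSE header, a self-validating nonce of the form `<expiry>.<HMAC>` with a five-minute lifetime, a 60-second `iat` window and an in-memory `jti` cache. All of those are choices of this example, not of the draft under discussion.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strconv"
	"strings"
	"time"
)

const header = `{"typ":"dpop+jwt","alg":"EdDSA"}` // fixed here; a general verifier parses it and checks alg

var b64 = base64.RawURLEncoding
var ErrUseDPoPNonce = errors.New("use_dpop_nonce") // RFC 9449 sec. 8: refused; retry with the DPoP-Nonce sent back

// proofClaims is the payload of a DPoP proof JWT (RFC 9449 section 4.2).
type proofClaims struct {
	JTI   string `json:"jti"`
	HTM   string `json:"htm"`
	HTU   string `json:"htu"`
	IAT   int64  `json:"iat"`
	Nonce string `json:"nonce,omitempty"`
}

// MakeProof is the client side: a compact JWS (EdDSA) over method, URL, iat and, once supplied, the nonce.
func MakeProof(priv ed25519.PrivateKey, method, url, nonce string, now time.Time) string {
	jti := make([]byte, 16)
	rand.Read(jti)
	p, _ := json.Marshal(proofClaims{JTI: b64.EncodeToString(jti), HTM: method, HTU: url, IAT: now.Unix(), Nonce: nonce})
	input := b64.EncodeToString([]byte(header)) + "." + b64.EncodeToString(p)
	return input + "." + b64.EncodeToString(ed25519.Sign(priv, []byte(input)))
}

// Verifier is the server. It trusts one pre-registered workload key (assumed here in place of DPoP's jwk
// header). Nonces are self-validating ("<expiry>.<HMAC>"), so the only state kept is the jti replay cache.
type Verifier struct {
	pub      ed25519.PublicKey
	nonceKey []byte
	seen     map[string]bool
	Now      func() time.Time // injectable clock
}

func NewVerifier(pub ed25519.PublicKey) *Verifier {
	key := make([]byte, 32)
	rand.Read(key)
	return &Verifier{pub: pub, nonceKey: key, seen: map[string]bool{}, Now: time.Now}
}

// NewNonce mints a nonce this server will later recognise as its own and as unexpired (5-minute lifetime).
func (v *Verifier) NewNonce() string {
	exp := strconv.FormatInt(v.Now().Add(5*time.Minute).Unix(), 10)
	m := hmac.New(sha256.New, v.nonceKey)
	m.Write([]byte(exp))
	return exp + "." + b64.EncodeToString(m.Sum(nil))
}

func (v *Verifier) nonceValid(n string) bool {
	exp, tag, ok := strings.Cut(n, ".")
	t, e1 := strconv.ParseInt(exp, 10, 64)
	got, e2 := b64.DecodeString(tag)
	m := hmac.New(sha256.New, v.nonceKey)
	m.Write([]byte(exp))
	return ok && e1 == nil && e2 == nil && t >= v.Now().Unix() && hmac.Equal(got, m.Sum(nil))
}

// Verify checks the proof sent with one HTTP request. It always returns a fresh nonce for the response's
// DPoP-Nonce header (sent on errors and on 200s alike); err is ErrUseDPoPNonce when the client just retries.
func (v *Verifier) Verify(proof, method, url string) (next string, err error) {
	next = v.NewNonce()
	h, rest, _ := strings.Cut(proof, ".")
	p, s, _ := strings.Cut(rest, ".")
	pb, e1 := b64.DecodeString(p)
	sig, e2 := b64.DecodeString(s)
	var cl proofClaims
	if e1 != nil || e2 != nil || json.Unmarshal(pb, &cl) != nil {
		return next, errors.New("undecodable proof")
	}
	if h != b64.EncodeToString([]byte(header)) || !ed25519.Verify(v.pub, []byte(h+"."+p), sig) {
		return next, errors.New("wrong header or bad signature")
	}
	if now := v.Now().Unix(); cl.HTM != method || cl.HTU != url || cl.IAT > now+60 || cl.IAT < now-60 {
		return next, errors.New("proof bound to a different request or outside the iat window")
	}
	// Freshness: no nonce, not one we minted, or expired: the proof may be precomputed. Not fatal; retry with next.
	if cl.Nonce == "" || !v.nonceValid(cl.Nonce) {
		return next, ErrUseDPoPNonce
	}
	// Replay: a nonce stays valid for its whole TTL, so jti must still be single-use.
	if v.seen[cl.JTI] {
		return next, errors.New("replayed proof")
	}
	v.seen[cl.JTI] = true
	return next, nil
}
```

The two checks at the end are deliberately separate: the nonce proves the proof was built after the server spoke (no pre-computation), while the `jti` cache stops the same proof being presented twice during the nonce's lifetime. Dropping either one reopens the corresponding attack, and the `jti` cache is the only per-request state the server has to hold.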

@PieterKas PieterKas changed the title Freshness proofs Freshness of Workload Proof Tokens Jul 4, 2024
@yaronf

yaronf commented Jul 4, 2024

Interesting, but if we accept an extra round we can do much more than provide a nonce. We can replace the asymmetric digital signature by an initial handshake to establish a shared secret, followed by symmetric MAC for all other HTTP exchanges. The "hidden" cost is quite a bit of complexity.

@arndt-s

arndt-s commented Jul 11, 2024

Challenge response would limit the use cases to synchronous calls. Asynchronous deployments such as message brokers would not be able to implement this.

@yaronf yaronf added the ietf120 label Jul 11, 2024