On Thu, Dec 20, 2018 at 09:11:24AM +0000, Hannes Tschofenig wrote: > > -----Original Message----- > From: Ludwig Seitz <ludwig.se...@ri.se> > Sent: Donnerstag, 20. Dezember 2018 08:40 > To: Jim Schaad <i...@augustcellars.com>; Hannes Tschofenig > <hannes.tschofe...@arm.com>; 'Stefanie Gerdes' <ger...@tzi.de>; ace@ietf.org > Subject: Re: [Ace] Security of the Communication Between C and RS > > On 19/12/2018 21:22, Jim Schaad wrote: > > > > It would be more reasonable to say that if you are doing a physical > > attack, then it would be easy to get an RPK and then you are the RS > > until such a time as the AS is told that the key is no longer trusted. > > In this case you will just continue getting tokens as a client which > > are still valid and none of this is helpful in any event. > > Ok my example was perhaps not ideal, since it has an even bigger breach as > precondition. So under what conditions would an attacker get access to a > pop-key of an expired token? Steffi any ideas? > > [Hannes] We definitely need some more details about the type of attack we > would like to prevent. Maybe it is worthwhile to think about what information > the attacker steals from whom at what point in time could be a way to > progress the topic.
It is perhaps contrived, but one scenario in which the PoP key could be exposed to an attacker or third party is if some sort of post-facto auditing service is in play, where the "previous generation" of key material is released to an auditing service, after expiration or key rollover has occurred. This third party would then be able to audit network traffic (whether for intrusion detection or other purposes) but not modify any live traffic. Such a scheme has been proposed in the context of TLS (though I'm not finding a good reference in the archive; maybe it was just at a mic line?), though not with any great degree of seriousness AFAIK. -Ben _______________________________________________ Ace mailing list Ace@ietf.org https://www.ietf.org/mailman/listinfo/ace