Aaron Gable <[email protected]> wrote:
>> *ONE* of the challenges. But more than one challenge needs to be
>> done.
> I don't understand why this is true. Maybe this is because I don't
> fully understand how RATS attestations work.
> My understanding is that the server has some set of things that it
> wants the client to prove, e.g. that the client's OS is up to date, and
> it is in FIPS mode, and that the key lives in a TPM.
You have it right.
> My reading of RFC 9334 suggests that a Remote Attestation Result can
> contain any number of claims. If that is true, then all the claims the
> server wants to see can be satisfied by a single challenge. If that is
Yes.
And then how/when does the client prove that they own example.com?
> not true, then what is stopping the server from creating multiple
> Authorization objects, each with one claim that the client needs to
> prove? In either case, each Authorization will be fulfilled by exactly
> one challenge. No need for multiple challenges to be completed.
So multiple Authorization objects, not additional challenges within a single
Authorization.
--
Michael Richardson <[email protected]>, Sandelman Software Works
-= IPv6 IoT consulting =- *I*LIKE*TRAINS*
_______________________________________________
Acme mailing list -- [email protected]
To unsubscribe send an email to [email protected]
