[assuming a threat model where RP and Attester do not collude, but either could be malicious.]
On 29/07/2021, 02:42, Michael Richardson <[email protected]> wrote:
> [...]
>
> Is it acceptable for a nonce to be created via TLS Exporter?

yes, it seems infeasible for anyone (including a mitm) to manipulate the exporter output (and therefore the nonce) in any meaningful way.

> Is it acceptable for the nonce to be known to the RP?

yes, as long as the nonce is non-predictable -- and the construction that you described has that property -- it is immaterial that the RP "knows" the nonce (the nonce is a public parameter in the protocol).

> Is it okay that the Verifier didn't get to insert entropy into the
> nonce?

yes, if we rule out colluding RP & Attester, the freshness guarantee is preserved even if the Verifier did not contribute to the computation of the nonce.

my two cents, t

_______________________________________________
Anima mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/anima
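
The nonce construction discussed in this reply, as an added example that is not part of the original message or of any draft it refers to: two Go endpoints complete a TLS handshake over an in-memory pipe and each derives a 32-byte value with the standard library's `ExportKeyingMaterial`, so neither side chooses the nonce and it differs per session. The exporter label, the nonce length, the empty exporter context and the function names are assumptions made for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

const nonceLabel = "EXPORTER-example-attestation-nonce" // constructed, unregistered label
// selfSigned builds a throwaway Ed25519 server certificate for the demo.
func selfSigned() (tls.Certificate, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	t := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, t, t, pub, key)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, err
}

// sessionNonces handshakes over an in-memory pipe; each end derives its own nonce.
func sessionNonces(cert tls.Certificate) (cli, srv []byte, err error) {
	a, b := net.Pipe()
	defer a.Close() // closing one end also unblocks the peer
	s := tls.Server(b, &tls.Config{Certificates: []tls.Certificate{cert}, SessionTicketsDisabled: true})
	c := tls.Client(a, &tls.Config{InsecureSkipVerify: true}) // demo only: throwaway cert
	done := make(chan error, 1)
	go func() { done <- s.Handshake() }()
	if err = c.Handshake(); err != nil {
		return nil, nil, err
	}
	if err = <-done; err != nil {
		return nil, nil, err
	}
	cs, ss := c.ConnectionState(), s.ConnectionState()
	if cli, err = cs.ExportKeyingMaterial(nonceLabel, nil, 32); err == nil {
		srv, err = ss.ExportKeyingMaterial(nonceLabel, nil, 32)
	}
	return cli, srv, err
}

func main() {
	cert, _ := selfSigned()
	fmt.Println(sessionNonces(cert))
}
```

The exporter value is bound to the TLS session it came from, so a party that sees the nonce in one session cannot make a different session produce the same one.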
