Commit 32254ad

paulbastian and c2bo authored
Update draft-ietf-oauth-attestation-based-client-auth.md
Co-authored-by: Christian Bormann <8774236+c2bo@users.noreply.github.com>
1 parent b0a46d2 commit 32254ad

File tree

1 file changed: +1 -1 lines changed

draft-ietf-oauth-attestation-based-client-auth.md

Lines changed: 1 addition & 1 deletion
@@ -496,7 +496,7 @@ This specification does not provide a mechanism to rotate the Client Instance Ke
496496

497497
## Replay Attack Detection {#implementation-consideration-replay}
498498

499-
Authorization Servers implementing measures to detect replay attacks as described in [](#security-consideration-replay) require efficient data structures to manage large amounts of challenges for use cases with high volumes of transactions. To limit the size of the data structure, the Authorization Server should use a sliding window, allowing Client Attestation PoPs within a certain time window, in which the seen `challenge` or `jti` values are stored, but discard them afterwards. To ensure security, Client Attestation PoPs outside this time window MUST be rejected by the Authorization Server. The allowed window is determined by the `iat` of the Client Attestation PoP and the sliding window time duration chosen by the Authorization Server. These data structures need to:
499+
Authorization Servers implementing measures to detect replay attacks as described in [](#security-consideration-replay) require efficient data structures to manage large amounts of challenges for use cases with high volumes of transactions. To limit the size of the data structure, the Authorization Server should use a sliding window, allowing Client Attestation PoPs within a certain time window, in which the seen `challenge` or `jti` values are stored, but discarded afterwards. To ensure security, Client Attestation PoPs outside this time window MUST be rejected by the Authorization Server. The allowed window is determined by the `iat` of the Client Attestation PoP and the sliding window time duration chosen by the Authorization Server. These data structures need to:
500500

501501
- search the data structure to validate whether a challenge form a Client Attestation PoP has been previously seen
502502
- insert the new challenges from the Client Attestation PoP if the search returned no result
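Review bot: the added line 499 makes the clause parallel ("are stored, but discarded afterwards"), which reads correctly; while touching this paragraph, the unchanged context line 501 still carries a typo, "a challenge form a Client Attestation PoP", which should read "a challenge from a Client Attestation PoP" and could be fixed in the same commit. Also consider whether "should use a sliding window" is meant as normative guidance, since the following sentence uses an uppercase "MUST" for the rejection rule; if so, "SHOULD" would be consistent with the document's key-word usage.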
