specifications/ietf-eat-profile/spec.ocp
17 additions & 3 deletions
@@ -157,13 +157,14 @@ implementation flexibility.
157
157
**Claim Ordering**: To ensure consistent CBOR serialization and maximize
158
158
interoperability across different implementations, **all claims MUST**
159
159
be reported following the CBOR deterministic encoding requirements as specified
160
-
in [@{ietf-rfc8949}].
160
+
in Section 4.2 of [@{ietf-rfc8949}].
161
161
Specifically, the keys in the CWT map **MUST** be sorted in the bytewise
162
162
lexicographic order of their deterministic encodings. This ordering convention
163
163
applies to mandatory claims, optional claims, and private claims when present.
164
164
165
165
**Mandatory Claims (1-6)**: These claims are **REQUIRED** for all attestations
166
-
and provide the minimum necessary information for verifier appraisal policies:
166
+
and provide the minimum necessary information for verifier appraisal policies. The verifier
167
+
can expect at a minimum these claims in a compliant attestation:
167
168
168
169
1. **issuer** (claim key: 1, encoded as 0x01)
169
170
* This claim is used by the attester to bind the EAT to the certificate chain that issued it. It **SHALL** match the SUBJECT Common Name of the Attestation Key Certificate.
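Review bot: citing Section 4.2 of [@{ietf-rfc8949}] is better than citing the whole RFC, but it still leaves room for ambiguity, because Section 4.2 of RFC 8949 also describes the legacy length-first map key ordering (Section 4.2.3); the sentence that follows requires bytewise lexicographic order of the deterministic encodings, which is the core requirement of Section 4.2.1, so cite Section 4.2.1 directly so that an implementer cannot pick the length-first variant and still claim conformance. Also, the added sentence "The verifier can expect at a minimum these claims in a compliant attestation" restates the REQUIRED statement immediately before it; if the intent is that a verifier rejects a token lacking any of claims 1-6, say so explicitly (e.g. "A verifier MUST reject a token that omits any of these claims"), otherwise the sentence can be dropped.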
@@ -307,6 +308,12 @@ The COSE_Sign1 unprotected header **MUST** include:
307
308
* **x5chain** (label 33): Certificate chain as specified in the main
308
309
specification
309
310
311
+
### Key Identification
312
+
313
+
The leaf certificate in the certificate chain of the COSE_Sign1 header identifies
314
+
the public key associated with the signing keypair. No other methods to identify
315
+
the keypair must be included in the token (e.g. kid).
316
+
310
317
### Future Algorithm Support
311
318
312
319
This profile serves as the base for ECDSA-based attestation. Additional
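Review bot: the last sentence of the new Key Identification section, "No other methods to identify the keypair must be included in the token (e.g. kid)", is not valid RFC 2119 phrasing and reads as a requirement to include something rather than a prohibition; since the intent is to forbid alternative identifiers, write it as "Other key identification parameters (e.g. kid) MUST NOT be present in the token." and state whether a verifier rejects a token that carries one anyway. The section also says the leaf certificate identifies the signing public key but not where the leaf sits in the x5chain array; name its position (first or last element) so attesters and verifiers agree. It would also help to say that this leaf is the Attestation Key Certificate whose SUBJECT Common Name the issuer claim must match, tying this section to the claim definition above.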
@@ -318,6 +325,13 @@ profile will maintain the same claim structure and overall architecture
318
325
while specifying the appropriate cryptographic parameters for that
319
326
algorithm.
320
327
328
+
## Use of CBOR Tags
329
+
330
+
CBOR tags as described in this specification **MUST** be included in the attestation.
331
+
The required tags are the registered self-described CBOR tag, EAT tag, COSE_Sign1 tag
332
+
and the concise evidence tag.
333
+
334
+
321
335
## Concise Evidence
322
336
323
337
The concise evidence **MUST** be defined according to the specifications
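Review bot: the new Use of CBOR Tags section names the four required tags but gives neither their numeric values nor the order in which they wrap the token, and "CBOR tags as described in this specification" is circular because this section is the description. Add the tag number for each (self-described CBOR, EAT, COSE_Sign1, concise evidence) and spell out the nesting: which tag is outermost, which one wraps the COSE_Sign1 structure, and where the concise evidence tag appears relative to the claims. Without that, two implementations can both satisfy this text and still produce tokens the other rejects; a short tagged-structure example would make the requirement testable.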
@@ -411,4 +425,4 @@ The following example illustrates a CWT containing claims for three target envir