| rfc9334v6.txt | rfc9334.txt | |||
|---|---|---|---|---|
| skipping to change at line 1600 ¶ | skipping to change at line 1600 ¶ | |||
| This information might be particularly interesting to many attackers. | This information might be particularly interesting to many attackers. | |||
| For example, knowing that a device is running a weak version of | For example, knowing that a device is running a weak version of | |||
| firmware provides a way to aim attacks better. | firmware provides a way to aim attacks better. | |||
| In some circumstances, if an attacker can become aware of | In some circumstances, if an attacker can become aware of | |||
| Endorsements, Reference Values, or appraisal policies, it could | Endorsements, Reference Values, or appraisal policies, it could | |||
| potentially provide an attacker with insight into defensive | potentially provide an attacker with insight into defensive | |||
| mitigations. It is recommended that attention be paid to | mitigations. It is recommended that attention be paid to | |||
| confidentiality of such information. | confidentiality of such information. | |||
| Additionally, many Claims in Evidence, Attestation Results, and | Additionally, many Evidence, Attestation Results, and appraisal | |||
| appraisal policies potentially contain PII depending on the end-to- | policies potentially contain Personally Identifying Information (PII) | |||
| end use case of the remote attestation procedure. Remote attestation | depending on the end-to-end use case of the remote attestation | |||
| that includes containers and applications, e.g., a blood pressure | procedure. Remote attestation that includes containers and | |||
| monitor, may further reveal details about specific systems or users. | applications, e.g., a blood pressure monitor, may further reveal | |||
| details about specific systems or users. | ||||
| In some cases, an attacker may be able to make inferences about the | In some cases, an attacker may be able to make inferences about the | |||
| contents of Evidence from the resulting effects or timing of the | contents of Evidence from the resulting effects or timing of the | |||
| processing. For example, an attacker might be able to infer the | processing. For example, an attacker might be able to infer the | |||
| value of specific Claims if it knew that only certain values were | value of specific Claims if it knew that only certain values were | |||
| accepted by the Relying Party. | accepted by the Relying Party. | |||
| Conceptual messages (see Section 8) carrying sensitive or | Conceptual messages (see Section 8) carrying sensitive or | |||
| confidential information are expected to be integrity protected | confidential information are expected to be integrity protected | |||
| (i.e., either via signing or a secure channel) and optionally might | (i.e., either via signing or a secure channel) and optionally might | |||
| skipping to change at line 1893 ¶ | skipping to change at line 1894 ¶ | |||
| [RFC8392] Jones, M., Wahlstroem, E., Erdtman, S., Tschofenig, H., | [RFC8392] Jones, M., Wahlstroem, E., Erdtman, S., Tschofenig, H., | |||
| and RFC Publisher, "CBOR Web Token (CWT)", RFC 8392, | and RFC Publisher, "CBOR Web Token (CWT)", RFC 8392, | |||
| DOI 10.17487/RFC8392, May 2018, | DOI 10.17487/RFC8392, May 2018, | |||
| <https://www.rfc-editor.org/info/rfc8392>. | <https://www.rfc-editor.org/info/rfc8392>. | |||
| 14.2. Informative References | 14.2. Informative References | |||
| [CCC-DeepDive] | [CCC-DeepDive] | |||
| Confidential Computing Consortium, "A Technical Analysis | Confidential Computing Consortium, "A Technical Analysis | |||
| of Confidential Computing", Version 1.3, November 2022, | of Confidential Computing", Version 1.3, November 2022, | |||
| <https://confidentialcomputing.io/whitepaper-02-latest>. | <https://confidentialcomputing.io/white-papers-reports>. | |||
| [CTAP] FIDO Alliance, "Client to Authenticator Protocol (CTAP)", | [CTAP] FIDO Alliance, "Client to Authenticator Protocol (CTAP)", | |||
| February 2018, <https://fidoalliance.org/specs/fido-v2.0- | February 2018, <https://fidoalliance.org/specs/fido-v2.0- | |||
| id-20180227/fido-client-to-authenticator-protocol-v2.0-id- | id-20180227/fido-client-to-authenticator-protocol-v2.0-id- | |||
| 20180227.html>. | 20180227.html>. | |||
| [NIST-800-57-p1] | [NIST-800-57-p1] | |||
| Barker, E., "Recommendation for Key Management: Part 1 - | Barker, E., "Recommendation for Key Management: Part 1 - | |||
| General", DOI 10.6028/NIST.SP.800-57pt1r5, May 2020, | General", DOI 10.6028/NIST.SP.800-57pt1r5, May 2020, | |||
| <https://nvlpubs.nist.gov/nistpubs/SpecialPublications/ | <https://nvlpubs.nist.gov/nistpubs/SpecialPublications/ | |||
| End of changes. 2 change blocks. | ||||
| 6 lines changed or deleted | 7 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. | ||||