ietf-rats-wg / architecture

RATS Architecture

RD AD foundational issues in section 5 #358

Closed mcr closed 2 years ago

mcr commented 2 years ago
** Section 5. There is something foundational I am not following about this section.  The interactions described here do not conform to the behaviors described in the terminology in Section 4 or the high-level reference architecture of Figure 1.  I'm not sure how to reconcile this discrepancy.

Minimally, these discrepancies are:

-- Figure 5.  Per Section 4, "Attestation Results" are not supposed to be consumed by the "Attester" and are supposed to come from the Verifier (not the Attester).
-- Figure 6, Evidence is being provided from the Attester to the Relying Party.  Relying Party is providing evidence to the Verifier.

Additional sections in the document, e.g., Section 7.2, make use of these interactions too.

The introductory text states that "[t]he discussion that follows is for illustrative purposes only and does not constrain the interactions between RATS roles to the presented patterns."  I don't follow what is being illustrated in the context of RATS.  What is the takeaway for implementers or designers from this section?

** Section 5.1.
In this model, an Attester conveys Evidence to a Verifier, which compares the Evidence against its appraisal policy.

Should the analogy be connected to the RATS architecture by saying the citizen is the Attester and the Evidence is ID (e.g., birth certificate) needed to present to get the passport issued?

** Section 5.1.  Per the paragraph, "Since the resource access protocol ...", I found this text an unexpected level of detail.  No earlier part of the document had previously discussed the existence of a serialization format or resource access protocol, let alone interoperability issues.

** Section 7.1  I got a bit lost in the repeated use of the word trust as a verb, noun and adjective.  It seems like two properties should be described:
-- (authenticity) Trusting that information came from an expected entity/role

-- (correctness) Having confidence in the veracity of the information being provided (e.g., the processes used by the verifier to process the evidence or compute ).

I'd recommend being clearer on what kind of trust is meant.