Closed laurencelundblade closed 1 year ago
Added the commas. Thx.
Pub keys in TLS server certs, PGP keys and such are long-lived authentication keys.
One addition might be to say something like "In the financial transaction example, authentication is what sets up for the bank balance check and credit risk check, and attestation is what sets up for a limit based on the type of terminal that is being used".
I'm also wondering if this should move to an appendix that goes on for several paragraphs about what attestation (in the broad, non-TPM sense) is about, rather than trying to rely on RATS Architecture.
Server keys for TLS are generally much shorter lived than keys in an attestation. I don't see where the financial example adds any clarity and would not add those words.
I'm trying to convey this: if you the reader do not understand the security model for attestation, you should go read about it elsewhere to help you understand EAT.
I'm trying to use contrast with authentication to make that point. I'm not sure if it is working. Maybe a different approach would work better?
How about this?
I also do not wish to put a definition of the attestation security model in EAT. EAT is just a protocol document. The RATS architecture document is where the attestation security model is defined. If we had to, we could put a definition of the attestation security model in EAT, but I would want it in an appendix.