You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: draft-ietf-rats-reference-interaction-models.md
+9Lines changed: 9 additions & 0 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -616,13 +616,21 @@ One example of a specific handle representation is {{-epoch-markers}}.
616
616
617
617
In the Uni-Directional model, handles are composed of cryptographically signed trusted timestamps as shown in {{-TUDA}}, potentially including other qualifying data.
618
618
The Handles are created by an external trusted third party (TTP) -- the Handle Distributor -- which includes a trustworthy source of time, and takes on the role of a Time Stamping Authority (TSA, as initially defined in {{-TSA}}).
619
+
In some deployments, a Verifier may obtain a Handle from the Handle Distributor and forward it to an Attester.
620
+
While feasible if the Handle can be authenticated (e.g., an Epoch Marker with a verifiable timestamp), this indirection introduces additional latency for the Attester and can make freshness semantics harder to appraise.
621
+
Therefore, direct distribution of Handles from the Handle Distributor to Attesters is the recommended approach.
622
+
619
623
Timestamps created from local clocks (absolute clocks using a global timescale, as well as relative clocks, such as tick-counters) of Attesters and Verifiers MUST be cryptographically bound to fresh Handles received from the Handle Distributor.
620
624
This binding provides a proof of synchronization that MUST be included in all produced Evidence.
621
625
This model provides proof that Evidence generation happened after the Handle generation phase.
622
626
The Verifier can always determine whether the received Evidence includes a fresh Handle, i.e., one corresponding to the current Epoch.
623
627
624
628
### Handle Lifecycle and Propagation Delays {#handle-lifecycle-and-propagation-delays}
625
629
630
+
The term "uni-directional" refers to individual conveyance channels: one from the Handle Distributor to the Attester, and one from the Attester to the Verifier.
631
+
Together, they establish an attestation loop without requiring request/response exchanges.
632
+
This model does not assume that Verifiers broadcast Handles, as such a setup would require Verifiers to take on the Handle Distributor role and undermine the separation of duties between these roles.
633
+
626
634
The lifecycle of a handle is a critical aspect of ensuring the freshness and validity of attestation Evidence.
627
635
When a new handle is generated by the Handle Distributor, it effectively supersedes the previous handle.
628
636
However, due to network latencies and propagation delays, there may be a period during which both the old and new handles are in circulation.
@@ -632,6 +640,7 @@ To manage this complexity, it is essential to define a clear policy for handle v
632
640
633
641
* *Handle Expiry*:
634
642
Each handle should have a well-defined expiration time, after which it is considered invalid.
643
+
An Attester that is aware of the expiration time MUST NOT send Evidence with an expired handle.
635
644
This expiry must account for expected propagation delays and be clearly communicated to all entities in the attestation process.
0 commit comments