Difference between revisions of "Attested"

Revision as of 20:44, 30 August 2018

A statement is Attested if some Trusted Third Party can create a Validated Claim about a User Device used during either Authentication or Authorization.

The Context in which an Attestation of Identity applies is typically during the Validation of the security of protection offered to User secrets (such as Credentials) in a User Agent.

When a secure operation is performed at a user location, the packet returned from that User Device needs to be trusted by the Site that receives it.
The signing key for that packet will have a certificate that binds that signing key to a particular device.
If the device reports a serial number, or (equivalently) a public key that is unique that that device, that can be used as a tracking number for the owner of the device.

The certificate for the signing key from the User Device, and potentially the configuration information from the device, will need to be Attested by some Trusted Third Party.
Attestation can be complex for programmable computers, or simple for one function User Devices like Security Tokens.
An example of a single attestation program with associated metadata is described in the FIDO web site.
When a simple certificate is used, it typically is accompanied by a metadata statement, an example is this one at Yubico.

@@ Line 9: / Line 9: @@
 * When a secure operation is performed at a user location, the packet returned from that [[User Device]] needs to be trusted by the [[Site]] that receives it.
 * The signing key for that packet will have a certificate that binds that signing key to a particular device.
+* If the device reports a serial number, or (equivalently) a public key that is unique that that device, that can be used as a tracking number for the owner of the device.
 ==Solution ==