RFC Errata
RFC 9711, "The Entity Attestation Token (EAT)", April 2025
Source of RFC: rats (sec)
Errata ID: 8404
Status: Rejected
Type: Technical
Publication Format(s): TEXT, PDF, HTML
Reported By: Muhammad Usama Sardar
Date Reported: 2025-05-04
Rejected by: Deb Cooley
Date Rejected: 2025-06-27
Section 8.4 says:
The nonce claim is based on a value usually derived remotely (outside of the entity).
It should say:
See notes
Notes:
An Attester-generated nonce does not provide any replay protection, since the Attester can pre-generate Evidence that might not reflect the actual system state but a past one.
See the attack trace for Attester-generated nonce at:
https://mailarchive.ietf.org/arch/msg/rats/jcAv9FKbYSIVtUNQ8ggEHL8lrmM/
For replay protection, the nonce should *always* be derived remotely (for example, by the Relying Party).
--VERIFIER NOTES--
Incorrectly formatted errata. The corrected text is not correct.
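The freshness argument behind this report, modelled as an added example that is not part of the errata record or of RFC 9711: a toy Attester/Relying Party exchange in Python. An Attester-chosen nonce lets Evidence produced earlier (in a different state) pass unchallenged, while a nonce issued by the Relying Party per request binds the Evidence to that request. The HMAC-based "signature", the `measurement` claim value, the key and the scenario are constructed stand-ins for a real COSE-signed EAT.

```python
"""Toy model of EAT nonce freshness: Relying-Party-issued vs Attester-chosen nonce.

Added example, not code from the errata record or RFC 9711. The HMAC over a
canonical JSON string stands in for a COSE signature; the key, the
"measurement" claim and the state transitions are constructed for illustration.
"""
import hashlib
import hmac
import json
import secrets
from typing import Optional, Tuple

# Constructed key standing in for the Attester's attestation key.
ATTESTER_KEY = b"constructed-attester-key"


def _mac(claims: dict) -> str:
    body = json.dumps(claims, sort_keys=True).encode()
    return hmac.new(ATTESTER_KEY, body, hashlib.sha256).hexdigest()


def make_evidence(nonce: bytes, measurement: str) -> dict:
    """Attester side: bind a nonce to the state measured at this moment."""
    claims = {"eat_nonce": nonce.hex(), "measurement": measurement}
    return {"claims": claims, "mac": _mac(claims)}


def verify_evidence(evidence: dict, expected_nonce: Optional[bytes]) -> bool:
    """Relying Party side: check integrity, then (if a challenge was issued)
    that the nonce in the Evidence is the one this request asked for."""
    if not hmac.compare_digest(_mac(evidence["claims"]), evidence["mac"]):
        return False
    if expected_nonce is None:
        # No challenge was issued: the RP has nothing to compare against,
        # so any syntactically valid nonce passes.
        return True
    return hmac.compare_digest(evidence["claims"]["eat_nonce"], expected_nonce.hex())


def attester_chosen_nonce_flow() -> bool:
    """Attester picks its own nonce and pre-generates Evidence while in a good
    state (constructed scenario). The state later changes, but the stale
    Evidence is presented and the RP cannot tell it is not fresh.
    Returns True if the stale Evidence is accepted."""
    stale = make_evidence(secrets.token_bytes(16), "good")
    # ... system state becomes "compromised" after this point ...
    return verify_evidence(stale, expected_nonce=None)


def rp_chosen_nonce_flow() -> Tuple[bool, bool]:
    """RP issues an unpredictable nonce per request; only Evidence carrying
    that nonce, and therefore produced after the challenge, is accepted.
    Returns (stale_accepted, fresh_accepted)."""
    stale = make_evidence(secrets.token_bytes(16), "good")   # pre-generated earlier
    challenge = secrets.token_bytes(16)                      # RP issues nonce now
    fresh = make_evidence(challenge, "compromised")          # reflects current state
    return verify_evidence(stale, challenge), verify_evidence(fresh, challenge)


if __name__ == "__main__":
    print("attester-chosen nonce, stale evidence accepted:", attester_chosen_nonce_flow())
    print("RP-chosen nonce (stale accepted, fresh accepted):", rp_chosen_nonce_flow())
```

The second flow shows the property the RP actually wants: it learns the state as it was after the challenge was issued, even when that state is bad, whereas the first flow can only tell it that some valid Evidence existed at some point.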
