5.4 Protection against Credential Replay Attacks and VP Lifetime #47
Labels
documentation
Improvements or additions to documentation
Steering - FYI
Technical or internal change. Not necessary for Steering to review.
for Steering
There is seemingly superfluous and misleading information in the section that deals with replay attacks pointing to a prior design decision. In addition, this wording adds no value for auditors or implementers and may cause confusion. Suggest removal of the para in question and clarification for implementers.
Observation
Issues
Suggestion
The simplest solution is to remove the 1st para in 5.4 and add a clear requirement for the corrUUID to be added to the VP nonce field.
The design justification may be communicated elsewhere but seems superfluous, even counterproductive, in a conformance document whose purpose is to state the current requirements.
Affected Parties (help determine Sunrise/Sunset):
Affected OCI Artifact
Change Category (Guides Steering Review)
- Steering/Industry Review
- Steering/Industry Notification