A7 Attacker Clarification

Issue #542 resolved
Dave Tonge created an issue

From Tim

One additional note: It should be clarified when/where the requests/responses leak. Following the section heading, I’d assume that they leak at the RS, e.g., a resource request leaks only after the “honest” request arrived at the RS. This distinction is important when considering DPoP Proof Replay: If the attacker has a chance to use a leaked DPoP proof before the honest request using that proof arrives at the RS, the RS cannot detect/prevent the attack (e.g., using DPoP nonces or the jti claim).

Comments (3)

  1. Tim Würtele

    I want to also add my original note on the A7 attacker in PR #358, as this question was a source of confusion for us (i.e., may be a source of confusion for others, as well):

    If I remember our discussion on 20/07/22 correctly, Nat stated that the A7 attacker only gets the Resource Request in plaintext, whereas the Resource Response only leaks as ciphertext. This is what we currently assume in the formal model and I’d argue it should be clarified here (either way).

  2. Log in to comment