
bootseed

IETF

Registry Context

The `bootseed` claim identifies a particular boot session of an entity.

Technical Summary

In a JSON-encoded EAT, `bootseed` contains base64url-encoded binary data created at system boot time, allowing attestation reports from different boot sessions of the same entity to be distinguished.

When Used

Used in Entity Attestation Tokens when reports from different boot sessions of a particular entity need to be distinguished.

Normative Requirements

Implementations

MUST NOT
  1. RFC 9711 - Section 4.2.13

    use the `bootseed` value for any purpose requiring a secret seed, such as seeding a random number generator.

    Condition: when processing or using the `bootseed` claim

    It is not a secret and MUST NOT be used for any purpose where a secret seed is needed, such as seeding a random number generator.

MUST
  1. RFC 7519 - Section 4

    ignore claims they do not understand.

    Condition: in the absence of application-specific requirements for those claims

    in the absence of such requirements, all claims that are not understood by implementations MUST be ignored.

Unspecified actor

MUST
  1. RFC 7519 - Section 4

    ensure Claim Names within a JWT Claims Set are unique.

    Condition: when constructing a JWT Claims Set containing `bootseed`

    The Claim Names within a JWT Claims Set MUST be unique.

EAT implementations

MUST
  1. RFC 9711 - Section 9.3

    provide a freshness mechanism.

    Condition: for all EAT use

    All EAT use MUST provide a freshness mechanism to prevent replay and related attacks.

JWT parsers

MUST
  1. RFC 7519 - Section 4

    either reject JWTs with duplicate Claim Names or use a JSON parser that returns only the lexically last duplicate member name.

    Condition: when parsing a JWT Claims Set

    JWT parsers MUST either reject JWTs with duplicate Claim Names or use a JSON parser that returns only the lexically last duplicate member name.

Validation Guidance

error

Reject a JWT Claims Set containing multiple `bootseed` members, unless the parser follows RFC 7519 by retaining only the lexically last duplicate member.

error

Verify that a JSON-encoded `bootseed` value is a base64url text string representing binary data.

error

Do not use `bootseed` as cryptographic secret material or as a random-number-generator seed.

info

If `bootseed` is unsupported and no application-specific rule requires it, ignore the claim rather than failing solely because it is unrecognized.

error

Do not treat `bootseed` alone as satisfying the EAT freshness requirement; verify that the EAT use provides an appropriate freshness mechanism.
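As an added example that is not part of this registry page or of RFC 9711, the following Python applies the validation guidance above to a JSON-encoded EAT claims set: it rejects duplicate Claim Names at parse time (or, optionally, keeps only the lexically last duplicate as RFC 7519 permits), checks that `bootseed` is a base64url text string and decodes it, compares boot sessions by decoded value only, and checks freshness separately. The freshness check uses the `eat_nonce` claim defined by RFC 9711 as the assumed application mechanism; the helper and function names and the sample claims sets are constructed for this example.

```python
import base64
import binascii
import json
import re

# base64url alphabet without padding (RFC 7515 style), as EAT JSON encoding uses
_B64URL_RE = re.compile(r"[A-Za-z0-9_-]+")


def _reject_duplicates(pairs):
    """object_pairs_hook: fail on a repeated Claim Name (RFC 7519 Section 4)."""
    claims = {}
    for name, value in pairs:
        if name in claims:
            raise ValueError(f"duplicate Claim Name: {name!r}")
        claims[name] = value
    return claims


def parse_claims(json_text, reject_duplicates=True):
    """Parse a JWT Claims Set.

    With reject_duplicates=True a repeated Claim Name is an error; with False the
    default JSON parser keeps only the lexically last duplicate, the other
    behaviour RFC 7519 allows.
    """
    if reject_duplicates:
        return json.loads(json_text, object_pairs_hook=_reject_duplicates)
    return json.loads(json_text)


def decode_bootseed(claims):
    """Return the decoded bootseed bytes, or None if the claim is absent.

    Unknown claims are simply not inspected; an absent bootseed is not an error
    unless the application requires it.
    """
    if "bootseed" not in claims:
        return None
    value = claims["bootseed"]
    if not isinstance(value, str) or not _B64URL_RE.fullmatch(value):
        raise ValueError("bootseed must be a base64url text string")
    # restore padding so the standard decoder accepts unpadded base64url
    padded = value + "=" * (-len(value) % 4)
    try:
        return base64.urlsafe_b64decode(padded)
    except binascii.Error as exc:
        raise ValueError(f"bootseed is not valid base64url: {exc}") from exc


def same_boot_session(claims_a, claims_b):
    """True when both reports carry an identical bootseed.

    The value is public and used only as an identifier, never as key or RNG
    seed material (RFC 9711 Section 4.2.13).
    """
    seed_a, seed_b = decode_bootseed(claims_a), decode_bootseed(claims_b)
    return seed_a is not None and seed_a == seed_b


def is_fresh(claims, expected_nonce, nonce_claim="eat_nonce"):
    """Freshness must come from a dedicated mechanism, not from bootseed.

    Assumed mechanism: the verifier supplied a nonce and expects it echoed in
    the eat_nonce claim (RFC 9711 Section 9.3 requires some such mechanism).
    """
    return claims.get(nonce_claim) == expected_nonce


if __name__ == "__main__":
    # constructed sample claims sets from two boot sessions of one entity
    first_boot = parse_claims('{"bootseed": "AQID", "eat_nonce": "n1", "x_unknown": 1}')
    second_boot = parse_claims('{"bootseed": "BAUG", "eat_nonce": "n2"}')
    print(decode_bootseed(first_boot).hex())          # 010203
    print(same_boot_session(first_boot, second_boot))  # False
    print(is_fresh(first_boot, "n1"))                  # True
```

Note that `same_boot_session` returning True says nothing about replay: a token from the current boot session can still be an old one, which is why `is_fresh` is a separate check rather than folded into the bootseed comparison.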

Security Notes

RFC 9711 - Section 4.2.13

The `bootseed` value is usually public and is not a secret; using it where secret seed material is required can undermine security.

RFC 9711 - Section 8.3

Because `bootseed` is a stable entity identifier within a boot epoch, it is unsuitable for privacy-preserving attestation schemes.

Reference

Details

Entry Id: bootseed
Claim Name: bootseed
Claim Description: Identifies a boot cycle
Change Controller: IETF
Reference: RFC9711