Re: [EAT] Attestation BoF charter updates?

Jeremy O'Donoghue <> Mon, 22 October 2018 13:14 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id AC6E0130E21; Mon, 22 Oct 2018 06:14:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -4.3
X-Spam-Status: No, score=-4.3 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id SAiIsNYWq9vj; Mon, 22 Oct 2018 06:14:35 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 07DF7130E10; Mon, 22 Oct 2018 06:14:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;;; q=dns/txt; s=qcdkim; t=1540214075; x=1571750075; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=5dEDDdP+sHByKqllyYPsr5D0SMzaOE8mSxF9cZAapO4=; b=oSi9xMgIw7L8ob6gwfQn7x1nOS2qM1W/fpGQAAPItlv3HcY08jB93kXE KE2aVSOdP0YIFQuKkc18hK6AkHv/ITRqIypXqgORfOPNOxtTbo0FOKhko hMQ/+JHBr62DL7vl8vwIAvmrKCtHR0L2f/4wMGKEAFNskoo3jo6vZ77YF 8=;
X-IronPort-AV: E=Sophos;i="5.54,412,1534802400"; d="scan'208,217";a="1374602"
Received: from ([]) by with ESMTP; 22 Oct 2018 15:14:32 +0200
X-IronPort-AV: E=McAfee;i="5900,7806,9053"; a="6060488"
Received: from ([]) by with ESMTP/TLS/AES256-SHA; 22 Oct 2018 15:14:32 +0200
Received: from ( by ( with Microsoft SMTP Server (TLS) id 15.0.1365.1; Mon, 22 Oct 2018 15:14:30 +0200
Received: from ([]) by ([]) with mapi id 15.00.1365.000; Mon, 22 Oct 2018 15:14:30 +0200
From: Jeremy O'Donoghue <>
To: Henk Birkholz <>
CC: "" <>, Laurence Lundblade <>, "" <>
Thread-Topic: [EAT] Attestation BoF charter updates?
Thread-Index: AQHUaDl7oJCVy1SmWEy2j20ofanQ0qUrIFoA
Date: Mon, 22 Oct 2018 13:14:30 +0000
Message-ID: <>
References: <> <> <>
In-Reply-To: <>
Accept-Language: en-GB, en-US
Content-Language: en-US
x-mailer: Apple Mail (2.3445.9.1)
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: []
Content-Type: multipart/alternative; boundary="_000_570FEF0CFD3A4EBFB8E67B13D2FD8E22qtiqualcommcom_"
MIME-Version: 1.0
Archived-At: <>
Subject: Re: [EAT] Attestation BoF charter updates?
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: EAT - Entity Attestation Token <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 22 Oct 2018 13:14:40 -0000

This is a very useful contribution, Laurence.

The current draft text is too strongly biased towards attestation based on measurement, and does not adequately cover other mechanisms which are already broadly deployed in proprietary form, and which should be supported in an interoperable standards based manner.

From my perspective, there are a number of issues which lead to the need for charter text which is more inclusive of different approaches to attestation:

  *   TPM and systems based on measured file execution procedures have very limited presence in the mobile ecosystem, and any attestation standard of interest needs to be useful in the mobile space and highly constrained (microcontroller-class and smaller) IoT if we are to avoid fragmentation in future. The flexibility of EAT is a great strength here.
  *   In devices where the threat model may include the device owner - such as many mobile and IoT devices - attestation bound to the REE, as is typical in the TPM use-case, has some challenges. provides an example which is in the public domain.
  *   Systems based on run-time (as opposed to boot time) integrity measurement address trustworthiness over time - see There are commercial examples of such systems in mass production on several different mobile SoCs. Information available to the public includes Eric Voit has already shared that such systems are also deployed in the network infrastructure space, so it seems to me that the charter text should cover this case.
  *   As noted in previous mail to the list, there is ongoing work in GlobalPlatform which plans to make use of the approach described in the EAT draft. I also have good reason to believe that other industry bodies are considering this approach, which provides a great opportunity to promote interoperability through the output of the eventual WG.

As it stands, the text is too specific to a particular approach for me to be able to support it. That said, and wishing to be constructive, I have attempted to merge the current charter text (commit 267b166) with Laurence' contribution below. Black text is the current draft; red text is mine and blue text is from Laurence.

Remote ATtestation ProcedureS (RATS) are included in network protocols to provide the basis for establishing claims about a device in a trustworthy manner exchanges with a device, such claims may include, but are not limited to, device identity, manufacturing origin, system integrity, configuration, operational state and measurements of steps which led to the operational state. RATS expose such device characteristics in the form of trusted claim sets which allow remote parties to evaluate (based on Proof-of-Possession) to detailed Attestation Evidence (Proof-of-Protection) that enable a Verifying Parties to retrace every step that led to its current Operational State. A consequence of this retracing is that it is possible to appraise the trustworthiness of a device. RATS provide evidence that a device supports a certain set of operations and functions and/or that it is actually the exact device it is supposed to be (Attestation Provenance) via identity documents or passes. RATS ensure that the information conveyed is unique, complete, and fresh (exposing tampering, replay, and/or relay attacks).

RATS may include definition of procedures by which a remote party evaluates certain claims. For example, how some measurement or other claims are compared to expected values to evaluate the trustworthiness of the device. RATS further supports Various Roots of Trust (e.g. for Measurement, for Reporting, or for Verification) provide the foundation to enable Implicit Remote Attestation (the fact that a secret key is accessible implies a specific meaning and specific defined set of characteristics which therefore need not be supplied explicitly). assertions are optional) and Explicit Remote Attestation, which uses the  output of measured file execution as Attestation Evidence which can be used (along with event log details) to ratify that the device is actually a Trusted System.

RATS may include the definition of new protocols and/or the definition of secured data structures (e.g. signed) that are carried in existing protocols.

RATS is general purpose and aims to address a broad range of use-cases including online banking, payment transactions, critical infrastructure, network security functions, constrained-node devices, business and government enterprises and or the management of end-user devices, including scenarios where device and/or end-user privacy are required.

Like Laurence, I would prefer a new name to reflect the fact that we are merging different contributions, but I have retained RATS in the above to focus on the changes to the text.

Best regards

On 20 Oct 2018, at 06:54, Laurence Lundblade <<>> wrote:

I’d like to propose this for the Introduction in the charter. I tried pretty hard to write what I wanted through edits to the existing intro, but really couldn’t make it work, so this is mostly new text. Some phrases are re used. Apologies for not finding a better way to do this. I have tried to put all the ideas and concepts in Henk’s original charter intro in here, though I have gone for a more abstract conceptual level. A few more notes below.

RATS enables remote parties communicating with a device to evaluate the trustworthiness, device identity, origin of manufacture, system integrity, configuration, operational state and other characteristics of that device. Conceptually, the remote party ends up knowing a set of claims about the device and using them to make the evaluation. The claims may explicitly be transmitted or implicitly derived from other things known about the device. Various means are used to secure, or prove the security of, claims for the remote party. Signing of the claims is the most important but may not be the only means of securing the claims. These claims can provide evidence that a device supports a certain set of operations and functions and/or that it is actually the exact device it is supposed to be.

RATS includes the measurement of SW running on the device and securely conveying those measurements to the remote party.  These measurements enable tje remote party to evaluate device trustworthiness, that it operates as expected, does what is required and does not do other things.

RATS may include definition of procedures by which a remote party evaluates certain claims. For example, how some measurement or other claims are compared to expected values to evaluate trustworthiness of the device.

RATS may include the definition new protocols and/or definition of secured data structures (e.g., signed) that are carried in existing protocols.

RATS is general purpose and aims to address a broad range of uses cases including on-line banking, payment transactions, critical infrastructure, network security functions, constrained devices, business and government enterprises and management of end-user devices.


  *   I have avoided the use of the formally defined terms in the introduction so it can stand more on its own, is easier to understand and is less presumption about architectures and designs. Seems like it is work for the WG to define the terms and create the designs.
  *   My use of the lower case “device”, “claim” and “remote party” are just as broad concepts to be able to get the general idea across. The WG documents should use the more formal and specific definitions.
  *   Hope I’ve covered both EAT and RATS concepts here. It was my goal.
  *   While I used the term RATS, I still want the WG name change to CREATE.


On Oct 11, 2018, at 10:19 PM, Henk Birkholz <<>> wrote:

Hi all,

sorry for the delay. Please find an updated charter proposal here:<>

The BoF proponents tried to merge all comments and proposals on keystores, existing solutions, provenance & device characteristics, etc that were raised on the list - and align them in homogeneous fashion.

This draft is intended to focus the discussion and improve the wording.

Viele Grüße,


On 10/06/2018 08:23 AM, Laurence Lundblade wrote:
Hi Henk,
Bangkok IETF is getting close, will you be able to update the charter for the attestation BoF to properly include EAT?  I sent you some text that just needs to be pasted along with some comments. It doesn’t look like there’s been any updates.

EAT mailing list<>

EAT mailing list<>