Re: [EAT] [Rats] Attestation BoF charter updates?

Jeremy O'Donoghue <> Wed, 24 October 2018 12:47 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 13C79128DFD; Wed, 24 Oct 2018 05:47:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -4.3
X-Spam-Status: No, score=-4.3 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id ILiK_aqHGHJL; Wed, 24 Oct 2018 05:47:20 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 95770127332; Wed, 24 Oct 2018 05:47:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;;; q=dns/txt; s=qcdkim; t=1540385240; x=1571921240; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=5NrvUKpdcQHSRC9NkLvxcNTByOY/znrLyV5u/Z+qyHM=; b=AKyhIdrNSl1Yr+ojVWoxSfJeseiZ8+g4kswvXDtGbFUM0xUgUby0ncfG Key0RbFm01LpCARYPUYUac0sADHV38S926uyYBFdfb0YaIDEL+ZL1mjHR Glz+N8vq/23yHRZwW6y00ZEpiXG4MJhvCKKnIsknN+kZ45hxWTHK8jOQ+ Q=;
X-IronPort-AV: E=Sophos;i="5.54,420,1534802400"; d="scan'208,217";a="1387166"
Received: from ([]) by with ESMTP; 24 Oct 2018 14:46:23 +0200
X-IronPort-AV: E=McAfee;i="5900,7806,9055"; a="6117362"
Received: from ([]) by with ESMTP/TLS/AES256-SHA; 24 Oct 2018 14:46:23 +0200
Received: from ( by ( with Microsoft SMTP Server (TLS) id 15.0.1365.1; Wed, 24 Oct 2018 14:46:21 +0200
Received: from ([]) by ([]) with mapi id 15.00.1365.000; Wed, 24 Oct 2018 14:46:21 +0200
From: Jeremy O'Donoghue <>
To: Carl Wallace <>
CC: "Smith, Ned" <>, Michael Richardson <>, "" <>, "" <>
Thread-Topic: [EAT] [Rats] Attestation BoF charter updates?
Thread-Index: AQHUavXP5xlM3Oo/GUa0I+2fOxOmhqUs9bMAgAAVBwCAAARWgIAADiwAgAAAmYCAARnZgA==
Date: Wed, 24 Oct 2018 12:46:21 +0000
Message-ID: <>
References: <> <> <> <> <> <> <> <>
In-Reply-To: <>
Accept-Language: en-GB, en-US
Content-Language: en-US
x-mailer: Apple Mail (2.3445.9.1)
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: []
Content-Type: multipart/alternative; boundary="_000_8340B1B8775D4932B43229B715A3B45Dqtiqualcommcom_"
MIME-Version: 1.0
Archived-At: <>
Subject: Re: [EAT] [Rats] Attestation BoF charter updates?
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: EAT - Entity Attestation Token <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 24 Oct 2018 12:47:23 -0000

I have the following understanding (possibly misunderstood) from this thread:

  *   It is desirable to have syntax for incorporating sets of Claims in structures that are defined in ASN.1. At the surface level this may be straightforward because claims are essentially (key, value) pairs - the key potentially being implicit in some cases, but there could be important semantic differences in the meaning of signing in Attestation formats vs legacy formats, and there may be challenges in mapping some CBOR or JSON constructions to ASN.1.
  *   The main use-case under discussion is to address mechanisms to enable an attestation to be presented to a CA in the context of a certificate request protocol. If I have correctly understood this, it means that a direct mapping of the Claims in an attestation to an X.509 certificate is a non-goal as the CA would be responsible for correctly interpreting the semantics of the Claims and incorporating them into an issued certificate in ways that make sense in the X.509 world.

I think we need to take care to limit the scope of work items in this area as there exists a considerable existing body of specifications in this area. Girl has mentioned ACME, and Carl mentioned SCEP, for which a new version appears to be nearing publication.

My suggestion is that it should be in scope to define a syntax for describing attestations which which could be transported via certificate request protocols such as ACME and SCEP, but that the question of how the semantics of attestations are managed in their use-cases is a question for the WGs owning those specifications.

Looking at the current SCEP draft<>=1>, it might be sufficient for the CRIAttributes definition (from RFC2986) to include the ASN.1 encoding of an attestation. ACME seems to encode the CSR in RFC2986 for as well, so this might be workable.

In terms of the charter text (which is what is really in scope here) we could add text to the WG description indicating that the WG will work with relevant WGs to identify where attestations may be useful in PKI infrastructures. I think the existing charter text already covers the possibility of defining Claims to enable transport of an X.509 certificate as part of an attestation.

Please let me know if I have misunderstood. I will be posting an update to the text shortly which I believe covers this.


On 23 Oct 2018, at 20:57, Carl Wallace <<>> wrote:

[nms] Right. In order for the CA (verifier) to distinguish the certifying key is an ‘attestable key’ vs. a traditional CSR. The CA should look for a signature from the mfg cert over the CSR (certificate management message?) containing the generated public key. I’m still not seeing where there is a self-signed (issued) certificate in the equation.
This began with request to codify binding to certificate request protocols, not for a self signed certificate.