Re: [EAT] {RATS] Introduction

"Eric Voit (evoit)" <> Thu, 13 September 2018 14:47 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id E204D130DD1; Thu, 13 Sep 2018 07:47:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -14.509
X-Spam-Status: No, score=-14.509 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_DKIMWL_WL_MED=-0.01, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=unavailable autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 4FMKboKpMPGj; Thu, 13 Sep 2018 07:47:13 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 3B24812D7EA; Thu, 13 Sep 2018 07:47:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;;; l=38116; q=dns/txt; s=iport; t=1536850033; x=1538059633; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=DeTBsbJNz4riAZXMZXSoBVQ2PSpAlyzs529iWP9gd4s=; b=PH9sAlY28f7XBgmLLnPEvo+gGXUXXmz7mXxj757nROVOQwF6JOtIfZgx XhKk+2MwCQPP4QItKPKtQq3TpyMJE+pNDwi2el1ywjFvwYrrmfZeavFac Rt+NfpV7E1XlKr8cneshWh4GuC6vJht7i60G0IkEvaAHOscp19NngbZZW k=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0A2AACqd5pb/5JdJa1FFhkBAQEBAQE?= =?us-ascii?q?BAQEBAQEHAQEBAQGBToERd2V/KAqDaIgVjBeCDZY+FIFmCx+ETQIXg0AhNBg?= =?us-ascii?q?BAgEBAgEBAm0cDIU4AQEBAQMjCkwQAgEGAhEDAQIUAgsBBgMCAgInCRQJCAI?= =?us-ascii?q?EAQ0FCIMagR1kD4oUm0yBLoQpAoVgBYlMgQ0PF4FBPyZsgxKDGwICgRoCAQY?= =?us-ascii?q?mAisDBQEHDwmCQoJXAogTGYUPjhxPCQKND4J3H4FBhEiDAIV6hwGNCwIRFIE?= =?us-ascii?q?lHTgngS5wFTuCbIYBilJvAYtSgS2BHgEB?=
X-IronPort-AV: E=Sophos;i="5.53,369,1531785600"; d="scan'208,217";a="171167783"
Received: from ([]) by with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 13 Sep 2018 14:47:12 +0000
Received: from ( []) by (8.15.2/8.15.2) with ESMTPS id w8DElBEU009952 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Thu, 13 Sep 2018 14:47:11 GMT
Received: from ( by ( with Microsoft SMTP Server (TLS) id 15.0.1395.4; Thu, 13 Sep 2018 10:47:11 -0400
Received: from ([]) by ([]) with mapi id 15.00.1395.000; Thu, 13 Sep 2018 10:47:11 -0400
From: "Eric Voit (evoit)" <>
To: "Diego R. Lopez" <>, "Eric Voit (evoit)" <>, Carl Wallace <>, Shawn Willden <>, "Smith, Ned" <>
CC: "" <>, "" <>
Thread-Topic: [EAT] {RATS] Introduction
Thread-Index: AQHUSzDdOdg5M/CVmEygJf3ibeBcNaTuO6hQ
Date: Thu, 13 Sep 2018 14:47:10 +0000
Message-ID: <>
References: <> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: []
Content-Type: multipart/alternative; boundary="_000_ebba301028e64a94a4e60389a82ce0d6XCHRTP013ciscocom_"
MIME-Version: 1.0
Archived-At: <>
Subject: Re: [EAT] {RATS] Introduction
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: EAT - Entity Attestation Token <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 13 Sep 2018 14:47:17 -0000

Hi Diego,

Yes.  Looking over draft-pastor-i2nsf-nsf-remote-attestation, there are common elements.

From a RATS/EATS scoping perspective, I was simply trying to show that it interesting for the same cryptoprocessor stored measurements to be passed over independent paths and different protocols.

When it comes to binding specific transport protocols to the attested information, there will be plenty of options still needing system integration.  (E.g., how might we bind this with the results of something like 802.1ar.)


From: Diego R. Lopez, September 13, 2018 3:10 AM


If I am correctly following your proposal, this is connected with the idea of a trusted channel we experimented with in the SECURED project, and described in draft-pastor-i2nsf-vnsf-attestation:

“A trusted channel is an enhanced version of the secured channel. It adds the requirement of integrity verification of the contacted endpoint by the other peer during the initial handshake to the functionality of the secured channel. However, simply transmitting the integrity measurements over the channel does not guarantee that the platform verified is the channel endpoint. The public key or the certificate for the secure communication MUST be included as part of the measurements presented by the contacted endpoint during the remote attestation. This way, a malicious platform cannot relay the attestation to another platform as its certificate will not be present in the measurements list of the genuine platform.”

Be goode,

"Esta vez no fallaremos, Doctor Infierno"

Dr Diego R. Lopez
Telefonica I+D

Tel:         +34 913 129 041
Mobile:  +34 682 051 091

On 12/09/2018, 22:17, "EAT on behalf of Eric Voit (evoit)" <<> on behalf of<>> wrote:

I think saving both the attestation data and the attested evidence is useful.  One RATS use case I have been interested in relates to proxy verification.  For example, what if changes in attested PCRs from one router’s TPM are provided both to an SDN controller (as part of a YANG Notification) and to a peer router (perhaps as EAP credentials over 802.1x).

This would allow the controller to use the same information to determine if a controlled device is trustworthy, as well as act as a RADIUS Server for the peer router.


From: Carl Wallace, September 7, 2018 7:55 AM

This gets at one difference between current attestation formats. Some require the generator to save the attestation if needed later, others are on demand.

From: EAT <<>> on behalf of Shawn Willden <<>>
Date: Friday, September 7, 2018 at 7:45 AM
To: "Smith, Ned" <<>>
Cc: "<>" <<>>
Subject: Re: [EAT] Introduction

Proof of protection is a good description of what Keystore attestation aims to accomplish, and timeliness or "freshness" is important.  Keystore achieves the latter with a challenge value supplied by the verifier.

On Thu, Sep 6, 2018 at 6:21 PM Smith, Ned <<>> wrote:
|--- snip ---
|So Keystore provides a valuable tool to authors of apps that require strong
|security. For example, for a key used to authenticate an account holder to
|a banking system. But this tool is much less valuable if the bank's server
|can't verify that the secret is managed in a trusted environment. Hence,
|Keystore attestation, which allows the trusted environment to prove that it
|secures the key material, and specifies the authorizations that define how
|it may be used.
--- snip ---
Right, the main objective of attestation is to provide evidence to a verifier regarding the trustworthiness properties of the environment that protects keys and other important things. It goes beyond traditional proof-of-possession.. I think of it as proof-of-protection (PoPr) though that term isn’t widely used. Distinguishing between storage and use may be important since protection techniques differ for each. At the end-of-the-day, attestation expects there is a ‘verifier’ – some entity that wants to check attestation evidence – who engages with the ‘attester’ following some sort of protocol to pass attestation evidence. Timeliness of evidence exchange can be important since, often, environments that protect key storage and use will change during deployment (after initial manufacturing). Attestation protocol is needed to facilitate a timely exchange of attestation evidence. I think these aspects are a primary area where IETF could add value to attestation infrastructure.


Este mensaje y sus adjuntos se dirigen exclusivamente a su destinatario, puede contener información privilegiada o confidencial y es para uso exclusivo de la persona o entidad de destino. Si no es usted. el destinatario indicado, queda notificado de que la lectura, utilización, divulgación y/o copia sin autorización puede estar prohibida en virtud de la legislación vigente. Si ha recibido este mensaje por error, le rogamos que nos lo comunique inmediatamente por esta misma vía y proceda a su destrucción.

The information contained in this transmission is privileged and confidential information intended only for the use of the individual or entity named above. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this transmission in error, do not read it. Please immediately reply to the sender that you have received this communication in error and then delete it.

Esta mensagem e seus anexos se dirigem exclusivamente ao seu destinatário, pode conter informação privilegiada ou confidencial e é para uso exclusivo da pessoa ou entidade de destino. Se não é vossa senhoria o destinatário indicado, fica notificado de que a leitura, utilização, divulgação e/ou cópia sem autorização pode estar proibida em virtude da legislação vigente. Se recebeu esta mensagem por erro, rogamos-lhe que nos o comunique imediatamente por esta mesma via e proceda a sua destruição