Re: [EAT] Device Identity (was Re: [EXTERNAL] Re: [Rats] Attestation BoF charter updates?)

Laurence Lundblade <> Sat, 20 October 2018 16:00 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 5E810130E63 for <>; Sat, 20 Oct 2018 09:00:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=unavailable autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id NsUMiggDw0bM for <>; Sat, 20 Oct 2018 09:00:05 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 744A812D4EB for <>; Sat, 20 Oct 2018 09:00:04 -0700 (PDT)
Received: from [] ([]) by :SMTPAUTH: with ESMTPSA id DtfSgPm5QOmMwDtfUgraJt; Sat, 20 Oct 2018 09:00:03 -0700
From: Laurence Lundblade <>
Message-Id: <>
Content-Type: multipart/alternative; boundary="Apple-Mail=_57FB3170-01ED-4DAD-9AD5-284066FCDEA4"
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
Date: Sat, 20 Oct 2018 21:29:57 +0530
In-Reply-To: <>
Cc: Guy Fedorkow <>, "Smith, Ned" <>, Jeremy O'Donoghue <>, "" <>, "" <>, Denis <>, Hannes Tschofenig <>
To: Henk Birkholz <>
References: <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <>
X-Mailer: Apple Mail (2.3445.9.1)
X-CMAE-Envelope: MS4wfPM8Xnpw7KJNSE3KsSNZyga4mWpbSzqmrEeMPsZP93FbS+Ug6iAwLNXf2G86qJxxUdFTRrU7guYWF3eOsbEe5muMVWZ7aw+ICDgJI6b3XFvN4LN8S4vk RLWnHYIy5kT6E2OXWtvoPcphKjZ+UEfV4TVfsTL+zU2kN4kOQ/r7WZXmdpxU7nnoI2CKIZELo7QXzVYgm4uxes4x9o/7E3n6u0Q+12sXti8Ql9TUGQ20zb9X 75lLVVi4/wCNXcbR9WjSFBgZ+w1YXADqT3m8vCJq6Dtx/QAeLsi9pQTF7toADw0eR5PD5qm6Gee3M1VXLEKoP96RXirNqisKd+1fVb3dBbtohF1B7Z3amkaF VTbItdNo66O0kSXCOolptwWUSajeBe5AOYRab+MCggV8E3WFBiY=
Archived-At: <>
Subject: Re: [EAT] Device Identity (was Re: [EXTERNAL] Re: [Rats] Attestation BoF charter updates?)
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: EAT - Entity Attestation Token <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sat, 20 Oct 2018 16:00:09 -0000

> On Oct 20, 2018, at 9:13 PM, Henk Birkholz <> wrote:
> Hello Laurence,
> what I understood now, I think, is that the processes that will eventually make use of EATs - "in the bigger picture" - are intended to be based on more than proof-of-possession.
> The EAT that is the signed claim set is relying on the "assumption that the device manufacturer will only put attestation keys in devices that are configured correctly".
> And that is exactly what I meant. The key material deployed on the thing has meaning: if it is there, you trust the assumption that the thing is configured correctly.

Seems to me that there is always some implied trust in the behavior of some part of the device you put the key in. It might be a tiny bit of HW, but it is something. No matter how many layers of measurement and roots-of-trust there are, the bottom that hold the key has to be trusted to have some behavior before you put the key in during manufacture.

> Do we agree on this? :-)

Well probably, but we haven’t spend enough time together yet to know for sure. :-)

> The reoccurring reference to TCG seems to exclude other more thorough approaches on how to conduct remote integrity verification a bit, I think. I am carefully highlighting this, because the reasoning behind an IETF WG is the demand for network protocols that are able to consolidate the different "inbox-api" and "out-of-band" concepts used in various domains.

I added a few lines below. 

Not sure what an inbox-api and such are yet...


> Viele Grüße,
> Henk
> On October 20, 2018 4:21:52 PM GMT+01:00, Laurence Lundblade <> wrote:
>> On Oct 20, 2018, at 8:26 PM, Henk Birkholz < <>> wrote:
>> Hello Laurence,
>>  And I am perplexed how you think I was implying that EAT or CoID are insecure. How did I make the impression to have suggested that?
> You have characterized EAT as only proof-of-possesion. It is not.
>> Wrt the "verification keys" I am not so sure, what the diagram means by that. With an asymmetric key-pair these would probably be public keys to check the signature by (I assume)?
> It is an open-ended range of things:
> An ECDAA interaction with service (Maybe like Intel’s)
> A verification request of an Android Attestation from a Google Service
> An IEEE-802.1AR CA and Sub-CAs (mostly standard X.509)
> A public key fetch based on any reasonable / useful key ID (e.g. Subject Key ID)
> A submission of the EAT token signed by a symmetric key to a service that verifies it (and rather carefully protects the private verification keys with high quality HSMs)
> A redirect through a privacy CA
> Some custom manufacturer defined scheme

* A RATS Procedure based on TCG stuff
* A RATS Procedure not using TCG stuff

> I strongly believe this flexibility is necessary for real deployments especially for the high investment already made by platform and chip vendors.
> There is an assumption that the device manufacturer will only put attestation keys in devices that are configured correctly. Typically the attestation key will only be usable to sign attestation if the device booted code that was verified, debug was turned off and such. (I know TCG does this in a more elaborate thorough way, and that is good and well and can be put to use with EAT for appropriate use cases). 
> LL
> -- 
> Sent from my Android device with K-9 Mail. Please excuse my brevity.
> _______________________________________________
> EAT mailing list