[EAT] Entity Attestation Token (EAT) Draft Comments

Hannes Tschofenig <Hannes.Tschofenig@arm.com> Mon, 22 October 2018 15:36 UTC

Return-Path: <Hannes.Tschofenig@arm.com>
X-Original-To: eat@ietfa.amsl.com
Delivered-To: eat@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id 9706A130DD9 for <eat@ietfa.amsl.com>; Mon, 22 Oct 2018 08:36:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.001
X-Spam-Status: No, score=-0.001 tagged_above=-999 required=5 tests=[DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=armh.onmicrosoft.com
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id h59esOlhyU3N for <eat@ietfa.amsl.com>; Mon, 22 Oct 2018 08:36:05 -0700 (PDT)
Received: from EUR02-HE1-obe.outbound.protection.outlook.com (mail-eopbgr10074.outbound.protection.outlook.com []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9C59E130EA1 for <eat@ietf.org>; Mon, 22 Oct 2018 08:36:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=armh.onmicrosoft.com; s=selector1-arm-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=jd1akq9k0DpaT6QHG1D6aO6ZjB9W17fd+g03Z4zp1QQ=; b=XWQ6/faSAYlGEWY7hpmo/tG2X/iUeFNX8QVEM54J17RgqbvYWTAomhseuwvtmd0Rokdyk6Ug/dPikafJrpTaxyS1I3W0x5oXpL5XX0mKdI3Nqg5h8654DOTW9R2Iy5A8Y2prsUC5CSab5ddSyg8ldFFq1uZOzEPF5pNeIe80LqE=
Received: from AM5PR0801MB2097.eurprd08.prod.outlook.com ( by AM5PR0801MB1377.eurprd08.prod.outlook.com ( with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1250.20; Mon, 22 Oct 2018 15:36:01 +0000
Received: from AM5PR0801MB2097.eurprd08.prod.outlook.com ([fe80::15e6:1b13:9bae:f7a2]) by AM5PR0801MB2097.eurprd08.prod.outlook.com ([fe80::15e6:1b13:9bae:f7a2%9]) with mapi id 15.20.1250.028; Mon, 22 Oct 2018 15:36:01 +0000
From: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
To: "eat@ietf.org" <eat@ietf.org>
Thread-Topic: Entity Attestation Token (EAT) Draft Comments
Thread-Index: AdRqHE9eYU+1nPd6ShCxBvgCuuUTdw==
Date: Mon, 22 Oct 2018 15:36:01 +0000
Message-ID: <AM5PR0801MB20975EC123628567CE278CC2FAF40@AM5PR0801MB2097.eurprd08.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Hannes.Tschofenig@arm.com;
x-originating-ip: []
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; AM5PR0801MB1377; 6:KaE/4NWar9BWSAW9TF37XnoRfpchLB18P+WzZZrfOYgw4mzW2d2JHu0iPaSArXIYQIPgmR7Q5VE33DorY0AWhJ7FOv5kPBHKMHeuHeEM29I7vsK3AYiyB7SBy7pzldSFgwdaPCUi+nPZ21/6/gQVyAgkI1s5WJhxBpNPtXU00LN9mFqTgTUqA7nEhyTXVH2nSX8kmf7IfOVh20NT9VdKq9viq8sjg5YWcMAuftKkH8IR8eYragCqnVkoWcnfuXzC+6XcYZvNTDJOhsfhC6g5Pg/uVyB/XS6DvzeGFop6Cmmi50N3rWmdQa5NhOMTUVDk23zlhajPotSTR7tnCeq4HJygXsNrPQfgzyEzWTxwg9HD/lT204raxpJgLxCci3Hjca/m1vau3g0lVkQobTqzAzNOB8O0RRoZFwZwP19ql3pwcyGKxcnCbvxt2iKa2U90GFiVtG/oNGmSYG/9E/+dtw==; 5:6CilaCcJ7xdrmpGkanLFkAbqhgF7TFhu6sNPsn9R/5cWAd2Y7WXO2pGMVcjR6GKIHsB5YkJZY6asenMiKBQ2X7iVLf8QbF+zg2t0DlI1WDDz6AImOlC0K8Rla0ka/MiZAiELyRrJiM8xQ/wbH6JzIpO6Dh62IzEPFYkKMhMMoLw=; 7:01K0Fu9vDzmKzoblemNGBO+FmMIAmyK+4N7VZgcmmrRVYoE8YGZZrlbPZbwFo03vWI6eI0dvT896f9zbxAi6CdfOQITc7OkQffj65nNwwj8HCm5ZRic2Pwep2uael7kW68glWEIjzdPZcZv7ifo58MkNO4zUk9UygSYwjkJ95oyp+ny/wFVI47c4nFLmcxZYQ74FWInGXUU0rE6/U4zqQS9B3moRE22zYRATVDmRDTNZ2XPhCmbOn/4QfrLO/dQx
x-ms-exchange-antispam-srfa-diagnostics: SOS;
x-ms-office365-filtering-correlation-id: f89bcf8f-75a3-42bb-dde8-08d63834122e
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(7020095)(4652040)(8989299)(5600074)(711020)(4618075)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(2017052603328)(7153060)(7193020); SRVR:AM5PR0801MB1377;
x-ms-traffictypediagnostic: AM5PR0801MB1377:
x-microsoft-antispam-prvs: <AM5PR0801MB1377D958E03CD9663C9A4F41FAF40@AM5PR0801MB1377.eurprd08.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(192374486261705);
x-ms-exchange-senderadcheck: 1
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(8211001083)(6040522)(2401047)(5005006)(8121501046)(93006095)(93001095)(10201501046)(3002001)(3231355)(944501410)(52105095)(6055026)(148016)(149066)(150057)(6041310)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(20161123558120)(20161123562045)(20161123564045)(20161123560045)(201708071742011)(7699051)(76991095); SRVR:AM5PR0801MB1377; BCL:0; PCL:0; RULEID:; SRVR:AM5PR0801MB1377;
x-forefront-prvs: 08331F819E
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(979002)(366004)(39860400002)(376002)(346002)(136003)(396003)(199004)(189003)(53754006)(40434004)(86362001)(99286004)(2900100001)(7736002)(7696005)(105586002)(106356001)(33656002)(486006)(5640700003)(186003)(561944003)(26005)(476003)(2351001)(5024004)(14444005)(102836004)(256004)(8676002)(1730700003)(81156014)(81166006)(8936002)(68736007)(97736004)(6116002)(74316002)(71190400001)(71200400001)(3846002)(25786009)(2906002)(5660300001)(6916009)(316002)(5630700001)(6506007)(966005)(14454004)(66066001)(53936002)(55016002)(9686003)(54896002)(53946003)(72206003)(6436002)(478600001)(790700001)(6306002)(2501003)(5250100002)(579004)(969003)(989001)(999001)(1009001)(1019001); DIR:OUT; SFP:1101; SCL:1; SRVR:AM5PR0801MB1377; H:AM5PR0801MB2097.eurprd08.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: arm.com does not designate permitted sender hosts)
x-microsoft-antispam-message-info: wahMTQITWN0C+1wax28ZQQQiUAPw+Cm2FmDhHRJt1gLnQU0k62zOL+ChpZ9CXPcnIIxD7hsRFXT0vLEhH6pq/cVQSw9im7HEIK8j3oXaHYSNizSitI1qfj8dhzmrRimmX1ljfEGmxt962axfqe95yvlhY4hg55IkY9JcdxthBdTyGmaNox1KP6dXdAASpyAI2/tqJHOEnQg1a1kCXW0MWyeiW/zXFhdyegAuc80KQVZ226FbtBBCjeMYkmYTb32ZDIQfQJKCBJtq1YUQXaGrKzZPwSK8eOMwJ7uMruBYJlGajvzAFt6HlligmCwrx8cDnrydbUrWMchfC8u3iMsUHuBq92iODBElyYmz/82eHPk=
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_AM5PR0801MB20975EC123628567CE278CC2FAF40AM5PR0801MB2097_"
MIME-Version: 1.0
X-OriginatorOrg: arm.com
X-MS-Exchange-CrossTenant-Network-Message-Id: f89bcf8f-75a3-42bb-dde8-08d63834122e
X-MS-Exchange-CrossTenant-originalarrivaltime: 22 Oct 2018 15:36:01.3539 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: f34e5979-57d9-4aaa-ad4d-b122a662184d
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM5PR0801MB1377
Archived-At: <https://mailarchive.ietf.org/arch/msg/eat/nTdl3dDUER97o9O-GOFrdajm3B8>
Subject: [EAT] Entity Attestation Token (EAT) Draft Comments
X-BeenThere: eat@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: EAT - Entity Attestation Token <eat.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/eat>, <mailto:eat-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/eat/>
List-Post: <mailto:eat@ietf.org>
List-Help: <mailto:eat-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/eat>, <mailto:eat-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 22 Oct 2018 15:36:16 -0000

Hi all,

Within Arm, we have been looking at the role of attestation with respect to a wide set of use cases and evaluating EAT as the means to describe the claims necessary to describe the entities within these use cases. We have some comments on the existing set of claims proposed in https://tools.ietf.org/html/draft-mandyam-eat-00 and would like to introduce further claims of general utility.

The use cases considered include:


  *   Attestation for a standalone, self-contained device
  *   Overall attestation for a device or system composed of multiple identifiable components
  *   Attestation for a combination of hardware and the software deployed on that device


In the above, even for the combination cases, it is assumed that where an EAT is produced, a single attesting authority can produce the token. If there are different trust or security levels within the components, they can still be combined into a single report, but the report will then be structured to clarify the diverse conditions. Where a device is composed of components which might have multiple attesting authorities, it would be expected that multiple EATs would be created, even if delivered as a package within a further EAT.


Proposed claims:



Having 4 separate claims related to debug tracking (debug-*-disabled) could lead to some contradictory declarations, especially as the definitions of those settings appear to be of increasing restriction. We would propose that the 4 are combined into a single 'debug-disabled' claim, with 4 integer values representing the states represented by the current individual claims. It would also then be useful to have a distinct value for ‘Enabled’ to help distinguish that distinct state from the absence of the claim.


'Origination' + 'OEM'

Where the device involved may have complex make up, these claims alone are not sufficient to be able to describe all components. Therefore, we propose the addition of the following claims to be used in addition to these. These claims can be used for both software and hardware components. Use of claims within submods and arrays or within embedded EAT claims would capture the necessary hierarchy of the component set. The exact hierarchy will depend upon the scope of the attesting authority with respect to the components within the device. Where possible, it seems desirable to keep the maximum set of claims within a single EAT, but depending on the composition of the device, multiple EATs can contribute different scopes. If there are a subset of claims which have a contained signing or encryption scope, it would be expected that set would be embedded in a (signed, encrypted) EAT. Also note the ‘profile’ proposal below to clarify layout for any use case.

The following set of proposed new claims appear to be of general value to describe an entity.

'manufacturer' - string value capturing manufacturer name or code. Note that this is most similar to one of the existing uses of 'origination' and it is possible that claim might suffice for this claim purpose.


'component' - string value capturing the component name or part code (from a given manufacturer). In hierarchical descriptions, this claim may often match or reflect a submod_name and can potentially be omitted.


'version' - string value reflecting a release level of a component. It was not felt that multiple levels of version claims would be required as the value of this claim would often contain a relevant internal structure, for example the "major.minor.maintenance.build" format common to many software releases.


'securityReleaseLevel' - a string value reflecting the security release (sometimes called epoch) level. Given the nature of some device components, this was felt to be a useful distinct claim in addition to version.

‘session’ – a claim for data such as boot seeds or similar that might be used to do correlated validations across a number of tokens from the same source.


'measurement' - a string value reflecting some measurement of the component. For the example of a software component, this would often be a hash of the software, taken at the relevant point of its lifecycle for the nature of the attestation.


'measurementState' - a string value which describes the lifecycle state of a component when it was measured. A string is proposed for flexible interpretation, but it could be possible to capture an expected set of states. Examples might be 'delivered', 'installed', 'loaded', 'executing', 'snapshot'.


'certifiedBy' - where a component has been through a certification program, this claim would be a string value representing the identity of the authority conducting that certification. Examples could be an authority which formally assesses the seclevel claim or a software signing authority. This claim could potentially be used by a verifier to check with the authority for any alteration claims to that certification or used with the measurement claim to check that a component has an expected measured value.


'certifiedByReference' - this claim would be a string value, used in association with 'certifiedBy' to locate the relevant program that the certification authority has applied. An example might be the thumbprint of a signing certificate.


We have deliberately kept these proposed additions to a modest set. It is thought that they can enhance the descriptive nature of claims in an EAT for a multitude of use cases. Where a device or system is of complex nature, hierarchical layout of the EAT should be able to reflect any subtle or specific semantic interpretations of claims and their relationships.


'development' - this would be an additional (global level) claim added to a report that indicates that the EAT has been generated only for system development purposes and not deployed in production. This claim could allow a validating service to treat such a submission with lower priority or to return greater detail on any errors.




In order to assist the implementors of a verifier for a given EAT set and to assist in keeping the EAT claims to a discrete set, we would also like to propose the publication of EAT 'Profiles'.  These would be separate documents created by a vendor, industry alliance, or an SDO, which describe what claims must be present for a particular use case. The document would contain:

·            which standard claims would be used

·            whether the presence of those claims is required / recommended / optional

·            what the expected submod / array / embedded EAT hierarchy would be in the EAT and any semantic interpretations or claim relationships that a verifier should consider.

·            list any custom claims expected, with their key values, presence recommendations and place in a hierarchy

·            what signing algorithm must be used

If a profile is expected to be in place for a given EAT use case, additional claims may also be present in the EAT, to assist the expected validation process. These claims would be strings  ‘profileName’ and ‘profileVersion’, expected to be resolvable to a known published use case/description. IANA could maintain a profile registry.

 (As a comparison, this profile concept has been applied successfully to JWTs by organizations like the OpenID Foundation.)


IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.