Re: [EAT] [Rats] Attestation BoF charter updates?

Jeremy O'Donoghue <> Wed, 24 October 2018 16:32 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 0167212D4E8; Wed, 24 Oct 2018 09:32:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -4.3
X-Spam-Status: No, score=-4.3 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id oEKfh73iHc7B; Wed, 24 Oct 2018 09:32:20 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 47CEB126F72; Wed, 24 Oct 2018 09:32:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;;; q=dns/txt; s=qcdkim; t=1540398739; x=1571934739; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=dNi8dPkOn3M8ZfUHPx5mIkl/QisaiUW5eTJzo4Gdl+Q=; b=WdyJ7yamUIOyqtFOfPYVdM1ITyBNMSXCvE5lQXJa1E5I+YOpn10tOUw6 RJppr4Lq2xkScUxEkv6EJ0c5kEsAsvRnrV3NGNg6nIzrxlRRaGFBKjokX pmEXeYwNZebHvbT2IDuGi8WfS349KKZHddXSmHbbzSo0clOZ2ZpcTvE2S U=;
X-IronPort-AV: E=Sophos;i="5.54,421,1534802400"; d="scan'208,217";a="1388275"
Received: from ([]) by with ESMTP; 24 Oct 2018 18:32:17 +0200
X-IronPort-AV: E=McAfee;i="5900,7806,9055"; a="6119156"
Received: from ([]) by with ESMTP/TLS/AES256-SHA; 24 Oct 2018 18:32:17 +0200
Received: from ( by ( with Microsoft SMTP Server (TLS) id 15.0.1365.1; Wed, 24 Oct 2018 18:32:15 +0200
Received: from ([]) by ([]) with mapi id 15.00.1365.000; Wed, 24 Oct 2018 18:32:15 +0200
From: Jeremy O'Donoghue <>
To: Henk Birkholz <>
CC: "" <>, Carl Wallace <>, Michael Richardson <>, "Smith, Ned" <>, "" <>
Thread-Topic: [EAT] [Rats] Attestation BoF charter updates?
Date: Wed, 24 Oct 2018 16:32:15 +0000
Message-ID: <>
References: <> <> <> <> <> <> <> <> <> <>
In-Reply-To: <>
Accept-Language: en-GB, en-US
Content-Language: en-US
x-mailer: Apple Mail (2.3445.9.1)
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: []
Content-Type: multipart/alternative; boundary="_000_91CD33FEA023464FA49F04B38A2A6274qtiqualcommcom_"
MIME-Version: 1.0
Archived-At: <>
Subject: Re: [EAT] [Rats] Attestation BoF charter updates?
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: EAT - Entity Attestation Token <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 24 Oct 2018 16:32:24 -0000

I think you already have text which keeps this scenario in scope in the latest draft (the bit about ASN.1 interoperability). From my perspective this is enough for now.


On 24 Oct 2018, at 17:27, Henk Birkholz <<>> wrote:

Please all keep in mind that we are intending to cut work items into phases. While we are starting to agree more than we disagree, I think, we should continue to pay attention to scoping, please. Not now does not mean never!

Viele Grüße,


On October 24, 2018 2:46:21 PM GMT+02:00, Jeremy O'Donoghue <<>> wrote:
I have the following understanding (possibly misunderstood) from this thread:

  *   It is desirable to have syntax for incorporating sets of Claims in structures that are defined in ASN.1. At the surface level this may be straightforward because claims are essentially (key, value) pairs - the key potentially being implicit in some cases, but there could be important semantic differences in the meaning of signing in Attestation formats vs legacy formats, and there may be challenges in mapping some CBOR or JSON constructions to ASN.1.
  *   The main use-case under discussion is to address mechanisms to enable an attestation to be presented to a CA in the context of a certificate request protocol. If I have correctly understood this, it means that a direct mapping of the Claims in an attestation to an X.509 certificate is a non-goal as the CA would be responsible for correctly interpreting the semantics of the Claims and incorporating them into an issued certificate in ways that make sense in the X.509 world.

I think we need to take care to limit the scope of work items in this area as there exists a considerable existing body of specifications in this area. Girl has mentioned ACME, and Carl mentioned SCEP, for which a new version appears to be nearing publication.

My suggestion is that it should be in scope to define a syntax for describing attestations which which could be transported via certificate request protocols such as ACME and SCEP, but that the question of how the semantics of attestations are managed  in their use-cases is a question for the WGs owning those specifications.

Looking at the current SCEP draft<>=1>, it might be sufficient for the CRIAttributes definition (from RFC2986) to include the ASN.1 encoding of an attestation. ACME seems to encode the CSR in RFC2986 for as well, so this might be workable.

In terms of the charter text (which is what is really in scope here) we could add text to the WG description indicating that the WG will work with relevant WGs to identify where attestations may be useful in PKI infrastructures. I think the existing charter text already covers the possibility of defining Claims to enable transport of an X.509 certificate as part of an attestation.

Please let me know if I have misunderstood. I will be posting an update to the text shortly which I believe covers this.


On 23 Oct 2018, at 20:57, Carl Wallace <<>> wrote:

[nms] Right. In order for the CA (verifier) to distinguish the certifying key is an ‘attestable key’ vs. a traditional CSR. The CA should look for a signature from the mfg cert over the CSR (certificate management message?) containing the generated public key. I’m still not seeing where there is a self-signed (issued) certificate in the equation.
This began with request to codify binding to certificate request protocols, not for a self signed certificate.

Sent from my Android device with K-9 Mail. Please excuse my brevity.