Re: [Rats] Out-of-band key material set up in architecture document

Laurence Lundblade, Wed, 06 November 2019 16:58 UTC

> On Nov 5, 2019, at 3:40 PM, Dave Thaler <> wrote:
> Inline below…
> From: RATS < <>> On Behalf Of Laurence Lundblade
> Sent: Tuesday, November 5, 2019 12:17 PM
> To: <>
> Subject: [Rats] Out-of-band key material set up in architecture document
> An issue I have with both the current architecture documents is that they do not discuss the need for some out-of-band key material set up to make verification work.
> The manufacturer of the device must put some private key into each device so that the device can sign attestation evidence. Most likely the manufacturer also creates the verifying key material, but they may or may not be the verifier. If they are not the verifier, somehow the verifier of attestation evidence must have corresponding key material to verify the signature.
> This paragraph could be a start of the text. I think this is a critical part of the architecture because attestation doesn't work without it.
> I agree that a private key is needed in each device for attestation to work (at least using any techniques
> I'm aware of). Saying "the manufacturer must put it there" is, however, I think too narrow, as it implies the
> manufacturer actually knows the key. In some arguably more secure designs, the device itself creates the
> key pair and the manufacturer per se never knows the private key, only the public key, so it would be
> confusing to say the manufacturer “put” it there, or that the “manufacturer creates” the key material.

We could say “establish the signing key”? Certainly don’t want to exclude those more secure designs.

> ...
> Furthermore, the RATS charter does not constrain attestation to only *hardware* based roots of trust.
> There are some cases where it may be in a hypervisor or bios or firmware or whatever, and only attest
> things above that, with obviously a weaker level of security than hardware-rooted attestation.   But any
> protocol mechanisms should still work (mainly because it’s almost impossible to rule them out except via
> a security policy that says which keys to trust), even if it’s not the primary focus we care most about.  The
> point here being that in such a case it may not be the “manufacturer”, but may be another entity.  That’s
> actually true in some cases even for hardware-based roots of trust.

Yes, the “manufacturer” could be a SW vendor or even the author of a dumb Android app. We need a much broader term or description.
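To make the key-material set-up being debated above concrete, here is an added, constructed Go sketch of the three roles the thread names; it is not code from the RATS working group or from either poster. It assumes Ed25519 as the signature scheme (the thread names none) and uses hypothetical type names Device, Endorser, Endorsement and Verifier. The device generates its own key pair and only ever exports the public half, as in the "more secure designs" Dave describes; the endorser (a manufacturer, a SW vendor, or any other entity) signs that public key to produce the out-of-band material; and the verifier's "security policy that says which keys to trust" is simply a list of endorser public keys. Evidence whose device key was endorsed by an entity outside that list, or whose signature does not verify, is rejected.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Device establishes its own attestation signing key on-device.
// The private half never leaves this struct; nobody else "puts" it there.
type Device struct {
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewDevice() (*Device, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{pub: pub, priv: priv}, nil
}

// PublicKey is the only key material the device exports during provisioning.
func (d *Device) PublicKey() ed25519.PublicKey { return d.pub }

// SignEvidence signs the evidence bytes with the device's private key.
func (d *Device) SignEvidence(evidence []byte) []byte {
	return ed25519.Sign(d.priv, evidence)
}

// Endorser is whichever entity vouches for a device key (manufacturer, SW
// vendor, or something else). It sees only the device's public key.
type Endorser struct {
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewEndorser() (*Endorser, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Endorser{pub: pub, priv: priv}, nil
}

func (e *Endorser) PublicKey() ed25519.PublicKey { return e.pub }

// Endorsement is the out-of-band key material the verifier needs: the device
// public key plus the endorser's signature over it (hypothetical format).
type Endorsement struct {
	DevicePub ed25519.PublicKey
	Sig       []byte
}

func (e *Endorser) Endorse(devPub ed25519.PublicKey) Endorsement {
	return Endorsement{DevicePub: devPub, Sig: ed25519.Sign(e.priv, devPub)}
}

// Verifier holds the trust policy: the set of endorser keys it accepts.
type Verifier struct {
	trusted []ed25519.PublicKey
}

func NewVerifier(trusted ...ed25519.PublicKey) *Verifier {
	return &Verifier{trusted: trusted}
}

var (
	ErrUntrustedEndorser = errors.New("device key is not endorsed by a trusted entity")
	ErrBadEvidenceSig    = errors.New("evidence signature does not verify under the endorsed device key")
)

// Verify first checks that the endorsement chains to a trusted endorser, then
// checks the evidence signature under the endorsed device key.
func (v *Verifier) Verify(end Endorsement, evidence, sig []byte) error {
	endorsed := false
	for _, pub := range v.trusted {
		if ed25519.Verify(pub, end.DevicePub, end.Sig) {
			endorsed = true
			break
		}
	}
	if !endorsed {
		return ErrUntrustedEndorser
	}
	if !ed25519.Verify(end.DevicePub, evidence, sig) {
		return ErrBadEvidenceSig
	}
	return nil
}

func main() {
	endorser, _ := NewEndorser()
	rogue, _ := NewEndorser() // an endorser the verifier's policy does not list
	dev, _ := NewDevice()
	verifier := NewVerifier(endorser.PublicKey())

	evidence := []byte(`{"fw":"1.2.3","boot":"measured"}`) // constructed sample evidence
	sig := dev.SignEvidence(evidence)

	fmt.Println("trusted endorsement:", verifier.Verify(endorser.Endorse(dev.PublicKey()), evidence, sig))
	fmt.Println("rogue endorsement:  ", verifier.Verify(rogue.Endorse(dev.PublicKey()), evidence, sig))
	fmt.Println("tampered evidence:  ", verifier.Verify(endorser.Endorse(dev.PublicKey()), []byte("tampered"), sig))
}
```

The point the sketch makes is the one Laurence raises: nothing in the signing or verification step itself tells the verifier which device keys to believe; that decision lives entirely in the endorsement and the verifier's list of trusted endorsers, both of which have to be set up out of band before any evidence can be checked.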