IETF Logo Mail Archive

[Rats] Re: [Seat] FW: New Version Notification for draft-reddy-rats-key-binding-00.txt

Thomas Fossati <thomas.fossati@linaro.org> Tue, 17 March 2026 15:49 UTC

Return-Path: <thomas.fossati@linaro.org>
X-Original-To: rats@mail2.ietf.org
Delivered-To: rats@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id EC8CACC50F66 for <rats@mail2.ietf.org>; Tue, 17 Mar 2026 08:49:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Level:
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=linaro.org
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WhzcefftK3vb for <rats@mail2.ietf.org>; Tue, 17 Mar 2026 08:49:44 -0700 (PDT)
Received: from mail-lf1-x131.google.com (mail-lf1-x131.google.com [IPv6:2a00:1450:4864:20::131]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id D5230CC50ED2 for <rats@ietf.org>; Tue, 17 Mar 2026 08:49:15 -0700 (PDT)
Received: by mail-lf1-x131.google.com with SMTP id 2adb3069b0e04-5a2793d0d6fso75919e87.1 for <rats@ietf.org>; Tue, 17 Mar 2026 08:49:15 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1773762555; cv=none; d=google.com; s=arc-20240605; b=Uo/Uf4NurQpIxE8GZuw+76uXysKXC7KwptQDRdlsDniUVw6BT2PxFVQwFaG7gg/3Eg lZpyWOaCmIqlZBWSxzcBo2mFvweO/mXB5AO/hCQfjXrQ2nhwRRsMOKNjAqEQmx1HN2MW fYh2Gr58CzY0d/eAudJuOiBccVQyhbpyyKUVjCoje/5BYIZobaPnZRxwLNGKUDsrd3+E CXJ34KTrdoAH4ghJhNTkpd22kNqNkhoP8lCIG3Szeq0OvxqtR5MhuvmBTRoQo7NteF6f 9PKKIkMQPcqDhXuMpsFgOO6Wx6pUfPUBsB2QzCXzIsUdwzIuMrgDyvttFnKEvu3lUYHG hpDQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=PwZHV74knMaV9OfhKdS3GgHn532uvGxSiyZIEOM4qIA=; fh=h9um0t7Sv8MfTDq5CNukS7soZ4xALSZKFrN3R0wrhaI=; b=cvArBh1D3P0yxD4LAKL044NaRqN/t8MJzP54Lyq0majNK3rCrsn585UxwGLOcfmhvG Vc5jz28QU9OJFjIIB/oOk5VvyjDo2mTFcpxml/UWDBPiyf0OzB/+fuy9zassxQn5DGeW 6FksltQG6cNVH/6nJNdOkCQV3PHf7MpxW8m/X6GpltdVqUJ1jk0NUJJixziKYNon0xQj ezatrL3nYR7yvmZIjpiydaVF89006BX6PBEveILTtIHw2oqdXtXHAZnSgqpk24nHWgFg VgkXHuxr6dQ0Tjqlv0s6mSJcS/Bc6PWNtyX0KhTR6heOk2N1/cEQF/s4mKLQK0bn0iKS DMEA==; darn=ietf.org
ARC-Authentication-Results: i=1; mx.google.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; t=1773762555; x=1774367355; darn=ietf.org; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=PwZHV74knMaV9OfhKdS3GgHn532uvGxSiyZIEOM4qIA=; b=xKkUVDUogSj3VI4X6Q1ot1jSq7gmBF1+IveuhgTp/dCfv9vmFacMH/xvJD9JYC1RCU ME0jzldMRHTKgfmqPe9aeT/cgqaO4B3Se2jmAGzde5zIIc2+s1zWbTzGGkB56AfJDlaN IBjCZ5B8LfoM78PVK1yIyhnPzRHazDcGRjkRssPChfKcdG/uF5RkuUNOzuoPRvWwhwTZ Cs7xMLzK0WlOt/PQl74tg4RowPnMVTyn2Up+rhAPh4N3lVMSZENQYTfSSO2anf3sErGe wjcNKDhJHj5wc8nSGQBEbgpdd4ia0vzcoCHG3CqeJ8rQ5cVYrpsue/Fxg0Z3TMeGnEvD i/GQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1773762555; x=1774367355; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-gg:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=PwZHV74knMaV9OfhKdS3GgHn532uvGxSiyZIEOM4qIA=; b=rE+aBoj2bZbdyPhE6UfA11QBldWV8hQSb6nXgqv1Ij4XI/X1NC2QLZnHbGOMf9QFHC Qjebg06hR8cbbVX6FOP91QS7rGlC8om2jxdfoz/++7BtaTw5fLltPIxblrhnrftghBaB 5qpwdUm1/7BM4dZt2E+Gq2z1i60/qD7+5xBfCRMt0OCzgQV9pLBc3DlZ2r8efQvqE+9s Te4Ura4L7k8/zc4LuVwXWMpPQzc+mP/4/LBybjqjaDLQ5xTbhra2ySvrghzJ9tLe05Cz /ux+p0Dqi+HQejdjq5YO8+8NYt/3XYwVupkmYDU1zFOwqByC7dM4t+U/ffEkYVDFvDEL hNcA==
X-Forwarded-Encrypted: i=1; AJvYcCVThMNYX2dj/cXmT9ws8uyg1AEsjLTVeP94G24xK4z1IJMoZst/s2oWeDbLJLI7yHMQnrxE@ietf.org
X-Gm-Message-State: AOJu0YwpZ6CqlqaIyghopeIpmlsRtad72RdHucc86/h/J9kHs774Tt5W g2r0s+ETBwlxjmMl49p1kwiL4Xsj6mFe2EY3G0adqqfYAY8AmTmkcdG7/afO7GH3stfMbkoLs6t 0nYpmFuhiALMpt42vSXSQfwB5jOR4i3a/3GPwrwggMw==
X-Gm-Gg: ATEYQzz5jHuwi3VHIuEGbQw07DWckjvJrcAk/JCrKo9T13o7xVukblfDFbkzybD5ABj B38tv+RegYMRd2voN4EEmMdeCGbMz+4A5uqzYnMZF3Ks2Zef5RxyBGl9H4AJVwbVE93QERAK3K/ fCvfztZ6xPjFDajc9Lyg6TK9cTMkqSGxsIc3cLw6Or0aTdWnaub9HHa/rK62pgaiAco145oMVfO 4JD0MAhZtEMIUy7WPx7iAZKUmB+DVKVUoue/VetRo4Vz0/LAtJDyQ6dNSwzUb04R4MsYmu3nXB4 kYvXJ3I+dNd+UgqLYN0b8IR7IxZsXSsY0gOTRhojjQxjiwtLP1TP/gwUGf4Bh1/w4RtXtq2dS+v LPD9kJpnowuD6n134sbkp12gOJbNgTNIy+MGAy8pcGq6Ufi410E8z0vy3eZOeGEQ/QtdmqpMs9G BYThZWnGYCPiRRqV/E
X-Received: by 2002:a05:6512:3d1e:b0:5a1:3bad:8ffb with SMTP id 2adb3069b0e04-5a279598ec2mr25411e87.19.1773762554478; Tue, 17 Mar 2026 08:49:14 -0700 (PDT)
MIME-Version: 1.0
References: <177358299754.193806.3663616865438494971@dt-datatracker-5477d56788-5pkt5> <VI0PR07MB113715D68DF911E0821D31357AB43A@VI0PR07MB11371.eurprd07.prod.outlook.com> <CAFpG3gcNfk+4yaq7JV3i98xjd5D7DS5iwjb3thqtYSLNrR394g@mail.gmail.com> <CA+1=6yd7t32=rB_0X26ApxEzN_gyBs7MujOgxVN4PgOm0BoCvQ@mail.gmail.com> <CAFpG3gchv1+tfySfN6ctjHw5isHjfsHLQq8+-Qa5jBKt6_wGcA@mail.gmail.com>
In-Reply-To: <CAFpG3gchv1+tfySfN6ctjHw5isHjfsHLQq8+-Qa5jBKt6_wGcA@mail.gmail.com>
From: Thomas Fossati <thomas.fossati@linaro.org>
Date: Tue, 17 Mar 2026 16:48:58 +0100
X-Gm-Features: AaiRm53Jpc5qUn7hoNqbPQVQZVJlsJ4Ft89eNHl8tIt4m2vX4SOPSRNJJy_apn8
Message-ID: <CA+1=6yegfy37hTbwS8Q80vXymz-cQs5zjS2hYiGSzVu1hFZjGg@mail.gmail.com>
To: tirumal reddy <kondtir@gmail.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Message-ID-Hash: EGSA6WPIYHQ3HTRHRNF4TB4XXY7J4DDA
X-Message-ID-Hash: EGSA6WPIYHQ3HTRHRNF4TB4XXY7J4DDA
X-MailFrom: thomas.fossati@linaro.org
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-rats.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: seat@ietf.org, rats@ietf.org
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [Rats] Re: [Seat] FW: New Version Notification for draft-reddy-rats-key-binding-00.txt
List-Id: Remote ATtestation procedureS <rats.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/NGgXS4SdjKptN_XpLS9DCoZ-CGI>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Owner: <mailto:rats-owner@ietf.org>
List-Post: <mailto:rats@ietf.org>
List-Subscribe: <mailto:rats-join@ietf.org>
List-Unsubscribe: <mailto:rats-leave@ietf.org>

Hi Tiru,

On Tue, 17 Mar 2026 at 08:58, tirumal reddy <kondtir@gmail.com> wrote:
> The key difference is that this draft does not require an additional root of trust or new ABIs. It works with attestation evidence the platform already produces, with the binding achieved at the protocol layer by using the cnf claim to carry the subject public key in the attestation evidence.

This is not what I gathered from the evidence construction described
in §3.2, which states that the EAT claims-set is signed by the AK.
Now, since the AK is defined as follows:

“A cryptographic key, typically hardware-backed, used to sign
attestation evidence that conveys claims about the state of a platform
or trusted execution environment.”

It means that, in order to obtain a signature from the AK, the
functionality (i.e. the evidence claims-set construction) will need to
be integrated into the RoT that holds the AK.  Plus, since the
construction is parameterised on nonce and PK, extending the RoT’s
API/ABI surface will also be necessary.

I can't think of any other way to realise §3.2 as written.

Instead, we (roughly) did the following:

1. Construct the unsigned "key confirmation" claims set (UCCS) within
the confidential VM that hosts the TLS endpoint
2. CBOR encode it
3. Hash the CBOR bytes
4. Supply the computed hash as nonce through the existing platform
attestation ABI
5. Get back the platform evidence
6. Wrap it alongside the UCCS in a CMW collection
7. Ship it to the TLS peer/RP, which would forward it to the verifier

The verifier would then appraise the platform token, verify the
correct binding to the "key confirmation" UCCS via the nonce, extract
the public key and send it back to the RP within an attestation result
that essentially stated: "This public key is bound to the successfully
appraised TEE and you can use it to verify your peer's signature over
the TLS handshake."

The advantage of this design is that it simply reuses existing, common
attestation ABIs (e.g., configfs-tsm, TPM, PSA), which permit a
fixed-size "inblob" parameter.

cheers!

Digression/ramblings (feel free to skip it):

The one described above is an "indirect" attestation from the
_platform_ RoT.  It’s indirect because it requires the verifier to
recognise that a certain reported measurement in the platform
attestation (e.g., that of the confidential VM) corresponds to an
execution environment with the desired “key handling” properties.

If instead there was a standard RoT that provided certain key handling
features (generation, secure storage, signing and non-exportability),
you coudl obtain an attestation statement from that RoT confirming
that you own the key used in the PoP protocol, i.e., something like
“this key is held by me, the RoT, and belongs to the presenter who is
the only one authorised to request signatures using this key."

This would be a "direct" attestation from the _special-purpose_ RoT,
whose attesattion key would be endorsed by the supply chain. This
would allow the verifier to check its claims directly rather than
indirectly via a certain measurement.

I'm not aware of any publicly available RoTs with those features.

v2.46.0 | Report a Bug | By Email | System Status