Re: [Rats] EAT claims needed by TEEP

Laurence Lundblade <> Tue, 27 October 2020 20:45 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id E109E3A0E9E for <>; Tue, 27 Oct 2020 13:45:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -0.261
X-Spam-Status: No, score=-0.261 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, LH_URI_DOM_IN_PATH=1.533, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id Sk1sRJeLAK8f for <>; Tue, 27 Oct 2020 13:45:09 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id D48E33A0EE1 for <>; Tue, 27 Oct 2020 13:45:09 -0700 (PDT)
Received: from [] ([]) by :SMTPAUTH: with ESMTPA id XVq8kNvDACxjbXVq9knBDS; Tue, 27 Oct 2020 13:45:09 -0700
X-CMAE-Analysis: v=2.4 cv=MYepB7zf c=1 sm=1 tr=0 ts=5f9886d5 a=t2DvPg6iSvRzsOFYbaV4uQ==:117 a=t2DvPg6iSvRzsOFYbaV4uQ==:17 a=yMhMjlubAAAA:8 a=K6EGIJCdAAAA:8 a=48vgC7mUAAAA:8 a=UqCG9HQmAAAA:8 a=0XtbOteLAAAA:20 a=yj6dSO1jGMNs0pzK1ZEA:9 a=ZaHD-_rrhb3_OlZV:21 a=_FpwxEm8Vo6fSCVZ:21 a=QEXdDO2ut3YA:10 a=VYg6gOQCZo0zsz-dFs4A:9 a=XMRbwrl2xdCQ6TV1:21 a=BP4yVtUgfEJ8JaCq:21 a=w7rmA34bbtZsaBuO:21 a=_W_S_7VecoQA:10 a=L6pVIi0Kn1GYQfi8-iRI:22 a=w1C3t2QeGrPiZgrLijVG:22
From: Laurence Lundblade <>
Message-Id: <>
Content-Type: multipart/alternative; boundary="Apple-Mail=_E37BC342-409F-4A3C-9684-BCF326C16DCC"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.17\))
Date: Tue, 27 Oct 2020 13:45:08 -0700
In-Reply-To: <>
Cc: "" <>, teep <>
To: Dave Thaler <>
References: <> <> <>
X-Mailer: Apple Mail (2.3445.104.17)
X-CMAE-Envelope: MS4xfAWqfDgD7QZgcfXxvW0P7APYznLunv78kMvSSgpVpQNPk6p7a+pYbgTL0+X3WCE+yK2eeT5cZxUtIm+DUDzBmd8h8lH+k41sm+hFslIVQXKOtakvI0aF sBooYiFS6xAU3VbPXsPSyIcGplRQ1Chm3Yz5YBxWCGpKGxx0gjtbqhQGNwxJbQ152qwVDMOZsoV7a5M+a8kgoyuTojNaNmex9oy+qy979eBjTi2zev8pcOtm LlShGlPRDqYRUY9Roz8BGw==
Archived-At: <>
Subject: Re: [Rats] EAT claims needed by TEEP
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Remote ATtestation procedureS <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 27 Oct 2020 20:45:12 -0000

CoSWID should cover all the identification of vendors, models, versions and stuff for SW. If it doesn’t talk to Henk about fixes to CoSWID. :-)

For HW, there is OEMID and recently proposed chip version, board version and device version. It seems like we need a model number claim for HW. I will work on that.

Seems like submodules would be used to organize claims for layered attestation and all of the above claims can occur in any submodule they need to.

Does this mostly cover it? 

I worry that the HW claims are bit too rigid in their use of EAN-13 and IEEE registries. Might need to do something about that.


> On Oct 27, 2020, at 1:26 PM, Dave Thaler <> wrote:
> Inline below…
> From: Laurence Lundblade < <>> 
> Sent: Tuesday, October 27, 2020 11:57 AM
> To: Dave Thaler < <>>
> Cc: <>; teep < <>>
> Subject: Re: [Rats] EAT claims needed by TEEP
> Personally, I think attestation of TEE’s is pretty important and should be handled well in EAT. So I’m interested in working on and adding claims for this to EAT.
> After reading section 7.1 in TEEP architecture, it does seem like there some work to do here to get to specific standardized interoperable claims.
> More comments below.
> On Oct 26, 2020, at 3:15 PM, Dave Thaler < <>> wrote:
> As discussed in previous IETF meetings, if there are claims beyond the base set that
> other WGs need, they can be specified by the other WGs with review by RATS.
> The TEEP WG needs the following in EATs and I am not sure whether they can be
> covered by existing claims or whether TEEP-specific claims are needed.  From
> section 7.1 of draft-ietf-teep-architecture:
> Ø     -  Device Identifying Information: TEEP attestations may need to
> Ø        uniquely identify a device to the TAM.  Unique device
> Ø        identification allows the TAM to provide services to the device,
> Ø        such as managing installed TAs, and providing subscriptions to
> Ø        services, and locating device-specific keying material to
> Ø        communicate with or authenticate the device.
> I believe the Universal Entity ID Claim (ueid) is claim that meets the above requirement.
> But the TEEP arch then goes on to say:
> Ø        In some use cases it
> Ø        may be sufficient to identify only the class of the device.  The
> Ø        security and privacy requirements regarding device identification
> Ø        will vary with the type of TA provisioned to the TEE.
> Which EAT claim contains the device class? The closest thing I see is OEM Identification by IEEE (oemid)
> but I am not sure that is sufficient since it's only the OEM not the device class from that OEM.
> This doesn’t seem like something that should be TEEP specific though, so can someone tell me how to
> represent device class using the claims in the EAT spec?
> I don’t think the OEMID, UEID or other should be (ab)used  to represent device class. That would result in them being less reliable and useful in a generic sense. We should come up with a new claim.
> +1
> We can define a claim to be  the device class and make it a byte string like a UEID, but I think we have to go further to make it useful as an interoperable standardize claim. There has to be some method for the classification. TrustZone vs hypervisor based? Fast vs slow? Has a protected mode kernel and TAs? The TEEP document doesn’t say. This seems problematic without a classification scheme.
> [DT] I’m not sure we need a classification scheme, at least for TEEP.  A simple device class byte string as you suggest would suffice in my opinion.
> I wonder if the intent is more about grouping, in which case we can define a GEID (Group Entity ID) that looks a lot like a UEID. That seems useful and sensible to me. It is not about classification based on any characteristics. It lines up with the privacy preserving technique of one key per 100,000 devices.
> Ø     -  TEE Identifying Information: The type of TEE that generated this
> Ø        attestation must be identified, including version identification
> Ø        information such as the hardware, firmware, and software version
> Ø        of the TEE, as applicable by the TEE type.  TEE manufacturer
> Ø        information for the TEE is required in order to disambiguate the
> Ø        same TEE type created by different manufacturers and address
> Ø        considerations around manufacturer provisioning, keying and
> Ø        support for the TEE.
> Similarly for this requirement, the closest thing I see is Origination Claim (origination) but I am not sure
> that is sufficient since it's just the manufacturer not the "version identification information such as the
> hardware, firmware, and software version of the TEE”
> Definitely not origination claim. 
> +1
> The intent of it something like Endorser identification and I think it should be replaced by an Endorser/X.509 cert URL.
> I would say, this is a combination of claims
> It’s just used:
> 1)     For a Verifier in appraising the evidence (nothing TEEP specific here, appraisal policy can involve any claim), and
> 2)     To be used by a TAM to decide which TA’s apply to the TEE.  In that sense it’s just like any other vendor id + device class for any non TEE, and I believe if there were a byte string for device class as you suggest that would be sufficient in my opinion.
> Keeping in mind the “layered attestation” concept in the arch doc, as long as we have a claimset per layer, then I think the same “vendor id” and “class” claims that would apply to any device could be reused for the TEE, and reused for describing each layer.  E.g., a “version” claim would apply at the hardware layer and be the hardware version, at the firmware layer and be a firmware version, at the OS layer and be an OS version, etc.
> I’ve just added a PR <> for HW version claims.
> The intent for SW version claims is to use CoSWID. We should probably create some examples to see if it can represent what TEEP wants to represent.
> Agree this sounds promising.
> The paragraph mentions “type of TEE”. I’m not sure what is intended. I don’t know of any common taxonomy for classifying TEEs.
> A unique identifier is sufficient in my view, no “classification” or “taxonomy” is required by anything that the TEEP WG has discussed to date, as far as I know.
> Should the TEEP WG define TEEP-specific claims for such information?
> I’d like to see most of them go into EAT unless they are super specific to TEEP (TEEP not TEEs). I think there is value in broad standardize claims as it promotes interoperability of RATS.
> Sounds good to me.   Consider this a request to add some way to express “vendor id”, “model” (or “class” or whatever you want to call it), and “version” as claims that can be applied in claimsets at various layers.   I glanced at the PR you referenced and it seems to be a chip-specific version, not a generic version claim that can be used at multiple layers, so is not sufficient to meet the TEEP arch draft’s requirements, we still need other claims added.
> Thanks!
> Dave
> LL
> Dave
> _______________________________________________
> RATS mailing list
> <>
> <>