Re: [Rats] Dealing with Attestation Roots
Laurence Lundblade <lgl@island-resort.com> Wed, 22 April 2020 14:38 UTC
Return-Path: <lgl@island-resort.com>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9B63F3A0D77 for <rats@ietfa.amsl.com>; Wed, 22 Apr 2020 07:38:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jzQ7gRFC_sYX for <rats@ietfa.amsl.com>; Wed, 22 Apr 2020 07:38:28 -0700 (PDT)
Received: from p3plsmtpa11-08.prod.phx3.secureserver.net (p3plsmtpa11-08.prod.phx3.secureserver.net [68.178.252.109]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4C8F33A0D43 for <rats@ietf.org>; Wed, 22 Apr 2020 07:38:28 -0700 (PDT)
Received: from [192.168.1.78] ([76.167.193.86]) by :SMTPAUTH: with ESMTPA id RGWAjZgkiCRmmRGWAjtK0f; Wed, 22 Apr 2020 07:38:27 -0700
X-CMAE-Analysis: v=2.3 cv=WKYBoUkR c=1 sm=1 tr=0 a=t2DvPg6iSvRzsOFYbaV4uQ==:117 a=t2DvPg6iSvRzsOFYbaV4uQ==:17 a=IkcTkHD0fZMA:10 a=pGLkceISAAAA:8 a=FOECo9npAAAA:8 a=YR1WRx-QAAAA:8 a=i0EeH86SAAAA:8 a=z6gsHLkEAAAA:8 a=hD80L64hAAAA:8 a=48vgC7mUAAAA:8 a=r7TYC1OoSX58LEqLnS4A:9 a=DKqIX6kcpxdWtR1i:21 a=YeL7WE9HN8xOC2lt:21 a=QEXdDO2ut3YA:10 a=byWG51NV23l9F6lfGfes:22 a=iOyaEzCc-dPZPfZw1HLk:22 a=d-OLMTCWyvARjPbQ-enb:22 a=w1C3t2QeGrPiZgrLijVG:22
X-SECURESERVER-ACCT: lgl@island-resort.com
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
From: Laurence Lundblade <lgl@island-resort.com>
In-Reply-To: <49d8907c-7637-3d21-0619-4999565fc50e@gmail.com>
Date: Wed, 22 Apr 2020 07:38:26 -0700
Cc: "rats@ietf.org" <rats@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <7C65B977-FA56-4118-BA8B-121BD9697F7C@island-resort.com>
References: <49d8907c-7637-3d21-0619-4999565fc50e@gmail.com>
To: Anders Rundgren <anders.rundgren.net@gmail.com>
X-Mailer: Apple Mail (2.3445.104.11)
X-CMAE-Envelope: MS4wfCMDtxgHyRtWOP2Bv2iFVfytLBusw8cYDYQMOBf5tUDgPrlhvnv8R90buI1nTlBQjT/NfrX+WEYbsxMiz6aPU5V6g/GNdJ3kt7oSwi3Vp4m+sblGwpC6 LZs5TpYDmSaT1pl4e11MMsO9hi5SbiUEL5ixrWPnXZQRyTdiWvmoxyEQs0ZuI17T7v5AMV1mUXHkrrTDDgvIqhmcbL01t1KFscY=
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/RSpc3i_dj441kRJR5o4s2XNFTOM>
Subject: Re: [Rats] Dealing with Attestation Roots
X-BeenThere: rats@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Remote ATtestation procedureS <rats.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rats>, <mailto:rats-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>
List-Post: <mailto:rats@ietf.org>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rats>, <mailto:rats-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Apr 2020 14:38:30 -0000
Hi Anders, > On Feb 27, 2020, at 9:51 AM, Anders Rundgren <anders.rundgren.net@gmail.com> wrote: > > Hi List, > In the https://cyberphone.github.io/openbankingwallet project the idea was to use attestations. The most recent version of the Android app indeed supports this as well. > > In an ideal world the root would be provided by Google. However, since we don't live in an ideal world there are vendors out there who do not follow that "recipe”. Are you referring to Android N Key Attestation that is implemented in the key store? > > For W3C's PaymentRequest API a simpler solution is used which do not match attestations but is better than nothing. This scheme builds on publishing a manifest associated with the app. Here is my particular manifest: https://mobilepki.org/w3cpay/method > > But I still would like to use attestations and also not being tied to browsers. > > What about making attestations optionally contain a URL to the root like https://huawei.com/teeroot ? I don’t know what https://huawei.com/teeroot is. I can’t get anything from this URL. I’m guessing you are after an X.509 root certificate, one that is used for Android-style attestation. Is that right? LL > Since the number of vendors in finite and the Web-PKI is in a fairly good shape these days, this could serve as a workaround for those who don't have any number of cycles to spend on installing arbitrary tee root certificates. That is, a verifier's "trust registry" would simply hold host names like "huawei.com", "sony.com", "samsung.com", etc. > > If there is a better method, I'm all ears! > > thanx, > Anders > > _______________________________________________ > RATS mailing list > RATS@ietf.org > https://www.ietf.org/mailman/listinfo/rats
- [Rats] Dealing with Attestation Roots Anders Rundgren
- Re: [Rats] Dealing with Attestation Roots Anders Rundgren
- Re: [Rats] Dealing with Attestation Roots Laurence Lundblade
- Re: [Rats] Dealing with Attestation Roots Anders Rundgren
- Re: [Rats] Dealing with Attestation Roots Laurence Lundblade
- Re: [Rats] Dealing with Attestation Roots Anders Rundgren
- Re: [Rats] Dealing with Attestation Roots Eliot Lear
- Re: [Rats] Dealing with Attestation Roots Laurence Lundblade
- Re: [Rats] Dealing with Attestation Roots Laurence Lundblade