MIME-Version: 1.0
References: 
 <177358299754.193806.3663616865438494971@dt-datatracker-5477d56788-5pkt5>
 <VI0PR07MB113715D68DF911E0821D31357AB43A@VI0PR07MB11371.eurprd07.prod.outlook.com>
 <CAFpG3gcNfk+4yaq7JV3i98xjd5D7DS5iwjb3thqtYSLNrR394g@mail.gmail.com>
 <CA+1=6yd7t32=rB_0X26ApxEzN_gyBs7MujOgxVN4PgOm0BoCvQ@mail.gmail.com>
In-Reply-To: 
 <CA+1=6yd7t32=rB_0X26ApxEzN_gyBs7MujOgxVN4PgOm0BoCvQ@mail.gmail.com>
From: tirumal reddy <kondtir@gmail.com>
Date: Tue, 17 Mar 2026 13:27:41 +0530
Message-ID: 
 <CAFpG3gchv1+tfySfN6ctjHw5isHjfsHLQq8+-Qa5jBKt6_wGcA@mail.gmail.com>
To: Thomas Fossati <thomas.fossati@linaro.org>
Content-Type: multipart/alternative; boundary="000000000000c17e72064d33b2a9"
Message-ID-Hash: YE2U4FSCCQKOKW5MQ5KLGQIHSC422NVD
CC: seat@ietf.org, rats@ietf.org
Precedence: list
Subject: =?utf-8?q?=5BRats=5D_Re=3A_=5BSeat=5D_FW=3A_New_Version_Notification_for_dra?=
	=?utf-8?q?ft-reddy-rats-key-binding-00=2Etxt?=
Archived-At: 
 <https://mailarchive.ietf.org/arch/msg/rats/Y9M_E--csF991tWZJts154b_FCY>

--000000000000c17e72064d33b2a9
Content-Type: text/plain; charset="UTF-8"

On Mon, 16 Mar 2026 at 12:08, Thomas Fossati <thomas.fossati@linaro.org>
wrote:

> Hi Tiru & Hannes,
>
> On Sun, 15 Mar 2026 at 15:22, tirumal reddy <kondtir@gmail.com> wrote:
> >
> > We have published a new draft:
> https://www.ietf.org/archive/id/draft-reddy-rats-key-binding-00.txt.
> >
> > In certificate enrollment and TLS authentication, the attestation
> evidence and the private key used to sign a CSR, or the private key
> corresponding to a TLS end-entity certificate, are validated independently,
> which can enable key substitution or relay attacks (a threat raised by Paul
> in SEAT WG). The threat is discussed in more detail in the Introduction of
> the draft.
> >
> > The draft addresses this by binding the Subject Key to the attested
> platform state while leveraging the existing protocol-level proof of
> possession, and by defining a key-attributes claim to convey key protection
> properties. The mechanism defined in the draft can be used with both the
> pre-handshake and post-handshake attestation solution drafts.
> >
> > Comments and feedback from the WG would be welcome.
>
> AFAICS, this approach is very similar to the one we developed in the
> early days of the attested TLS project, for exactly the same reasons.
> (It is captured in draft-kat [1].)
> The problem with this approach was that it required the platform to
> support an additional root of trust & ABIs, which is impractical in
> the general case.  In the context of CC, we moved the functionality to
> the confidential workload and bound it on top of the existing platform
> evidence.  I found that a bit ad hoc, but it solved our immediate
> problem.  I'm not sure that can be easily generalised. This appears to
> be a typical IMPDEF (implementation-defined) case, where the developer
> must ensure the system hosting the TLS endpoint offers the necessary
> primitives and determine how to achieve this.
>

Thanks for the feedback and the pointer to draft-bft-rats-kat, we discussed
it before publishing this draft.

The key difference is that this draft does not require an additional root
of trust or new ABIs. It works with attestation evidence the platform
already produces, with the binding achieved at the protocol layer by using
the cnf claim to carry the subject public key in the attestation evidence.
This cryptographically binds the subject key to the attested platform state
without requiring any new platform primitives. The key-attributes claims
are reused from draft-ietf-rats-pkix-key-attestation rather than defining
new ones, we are reusing what already exists in CWT-based EAT. The
key-attributes claim conveys the protection properties and the relying
party makes the trust decision based on its security policy, consistent
with the RATS architecture.

Cheers,
-Tiru


>
> cheers, t
>
> [1] https://datatracker.ietf.org/doc/draft-bft-rats-kat/
>
> > Best regards,
> > - Tiru and Hannes
> >
> > -----Original Message-----
> > From: internet-drafts@ietf.org <internet-drafts@ietf.org>
> > Sent: Sunday, March 15, 2026 7:27 PM
> > To: K Tirumaleswar Reddy (Nokia) <k.tirumaleswar_reddy@nokia.com>;
> Hannes Tschofenig <Hannes.Tschofenig@gmx.net>; Hannes Tschofenig <
> hannes.tschofenig@gmx.net>; K Tirumaleswar Reddy (Nokia) <
> k.tirumaleswar_reddy@nokia.com>
> > Subject: New Version Notification for draft-reddy-rats-key-binding-00.txt
> >
> >
> > CAUTION: This is an external email. Please be very careful when clicking
> links or opening attachments. See the URL nok.it/ext for additional
> information.
> >
> >
> >
> > A new version of Internet-Draft draft-reddy-rats-key-binding-00.txt has
> been successfully submitted by Tirumaleswar Reddy and posted to the IETF
> repository.
> >
> > Name:     draft-reddy-rats-key-binding
> > Revision: 00
> > Title:    Key Attestation for Entity Attestation Tokens (EAT)
> > Date:     2026-03-15
> > Group:    Individual Submission
> > Pages:    17
> > URL:
> https://www.ietf.org/archive/id/draft-reddy-rats-key-binding-00.txt
> > Status:   https://datatracker.ietf.org/doc/draft-reddy-rats-key-binding/
> > HTML:
> https://www.ietf.org/archive/id/draft-reddy-rats-key-binding-00.html
> > HTMLized:
> https://datatracker.ietf.org/doc/html/draft-reddy-rats-key-binding
> >
> >
> > Abstract:
> >
> >    This document defines a CWT-based Entity Attestation Token (EAT)
> >    profile and a new EAT claim that cryptographically bind a private key
> >    used to sign a certificate signing request (CSR), or the private key
> >    corresponding to an end-entity certificate used for TLS
> >    authentication, to an attested execution environment.
> >
> >    The subject public key is conveyed using the EAT cnf claim defined in
> >    [RFC8747], and freshness uses the EAT nonce claim defined in
> >    [RFC9711].  The proof of possession of the subject key is obtained
> >    from the surrounding protocol, such as TLS certificate-based
> >    authentication or CSR signature verification.  Because the EAT is
> >    signed by a hardware-backed Attestation Key (AK), successful
> >    verification of the EAT signature together with protocol-level proof
> >    of possession establishes a cryptographic binding between the private
> >    key and the attested platform state.  This mechanism addresses key
> >    substitution attacks that arise when attestation evidence and the
> >    certificate private keys are validated independently.
> >
> >
> >
> > The IETF Secretariat
> >
> >
> > _______________________________________________
> > Seat mailing list -- seat@ietf.org
> > To unsubscribe send an email to seat-leave@ietf.org
>

--000000000000c17e72064d33b2a9
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><div dir=3D"ltr">On Mon, 16 Mar 2026 at 12:08, Thomas Foss=
ati &lt;<a href=3D"mailto:thomas.fossati@linaro.org">thomas.fossati@linaro.=
org</a>&gt; wrote:</div><div class=3D"gmail_quote gmail_quote_container"><b=
lockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-le=
ft:1px solid rgb(204,204,204);padding-left:1ex">Hi Tiru &amp; Hannes,<br>
<br>
On Sun, 15 Mar 2026 at 15:22, tirumal reddy &lt;<a href=3D"mailto:kondtir@g=
mail.com" target=3D"_blank">kondtir@gmail.com</a>&gt; wrote:<br>
&gt;<br>
&gt; We have published a new draft: <a href=3D"https://www.ietf.org/archive=
/id/draft-reddy-rats-key-binding-00.txt" rel=3D"noreferrer" target=3D"_blan=
k">https://www.ietf.org/archive/id/draft-reddy-rats-key-binding-00.txt</a>.=
<br>
&gt;<br>
&gt; In certificate enrollment and TLS authentication, the attestation evid=
ence and the private key used to sign a CSR, or the private key correspondi=
ng to a TLS end-entity certificate, are validated independently, which can =
enable key substitution or relay attacks (a threat raised by Paul in SEAT W=
G). The threat is discussed in more detail in the Introduction of the draft=
.<br>
&gt;<br>
&gt; The draft addresses this by binding the Subject Key to the attested pl=
atform state while leveraging the existing protocol-level proof of possessi=
on, and by defining a key-attributes claim to convey key protection propert=
ies. The mechanism defined in the draft can be used with both the pre-hands=
hake and post-handshake attestation solution drafts.<br>
&gt;<br>
&gt; Comments and feedback from the WG would be welcome.<br>
<br>
AFAICS, this approach is very similar to the one we developed in the<br>
early days of the attested TLS project, for exactly the same reasons.<br>
(It is captured in draft-kat [1].)<br>
The problem with this approach was that it required the platform to<br>
support an additional root of trust &amp; ABIs, which is impractical in<br>
the general case.=C2=A0 In the context of CC, we moved the functionality to=
<br>
the confidential workload and bound it on top of the existing platform<br>
evidence.=C2=A0 I found that a bit ad hoc, but it solved our immediate<br>
problem.=C2=A0 I&#39;m not sure that can be easily generalised. This appear=
s to<br>
be a typical IMPDEF (implementation-defined) case, where the developer<br>
must ensure the system hosting the TLS endpoint offers the necessary<br>
primitives and determine how to achieve this.<br></blockquote><div><br></di=
v><div>Thanks for the feedback and the pointer to draft-bft-rats-kat, we di=
scussed it before publishing this draft. <br><br>The key difference is that=
 this draft does not require an additional root of trust or new ABIs. It wo=
rks with attestation evidence the platform already produces, with the bindi=
ng achieved at the protocol layer by using the cnf claim to carry the subje=
ct public key in the attestation evidence. This cryptographically binds the=
 subject key to the attested platform state without requiring any new platf=
orm primitives. The key-attributes claims are reused from draft-ietf-rats-p=
kix-key-attestation rather than defining new ones, we are reusing what alre=
ady exists in CWT-based EAT. The key-attributes claim conveys the protectio=
n properties and the relying party makes the trust decision based on its se=
curity policy, consistent with the RATS architecture.</div><div><br></div><=
div>Cheers,</div><div>-Tiru</div><div>=C2=A0</div><blockquote class=3D"gmai=
l_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,20=
4,204);padding-left:1ex">
<br>
cheers, t<br>
<br>
[1] <a href=3D"https://datatracker.ietf.org/doc/draft-bft-rats-kat/" rel=3D=
"noreferrer" target=3D"_blank">https://datatracker.ietf.org/doc/draft-bft-r=
ats-kat/</a><br>
<br>
&gt; Best regards,<br>
&gt; - Tiru and Hannes<br>
&gt;<br>
&gt; -----Original Message-----<br>
&gt; From: <a href=3D"mailto:internet-drafts@ietf.org" target=3D"_blank">in=
ternet-drafts@ietf.org</a> &lt;<a href=3D"mailto:internet-drafts@ietf.org" =
target=3D"_blank">internet-drafts@ietf.org</a>&gt;<br>
&gt; Sent: Sunday, March 15, 2026 7:27 PM<br>
&gt; To: K Tirumaleswar Reddy (Nokia) &lt;<a href=3D"mailto:k.tirumaleswar_=
reddy@nokia.com" target=3D"_blank">k.tirumaleswar_reddy@nokia.com</a>&gt;; =
Hannes Tschofenig &lt;<a href=3D"mailto:Hannes.Tschofenig@gmx.net" target=
=3D"_blank">Hannes.Tschofenig@gmx.net</a>&gt;; Hannes Tschofenig &lt;<a hre=
f=3D"mailto:hannes.tschofenig@gmx.net" target=3D"_blank">hannes.tschofenig@=
gmx.net</a>&gt;; K Tirumaleswar Reddy (Nokia) &lt;<a href=3D"mailto:k.tirum=
aleswar_reddy@nokia.com" target=3D"_blank">k.tirumaleswar_reddy@nokia.com</=
a>&gt;<br>
&gt; Subject: New Version Notification for draft-reddy-rats-key-binding-00.=
txt<br>
&gt;<br>
&gt;<br>
&gt; CAUTION: This is an external email. Please be very careful when clicki=
ng links or opening attachments. See the URL <a href=3D"http://nok.it/ext" =
rel=3D"noreferrer" target=3D"_blank">nok.it/ext</a> for additional informat=
ion.<br>
&gt;<br>
&gt;<br>
&gt;<br>
&gt; A new version of Internet-Draft draft-reddy-rats-key-binding-00.txt ha=
s been successfully submitted by Tirumaleswar Reddy and posted to the IETF =
repository.<br>
&gt;<br>
&gt; Name:=C2=A0 =C2=A0 =C2=A0draft-reddy-rats-key-binding<br>
&gt; Revision: 00<br>
&gt; Title:=C2=A0 =C2=A0 Key Attestation for Entity Attestation Tokens (EAT=
)<br>
&gt; Date:=C2=A0 =C2=A0 =C2=A02026-03-15<br>
&gt; Group:=C2=A0 =C2=A0 Individual Submission<br>
&gt; Pages:=C2=A0 =C2=A0 17<br>
&gt; URL:=C2=A0 =C2=A0 =C2=A0 <a href=3D"https://www.ietf.org/archive/id/dr=
aft-reddy-rats-key-binding-00.txt" rel=3D"noreferrer" target=3D"_blank">htt=
ps://www.ietf.org/archive/id/draft-reddy-rats-key-binding-00.txt</a><br>
&gt; Status:=C2=A0 =C2=A0<a href=3D"https://datatracker.ietf.org/doc/draft-=
reddy-rats-key-binding/" rel=3D"noreferrer" target=3D"_blank">https://datat=
racker.ietf.org/doc/draft-reddy-rats-key-binding/</a><br>
&gt; HTML:=C2=A0 =C2=A0 =C2=A0<a href=3D"https://www.ietf.org/archive/id/dr=
aft-reddy-rats-key-binding-00.html" rel=3D"noreferrer" target=3D"_blank">ht=
tps://www.ietf.org/archive/id/draft-reddy-rats-key-binding-00.html</a><br>
&gt; HTMLized: <a href=3D"https://datatracker.ietf.org/doc/html/draft-reddy=
-rats-key-binding" rel=3D"noreferrer" target=3D"_blank">https://datatracker=
.ietf.org/doc/html/draft-reddy-rats-key-binding</a><br>
&gt;<br>
&gt;<br>
&gt; Abstract:<br>
&gt;<br>
&gt;=C2=A0 =C2=A0 This document defines a CWT-based Entity Attestation Toke=
n (EAT)<br>
&gt;=C2=A0 =C2=A0 profile and a new EAT claim that cryptographically bind a=
 private key<br>
&gt;=C2=A0 =C2=A0 used to sign a certificate signing request (CSR), or the =
private key<br>
&gt;=C2=A0 =C2=A0 corresponding to an end-entity certificate used for TLS<b=
r>
&gt;=C2=A0 =C2=A0 authentication, to an attested execution environment.<br>
&gt;<br>
&gt;=C2=A0 =C2=A0 The subject public key is conveyed using the EAT cnf clai=
m defined in<br>
&gt;=C2=A0 =C2=A0 [RFC8747], and freshness uses the EAT nonce claim defined=
 in<br>
&gt;=C2=A0 =C2=A0 [RFC9711].=C2=A0 The proof of possession of the subject k=
ey is obtained<br>
&gt;=C2=A0 =C2=A0 from the surrounding protocol, such as TLS certificate-ba=
sed<br>
&gt;=C2=A0 =C2=A0 authentication or CSR signature verification.=C2=A0 Becau=
se the EAT is<br>
&gt;=C2=A0 =C2=A0 signed by a hardware-backed Attestation Key (AK), success=
ful<br>
&gt;=C2=A0 =C2=A0 verification of the EAT signature together with protocol-=
level proof<br>
&gt;=C2=A0 =C2=A0 of possession establishes a cryptographic binding between=
 the private<br>
&gt;=C2=A0 =C2=A0 key and the attested platform state.=C2=A0 This mechanism=
 addresses key<br>
&gt;=C2=A0 =C2=A0 substitution attacks that arise when attestation evidence=
 and the<br>
&gt;=C2=A0 =C2=A0 certificate private keys are validated independently.<br>
&gt;<br>
&gt;<br>
&gt;<br>
&gt; The IETF Secretariat<br>
&gt;<br>
&gt;<br>
&gt; _______________________________________________<br>
&gt; Seat mailing list -- <a href=3D"mailto:seat@ietf.org" target=3D"_blank=
">seat@ietf.org</a><br>
&gt; To unsubscribe send an email to <a href=3D"mailto:seat-leave@ietf.org"=
 target=3D"_blank">seat-leave@ietf.org</a><br>
</blockquote></div></div>

--000000000000c17e72064d33b2a9--