Re: [Rats] Composite Evidence

"Smith, Ned" <> Fri, 24 January 2020 21:04 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 13D3A1200A3 for <>; Fri, 24 Jan 2020 13:04:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -4.201
X-Spam-Status: No, score=-4.201 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id Sl6m_SqgPlUM for <>; Fri, 24 Jan 2020 13:04:38 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 1B38D120052 for <>; Fri, 24 Jan 2020 13:04:37 -0800 (PST)
X-Amp-Result: SKIPPED(no attachment in message)
X-Amp-File-Uploaded: False
Received: from ([]) by with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 24 Jan 2020 13:04:37 -0800
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="5.70,358,1574150400"; d="scan'208";a="400768753"
Received: from ([]) by with ESMTP; 24 Jan 2020 13:04:36 -0800
Received: from ( by ( with Microsoft SMTP Server (TLS) id 14.3.439.0; Fri, 24 Jan 2020 13:04:36 -0800
Received: from ([]) by ([]) with mapi id 14.03.0439.000; Fri, 24 Jan 2020 13:04:36 -0800
From: "Smith, Ned" <>
To: Michael Richardson <>
CC: "" <>
Thread-Topic: [Rats] Composite Evidence
Thread-Index: AdXRgB49sEcLGXWTRbyFhaWoEjRAwwAWWlWAAB2RpAD//6sSAIAAlNyA//+lU4CAAcbpAP//iMmAgACXmoD//4eZgA==
Date: Fri, 24 Jan 2020 21:04:35 +0000
Message-ID: <>
References: <> <25403.1579747229@localhost> <> <> <14896.1579811757@localhost> <> <14740.1579889976@localhost> <> <12261.1579896931@localhost>
In-Reply-To: <12261.1579896931@localhost>
Accept-Language: en-US
Content-Language: en-US
user-agent: Microsoft-MacOutlook/
x-originating-ip: []
Content-Type: text/plain; charset="utf-8"
Content-ID: <>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <>
Subject: Re: [Rats] Composite Evidence
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Remote Attestation Procedures <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 24 Jan 2020 21:04:40 -0000

On 1/24/20, 12:15 PM, "RATS on behalf of Michael Richardson" < on behalf of> wrote:

    Smith, Ned <> wrote:
        > Smith, Ned <> wrote:
        mcr> [%] I think you are saying that rather than documenting that we
        mcr> forward a union of evidence and attestation results, that we
        mcr> document that will create a kind of evidence, which includes attestation results?
        Ned> Maybe. It really is a case of multiplexing several conversations
        Ned> over the same conveyance mechanism, but otherwise conversations
        Ned> could be de-multiplexed (without creating unnecessary
        Ned> cross-dependencies). For example in both Passport and BK-Check
        Ned> topology models, a message is simply relayed. The endpoints are
        Ned> still the way they're defined in the Roles Arch diagram.
        mcr> yes, I agree, we could send a list of evidence and a list of attestion
        mcr> results from components.  I don't really know what the list of potential
        mcr> *verification* protocols is.
        Nms> I don't know what a verification protocol is. I would describe the
        Nms> interaction between a Verifier and Relying Party as Attestation
        Nms> Results exchange over a conveyance protocol. This implies there is a
        Nms> protocol binding specification needed for each protocol that is used
        Nms> for conveyance.
 mcr>   I don't know what to call the Attester->Verifier connection.
 mcr>   Yes, it's a conveyance protocol.
nms> Maybe the architecture should give them names?
        mcr> I don't think this communication can ever be via certificate, while the final
        mcr> attestation results could be placed inside a certificate.
        nms> Both a certificate and token are examples of signed documents that
        nms> could include both Evidence or Attestation Results
   mcr>  A certificate (manufacturer signed IDevID...) could convey fresh evidence?
   mcr>  I find that hard to believe.
   nms>  Yes, it is possible for a trusted environment to issue a certificate for a key that is dynamically generated and used to attest. Sometimes these signed things aren't called certificates. For example, a TPM "quote" operation can "quote a key" which results in a signed structure that contains a public key. SGX can do something similar too. A JWT/CWT token can include a public key value which someone could say is a 'certificate' because it associates a key with another key (namely the issuer). Additionally, a DICE RoT can sign an X.509.v3 certificate called the "Alias Identity". 
nms> A use case that supports this practice is when a HW or SW module is added to a device after it ships. The module could become a new Target environment that the Attesting environment hashes to produce new Evidence. If the new module in turn supports adding another sub-module, then it may become the Attesting environment to the sub-module. The attestation key it uses may be dynamically generated. One of the claims is that the new key is trustworthy because it belongs to a Target environment that was attested by a trusted Attesting environment. I believe EAT submods claim supports this usage.
    Michael Richardson <>ca>, Sandelman Software Works
     -= IPv6 IoT consulting =-