Re: [Rats] [Acme] device attestation and ACME

Brandon Weeks <> Thu, 21 July 2022 22:57 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id EEB4BC13C224 for <>; Thu, 21 Jul 2022 15:57:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -17.61
X-Spam-Status: No, score=-17.61 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id YZhODq_jWEBR for <>; Thu, 21 Jul 2022 15:57:01 -0700 (PDT)
Received: from ( [IPv6:2a00:1450:4864:20::32d]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by (Postfix) with ESMTPS id DEF19C13C218 for <>; Thu, 21 Jul 2022 15:55:59 -0700 (PDT)
Received: by with SMTP id c22so1834004wmr.2 for <>; Thu, 21 Jul 2022 15:55:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=8Aje0oLJtfpWdRNmx+Q0hAHujW/zYTGOV9DmBvEELs0=; b=CL5C/MvsSII2YFnY+3/0xmXOOod9bRCMUJuh6lzREcB0FDpMMrncX9nV71AgHjzuQo oc3x4J85E6ycmvRtpNL3se0ulGSk7UhLdsU4iqEy2DaZnBSFpDW8gLaKhTKfeaP7SejA DNbVdJz72vulK45k7UYOmCUVMix6j/ozA2RQbds7bV0KE3/FU+sGJc1tORdf4xFq1U3/ zIAxxHf8Z7It2GWYCVsY9Rwa2zUjIbXCIO3UqLzCausisYdmTyqwoVr1gzHq+AH1k5Bl nOC10cNlOi61bTQicDSWnp6XD/IRwQHwDbiHKm7UsOJ1x2zTb/FJIXfnpB9PogkMga/y 2AvQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=8Aje0oLJtfpWdRNmx+Q0hAHujW/zYTGOV9DmBvEELs0=; b=JoCnIhh4V+EAlbKZ/EPC9ta0g2NBCqY1aKquUuigspsimKxslve6+zLvUY/0HWdmG+ hz3ndEc6xZBfgnQgSrIFe84pdxd1KiWGF8BPJnGut4NyT7b0hwMxP2fJy395cI1TUZsq ++UIF7SIBIqYqyk0u6slbGJfGIJIS6IWcaJBC3x3FAQNrXY3FG4//7EVRmOKdj/tvUG2 d9j6KkIizwBG0hw2bENQBqAM/J4MlvIsuSN1SGbbpRwRUthmGvdZjHpFyD6tGgmbBTOG 3l4dyq4xpI7oAH7bWix+EPVQbgcBnH1EtdZ45U9kpldrA4XiBGM3shzw7eKivnj0bV/y GhZQ==
X-Gm-Message-State: AJIora85953463OnJ5x/Isl15kyGxMREFLUfk+CXd8peEWuKmQhpBo+q TvyTaLxEtGcMCwGVaO7rKvR7nMfN3gEuhYP19p5vt89yGQEUVA==
X-Google-Smtp-Source: AGRyM1v/d6T0j3VSG9lPIsaoKlikq40AdvXfKGdy4q6WaZndb34ETTOUmRXIqaR9kOvX18QnpTOXEgjqoHbr4cIARHA=
X-Received: by 2002:a05:600c:3044:b0:3a3:f60:c907 with SMTP id n4-20020a05600c304400b003a30f60c907mr9622639wmh.19.1658444157636; Thu, 21 Jul 2022 15:55:57 -0700 (PDT)
MIME-Version: 1.0
References: <1680731.1658356904@dooku> <>
In-Reply-To: <>
From: Brandon Weeks <>
Date: Thu, 21 Jul 2022 15:55:46 -0700
Message-ID: <>
To: Carl Wallace <>
Cc: Michael Richardson <>,,
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="000000000000ebde4a05e4589e45"
Archived-At: <>
Subject: Re: [Rats] [Acme] device attestation and ACME
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Remote ATtestation procedureS <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 21 Jul 2022 22:57:05 -0000

Unfortunately each attestation format has a different method of
verifying the trust relationship of the attestation certificates.

- Android Key Attestation: Android publishes the root certificates
that all valid attestation certificates chain up to.
- Apple Managed Device Attestation: follows a similar pattern of
Android, the attestation certificates chain up to a well-known root.
- Chrome OS: there is only a web API for verifying challenges, there
is no way to do offline verification.
- TPM: an enterprise would manually curate a collection of trusted
Endorsement Key certificate roots or use Microsoft's curated

Since platform vendors define the verification procedures and can
change the procedure or the trusted roots at any time, I'm not sure
the best place to either specify or informatively reference the
verification procedures.

On Wed, Jul 20, 2022 at 4:07 PM Carl Wallace <> wrote:
> Distributing trust anchors to verify device attestations is one of the aims of Note, there's also a LAMPS draft that borrows the WebAuthn format approach from this ACME device attestation draft but for use in extensions suitable for CMP, EST, SCEP, etc.
> On 7/20/22, 6:41 PM, "RATS on behalf of Michael Richardson" < on behalf of> wrote:
>     I read acme-device-attest, and I guess the key part is a new device-attest-01
>     method.
>     tries to explain the format, and how the challenge is signed by the device.
>     What I do not understand is any of the trust relationships between the ACME
>     server and the manufacturer/provisionor of the Android Key Attestation/Chrome
>     OS Verified Access/Trusted Platform Module.
>     Why does the Enterprise trust the attestation key?
>     --
>     Michael Richardson <>, Sandelman Software Works
>      -= IPv6 IoT consulting =-
>     _______________________________________________
>     RATS mailing list
> _______________________________________________
> Acme mailing list