[Rats] Attestation of implementation vs authenticity of service

Laurence Lundblade <lgl@island-resort.com> Mon, 03 August 2020 18:59 UTC

Return-Path: <lgl@island-resort.com>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id 8FE723A0A3B for <rats@ietfa.amsl.com>; Mon, 3 Aug 2020 11:59:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.006
X-Spam-Status: No, score=0.006 tagged_above=-999 required=5 tests=[HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id ueh4I87zDVu5 for <rats@ietfa.amsl.com>; Mon, 3 Aug 2020 11:59:05 -0700 (PDT)
Received: from p3plsmtpa06-03.prod.phx3.secureserver.net (p3plsmtpa06-03.prod.phx3.secureserver.net []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 204C53A0A6A for <rats@ietf.org>; Mon, 3 Aug 2020 11:59:00 -0700 (PDT)
Received: from [] ([]) by :SMTPAUTH: with ESMTPA id 2ffnkqFuZoraZ2ffnkGKDv; Mon, 03 Aug 2020 11:58:59 -0700
X-CMAE-Analysis: v=2.3 cv=PZqBeRpd c=1 sm=1 tr=0 a=t2DvPg6iSvRzsOFYbaV4uQ==:117 a=t2DvPg6iSvRzsOFYbaV4uQ==:17 a=mE7JM0AAAAAA:8 a=BM-95ODdJa3X30QArsMA:9 a=ZIdEE5YbPCf3Leim:21 a=7oIFj7L-xEes53XR:21 a=QEXdDO2ut3YA:10 a=kViqyZy1v31e6LSPT28A:9 a=IwOSapfIirHiE0Yq:21 a=_W_S_7VecoQA:10 a=sjx5D4xYqjbV_PqBlxw0:22
X-SECURESERVER-ACCT: lgl@island-resort.com
From: Laurence Lundblade <lgl@island-resort.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_5247168A-2B95-4D04-A869-F098AB7A93F2"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
Message-Id: <0B64B104-1BA0-4341-8470-A17D2C6AC181@island-resort.com>
Date: Mon, 3 Aug 2020 11:58:58 -0700
To: rats@ietf.org
X-Mailer: Apple Mail (2.3445.104.11)
X-CMAE-Envelope: MS4wfCrwCJyeib9GPKJk6KEn0+zKmSvVAetdGJcIO5c5FJj4rdm0nikBROdNy9e76dqo8WeBkr9yVHEI2vLjN2fibs15fdia7A+OB+O67ASieuiI1l4ROdAS T4YYOfHvgoCmjF5+n4AM4Wze5aSRcQUXvTM+9uXV9azWDNjEmb59dDRm
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/jW8s4p6bf2NcE9mi9qRrCQHvehY>
Subject: [Rats] Attestation of implementation vs authenticity of service
X-BeenThere: rats@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Remote ATtestation procedureS <rats.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rats>, <mailto:rats-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>
List-Post: <mailto:rats@ietf.org>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rats>, <mailto:rats-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 03 Aug 2020 18:59:09 -0000

This is to introduce discussion about the use of TLS/HTTPS versus Attestation. I’ve seen a few places where Attestation is being proposed for use where I think TLS/HTTPS is probably sufficient or a better fit.

Reviewing the trust relationships described in the architecture document got me thinking about sharpening a distinction between device attestation (e.g., EAT for phone) and service authenticity (e.g. HTTPS for a web site):

Device Attestation
Focus is on the implementation, the HW and SW
The legal entity of interest is the device manufacturer
The claims are about the HW and the SW, not the device owner
Example: a mobile phone (not its owner/user)
Example: integrity of a remote device

Service Authenticity
Focus is on the provider of the service, not the HW or SW
The legal entity of interest is the service provider
There is no equivalent of claims, but if there was they would be about the business or person operating the service
Example: a web site
Example: an email provider (IMAP service)

Service providers (e.g., web sites) use whatever HW and SW they want to use. As a user of the service we don’t care what HW and SW they select. We trust the service provider to pick good HW and SW and to configure and operate it correctly. They might change the HW and the SW and as a user we won’t know.  For example we trust Bank of Xxx to operate their banking web site correctly with little concern for their HW. This is why attestation of the HW and SW is not so useful to the user of a service.

Users of mobile phones and IoT devices are not trustworthy to pick secure HW and SW. They are not professionals like the people running web sites. There is little accountability against them if they pick bad SW and HW. Therefor we want attestation for these usage scenarios. This is why EAT, FIDO and Android Attestation exist.

I don’t think the line between device attestation and service authenticity is completely black and white. In some use cases attestation may be bent to provide some service authenticity. But I don’t think it makes sense to add attestation to the millions of web sites out there, add support for it to browsers and make attestation an extra layer of security for web browsing.

I think it is fine for a service provider to use attestation inside their service to monitor integrity and such of the HW and SW providing the service. But usually that won’t be manifest outside the service. It could be awkward for the user to the service to have to re evaluate the service every time the service provider changes HW.

Another way to look at this is from a certification / regulatory view. If the thing you're looking at is a candidate for implementation certification such as Common Criteria, FIPS, FIDO certification, then it probably lines up with device attestation. On the other hand, if the thing your are looking at lines up with regulation (e.g., banking regulation, GDPR,...) and to some degree OWASP <https://owasp.org/>, then it probably lines up with service authenticity. 

I think the RATS architecture document should probably have text that describes when attestation is applicable and when it is not, for example saying something like “attestation is not a replacement or augmentation for HTTPS/TLS"

I think the RATS architecture should be clear which of its components are services and which are targets of attestation. In particular, I think the Verifier and Endorser/Manufacturer are services and that service authenticity is more appropriate for them than attestation (I would consider a signed Endorsement a form of service authenticity).