[Rats] FIDO TPM attestation

Laurence Lundblade <lgl@island-resort.com> Wed, 13 November 2019 04:08 UTC

From: Laurence Lundblade <lgl@island-resort.com>
Message-Id: <62DD1AD3-6F1A-4B2B-8236-10ECCE254443@island-resort.com>
Date: Tue, 12 Nov 2019 20:08:52 -0800
To: rats@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/nBemrDdCedxeoDg76qew0fyUA2M>
Subject: [Rats] FIDO TPM attestation

Here’s evidence that remote TPM attestation is not just for routers and is used in non-YANG environments: https://fidoalliance.org/specs/fido-v2.0-ps-20150904/fido-key-attestation-v2.0-ps-20150904.html#tpm-attestation.

In non-TPM FIDO attestation, the whole attester is in the TEE or such. In TPM FIDO attestation only the key storage and signing are in the TPM. There is reliance on components outside of the TPM for the security of the attestation, so it isn’t the preferred form.

This is a reason to consider the TPM Token I’ve mentioned. It would allow remote TPM-based attestation to be used anywhere there is a TPM for use cases beyond routers and YANG.

LL
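The point in the message about relying on components outside the TPM has a concrete verifier-side consequence in the FIDO/WebAuthn "tpm" attestation format: the TPM signs only certInfo (a TPMS_ATTEST produced by TPM2_Certify), while pubArea and the authenticator data are handed over by host software. A relying party therefore has to tie those outside-supplied pieces back to what the TPM actually signed. The following is an added example written for this page, not code from the message, the FIDO Alliance, or any TPM stack: a standard-library Python parser for the TPMS_ATTEST fields a verifier needs, plus the two binding checks (extraData against hash(authenticatorData || clientDataHash), attested name against nameAlg || hash(pubArea)). It assumes SHA-256 for both the attestation algorithm and nameAlg, builds a constructed certInfo blob with made-up clockInfo and firmwareVersion values for the demo, and leaves the AIK signature check over certInfo (x5c) as the separate step it is.

```python
"""Added example (not from the message): verifier-side binding checks for a
FIDO/WebAuthn "tpm" attestation statement, standard library only.

The TPM signs only certInfo. pubArea and authenticatorData come from software
outside the TPM, so the verifier checks:
  * certInfo.extraData      == SHA-256(authenticatorData || clientDataHash)
  * certInfo.attested.name  == nameAlg || SHA-256(pubArea)
Signature verification of certInfo with the AIK certificate is not shown.
All sample blobs below are constructed for the demo (assumption).
"""
import hashlib
import struct

TPM_GENERATED_VALUE = 0xFF544347    # magic at the start of every TPMS_ATTEST
TPM_ST_ATTEST_CERTIFY = 0x8017      # attestation type produced by TPM2_Certify
TPM_ALG_SHA256 = 0x000B


def _tpm2b(data: bytes) -> bytes:
    """Encode a TPM2B_* sized buffer: 2-byte big-endian length + payload."""
    return struct.pack(">H", len(data)) + data


def _read_tpm2b(buf: bytes, off: int):
    """Decode a TPM2B_* sized buffer at offset off; return (payload, new offset)."""
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    return buf[off:off + n], off + n


def tpm_name(pub_area: bytes, name_alg: int = TPM_ALG_SHA256) -> bytes:
    """TPM 'name' of a public area: nameAlg id followed by the digest of pubArea."""
    if name_alg != TPM_ALG_SHA256:
        raise ValueError("only SHA-256 names are handled in this example")
    return struct.pack(">H", name_alg) + hashlib.sha256(pub_area).digest()


def parse_tpms_attest(cert_info: bytes) -> dict:
    """Parse the TPMS_ATTEST fields a WebAuthn verifier needs (certify form)."""
    off = 0
    magic, typ = struct.unpack_from(">IH", cert_info, off)
    off += 6
    qualified_signer, off = _read_tpm2b(cert_info, off)   # name of the signing (AIK) key
    extra_data, off = _read_tpm2b(cert_info, off)         # caller-supplied qualifying data
    clock, reset_count, restart_count, safe = struct.unpack_from(">QIIB", cert_info, off)
    off += 17
    (firmware_version,) = struct.unpack_from(">Q", cert_info, off)
    off += 8
    if typ != TPM_ST_ATTEST_CERTIFY:
        raise ValueError("certInfo is not a TPM_ST_ATTEST_CERTIFY structure")
    # TPMS_CERTIFY_INFO: name and qualifiedName of the certified (credential) key
    name, off = _read_tpm2b(cert_info, off)
    qualified_name, off = _read_tpm2b(cert_info, off)
    if off != len(cert_info):
        raise ValueError("trailing bytes after TPMS_ATTEST")
    return {"magic": magic, "type": typ, "qualified_signer": qualified_signer,
            "extra_data": extra_data, "clock": clock, "reset_count": reset_count,
            "restart_count": restart_count, "safe": safe,
            "firmware_version": firmware_version, "name": name,
            "qualified_name": qualified_name}


def check_tpm_attestation(cert_info: bytes, pub_area: bytes,
                          authenticator_data: bytes, client_data_hash: bytes) -> list:
    """Return the list of binding failures; an empty list means the host-supplied
    pubArea and authenticatorData are the ones the TPM actually certified."""
    problems = []
    att = parse_tpms_attest(cert_info)
    if att["magic"] != TPM_GENERATED_VALUE:
        problems.append("magic is not TPM_GENERATED_VALUE")
    expected_extra = hashlib.sha256(authenticator_data + client_data_hash).digest()
    if att["extra_data"] != expected_extra:
        problems.append("extraData does not cover this authenticatorData/clientDataHash")
    if att["name"] != tpm_name(pub_area):
        problems.append("attested name does not match the supplied pubArea")
    return problems


def build_cert_info(pub_area: bytes, authenticator_data: bytes, client_data_hash: bytes,
                    magic: int = TPM_GENERATED_VALUE) -> bytes:
    """Construct a certInfo blob shaped like a TPM2_Certify output (demo only;
    clockInfo, firmwareVersion and the AIK name are made-up values)."""
    extra = hashlib.sha256(authenticator_data + client_data_hash).digest()
    aik_name = struct.pack(">H", TPM_ALG_SHA256) + hashlib.sha256(b"demo-aik-pubarea").digest()
    body = struct.pack(">IH", magic, TPM_ST_ATTEST_CERTIFY)
    body += _tpm2b(aik_name)                        # qualifiedSigner
    body += _tpm2b(extra)                           # extraData
    body += struct.pack(">QIIB", 123456, 1, 0, 1)   # clockInfo (constructed)
    body += struct.pack(">Q", 0x0001000200030004)   # firmwareVersion (constructed)
    body += _tpm2b(tpm_name(pub_area))              # attested.name
    body += _tpm2b(tpm_name(pub_area))              # attested.qualifiedName (same value for demo)
    return body


def demo():
    """Run the checks on a consistent statement and on two host-side substitutions."""
    pub_area = b"constructed TPMT_PUBLIC bytes for the credential key"
    auth_data = b"constructed authenticatorData"
    cdh = hashlib.sha256(b"constructed clientDataJSON").digest()
    cert_info = build_cert_info(pub_area, auth_data, cdh)
    consistent = check_tpm_attestation(cert_info, pub_area, auth_data, cdh)
    swapped_key = check_tpm_attestation(cert_info, b"some other pubArea", auth_data, cdh)
    swapped_auth = check_tpm_attestation(cert_info, pub_area, b"other authenticatorData", cdh)
    return consistent, swapped_key, swapped_auth


if __name__ == "__main__":
    for label, result in zip(("consistent", "swapped key", "swapped authData"), demo()):
        print(f"{label}: {result or 'ok'}")
```

The two substitution cases are what "reliance on components outside of the TPM" looks like in practice: the TPM's signature stays valid over certInfo, so only the name and extraData bindings reveal that the host presented a pubArea or authenticator data other than what was certified; a verifier that checks the signature but skips these bindings trusts host software it never meant to.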