Re: [Rats] About current RATS drafts

Laurence Lundblade <> Fri, 01 November 2019 17:56 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 09D9E120D64 for <>; Fri, 1 Nov 2019 10:56:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id z3A4HT4IlY4L for <>; Fri, 1 Nov 2019 10:56:25 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 8BB7D1200B4 for <>; Fri, 1 Nov 2019 10:56:25 -0700 (PDT)
Received: from [] ([]) by :SMTPAUTH: with ESMTPA id Qb9riLvVwyg8JQb9siO1vj; Fri, 01 Nov 2019 10:56:24 -0700
From: Laurence Lundblade <>
Message-Id: <>
Content-Type: multipart/alternative; boundary="Apple-Mail=_77BA8A11-EA31-4CD1-BC50-BA4F559FD3D9"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
Date: Fri, 1 Nov 2019 10:56:22 -0700
In-Reply-To: <>
Cc: H Y <>,
To: Henk Birkholz <>
References: <> <> <> <> <>
X-Mailer: Apple Mail (2.3445.104.11)
X-CMAE-Envelope: MS4wfP8TUl2+EWo3Y6KsO5H3FkjbMFXikQAS74MeiJbVGd5qyELUkYD6G1AnvV3M3GtnawaUNUan0Ohb/oslF+V+chpyCq30mp9Kpi0XK5JsHOd6+uP9yaUp sd6yol2v7e0T6cYvOmkSz0aucH/CryoefiKipLbMoTdFMo3aOLw5ZxSRkfgLyAJ2ijq1lOYAoQUOXOGesy6DUFuH2ZeDefCe3NXoaEfXL6eqsdtxc5Yutt79 Lo4rp3E5r5hczlquHOcUhg==
Archived-At: <>
Subject: Re: [Rats] About current RATS drafts
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Remote Attestation Procedures <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 01 Nov 2019 17:56:27 -0000

> On Nov 1, 2019, at 8:38 AM, Henk Birkholz <> wrote:
> I do not fully follow you here, I am afraid. Which Claims can be added by the Verifer to what at which time? :) I assume you mean that the Attestation Result can include implicit assertions based on the attestation Provenance - expressed as Claims. I am not really sure, what type of claims you are implying, though.

Yes, more details are a good idea. :-) With an example of a chip made by the fictitious “Acme Chip Company”. 

Acme makes chip model X with HW and boot ROM that:
- have an attestation key programmed at the Acme factory
- prevent use of the attestation key unless
  - booted using authenticated sw
  - all HW debug facilities are turned off

Acme operates the verification service itself. When it receives attestation evidence from chip model X it knows that authenticated boot was used and all the debug modes are turned off because the attestation key would not be accessible if that wasn’t true. There would be no attestation. Further, it knows it is Acme Model X because of the particular attestation key. They only put that key in Model X device, not in Model Y or Z devices.

So, when Acme’s verification service generates an attestation result it can include these even though they were not in the attestation evidence:
debug_disable_claim = disabled
boot_state_claim = true

They are implicit claims in the attestation evidence made explicit in the attestation result.

I expect there are a number of claims that could and should work this way.