[Rats] Re: [Seat] FW: New Version Notification for draft-reddy-rats-key-binding-00.txt
Nathanael Ritz <nathanritz@gmail.com> Mon, 16 March 2026 17:47 UTC
Return-Path: <nathanritz@gmail.com>
X-Original-To: rats@mail2.ietf.org
Delivered-To: rats@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 589D7CB7C03D for <rats@mail2.ietf.org>; Mon, 16 Mar 2026 10:47:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1wFIqU-z_YX4 for <rats@mail2.ietf.org>; Mon, 16 Mar 2026 10:47:29 -0700 (PDT)
Received: from mail-dl1-x1234.google.com (mail-dl1-x1234.google.com [IPv6:2607:f8b0:4864:20::1234]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 9E1A9CB7C025 for <rats@ietf.org>; Mon, 16 Mar 2026 10:47:29 -0700 (PDT)
Received: by mail-dl1-x1234.google.com with SMTP id a92af1059eb24-1271257ae53so6478202c88.1 for <rats@ietf.org>; Mon, 16 Mar 2026 10:47:29 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1773683243; cv=none; d=google.com; s=arc-20240605; b=SSv2BQ7++q64N5Sf5gYp9Vf0aFGjHMm9NLJCk/Z9i1WOC6YOZhrUhYh19omWddUYfk zKLo+ytn0SBdG45/NOgc+ZDZEmJ/JgABD3gXI6WUKaOJQKQUdJWlIXfMxetpzm/Q3gQB Wvph2D4HvVJxveTySqMj3oEUB4VmiI+dmMJ4w0bU1RHuNup5SZAZGsxTi74O9ki8j0/B LAB/QI+u1r4VO3q7QtiVBnqzeASEiJ6sQzGOBOKEs3JWNDIy+eBJqfgrWC+9kL5ErClW CFduWZVZ0zNLYKYlA44uKXGxcTcodd26dA1BaQQLtnMP2UWRBWdHmnUp01tbPAzdsBPU dzzQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:dkim-signature; bh=Tqo5h/yBPHNMGa2ovwVPfhysf7uzqAcx4itHm7xwLOA=; fh=ngzXg41Tpv39e4tdKwDd45d//bMZSFeCReDNsug6Gf8=; b=gF8kO4XYFjQsBI3INd/Xz3psh8vAzNIEpis35wAh537s3KqZ9ssxOuXmlalXap+Dtc v5crfIVEU5JrrLGh7WBqoaydrC1nvnr3XQeGaP4haI8om+ZKHZDBU0mKNPJt0fGyY5+q KQ3VVg0Nk/wP7zsVgbknzt3y+anFugVptpYoRcBDcRAIiK3JOeKZdc6SsTAZYEwTUVNG 4+o83lzqdhrX7//+ht4w0v4Hr7nwfSnBi7zm0hAvR8+GP9YlJ4YNQeUyvSKwASeyGXss b6GLKczaVBOgTBOkmrw9MrUTqyVtF89YrMSfoGEW5vNxVSMgWpfVsXTTjJpjS6sHz84u 37XA==; darn=ietf.org
ARC-Authentication-Results: i=1; mx.google.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1773683243; x=1774288043; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=Tqo5h/yBPHNMGa2ovwVPfhysf7uzqAcx4itHm7xwLOA=; b=OZxUZx/+JK/MpEqbiqMndNS/W8hV1i+H+axIkjEe/b29/8myM8dnWFUwSz5FPUimgo SMB179XRLdDK2Eqgp/7ybX2owZWiNlP4liKjGkZg6L1HWUMMadZC12AyBfVne9kwWqXN ACxBSJYqpWPudZkzNT5AAAlKfJTkLLEj75ud/Igk6JUAgB97Qc92fp3Xt/N/H2/MXrte QOl1c9W8eMv11PDecb+iy11SpKnSScTZWWIlXNJgZZmoxoSSvHRaKYUdTSw44gx3kOFx 5ulCS+Q7sRMh2dTC0LhZ0u2YXXXXNhT4+ds2qRPD/F3hPgM6YRMnJDszKcZiBdJ2isbU Rmdw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1773683243; x=1774288043; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=Tqo5h/yBPHNMGa2ovwVPfhysf7uzqAcx4itHm7xwLOA=; b=eY1vlFuZJLqSXCCxyarfCwRpkNnOAvpKbk/aZlqIlz8Dz6G2j2xGVwVVFwnQ0vxq9r mc1ohp/rgx6kPz7qe3WFPJknqqfJ+NOJm9ptgKBuEqZMdyekVlShzM87+T7btrpbLajr YYIs3fWBI7pY8jEggrfDNRh6XgI/rHv5TcxzAOIAEjVae7IXTgv48h+/iYf0KPC6rYJc rGepBgsu8T5Z+rF+RLIcX9+OUA7E/QzouZuiEdNWvsH6V//o9kzk03pEY/Y2QMAU0ESL /t6rRVWCWVI1tzvjaI+qBfVFSHv3LEZeDPUnDN1UOUZQyyp2TLJ1b6ItB+/VBBxWXX+k duFA==
X-Forwarded-Encrypted: i=1; AJvYcCV0SIxSPlqdiyG2ZJZyEz99vC4U5WtclFMfKCzCi2tNOUKJlYgfwf9T+9rR62YajCjSrmuM@ietf.org
X-Gm-Message-State: AOJu0YwNOPwt+YpJeY2O6H/TqzsV8hKwwAGL8rqY1blYpxCQ3GGSzFf5 bayj2EKFPvAjlIfDnx6mlaQmVwBeWmOrdvqkwqJ6xAHb6AQX/X9teZ0HRM5eHwtlLd80AwhRGQx oVAwuVYCNOt7punZFgb9oMoGBuV11l0g=
X-Gm-Gg: ATEYQzzh7z93yqZTLi8LoCi/ZGlwFfn1+uTmtzi8KCZMtzI55I/TsYgnc2XhkWUdgKt S7ODa22kakHAYl4+CVpsl4AOLWlRC6esIvxKgkQr0QFLdey2wcdwPVvHgmrGqoQZJDIAElhzNbI HQoSOzWmfND1O6/G0LCGq4d3M4QTIjnlCzHGjvlW7xqJEfraZ9G3Dsjsoa3pPh9l1+UbRQJRGA/ 2OIkIQEKT/A4cUqv+Z9HlDIFRzDK6u2TB1kK6XYe6e4+nGlaMBd+MMd63akb/83S49Ys/gBPwPo BbHq/Vo=
X-Received: by 2002:a05:7022:1a85:b0:128:dab3:f528 with SMTP id a92af1059eb24-128f3d00dddmr6367132c88.8.1773683242862; Mon, 16 Mar 2026 10:47:22 -0700 (PDT)
MIME-Version: 1.0
References: <177358299754.193806.3663616865438494971@dt-datatracker-5477d56788-5pkt5> <VI0PR07MB113715D68DF911E0821D31357AB43A@VI0PR07MB11371.eurprd07.prod.outlook.com> <CAFpG3gcNfk+4yaq7JV3i98xjd5D7DS5iwjb3thqtYSLNrR394g@mail.gmail.com> <CA+1=6yd7t32=rB_0X26ApxEzN_gyBs7MujOgxVN4PgOm0BoCvQ@mail.gmail.com>
In-Reply-To: <CA+1=6yd7t32=rB_0X26ApxEzN_gyBs7MujOgxVN4PgOm0BoCvQ@mail.gmail.com>
From: Nathanael Ritz <nathanritz@gmail.com>
Date: Mon, 16 Mar 2026 11:47:09 -0600
X-Gm-Features: AaiRm51xCEa07p4J618dGrfOweCWNpaAwlxuQ4R9tZSKOJ8w9GCA2oz3gaGl-sI
Message-ID: <CAHxYnaMbP3uPqaytFQ314aiCj7OpLbfMwTtgW1RFhpY+yv132A@mail.gmail.com>
To: Thomas Fossati <thomas.fossati@linaro.org>
Content-Type: multipart/alternative; boundary="000000000000a2903d064d27cffe"
Message-ID-Hash: G2GZF6T2VEQOUPCEF2UOLHVZEGAIRTUO
X-Message-ID-Hash: G2GZF6T2VEQOUPCEF2UOLHVZEGAIRTUO
X-MailFrom: nathanritz@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-rats.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: tirumal reddy <kondtir@gmail.com>, seat@ietf.org, rats@ietf.org
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [Rats] Re: [Seat] FW: New Version Notification for draft-reddy-rats-key-binding-00.txt
List-Id: Remote ATtestation procedureS <rats.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/qR3uTwtJKstRH2axeL8ONmHaZfc>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Owner: <mailto:rats-owner@ietf.org>
List-Post: <mailto:rats@ietf.org>
List-Subscribe: <mailto:rats-join@ietf.org>
List-Unsubscribe: <mailto:rats-leave@ietf.org>
Hi, If I understand Thomas's concern correctly (and the general presupposition of key provenance assumed with RATS in general), it is that the proposed attested key is another silicon-bound RoT that everyone has to figure out what to do with, how to design it into the hardware/ABIs, and so on. While I am not involved in HW engineering of such solutions, I'm sure the concern is valid. What came to mind for me when reading through the new draft was how the `key-attributes` claims could be used to enhance trustworthiness for ephemeral PRF derived keys during TEE-backed enrollment, or effectively attested-TOFU (such as in support of "authentication in constrained use cases" per Sec. 4.6 of the SEAT Use-Cases I-D [0]). You can let me know if this framing would be pushing the original intent behind the draft. If widespread hardware support later follows, where new RoTs or additional silicon-bound keys are widely deployed, then the transition from attested TOFU of an ephemeral PRF key to a proper HW-bound key seems straightforward to me. But I can imagine this being implementable in practice via software to start. In this case, I would imagine these claims would be carried forward in a Verifier-signed AR which could be used for the passport models of the proposed SEAT drafts. Cheers, -Nathanael [0] https://www.ietf.org/archive/id/draft-mihalcea-seat-use-cases-01.html#section-4.6-1 On Mon, 16 Mar 2026 at 00:39, Thomas Fossati <thomas.fossati@linaro.org> wrote: > Hi Tiru & Hannes, > > On Sun, 15 Mar 2026 at 15:22, tirumal reddy <kondtir@gmail.com> wrote: > > > > We have published a new draft: > https://www.ietf.org/archive/id/draft-reddy-rats-key-binding-00.txt. > > > > In certificate enrollment and TLS authentication, the attestation > evidence and the private key used to sign a CSR, or the private key > corresponding to a TLS end-entity certificate, are validated independently, > which can enable key substitution or relay attacks (a threat raised by Paul > in SEAT WG). The threat is discussed in more detail in the Introduction of > the draft. > > > > The draft addresses this by binding the Subject Key to the attested > platform state while leveraging the existing protocol-level proof of > possession, and by defining a key-attributes claim to convey key protection > properties. The mechanism defined in the draft can be used with both the > pre-handshake and post-handshake attestation solution drafts. > > > > Comments and feedback from the WG would be welcome. > > AFAICS, this approach is very similar to the one we developed in the > early days of the attested TLS project, for exactly the same reasons. > (It is captured in draft-kat [1].) > The problem with this approach was that it required the platform to > support an additional root of trust & ABIs, which is impractical in > the general case. In the context of CC, we moved the functionality to > the confidential workload and bound it on top of the existing platform > evidence. I found that a bit ad hoc, but it solved our immediate > problem. I'm not sure that can be easily generalised. This appears to > be a typical IMPDEF (implementation-defined) case, where the developer > must ensure the system hosting the TLS endpoint offers the necessary > primitives and determine how to achieve this. > > cheers, t > > [1] https://datatracker.ietf.org/doc/draft-bft-rats-kat/ > > > Best regards, > > - Tiru and Hannes > > > > -----Original Message----- > > From: internet-drafts@ietf.org <internet-drafts@ietf.org> > > Sent: Sunday, March 15, 2026 7:27 PM > > To: K Tirumaleswar Reddy (Nokia) <k.tirumaleswar_reddy@nokia.com>; > Hannes Tschofenig <Hannes.Tschofenig@gmx.net>; Hannes Tschofenig < > hannes.tschofenig@gmx.net>; K Tirumaleswar Reddy (Nokia) < > k.tirumaleswar_reddy@nokia.com> > > Subject: New Version Notification for draft-reddy-rats-key-binding-00.txt > > > > > > CAUTION: This is an external email. Please be very careful when clicking > links or opening attachments. See the URL nok.it/ext for additional > information. > > > > > > > > A new version of Internet-Draft draft-reddy-rats-key-binding-00.txt has > been successfully submitted by Tirumaleswar Reddy and posted to the IETF > repository. > > > > Name: draft-reddy-rats-key-binding > > Revision: 00 > > Title: Key Attestation for Entity Attestation Tokens (EAT) > > Date: 2026-03-15 > > Group: Individual Submission > > Pages: 17 > > URL: > https://www.ietf.org/archive/id/draft-reddy-rats-key-binding-00.txt > > Status: https://datatracker.ietf.org/doc/draft-reddy-rats-key-binding/ > > HTML: > https://www.ietf.org/archive/id/draft-reddy-rats-key-binding-00.html > > HTMLized: > https://datatracker.ietf.org/doc/html/draft-reddy-rats-key-binding > > > > > > Abstract: > > > > This document defines a CWT-based Entity Attestation Token (EAT) > > profile and a new EAT claim that cryptographically bind a private key > > used to sign a certificate signing request (CSR), or the private key > > corresponding to an end-entity certificate used for TLS > > authentication, to an attested execution environment. > > > > The subject public key is conveyed using the EAT cnf claim defined in > > [RFC8747], and freshness uses the EAT nonce claim defined in > > [RFC9711]. The proof of possession of the subject key is obtained > > from the surrounding protocol, such as TLS certificate-based > > authentication or CSR signature verification. Because the EAT is > > signed by a hardware-backed Attestation Key (AK), successful > > verification of the EAT signature together with protocol-level proof > > of possession establishes a cryptographic binding between the private > > key and the attested platform state. This mechanism addresses key > > substitution attacks that arise when attestation evidence and the > > certificate private keys are validated independently. > > > > > > > > The IETF Secretariat > > > > > > _______________________________________________ > > Seat mailing list -- seat@ietf.org > > To unsubscribe send an email to seat-leave@ietf.org > > _______________________________________________ > RATS mailing list -- rats@ietf.org > To unsubscribe send an email to rats-leave@ietf.org >
- [Rats] FW: New Version Notification for draft-red… tirumal reddy
- [Rats] Re: [Seat] FW: New Version Notification fo… Muhammad Usama Sardar
- [Rats] Re: [Seat] FW: New Version Notification fo… Thomas Fossati
- [Rats] Re: [Seat] FW: New Version Notification fo… Nathanael Ritz
- [Rats] Re: [Seat] FW: New Version Notification fo… tirumal reddy
- [Rats] Re: [Seat] FW: New Version Notification fo… Thomas Fossati
- [Rats] Re: [Seat] FW: New Version Notification fo… Carl Wallace