Re: [Rats] should base architecture mandate a distributed structure for Endorsements

Henk Birkholz <> Tue, 04 August 2020 05:44 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 156643A0CB8 for <>; Mon, 3 Aug 2020 22:44:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -0.946
X-Spam-Status: No, score=-0.946 tagged_above=-999 required=5 tests=[NICE_REPLY_A=-0.949, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 8RN94xXvEwsL for <>; Mon, 3 Aug 2020 22:44:52 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id B64273A0CB7 for <>; Mon, 3 Aug 2020 22:44:50 -0700 (PDT)
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-AV: E=Sophos;i="5.75,433,1589234400"; d="scan'208";a="23345081"
Received: from ([]) by with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 04 Aug 2020 07:44:47 +0200
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-AV: E=Sophos;i="5.75,433,1589234400"; d="scan'208";a="87538169"
Received: from ([]) by with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 04 Aug 2020 07:44:44 +0200
Received: from ( []) by (8.15.2/8.15.2/Debian-10) with ESMTPS id 0745ihCU000566 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-SHA256 bits=128 verify=NOT); Tue, 4 Aug 2020 07:44:43 +0200
Received: from [] ( by ( with Microsoft SMTP Server (TLS) id 14.3.487.0; Tue, 4 Aug 2020 07:44:38 +0200
To: Laurence Lundblade <>, Michael Richardson <>
CC: <>
References: <> <> <> <> <2900.1596296932@localhost> <>
From: Henk Birkholz <>
Message-ID: <>
Date: Tue, 4 Aug 2020 07:44:37 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.10.0
MIME-Version: 1.0
In-Reply-To: <>
Content-Type: text/plain; charset="utf-8"; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 8bit
X-Originating-IP: []
Archived-At: <>
Subject: Re: [Rats] should base architecture mandate a distributed structure for Endorsements
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Remote ATtestation procedureS <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 04 Aug 2020 05:44:55 -0000

A single vital comment in-line:

On 01.08.20 21:37, Laurence Lundblade wrote:
>> On Aug 1, 2020, at 8:48 AM, Michael Richardson <> wrote:
>> There is some discussion in private, on github and in the architecture DT
>> calls around the question of Endorsements.
>> There is a pull request at:
>> text.  The text is
>> and I suggest that new readers go to the three dots and unselect "Show comments"
>> But, I include the text:
>>   - An Endorsement is a secure statement that some entity (e.g., a
>>   - manufacturer) vouches for the integrity of the
>>   - device's signing capability.  For example, if the signing capability is in hardware, then
>>   - an Endorsement might be a manufacturer certificate that signs a public key whose corresponding
>>   - private key is only known inside the device's hardware.
>>   + An Endorsement input to a Verifier is always required. An Endorsement is
>>   + what allows a Verifier to trust an Attester and in turn to trust the Evidence
>>   + produced by an Attester. Without Endorsements a Verifier cannot function.
>>   + Said another way, an Attester for which there is no Endorsement is not
>>   + useful since there is no good basis by which a Verifier can trust it.
>>   + One of the Endorsements for an Attester will just about always contain
>>   + cryptographic key material.
>>   + This key material will correspond to key material that is put in the Attester.
>>   + The key material is the basis for the Verifier trusting the Attester.
>>   + This architecture does not dictate any particular cryptographic protocol
>>   + for establishing this trust, hence the key material can be symmetric or
>>   + asymmetric, a single key, multiple keys, key hierarchies, X.509 cert or
>>   + chains or other.
>> I think that we get into conflict immediately on the first sentence.
>> There ARE many use cases in which we WILL need input to the
>> Verifier from a variety of manufacturers in a signed artifact form.(A)
>> There are other use cases in which the Verifier will be configured with all
>> the information that it needs.  Is a configuration file, loaded by a trusted
>> operator, a "secure statement"?
>> I think so, and this is why we used this wording. (B)
> My view is that the arrows in the diagram show the complete and exhaustive inputs of relevance to attestation.

Probably adjusting the expectations of the arrows in the diagrams wrt to 
"completeness" can mitigate this issue at it's root?

> The one and only input from the Manufacturer/Endorser to the Verifier is the Endorsement. If there is a configuration file (with keys) transferred from the Manufacturer/Endorser to the Verifier, it would be going over the arc labeled Endorser in the diagram.
> I think this is true of every arrow/arc in Figure 1. I don’t think are alternate channels. It seems confusing to tacitly expect the reader to assume them.
> Even if it weren’t true, the key material is critical and fundamental to attestation that its transfer needs to upfront and clear. You can do attestation with just a key and a nonce and nothing else. You can’t do attestation without a key and nonce. We have pages of discussion on nonces.
> The most important thing transferred from Manufacturer/Endorser to the Verifier is the verification key material. It should be characterized clearly and should allow for all types of keys and transfer scenarios.
>> When I read the changes above, it seems to me that it contains aspirational
>> text that intends to make case (A) universal.
>> I think that a number of us believe that an Endorsement is the name for a
>> signed artifact.  This may be the basis for our disagreement: I'm not entirely sure.
>> Our definition of "Endorsement" does not say that, so it may be that I read
>> too much into the proposed changes.
> Endorsement being a “signed artifact” seems like common understanding in the TCG world to me.
> If we want to stick with that definition, that is fine, but that excludes Endorsements as a means to convey symmetric keys, databases of keys and the operation of a key look up service and a hash verification service. So then we need to switch to a term like Verifier Input with Endorsements being one form of Verifier Input.
>> I firmly believe that we will need an Architecture for Distributed Endorsements.
>> I also think that we can do this separately, and that there are probably
>> reasons for some industrial verticals to do this on their own.
> Agree with that.
> I’m only after a few paragraphs of high-level characterization. Nothing as detailed as the nonce discussion.
>> It could be that this is not the goal of the above text.
>> I do not think we need this level of detail in this part of the architecture.
>> It's not wrong, it's just not helpful, I think.
> What’s different about the Endorser-Verifer-Attester trust relationship is that it is transitive in a unique and important way for attestation. I think bringing that to light in a clear way is necessary.
> LL
>> --
>> Michael Richardson <>ca>, Sandelman Software Works
>> -= IPv6 IoT consulting =-
>> _______________________________________________
>> RATS mailing list
> _______________________________________________
> RATS mailing list