[Rats] Dealing with Attestation Roots

Anders Rundgren <anders.rundgren.net@gmail.com> Thu, 27 February 2020 17:51 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/qth3-OexWYzA7mo4ZwMYYXPUuIg>
List-Id: Remote Attestation Procedures <rats.ietf.org>

Hi List,
In the https://cyberphone.github.io/openbankingwallet project the idea was to use attestations.  The most recent version of the Android app indeed supports this as well.

In an ideal world the root would be provided by Google.  However, since we don't live in an ideal world there are vendors out there who do not follow that "recipe".

For W3C's PaymentRequest API a simpler solution is used which does not match attestations but is better than nothing.  This scheme builds on publishing a manifest associated with the app.  Here is my particular manifest:  https://mobilepki.org/w3cpay/method

But I still would like to use attestations and also not be tied to browsers.

What about making attestations optionally contain a URL to the root like https://huawei.com/teeroot ?
Since the number of vendors is finite and the Web-PKI is in fairly good shape these days, this could serve as a workaround for those who don't have any number of cycles to spend on installing arbitrary TEE root certificates.  That is, a verifier's "trust registry" would simply hold host names like "huawei.com", "sony.com", "samsung.com", etc.

If there is a better method, I'm all ears!

thanx,
Anders
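
Added example, not part of the original message or of the openbankingwallet project: a sketch of the verifier-side check the proposal implies, deciding whether a root URL carried in an attestation may be fetched at all. The function names, the exact-host-match policy, the default-port rule and the per-hop redirect check are assumptions; the registry entries are the host names given in the message.

```python
from urllib.parse import urlsplit

# Constructed registry, using the host names mentioned in the message.
TRUST_REGISTRY = frozenset({"huawei.com", "sony.com", "samsung.com"})


def check_root_url(url, registry=TRUST_REGISTRY):
    """Return (ok, detail) for a root URL carried in an attestation."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False, "malformed URL"
    # Web-PKI is the only thing vouching for the root, so plain http is out.
    if parts.scheme != "https":
        return False, "scheme is not https"
    # "https://huawei.com@other.example/" has host other.example.
    if parts.username is not None or parts.password is not None:
        return False, "userinfo present"
    if port not in (None, 443):
        return False, "non-default port"
    host = (parts.hostname or "").rstrip(".")  # hostname is already lowercased
    if not host:
        return False, "no host"
    # Refuse lookalike Unicode hosts instead of trying to normalise them.
    if not host.isascii():
        return False, "non-ASCII host"
    # Assumed policy: exact match only, so "huawei.com.other.example"
    # and unlisted subdomains are refused.
    if host not in registry:
        return False, "host not in trust registry"
    return True, host


def check_fetch_chain(urls, registry=TRUST_REGISTRY):
    """Every hop (original URL plus each redirect target) must pass."""
    for url in urls:
        ok, detail = check_root_url(url, registry)
        if not ok:
            return False, f"{url}: {detail}"
    return True, "all hops allowed"
```

Passing this check only admits the fetch; the attestation's certificate path still has to validate to the root that is retrieved.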