Re: [Rats] 802.1AR device identity

Laurence Lundblade <> Thu, 11 March 2021 19:02 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 9049D3A0E50 for <>; Thu, 11 Mar 2021 11:02:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.916
X-Spam-Status: No, score=-1.916 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id fl3fwa4wevtJ for <>; Thu, 11 Mar 2021 11:02:31 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 3B0323A0E0D for <>; Thu, 11 Mar 2021 11:02:31 -0800 (PST)
Received: from [] ([]) by :SMTPAUTH: with ESMTPA id KQXelJLlTGlIUKQXflzXAe; Thu, 11 Mar 2021 12:00:15 -0700
X-CMAE-Analysis: v=2.4 cv=cd0XElPM c=1 sm=1 tr=0 ts=604a68bf a=t2DvPg6iSvRzsOFYbaV4uQ==:117 a=t2DvPg6iSvRzsOFYbaV4uQ==:17 a=48vgC7mUAAAA:8 a=d89gtNoHE_lvAHdhvrEA:9 a=QEXdDO2ut3YA:10 a=LrXWqHzY8c5mkKdJaqgA:9 a=eN45PPH_a0raEnLw:21 a=_W_S_7VecoQA:10 a=w1C3t2QeGrPiZgrLijVG:22
From: Laurence Lundblade <>
Message-Id: <>
Content-Type: multipart/alternative; boundary="Apple-Mail=_33FB6DE4-01D3-456F-9153-95ABA1781D2C"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.17\))
Date: Thu, 11 Mar 2021 11:00:14 -0800
In-Reply-To: <>
Cc: Eliot Lear <>, "" <>, Guy Fedorkow <>, "" <>
To: "Smith, Ned" <>
References: <> <> <> <> <>
X-Mailer: Apple Mail (2.3445.104.17)
X-CMAE-Envelope: MS4xfBQUNUAJtGCqXhXlyUCCwpKZcbAGmBaTXxN9x+qg8bjMVQTB9s15dtOGZ9WjR94s0HKtk/w8qLqThww1qn7WA/vv9+MFKMiJ/ayESoXZCa3AD1K+/dTG aSQnqVNGb+GfX3GZuCulot8wzqDIgfWzl2ZIRLdcTlDbc4vN37jZlEU3C/+piRT3XmssR1XHoQUBHAOCw3rQ6Qii2WAMtmvkbzMpP0V2xpRilZWvss01x8J6 AAJH18UCmACA0bAHfdIiDr3fVfrhMw3ruFEQ4lPIXMS0G/hFfrI81Uzc0RQhOM8akdhhrK7bwHiIPMjynxU/2A==
Archived-At: <>
Subject: Re: [Rats] 802.1AR device identity
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Remote ATtestation procedureS <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 11 Mar 2021 19:02:36 -0000

I want to unpack and unfold a few things here.

Permanence / Lifecycle / Privacy — I think the main topic here is about when an ID changes relative to the lifecycle of the device and how this relates to privacy.

Compromise — I think compromise due to algorithms being compromised or the device being owned or such is a separate topic. Discussion of it seems orthogonal, should go into security considerations and really comes down to certification in the end if you really want to lock it down.

I’m not sure which is meant by “immutability” in the previous emails.

My intent in the definition of UEID was that it is truly permanent. It doesn’t change at any time in the lifecycle of the device. This is the simplest case to describe. It is not at all privacy preserving for some use cases (e.g., mobile phone), but is OK for others (e.g., dumb sensor). 

I was thinking other folks might define other IDs for other use cases. Maybe the time has come to invent one or two of those and put them in EAT.

Some Solutions
One possibility is an SUEID, a semi-permanent UEID (maybe not use SPUIED). It is allowed to change in major events in the devices lifecycle such as events when ownership changes, the managing entity changes or on factory reset. I think this lines up with the way some MAC addresses are managed for privacy reasons. This line up is good because a UEID can be an IEEE MAC.

An RP might receive an EAT with only an UEID, only an SPUEID or both. The RP can decide what they want to use.

Another one is for the Attester to authenticate the Verifier and/or Relying Party and generate a distinct UEID or SUEID just for use by that RP. This is a solution to the privacy issue. I’ve actually done an implementation of this one.

A related solution is to have a privacy proxy between the Attester and the Verifier that makes RP-specific UEIDs or SUEIDs.

Separation of ID from Attestation Key
An ID that is not signed is nearly useless because anyone can forge it so we’re always talking about some sort of signing.

EAT intentionally separates the ID from the signing key. I haven’t read IDevID, but I don’t think it has this separation. The reason EAT separates them is to have a lot of flexibility to deal with the privacy and lifecycle issues that come up in real deployments for chip makers and complex supply chains.

For example, FIDO uses group attestation keys to deal with the privacy issue. One key is put into 100,000 plus devices which makes it statistically not very useful for tracking users. Maybe the device manufacture uses this tactic for billions of devices. Then maybe a use case involving only millions of these devices needs a truly global ID and have the means to program it. This can work if the keys and IDs are separate.

Or maybe the manufacturer changes signing schemes moving from a primitive MAC to EC-based pub key and onto some sort of DAA while maintaining the same scheme for device IDs.

Possible harmonization with other Device IDs?
I noticed that birkholz-rats-suit-claims <> mentions a device ID based on UUIDs. We should probably take a look at how this relates UEID. There’s probably others to check out. We probably want to re use a lot of the claims from Evidence in Attestation Results so they can be pass-through for the Verifier.

Note also that UUIDs are obsolete now.


P.S., Any suggestions on how to get access to IEEE IDevID? I’m not part of a big company. I tried joining IEEE once, but that wasn’t enough to get access.