[Rats] FIDO and Android are major TEE use cases

Laurence Lundblade <lgl@island-resort.com> Tue, 08 October 2019 16:31 UTC

From: Laurence Lundblade <lgl@island-resort.com>
Message-Id: <002BF9A4-C144-4998-B586-FACF2FE11B2A@island-resort.com>
Date: Tue, 8 Oct 2019 09:31:26 -0700
To: rats@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/uFJvIuoWicghZFk0JPAjvqvK4Bs>
Subject: [Rats] FIDO and Android are major TEE use cases

Want to point out that TEEP / OTRP is a potential TEE use case, but not yet a major one (IMO). 

The Android keystore with attestation is just about always implemented in the TEE. There are extensive APIs available to Android apps today to use it. What is particularly cool about it is that access to a key in the keystore can be gated on biometric authentication, making it a keystore that is actually useful to applications. Android SafetyNet is different and not in the TEE.

Most FIDO implementations are in the TEE, some by virtue of using the Android keystore, some because they are a separate trusted application.

WeChat Pay, a major payment system in China bigger than PayPal, uses a tweaked version of the Android keystore in the TEE. Probably IFAA / AliPay too.

Apple's Secure Enclave is roughly equivalent to a TEE for our purposes. It is a fully isolated and functional computing environment that has facilities similar to the Android keystore that hopefully someday will implement EAT.
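As an added illustration of the Android keystore usage the message describes (attestation plus biometric gating of key use), and not code from the message or from any project, the snippet below generates a TEE-backed signing key with an attestation challenge and requires a strong biometric for every signature. It assumes API level 30 or later, and `alias` and `challenge` are caller-supplied values (the challenge should be a fresh nonce from the relying party).

```java
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.security.spec.ECGenParameterSpec;

public final class AttestedBiometricKey {
    private static final String ANDROID_KEYSTORE = "AndroidKeyStore";
    // OID of the Android key attestation extension carried in the leaf certificate.
    private static final String ATTESTATION_EXT_OID = "1.3.6.1.4.1.11129.2.1.17";

    // Creates an EC P-256 signing key; 'alias' and 'challenge' are caller-supplied (assumption).
    public static Certificate[] generate(String alias, byte[] challenge) throws Exception {
        KeyGenParameterSpec spec = new KeyGenParameterSpec.Builder(
                alias, KeyProperties.PURPOSE_SIGN | KeyProperties.PURPOSE_VERIFY)
                .setAlgorithmParameterSpec(new ECGenParameterSpec("secp256r1"))
                .setDigests(KeyProperties.DIGEST_SHA256)
                // Ask the TEE to issue an attestation chain bound to this nonce.
                .setAttestationChallenge(challenge)
                // Every private-key operation must be authorized by a strong biometric (API 30+).
                .setUserAuthenticationRequired(true)
                .setUserAuthenticationParameters(0, KeyProperties.AUTH_BIOMETRIC_STRONG)
                .build();
        KeyPairGenerator kpg = KeyPairGenerator.getInstance(KeyProperties.KEY_ALGORITHM_EC, ANDROID_KEYSTORE);
        kpg.initialize(spec);
        kpg.generateKeyPair();
        KeyStore ks = KeyStore.getInstance(ANDROID_KEYSTORE);
        ks.load(null);
        return ks.getCertificateChain(alias);
    }

    // Local sanity check only; the relying party's server must verify the chain to the
    // Google attestation root, the challenge, and the reported security level.
    public static boolean leafCarriesAttestation(Certificate[] chain) {
        X509Certificate leaf = (X509Certificate) chain[0];
        return leaf.getExtensionValue(ATTESTATION_EXT_OID) != null;
    }

    // For BiometricPrompt.CryptoObject: initSign succeeds now, sign() only after onAuthenticationSucceeded.
    public static Signature prepareSignature(String alias) throws Exception {
        KeyStore ks = KeyStore.getInstance(ANDROID_KEYSTORE);
        ks.load(null);
        Signature sig = Signature.getInstance("SHA256withECDSA");
        sig.initSign((PrivateKey) ks.getKey(alias, null));
        return sig;
    }
}
```

Wrap the returned `Signature` in a `BiometricPrompt.CryptoObject` and call `sign()` from the prompt's success callback; the keystore rejects the operation if the biometric step is skipped.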