[Rats] about the four (+?) different LAMPS/ACME documents involving certificates and attestation

Michael Richardson <mcr+ietf@sandelman.ca> Thu, 18 September 2025 21:56 UTC

Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: rats@mail2.ietf.org
Delivered-To: rats@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 8DDF66539312; Thu, 18 Sep 2025 14:56:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -4.4
X-Spam-Level:
X-Spam-Status: No, score=-4.4 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=sandelman.ca
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lfIfRHdcrKpV; Thu, 18 Sep 2025 14:56:34 -0700 (PDT)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [IPv6:2607:f0b0:f:3:216:3eff:fe7c:d1f3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 0F8496539305; Thu, 18 Sep 2025 14:56:34 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by tuna.sandelman.ca (Postfix) with ESMTP id 9BA3F18014; Thu, 18 Sep 2025 17:56:33 -0400 (EDT)
Received: from tuna.sandelman.ca ([127.0.0.1]) by localhost (localhost [127.0.0.1]) (amavis, port 10024) with LMTP id 2iVU0HnAECIU; Thu, 18 Sep 2025 17:56:32 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sandelman.ca; s=mail; t=1758232592; bh=IKWdilbH6OZ2y51vSYqIgQ7IyKwdICm2XHggTQzEhws=; h=From:To:cc:Subject:Date:From; b=f15IrS3hrK5c4zJdgEXuJWwL1doPr76WakcH9DjJDRoW0paefCt5yx4GLsQfmxDWf dFkaU2P+sThXCWRjkKm/TCGoc3AGBX00iZ/6vPmQPRfifdSLQu1KMEAbdvP2sbRzSn FLYfuqRY7x4avNCWZSkiivCt6poS3s9KtEbxLTuRdpd3jM7UgqF9kuAq43W30utMGq jMN4B8vVAsYpmgzVWSVBNkyZjIY1jt+JhCiYiOY/DOfDevLQHzwKM9191WsqGBOsIi qs5HZqc5AS4jNUoQpPHYLTYmUJrudqxpBZF/+Job9MMELdPL0zOne/p8o9QwjSy9CZ +di5rQTUSlgew==
Received: from sandelman.ca (unknown [IPv6:2607:f0b0:f:2:b241:6fff:fe09:a92b]) by tuna.sandelman.ca (Postfix) with ESMTP id 6A8E718012; Thu, 18 Sep 2025 17:56:32 -0400 (EDT)
Received: from obiwan.sandelman.ca (obiwan.sandelman.ca [127.0.0.1]) by sandelman.ca (Postfix) with ESMTP id 64C42236; Thu, 18 Sep 2025 17:56:32 -0400 (EDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: acme@ietf.org
X-Attribution: mcr
X-Mailer: MH-E 8.6+git; nmh 1.8+dev; GNU Emacs 28.2
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0;<'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Date: Thu, 18 Sep 2025 17:56:32 -0400
Message-ID: <14090.1758232592@obiwan.sandelman.ca>
Message-ID-Hash: FIW2PKZAIJBN6S5EKVSSHQTJABNIKHD4
X-Message-ID-Hash: FIW2PKZAIJBN6S5EKVSSHQTJABNIKHD4
X-MailFrom: mcr+ietf@sandelman.ca
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-rats.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: rats@ietf.org, lamps@ietf.org
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [Rats] about the four (+?) different LAMPS/ACME documents involving certificates and attestation
List-Id: Remote ATtestation procedureS <rats.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/zu3Mqm-FOm2pAi1GymfDVHey-7s>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Owner: <mailto:rats-owner@ietf.org>
List-Post: <mailto:rats@ietf.org>
List-Subscribe: <mailto:rats-join@ietf.org>
List-Unsubscribe: <mailto:rats-leave@ietf.org>

Let me write this up, since I've been through a few iterations of explaining this.
I would welcome edits and clarifications, but note that there are definitely
details that I have omitted for purposes of clarity.

The documents I know about:
1. draft-ietf-lamps-csr-attestation. (in LAMPS)
2. draft-acme-device-attest (adopted in ACME, despite wrong name)
3. draft-liu-acme-rats-latest (yet to be adopted in ACME)
4. draft-ietf-acme-client (adopted in ACME)

TL;DR> no overlap between them.  Reasonable to mix and match.

To understand things best, consider a system that has a TCG TPM 2.0 device attached.
There are some places that a private key can be stored: in the TPM, or in a
file on the system disk.
(Note that private keys can be "sealed" by the TPM, which means that
the private key is symmetrically encrypted by a key that only the TPM knows.
Such a key is effectively in the TPM, since they can never be used when
outside)

**draft-ietf-lamps-csr-attestation**
This document is about providing Evidence/Attestation Result about the
location of the private key.   A CA wants proof as to where the private key is.
The certificate signing policy of the CA to sign certain kinds of keys
requires that the key be stored in a place with particular security
properties.
Evidence: The Evidence is included *within* the Certificate Signing Request, and then
          via background check, Verified, producing Attestation Results.
          This mechanism can be used with any enrollment protocol: ACME,
          SCEP, EST, CMP... anything that uses CSR.

Certificate: The Attestation Results will not typically affect anything that
             goes into the resulting certificate.

**draft-acme-device-attest**
This document is about authorizing an identity relating to a TPM, or
equivalent TEE, such as Android Keystore or ChromeBook. The identity in question is the
permanent-identifyer/hardware-module, and includes hwType and hwSerialNum.
This allows authorization by leveraging keys built in the TPM during
manufacturing time.
Evidence:    A challenge nonce is provided, and the client uses the
             credential in their hardware to sign a WebAuthn statement.
             This credential is used as the AccountKey, and this can connect
             to an Enterprise based directory.

Certificate: The hwType/hwSerialNum can be included into resulting
             certificate as an otherName SAN.
             Note that the private key associated with the certificate has no
             set relationship to the TPM/TEE.  It could be the same,
             it could be entirely different, and *this* extension says
             nothing about that key.

**draft-liu-acme-rats**
This document is about authorizing issuing of a certificate based upon an
evaluation of the trustworthiness of the system making the request.
While it now uses (I-D not yet updated) a pseudo-identity with ACME,
the resulting Certificate never has a related identity in it.
Evidence:    A challenge nonce is provided, a passport mechanism is used to
             get fresh Attestation Results, which are then returned to the
             ACME server in the Authorization Response.
Certificate: No identity that goes into the certificate is defended.

**draft-ietf-acme-client**
This document offers OTP (HOTP, TOTP, OTP), public key and WebauthN
authorizations.  While the document presents these as challenges, it is not
clear to me how that is correct. It seems to me that this is an account
authentication in the guise of an account.
Evidence:    The HOTP and TOTP mechanisms are not challenge/response systems.
             A new password is generated every 30s (TOTP), or when a key is
             pressed (HOTP).   Validation of the result value requires
             that the ACME Server has access to the per-user secret.  Or
             to a validation service that has access to it.  RADIUS
             (User-Password) or DIAMETER or another service could be used.
Cerificate:  No identity that goes into the certificate is defended.

-------------

Could one use all four at the same time? Yes.
Assume a new-hire to an Enterprise.  The new employee has been issued with a
corporate device (phone or laptop), and a TOTP physical device (which might
be the phone, or a token with biometric activation)

1. draft-ietf-acme-client could be used to authenticate the ACME account (if
rewritten), or an ephermal account used with the challenge mechanism described used.
This authenticates the new employee.

2. draft-lui-acme-rats is used to provide evidence that the device itself is
running appropriate ("golden") versions of software; that it's malware free.

3. draft-acme-device-attest is used to connect the certificate is going to be
issued to the device itself.  This provides evidence that the credential is
on the device that the Enterprise expected to deploy to.  Alternatively, in a
BYOD situation, a TOFU step results.  Certificate renew then can be locked to
that device.  This could mitigate physical attacks/threats on the *person*
itself ("gun to the head") where they are compelled to load a credential into
an attackers device.

4. draft-ietf-lamps-csr-attestation provides assurance that the generated
private key is held in a secure enclave, from which it can not be exported.

5. RFC8823. An email-reply-00 challenge provides proof of control of an email
account, and results in a certificate with a SubjectAltName rfc822Name for
that email address.



ps: I think that draft-ietf-acme-client needs significant revision.
I don't think it's about client-certificates, in the same sense that DANCE
thinks about them.  It's about authenticating human-shaped things.

pps: I would not use the word "attest" with draft-acme-device-attest.
To me, this is a form of device authentication, with optional authentication
of the HardwareModule otherName contents.

--
Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide