[saag] Re: Relay Attacks in Intra-handshake Attestation for Confidential Agentic AI Systems
Muhammad Usama Sardar <muhammad_usama.sardar@tu-dresden.de> Thu, 05 March 2026 12:57 UTC
Return-Path: <muhammad_usama.sardar@tu-dresden.de>
X-Original-To: saag@mail2.ietf.org
Delivered-To: saag@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 4D0CDC4E65BB for <saag@mail2.ietf.org>; Thu, 5 Mar 2026 04:57:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_VALIDITY_CERTIFIED_BLOCKED=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=tu-dresden.de
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Dip3VuiU3cse for <saag@mail2.ietf.org>; Thu, 5 Mar 2026 04:57:48 -0800 (PST)
Received: from mailout7.zih.tu-dresden.de (mailout7.zih.tu-dresden.de [141.76.32.220]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 3CFDDC4E65B1 for <saag@ietf.org>; Thu, 5 Mar 2026 04:57:48 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=tu-dresden.de; s=dkim2022; h=Content-Type:In-Reply-To:References:CC:To: Subject:From:MIME-Version:Date:Message-ID:Sender:Reply-To: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=Ul5+wOtNLtZ6zmfj2kCuWJNl3mTgJY6+I0P173SBziA=; b=WtgOBvyCqtf4KLsyUKtC/JooAR Ev9OIbnBCGNNQNA9YrctIjk6zqFw46VX+P6KeP3zzL6jxf7dCpWWLUc8tnUbv2RFjAGoXQE9q0jOG iARGibu83VfE5MfvOxoanQwEP8aPAROuC8T8kYFXSq4RA54i8UE3hjn2hNJPT54PkU6jsEF9x/StQ iC4+jfVCHXFq4u4LA7YkEgqUk/kvvF8JX6DHyjOCLpF2sBFabBSnZVpXtqPEasln7L1nbVDEsRr97 ysrd59Za5CwYXR0RufV5zE31toxniANeyhj8/j37aQtkuBnYczPOaxkjvTMU/GnMcMlol0D/upMJV yldNR7NQ==;
Received: from msx-l415.msx.ad.zih.tu-dresden.de ([172.26.34.135] helo=msx.tu-dresden.de) by mailout7.zih.tu-dresden.de with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from <muhammad_usama.sardar@tu-dresden.de>) id 1vy8Gr-009OWC-3C; Thu, 05 Mar 2026 13:57:47 +0100
Received: from [10.12.5.228] (141.76.13.165) by msx-l415.msx.ad.zih.tu-dresden.de (172.26.34.135) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.2562.37; Thu, 5 Mar 2026 13:57:41 +0100
Message-ID: <9f4bbd75-4922-4cdb-9fc0-4d616c4f7937@tu-dresden.de>
Date: Thu, 05 Mar 2026 13:57:39 +0100
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
From: Muhammad Usama Sardar <muhammad_usama.sardar@tu-dresden.de>
To: Eric Rescorla <ekr@rtfm.com>
References: <47ebb3cb-d35a-43e3-9fbd-864804356f9e@tu-dresden.de> <06d15e70-32b9-41bc-8c77-51d569716c96@tu-dresden.de> <CABcZeBPEM_UP6GEbRqBCAnnJ9xdxTs0_gHHbxQyswBGs_21g8Q@mail.gmail.com> <62bf4413-6ac9-4a09-8397-4351b0e3b069@tu-dresden.de> <CABcZeBOQK9GK8JC3L7360uC=6iBvxHgmu63gEpUNE52jf8eNkA@mail.gmail.com>
Content-Language: en-US
In-Reply-To: <CABcZeBOQK9GK8JC3L7360uC=6iBvxHgmu63gEpUNE52jf8eNkA@mail.gmail.com>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-512"; boundary="------------ms000907070703090301010701"
X-ClientProxiedBy: MSX-T414.msx.ad.zih.tu-dresden.de (172.26.35.134) To msx-l415.msx.ad.zih.tu-dresden.de (172.26.34.135)
X-TUD-Virus-Scanned: mailout7.zih.tu-dresden.de
Message-ID-Hash: SXYDSVKG7NPIJOOL5CQW4HXIIBIOQWPP
X-Message-ID-Hash: SXYDSVKG7NPIJOOL5CQW4HXIIBIOQWPP
X-MailFrom: muhammad_usama.sardar@tu-dresden.de
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-saag.ietf.org-0; header-match-saag.ietf.org-1; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: saag <saag@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [saag] Re: Relay Attacks in Intra-handshake Attestation for Confidential Agentic AI Systems
List-Id: Security Area Advisory Group <saag.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/FP6taINS6CvR1chSb7GbE9ZgsPY>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Owner: <mailto:saag-owner@ietf.org>
List-Post: <mailto:saag@ietf.org>
List-Subscribe: <mailto:saag-join@ietf.org>
List-Unsubscribe: <mailto:saag-leave@ietf.org>
Hi Ekr, Thank you for clarification on the second point. I'd like to ensure I'm following your reasoning correctly on the first one. On 04.03.26 23:54, Eric Rescorla wrote: > > On Wed, Mar 4, 2026 at 1:49 PM Muhammad Usama Sardar > <muhammad_usama.sardar@tu-dresden.de> wrote: > > On 04.03.26 19:02, Eric Rescorla wrote: > >> On Wed, Mar 4, 2026 at 9:59 AM Muhammad Usama Sardar >> <muhammad_usama.sardar@tu-dresden.de> wrote: >> >> [ Already shared at relevant lists like SEAT, RATS, TLS, >> UFMRG; sharing here for wider opinion/review ] >> >> Please stop doing reposting this everywhere. > I believe there are folks here who are not on other lists, and > vice versa. I would very much value their perspective. There was a > disclaimer upfront which folks on these list could safely ignore. > > > The whole purpose of having lists is so that people can subscribe to one > stream of messages and not others. Cross-posting to a bunch of > semi-irrelevant lists -- let alone reposting to them -- subverts this > purpose. The disclaimer doesn't make it better. Sorry, I don't fully understand your point. Could you please re-phrase to be more specific to my post/work rather than general comments? Specifically, are you claiming that the work I posted is "semi-irrelevant" to this list? or to other lists? Please clarify. For each list, there is a specific context and for this list, in meeting 124, I mentioned on-mic about the wish to have a research group (RG) on confidential AI in IRTF and this work is planting the seed for that. As I mentioned, I envision that potential RG to be very security-focused and SAAG seems to be the right place to bootstrap some discussions and to gather more potential proponents for the upcoming side meeting. I believe a serious research effort takes 9-12 months to mature, and to the best of my memory, I believe I have never [*] posted any pre-mature results anywhere in the IETF/IRTF; so cross-posting and even reposting after this period is not excessive to me, given the multi-disciplinary nature of the work and the aim to create a multi-disciplinary RG, building on top of SEAT, RATS and TLS and collaborating with UFMRG. I actually have a draft for SAAG on the gap analysis, but due to some other urgent work, I couldn't make it to this cutoff but that is the intended path for this work. I'll share that when I have it in a presentable form. You are a very experienced IETF contributor and I very much value your opinion. So I sincerely hope we do a technical discussion over the post that I can take into account for drafting a proposed charter of the potential RG, so that the potential RG is not a paper-making machine, rather actually contributes to the goals of the IETF. However, if I am in serious breach of this mailing list etiquette (I'm fairly new here), please let me know, and I'll surely stop. In that case, please accept my sincere apologies in advance. Best regards, -Usama [*] Whenever I did post intuition and/or preliminary work, I believe it was with an explicit warning with words like "intuition" or "work-in-progress" not to put much weight in this.
- [saag] Relay Attacks in Intra-handshake Attestati… Muhammad Usama Sardar
- [saag] Re: Relay Attacks in Intra-handshake Attes… Muhammad Usama Sardar
- [saag] Re: Relay Attacks in Intra-handshake Attes… Eric Rescorla
- [saag] Re: Relay Attacks in Intra-handshake Attes… Muhammad Usama Sardar
- [saag] Re: Relay Attacks in Intra-handshake Attes… Brian Campbell
- [saag] Re: Relay Attacks in Intra-handshake Attes… Eric Rescorla
- [saag] Re: Relay Attacks in Intra-handshake Attes… Muhammad Usama Sardar