IETF Logo Mail Archive

[saag] Re: Relay Attacks in Intra-handshake Attestation for Confidential Agentic AI Systems

Eric Rescorla <ekr@rtfm.com> Wed, 04 March 2026 22:54 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: saag@mail2.ietf.org
Delivered-To: saag@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 01515C47D899 for <saag@mail2.ietf.org>; Wed, 4 Mar 2026 14:54:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20230601.gappssmtp.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RCdxU61A0BHB for <saag@mail2.ietf.org>; Wed, 4 Mar 2026 14:54:18 -0800 (PST)
Received: from mail-yw1-x112d.google.com (mail-yw1-x112d.google.com [IPv6:2607:f8b0:4864:20::112d]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 283B2C47D88A for <saag@ietf.org>; Wed, 4 Mar 2026 14:54:18 -0800 (PST)
Received: by mail-yw1-x112d.google.com with SMTP id 00721157ae682-7986a347d4bso72904977b3.0 for <saag@ietf.org>; Wed, 04 Mar 2026 14:54:18 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1772664857; cv=none; d=google.com; s=arc-20240605; b=Cyqh84W4u7fEM3H/4GZbjzIBukPpWn3EB8nWXix2HN3vH2+3gRe2Ny0+XP/AEWimLU UZX3n+fS7S3LPflU04m7FIoro4lcWikjhTBxJ+DEGUe1W9g8km75eVW1lrUae3upFner w/MaAJ9dr7RTM+DusenXRuVQ22wXrZupL375axyHnxxGwQJil8oqBrMv83GLQjaf99kt LkknUN+tGR6MQwBbYjyoplRC9HA7l7I2OmInzqMcQD8Flh0noJgoDgTDARJ0siSI6T8N hAyxwTC3B0BQl2zztzJkynzZze8Nq5Bd2UmTHu35rJ1xSMY0x1To9QkJCcu0bIkX6keD Vswg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:dkim-signature; bh=SW8KPynPK1d8YO0zn9rZ8ABOEHFQAyYXyteH8c2F4Ic=; fh=MVaiQAIHymUfCUGkUSwOL4tf1vx5fVyx92Ijkvot+ww=; b=BT5aPQyTOzruH+gKP5A09Gttoc95qyiJOHkEUVONLDt1VhuyBNaDIZm6pzoYI/wZxp /bZWZ1UHpFmoOOYMm4EMXGFSA/i0sLzl+3HKcdjkSAw4qj2KtG2DkFi1wp8PGDjqwlG4 gg9HNCRD4SphhlPWdaUitfwMRRIHE1iyKQnhBJkhCSFMv45MLhZYiUhu3xyxA7YcbWKl SlqXp73syAa0os2NnsImP5YtAXkU8neImpDcjck2R9dF36o3FVJApiEsT6DaTP21YQNT ac2j8dMhHMZJpvpySbxXeP9Xor+CIZetAIAEZ1oqRgK1etYTvvNppbJlkPejGlNRAgBN tPQA==; darn=ietf.org
ARC-Authentication-Results: i=1; mx.google.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20230601.gappssmtp.com; s=20230601; t=1772664857; x=1773269657; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=SW8KPynPK1d8YO0zn9rZ8ABOEHFQAyYXyteH8c2F4Ic=; b=NDUpKDt0N7jsy5OERv4L2h3VtBU8vSSp6tpTX3p/f2dQPSRiDv+VPu+wt7mjVfjmwe k6KV0s3hNG8lGNtNvW2Ingi9rhUA9PybaEDB4/WaWH4cLTyz3vCHcNIC6uWCV8SoezQS QYJ1Rn87jixochYNjEfhmRuBUxCUtwz7mbrTgxZLTIsWOf0ht94GKGU5Yd+BR1TnoTSh 9+ba4D1rJnUA5YybmzOm4jjiAcLiU3z32NjqF5qAsB2nr1Urrxz+eHnAc3VMmhkAjqpo PKpzcbywxJrKW+kp5PIm2uRr4kL8VUoFGSzfh4y6+uBrH69W9+3GhByntDpGRj3sHfz2 7NwA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1772664857; x=1773269657; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=SW8KPynPK1d8YO0zn9rZ8ABOEHFQAyYXyteH8c2F4Ic=; b=wCk2Vwp4ni6ka3xlMCJQWN/bVIEnF1dSqoabx4eYhB5S3MrQfQOAORr4BN8R10Xyap B8IUv6MbIhGl6769e2XkZIx1vuHhSjybzY3HnAGBJxmVOnipjDpXIUs3Ajv0DdmGC2xd YMrkEyERG4YC7doEplC47EH3Lv5mXumXnyVv7eVYBg1akjFm+J1JmlNfv60NlEmYs4CD yiA6J4iGwqlfxEIPwLVQwkbD0TyxnV5a60HWMAMTp1nV5OmRmWtCd9JcFPseyEyRnTs/ Z6dTO5Mv0AX2GtDn+W9vRH7XHFo/k5mNWKraQGjIpDwqrI00WAI+lvQVEnXr+Zrli1dC H4uQ==
X-Gm-Message-State: AOJu0YygpfQMaluWTcX3kOosVzN2SiyDYbHgbnZOYRM+an2yafJ4pr/I 9zvT/b9yza9VeNZJJa4Y/8UrtuaQK4mJtj00fDHTjr6DQ4mnbStjYRo87gk6f5OLgKKcFuQ1RA9 UNReaV7rv0TF9kBxXRqPWRk6/arpnu5SSMqT0ROicLQ==
X-Gm-Gg: ATEYQzzn3MhYxYjRVjEmeWcgD3YBqETsPqRhLz9F+QDTtkxUzkwLh38yK4PlTmX5Ip3 mim4LEu22ViBjxFhPQcf5PwuKTtol9MPxLfjwinyEbvPlQMcrvBXmD3DtdlyxVMFOzild4qKE6c L0yncu9KadEoZZpjQ5t1TgjvKWOVTBPds3iEuHDPH6XdggsVYflQs5n4b/n6npP9O7Sm3UERKwO ZyKJxS6vkuZPRgEVxj4vX8NzopV5ybvg7M5o7H5fzWbTKvaApEt97bB8Jg7ga7Ur2e03ZfxVeYC fY5Xeb2e9Y6XN1n/zXoDEZuFpdZ349IaK8SMcmO/yMp6qmpkn+9+x2PBvBCiQNIwbYEUKdnj/Oy lEltBa7EVDhzH9+09HAqoSA==
X-Received: by 2002:a05:690c:19:b0:78f:bc2b:83f5 with SMTP id 00721157ae682-798c6bd0aacmr32778607b3.20.1772664857580; Wed, 04 Mar 2026 14:54:17 -0800 (PST)
MIME-Version: 1.0
References: <47ebb3cb-d35a-43e3-9fbd-864804356f9e@tu-dresden.de> <06d15e70-32b9-41bc-8c77-51d569716c96@tu-dresden.de> <CABcZeBPEM_UP6GEbRqBCAnnJ9xdxTs0_gHHbxQyswBGs_21g8Q@mail.gmail.com> <62bf4413-6ac9-4a09-8397-4351b0e3b069@tu-dresden.de>
In-Reply-To: <62bf4413-6ac9-4a09-8397-4351b0e3b069@tu-dresden.de>
From: Eric Rescorla <ekr@rtfm.com>
Date: Wed, 04 Mar 2026 14:54:00 -0800
X-Gm-Features: AaiRm523XuyEUnWqCN-z6q1-OfKwPCJz8825lO7UCK7YXRNd7N0_Z0zzA3cslB0
Message-ID: <CABcZeBOQK9GK8JC3L7360uC=6iBvxHgmu63gEpUNE52jf8eNkA@mail.gmail.com>
To: Muhammad Usama Sardar <muhammad_usama.sardar@tu-dresden.de>
Content-Type: multipart/alternative; boundary="000000000000246473064c3ab382"
Message-ID-Hash: Q5B447HXSPWY5AG3XYSB43GMKTBSQUC6
X-Message-ID-Hash: Q5B447HXSPWY5AG3XYSB43GMKTBSQUC6
X-MailFrom: ekr@rtfm.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-saag.ietf.org-0; header-match-saag.ietf.org-1; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: saag <saag@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [saag] Re: Relay Attacks in Intra-handshake Attestation for Confidential Agentic AI Systems
List-Id: Security Area Advisory Group <saag.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/McIzSkxUceUrqIxelkVxx-zE86A>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Owner: <mailto:saag-owner@ietf.org>
List-Post: <mailto:saag@ietf.org>
List-Subscribe: <mailto:saag-join@ietf.org>
List-Unsubscribe: <mailto:saag-leave@ietf.org>

On Wed, Mar 4, 2026 at 1:49 PM Muhammad Usama Sardar <
muhammad_usama.sardar@tu-dresden.de> wrote:

> On 04.03.26 19:02, Eric Rescorla wrote:
>
> On Wed, Mar 4, 2026 at 9:59 AM Muhammad Usama Sardar <
> muhammad_usama.sardar@tu-dresden.de> wrote:
>
>> [ Already shared at relevant lists like SEAT, RATS, TLS, UFMRG; sharing
>> here for wider opinion/review ]
>>
> Please stop doing reposting this everywhere.
>
> I believe there are folks here who are not on other lists, and vice versa.
> I would very much value their perspective. There was a disclaimer upfront
> which folks on these list could safely ignore.
>

The whole purpose of having lists is so that people can subscribe to one
stream of messages and not others. Cross-posting to a bunch of
semi-irrelevant lists -- let alone reposting to them -- subverts this
purpose. The disclaimer doesn't make it better.


> It's not relevant to IETF activity.
>
> Ironically, the work to *exhaustively* explore all intra-handshake
> attestation options was requested by Paul, and Cocos AI is one of the major
> ones.
>
What's irrelevant here is not the technical questions about intra-handshake
attestation, but rather critiquing their activities elsewhere ("continuing
to make false
claims on social media").

-Ekr

v2.46.0 | Report a Bug | By Email | System Status